Avatar of JillC

asked on 

Can’t verify SSL peers

I have been running a script which uses a Google docs spreadsheet to update the webpage daily. Every day that Google updates, my data disappears and I have to re-upload the text file again. This script has been working fine for 2 years. The text file gets replaced with the following error message:
File does not exist: Can’t verify SSL peers without knowning which Certificate Authorities to trust
This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE envirionment variable or by installing the Mozilla::CA module.
To disable verification of SSL peers set the PERL_LWP_SSL_VERIFY_HOSTNAME envirionment variable to 0.  If you do this you can’t be sure that you communicate with the expected peer.
I sent an email to the author of the script and he says it is not his script which is at fault and pointed me to this page: http://sysops.ie/blog/2011/03/21/cant-verify-ssl-peers-without-knowning-which-certificate-authorities-to-trust/

I am none the wiser. I don't understand what I am supposed to do. I downloaded the file but then what? Can you please step me through this. I am sure it is easy if you know what you're doing!
PerlApache Web Server

Avatar of undefined
Last Comment
Avatar of noci

with SSL there are two things at work:
1) are you talking to the right counter party  (validation of endpoints)
2) is the connection confidential...    (encryption is used)

@2) the key for this connection is determined during 1

@1) during the first phase certificates are exchanged, certificates describe aspects of the endpoint..
For a user mostly an email address, for a server mostly a username...
A certificate exists of the subject (above description), a private key (mostly protected with a pass phrase) and a public key. If the private key is used to encrypt some thing, then the public key can be used to decrypt it again. (and the other way around).
Using a known thing encrypt it and let the other decrypt it can verify one party, doing it both ways can authenticate both partners.

Now the validity of the keys still is not verified... for this we can request a third party to underwrite the validity and sign a certificate. That means a checksum of the certificate is encrypted by the third party
and if we have the public key of that 3rd party we can decrypt and verify the checksum.

Now how to verify that third party... well it can be a chain ... but it needs to be anchored somewhere.
That is what is called a Trusted Third Party. (or CA Certificate Authority) well known brands are:
Verisign, Global Trust. Open Source is CACert.
Those parties are mentioned is a special file/directory (depending on verify library) then the library can accept a certificate that is signed by such a party. (In that directory /file the public key is stored).

Avatar of JillC


I don 't need the geek talk. I need help interpreting the instructions in the link provided above. The SSL comes from Google Docs. Can I do this myself or do I need to ask the hosting company to sort it?
Avatar of JillC


Alright, I thought about it .... I went on to the server in cPanel and found a Perl button. Then I did a search for Mozilla::CA and it came up with an install button. So I installed it.
Then it came up with a comment:
Using Your Perl Module(s)
You will need to add /home/kidspart/perl to the include path.
You can do this by adding the following code to your script:

    my $base_module_dir = (-d '/home/kidspart/perl' ? '/home/kidspart/perl' : ( getpwuid($>) )[7] . '/perl/');
    unshift @INC, map { $base_module_dir . $_ } @INC;
So I have added that at the bottom of the cgi script (although the author of the script said his script was faultless).
I don't know whether I needed to do that or not. I won't know for another day if the script calls the spreadsheet in from Google Docs properly or not.
Avatar of noci

ok this looks like it was the right move as you cannot set a commandline environment variable.
(You can set some variables using a BEGIN { ... }" statement though.
Appearantly when your Service Provider updates it's cpanel software something get disrupted at the backend and this message is shown.

The script  can be faultless, if it used in a different than anticipated/designed for environment it needs adjustment. The script appearantly uses LWP (as can be seen from the mentioned environment variables) LWP changed from an accept anything mode to an really do checkout certificates mode.
That could cause old configurations to fail.  That does count as an unanticipated move, btw the old LWP more or less functioned as a door lock that didn't need a specific key, anything could work screwdriver, other keys as long as it was a flat.

To function using cPanel, the module appearently can reverted to the old behaviour or better support checking using the Mozilla::CA environment, that in turn requires that it gets activated hence the code that needs to be run at perl startup "BEGIN { ... }"

The real first question then is: What kind of certificate are you using to access the site?
(You created it your self, or you bought a certificate.)
Both need to be signed by some Certificate Authority (CA) to work. If you created a private CA then you need your CA's certificate by the ISP (might be hard) or if you bought one (from Verisign, global trust etc.) then it should have worked by now.

In the first case you might be better of by turning off the verification (accepting the blank keys again).
Avatar of JillC


I didn't buy a certificate.
This is how it works: I go into Google docs and put in my spreadsheet. I publish it. I save it as a web page. I copy the link provided which looks like 'https://spreadsheets.google.com/spreadsheet/pub?hl=en&hl=en&key=0Aqlv6gjEkxORd0YmtLMUdRdnJ4bkt2HZUmR2dVE&single=true&gid=0&output=txt' and paste into the line which starts my $google_url_to_spreadsheet = (I removed a couple of letters just in case some nasty person decides to mess with it).
I save the script and upload it to the cgi-bin.
Now, tell me why I need a certificate? Is it because of 'https://spreadsheets.google ?
Avatar of noci

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of JillC


I really figured out the answer myself and noci just confirmed I was on the right track. I made a change in Google docs and after Google did its update, the change came through to the website. So all good.

Perl is a high-level, general-purpose, interpreted, dynamic programming languages with over 25 years of development. Perl 5 runs on over 100 platforms from portables to mainframes and is suitable for both rapid prototyping and large-scale development projects. Perl gained widespread popularity as a Common Gateway Interface (CGI) scripting language, in part due to its regular expression and string parsing abilities. In addition to CGI, Perl is used for graphics programming, system administration, network programming, finance, bioinformatics, and other applications.

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo