
Error with sha256 SSL cert: NSS: client certificate not found (nickname not specified)

thecowster
Hi

I'm probably missing something obvious, but we have an html page on an https server with a SHA256 SSL certificate which we cannot generate pdfs for. The error reported is from the NSS lib. and occurs regardless of the use of any --ssl switches (including --ssl-blindly-trust-server):

NSS: client certificate not found (nickname not specified)


The reference to a "client" certificate would seem to be incorrect here as our server does not require client certificates. I could not find any reference to NSS errors in the forum here.

The debug output (prince 9, and also nightly build 20150928) only has this error, no further detail:

prince: loading document: https://oursite/print.phtml?ISIN=AT0000A18RE3
prince: debug: resource from cache: https://oursite/print.phtml?ISIN=AT0000A18RE3
prince: debug: error loading resource: NSS: client certificate not found (nickname not specified)
prince: https://oursite/print.phtml?ISIN=AT0000A18RE3: error: NSS: client certificate not found (nickname not specified)
prince: https://oursite/print.phtml?ISIN=AT0000A18RE3: error: could not load input file


Just for comparison, I see a different error with prince 6:
  • Without --ssl-blindly-trust-server I get the error "SSL certificate problem, verify that the CA cert is OK"
  • With --ssl-blindly-trust-server I get the error "Empty reply from server"

What might be going on here? What further debug information could I gather to help get to the bottom of this?

Thanks
Andy




mikeday
Which operating system are you running Prince on, and which package did you install?
thecowster
We're running CentOS release 6.6 (Final)

We installed prince using the tar.gz files (not the rpms). We do this because we have 3 versions of prince running on the same host, to provide backwards compatibility for old apps (a.k.a "don't force backend changes on our customers until they have a chance to review them, but also don't hold back new features from new apps")
mikeday
Is OpenSSL installed on the server? It might be helpful to check what is the result of "rpm -qa" and grepping for "curl" and "ssl".
thecowster
Indeed it is (although I assumed the NSS error suggested prince was now using NSS instead of OpenSSL?):

[fts@princexml1.test pdfgen]$ rpm -qa | grep curl
python-pycurl-7.19.0-8.el6.x86_64
libcurl-7.19.7-40.el6_6.4.x86_64
curl-7.19.7-40.el6_6.4.x86_64
libcurl-7.19.7-40.el6_6.4.i686
[fts@princexml1.test pdfgen]$ rpm -qa | grep ssl
openssl-1.0.1e-30.el6.11.x86_64
openssl098e-0.9.8e-18.el6_5.2.x86_64
openssl098e-0.9.8e-18.el6_5.2.i686
openssl-1.0.1e-30.el6.11.i686
nss_compat_ossl-0.9.6-1.el6.x86_64
mikeday
Prince uses curl, and curl uses different SSL backends on each platform, including OpenSSL, GnuTLS, NSS, or WinSSL on Windows.

If you run "curl <your URL>" from the command-line do you get the same certificate error?
thecowster
Thanks Mike, yes, I get the same issue when using curl directly. This is also the case with "curl --insecure <URL>"

Consider this question resolved. I shall pursue this as a curl issue.
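
Added example, not part of the thread or of Prince: a shell helper that reports which TLS backend a curl build is linked against, the check that mikeday's explanation of curl's per-platform SSL backends points to. It reads the first line of `curl --version`; the sample version strings and the function name `tls_backend` are constructed for illustration.

```shell
#!/bin/sh
# Classify the TLS backend named in the first line of `curl --version`.
# That line lists linked components as name/version tokens, e.g.
#   curl 7.19.7 (...) libcurl/7.19.7 NSS/3.16.2.3 zlib/1.2.3 ...
# An "NSS: ..." error from Prince means the libcurl it loaded reports NSS here.
tls_backend() {
    # $1: first line of `curl --version` output
    case " $1 " in
        *" NSS/"*)      echo "NSS" ;;
        *" OpenSSL/"*)  echo "OpenSSL" ;;
        *" GnuTLS/"*)   echo "GnuTLS" ;;
        *" WinSSL"*|*" Schannel"*) echo "WinSSL" ;;
        *)              echo "unknown" ;;
    esac
}

# Constructed sample lines (not captured from the poster's host).
SAMPLE_NSS='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18'
SAMPLE_OPENSSL='curl 7.43.0 (x86_64-pc-linux-gnu) libcurl/7.43.0 OpenSSL/1.0.1e zlib/1.2.8'
SAMPLE_GNUTLS='curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 GnuTLS/3.3.8 zlib/1.2.8'

# Report the backend of the curl on this machine, if one is installed.
if command -v curl >/dev/null 2>&1; then
    first_line=$(curl --version 2>/dev/null | head -n 1)
    echo "local curl TLS backend: $(tls_backend "$first_line")"
fi

# Show the classification for the constructed samples.
for line in "$SAMPLE_NSS" "$SAMPLE_OPENSSL" "$SAMPLE_GNUTLS"; do
    echo "$(tls_backend "$line") <- $line"
done
```

On an RPM-based host, the same answer can be cross-checked against the libraries the package links to, since several OpenSSL and NSS packages can be installed side by side as in the `rpm -qa` output above.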