CERT_TRUST_IS_PARTIAL_CHAIN

CsKwg
Hi,

when trying to access a webpage on a server by HTTPS, the following error is displayed:

prince: https://pdf.xxx.test/test.htm:
error: schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN
prince: https://pdf.xxx.test/test.htm: error: could not load input file

The same file can be accessed with Internet Explorer and Edge.

I'm using username and password, but these do not seem to be the problem here.

The HTTPS connection has a binding with a self-signed certificate.
But, as far as I can say, the chain is correct.

The same wildcard certificate is being used by other websites on the same server; these are also accessible by HTTPS.

Kind regards
mikeday
Which version of Prince are you using? Can you try accessing the same URL with curl for Windows:

https://curl.se/windows/
CsKwg
Prince 14.2.

Curl gives:
curl: (60) SSL certificate problem: unable to get local issuer certificate

CURL -k DOES retrieve the document.

prince --insecure ALSO retrieves the document.

So, for the time being, this is sufficient.

I would like to know how to create valid self-signed certificates.
Anyway, you don't have to worry about this. :)

Thank you very much for the good support!

CsKwg
Hi Mike,

sorry, but I'm back with a similar problem:

PrinceXML shows this error:

schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT

We created the certificates ourselves, including the CA.
It is working without problems in Edge and IE, but Firefox also complains.

When showing the Security panel in Edge, it gives:
"This site has a valid certificate, issued by a trusted authority."

CURL -v gives:

* Trying 192.168.141.61:443...
* Connected to pdf.oni.test (192.168.141.61) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: ALPN, offering http/1.1
* schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
* Closing connection 0
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.


Is there a better option than --insecure?

CURL has --ssl-no-revoke, which retrieves the file without problems.


As we are creating these certificates ourselves, we might be able to fix it.
But what could be missing or wrong?


Kind regards

CsKwg
Hi Mike,

working with --insecure, another problem came up:

I reconfigured the website to use more stringent restrictions:
Only Basic and Windows Authentication are allowed
and the connecting user must be in the Users group.

Then I'm passing the credentials as arguments to Prince:

A)
GetUrlStatus: SC:OK url:https://pdf.oni.test/input/403_20220522-175650.htm
WaitForFile: OK url:https://pdf.oni.test/input/403_20220522-175650.htm

B)
RunProcess: name:C:\EVV\prince\bin\prince.exe args:-v --insecure --auth-user=PDFrender --auth-password=XXXX https://pdf.oni.test/input/403_20220522-175650.htm -o c:\EVV\pdftest\output\403_20220522-175650.pdf
RunProcess: name:C:\EVV\prince\bin\prince.exe code:1
RunProcess: name:C:\EVV\prince\bin\prince.exe output:
RunProcess: name:C:\EVV\prince\bin\prince.exe error:prince: loading document: C:\EVV\prince\license\license.dat

C)
prince: Loading document...
prince: loading document: https://pdf.oni.test/input/403_20220522-175650.htm
prince: loading HTML5 input: https://pdf.oni.test/input/403_20220522-175650.htm
prince: loading document: https://pdf.oni.test/input/403_20220522-175650.htm
prince: https://pdf.oni.test/input/403_20220522-175650.htm: error: The requested URL returned error: 401
prince: https://pdf.oni.test/input/403_20220522-175650.htm: error: could not load input file
prince: error: failed to load all input documents
prince: Finished: failure


Regarding A)
Before running PrinceXML, WaitForStatus and GetUrlStatus check if the file (url) exists.
This succeeds.

Regarding B)
Shows the arguments given to PrinceXML and the results.

Regarding C)
Shows the PrinceXML output:

- There is a problem checking the licence. But this file exists and is looking fine to me.
- And PrinceXML cannot download the HTML file.

But if I try downloading this file manually, it succeeds.

What could cause this, and how can I prevent it so that it works?


Kind regards

CsKwg
Could this have to do with it?
https://github.com/jeroen/curl/issues/193
mikeday
We may need to add a new option to Prince equivalent to ssl-no-revoke.

Regarding the license.dat issue, does the file exist at the specified path, and does the Prince executable have permissions to access that drive and path?
mikeday
We have added two new options in the latest builds, --ssl-no-revoke and --ssl-revoke-best-effort, to control the curl behaviour on Windows.
CsKwg
Thank you very much! Running this version shows a licensing error:

license.dat: warning: inapplicable license for this version

Version is: Prince 20220715

mikeday
You will need an updated license file, by purchasing a support contract.
CsKwg
For me, with the latest version, it does not work:

c:\temp C:\xxx\prince\bin\prince.exe -v --ssl-no-revoke --auth-user=PDFrender --auth-password=render.2022.PDF https://pdf.xxx.test/pdf/input/403_20220731-043713.htm -o \\hawk\xxx_pdf\output\403_20220731-043713.pdf
prince: loading document: C:\xxx\prince\license\license.dat
prince: Loading document...
prince: loading document: https://pdf.xxx.test/pdf/input/403_20220731-043713.htm
prince: loading HTML5 input: https://pdf.xxx.test/pdf/input/403_20220731-043713.htm
prince: loading document: https://pdf.xxx.test/pdf/input/403_20220731-043713.htm
prince: https://pdf.xxx.test/pdf/input/403_20220731-043713.htm: error: schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT
prince: https://pdf.xxx.test/pdf/input/403_20220731-043713.htm: error: could not load input file
prince: error: failed to load all input documents
prince: Finished: failure

c:\temp C:\xxx\prince\bin\prince.exe -v --ssl-revoke-best-effort --auth-user=PDFrender --auth-password=render.2022.PDF https://pdf.xxx.test/pdf/input/403_20220731-043713.htm -o \\hawk\xxx_pdf\output\403_20220731-043713.pdf
prince: loading document: C:\xxx\prince\license\license.dat
prince: Loading document...
prince: loading document: https://pdf.xxx.test/pdf/input/403_20220731-043713.htm
prince: loading HTML5 input: https://pdf.xxx.test/pdf/input/403_20220731-043713.htm
prince: loading document: https://pdf.xxx.test/pdf/input/403_20220731-043713.htm
prince: https://pdf.xxx.test/pdf/input/403_20220731-043713.htm: error: schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT
prince: https://pdf.xxx.test/pdf/input/403_20220731-043713.htm: error: could not load input file
prince: error: failed to load all input documents
prince: Finished: failure

c:\temp C:\xxx\prince\bin\prince.exe --version
Prince 20220715
Copyright 2002-2022 YesLogic Pty. Ltd.
Non-commercial License



Besides, I cannot find these new flags in the documentation:
https://www.princexml.com/doc/command-line/



csant
"Besides, I cannot find these new flags in the documentation"

The documentation is only for the latest release. If you want to check out docs for the latest builds, you can directly browse the GitHub repo - you might find more on there (but keep in mind that it is work in progress).
wangp
Can you post the output with the --curl-verbose option?

The --ssl-no-revoke option allows https://revoked.badssl.com to be loaded. But the error there is CERT_TRUST_IS_REVOKED instead of the CERT_TRUST_IS_UNTRUSTED_ROOT error that you are getting.

without --ssl-no-revoke
C:\prince-20220715-win64\bin>prince https://revoked.badssl.com/ -o test.pdf -v --curl-verbose
prince: loading document: C:\prince-20220715-win64\license\license.dat
prince: Loading document...
prince: loading document: https://revoked.badssl.com/
*   Trying 104.154.89.105:443...
* Connected to revoked.badssl.com (104.154.89.105) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: added 135 certificate(s) from CA file 'C:\prince-20220715-win64/etc/curl-ca-bundle.crt'
* schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED
* Closing connection 0
prince: loading HTML5 input: https://revoked.badssl.com/
prince: loading document: https://revoked.badssl.com/
prince: https://revoked.badssl.com/: error: schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED
prince: https://revoked.badssl.com/: error: could not load input file
prince: error: failed to load all input documents
prince: Finished: failure

with --ssl-no-revoke
C:\prince-20220715-win64\bin>prince https://revoked.badssl.com/ -o test.pdf -v --curl-verbose --ssl-no-revoke
prince: loading document: C:\prince-20220715-win64\license\license.dat
prince: Loading document...
prince: loading document: https://revoked.badssl.com/
*   Trying 104.154.89.105:443...
* Connected to revoked.badssl.com (104.154.89.105) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: added 135 certificate(s) from CA file 'C:\prince-20220715-win64/etc/curl-ca-bundle.crt'
* schannel: connection hostname (revoked.badssl.com) validated against certificate name (revoked.badssl.com)
> GET / HTTP/1.1
Host: revoked.badssl.com
User-Agent: Prince/20220715 (www.princexml.com)
Accept: */*
Accept-Encoding: deflate, gzip

* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.10.3 (Ubuntu)
< Date: Mon, 01 Aug 2022 06:20:38 GMT
< Content-Type: text/html
< Last-Modified: Tue, 17 May 2022 21:15:46 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< ETag: W/"62841082-23f"
< Cache-Control: no-store
< Content-Encoding: gzip
<
* Connection #0 to host revoked.badssl.com left intact
prince: loading HTML5 input: https://revoked.badssl.com/
prince: loading document: https://revoked.badssl.com/
prince: Applying style sheets...
* Found bundle for host: 0x79d3480 [serially]
* Re-using existing connection #0 with host revoked.badssl.com
* Connected to revoked.badssl.com (104.154.89.105) port 443 (#0)
> GET /style.css HTTP/1.1
Host: revoked.badssl.com
User-Agent: Prince/20220715 (www.princexml.com)
Accept: */*
Accept-Encoding: deflate, gzip
Referer: https://revoked.badssl.com/

prince: loading style sheet: https://revoked.badssl.com/style.css
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.10.3 (Ubuntu)
< Date: Mon, 01 Aug 2022 06:20:38 GMT
< Content-Type: text/css
< Content-Length: 1506
< Last-Modified: Tue, 17 May 2022 16:17:37 GMT
< Connection: keep-alive
< ETag: "6283caa1-5e2"
< Cache-Control: no-store
< Accept-Ranges: bytes
<
* Connection #0 to host revoked.badssl.com left intact
prince: https://revoked.badssl.com/style.css: warning: unsupported properties: padding-inline-start
prince: Preparing document...
prince: Converting document...
prince: used font: Consolas, Bold
prince: used font: Arial, Regular
prince: Finished: success
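
An added diagnostic, not code from this thread or from Prince: it asks the Windows chain engine (the CertGetCertificateChain machinery behind the schannel errors quoted above) for the status flags of a leaf certificate with and without its issuing CA, and with online revocation checking. The CA and leaf are constructed in memory with made-up subject names, and the function names are hypothetical; it assumes Windows with PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Create a constructed, in-memory certificate: self-signed when no issuer is
# given, otherwise signed by the issuer. Nothing is written to any store.
function New-TestCert {
    param([string]$Subject, [X509Certificate2]$Issuer, [bool]$IsCa)
    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $key,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add(
        [X509BasicConstraintsExtension]::new($IsCa, $false, 0, $true))
    $now = [DateTimeOffset]::UtcNow
    if (-not $Issuer) {
        return $req.CreateSelfSigned($now.AddDays(-2), $now.AddDays(365))
    }
    # The leaf's validity window must sit inside the issuer's.
    return $req.Create($Issuer, $now.AddDays(-1), $now.AddDays(30), [byte[]](1..8))
}

# Build a chain for $Leaf and return the chain status flags as text.
# $Extra holds the certificates the client can see besides the leaf.
function Get-ChainFlags {
    param([X509Certificate2]$Leaf, [X509Certificate2[]]$Extra = @(),
          [X509RevocationMode]$Revocation)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = $Revocation
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::ExcludeRoot
    foreach ($c in $Extra) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    [void]$chain.Build($Leaf)
    ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}

# Constructed sample input: a private root CA and one leaf issued by it.
# Neither carries a CRL distribution point or OCSP URL.
$ca   = New-TestCert -Subject 'CN=Constructed Test Root CA' -IsCa $true
$leaf = New-TestCert -Subject 'CN=pdf.example.test' -Issuer $ca -IsCa $false

$cases = @(
    @{ Name = 'leaf only, no revocation check'; Extra = @();    Mode = 'NoCheck' },
    @{ Name = 'leaf + CA, no revocation check'; Extra = @($ca); Mode = 'NoCheck' },
    @{ Name = 'leaf + CA, online revocation';   Extra = @($ca); Mode = 'Online'  }
)
foreach ($case in $cases) {
    $flags = Get-ChainFlags -Leaf $leaf -Extra $case.Extra -Revocation $case.Mode
    '{0,-32} -> {1}' -f $case.Name, $flags
}
```

To check a real certificate instead, load the exported file with `[X509Certificate2]::new('path\to\leaf.cer')` and pass it as `-Leaf`, adding any intermediate or root files through `-Extra`.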