Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Acesso negado a URL do QrCode payload no ambiente de desenvolvimento no QrTester. #582

Open
kadubezas opened this issue Jan 18, 2024 · 8 comments
Open

Acesso negado a URL do QrCode payload no ambiente de desenvolvimento no QrTester. #582

kadubezas opened this issue Jan 18, 2024 · 8 comments

Comments

@kadubezas
Copy link

Ao tentar testar um QrCode gerado no ambiente de homologação foi encontrado um erro de acesso negado.
segue a imagem.
MicrosoftTeams-image
@rubenskuhl
Copy link

O que o QR-Tester está dizendo é o servidor do Banpará recusou o acesso, com código HTTP de acesso negado... não é o do Banco Central que está negando.

@leolima77
Copy link

o endpoint da location precisa estar público.

@dev-gto
Copy link

dev-gto commented Jan 24, 2024

Precisa resolver esses erros de certificado ssl:

openssl s_client -connect qrcode-h.banpara.b.br:443
CONNECTED(00000003)
depth=0 serialNumber = 04.913.711/0001-08, jurisdictionC = BR, businessCategory = Government Entity, C = BR, ST = Par\C3\A1, O = BANCO DO ESTADO DO PARA S A, CN = qrcode-h.banpara.b.br
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = 04.913.711/0001-08, jurisdictionC = BR, businessCategory = Government Entity, C = BR, ST = Par\C3\A1, O = BANCO DO ESTADO DO PARA S A, CN = qrcode-h.banpara.b.br
verify error:num=21:unable to verify the first certificate
verify return:1
---

@arantesxyz
Copy link

Precisa resolver esses erros de certificado ssl:

openssl s_client -connect qrcode-h.banpara.b.br:443
CONNECTED(00000003)
depth=0 serialNumber = 04.913.711/0001-08, jurisdictionC = BR, businessCategory = Government Entity, C = BR, ST = Par\C3\A1, O = BANCO DO ESTADO DO PARA S A, CN = qrcode-h.banpara.b.br
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = 04.913.711/0001-08, jurisdictionC = BR, businessCategory = Government Entity, C = BR, ST = Par\C3\A1, O = BANCO DO ESTADO DO PARA S A, CN = qrcode-h.banpara.b.br
verify error:num=21:unable to verify the first certificate
verify return:1
---

Tenho o mesmo erro no qrtester (Acesso negado), ao testar com openssl, não parece ter nenhum erro. Funciona normalmente quando outras instituições tentam pagar.

ga@sandbox % openssl s_client -connect {{URL}}:443

CONNECTED(00000006)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = BR, O = CERTDATA SERVICOS DE INFORMACAO LTDA, CN = CERTDATA SSL EV CA  [Run by the Issuer]
verify return:1
depth=0 serialNumber = 31.818.873/0001-30, jurisdictionC = BR, businessCategory = Private Organization, C = BR, ST = Minas Gerais, O = QESH INSTITUICAO DE PAGAMENTO LTDA, CN = {{URL}}
verify return:1
---
Certificate chain
 0 s:serialNumber = 31.818.873/0001-30, jurisdictionC = BR, businessCategory = Private Organization, C = BR, ST = Minas Gerais, O = QESH INSTITUICAO DE PAGAMENTO LTDA, CN = {{URL}}
   i:C = BR, O = CERTDATA SERVICOS DE INFORMACAO LTDA, CN = CERTDATA SSL EV CA  [Run by the Issuer]
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  3 00:00:00 2023 GMT; NotAfter: Aug  2 23:59:59 2024 GMT
 1 s:C = BR, O = CERTDATA SERVICOS DE INFORMACAO LTDA, CN = CERTDATA SSL EV CA  [Run by the Issuer]
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar  5 00:00:00 2020 GMT; NotAfter: Mar  5 23:59:59 2030 GMT
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate

{{ decodificado no próximo bloco }}

subject=serialNumber = 31.818.873/0001-30, jurisdictionC = BR, businessCategory = Private Organization, C = BR, ST = Minas Gerais, O = QESH INSTITUICAO DE PAGAMENTO LTDA, CN = {{URL}}
issuer=C = BR, O = CERTDATA SERVICOS DE INFORMACAO LTDA, CN = CERTDATA SSL EV CA  [Run by the Issuer]
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5315 bytes and written 394 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: C4F68D51FC429700940E48C82868EA5DB995A5A499EE8A7A346470605941714B
    Session-ID-ctx: 
    Resumption PSK: 31007118010DE0D39573E0C7E8F75F7B1A1C92C9959415E879579768EADF3953C24EE1FF1F97DCF59A40004FFCD84945
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - 1c 6b 28 7c 76 19 54 5a-ec c5 0a 57 80 1b f6 37   .k(|v.TZ...W...7
    0010 - 7a 16 74 1f 9f b6 61 76-06 5d 29 6b 47 a5 d6 d5   z.t...av.])kG...
    0020 - af a2 c5 cf 71 d3 25 a6-76 8d 4d d0 97 3e bc 1d   ....q.%.v.M..>..
    0030 - 46 ea 49 d2 99 25 0e 13-04 92 6c d9 c8 f5 4a 70   F.I..%....l...Jp
    0040 - a9 5c ea 3f 47 0b 7d 47-95 6e 2b b6 4f 39 17 ae   .\.?G.}G.n+.O9..
    0050 - 8f c4 a5 6d a4 cd 5d 64-92 08 1f 5c ee 95 d5 f5   ...m..]d...\....
    0060 - 91 35 1d c7 f5 55 69 ad-d5 16 52 07 66 9d d8 46   .5...Ui...R.f..F
    0070 - c5 b8 44 e5 08 88 cd 8b-32 86 ed b3 7e 80 69 94   ..D.....2...~.i.
    0080 - 2b                                                +

    Start Time: 1706739065
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Certificado decodificado do resultado acima:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f2:1b:a1:2e:b7:47:45:60:53:ee:f9:41:3c:2c:78:37
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = BR, O = CERTDATA SERVICOS DE INFORMACAO LTDA, CN = CERTDATA SSL EV CA  [Run by the Issuer]
        Validity
            Not Before: Aug  3 00:00:00 2023 GMT
            Not After : Aug  2 23:59:59 2024 GMT
        Subject: serialNumber = 31.818.873/0001-30, jurisdictionC = BR, businessCategory = Private Organization, C = BR, ST = Minas Gerais, O = QESH INSTITUICAO DE PAGAMENTO LTDA, CN = {{URL}}
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ae:43:c3:07:26:d4:92:ee:48:f7:f0:8a:0c:68:
                    57:b2:4b:1b:e3:89:2f:4a:47:cd:64:04:50:34:35:
                    36:00:e0:64:6e:72:82:3f:9d:70:46:08:5e:b4:87:
                    7a:45:a4:ee:d3:c0:b7:a4:12:1e:f9:db:17:e7:83:
                    c4:97:8b:e3:0a:5a:b0:5f:1f:dd:3a:46:bf:77:ba:
                    54:8f:22:c0:0c:3e:3c:34:33:3d:b3:39:54:5a:7b:
                    84:c7:8e:e0:1a:2f:e6:d4:4b:b8:ea:56:ac:d7:1d:
                    a3:14:ac:64:b5:5f:b8:bf:a5:25:ad:da:16:2f:d0:
                    40:cc:24:db:43:19:ee:c7:90:b4:4e:07:d5:f0:5d:
                    78:a2:ff:0b:86:a4:4d:b0:cd:cd:15:88:8b:3b:21:
                    af:86:ec:23:32:e0:c2:47:e4:fc:53:b7:74:e1:8a:
                    34:3a:41:f8:ac:94:d1:f5:bf:6b:4c:66:22:a4:fb:
                    f4:c2:1b:a6:c1:4e:7c:fd:80:f0:77:ca:66:04:4f:
                    31:78:43:77:11:90:87:53:9c:ca:a4:00:50:b3:b8:
                    5a:43:2d:58:18:67:71:d6:5a:ca:9a:81:da:9c:5a:
                    71:c4:4e:72:00:8d:96:53:51:b5:fe:2a:03:2e:d0:
                    c0:57:b1:32:ec:0c:11:d7:9e:b8:2b:b9:fc:69:67:
                    61:25
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                39:48:24:86:9F:D3:37:B5:49:71:AA:C8:A8:40:34:F8:6B:87:CC:D9
            X509v3 Subject Key Identifier: 
                B8:16:89:97:91:B0:E1:00:02:ED:13:71:27:64:0E:6E:68:08:A4:53
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.6449.1.2.1.5.1
                  CPS: https://sectigo.com/CPS
                Policy: 2.23.140.1.1
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://certdata.crl.sectigo.com/CERTDATASSLEVCA.crl
            Authority Information Access: 
                CA Issuers - URI:http://certdata.crt.sectigo.com/CERTDATASSLEVCA.crt
                OCSP - URI:http://certdata.ocsp.sectigo.com
            X509v3 Subject Alternative Name: 
                DNS:{{URL}}, DNS:www.{{URL}}
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34:
                                B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74
                    Timestamp : Aug  3 12:08:21.633 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:1C:10:F7:4A:01:59:E0:7C:85:AB:42:D0:
                                9F:E3:A5:09:17:BC:F4:05:33:5B:F5:EF:DE:DB:D8:58:
                                1F:A0:33:A3:02:21:00:81:55:C2:2D:AB:07:16:78:6F:
                                27:C9:4D:91:14:1C:7A:8B:8A:12:43:E0:6D:2E:82:74:
                                81:3E:14:71:E0:08:7F
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DA:B6:BF:6B:3F:B5:B6:22:9F:9B:C2:BB:5C:6B:E8:70:
                                91:71:6C:BB:51:84:85:34:BD:A4:3D:30:48:D7:FB:AB
                    Timestamp : Aug  3 12:08:21.722 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:69:49:C7:2C:C4:4A:02:B6:55:A9:E5:34:
                                62:FE:D5:27:4C:B1:D6:62:30:F6:DE:7E:C9:AD:4D:EE:
                                92:B2:CB:7B:02:20:6F:7D:D4:EF:80:84:D3:49:7B:29:
                                02:5C:0D:88:98:C7:73:D3:EC:79:5F:96:39:4A:50:A8:
                                F5:23:0E:54:77:53
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
                                32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
                    Timestamp : Aug  3 12:08:21.675 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:7C:40:7A:8A:1A:AD:75:F8:6E:8E:3D:CF:
                                7E:26:86:D7:68:C4:DA:AB:F5:BB:98:5B:CC:6D:0C:04:
                                34:AC:B9:D6:02:21:00:A6:B8:95:4E:DE:E0:BC:0F:F5:
                                8B:56:C6:5A:3D:72:8C:5B:C4:C8:18:EB:40:86:41:A9:
                                6C:33:D4:24:67:99:5D
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        c4:32:c9:38:25:5f:c9:78:01:f9:a7:38:63:62:2c:01:5e:6b:
        73:99:e3:d4:43:b9:0b:a8:b9:42:92:c4:20:58:12:0c:35:b4:
        c0:88:99:ee:d1:53:e9:c4:87:cf:81:cf:ce:82:ab:20:48:41:
        ef:2a:5d:78:cd:80:7b:10:12:f3:4e:e6:31:d4:53:5f:75:f2:
        cf:9c:6b:ce:c2:9a:a6:05:3f:79:8e:8a:65:cf:02:f4:d3:87:
        85:eb:d5:ef:0d:45:38:ce:04:46:36:df:f1:e5:7e:3b:f0:cd:
        56:ab:21:94:04:e9:e1:48:51:17:9f:08:1b:70:f3:99:58:15:
        05:7b:45:66:1b:09:72:f8:18:00:dd:37:44:14:eb:50:15:cc:
        f8:ab:3b:34:03:5f:5d:e6:e0:39:c3:a4:6a:a7:7f:20:f8:e1:
        7e:97:67:da:72:43:11:4c:15:96:18:d6:84:67:ce:31:7e:32:
        9c:22:18:3d:4d:71:6c:6b:b8:e3:12:e1:37:e3:3d:08:e9:3f:
        7c:68:4e:e7:a7:ac:bf:52:7f:87:4c:79:ee:2f:66:a5:cf:f8:
        68:e0:80:b6:56:f2:25:68:0d:17:b4:6d:89:44:30:df:3a:68:
        3a:50:e5:17:0f:9b:92:a4:60:d7:71:ef:57:14:91:50:ff:3e:
        c6:ca:26:39

@rubenskuhl
Copy link

Precisa resolver esses erros de certificado ssl:

openssl s_client -connect qrcode-h.banpara.b.br:443
CONNECTED(00000003)
depth=0 serialNumber = 04.913.711/0001-08, jurisdictionC = BR, businessCategory = Government Entity, C = BR, ST = Par\C3\A1, O = BANCO DO ESTADO DO PARA S A, CN = qrcode-h.banpara.b.br
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = 04.913.711/0001-08, jurisdictionC = BR, businessCategory = Government Entity, C = BR, ST = Par\C3\A1, O = BANCO DO ESTADO DO PARA S A, CN = qrcode-h.banpara.b.br
verify error:num=21:unable to verify the first certificate
verify return:1
---

Tenho o mesmo erro no qrtester (Acesso negado), ao testar com openssl, não parece ter nenhum erro. Funciona normalmente quando outras instituições tentam pagar.

O que diz o relatório completo de https://www.ssllabs.com/ssltest/ ?

@arantesxyz
Copy link

Precisa resolver esses erros de certificado ssl:

openssl s_client -connect qrcode-h.banpara.b.br:443
CONNECTED(00000003)
depth=0 serialNumber = 04.913.711/0001-08, jurisdictionC = BR, businessCategory = Government Entity, C = BR, ST = Par\C3\A1, O = BANCO DO ESTADO DO PARA S A, CN = qrcode-h.banpara.b.br
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = 04.913.711/0001-08, jurisdictionC = BR, businessCategory = Government Entity, C = BR, ST = Par\C3\A1, O = BANCO DO ESTADO DO PARA S A, CN = qrcode-h.banpara.b.br
verify error:num=21:unable to verify the first certificate
verify return:1
---

Tenho o mesmo erro no qrtester (Acesso negado), ao testar com openssl, não parece ter nenhum erro. Funciona normalmente quando outras instituições tentam pagar.

O que diz o relatório completo de https://www.ssllabs.com/ssltest/ ?

image

Mas o QRTester nem faz a chamada no meu servidor.

@rubenskuhl
Copy link

Esse é só o sumário.. no relatório completo que dá para ver potenciais problemas.

@arantesxyz
Copy link

Obrigado pelo auxílio, vou aguardar a resposta do BCB no email.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@leolima77 @rubenskuhl @kadubezas @arantesxyz @dev-gto