This is a migrated thread and some comments may be shown as answers.

Failed to identify private key location for Root Certificate - CertEnroll and MakeCert failing

8 Answers 1216 Views
Windows
Philip
Philip asked on 05 Sep 2019, 09:38 PM
I have Fiddler set up as a reverse proxy to capture requests and responses from my app. While my app is working, it's not capturing any requests or responses, and I'm getting these errors in my Fiddler log. I tried CertEnroll and MakeCert, but both throw different errors.

I tried searching for this error and I read this article but I don't know what the issue is:
https://www.telerik.com/blogs/faq---certificates-in-fiddler

How can I fix these errors so Fiddler can capture my requests and responses in my app?

-= Fiddler Event Log =-
See http://fiddler2.com/r/?FiddlerLog for details.

15:13:46:5212 Fiddler Running...
15:13:46:5592 !WARNING Fiddler has detected that Chrome GPO specifies proxy configuration 'system'.
15:13:54:5022 /Fiddler.CertMaker> Using Fiddler.DefaultCertificateProvider+CertEnrollEngine for certificate generation
15:13:54:5252 /Fiddler.CertMaker> Failed to identify private key location for Root Certificate. Exception: System.NullReferenceException Object reference not set to an instance of an object.
15:13:54:5272 /Fiddler.CertMaker> Invoking CertEnroll for arguments: CN=doesitmatter.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com
15:13:54:8502 !ERROR: Failed to generate Certificate using CertEnroll. System.Reflection.TargetInvocationException Exception has been thrown by the target of an invocation. < CertEnroll::CSignerCertificate::Initialize: The certificate does not have a property that references a private key. 0x8009200a (-2146885622)
15:13:54:8502 /Fiddler.CertMaker> Failed to identify private key location for Root Certificate. Exception: System.NullReferenceException Object reference not set to an instance of an object.
15:13:54:8502 !Fiddler.CertMaker> Tried to create cert for doesitmatter.com, but can't find it from thread 10!
15:13:54:8512 fiddler.https> Failed to obtain certificate for doesitmatter.com due to Certificate Maker returned null when asked for a certificate for doesitmatter.com
15:13:59:8712 /Fiddler.CertMaker> Invoking CertEnroll for arguments: CN=some-url.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com
15:13:59:8712 /Fiddler.CertMaker> Reusing PrivateKey for new certificate.
15:13:59:8812 !ERROR: Failed to generate Certificate using CertEnroll. System.Reflection.TargetInvocationException Exception has been thrown by the target of an invocation. < CertEnroll::CSignerCertificate::Initialize: The certificate does not have a property that references a private key. 0x8009200a (-2146885622)
15:13:59:8812 /Fiddler.CertMaker> Failed to identify private key location for Root Certificate. Exception: System.NullReferenceException Object reference not set to an instance of an object.
15:13:59:8812 !Fiddler.CertMaker> Tried to create cert for some-url.com, but can't find it from thread 13!
15:13:59:8812 fiddler.https> Failed to obtain certificate for some-url.com due to Certificate Maker returned null when asked for a certificate for some-url.com


When I use MakeCert:


-= Fiddler Event Log =-
See http://fiddler2.com/r/?FiddlerLog for details.

17:27:43:2012 Fiddler Running...
17:27:43:2322 !WARNING Fiddler has detected that Chrome GPO specifies proxy configuration 'system'.
17:27:48:1422 /Fiddler.CertMaker> Using Fiddler.DefaultCertificateProvider+MakeCertEngine for certificate generation
17:27:48:1652 /Fiddler.CertMaker> Failed to identify private key location for Root Certificate. Exception: System.NullReferenceException Object reference not set to an instance of an object.
17:27:48:1682 /Fiddler.CertMaker> Invoking makecert.exe with arguments: -pe -ss my -n "CN=something.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha256 -m 132 -b 09/04/2018
17:27:48:8222 /Fiddler.CertMaker>11-CreateCert(something.com) => (-1)
Results from C:\Program Files (x86)\Fiddler2\MakeCert.exe -pe -ss my -n "CN=something.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha256 -m 132 -b 09/04/2018

Error: Fail to acquire a security provider from the issuer's certificate
Failed
-------------------------------------------

17:27:48:8222 Fiddler.CertMaker> [C:\Program Files (x86)\Fiddler2\MakeCert.exe -pe -ss my -n "CN=something.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha256 -m 132 -b 09/04/2018 ] Returned Error: Creation of the interception certificate failed.

makecert.exe returned -1.

Results from C:\Program Files (x86)\Fiddler2\MakeCert.exe -pe -ss my -n "CN=something.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha256 -m 132 -b 09/04/2018

Error: Fail to acquire a security provider from the issuer's certificate
Failed
-------------------------------------------

8 Answers, 1 is accepted

0
Philip
answered on 05 Sep 2019, 09:48 PM
Fiddler v4.5.1.2
0
Philip
answered on 09 Sep 2019, 01:32 PM
Need help.
0
Eric R | Senior Technical Support Engineer
Telerik team
answered on 10 Sep 2019, 01:30 PM

Hi Philip,

It looks like the Certificate Common Name (CN) is incorrect. This is usually DO_NOT_TRUST_FiddlerRoot, and I don't see where doesitmatter.com is being set. I recommend resetting the configuration using the steps below.

Step 1 - Go to Tools -> Fiddler Options -> HTTPS

Step 2 - Untick "Decrypt HTTPS"

Step 3 - Click Remove Interception Certificates. (Accept All Prompts)

Step 4 - Retick "Decrypt HTTPS"

For setting up the reverse proxy, see the Use Fiddler as a Reverse Proxy documentation.

Please give this a try and let me know the results. Thank you and I look forward to your reply.

Regards,


Eric R | Technical Support Engineer
Progress Telerik

Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
0
Philip
answered on 11 Sep 2019, 04:06 PM

I did what you said, and now my app isn't running at all. It gives this error:

java.rmi.RemoteException: Error when invoking remote method: somesoapservice; nested exception is:
    java.lang.reflect.InvocationTargetException
Caused by: javax.xml.ws.soap.SOAPFaultException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: com.ibm.jsse2.util.h: KeyUsage does not allow digital signatures

Can you update these instructions? They weren't right for me. I had to create the DWORD string and give it the value of my port. It did not already exist.

0
Philip
answered on 11 Sep 2019, 08:30 PM

I'm getting this error along with the "KeyUsage does not allow digital signatures" error.

CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN "CN=myservice.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" was sent from target host:port "127.0.0.1:8888".  The signer may need to be added to local trust store "C:/Program Files (x86)/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/MYNode01Cell/nodes/MYNode01/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml".  The extended error message from the SSL handshake exception is: "KeyUsage does not allow digital signatures".


As you can see, I've already added the Fiddler and myservice.com certs to my trust.p12 that's shown in the above error. However, I think it's looking for the cert Fiddler created for myservice.com. I don't know where that cert is or why I would need to add it.
$ keytool -list -v -keystore  trust.p12
Enter keystore password:  WebAS
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: fiddlernew
Creation date: Sep 11, 2019
Entry type: trustedCertEntry

Owner: CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com
Issuer: CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com
Serial number: 414c37d1e9259bb6431f9bd685b66439
Valid from: Sun Sep 09 06:28:18 EDT 2018 until: Sun Sep 08 06:28:18 EDT 2024
Certificate fingerprints:
         MD5:  23:46:FD:3B:30:16:9D:98:68:2A:8B:64:6C:32:CA:A7
         SHA1: 23:B0:43:DF:37:1A:C7:2E:BB:D4:47:A1:ED:24:86:9B:1F:CA:04:6A
         SHA256: EB:39:30:D0:31:41:3F:28:DE:2F:B2:1A:A7:87:E0:99:A7:D4:9D:EB:A2:24:65:B5:26:EA:38:3A:AD:43:66:43
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6B 59 E5 48 17 90 8D A8   69 20 C2 A3 9C 79 1E 9F  kY.H....i ...y..
0010: 9E A9 7F 8D                                        ....
]
]



*******************************************
*******************************************


Alias name: myservice
Creation date: Sep 11, 2019
Entry type: trustedCertEntry

Owner: CN=myservice.com......the rest of my myservice.com ...
I'm trying different ciphers now in case it's a cipher issue instead of a cert one. I was able to run my app and hit myservice.com fine; the requests just weren't showing in Fiddler. But now the requests don't complete.

0
Philip
answered on 11 Sep 2019, 08:44 PM
Fiddler Dev Log

16:19:40:9857 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. on pipe to (CN=myservice.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
16:42:14:1337 !SecureClientPipeDirect failed: System.IO.IOException Unable to read data from the transport connection: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. < A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond on pipe to (CN=myservice.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
0
Philip
answered on 11 Sep 2019, 09:18 PM

I finally got it working. I had to disable all SSL_ECDHE_* and SSL_DHE_* ciphers in my WebSphere 8.5.0.0. Now it's using SSL_RSA_WITH_AES_128_GCM_SHA256 to connect successfully. I'm pretty sure this defect was the cause of my issue.
http://www-01.ibm.com/support/docview.wss?uid=swg1PM68915
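The KeyUsage check behind the WebSphere error above, as an added example written for this thread (not code from Fiddler, IBM, or the poster): it decodes a DER KeyUsage extension (OID 2.5.29.15, the one keytool printed) and reports whether an RSA server certificate with those bits can complete a handshake under a given cipher suite, which is why the ECDHE/DHE suites failed and SSL_RSA_WITH_AES_128_GCM_SHA256 worked. The DER bytes are constructed here from the keytool listing; the leaf certificate's real bits are not shown in the thread, and an absent extension is assumed to impose no restriction.

```python
# Added example: decode an X.509 KeyUsage BIT STRING and compare it with the
# key exchange of a JSSE cipher suite (RSA certificates only).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (RFC 5280 KeyUsage) into the set of named bits."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length != len(der) - 2 or length < 1:
        raise ValueError("bad BIT STRING length")
    unused, body = der[2], der[3:]
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, bit = divmod(i, 8)
        if byte >= len(body):
            break
        if byte == len(body) - 1 and bit >= 8 - unused:
            break  # trailing unused bits of the last byte are not part of the string
        if body[byte] & (0x80 >> bit):
            usages.add(name)
    return usages

def required_key_usage(cipher_suite: str) -> str:
    """KeyUsage bit the server cert needs for the suite's key exchange.
    ECDHE/DHE: the server signs the ephemeral parameters -> digitalSignature.
    Plain RSA key exchange: the client encrypts the premaster -> keyEncipherment."""
    kx = cipher_suite.split("_WITH_")[0]
    if "ECDHE" in kx or "DHE" in kx:
        return "digitalSignature"
    if kx.endswith("RSA"):
        return "keyEncipherment"
    raise ValueError(f"unsupported key exchange in {cipher_suite}")

def handshake_allowed(key_usage_der, cipher_suite: str) -> bool:
    """True if the cert's KeyUsage permits the suite; None = extension absent."""
    if key_usage_der is None:
        return True  # assumption: no KeyUsage extension means no restriction
    return required_key_usage(cipher_suite) in decode_key_usage(key_usage_der)

# Constructed from the keytool output in the thread: keyCertSign + cRLSign.
FIDDLER_ROOT_KEY_USAGE = bytes.fromhex("03020106")
# Constructed: a leaf cert with keyEncipherment but no digitalSignature.
LEAF_KEY_ENCIPHERMENT_ONLY = bytes.fromhex("03020520")
```

To check a real certificate, export it from trust.p12 and feed the raw value of the 2.5.29.15 extension to decode_key_usage.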

0
Eric R | Senior Technical Support Engineer
Telerik team
answered on 12 Sep 2019, 03:32 PM

Hi Philip,

I am glad to hear this resolved your scenario. As always, if you have any additional questions please don't hesitate to create a new thread.

Thank you for using the Fiddler Forums.

Regards,


Eric R | Technical Support Engineer
Progress Telerik
