Hyperledger Fabric CA - Certificate expired - hyperledger

I read this post in the official documentation:
https://hyperledger-fabric.readthedocs.io/en/latest/certs_management.html#certificate-renewal
I have some expired certificates. I configured my Fabric CA by adding the env var FABRIC_CA_SERVER_CA_REENROLLIGNORECERTEXPIRY=true
and also changing fabric-ca-server-config.yaml with reenrollIgnoreCertExpiry: true
After restarting the Docker container I use the command
fabric-ca-client reenroll --csr.keyrequest.reusekey -u https://localhost:11054 --mspdir /usr/src/hyperledger/fabric-samples/my-network/crypto-config/peerOrganizations/network.eu/msp --caname ca-test
but I get this response:
Post "https://localhost:11054/reenroll": x509: certificate has expired or is not yet valid: current time 2022-11-30T12:15:04Z is after 2022-11-24T14:09:00Z
Can you help me?
After this configuration I think that the previous command creates a new certificate without checking the expiry date.
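The error above quotes the expiry date it tripped over, but not which certificate that date belongs to. As an added example that is not part of the post, here is a small POSIX shell helper (requires openssl; the directory and host:port arguments are placeholders) that lists the notAfter date of every PEM certificate under a directory such as the --mspdir tree, flags the ones already expired or expiring soon, and fetches the expiry of the certificate a TLS endpoint such as the CA server presents, so the date in an x509 error can be matched to the right certificate before any renewal setting is changed.

```shell
#!/bin/sh
# Added example (not from the post): report certificate expiry for a directory
# of PEM files and for the certificate a TLS endpoint presents. Requires openssl.
# Usage: report_dir_expiry /path/to/msp 30 ; server_cert_expiry localhost:11054

# Print "<file> <notAfter> <status>" for every *.pem / *.crt under $1.
# Status is EXPIRED, EXPIRING (within $2 days, default 30) or OK.
# Files that are not certificates (keys, CSRs) are skipped.
report_dir_expiry() {
  dir=$1
  days=${2:-30}
  secs=$((days * 86400))
  find "$dir" -type f \( -name '*.pem' -o -name '*.crt' \) | sort | while read -r f; do
    enddate=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) || continue
    enddate=${enddate#notAfter=}
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
      status=EXPIRED
    elif ! openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null 2>&1; then
      status=EXPIRING
    else
      status=OK
    fi
    printf '%s\t%s\t%s\n' "$f" "$enddate" "$status"
  done
}

# Return 0 if the certificate in file $1 is still valid for at least $2 more
# days (default 0, i.e. "not expired right now"), 1 otherwise.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-0} * 86400 )) >/dev/null 2>&1
}

# Fetch the leaf certificate a TLS server presents and print its notAfter line.
# $1 is host:port; SNI is set to the host part.
server_cert_expiry() {
  printf '' | openssl s_client -connect "$1" -servername "${1%%:*}" 2>/dev/null \
    | openssl x509 -noout -enddate
}
```

Run report_dir_expiry against the MSP directory and server_cert_expiry against the CA endpoint; whichever one reports the notAfter that matches the date in the error is the certificate that needs attention.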

Related

Problem with generating signed certificate for docker when using extfile.cnf

I am trying to generate a signed certificate for Docker using openssl, but I seem to be running into an error when trying to actually generate the signed certificate using the extfile.cnf.
I am essentially following this guide:
https://docs.docker.com/engine/security/protect-access/#use-tls-https-to-protect-the-docker-daemon-socket
When it comes to the step "Now, generate the signed certificate:"
I get the error: "x509: Error on line 1 of config file "extfile.cnf""
I am sure this is not Docker specific or anything, and relates to openssl itself.
Can someone assist me here? Thanks.
OpenSSL version: OpenSSL 1.1.1l 24 Aug 2021
Please change your extfile.cnf file to:
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.domain.com
IP.1 = xxx.xxx.xxx.xxx
Hopefully it will work for you.
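Added example, not from the answer: a shell script that writes an extfile of the form shown above, issues a certificate from a throwaway CA with it, and reads the subjectAltName back, so a malformed extfile surfaces as an openssl error at signing time and a well-formed one can be confirmed before the certificate is handed to the daemon. All names (example.test, 10.0.0.10, the file names) are constructed placeholders; requires openssl.

```shell
#!/bin/sh
# Added example (not from the answer): issue a server certificate whose SANs
# come from an extfile, then verify the SAN and the chain. Requires openssl.
# Usage: d=$(mktemp -d); write_extfile "$d/extfile.cnf"; issue_server_cert "$d" example.test "$d/extfile.cnf"

# Write a minimal extfile. subjectAltName must reference its section with '@';
# the section then lists DNS.n / IP.n entries (placeholder values below).
write_extfile() {
  cat > "$1" <<'EOF'
subjectAltName = @alt_names
extendedKeyUsage = serverAuth

[alt_names]
DNS.1 = *.example.test
DNS.2 = example.test
IP.1 = 10.0.0.10
EOF
}

# Issue a server cert in work dir $1 for CN $2 using extfile $3.
# Produces ca.pem / ca-key.pem (throwaway CA), server-key.pem, server.csr
# and server-cert.pem. Returns non-zero if any openssl step fails.
issue_server_cert() {
  dir=$1; cn=$2; ext=$3
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=test-ca" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$dir/server-key.pem" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
  # The extfile is applied here; a syntax error in it fails this step.
  openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -out "$dir/server-cert.pem" -extfile "$ext" >/dev/null 2>&1 || return 1
}

# Print the SAN entries of certificate $1, e.g.
# "DNS:*.example.test, DNS:example.test, IP Address:10.0.0.10"
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Return 0 if certificate $2 chains to CA $1.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

If issue_server_cert fails, rerun the openssl x509 -req step without the output redirection: the "Error on line N of config file" message names the offending line of the extfile.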

Could not verify the SSL certificate error when running bundle install in ruby on rails app

I have a Ruby on Rails app that is throwing an error when I try to run bundle install. The error is the following:
bundle stdout: Could not verify the SSL certificate for https://rails-assets.org/ There is a chance you are experiencing a man-in-the-middle attack, but most
likely your system doesn't have the CA certificates needed for verification
Our SSL certificate was updated just a few days ago and we haven't changed anything in the app. It started to throw this error out of the blue.
Is there any chance we need to update the root certificates in the system? I mean like running sudo update-ca-certificates or something like that? Is it safe to do that?
The app is on DigitalOcean and we use the capistrano gem to deploy the app.
@lingYan Thanks a lot for guiding me in the right direction! I read the links you posted, but in my case I had to change the steps a little bit because I am not on CentOS 7. So this is exactly what I did:
Made a backup of the certificates file in /etc/ssl/certs:
cp ca-certificates.crt ~/certificatesBackup/ca-certificates-backup.crt
Made a backup of the config file in /etc:
cp ca-certificates.conf ~/certificatesBackup/ca-certificates-backup.conf
Made a backup of the expired certificate in /etc/ssl/certs:
cp DST_Root_CA_X3.pem ~/certificatesBackup/DST_Root_CA_X3_backup.pem
Removed DST_Root_CA_X3.pem from ca-certificates.conf:
I opened the file with vim and removed the line.
Removed the expired certificate in /etc/ssl/certs:
sudo rm DST_Root_CA_X3.pem
Updated certificates:
update-ca-certificates -f -v
Checked if the expired certificate was removed from the chain in ca-certificates.crt:
diff ~/certificatesBackup/ca-certificates-backup.crt ca-certificates.crt
It showed the new certificate.
It was still throwing the error after doing all the steps above, so I realized that I didn't have the ISRG Root CA certificate. In order to add the ISRG Root CA I did the following (which I think is not correct, or maybe I am missing something):
Went to this page https://letsencrypt.org/certificates/ and downloaded the file called ISRG Root X1 (self-signed / pem format)
Went to /usr/local/share/ca-certificates/
Created a new folder called isrgrootx1
Copied the pem file I downloaded previously into the isrgrootx1 folder
Made sure the permissions were OK (755 for the folder, 644 for the file)
Updated the certificates with update-ca-certificates -f -v
Checked if the certificate was added using the diff command: when I ran the diff command it didn't show any change, so I guess the certificate was not added and the error is still there
Am I doing something wrong? Are the steps above correct to add a new certificate? I am starting to feel frustrated with this :(
I checked the certificate of https://rails-assets.org/; it's signed by Let's Encrypt, and one of the root CAs from Let's Encrypt has expired, which would be the cause of your issue.
To understand the issue:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
The possible solution:
https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4
Basically, if that's the cause, you need to remove the DST Root CA and make sure the ISRG Root CA is in your certificate store.
For Ubuntu or Debian systems, the following document describes how to update the certificates:
/usr/share/doc/ca-certificates/README.Debian
Run the following command to create a directory for your own trusted CA certificates:
sudo mkdir /usr/local/share/ca-certificates/extra
Copy the root certificate to the new directory:
sudo cp rootCA.crt /usr/local/share/ca-certificates/extra/
Make sure that the certificate file has the .crt extension.
Run the following command to update the system certificates:
sudo update-ca-certificates

Docker go image - cannot go get - x509: certificate signed by unknown authority

Inside the Docker golang image I am trying to go install a package and it fails with this error:
go install google.golang.org/protobuf/cmd/protoc-gen-go@1.27.0: google.golang.org/protobuf/cmd/protoc-gen-go@1.27.0: invalid version: Get "https://proxy.golang.org/google.golang.org/protobuf/cmd/protoc-gen-go/@v/1.27.0.info": x509: certificate signed by unknown authority
I tried installing CA certificates unsuccessfully.
Any idea what the problem could be?
OK, so the problem was my security client: Cisco AnyConnect "Umbrella".
It was acting like a man in the middle and re-signing the request with its own certificate.
In order for the in-Docker Go client to trust the traffic re-signed by Cisco Umbrella, the "Cisco Umbrella Root CA" certificate needed to be added in the Dockerfile:
So clicking on the .cer URI we can see that certificate.
Now inside my container I could:
$ wget http://www.cisco.com/security/pki/certs/ciscoumbrellaroot.cer
then convert it from a .cer to a .crt file:
$ openssl x509 -inform DER -in ciscoumbrellaroot.cer -out ciscoumbrellaroot.crt
then copy it to the certificate folder:
$ cp ciscoumbrellaroot.crt /usr/local/share/ca-certificates/ciscoumbrellaroot.crt
and lastly update certificates:
$ update-ca-certificates
which outputs this:
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Done! Now we can go get any package:
$ go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1
go: downloading google.golang.org/protobuf v1.27.1
This was written about the Cisco security client but can be applied to any client out there.

Container root certification update problem

I am facing an issue that I want to ask about here.
I have a container that must reach a URL. But because of a root certificate problem, I cannot reach that URL.
When I try to curl from inside the container, I get the error below.
curl: (60) SSL certificate problem: certificate has expired
More details here.
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
I am trying to add this certificate and update the certificates in the Dockerfile with the lines below.
ADD your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates
but I am getting this error.
What I have tried:
tried to delete the entire certificates and install new ones.
tried to use "update-ca-certificates -f"
But it did not work.
So, any suggestions?
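The three threads above (the ISRG Root X1 copy whose diff showed no change, the Cisco .cer that had to be converted to a .crt, and the Dockerfile ADD that still failed) all come down to the same rules of the Debian/Ubuntu trust store: update-ca-certificates only reads PEM files named *.crt under /usr/local/share/ca-certificates, a DER file or a .pem name is silently ignored, and a root the bundle already contains produces no change in /etc/ssl/certs/ca-certificates.crt. As an added example that is not from any of the posts, here are shell helpers (requires openssl; the root-CA name and any paths other than the Debian defaults are placeholders) that convert DER or PEM input to a .crt, check a candidate root against the bundle by SHA-256 fingerprint instead of by diff, and distrust a distribution-shipped root with the "!" prefix in /etc/ca-certificates.conf rather than deleting its file.

```shell
#!/bin/sh
# Added example (not from the posts): helpers for the Debian/Ubuntu CA trust
# store. Requires openssl. Functions that touch /usr/local or /etc need root.

# SHA-256 fingerprint of certificate $1 (PEM or DER), upper-case hex, no colons.
cert_fingerprint() {
  in=$1
  fp=$(openssl x509 -in "$in" -inform PEM -noout -fingerprint -sha256 2>/dev/null) \
    || fp=$(openssl x509 -in "$in" -inform DER -noout -fingerprint -sha256 2>/dev/null) \
    || return 1
  printf '%s\n' "$fp" | sed 's/^.*=//; s/://g'
}

# Write certificate $1 (PEM or DER, e.g. a .cer download) to $2 as PEM.
# $2 must end in .crt, because that is the only name update-ca-certificates reads.
to_pem_crt() {
  case $2 in
    *.crt) ;;
    *) echo "destination must end in .crt: $2" >&2; return 1 ;;
  esac
  openssl x509 -in "$1" -inform PEM -out "$2" 2>/dev/null \
    || openssl x509 -in "$1" -inform DER -out "$2" 2>/dev/null
}

# Return 0 if bundle $1 (e.g. /etc/ssl/certs/ca-certificates.crt) already
# contains certificate $2. Compares fingerprints, so re-wrapped or re-encoded
# copies of the same root still match (a byte diff would not show them).
bundle_contains() {
  want=$(cert_fingerprint "$2") || return 1
  d=$(mktemp -d)
  # split the bundle into one PEM file per certificate
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++; f=d "/" n ".pem"}
                 f{print > f}
                 /-----END CERTIFICATE-----/{close(f); f=""}' "$1"
  found=1
  for c in "$d"/*.pem; do
    [ -e "$c" ] || break
    if [ "$(cert_fingerprint "$c")" = "$want" ]; then found=0; break; fi
  done
  rm -rf "$d"
  return $found
}

# Install root $1 under the name $2 and rebuild the bundle (needs root).
install_root_ca() {
  to_pem_crt "$1" "/usr/local/share/ca-certificates/$2.crt" || return 1
  chmod 644 "/usr/local/share/ca-certificates/$2.crt"
  update-ca-certificates
}

# Distrust a shipped root, e.g. DST_Root_CA_X3.crt, without deleting it:
# a leading "!" in /etc/ca-certificates.conf deselects the entry (needs root;
# sed -i as provided by GNU and busybox sed).
distrust_root() {
  sed -i "s|^\(mozilla/$1\)\$|!\1|" /etc/ca-certificates.conf && update-ca-certificates
}
```

Before adding a root, run bundle_contains /etc/ssl/certs/ca-certificates.crt candidate.crt: if it already returns 0, the "0 added" result and the unchanged diff are expected, and the verification failure has another cause (for example the server sending an expired intermediate), which the client's own error message rather than the trust store will point to.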

Cannot exchange AccessToken from Google API inside Docker container

I have a web app written in Go that uses oauth2 (package golang.org/x/oauth2) to sign users in with Google (following this tutorial: https://developers.google.com/identity/sign-in/web/server-side-flow).
When I test the app locally it works fine, but when I deploy the app and run it inside a Docker container (based on alpine:latest, running the binary file), it has an error:
Post https://accounts.google.com/o/oauth2/token: x509: certificate signed by unknown authority
Here is my code to exchange the access token:
ctx = context.Background()
// OAuth2 client settings come from the app's own config; the oauth2.Config
// is named oauthConf so it does not shadow that package-level config.
oauthConf := &oauth2.Config{
    ClientID:     config.GoogleClientId,
    ClientSecret: config.GoogleClientSecret,
    RedirectURL:  config.GoogleLoginRedirectUrl,
    Endpoint:     google.Endpoint,
    Scopes:       []string{"email", "profile"},
}
// Exchange the authorization code for tokens; this HTTPS call is what fails.
accessToken, err := oauthConf.Exchange(ctx, req.Code)
if err != nil {
    log.Println(err.Error()) // Error here
}
The problem is not caused by Go but by the Alpine image.
The default Alpine image does not have certificates, so the app cannot call https addresses (in this case https://accounts.google.com/o/oauth2/token).
To fix this problem, install the 2 packages openssl and ca-certificates. Example in a Dockerfile:
apk add --no-cache ca-certificates openssl
You will need to add the Google Issuing CA certificate to the trusted cert store of the Docker image.
The Google CA cert is this: https://pki.google.com/GIAG2.crt
More info on the certificate can be found here.
Then within the Dockerfile, you will need to do something like this:
cp GIAG2.crt /usr/local/share/ca-certificates/GIAG2.crt
update-ca-certificates