Mac verify error: Invalid Password? while creating certificates - docker

Creating certificates for an Elasticsearch install via docker-compose.
I get the error 'Mac verify error: Invalid Password?' while running the command: sudo docker-compose -f create-certs.yml run --rm create_certs
I'm creating the certificates again as I faced an issue during the initial setup. Is this error of any concern for the setup?
Also, when I run openssl pkcs12 -info -in /home/elastic/es11/es11/es11.p12 and enter the password, I get the error below:
Enter Import Password:
MAC Iteration 10000
Mac verify error: invalid password?

Related

Bigbluebutton - Invalid BigBlueButton Endpoint and Secret

My BBB secret is valid and is the same for Greenlight .env file.
All of a sudden, I got the error
Server Error - Invalid BigBlueButton Endpoint and Secret
and when I run:
docker run --rm --env-file .env <container-image> bundle exec rake conf:check
I get:
Checking environment: Passed
Checking Connection: Failed
Error connecting to BigBlueButton server - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (certificate has expired)
I have manually updated the certificate of my Ubuntu server but the error still persists. My BBB version is 2.2.9.
While browsing online, I read that you have to log into your container using bash by typing:
docker exec -it <container-id> /bin/bash
and trying to download a certificate (somewhere it was mentioned https://curl.haxx.se but I am not 100% sure about the URL). However, curl in the docker container also complains about an SSL error.
The issue was caused by an expired Let's Encrypt SSL certificate. More information can be found here. Removing the certificate and updating the certificates resolves the issue.

SSL Certificate Name Mismatch Error on digital ocean

There is already an SSL certificate on the server. The issue is that it works fine if someone enters the website as borroup.com, but when they enter www.borroup.com it says the connection is not secure. I'm not sure how to access the cert on the server to fix the issue.
here is the sudo ls /etc
I tried this
sudo certbot --nginx -d borroup.com -d www.borroup.com
and this
sudo ./letsencrypt-auto --apache -d borroup.com -d www.borroup.com
I kept getting:
command not found

Rust installation fails. The command 'rustup-init -y' throws an error.

I am behind a corporate proxy and I'm trying to install Hyperledger Sawtooth on an Ubuntu machine.
Part of that setup is installing rust which is failing.
It uses the following command, which is taken from a 'Dockerfile' that runs as part of the command docker-compose up:
curl --insecure https://sh.rustup.rs -sSf > /usr/bin/rustup-init && chmod +x /usr/bin/rustup-init && rustup-init -y
This gives me an error:
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
rustup: command failed: downloader https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init /tmp/tmp.KEMZg5vZRK/rustup-init
Apparently, the command rustup-init -y is failing as I'm behind a corporate proxy and it failed to connect to the URL https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init.
Where do I do the modification (add the -k flag) to turn off curl's certificate verification option so that I get an insecure connection and my installation is successful?
I tried modifying the rustup-init.sh file, but it is of no use.

Docker Private Registry - push to 'insecure-registry' still complains about 'unknown authority'

I have a remote Docker registry setup. It has a go-daddy SSL cert installed.
If I curl it I get an 'unknown authority' error:
curl https://example.com:5000/v2/
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
...
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
So I then use the 'insecure' curl:
curl -k https://example.com:5000/v2
and I get
{} //which I guess is because there is nothing in the registry?
to check, I curl a non-existent endpoint:
curl -k https://example.com:5000/moo
404 page not found //which is positive, as it means the -k flag is suppressing the 'unknown authority' correctly
So, now that I know it is possible to connect to the registry with curl, I try using the Docker client to push an image:
docker push example.com:5000/my-image
The push refers to a repository [example.com:5000/my-image]
unable to ping registry endpoint https://example.com:5000/v0/
v2 ping attempt failed with error: Get https://example.com:5000/v2/: x509: certificate signed by unknown authority
v1 ping attempt failed with error: Get https://example.com:5000/v1/_ping: x509: certificate signed by unknown authority
So I then try to suppress the error by adding 'insecure-registry' to DOCKER_OPTS (as explained here):
DOCKER_OPTS="--insecure-registry example.com:5000"
[restart docker daemon]
And it does not work. I get the same 'unknown authority' warning.
Firstly, why is a certificate from Go Daddy not trusted? I have it set up on an nginx server and it is working fine with the 'green bar' in the browser.
Secondly, how can I get the 'insecure-registry' to work with Docker? Thanks
Ok, I got to the bottom of this.
Turns out I didn't need to modify /etc/default/docker with this:
DOCKER_OPTS="--insecure-registry example.com:5000"
The issue was that the Go-Daddy certificate I installed in the registry needed to have the intermediate certificates too. I received the following from Go-Daddy:
domain.crt
some-bundle.crt
You need to
cat bundle.crt >> domain.crt
so that the certificate chain is complete. Then it all works fine.

Docker private registry using selfsigned certificates

I want to run a private docker registry which is widely available.
So I will be able to push and pull images from other servers.
I'm following these tutorials: doc1 & doc2
I performed 3 steps:
First I created my certificate and key (as the CNAME I filled in my EC2 hostname)
mkdir -p certs && openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt
Then I created my docker registry, using this key.
docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry:2
Then I copied the content of domain.crt to /etc/docker/certs.d/ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/ca.crt
I restarted my docker: sudo service docker restart
When I try to push an image I get the following error:
unable to ping registry endpoint https://ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/v0/
v2 ping attempt failed with error: Get https://ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/v2/: net/http: TLS handshake timeout
v1 ping attempt failed with error: Get https://ec2-xx-xx-xx-xx.compute.amazonaws.com:5000/v1/_ping: net/http: TLS handshake timeout
I really don't know what I'm missing or doing wrong. Can someone please help me. Thanks
I'm not sure if you copy/pasted your pwd directly... but the file path should be /etc/docker/certs.d
You currently have etc/docker/cert.d/registry.ip:5000/domain.crt
The error message says "TLS handshake timeout". This indicates that either no process is listening on port 5000 (check using netstat) or the port is closed from the location where you are trying to push the image (open port in the AWS security group).
From what I've seen docker login is way more sensitive to properly crafted self-signed certs than browsers are + there's an interesting gotcha I'll point out at the very bottom, so read the whole thing.
According to this site:
https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
Bash# openssl x509 -noout -text -in ca.crt
X509v3 Basic Constraints: critical
CA:TRUE
^You should see something like this if you provisioned your certs right.
While following random how-to guides on the net I was able to generate ca.crt and website.crt
When I ran the above command I didn't see that output, but I noticed:
If I imported the cert as trusted in Mac or Win my browser would be happy and say yeap, valid cert, but docker login on RHEL7 would complain with messages like:
x509: certificate signed by unknown authority
I tried following directions related to using: /etc/docker/certs.d/mydockerrepo.lan:5000/ca.crt
on https://docs.docker.com/engine/security/certificates/
It got me a better error message (which caused me to find the above site in the first place)
x509: certificate signed by unknown authority (possibly because of
"x509: invalid signature: parent certificate cannot sign this kind of
certificate" while trying to verify candidate authority certificate
After 2 days of messing around I figured it out:
When I was taught programming I was taught the concept of a short self-contained example, so I'm going to try doing that here for Ansible, leveraging the openssl built-in modules. I'm running the latest Ansible 2.9, but this should work for Ansible 2.5++ in theory:
Short Self Contained Example:
#Name this file generatecertificates.playbook.yml
#Run using Bash# ansible-playbook generatecertificates.playbook.yml
#
#What to Expect:
#Run Self Contained Stand Alone Ansible Playbook --Get-->
# currentworkingdir/certs/
#   ca.crt
#   ca.key
#   mydockerrepo.private.crt
#   mydockerrepo.private.key
#
#PreReq Ansible 2.5++
#PreReq Bash# pip3 install cryptography >= 1.6 or PyOpenSSL > 0.15 (if using selfsigned provider)
---
- hosts: localhost
  connection: local
  gather_facts: no
  vars:
    caencryptionpassword: "myrootcaencryptionpassword"
    dockerepodns: "mydockerrepo.private"
    rootcaname: "My Root CA"
  tasks:
    - name: get current working directory
      shell: pwd
      register: pathvar
    - debug: var=pathvar.stdout
    - name: Make sub directory
      file:
        path: "{{pathvar.stdout}}/certs"
        state: directory
      register: certsoutputdir
    - debug: var=certsoutputdir.path
    - name: "Generate Root CA's Encrypted Private Key"
      openssl_privatekey:
        size: 4096
        path: "{{certsoutputdir.path}}/ca.key"
        cipher: auto
        passphrase: "{{caencryptionpassword}}"
    - name: "Generate Root CA's Self Signed Certificate Signing Request"
      openssl_csr:
        path: "{{certsoutputdir.path}}/ca.csr"
        privatekey_path: "{{certsoutputdir.path}}/ca.key"
        privatekey_passphrase: "{{caencryptionpassword}}"
        common_name: "{{rootcaname}}"
        basic_constraints_critical: yes
        basic_constraints: ['CA:TRUE']
    - name: "Generate Root CA's Self Signed Certificate"
      openssl_certificate:
        path: "{{certsoutputdir.path}}/ca.crt"
        csr_path: "{{certsoutputdir.path}}/ca.csr"
        provider: selfsigned
        selfsigned_not_after: "+3650d" # Note: Mac won't trust by default due to https://support.apple.com/en-us/HT210176, but you can explicitly trust it to make it work.
        privatekey_path: "{{certsoutputdir.path}}/ca.key"
        privatekey_passphrase: "{{caencryptionpassword}}"
      register: cert
    - debug: var=cert
    - name: "Generate Docker Repo's Private Key"
      openssl_privatekey:
        size: 4096
        path: "{{certsoutputdir.path}}/{{dockerepodns}}.key"
    - name: "Generate Docker Repo's Certificate Signing Request"
      openssl_csr:
        path: "{{certsoutputdir.path}}/{{dockerepodns}}.csr"
        privatekey_path: "{{certsoutputdir.path}}/{{dockerepodns}}.key"
        common_name: "{{dockerepodns}}"
        subject_alt_name: 'DNS:{{dockerepodns}},DNS:localhost,IP:127.0.0.1'
    - name: "Generate Docker Repo's Cert, signed by Root CA"
      openssl_certificate:
        path: "{{certsoutputdir.path}}/{{dockerepodns}}.crt"
        csr_path: "{{certsoutputdir.path}}/{{dockerepodns}}.csr"
        provider: ownca
        ownca_not_after: "+365d" # Cert valid 1 year
        ownca_path: "{{certsoutputdir.path}}/ca.crt"
        ownca_privatekey_path: "{{certsoutputdir.path}}/ca.key"
        ownca_privatekey_passphrase: "{{caencryptionpassword}}"
      register: cert
    - debug: var=cert
Interesting Gotcha/Final Step:
RHEL7Bash# sudo cp ca.crt /etc/pki/ca-trust/source/anchors/ca.crt
RHEL7Bash# sudo update-ca-trust
RHEL7Bash# sudo systemctl restart docker
The gotcha is that you have to restart docker for docker login to recognize CAs newly added to the system.
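The Docker client's TLS check is Go's crypto/x509, so the outcomes in the two registry answers above (the Go Daddy chain missing its intermediate, the completed chain, and a ca.crt without CA:TRUE) can be reproduced with the standard library. This is an added example, not code from any answer on this page: every certificate is constructed in memory with made-up names, and host-name matching is deliberately left out so that only chain trust is exercised.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn, self-signed when parent is nil; isCA sets Basic Constraints CA:TRUE.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed throwaway key, never written to disk
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: isCA}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify checks leaf the way the Docker client does: root is the only trust anchor (the ca.crt under
// /etc/docker/certs.d or the system store); presented is the extra cert the server sends, if any.
func verify(leaf, presented, root *x509.Certificate) string {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if presented != nil {
		inter.AddCert(presented)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter}); err != nil {
		return err.Error() // the text docker push prints
	}
	return ""
}

func Scenarios() map[string]string {
	root, rootKey := mkCert("My Root CA", true, nil, nil)
	inter, interKey := mkCert("Intermediate CA", true, root, rootKey) // the bundle a public CA ships
	leaf, _ := mkCert("mydockerrepo.private", false, inter, interKey)
	notCA, notCAKey := mkCert("Self-signed but CA:FALSE", false, nil, nil) // a ca.crt lacking CA:TRUE
	badLeaf, _ := mkCert("mydockerrepo.private", false, notCA, notCAKey)
	return map[string]string{
		"missing intermediate": verify(leaf, nil, root),  // server sends only its own cert
		"complete chain":       verify(leaf, inter, root), // after cat bundle.crt >> domain.crt
		"ca without CA:TRUE":   verify(badLeaf, nil, notCA),
	}
}
```

The last case yields the "possibly because of ... parent certificate cannot sign this kind of certificate" text quoted above, and the first yields the bare "x509: certificate signed by unknown authority" that the Go Daddy question saw.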
