I'm using docker to start cadence server, but I can't connect to my cockroachDB, the following error occurs.
enter image description here
How can i resolve this problem?
In your connection string, could you try adding ?sslmode=require or ?sslmode=verify-ca/full. Clusters on Cockroach Cloud require a secure connection in order to connect to the DB.
Our recommendation is to use verify-full or verify-ca which protect against MITM attacks and enforce verifying that the server certificate is signed by known certificate authority.
We've got some docs on additional connection parameters here! https://www.cockroachlabs.com/docs/stable/connection-parameters.html#additional-connection-parameters
And some more specific docs on SSL Modes with Cockroach Cloud here:
https://www.cockroachlabs.com/docs/cockroachcloud/authentication.html#ssl-mode-settings
Related
I'm trying to run neo4j community on a vps via a docker image managed with plesk.
I am however having issues configuring the SSL certificate so I can connect to it securely from nodejs.
Currently, the error I'm getting is quite straightforward in node:
Neo4jError: Failed to connect to server.
Please ensure that your database is listening on the correct host and port and that you have
compatible encryption settings both on Neo4j server and driver. Note that the default encryption
setting has changed in Neo4j 4.0. Caused by: Server certificate is not trusted. If you trust the
database you are connecting to, use TRUST_CUSTOM_CA_SIGNED_CERTIFICATES and add the signing
certificate, or the server certificate, to the list of certificates trusted by this driver using
`neo4j.driver(.., { trustedCertificates:['path/to/certificate.crt']}). This is a security measure
to protect against man-in-the-middle attacks. If you are just trying Neo4j out and are not
concerned about encryption, simply disable it using `encrypted="ENCRYPTION_OFF"` in the driver
options. Socket responded with: DEPTH_ZERO_SELF_SIGNED_CERT
I've mapped the volumes as follows:
/certificates to the letsencrypt live folder for the domain db.example.com
Then I'm trying to connect to it via: bolt://db.example.com:32771
When i check via browser, the certificate being served is self-signed. I have try to add this certificate to the trusted certificates in windows but it didn't do anything at all.
Also added the path to the trusted certificates when instantiating the driver:
this._driver = neo4j.driver(process.env.Neo4jUri, token, {
encrypted: true,
trustedCertificates: ['ssl/neo4j.crt'],
});
I've also tried to copy the files within that certificate folder so that the appropriate files are named as mentioned in this article.
I wanted to know if there was a way to secure the traffic between my Rapsberry Pi, which runs Docker, and my computer on the same local network with SSL protocol. I just want to be able to connect HTTPS to my containers, just in local with let's encrypt (I use raspberrypi.local domain).
Thanks,
You can use SSL to connect to a local (not registered) domain, but not using letsencrypt.
Letsencrypt (and any other service that provides certificates) needs to verify the ownership of the domain in order to deploy a certificate.
This is done in various ways (out of the scope of this question) but in any case, an existing domain name, publicly resolvable, must exist.
This is not your case obviously.
What you can do, is generate a self-signed certificate and use that to connect through SSL.
This is a tutorial for generating an SSL certificate using docker only: https://codefresh.io/blog/using-docker-generate-ssl-certificates/
Once you have a certificate, you have to deploy it in your docker app stack, but I guess this is off-topic for your question.
I am trying to deploy a data flow server on Cloud foundry and create a simple app.
Only https end point could be exposed. I cannot enable https using this :
http://docs.spring.io/spring-cloud-dataflow/docs/current-SNAPSHOT/reference/htmlsingle/#configuration-security-enabling-https
As ssl is managed by cf. How do I make data flow server using https?
I have this error:
dataflow:>app list
Command failed org.springframework.web.client.ResourceAccessException: I/O error on GET request for "http://dataflow-server.run.aws-usw02-pr.ice.predix.io/apps": Connect to dataflow-server.run.aws-usw02-pr.ice.predix.io:80 [dataflow-server.run.aws-usw02-pr.ice.predix.io/54.201.89.124, dataflow-server.run.aws-usw02-pr.ice.predix.io/52.88.128.224] failed: Connection refused (Connection refused); nested exception is org.apache.http.conn.HttpHostConnectException: Connect to dataflow-server.run.aws-usw02-pr.ice.predix.io:80 [dataflow-server.run.aws-usw02-pr.ice.predix.io/54.201.89.124, dataflow-server.run.aws-usw02-pr.ice.predix.io/52.88.128.224] failed: Connection refused (Connection refused)
Thanks in advance.
Best Regards
as you already mentioned, you can not enable https at the container level inside cloudfoundry today. The traffic between the router and diego cell is not encrypted (unless you are using IPSEC).
So your dataflow server would not be configured with https, just deploy the server as it is. You should rely on your cloudfoundry install to have an open port at 443 on it's loadbalancer that forwards traffic to the router. Later CF incarnations support certificate placement at the router level.
Now, at the client (dataflow-shell) if you are using a valid certificate you don't need to do anything, but if you have a selfsigned certificate, you need to tell it to accept self-signed certificates, or skip validation all together.
When upgrading to docker 1.3 the docker client produced the following error:
...
If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry <my registry>` to the daemon's arguments.
...
This registry is behind our company's firewall, so I do not wish to add any security. Is there a way to remove this error at the registry server? What is the simplest way to do this? Is it enabling https or is there a simpler trick?
I do not want to update the config for all the registry clients
You have to use https if you want to to avoid this warning. Also you need a certificate signed by a known CA. Docker is trying to force security by this.
The other possibility is to use --insecure-registry when using the client.
WL 5.0.6, HTTP adapter, running on Liberty
We want to make simple connection from our adpater to a backend over SSL, the backend team have provided us their certificate.
Our symptom is
FWLSE0101E: Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
We have read the infocenter here but clearly have got something wrong. Steps we took
Used the JRE keystore tool to add the cert to a keystore.
Adjusted the worklight properties to point to the kaystore.
Restarted the WL Server
Any suggestions for how to diagnose or fix?
The issue in this case was that the certificate referenced hosts that were not visible to our DNS server. We worked around this by adding entries to /etc/hosts.