Problem with generating signed certificate for docker when using extfile.cnf - docker

I am trying to generate a signed certificate for Docker using openssl, but I seem to be running into an error when trying to actually generate the signed certificate using extfile.cnf.
I am essentially following this guide:
https://docs.docker.com/engine/security/protect-access/#use-tls-https-to-protect-the-docker-daemon-socket
When it comes to the step "Now, generate the signed certificate:"
I get the error: "x509: Error on line 1 of config file "extfile.cnf""
I am sure this is not Docker specific or anything, and relates to openssl itself.
Can someone assist me here? Thanks.
OpenSSL version: OpenSSL 1.1.1l 24 Aug 2021

Please change your extfile.cnf file to:
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.domain.com
IP.1 = xxx.xxx.xxx.xxx
Hopefully this will work for you.
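An added example, not from the question or the Docker guide it follows: it runs the guide's openssl steps with extfile.cnf written in the section form the answer suggests, then checks that the SAN entries and the serverAuth EKU really ended up in the signed certificate. The host name, IP address and key sizes are assumptions, and the keys are left unencrypted so the run is non-interactive (the guide encrypts the CA key with -aes256).

```shell
#!/bin/sh
# Added example, not from the question or the Docker guide it follows.
# Builds a CA and a Docker daemon server certificate the way the guide does,
# writing extfile.cnf in the section form the answer suggests (@alt_names),
# then checks that the SAN and EKU actually ended up in the certificate.
# Host name and IP are constructed; keys are left unencrypted so the run is
# non-interactive (the guide encrypts the CA key with -aes256).
set -eu

# write_extfile <path> <dns name> <ip>
write_extfile() {
    # '@alt_names' points OpenSSL at the section below. A '#' in its place
    # starts a comment, leaves the value empty and fails on line 1.
    cat > "$1" <<EOF
subjectAltName = @alt_names
extendedKeyUsage = serverAuth

[alt_names]
DNS.1 = $2
IP.1 = $3
IP.2 = 127.0.0.1
EOF
}

# make_docker_server_cert <workdir> <dns name> <ip>  (runs in a subshell)
make_docker_server_cert() (
    cd "$1"; host=$2; ip=$3
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; skipping" >&2; exit 0; }
    write_extfile extfile.cnf "$host" "$ip"
    # CA key and self-signed CA certificate
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca-key.pem -sha256 \
        -subj "/CN=Constructed Docker CA" -out ca.pem
    # Server key, CSR, and the certificate signed with the extfile
    openssl genrsa -out server-key.pem 2048 2>/dev/null
    openssl req -subj "/CN=$host" -sha256 -new -key server-key.pem -out server.csr
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
        -CAcreateserial -out server-cert.pem -extfile extfile.cnf 2>/dev/null
    # Checks: chains to ca.pem, carries both SAN entries and the serverAuth EKU
    openssl verify -CAfile ca.pem server-cert.pem >/dev/null
    text=$(openssl x509 -in server-cert.pem -noout -text)
    echo "$text" | grep -q "DNS:$host"
    echo "$text" | grep -q "IP Address:$ip"
    echo "$text" | grep -q "TLS Web Server Authentication"
    echo "server-cert.pem OK: SAN and serverAuth EKU present"
)

make_docker_server_cert "$(mktemp -d)" docker.example.test 10.10.10.20
```

The same `openssl x509 -noout -text` check is the quickest way to confirm that a daemon certificate built from the guide's inline `subjectAltName = DNS:...,IP:...` form carries the IP you will actually connect to.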

Related

Could not verify the SSL certificate error when running bundle install in ruby on rails app

I have a ruby on rails app that is throwing an error when I try to run bundle install. The error is the following:
bundle stdout: Could not verify the SSL certificate for https://rails-assets.org/ There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification
Our SSL certificate was updated just a few days ago and we haven't changed anything in the app. It started to throw this error out of the blue.
Is there any chance we need to update the root certificates in the system? I mean like running sudo update-ca-certificates or something like that? is it safe to do that?
The app is in digitalOcean and we use capistrano gem to deploy the app
@lingYan Thanks a lot for guiding me in the right direction! I read the links you posted but in my case I had to change the steps a little bit because I am not on CentOS 7. So this is exactly what I did:
Made a backup of the certificates file in /etc/ssl/certs:
cp ca-certificates.crt ~/certificatesBackup/ca-certificates-backup.crt
Made a backup of the config file in /etc:
cp ca-certificates.conf ~/certificatesBackup/ca-certificates-backup.conf
Made a backup of the expired certificate in /etc/ssl/certs:
cp DST_Root_CA_X3.pem ~/certificatesBackup/DST_Root_CA_X3_backup.pem
Removed DST_Root_CA_X3.pem from ca-certificates.conf:
I opened the file with vim and removed the line
Removed the expired certificate in /etc/ssl/certs:
sudo rm DST_Root_CA_X3.pem
Updated certificates:
update-ca-certificates -f -v
Checked if the expired certificate was removed from the chain in ca-certificates.crt:
diff ~/certificatesBackup/ca-certificates-backup.crt ca-certificates.crt
It showed the new certificate
It was still throwing the error after doing all the steps above, so I realized that I didn't have the ISRG Root CA certificate. In order to add the ISRG Root CA I did the following (which I think is not correct, or maybe I am missing something):
Went to this page https://letsencrypt.org/certificates/ and downloaded the file called ISRG Root X1 (self-signed / pem format)
Went to /usr/local/share/ca-certificates/
Created a new folder called isrgrootx1
Copied the pem file I downloaded previously into the isrgrootx1 folder
Made sure the permissions were OK (755 for the folder, 644 for the file)
Updated the certificates with update-ca-certificates -f -v
Checked if the certificate was added using the diff command: when I ran the diff command it didn't show any change, so I guess the certificate was not added and the error is still there
Am I doing something wrong? Are the steps above correct to add a new certificate? I am starting to feel frustrated with this :(
I checked the certificate of https://rails-assets.org/; it's signed by Let's Encrypt, and one of the root CAs from Let's Encrypt is expired, which would be the cause of your issue.
To understand the issue:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
The possible solution:
https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4
Basically, if that's the cause, you need to remove the DST Root CA and make sure ISRG Root CA is in your certificate store.
For Ubuntu or Debian systems, the following document describes how to update the certificates:
/usr/share/doc/ca-certificates/README.Debian
Run the following command to create a directory for your own trusted ca-certificates:
sudo mkdir /usr/local/share/ca-certificates/extra
Copy the root certificate to the new directory:
sudo cp rootCA.crt /usr/local/share/ca-certificates/extra/
Make sure that the certificate file has the .crt extension.
Run the following command to update the system certificates:
sudo update-ca-certificates

Docker go image - cannot go get - x509: certificate signed by unknown authority

Inside the Docker golang image I am trying to go install a package and fail with this error:
go install google.golang.org/protobuf/cmd/protoc-gen-go@1.27.0: google.golang.org/protobuf/cmd/protoc-gen-go@1.27.0: invalid version: Get "https://proxy.golang.org/google.golang.org/protobuf/cmd/protoc-gen-go/@v/1.27.0.info": x509: certificate signed by unknown authority
I tried installing CA certificates unsuccessfully.
Any idea what could be the problem?
Ok so the problem was my security client: Cisco AnyConnect "Umbrella".
It was acting like a man in the middle and re-signing the request with its own certificate.
In order for the in-docker Go client to trust the traffic re-signed by Cisco Umbrella, the "Cisco Umbrella Root CA" certificate needed to be added in the Dockerfile:
So clicking on the .cer URI we can see that certificate.
Now inside my container I could:
$ wget http://www.cisco.com/security/pki/certs/ciscoumbrellaroot.cer
then convert it from .cer to a .crt file:
$ openssl x509 -inform DER -in ciscoumbrellaroot.cer -out ciscoumbrellaroot.crt
then copy it to the certificate folder:
$ cp ciscoumbrellaroot.crt /usr/local/share/ca-certificates/ciscoumbrellaroot.crt
and lastly update certificates:
$ update-ca-certificates
which outputs this:
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
done! now we can go get any package:
$ go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1
go: downloading google.golang.org/protobuf v1.27.1
This was written about the Cisco security client, but it can be applied to any client out there.
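Both of the answers above (the Debian/Ubuntu steps for adding ISRG Root X1 and the Cisco Umbrella .cer conversion) install a root CA by hand. The script below is an added example, not from either post, that performs the same steps with the checks that were missing when things went wrong: it accepts DER or PEM input (a .cer is often DER), refuses anything that is not a self-signed, unexpired CA certificate, and writes the file with the .crt extension update-ca-certificates requires. The hook directory default, the certificate name and the constructed test CA are assumptions.

```shell
#!/bin/sh
# Added example, not from either post above. Installs one root CA into the
# Debian/Ubuntu trust store the way both answers describe, with the checks
# that were missing when things went wrong: the input may be DER or PEM,
# the file must land under the hook directory with a .crt extension, and
# only a self-signed, unexpired CA certificate is accepted as a trust anchor.
set -eu

# Print the certificate as PEM whether the input file is DER or PEM.
to_pem() {
    if openssl x509 -inform PEM -in "$1" 2>/dev/null; then
        return 0
    fi
    openssl x509 -inform DER -in "$1"
}

# install_root_ca <cert file> <name> [<hook dir>]
# Default hook dir is the one ca-certificates scans; the test uses a temp dir.
install_root_ca() {
    src=$1; name=$2; dest=${3:-/usr/local/share/ca-certificates}
    tmp=$(mktemp)
    to_pem "$src" > "$tmp"
    # Trust-anchor sanity checks before touching the store
    openssl x509 -in "$tmp" -noout -text | grep -q "CA:TRUE" \
        || { echo "refusing: not a CA certificate" >&2; rm -f "$tmp"; return 1; }
    openssl x509 -in "$tmp" -noout -checkend 0 >/dev/null \
        || { echo "refusing: certificate already expired" >&2; rm -f "$tmp"; return 1; }
    openssl verify -CAfile "$tmp" "$tmp" >/dev/null 2>&1 \
        || { echo "refusing: not self-signed (an intermediate?)" >&2; rm -f "$tmp"; return 1; }
    mkdir -p "$dest"
    mv "$tmp" "$dest/$name.crt"          # .crt: other extensions are ignored
    chmod 644 "$dest/$name.crt"
    echo "installed $dest/$name.crt ($(openssl x509 -in "$dest/$name.crt" -noout -subject))"
    # Rebuild /etc/ssl/certs/ca-certificates.crt only for the real hook dir
    if [ "$dest" = /usr/local/share/ca-certificates ] && [ "$(id -u)" -eq 0 ]; then
        update-ca-certificates
    elif [ "$dest" = /usr/local/share/ca-certificates ]; then
        echo "now run: sudo update-ca-certificates" >&2
    fi
}
```

Running `install_root_ca ciscoumbrellaroot.cer ciscoumbrellaroot` as root reproduces the answer's wget/openssl/cp/update-ca-certificates sequence; a .pem copied in without the .crt extension is exactly the case where the diff in the earlier post showed no change.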

Letsencrypt Solr SSL JVM

I have been trying to get this to work for days, but can anyone point me in the right direction (tutorial etc.) for how to get LetsEncrypt certs to run in Solr?
I have a Rails site running on 443 with LetsEncrypt and have added Solr on the same machine, on a different port. The Solr is running SSL with self-signed certs.
Can I use the same certs for the main site, as both the site and Solr can be accessed on the same URL?
Obviously the Solr instance is secured via iptables, as it seemed an easier setup than reverse proxying while trying to use the same cert.
Any pointers or hints greatly appreciated!
Thanks
Sometimes I overlook the obvious!
As I have a key for the domain already, and Solr responds on mydomain.com:8983, all that is needed is to create a Java Key Store (jks) from the existing keys on the system.
So all that was needed is
openssl pkcs12 -export -in /etc/letsencrypt/live/mydomain.com/fullchain.pem -inkey /etc/letsencrypt/live/mydomain.com/privkey.pem -out pkcs.p12 -name NAME
specifying the location of the Let's Encrypt cert (on my system /etc/letsencrypt/live/mydomain.com/)
Then convert the PKCS12 key to a jks...
keytool -importkeystore -deststorepass PASSWORD_STORE -destkeypass PASSWORD_KEYPASS -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass STORE_PASS -alias NAME
replacing the passwords where needed.
I would have thought the best practice here would be to automate this in a bash script to be run when the Let's Encrypt certs are renewed.
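The renewal-hook script the answer suggests, as an added example (not the poster's code): it runs the same pkcs12 and keytool steps, but reads the passwords from the environment instead of the command line (where any local user can read them from the process list), replaces the keystore atomically, and stops at the PKCS12 file when keytool is not installed, since a JVM can load PKCS12 directly and Solr selects it with SOLR_SSL_KEY_STORE_TYPE=PKCS12. The live directory, alias, output directory and the KEYSTORE_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the post above. A certbot-style renewal hook that
# rebuilds the Solr keystore from the Let's Encrypt files with the same two
# commands as the answer, but takes passwords from the environment
# (-passout/-passin env:, keytool's :env modifier) instead of the command
# line. Without keytool it stops at the PKCS12 file, which the JVM can load
# directly (Solr: SOLR_SSL_KEY_STORE_TYPE=PKCS12). Paths and names are assumed.
set -eu

# build_solr_keystore <letsencrypt live dir> <alias> <output dir>
# Requires KEYSTORE_PASS in the environment; prints the keystore path.
build_solr_keystore() (
    live=$1; alias=$2; out=$3
    : "${KEYSTORE_PASS:?set KEYSTORE_PASS in the environment}"
    mkdir -p "$out"
    umask 077                                # the keystore holds the private key
    # 1. Bundle chain and key into PKCS12 (the post's openssl command)
    openssl pkcs12 -export \
        -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
        -name "$alias" -passout env:KEYSTORE_PASS -out "$out/solr.p12.new"
    # Sanity check: the file opens with that password and contains the key
    openssl pkcs12 -in "$out/solr.p12.new" -passin env:KEYSTORE_PASS -nocerts -nodes 2>/dev/null \
        | grep -q "PRIVATE KEY"
    mv "$out/solr.p12.new" "$out/solr.p12"   # atomic replace of the live file
    if command -v keytool >/dev/null 2>&1; then
        # 2. Convert to JKS (the post's keytool command), same password throughout
        keytool -importkeystore -noprompt \
            -srckeystore "$out/solr.p12" -srcstoretype PKCS12 -srcstorepass:env KEYSTORE_PASS \
            -destkeystore "$out/keystore.jks.new" -deststoretype JKS \
            -deststorepass:env KEYSTORE_PASS -destkeypass:env KEYSTORE_PASS -alias "$alias"
        mv "$out/keystore.jks.new" "$out/keystore.jks"
        echo "$out/keystore.jks"
    else
        echo "$out/solr.p12"
    fi
)
```

Wire it up as a certbot deploy hook (for example `KEYSTORE_PASS=... build_solr_keystore /etc/letsencrypt/live/mydomain.com solr /var/solr/etc`) and restart Solr afterwards, since Jetty only reads the keystore at start-up.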

SSL certificates and Rapns

I'm trying to set up a Rails application using the Rapns library to send push notifications. The project already has this gem configured, I am working toward upgrading it to Rpush. However, I'm having a lot of trouble setting up my certificates.
I've generated all the key pairs and certificates I need with much help from the following articles:
Apple Push Notifications, how do I properly export my cert?
http://quickblox.com/developers/How_to_create_APNS_certificates
http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
Running the following command
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert /path/to/my/sandbox.pem -debug -showcerts
returns the following
Verify return code: 20 (unable to get local issuer certificate)
So with help from Apple's docs I downloaded a CA certificate and ran the following
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert /path/to/my/sandbox.pem -debug -showcerts -CAfile /path/to/my/entrust_2048_ca.cer
and got
Verify return code: 0 (ok)
Success! However, my call to run the notifying application
bundle exec rapns development
Outputs 2 lines initially
[2014-08-04 14:29:42] [my app ID] Started, 1 handler.
[2014-08-04 14:29:43] [my app ID] Connected to feedback.sandbox.push.apple.com:2196
but then does nothing as I attempt to trigger notifications. Additionally, it re-prompts me for my PEM pass phrase periodically, making me think it's not really authenticating (which may be a symptom of the return code 20 from before).
I didn't actually fix the certificate itself (I don't think) by downloading the CA certificate. How do I incorporate that into the PEM so this works, or otherwise configure Rapns such that I don't need the CA cert?

Using Client SSL in a Ruby on Rails App

I'm working on an app for a client that requires an SSL connection with an API. I've been provided with three files; a trust root certificate (.cer) file, an intermediate certificate (.cer) file and a signed response file. The instructions I've been given to install this relate to either IIS or the Java keytool program; I'm building the app in Ruby on Rails so neither is an option (as far as I am aware).
The certificates are self-signed by the organisation who runs the API service and it appears I get given client certificates to mutually authenticate an https connection. I'm unsure how to
use the certificates in my application to connect and use the API
what the signed response file does
I've read "Using a self-signed certificate" and this article on OpenSSL in Ruby but neither seems to quite hit the spot (and both have some reliance on Java/JRuby which confuses things).
Any pointers would be greatly appreciated.
Based on your comments, I'm assuming that the certificates are in DER format, which you can convert to PEM with the openssl x509 command (see: openssl x509 command):
openssl x509 -inform DER -outform PEM -in certfile.cer -out certfile.pem
After that, you can instruct the Ruby OpenSSL library to use the trusted root certificate to authenticate the SSL connection with something like this:
require 'socket'
require 'openssl'

tcp_sock = TCPSocket.new("my.host.tld", 443)
ctx = OpenSSL::SSL::SSLContext.new
# Require a server certificate and fail the handshake if it does not chain to ca_file
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
# You may need to specify the absolute path to the file
ctx.ca_file = "certfile.pem"
ssl_sock = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx)
ssl_sock.sync_close = true
ssl_sock.hostname = "my.host.tld"   # SNI, so the server presents the certificate for this name
ssl_sock.connect
begin
  # Checks that the certificate the server presented is actually for this hostname
  ssl_sock.post_connection_check('my.host.tld')
rescue OpenSSL::SSL::SSLError => e
  puts "Certificate host did not match expected hostname: #{e.message}"
  ssl_sock.close
end
After that, you should be able to read and write to ssl_sock like any other Ruby IO object. If you are given a client certificate to use to allow the server to authenticate you, you can configure the SSL context with:
ctx.cert = OpenSSL::X509::Certificate.new(File.read("my_cert.pem"))
ctx.key = OpenSSL::PKey::RSA.new(File.read("my_key.rsa"))
before you create ssl_sock. The OpenSSL library also supports other key types besides RSA, such as DSA (see: OpenSSL::PKey module.)
Finally, a last piece of advice, if you are accessing a RESTful API, you may want to consider using a gem like rest-client instead of handling all of the HTTP/S connection stuff directly. Whether or not such a library is appropriate or useful will depend on the service you are using, of course.
