Getting Error when Enabling Https on `CapRover` - caprover

When enabling https on CapRover got the following error:
1107 : Unexpected output when enabling SSL forcaptain. with ACME Certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for captain.cr.<your sub-domain>
Using the webroot path /captain-webroot/captain.cr.<your sub-domain> for all unmatched domains.
Waiting for verification...
Challenge failed for domain captain.cr.<your sub-domain>
http-01 challenge for captain.cr.<your sub-domain>
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
  Domain: captain.cr.<your sub-domain>
  Type: connection
  Detail: Fetching http://captain.cr.<your sub-domain>/.well-known/acme-challenge/<your-challenge-hash>: Timeout during connect (likely firewall problem)
  To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

The error message pointed to the right issue: a firewall problem.
After configuring the firewall to open port 80, the problem was resolved.
p.s. ❤️ love CapRover (on Hetzner)
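The failure above is the ACME server being unable to fetch the http-01 challenge file over port 80. The following added example (my own code, not CapRover's or Certbot's) reproduces that fetch locally so the three outcomes named in the Certbot notes can be told apart before a real issuance is attempted: nothing reachable on the port (firewall, DNS or no listener), a listener that returns 404 (wrong webroot), and a file with stale content. The token, key authorization and webroot directory are constructed for the demo; the probe function itself can be pointed at a real host and token.

```python
"""Added example: pre-flight check for an ACME http-01 challenge path.

Not CapRover or Certbot code. It mimics what the ACME server does: GET
http://<host>/.well-known/acme-challenge/<token> and compare the body.
"""
import functools
import http.server
import socket
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def place_challenge(webroot: str, token: str, key_authorization: str) -> Path:
    """Write the challenge file where a webroot plugin would put it."""
    path = Path(webroot) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(key_authorization)
    return path


def probe_http01(host: str, token: str, expected: str, port: int = 80,
                 timeout: float = 3.0) -> str:
    """Fetch the challenge URL as the ACME server would and classify the result.

    Returns 'ok', 'content-mismatch', 'http-error:<code>' (a web server answered
    but did not serve the file, e.g. wrong webroot) or 'unreachable:<exception>'
    (refused / timed out: firewall, DNS pointing elsewhere, or no listener).
    """
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace").strip()
    except urllib.error.HTTPError as e:
        return f"http-error:{e.code}"
    except OSError as e:  # URLError, ConnectionRefusedError and timeouts are all OSError
        return f"unreachable:{type(e).__name__}"
    return "ok" if body == expected else "content-mismatch"


def serve_webroot(webroot: str, port: int = 0):
    """Serve webroot on 127.0.0.1 in a background thread (stand-in for the real web server)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    server = socketserver.ThreadingTCPServer(("127.0.0.1", port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def closed_port() -> int:
    """Pick a loopback port with nothing listening, to show the 'unreachable' outcome."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def self_check() -> dict:
    """Constructed end-to-end demo covering the outcomes Certbot's notes ask you to rule out."""
    with tempfile.TemporaryDirectory() as webroot:
        token, key_auth = "demo-token", "demo-token.constructed-account-thumbprint"
        place_challenge(webroot, token, key_auth)
        server, port = serve_webroot(webroot)
        try:
            results = {
                "served": probe_http01("127.0.0.1", token, key_auth, port=port),
                "missing": probe_http01("127.0.0.1", "no-such-token", key_auth, port=port),
                "stale": probe_http01("127.0.0.1", token, "some-other-value", port=port),
            }
        finally:
            server.shutdown()
            server.server_close()
        results["closed"] = probe_http01("127.0.0.1", token, key_auth, port=closed_port())
    return results


if __name__ == "__main__":
    for case, outcome in self_check().items():
        print(f"{case:8s} -> {outcome}")
```

Against a real deployment you would call `probe_http01("captain.cr.<your sub-domain>", token, key_auth)` from a machine outside the host's network; an `unreachable` result with the DNS record correct is the firewall case the post describes.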

Related

WSO2 EI 6.4.0 Docker Container - javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null

There is an implementation where API-1 calls another API-2; both are deployed in the same WSO2 docker container 6.4.0.
The internal API call is not working; I get the below ERROR in the logs.
Unable to sendViaPost to url[https://integ.company.com/wso2/api/queue_service]
javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
In the background, there was some SSL certificate renewal activity at the HAProxy level; after this we started to get the above ERROR.
Can I get some suggestions to resolve this ERROR?
Try importing the certificate used for 'https://integ.company.com/wso2/api/queue_service' into the WSO2 server's client-truststore. If that doesn't resolve the issue, add the full stack trace of the exception.
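The exception in this post is a hostname-validation failure, and the "name: null" part says the client had no target name to compare against the certificate at all. The added example below (my own code, not WSO2's or OpenSAML's) implements the name-matching rule a TLS client applies to a server certificate's subjectAltName entries, in the shape Python's `ssl` module returns them from `getpeercert()`, so the two distinct failure causes can be seen side by side: no hostname supplied, and a certificate (for instance a freshly renewed one) that no longer carries the name being connected to. The certificate dictionary is constructed for the demo.

```python
"""Added example: RFC 6125-style hostname matching against certificate names.

Not WSO2/OpenSAML code. Shows why 'SSL peer failed hostname validation for
name: null' arises (no target name) and why a renewed certificate issued for
different names fails even though the chain itself is trusted.
"""
from typing import Iterable, List, Optional


def names_from_peercert(cert: dict) -> List[str]:
    """Collect DNS names from a getpeercert()-style dict.

    Per RFC 6125, when subjectAltName is present the subject CN is ignored;
    the CN is used only as a fallback for legacy certificates without a SAN.
    """
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def _label_matches(pattern: str, name: str) -> bool:
    """Exact match, or a single '*' standing for one whole left-most label."""
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    plabels, nlabels = pattern.split("."), name.split(".")
    # '*' never spans a dot, so label counts must agree and the left label must be non-empty
    return len(plabels) == len(nlabels) and nlabels[0] != "" and plabels[1:] == nlabels[1:]


def verify_hostname(cert_names: Iterable[str], hostname: Optional[str]) -> str:
    """Return 'ok' or a reason string, mirroring what a client logs on failure."""
    if not hostname:
        return "failed: hostname validation for name: null (client supplied no target name)"
    host = hostname.rstrip(".").lower()
    names = [n.lower() for n in cert_names]
    for pattern in names:
        if _label_matches(pattern, host):
            return "ok"
    return f"failed: {host} not among certificate names {sorted(names)}"


# Constructed sample: what a renewed certificate for the HAProxy front end might carry.
SAMPLE_CERT = {
    "subject": ((("commonName", "integ.company.com"),),),
    "subjectAltName": (("DNS", "integ.company.com"), ("DNS", "*.internal.company.com")),
}


if __name__ == "__main__":
    names = names_from_peercert(SAMPLE_CERT)
    for target in ("integ.company.com", "api.internal.company.com",
                   "a.b.internal.company.com", "queue.company.com", None):
        print(f"{target!s:28s} -> {verify_hostname(names, target)}")
```

When the failure reads "for name: null", importing the certificate into the truststore as the answer suggests addresses chain trust but not the missing target name; the client code must also pass the hostname it is connecting to into its verifier.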

docker connect cockroachDB failed

I'm using docker to start the cadence server, but I can't connect to my cockroachDB; the following error occurs.
How can I resolve this problem?
In your connection string, could you try adding ?sslmode=require or ?sslmode=verify-ca/full. Clusters on Cockroach Cloud require a secure connection in order to connect to the DB.
Our recommendation is to use verify-full or verify-ca, which protect against MITM attacks and enforce verifying that the server certificate is signed by a known certificate authority.
We've got some docs on additional connection parameters here! https://www.cockroachlabs.com/docs/stable/connection-parameters.html#additional-connection-parameters
And some more specific docs on SSL Modes with Cockroach Cloud here:
https://www.cockroachlabs.com/docs/cockroachcloud/authentication.html#ssl-mode-settings
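The answer distinguishes `require` from `verify-ca` and `verify-full`. The added example below (my own code, not CockroachDB's) makes that distinction concrete: it reads the `sslmode` out of a PostgreSQL-style connection string, reports what each mode actually guarantees, builds the equivalent client-side `ssl.SSLContext` so the difference between "verifies the CA" and "also verifies the hostname" is visible in code, and rewrites a weak DSN to `verify-full`. The connection strings are constructed for the demo; the mode semantics follow the libpq `sslmode` definitions that CockroachDB reuses.

```python
"""Added example: classify and harden the sslmode of a connection string.

Not CockroachDB code. Mode semantics follow libpq's sslmode table; 'prefer'
is the libpq default when sslmode is absent.
"""
import ssl
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# mode -> (encrypted, verifies CA chain, verifies hostname)
SSLMODES = {
    "disable": (False, False, False),
    "allow": (False, False, False),   # plaintext first, TLS only if the server insists
    "prefer": (True, False, False),   # TLS if offered, silently falls back to plaintext
    "require": (True, False, False),  # encrypted, but any certificate is accepted: MITM possible
    "verify-ca": (True, True, False),  # chain checked; hostname not checked
    "verify-full": (True, True, True),  # chain and hostname checked
}


def sslmode_of(dsn: str) -> str:
    params = dict(parse_qsl(urlsplit(dsn).query))
    return params.get("sslmode", "prefer")


def assess(dsn: str, minimum: str = "verify-full") -> dict:
    """Report what the DSN's mode guarantees and whether it meets the policy floor."""
    mode = sslmode_of(dsn)
    if mode not in SSLMODES:
        raise ValueError(f"unknown sslmode {mode!r}")
    encrypted, verifies_ca, verifies_host = SSLMODES[mode]
    order = list(SSLMODES)
    return {
        "mode": mode,
        "encrypted": encrypted,
        "verifies_ca": verifies_ca,
        "verifies_hostname": verifies_host,
        "acceptable": order.index(mode) >= order.index(minimum),
    }


def harden(dsn: str, mode: str = "verify-full", sslrootcert: Optional[str] = None) -> str:
    """Return the DSN with sslmode (and optionally sslrootcert) set, other parameters kept."""
    parts = urlsplit(dsn)
    params = dict(parse_qsl(parts.query))
    params["sslmode"] = mode
    if sslrootcert:
        params["sslrootcert"] = sslrootcert  # CA bundle the client should trust
    return urlunsplit(parts._replace(query=urlencode(params)))


def ssl_context_for(mode: str) -> Optional[ssl.SSLContext]:
    """Client-side TLS settings equivalent to each mode; None means no TLS at all."""
    encrypted, verifies_ca, verifies_host = SSLMODES[mode]
    if not encrypted:
        return None
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    if not verifies_host:
        ctx.check_hostname = False        # must be cleared before relaxing verify_mode
    if not verifies_ca:
        ctx.verify_mode = ssl.CERT_NONE   # this is what 'require' amounts to
    return ctx


# Constructed sample DSNs (placeholders, not real cluster addresses).
WEAK_DSN = "postgresql://app:secret@cluster.example:26257/cadence?sslmode=require&application_name=cadence"
BARE_DSN = "postgresql://app:secret@cluster.example:26257/cadence"


if __name__ == "__main__":
    for dsn in (WEAK_DSN, BARE_DSN):
        print(assess(dsn))
        print("  hardened:", harden(dsn, sslrootcert="/certs/ca.crt"))
```

For the CockroachDB case in the question, `harden(dsn, "verify-full", sslrootcert="<path to the cluster CA>")` gives a connection string that both satisfies the cloud cluster's secure-connection requirement and keeps the client from accepting an impostor server.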

Unable to connect to OpenVPN client in Docker

I have tried to set up an OpenVPN client under docker, using the dperson/openvpn-client image. I get the following error:
UDPv6: Address not available (code=99)
When googling this problem, I've come across this discussion, but I'm not sure how to look at the client and server logs separately.
I have the full logs on pastebin here.
I am able to get the IP of my home address inside the container, but not the IP from the VPN. I appreciate any help!
The problem here is that the TLS handshake fails.
I extracted this from your logs:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
Make sure your server is set up correctly.

Using data flow with https on cloud foundry

I am trying to deploy a data flow server on Cloud foundry and create a simple app.
Only an https endpoint could be exposed. I cannot enable https using this:
http://docs.spring.io/spring-cloud-dataflow/docs/current-SNAPSHOT/reference/htmlsingle/#configuration-security-enabling-https
as SSL is managed by CF. How do I make the data flow server use https?
I have this error:
dataflow:>app list
Command failed org.springframework.web.client.ResourceAccessException: I/O error on GET request for "http://dataflow-server.run.aws-usw02-pr.ice.predix.io/apps": Connect to dataflow-server.run.aws-usw02-pr.ice.predix.io:80 [dataflow-server.run.aws-usw02-pr.ice.predix.io/54.201.89.124, dataflow-server.run.aws-usw02-pr.ice.predix.io/52.88.128.224] failed: Connection refused (Connection refused); nested exception is org.apache.http.conn.HttpHostConnectException: Connect to dataflow-server.run.aws-usw02-pr.ice.predix.io:80 [dataflow-server.run.aws-usw02-pr.ice.predix.io/54.201.89.124, dataflow-server.run.aws-usw02-pr.ice.predix.io/52.88.128.224] failed: Connection refused (Connection refused)
Thanks in advance.
Best Regards
As you already mentioned, you cannot enable https at the container level inside Cloud Foundry today. The traffic between the router and the Diego cell is not encrypted (unless you are using IPsec).
So your dataflow server would not be configured with https; just deploy the server as it is. You should rely on your Cloud Foundry install to have an open port 443 on its load balancer that forwards traffic to the router. Later CF incarnations support certificate placement at the router level.
Now, at the client (dataflow-shell), if you are using a valid certificate you don't need to do anything, but if you have a self-signed certificate, you need to tell it to accept self-signed certificates, or skip validation altogether.

Worklight adapter connecting to backend over SSL

WL 5.0.6, HTTP adapter, running on Liberty
We want to make a simple connection from our adapter to a backend over SSL; the backend team have provided us their certificate.
Our symptom is
FWLSE0101E: Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
We have read the infocenter here but clearly have got something wrong. Steps we took:
Used the JRE keystore tool to add the cert to a keystore.
Adjusted the worklight properties to point to the keystore.
Restarted the WL Server.
Any suggestions for how to diagnose or fix?
The issue in this case was that the certificate referenced hosts that were not visible to our DNS server. We worked around this by adding entries to /etc/hosts.