How to connect through SSH in Erlang using a PEM key file - erlang

Using the ssh module in Erlang, it is possible to establish a connection to a remote server.
There are several options listed in that API, but it is unclear to me which one would allow me to establish a connection that is authenticated only with a .pem file.
For example, using the ssh command in an OS shell, I can connect to my host using this:
ssh -c 3des -2 -l root -i MYPERMISSIONFILE.PEM myhost.mydomain.com -p 22
In Erlang, the ssh module has a fd option { fd,
ssh:start().
ssh:connect("myhost.mydomain.com",22, ???????? ).
There are several security options; I believe the content of the .pem file could be used as one of the security options, but that would be 1700 characters! There is an option to use a file descriptor [ {fd, } ], but it is unclear to me if that is the way to achieve this.

I was able to get it working by copying the pem file under the name id_rsa into a folder other than ~/.ssh (so it doesn't overwrite any keys you have set up already), e.g. ~/keys, and then passing the option {user_dir, "~/keys"} to ssh:connect/3. It picks up the renamed pem as the RSA key.

Related

How to convert pfx files to the jks

The IT team sent me a "cert.pfx" SSL certificate file to use for our "subdomain.domain.com" web site.
I have to add this SSL cert to Jenkins, and as far as I know it uses *.jks files. But I'm not sure how to convert pfx to jks.
I used the command below; it creates a jks file, but Jenkins gives an error.
keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS
Any help appreciated.
Thanks!
The above command to generate a .jks from a .pfx looks fine; make sure that you have given a password to your jks file (it is best practice to set a password for the .jks file).
Next, you need to make sure that %Jenkins_Home%\jenkins.xml has the correct configuration for the .jks file.
Here is an example of Jenkins HTTPS connection settings:
-httpPort=-1 (To stop Jenkins from listening over plain HTTP)
-httpsPort=8080 (or 8181 or whatever SSL port you want Jenkins to listen on)
-httpsKeyStore="<JavaKeystore_path>\clientcert.jks"
-httpsKeyStorePassword="<cleartext-password-to-keystore>"
After modifying jenkins.xml, restart the Windows Jenkins service; it must be running.

How to generate custom Docker Content Trust root key

I have little knowledge of security aspects inside and outside the Docker world.
As the documentation states, I tried the command below:
docker trust key generate jeff
Whenever I run this command for the first time it automatically generates a root key. Isn't it possible to generate a root key based on my own existing pem file? I have checked Docker and the Notary client/server etc.; there is no information regarding this. I hope this is a valid question.
Yes, we can do that.
Reference link: https://docs.docker.com/engine/reference/commandline/trust_key_load/#:~:text=docker%20trust%20key%20load%20adds%20private%20keys%20to,this%20command%2C%20refer%20to%20the%20examples%20section%20below.
Below are the steps to load an existing pem file (i.e. a private key). It works only in a Windows VM image (not an Ubuntu image).
set DOCKER_CONTENT_TRUST=1
docker trust key load privatekey.pem --name username
Enter passphrase :
docker trust signer add --key publickey.pem username dockerimageregistry.azurecr.io/hello-world:signed

How to use PEM passphrase/TrustedRoot/TLS Mutual Auth Cert/Private Key in a .netCore 3.1 Ubuntu container

I am trying to write a .NET Core 3.1 API in an Ubuntu Linux container that runs the equivalent of this curl command.
WORKING LINUX CONTAINER CURL COMMAND:
curl --cacert /etc/root/trustedroot.crt --cert /etc/mutualauth/tls.crt --key /etc/mutualauth/tls.key
--header "SOAPAction:actionName" --data #test.xml https://this.is.the/instance --verbose
Enter PEM pass phrase: *****
<Success...>
We use Windows development laptops so everything starts with Windows.
So far, I have the following HttpClientHandler that my HttpClient is using on a Windows development machine. This code works on Windows with the cert in my local machine and current user personal stores, and does not work in Linux:
WORKING WINDOWS HTTPCLIENTHANDLER CODE:
using System;
using System.Net;
using System.Net.Http;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Look the client certificate up in the current user's personal store by thumbprint.
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
try
{
    // validOnly: true returns only certificates whose chain currently validates.
    var cert = store.Certificates.Find(X509FindType.FindByThumbprint, "<<cert thumbprint here>>", true);
    var handler = new HttpClientHandler
    {
        ClientCertificateOptions = ClientCertificateOption.Manual,
        SslProtocols = SslProtocols.Tls12,
        AllowAutoRedirect = false,
        AutomaticDecompression = DecompressionMethods.Deflate | DecompressionMethods.GZip
    };
    // Present the certificate (with its private key) during the TLS handshake.
    handler.ClientCertificates.Add(cert[0]);
}
catch (Exception e)
{
    // Handle errors
}
finally
{
    store.Close();
}
The cert I imported was in .PFX format, so as I understand it, the password went in at the time of import and the code for Windows doesn't need to be concerned with it.
The curl command mentioned above works from the container. So by that logic, if coded or configured properly, the code should be able to do the same thing. As I see it, the curl command shown above contains four elements that I need to account for in my HttpClientHandler somehow:
- The Trusted Root (CA) Certificate: /etc/root/trustedroot.crt
- The TLS Certificate: /etc/mutualauth/tls.crt
- The Private Key: /etc/mutualauth/tls.key
- The PEM Passphrase
I have been reading into this for a couple of months now and have seen various articles and Stack Overflow posts, but there is a staggering number of variables and details involved with SSL and I can't find anything that directly addresses this in a way that makes sense to me with my limited understanding.
I also have the option of running a Linux script at the time of deployment to add different/other formats of certs/keys to the stores/filesystem in the container. This is how I get the certs and keys into the container in the first place, so I have some control over what I can make happen here as well:
LINUX CONFIG SCRIPT:
cp /etc/root/trustedroot.crt /usr/share/ca-certificates
cp /etc/mutualauth/tls.crt /usr/share/ca-certificates
cp /etc/mutualauth/tls.key /etc/ssl/private
echo "trustedroot.crt" >> /etc/ca-certificates.conf
echo "tls.crt" >> /etc/ca-certificates.conf
update-ca-certificates
dotnet wsdltest.dll --environment=Production --server.urls http://*:80
I do not believe I can get the binary .PFX file into the container due to security policies and limitations, but I definitely can get its string-encoded cert and key formats into the container.
...so if there is a way of using different styles of certs that I can extract from the .PFX, or of specifying the password and cert when the server 'spins up' so that my code does not require a password, that would work too. I might just be missing something basic in the Linux config.
Would anyone be so kind as to point me in the proper direction to find out how I can uplift my HttpClientHandler code OR Linux config to be able to make this API call? Any ideas are welcome at this point; this has been a thorn in my side for a long time now... Thank you so much!
This was not the right approach.
The correct approach was an NGINX reverse proxy terminating mutual-auth TLS so that .NET Core doesn't have to.
Save yourself some time and go NGINX! :D

Jenkins Publish over SSH authentication failed with private key

I can authenticate successfully with PuTTY on the server with my private key and passphrase. But when I try to do it with the Jenkins Publish over SSH plugin (using Test Configuration), I get the following error message:
jenkins.plugins.publish_over.BapPublisherException: Failed to connect session for config myconfig. Message [Auth fail]
I entered the same information as in PuTTY:
Hostname : myhostname
Username : myusername
Remote Directory: (empty)
Use password authentication, or use a different key: checked
Path to key: mypath
Passphrase: mypassword
Key: (empty)
Port: 22
Timeout (ms): 300000
If you have any idea...
Thanks for your help.
Looks like you're using key file authentication, so you'll get this error from Jenkins if you haven't set the permissions correctly on your .ssh folder and/or ~/.ssh/authorized_keys file.
- the .ssh folder should have drwx------ permissions (read/write/execute owner only)
- the authorized_keys file should have -rw------- permissions (read/write owner only)
To fix it:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
I ran into the same issue today and it turned out I was accidentally supplying the path to the public key instead of the private one.
So the "Path to key" should be something like
.ssh/id_rsa
instead of
.ssh/id_rsa.pub
Because your Linux login needs a password, the answer is:
1. Passphrase: your passphrase
2. Path to key: your private key path
3. Key: blank
4. Disable exec: unchecked
SSH Servers
1. Name: remote_user@remotehost.com
2. Hostname: remotehost.com
3. Username: remote_user
4. Remote Directory: empty
Advanced --
5. Check the box "Use password authentication, or use a different key" (important)
6. Passphrase / Password: your Linux login password (important)
7. Path to key: blank
8. Key: blank
9. Port: 22
10. Timeout (ms): 300000
'Test Configuration'
success
Check that the public key is in the .ssh/authorized_keys file on the target server, even if the target server is the same as the Jenkins server. I had what is probably the same problem, and it turned out that I needed this, even though ssh localhost worked fine.
(Addendum: also check that the Jenkins server has the target server in its .ssh/known_hosts file, as that can affect this as well.)
I think, as it says, this is an authentication issue:
Use password authentication, or use a different key
Selecting this option will produce 3 more configuration boxes that mirror the options available for the Jenkins SSH Key.
Passphrase / Password
If either Path to key or Key are configured then this is the passphrase to use with the encrypted key.
If no key is configured then this is the password that will be used for password authentication.
Path to key
See description above.
Key
See description above.
Disable exec
This option will remove the ability to execute commands using this configuration.
LINK HERE
I am facing the same issue; the following steps worked for me (I am using Jenkins 1.57):
Go to http:///jenkins/manage
Configure System
Browse to the Publish over SSH section
Passphrase: blank
Path to key: blank
Key: blank
Disable exec: unchecked
SSH Servers
-- Name: remote_user@remotehost.com
-- Hostname: remotehost.com
-- Username: remote_user
-- Remote Directory: empty
-- Advanced
-- Check the box "Use password authentication, or use a different key"
-- Port: 22
-- Timeout (ms): 300000
-- 'Test Configuration'
success
Try restarting sshd on the remote server:
/etc/init.d/sshd restart
Don't do any ssh-keygen. Just enter the pem key details under the Key field,
add the SSH server details: Name, Hostname and Username as ec2-user.
Click Test Connection and it works.
Sometimes the SSH connection fails if the destination server doesn't have enough disk space to perform the PUT operation:
{ERROR: Exception when publishing, exception message [Failure]}
Make sure to verify that the destination server has enough disk space.
On Linux, you can use 'df -kh /directoryname' to check the disk space.
Just copy the jenkins user's id_rsa.pub to the end of ~/.ssh/authorized_keys on the remote host.
I was having the same exact issue today and thought I would share what worked for me.
Normally when I SSH into my EC2 instance, AWS likes the username to be
ubuntu@[ip address/url]
Jenkins likes it to be just the username, so remove the rest:
ubuntu
If you use an RSA key, and see a string like this in your private key:
-----BEGIN RSA PRIVATE KEY-----
***************************************
-----END RSA PRIVATE KEY-----
you need to edit the sshd config file on the remote machine:
sudo vim /etc/ssh/sshd_config
and add these lines to the file:
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
I have the same problem; I am on Windows. The solution:
Enable OpenSSH debug mode, so you can see the error detail (details: link):
Stop the sshd service
Type 'sshd -d' in PowerShell
Now if you connect again, you can see the error detail. My error is:
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
We can add PubkeyAcceptedKeyTypes=+ssh-rsa in the server's sshd_config file (details: link).
Now the test succeeds. If there is still an error like "Failed to connect SFTP channel" and the debug output is
debug1: subsystem: cannot stat sftp-server.exe: No such file or directory
this is because OpenSSH is not in the Windows system path (details: link).
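An added helper script (mine, not from any of the posts above) that applies the checks the Jenkins "Auth fail" answers describe to a key file before it is pasted into the plugin: private vs public key, owner-only permissions, whether a passphrase is needed, and a hint for RSA keys about the ssh-rsa/PubkeyAcceptedAlgorithms messages. prepare_user_dir performs the rename-to-id_rsa into a separate directory described in the Erlang answer at the top of the page. File names, directory names and the placeholder key text are constructed for the demo.

```shell
# Exit codes: 0 private key, 2 public key given, 3 permissions too open, 4 not a key.
check_ssh_key_file() {
    f=$1
    [ -r "$f" ] || { echo "unreadable: $f"; return 4; }
    first=$(head -n 1 "$f" | tr -d '\r')
    case $first in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*)
            echo "$f is a PUBLIC key; supply the private one (id_rsa, not id_rsa.pub)"
            return 2 ;;
        "-----BEGIN"*"PRIVATE KEY-----") ;;
        *) echo "$f does not look like an SSH key"; return 4 ;;
    esac
    perms=$(ls -ld "$f" | cut -c5-10)    # group and other bits from ls -l
    [ "$perms" = "------" ] || { echo "$f is readable by others: chmod 600 $f"; return 3; }
    # Traditional PEM and PKCS#8 state encryption in clear text; the OpenSSH
    # container format does not, so only the first two can be reported.
    case $first in
        *OPENSSH*) echo "$f: OpenSSH-format key, passphrase status not visible" ;;
        *) grep -q ENCRYPTED "$f" && echo "$f: encrypted, fill in Passphrase" \
                                  || echo "$f: unencrypted, leave Passphrase blank" ;;
    esac
    case $first in
        *RSA*) echo "$f: RSA key; 'ssh-rsa not in PubkeyAcceptedAlgorithms' in sshd logs means the client still signs with SHA-1 ssh-rsa" ;;
    esac
    return 0
}
# Copy a .pem under the name id_rsa into its own directory (the Erlang
# answer's approach) so nothing in ~/.ssh is touched; returns the check's code.
prepare_user_dir() {
    pem=$1; dir=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    cp "$pem" "$dir/id_rsa" && chmod 600 "$dir/id_rsa"
    check_ssh_key_file "$dir/id_rsa"
}
# Constructed sample files with placeholder text, not real key material.
make_sample_keys() {
    d=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2E constructed@example\n' > "$d/id_rsa.pub"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00' '' 'AAAA' '-----END RSA PRIVATE KEY-----' > "$d/my.pem"
    chmod 644 "$d/id_rsa.pub" "$d/my.pem"
    echo "$d"
}
sample=$(make_sample_keys)
check_ssh_key_file "$sample/id_rsa.pub" || true            # reports public key, exit 2
prepare_user_dir "$sample/my.pem" "$sample/keys" || true   # reports encrypted RSA key, exit 0
```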

Can't SSH into my Digital Ocean droplet from Blink (iPadOS)

I am following this guide: https://thesweetsetup.com/how-to-use-digital-ocean-for-web-development-on-an-ipad/ to set up an environment on an iPad using Blink/Mosh.
I generated a droplet in the DO UI and added the public key I created using ssh-keygen in Blink (also tried ssh-keygen -m pem). When I do ssh root@<IP-ADDRESS> I get the usual dialog:
Ed25519 key fingerprint is SHA256:<key>.
The server is unknown.
Do you trust the host key? (yes/no): yes
This new key will be written on disk for further usage.
Do you agree? (yes/no): yes
After this I just get back to Blink. If I try to SSH again nothing happens. If I try ssh -i id_rsa root@<IP-ADDRESS>, also nothing happens.
What am I doing wrong? I found this: https://github.com/blinksh/blink/issues/725 but do not understand what to do to fix it.
I had this same problem. The Blink terminal didn't give me any output or anything. The problem is that you have to give the full path of the id_rsa file (from the perspective of your default Blink directory). So instead of ssh -i id_rsa root@<IP-ADDRESS>, do ssh -i .ssh/id_rsa root@<IP-ADDRESS>.
Btw one difference in our ssh key creation is that you created your key with the command ssh-keygen -m pem while I used ssh-keygen -t rsa -b 4096. I don't think that should be a problem though.
I had this same issue on some DO droplets I had. I had already set up the droplets with another key and added a new one for my Blink app through the DO interface with no luck.
I realized that I still had to add the new public key to the authorized keys file in the user's .ssh directory (~/.ssh/authorized_keys), and this solved my problem.
I did this through the device I was already using successfully, and copied the new key to that device to paste in.