I'm using nodejs and expressjs for my backend restful api service. I'm trying to install configure SSL Certificate in my express service. I have already installed openssl in my Windows 10.
Below are my versions
Node Version 16.16.0, Express Version 4.16.4
But when I try to run the below command
openssl genrsa -out key.pem
This is what Im getting
I have tried explicitly passing the path of openssl in the command like this openssl genrsa -out key.pem "C:\Program Files\OpenSSL\openssl.cnf".
Also I have already set the environment / path variables
Related
I have set up a docker registry using harbor.
I have copied the appropriate certificates in /usr/share/local/ca-certificates and run sudo update-ca-certificates with success. (indicated the number of newly certs added).
When trying to login to the specific registry:
ubuntu#master1:/home/vagrant$ docker login my.registry.url
Username: pkaramol
Password:
Error response from daemon: Get https://my.registry.url/v2/: x509: certificate signed by unknown authority
However the following test succeeds:
openssl s_client -connect my.registry.url:443 -CApath /etc/ssl/certs/
...coming back with a lot of verbose output, the certificate itself and ending in :
Verify return code: 0 (ok)
curl also succeeds to the above https link (it fails when the site is not trusted).
Any suggestions?
If you read the documentation
Use self-signed certificates
Warning: Using this along with basic authentication requires to also trust the certificate into the OS cert store for some versions of docker (see below)
This is more secure than the insecure registry solution.
Generate your own certificate:
$ mkdir -p certs
$ openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt
Be sure to use the name myregistrydomain.com as a CN.
Use the result to start your registry with TLS enabled.
Instruct every Docker daemon to trust that certificate. The way to do this depends on your OS.
Linux: Copy the domain.crt file to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt on every Docker host. You do not need to restart Docker.
See below link for more details
https://docs.docker.com/registry/insecure/#use-self-signed-certificates
I've set up an internal pypi server for internal projects.
It's hosted at https://<USER>:<PASS>#<INTERAL>/pypi with a self-signed certificate.
I can get pip to use this repository in addition to the central pypi server using extra-index-url in ~/.pip/pip.conf. As the certificate to my server is self-signed, and pip isn't using the system-wide (keychain) certificated, I've made it aware of it using cert = ... in the config file:
extra-index-url = https://<USER>:<PASS>#<INTERAL>/pypi
cert = /path/to/cert.pem
Now, whenever I install something using pip install, I get a warning that the certificate can't be verified for https://pypi.python.org:
$ pip install <PACKAGE-NAME>
Collecting <PACKAGE-NAME>
Could not fetch URL https://pypi.python.org/simple/<PACKAGE-NAME>/:
There was a problem confirming the ssl certificate: [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) -
skipping
Is there any way to tell pip only to use the self-signed certificate only for the extra-index-url repository?
Pip uses it's certificate bundle (a file) that can be found by running:
python -m pip._vendor.requests.certs
The bundle is just a file with certificates concatenated, one after another. We want to tell pip to use those AND our certificate,
so generate a new file using
cat $(python -m pip._vendor.requests.certs) /path/to/my/cert.pem > /path/to/my/bundle.pem
and make sure your .pip/pip.conf file contains something along these lines:
[global]
extra-index-url = https://user:pass#my-pypi.com
cert = /path/to/my/bundle.pem
Finally, you might want to periodically update /path/to/my/bundle.pem (in a cronjob or whatever).
Other notes
I also got the following error:
SubjectAltNameWarning: Certificate for my-pypi.com has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
Normally, you'd create a certificate something like:
openssl req -new -x509 -nodes -key my.key -out cert.csr -days 365
Instead, copy your openssl.cnf (possibly in /etc/pki/tls/openssl.cnf) to your working directory, and add an extension by adding the following to the end of the file:
[ san_env ]
subjectAltName=DNS:mypypi.com
and generating your certificate with
openssl req -new -x509 -nodes -key my.key -out cert.csr -days 365 -config openssl.cnf -extensions san_env
In addition, pip wants your certificate in a different format, which can be generated using
openssl x509 -inform der -in cert.cer -out cert.pem
This file cert.pem can be concatenated with the python ca bundle as described above to generate your custom bundle.
I created a p12 file on my MacOS ElCaptain, using a .pem and .key file via openssl command :
openssl pkcs12 -export -in <PEM_file>.pem -inkey <PRIVATE_KEY>.key -out <FILENAME>.p12
Everything went ok. I was able to make my cURL calls using this p12.
When I did the same on my Ubuntu 14.04.5 LTS (with the same .pem and .key), I started to receive this message when I used cURL with the p12:
curl: (58) unable to use client certificate (no key found or wrong pass phrase?)
What I am missing?
curl supports about a dozen different SSL/TLS implementations and how certs&keys are supplied varies depending on which implementation is used in your build. Use curl -V (upper vee) to check. I'd guess, but don't know, the MacOS build uses SecureTransport; the (standard) package on my off-in-the-corner Ubuntu 14.04.4 definitely uses OpenSSL.
Per the man page and confirmed by experiment on my Ubuntu, this build wants PEM format files, not PKCS12. These are the same two files you used as input to openssl pkcs12 -export, or you can concatenate them and just use that for --cert (this can work because PEM format marks each block separately); and if you don't have them anymore you can just use openssl pkcs12 -in foo.p12 -out foo.pem (i.e. OMIT -export) to convert back.
I'm going to install SSL using OpenSSL on WAMPServer. The processes which I've been through are as follows:
I have installed apache, configured it and activated ssl module,
Added a new system variable OPENSSL_CONF:
Variable name: OPENSSL_CONF
Variable value: A:\wamp\bin\apache\apache2.4.9\conf\openssl.cnf
Restarted windows and made sure I saw the following line among the environment variables using command-line set | more command:
OPENSSL_CONF=A:\wamp\bin\apache\apache2.4.9\conf\openssl.cnf
Installed openSSL1.01Light(x64) on A:\OpenSSL and in its bin folder I have generated a key using command line command:
openssl req -new > webserver.csr
(Note that openSSL installation directory by default ain't have webserver.csr and I had to copy it from A:\wamp\bin\apache\apache2.4.9\bin directory)
The command ran and prompted me to enter a PEM pass phrase and verify it. I entered a pass phrase and verified it.
I entered information that would be incorporated into my certificate request.
I ran the following command:
openssl rsa -in privkey.pem -out webserver.key
I was prompted for the pass phrase from the previous step. The RSA key was written and the file webserver.key was then available in the folder.
Now I was going to covert the certificate into a signed one using the following command:
openssl x509 -in webserver.csr -out webserver.cert -req -signkey webserver.key -days 365
I got stock in this level that error occured with the following message:
5336:error:0906D06C:PEM routiness:PEM read bin:no start line:.\crypto\pem\pem_lib.c:703:Expecting: CERTIFICATE REQUEST
error in x509
How do I overcome this issue? Any idea? Thanks...
I deployed the IBM app center on IBM worklight server 6.1 and enabled the SSL by generating SSL certificate using Liberty core's common utility and updated the server.xml according to that.
When I am accessing the link https://< serverIP >:< sslPort >/appcenterconsole/inst.html
It shows SSL error SSL certificate not matches the server URL this is my first problem.
On chrome it shows an option to proceed anyway after that I am able to access the page which has IBM App Center installer application using my username and password.
But when I click on the link of the application to download and install the app it shows message that Cannot connect to < serverIP > this is my second problem
You generated a self-signed certificate. Per documentation, IBM Application Center does not support self-signed certificates. You need to purchase an official SSL certificate from a certificate authority. This limitation comes actually from iOS.
There is a complex workaround, but I recommend this only for testing. The workaround is not really suitable for production:
Generate a special self-signed certificate with CA flag set to true. This makes the certificate also a certificate authority. Note: Most instructions on the web are only valid for self-signed certificates with CA flag set to false. If you use openssl, use the options -reqexts v3_req -extensions v3_ca
Import this SSL certificate into your device. See here and in its subsections for details. This should also work for 6.1 even though the documentation link is for 6.2
Install this certificate for your webserver and proceed as usual.
You dont need to purchase nothing, you just need to create a CA certificate with an apple mac, install it to the device and u will be allowed to download the apps, easy peasy
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out cerficate.crt -reqexts v3_req -extensions v3_ca
put your domain in the name field when required.
then
cat cerficate.crt privateKey.key > server.pem
then
openssl pkcs12 -export -in certificate.crt -inkey server.pem -out server.p12 -passout pass:passServerP12 -passin pass:passServer
Then to try it out:
openssl s_client -connect hostname:port
Hope i could help ;D