How to install Let's encrypt SSL certificate with automated renewal and also change the admin URL for orocommerce?
There are two unrelated questions.
How to install Let's encrypt SSL certificate with automated renewal
There is no difference from other applications in this step, so you can follow the general installation guide provided by Let's Encrypt for your operating system.
change the admin URL for orocommerce?
You can do it from the management console by modifying the Application URL, Website URL and Secure URLs, or from the command line:
php bin/console oro:config:update --env=prod oro_ui.application_url <new application-url>
php bin/console oro:config:update --env=prod oro_website.url <new application-url>
php bin/console oro:config:update --env=prod oro_website.secure_url <new application-url>
where the <new application-url> must be replaced with your application URL, like https://example.com.
I can not use HTTPS with my web api so I tried running this command:
dotnet dev-certs https --trust
But I got this error :
Trusting the HTTPS development certificate was requested. A confirmation prompt will be displayed if the certificate was not previously trusted. Click yes on the prompt to trust the certificate.
There was an error trusting HTTPS developer certificate.
I also tried to clean and create a new one
dotnet dev-certs https -v
The HTTPS developer certificate was generated successfully.
But still facing the same issue.
I can not see localhost certificate in CurrentUser\Personal\Certificates
Sometimes this happens if you have multiple Certificates.
Execute certmgr.msc in Run
Clear all localhost certificates
On the command line, execute dotnet dev-certs https -t
You can check the certificate with dotnet dev-certs https --check. If this command returned nothing, everything is OK.
Run your application using dotnet run
I am unable to generate a valid dev localhost certificate for .NET Core.
When I run the dotnet dev-certs https -c -v command, I get the result No valid certificate found. When I subsequently run dotnet dev-certs https -v I get the message A valid HTTPS certificate is already present.
These messages seem to be conflicting. When I try to run a project using the localhost dev cert, I get the [expected] error:
System.InvalidOperationException: Unable to configure HTTPS endpoint. No server certificate was specified, and the default developer certificate could not be found.
To generate a developer certificate run 'dotnet dev-certs https'. To trust the certificate (Windows and macOS only) run 'dotnet dev-certs https --trust'.
Also, as an additional validation that things don’t seem to be working right, when I check my Keychain after running dotnet dev-certs https & dotnet dev-certs https --trust, no certificate is generated and/or placed in the Keychain.
Any thoughts on the cause of this? It seems from the command outputs that the CLI is writing to one location (unknown) where it thinks it already exists, but trying to read from another (active Keychain) where it is unable to find it.
I ended up recreating my macOS keychain and the issue was resolved.
I went to Tools > NuGet Package Manager > Package Manager Console,
copy-pasted 'dotnet dev-certs https' and pressed Enter. It worked fine thereafter.
How to manually install an SSL certificate without cPanel access on CentOS 7/Apache? My cPanel license is expired (simply have no money), so I can't log in and can't use the WHM API (command line) because the API tries to read the cPanel license file.
The certificate is already stored on the system (issued by the Let's Encrypt plugin). But I don't know how to make it effective on my site since the Apache config folder is different on a cPanel system. What file should I edit to input my cert address?
Certificate is stored at: /etc/letsencrypt/live/mydomain.com/fullchain.pem
Private key is stored at: /etc/letsencrypt/live/mydomain.com/privkey.pem
Note: I use Engintron (Nginx cPanel plugin), don't know if this changes anything. I have root access.
I got to install SSL certificate (by Let's Encrypt) on cPanel directly by running Certbot-Auto command on SSH screen. Certbot-Auto will generate certificate and install it. It is very simple: https://certbot.eff.org/docs/install.html#certbot-auto.
I had to delete the old expired certificates from my /home/mydomain/ssl folder to avoid conflict. I don't know how things are inside cPanel cause I still have no license to access. I will renew license soon, but can't stop working on my site just because I have no SSL.
I enabled TLS in NiFi by running the below command,
nifi-toolkit/nifi-toolkit-assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/bin/tls-toolkit.sh standalone -n "{my-ip},localhost" -C 'CN={my-ip}' -C 'CN=localhost' -o ./certs
This created the files required for TLS under the directory certs.
I moved the files under the directory certs into the conf folder of the deployment in my machine.
Installed the certificate to my machine's Keychain Access.
Now I started the server using bin/nifi.sh start. My server starts and I am able to hit the server, but my request is not authorized.
I am getting the below error,
Not authorized for the requested resource. Contact the system
administrator.
Once TLS is enabled in Apache NiFi, anonymous access is no longer enabled by default. You will need to authenticate as a user in order to access the UI/API. There are three authentication mechanisms available -- client certificates, LDAP, or Kerberos. Once you configure an Initial Admin Identity in $NIFI_HOME/conf/authorizers.xml (this would be the exact CN of the client certificate you issued in the TLS Toolkit command), that user can authenticate and use the user management tools in NiFi to add additional users.
You can find more information in the NiFi Admin Guide. Bryan Bende has also written a detailed walkthrough of the process.
One note about the command you posted above -- I am not sure what your desired output is, but the command is issuing a server certificate for my-ip and another for hostname, but then two client certificates with those DNs as well. In general, you want a server certificate for hostname (possibly with a SAN entry for my-ip), and a client certificate with a DN like CN=alopresto, OU=Apache NiFi.
For example:
./bin/tls-toolkit.sh standalone \
  -n 'nifi.nifi.apache.org' \
  --subjectAlternativeNames '123.234.234.123' \
  -C 'CN=alopresto, OU=Apache NiFi' \
  -P password \
  -S password \
  -B password \
  -f ...conf/nifi.properties \
  -o ...conf/
I use a self-signed certificate to encrypt.
After some work, https is working for git, but the git#xxxxx way does not work. Here's the output:
Cloning into 'test'...
/usr/lib/ruby/1.9.1/net/http.rb:762:in `initialize': Connection refused - connect(2 (Errno::ECONNREFUSED)
from /usr/lib/ruby/1.9.1/net/http.rb:762:in `open'
from /usr/lib/ruby/1.9.1/net/http.rb:762:in `block in connect'
from /usr/lib/ruby/1.9.1/timeout.rb:54:in `timeout'
from /usr/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
from /usr/lib/ruby/1.9.1/net/http.rb:762:in `connect'
from /usr/lib/ruby/1.9.1/net/http.rb:755:in `do_start'
from /usr/lib/ruby/1.9.1/net/http.rb:744:in `start'
from /home/git/gitlab-shell/lib/gitlab_net.rb:56:in `get'
from /home/git/gitlab-shell/lib/gitlab_net.rb:17:in `allowed?'
from /home/git/gitlab-shell/lib/gitlab_shell.rb:51:in `validate_access'
from /home/git/gitlab-shell/lib/gitlab_shell.rb:21:in `exec'
from /home/git/gitlab-shell/bin/gitlab-shell:16:in `<main>'
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Both ssh and http worked fine before I started the self-signed cert thing, so now ssh+ssl is not working.
I'm using nginx, gitlab 5.3, followed the install instruction on gitlab website.
I did a check, too.
~> sudo -u git -H /home/git/gitlab-shell/bin/check
Check GitLab API access: FAILED. code: 301
Check directories and files:
/home/git/repositories: OK
/home/git/.ssh/authorized_keys: OK
I think the 301 might be this part in my nginx config:
server {
    listen 80;
    server_name gitlab.MYDOMAIN.com;
    rewrite ^ https://$server_name$request_uri? permanent;
}
Don't know if it's related or something.
Thanks.
The issue you're having is when you enabled ssl you also redirected http to https.
Accessing the old http:// url works on most clients, but gitlab-shell (used as part of the login process on the gitlab server) will not follow 3xx redirects and instead return an error, thus disabling ssh-based access.
The fix is to edit /home/git/gitlab-shell/config.yml and replace the http:// in gitlab_url: with https://.
If you're using self-signed certificates, you may also have to set self_signed_cert: true under http_settings:
For GitLab 6.0 this fixed the error for me: if using self-signed certificates, make sure that in gitlab-shell/config.yml your gitlab_url is https://... rather than http://... and that you specify self_signed_cert: true
ssh+ssl ?
But the two aren't related from the client's side perspective (unless you want to do some kind of ssh tunneling through NGiNX)
An ssh connection would talk to the ssh daemon (which doesn't need any certificate) and would require that the correct ssh public key has been registered to the server account ~/.ssh/authorized_keys (done by GitLab when a user registers said public key in his/her profile page).
The gitlab-shell/bin/check error is another issue, again not related to the ssh issue.
It is gitlab-shell which tries to contact locally gitlab through an https API.
Solve that locally, and any connection (https or ssh) from the client will succeed.
In particular, check issue 3892, and see if you need to add a CA to the .crt file served by NGiNX.
LJ Vankuiken adds in the comments:
the self-signed flag needs to be set to "true" if the certificate chain presented by your gitlab server cannot be completely verified by the gitlab-shell.
I was able to set the self-signed flag to "false" by adding the signing authority's certificate to the system certificate store.
For what it's worth in case anyone gets similar, I am running Gitlab on port 8080 and because gitlab_url in gitlab-shell/config.yml was NOT pointing to port 8080 it was failing with a redirect error (which my server running on 80 was kicking up).
So to summarize, if you access gitlab via http://gitlab.mydomain.com:8080/ make sure gitlab_url points to http://gitlab.mydomain.com:8080/ as well!
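The redirect failure discussed in the answers above (a 301 from the check, fixed by pointing gitlab_url at the final scheme and port) can be reproduced offline. This is an added example, not code from gitlab-shell or from any of the posts: a constructed loopback server stands in for the port-80 nginx block, and the API path and the host gitlab.example.test are assumptions.

```ruby
require 'net/http'
require 'socket'

# Constructed stand-in for the port-80 nginx block: every request gets a
# 301 to the same path under https_base, then the connection is closed.
def start_redirecting_server(https_base)
  server = TCPServer.new('127.0.0.1', 0) # port 0 = any free port
  Thread.new do
    loop do
      client = server.accept
      path = client.gets.to_s.split(' ')[1] || '/'
      while (line = client.gets) && line != "\r\n"; end # drain headers
      client.write "HTTP/1.1 301 Moved Permanently\r\n" \
                   "Location: #{https_base}#{path}\r\n" \
                   "Content-Length: 0\r\nConnection: close\r\n\r\n"
      client.close
    end
  rescue IOError, SystemCallError # listener closed: let the thread end
  end
  server
end

# Probe the API the way the answers describe gitlab-shell doing it: one GET,
# redirects not followed. The api_path default is an assumption.
def probe_api(gitlab_url, api_path = '/api/v3/internal/check')
  uri = URI.join(gitlab_url, api_path)
  http = Net::HTTP.new(uri.host, uri.port, nil) # nil: ignore proxy env vars
  http.use_ssl = (uri.scheme == 'https')
  http.open_timeout = http.read_timeout = 5
  res = http.request(Net::HTTP::Get.new(uri.request_uri))
  { code: res.code.to_i, location: res['location'] }
end

# Turn the Location header of a 3xx answer into the gitlab_url to configure.
def suggested_gitlab_url(probe)
  return nil unless (300..399).cover?(probe[:code]) && probe[:location]
  target = URI.parse(probe[:location])
  port = target.port == target.default_port ? '' : ":#{target.port}"
  "#{target.scheme}://#{target.host}#{port}/"
end

def demo
  server = start_redirecting_server('https://gitlab.example.test')
  probe = probe_api("http://127.0.0.1:#{server.addr[1]}/")
  [probe, suggested_gitlab_url(probe)]
ensure
  server&.close
end
p demo if __FILE__ == $PROGRAM_NAME
```

Against a real install, the same probe is pointed at the gitlab_url value from /home/git/gitlab-shell/config.yml; a 3xx result means that value does not match the scheme or port the web server finally serves.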