let's encrypt > certbot > openssl certificate (2048 bit key issue) - ssl

I'm trying to generate a wildcard PFX certificate for my domain example.com with Let's Entrypt, then using certbot and finally converting .pem to pfx using OpenSSL.
The problem is that it seems the final PFX file doesn't meet security browser requiements and the key doesn't have at least 2048 characters, but this is really strange as Certbot by default works at 2048 bits for RSA keys (already tried forcing to 4096 but I get the same result).
This is the procedure I followed:
from Certbot (installed via Anaconda Python) I ran
call C:\ProgramData\Anaconda3\Scripts\activate.bat
certbot certonly --dns-cloudflare --dns-cloudflare-credentials "C:\Users\administrator.EXAMPLE\Desktop\certificati\cloudflare.ini" --dns-cloudflare-propagation-seconds 30 -d *.example.com --email example#example.com
After, from OpenSSL I ran
openssl pkcs12 -export -out "C:\Users\administrator.EXAMPLE\Desktop\certificati\EXAMPLE.com.pfx" -inkey "C:\Certbot\live\EXAMPLE.com\privkey.pem" -in "C:\Certbot\live\EXAMPLE.com\fullchain.pem" -password pass:TEST2023!
From Sangfor VDI interface an alert appears when I try to import the certificate and if I test to access the FQDN from Chrome for example, the domain cannot be loaded due to SSL mismatch.

certbot certonly --rsa-key-size 2048 --key-type rsa --dns-cloudflare --dns-cloudflare-credentials "C:\Users\administrator.EXAMPLE\Desktop\certificati\cloudflare.ini" --dns-cloudflare-propagation-seconds 30 -d *.example.com --email example#example.com

Related

ISPConfig wont accept new certificate

I was using certificate which expired. I requested new one with new private key and request file.
But when I add new certificate to ISPConfig vhost, even after running
/usr/local/ispconfig/server/server.sh
the new certificate wont be accepted by ISPConfig and is still using the old one which expired, so my site is not working with HTTPS. Is there possibility that ISPConfig have this old certificate stored somewhere?
I also deleted content of SSL folder in my vhost but did not worked either.
Site is working with generated Let's Encrypt certificate.
I also faced the same error and I fixed it by applying the second method. I've mentioned both methods for you. Please try any to renew your SSL Certificate.
Method 1:
Create a new ISPConfig 3 SSL Certificate with OpenSSL
Login to your server on the shell as a root user. Before we create a new SSL Cert, backup the current ones. SSL Certs are security-sensitive so I'll store the backup in the /root/ folder.
# tar pcfz /root/ispconfig_ssl_backup.tar.gz /usr/local/ispconfig/interface/ssl
# chmod 600 /root/ispconfig_ssl_backup.tar.gz
Now create a new SSL Certificate key, Certificate Request (csr) and a self-signed certificate.
# cd /usr/local/ispconfig/interface/ssl
# openssl genrsa -des3 -out ispserver.key 4096
# openssl req -new -key ispserver.key -out ispserver.csr
# openssl x509 -req -days 3650 -in ispserver.csr \
-signkey ispserver.key -out ispserver.crt
# openssl rsa -in ispserver.key -out ispserver.key.insecure
# mv ispserver.key ispserver.key.secure
# mv ispserver.key.insecure ispserver.key
Restart Apache to load the new SSL Certificate.
# service apache2 restart
Method 2:
Renew the SSL Certificate with the ISPConfig installer
The alternative way to get a new SSL Certificate is to use the ISPConfig update script.
Download ISPConfig to the /tmp folder, unpack the archive and start the update script.
# cd /tmp
# wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
# tar xvfz ISPConfig-3-stable.tar.gz
# cd ispconfig3_install/install
# php -q update.php
The update script will ask the following question during the update:
Create new ISPConfig SSL certificate (yes,no) [no]:
Answer "yes" here and the SSL Certificate creation dialog will start.
Thank you!

HTTPS issue "Your connection is not private", Ngnix

I'm trying to get HTTPS work on all subdomains using"Nginx", but receive:
This server could not prove that it is api.wokcraft.com; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.
URL: https://api.wokcraft.com/
Can any one inform what missing?
thx
edit: I followed this instructions: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/1091/0/certificate-installation--nginx
Nginx doesn't send the correct list of intermediate certificates: https://www.ssllabs.com/ssltest/analyze.html?d=api.wokcraft.com&latest
Create the correct bundle:
You want to create Comodo Bundle this way (replacing your_cert with actual name of your file):
cat your_cert.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > your_cert.ca-bundle
Get the new ca-bundle onto your server
Once that is done copy this to your server as in the Nginx set it this way:
ssl_certificate /your/ssl/path/your_cert.ca-bundle;
ssl_certificate_key /your/ssl/path/your_cert_privateKey.key;
Verify the cert and key are matching after they have been copied (compare md5 hashes).
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
Test the config (need to run as sudo):
sudo nginx -t
If no errors, reload nginx and re-run you SSLlabs check:
https://www.ssllabs.com/ssltest/analyze.html?d=api.wokcraft.com

HTTPS inspection on my server

I have been trying to inspect all the traffic going through my machine. I have a server directly connected to Internet. And I would like to log all the youtube request made on internet with the URL.
As youtube is based on SSL, so I must need to inspect the HTTPS traffic. I have read it somewhere that I must need to create MITM attack on my own server in order to view the HTTPS request. I have followed following steps in order to create a certificate I own.
1 - Generate a 2048 bit RSA Key: openssl genrsa -des3 -out private.pem
2048
2 - Export the RSA Public Key to a File: openssl rsa -in private.pem
-outform PEM -pubout -out public.pem
3 - Check The public key File (Certificate) Now: less public.pem
4 - Export the RSA Public Key to a File: openssl rsa -in private.pem
-out private_unencrypted.pem -outform PEM -pubout
5 - Check The Private File Now: less private.pem
6 - Copied certificate into certificate directory
7 - Configure certificate by using following command: sudo dpkg-reconfigure ca-certificates
In the end executed all the possible ways available:
mitmproxy -T
Above command open a console application and I accessed all the HTTPs sites but no effect on this window.
And
sudo ssldump -Ad -k cert.pem -p password -i wlo1
This command just printed some handshake stuff in console and after that terminated. But, nothing is related to URL.
And
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 1024
sudo sslstrip -l 1024
This commands keep on listening but, nothing comes out as a result in sslstrip.log file.
I am using all these things with Ubuntu 15 and want to dump ssl request in transparent mode i.e. without setting up proxy on client's machine.

Can't restart nginx https certificate routine private key missmatch

I have updated my certificate on Gandi like this :
sudo openssl genrsa -des3 -out mywebsite.com_encrypted.key 4096
sudo openssl req -new -key mywebsite.com_encrypted.key -out mywebsite.com.csr
cd /etc/nginx/ssl/
sudo nano mywebsite.com.crt # > pasted the Gandi certificate in this file
sudo wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
sudo cat GandiStandardSSLCA.pem >> mywebsite.com.crt
sudo openssl rsa -in mywebsite.com_encrypted.key -out mywebsite.com.key
sudo chown root:root mywebsite.com.key
sudo chmod 400 mywebsite.com.key
Everything was working good with older certificate but since I updated configuration with new certificate here is is my log on nginx. I can't restart :
Nginx logs :
2015/05/12 20:53:03 [emerg] 7515#0: SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/mywebsite.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
What's wrong with process ?
Configuration of nginx is ok.
Here is my nginx configuration :
ssl on;
ssl_certificate /etc/nginx/ssl/mywebsite.com.crt;
ssl_certificate_key /etc/nginx/ssl/mywebsite.com.key;
I have no idea what you are trying to achieve. It looks like you replaced the key in /etc/nginx/ssl/mywebsite.com.key, leaving the original certificate /etc/nginx/ssl/mywebsite.com.crt unchanged (the mywebsite.com.crt certificate is still bound to the original key - and you cannot change that - public key is an integral part of X509 certificate). This is exactly what openssl is trying to tell you - you are trying to use a certificate with different private key that was originaly created with.
BTW: I also have no idea why you created a certificate request (along with the new key) and then left it unused (without actually using it to create new certificate).

How to setup Dart to use a CA SSL certificate?

I recently deployed a Dart server application that serves HTTP requests. I wanted to add support for HTTPS so I have been trying to add SSL to the Dart server application.
This answer gives a clear explanation of how to add a self-signing SSL certificate to Dart. However, I want to add an SSL certificate I bought from an SSL provider.
The SSL provider e-mailed my 4 files:
Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - my_domain.crt
I have been trying to figure out how certutil works and how to add these certificates to the certificate database, but I just can't figure it all out.
Anyone with experience enabling a CA SSL certificate in Dart?
SOLVED: Thanks to suggestion in the comments, I solved the issue. This is the gist of my complete setup: https://gist.github.com/stevenroose/e6abde14258971eae982
First of all, you probably have three files generated with openssl for your private key, server certificate and CA certificate. To convert all those into a PKCS12 file, you can use openssl:
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile CAcert.crt
Then, you can adapt the certutil commands as shown to load you PKCS12 instead of generating new certificates:
certutil -N -d sql:certdb
certutil -A -n mycertnick -i server.crt -t "TCu,Cu,Tuw" -d sql:certdb
certutil -A -n myCA -i CAcert.crt -t "TCu,Cu,Tuw" -d sql:certdb
pk12util -i server.p12 -d sql:certdb
It seems to work with the sample code in the referenced question.
Unfortunately the SSL management in Dart is known to be very lacking.
I reported this many times, with no serious answer from the Dart team.
Star this issue if you want something done about it:
https://code.google.com/p/dart/issues/detail?id=20967