Self-signed SSL certificate for Nextcloud Onion: "ERR_SSL_PROTOCOL_ERROR" - ssl

Context
After setting up a self-hosted Nextcloud server on Ubuntu 22.10 over a Tor domain, I created a self-signed SSL certificate using the script below:
Code
This script first generates the certificate authority (CA) and SSL certificates, and then it adds the CA private key to "/usr/local/share/ca-certificates/$ca_public_key_filename" and reloads the trusted CA certificates with:
sudo update-ca-certificates
It also adds the SSL public and private key and the full chain certificate into Nextcloud.
The fullchain.pem consists of the SSL certificate, followed by the CA certificate.
#!/usr/bin/env bash
# Here is the list of certificates and their description:
# First you create your own certificate authority.
CA_PRIVATE_KEY_FILENAME="ca-key.pem"
CA_PUBLIC_KEY_FILENAME="ca.pem"
# Same file as ca.pem except different file extension and content.
CA_PUBLIC_CERT_FILENAME="ca.crt"
# Then you create an SSL certificate.
SSL_PRIVATE_KEY_FILENAME="cert-key.pem"
# Then create a sign-request (for your own CA to sign your own SSL certificate)
CA_SIGN_SSL_CERT_REQUEST_FILENAME="cert.csr"
SIGNED_DOMAINS_FILENAME="extfile.cnf"
# Then create the signed public SSL cert.
SSL_PUBLIC_KEY_FILENAME="cert.pem"
# Then merge the CA and SSL cert into one.
MERGED_CA_SSL_CERT_FILENAME="fullchain.pem"

setup_tor_ssl() {
  local onion_address="$1"
  # Create domains accepted by certificate.
  local domains
  #domains="DNS:$onion_address,IP:127.0.0.1"
  #domains="DNS:localhost,IP:$onion_address" # IP onion does not work
  #domains="DNS:*.$onion_address" # Does not work.
  #domains="DNS:$onion_address" # Does not work.
  domains="DNS:localhost,DNS:$onion_address" # Works for localhost
  echo "domains=$domains.end_without_space"
  delete_target_files
  # Generate and apply certificate.
  generate_ca_cert "$CA_PRIVATE_KEY_FILENAME" "$CA_PUBLIC_KEY_FILENAME"
  generate_ssl_certificate "$CA_PUBLIC_KEY_FILENAME" "$CA_PRIVATE_KEY_FILENAME" "$CA_SIGN_SSL_CERT_REQUEST_FILENAME" "$SIGNED_DOMAINS_FILENAME" "$SSL_PUBLIC_KEY_FILENAME" "$SSL_PRIVATE_KEY_FILENAME" "$domains"
  verify_certificates "$CA_PUBLIC_KEY_FILENAME" "$SSL_PUBLIC_KEY_FILENAME"
  merge_ca_and_ssl_certs "$SSL_PUBLIC_KEY_FILENAME" "$CA_PUBLIC_KEY_FILENAME" "$MERGED_CA_SSL_CERT_FILENAME"
  install_the_ca_cert_as_a_trusted_root_ca "$CA_PUBLIC_KEY_FILENAME" "$CA_PUBLIC_CERT_FILENAME"
  add_certs_to_nextcloud "$SSL_PUBLIC_KEY_FILENAME" "$SSL_PRIVATE_KEY_FILENAME" "$MERGED_CA_SSL_CERT_FILENAME"
}

generate_ca_cert() {
  local ca_private_key_filename="$1"
  local ca_public_key_filename="$2"
  # Generate RSA
  openssl genrsa -aes256 -out "$ca_private_key_filename" 4096
  # Generate a public CA Cert
  openssl req -new -x509 -sha256 -days 365 -key "$ca_private_key_filename" -out "$ca_public_key_filename"
}

generate_ssl_certificate() {
  local ca_public_key_filename="$1"
  local ca_private_key_filename="$2"
  local ca_sign_ssl_cert_request_filename="$3"
  local signed_domains_filename="$4"
  local ssl_public_key_filename="$5"
  local ssl_private_key_filename="$6"
  local domains="$7"
  # Example supported domains:
  # DNS:your-dns.record,IP:257.10.10.1
  # Create a RSA key
  openssl genrsa -out "$ssl_private_key_filename" 4096
  # Create a Certificate Signing Request (CSR)
  openssl req -new -sha256 -subj "/CN=yourcn" -key "$ssl_private_key_filename" -out "$ca_sign_ssl_cert_request_filename"
  # Create a `extfile` with all the alternative names
  echo "subjectAltName=$domains" >>"$signed_domains_filename"
  # optional
  #echo extendedKeyUsage = serverAuth >> "$ca_sign_ssl_cert_request_filename"
  # Create the public SSL certificate.
  openssl x509 -req -sha256 -days 365 -in "$ca_sign_ssl_cert_request_filename" -CA "$ca_public_key_filename" -CAkey "$ca_private_key_filename" -out "$ssl_public_key_filename" -extfile "$signed_domains_filename" -CAcreateserial
}

verify_certificates() {
  local ca_public_key_filename="$1"
  local ssl_public_key_filename="$2"
  openssl verify -CAfile "$ca_public_key_filename" -verbose "$ssl_public_key_filename"
}

merge_ca_and_ssl_certs() {
  local ssl_public_key_filename="$1"
  local ca_public_key_filename="$2"
  local merged_ca_ssl_cert_filename="$3"
  cat "$ssl_public_key_filename" >"$merged_ca_ssl_cert_filename"
  cat "$ca_public_key_filename" >>"$merged_ca_ssl_cert_filename"
}

install_the_ca_cert_as_a_trusted_root_ca() {
  local ca_public_key_filename="$1"
  local ca_public_cert_filename="$2"
  # The file in the ca-certificates dir must be of extension .crt:
  openssl x509 -outform der -in "$ca_public_key_filename" -out "$ca_public_cert_filename"
  # First remove any old cert if it existed.
  sudo rm "/usr/local/share/ca-certificates/$ca_public_cert_filename"
  sudo update-ca-certificates
  # TODO: Verify target directory exists.
  # On Debian & Derivatives:
  #- Move the CA certificate (`"$ca_public_cert_filename"`) into `/usr/local/share/ca-certificates/ca.crt`.
  sudo cp "$ca_public_cert_filename" "/usr/local/share/ca-certificates/$ca_public_cert_filename"
  # TODO: Verify target file exists.
  # TODO: Verify target file MD5sum.
  # Update the Cert Store with:
  sudo update-ca-certificates
}

add_certs_to_nextcloud() {
  local ssl_public_key_filename="$1"
  local ssl_private_key_filename="$2"
  local merged_ca_ssl_cert_filename="$3"
  # First copy the files into nextcloud.
  # Source: https://github.com/nextcloud-snap/nextcloud-snap/issues/256
  # (see nextcloud.enable-https custom -h command).
  #sudo cp ca.pem /var/snap/nextcloud/current/ca.pem
  sudo cp "$ssl_public_key_filename" /var/snap/nextcloud/current/"$ssl_public_key_filename"
  sudo cp "$ssl_private_key_filename" /var/snap/nextcloud/current/"$ssl_private_key_filename"
  sudo cp "$merged_ca_ssl_cert_filename" /var/snap/nextcloud/current/"$merged_ca_ssl_cert_filename"
  # CLI sudo /snap/bin/nextcloud.enable-https custom Says:
  sudo /snap/bin/nextcloud.enable-https custom "/var/snap/nextcloud/current/$ssl_public_key_filename" "/var/snap/nextcloud/current/$ssl_private_key_filename" "/var/snap/nextcloud/current/$merged_ca_ssl_cert_filename"
}

delete_target_files() {
  rm "$CA_PRIVATE_KEY_FILENAME"
  rm "$CA_PUBLIC_CERT_FILENAME"
  rm "$CA_PUBLIC_KEY_FILENAME"
  rm "$SSL_PRIVATE_KEY_FILENAME"
  rm "$CA_SIGN_SSL_CERT_REQUEST_FILENAME"
  rm "$SIGNED_DOMAINS_FILENAME"
  rm "$SSL_PUBLIC_KEY_FILENAME"
  rm "$MERGED_CA_SSL_CERT_FILENAME"
  sudo rm "/usr/local/share/ca-certificates/$CA_PUBLIC_KEY_FILENAME"
  sudo rm "/usr/local/share/ca-certificates/$CA_PUBLIC_CERT_FILENAME"
  sudo rm "/var/snap/nextcloud/current/$SSL_PUBLIC_KEY_FILENAME"
  sudo rm "/var/snap/nextcloud/current/$SSL_PRIVATE_KEY_FILENAME"
  sudo rm "/var/snap/nextcloud/current/$MERGED_CA_SSL_CERT_FILENAME"
}
Output
The output of this script can be read as:
$src/main.sh -h
domains=DNS:some_onion.onion,IP:127.0.0.1.end_without_space
rm: cannot remove 'ca.pem': No such file or directory
rm: cannot remove 'cert.csr': No such file or directory
rm: cannot remove 'extfile.cnf': No such file or directory
rm: cannot remove 'cert.pem': No such file or directory
rm: cannot remove 'fullchain.pem': No such file or directory
rm: cannot remove '/usr/local/share/ca-certificates/ca.pem': No such file or directory
Generating RSA private key, 4096 bit long modulus (2 primes)
................................................................................................................................................................................++++
...................................................................................................................................................................................................................................++++
e is 65537 (0x010001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:so
State or Province Name (full name) [Some-State]:state3
Locality Name (eg, city) []:locality3
Organization Name (eg, company) [Internet Widgits Pty Ltd]:org3
Organizational Unit Name (eg, section) []:orgunit3
Common Name (e.g. server FQDN or YOUR name) []:cn3
Email Address []:email3@email.com
Generating RSA private key, 4096 bit long modulus (2 primes)
...................................................................++++
.............................................++++
e is 65537 (0x010001)
Signature ok
subject=CN = yourcn
Getting CA Private Key
Enter pass phrase for ca-key.pem:
cert.pem: OK
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Processing triggers for ca-certificates-java (20220719) ...
done.
Updating Mono key store
Mono Certificate Store Sync - version 6.8.0.105
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.
Importing into legacy system store:
I already trust 124, your new list has 124
Import process completed.
Importing into BTLS system store:
I already trust 124, your new list has 124
Import process completed.
Done
done.
Installing custom certificate... done
Restarting apache... done
Error Message
After running the script successfully, I can manually import the ca.crt into Brave at brave://settings/certificates. This ensures HTTPS works for https://localhost:81. However, when I open the Tor browser in Brave and visit some_onion.onion, it returns:
This site can’t provide a secure connection
some_onion.onion sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
Question
How can I ensure the certificate is trusted on both the some_onion.onion link, as well as on localhost?
Doubt
I am unsure whether:
echo "subjectAltName=DNS:some_onion_link.onion"
is permitted for an SSL certificate. I wonder why the Tor version of Brave does not show why the certificate is not trusted.
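A way to settle the doubt above offline, as an added example that is not part of the question or the script: build a throw-away CA and a leaf certificate with the same SAN shape the script uses (DNS:localhost plus a DNS .onion entry), then let openssl run the chain-and-hostname check a browser would run once the CA is imported. If both names pass here, the certificate's names and chain are not what is wrong. The onion address is a constructed placeholder, and openssl 1.1.1 or newer is assumed.

```shell
#!/usr/bin/env bash
# Added example (not the asker's script): build a throw-away CA and a server
# certificate whose SAN names both localhost and an onion address, then ask
# openssl whether the chain validates for each name. Assumes openssl >= 1.1.1.
set -eu

# Constructed placeholder in v3 onion form; not a real service.
ONION="exampleonionplaceholderexampleonionplaceholderexample234.onion"

build_chain() {
  local dir="$1" onion="$2"
  # CA key is left unencrypted only so the demo runs non-interactively.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Demo Onion CA" -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
  # Server key + CSR. The CN is irrelevant for name matching; only SANs count.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=yourcn" \
    -keyout "$dir/cert-key.pem" -out "$dir/cert.csr" 2>/dev/null
  # A .onion name is an ordinary DNS-type SAN entry; nothing special is needed.
  printf 'subjectAltName=DNS:localhost,DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$onion" >"$dir/extfile.cnf"
  openssl x509 -req -sha256 -days 365 -in "$dir/cert.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/extfile.cnf" \
    -out "$dir/cert.pem" 2>/dev/null
  # fullchain.pem: leaf first, issuer second, as in the script above.
  cat "$dir/cert.pem" "$dir/ca.pem" >"$dir/fullchain.pem"
}

# Prints OK when cert.pem chains to ca.pem AND its SAN covers $2, else FAIL.
# This is the same test a browser applies after the CA has been imported.
check_host() {
  local dir="$1" host="$2"
  if openssl verify -CAfile "$dir/ca.pem" -verify_hostname "$host" \
       "$dir/cert.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Prints the SAN list so you can confirm the onion name actually went in.
show_san() {
  openssl x509 -in "$1/cert.pem" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Prints the subject of the FIRST certificate in fullchain.pem; a server
# must send the leaf first, so this should be the server cert, not the CA.
first_subject() {
  openssl x509 -in "$1/fullchain.pem" -noout -subject
}
```

Source the file, run build_chain on a scratch directory, then call check_host with localhost and with the onion name; a FAIL for a name you expected to pass points at the SAN line, an OK for both means the remaining problem is outside the certificate.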

Related

How do I install an SSL certificate on my Ubuntu server

I have been given a .pfx file and a pass key. How do I install an SSL certificate on my Ubuntu server through the CLI? The server is nginx.
An SSL certificate should be installed on your web server directly. Please edit your question with the server you have running on the Ubuntu instance (e.g. Apache, Nginx, etc.). The further flow will depend on your web server specifically.
As for the SSL certificate file you have, that is a file in the PKCS#12 standard. It contains your end-entity certificate paired with the Certification Authority bundle, along with the private key. As mentioned, the SSL installation flow depends on the particular web server. You will need to convert the certificate to PEM format (3 separate files: end-entity certificate, CA bundle, and the private key) for SSL installation on the most common servers like Apache or Nginx. A PKCS#12 file can be converted to PEM via openssl according to this answer.
If you want to make HTTPS calls, install openssl on the Ubuntu machine and create a certificate using the following commands (use sudo before every command, if required):
openssl genrsa -out key.pem
openssl req -new -key key.pem -out csr.pem
openssl x509 -req -days 9999 -in csr.pem -signkey key.pem -out cert.pem
rm csr.pem
To check whether HTTPS is working, use the following code:
const https = require('https');
const fs = require('fs');

const options = {
  key: fs.readFileSync('key.pem'),
  cert: fs.readFileSync('cert.pem')
};

https.createServer(options, function (req, res) {
  res.writeHead(200);
  res.end("hello world\n");
}).listen(8000);
Test it on https://localhost:8000 or https://domain_name:8000

ISPConfig won't accept new certificate

I was using a certificate which expired. I requested a new one with a new private key and request file.
But when I add the new certificate to the ISPConfig vhost, even after running
/usr/local/ispconfig/server/server.sh
the new certificate won't be accepted by ISPConfig, and it is still using the old one which expired, so my site is not working with HTTPS. Is there a possibility that ISPConfig has this old certificate stored somewhere?
I also deleted the content of the SSL folder in my vhost, but that did not work either.
The site is working with a generated Let's Encrypt certificate.
I also faced the same error and I fixed it by applying the second method. I've mentioned both methods for you. Please try either to renew your SSL certificate.
Method 1:
Create a new ISPConfig 3 SSL Certificate with OpenSSL
Login to your server on the shell as a root user. Before we create a new SSL Cert, backup the current ones. SSL Certs are security-sensitive so I'll store the backup in the /root/ folder.
# tar pcfz /root/ispconfig_ssl_backup.tar.gz /usr/local/ispconfig/interface/ssl
# chmod 600 /root/ispconfig_ssl_backup.tar.gz
Now create a new SSL Certificate key, Certificate Request (csr) and a self-signed certificate.
# cd /usr/local/ispconfig/interface/ssl
# openssl genrsa -des3 -out ispserver.key 4096
# openssl req -new -key ispserver.key -out ispserver.csr
# openssl x509 -req -days 3650 -in ispserver.csr \
-signkey ispserver.key -out ispserver.crt
# openssl rsa -in ispserver.key -out ispserver.key.insecure
# mv ispserver.key ispserver.key.secure
# mv ispserver.key.insecure ispserver.key
Restart Apache to load the new SSL Certificate.
# service apache2 restart
Method 2:
Renew the SSL Certificate with the ISPConfig installer
The alternative way to get a new SSL Certificate is to use the ISPConfig update script.
Download ISPConfig to the /tmp folder, unpack the archive and start the update script.
# cd /tmp
# wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
# tar xvfz ISPConfig-3-stable.tar.gz
# cd ispconfig3_install/install
# php -q update.php
The update script will ask the following question during the update:
Create new ISPConfig SSL certificate (yes,no) [no]:
Answer "yes" here and the SSL Certificate creation dialog will start.
Thank you!

x509 error when trying to log in to a trusted (?) Docker registry

I have set up a Docker registry using Harbor.
I have copied the appropriate certificates into /usr/share/local/ca-certificates and run sudo update-ca-certificates with success (it indicated the number of newly added certs).
When trying to log in to the specific registry:
ubuntu@master1:/home/vagrant$ docker login my.registry.url
Username: pkaramol
Password:
Error response from daemon: Get https://my.registry.url/v2/: x509: certificate signed by unknown authority
However the following test succeeds:
openssl s_client -connect my.registry.url:443 -CApath /etc/ssl/certs/
...coming back with a lot of verbose output, the certificate itself, and ending in:
Verify return code: 0 (ok)
curl also succeeds to the above https link (it fails when the site is not trusted).
Any suggestions?
If you read the documentation
Use self-signed certificates
Warning: Using this along with basic authentication requires to also trust the certificate into the OS cert store for some versions of docker (see below)
This is more secure than the insecure registry solution.
Generate your own certificate:
$ mkdir -p certs
$ openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt
Be sure to use the name myregistrydomain.com as a CN.
Use the result to start your registry with TLS enabled.
Instruct every Docker daemon to trust that certificate. The way to do this depends on your OS.
Linux: Copy the domain.crt file to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt on every Docker host. You do not need to restart Docker.
See the link below for more details:
https://docs.docker.com/registry/insecure/#use-self-signed-certificates

Amazon EC2 Install SSL certificate on Apache

I have followed the Amazon tutorial to install the SSL certificate on the EC2 instance. However, at the end of the procedure, I cannot start the httpd server.
My detailed steps:
Installed the module: sudo yum install -y mod24_ssl, and I tested with the locally signed SSL certificate; it worked.
Generate myprivate.key and my.csr: openssl req -newkey rsa:2048 -keyout myprivate.key -out my.csr
Submit my.csr to Startcom and get the certificate file: mycertificate.pem
Put the myprivate.key in the folder: /etc/pki/tls/private/
Put the mycertificate.pem in the folder: /etc/pki/tls/certs/
Change the /etc/httpd/conf.d/ssl.conf: SSLCertificateFile /etc/pki/tls/certs/mycertificate.pem
Change the /etc/httpd/conf.d/ssl.conf: SSLCertificqteKeyFile /etc/pki/tls/private/myprivate.key
Note: I've deleted both localhost.key and localhost.crt.
Was it due to the deletion of localhost.key file?

Can't restart nginx: https certificate routine private key mismatch

I have updated my certificate on Gandi like this:
sudo openssl genrsa -des3 -out mywebsite.com_encrypted.key 4096
sudo openssl req -new -key mywebsite.com_encrypted.key -out mywebsite.com.csr
cd /etc/nginx/ssl/
sudo nano mywebsite.com.crt # > pasted the Gandi certificate in this file
sudo wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
sudo cat GandiStandardSSLCA.pem >> mywebsite.com.crt
sudo openssl rsa -in mywebsite.com_encrypted.key -out mywebsite.com.key
sudo chown root:root mywebsite.com.key
sudo chmod 400 mywebsite.com.key
Everything was working well with the older certificate, but since I updated the configuration with the new certificate, here is my log on nginx. I can't restart:
Nginx logs:
2015/05/12 20:53:03 [emerg] 7515#0: SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/mywebsite.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
What's wrong with the process?
The configuration of nginx is OK.
Here is my nginx configuration:
ssl on;
ssl_certificate /etc/nginx/ssl/mywebsite.com.crt;
ssl_certificate_key /etc/nginx/ssl/mywebsite.com.key;
I have no idea what you are trying to achieve. It looks like you replaced the key in /etc/nginx/ssl/mywebsite.com.key, leaving the original certificate /etc/nginx/ssl/mywebsite.com.crt unchanged (the mywebsite.com.crt certificate is still bound to the original key, and you cannot change that; the public key is an integral part of an X509 certificate). This is exactly what openssl is trying to tell you: you are trying to use a certificate with a different private key than the one it was originally created with.
BTW: I also have no idea why you created a certificate request (along with the new key) and then left it unused (without actually using it to create a new certificate).
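The mismatch the answer describes can be checked before restarting nginx. The following is an added example, not code from the question or the answer: it compares the public key inside the certificate with the public key derived from the private key, which is the same relationship X509_check_private_key enforces. The fixture (key A with its own certificate, plus an unrelated key B) is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the question or the answer): reproduce nginx's
# "key values mismatch" check offline by comparing the public key embedded
# in the certificate with the public key derived from the private key.
set -eu

# Prints "match" (exit 0) when $2 is the private key behind certificate $1,
# "mismatch" (exit 1) otherwise. Comparing SHA-256 of the DER public keys
# works for RSA and EC alike, unlike the older RSA-modulus comparison.
key_matches_cert() {
  local cert="$1" key="$2" cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl sha256)
  if [ "$cert_pub" = "$key_pub" ]; then
    echo match
    return 0
  fi
  echo mismatch
  return 1
}

# Constructed fixture: a self-signed cert issued for key A plus an unrelated
# key B, i.e. the question's situation of a new key next to the old cert.
make_fixture() {
  local dir="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/a.key" 2>/dev/null
  openssl req -x509 -new -key "$dir/a.key" -sha256 -days 30 \
    -subj "/CN=mywebsite.com" -out "$dir/a.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/b.key" 2>/dev/null
}
```

Run key_matches_cert against the ssl_certificate and ssl_certificate_key paths from the nginx config; "mismatch" means the .crt was issued for a different key than the one on disk, so either restore the matching key or have the CSR you generated signed and install that certificate.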