jenkins 2.361.4 not picking up SSL certificate and still loading on http only - ssl

I have performed the following steps
obtained the pfx file from Ops Team
executed below command
sudo keytool -importkeystore -srckeystore /home/ec2-user/tmp/certs/caffe.com.pfx -srcstoretype pkcs12 -destkeystore caffe.com.jks -deststoretype JKS
Then moved the JKS to a local repository and used that in the jenkins config as below
sudo mkdir -p /etc/jenkins
sudo cp caffe.com.jks /etc/jenkins/
sudo chown -R jenkins: /etc/jenkins
sudo chmod 700 /etc/jenkins
sudo chmod 600 /etc/jenkins/caffe.com.jks
sudo vi /etc/sysconfig/jenkins
JENKINS_PORT="-1"
JENKINS_HTTPS_PORT="443"
JENKINS_HTTPS_KEYSTORE="/etc/jenkins/caffe.com.jks"
JENKINS_HTTPS_KEYSTORE_PASSWORD=""
JENKINS_HTTPS_LISTEN_ADDRESS="0.0.0.0"
Restarted the jenkins service from command line using systemctl start jenkins
I am not able to use a command-line solution like the one given in Enable HTTPS in jenkins? because the above steps worked in the old version of Jenkins, and using the command also has issues like restarting and permissions in Linux (CentOS).
I am not able to access the Jenkins app at https://caffe.com; instead it still works at http://caffe.com:8080.
I do not see any error logs in Jenkins either as to why it is not able to pick up the SSL file.
Please let me know if there is something wrong in the above steps

Related

configuring TLS CA on Databricks

I am trying to call an ArcGIS service for geocoding from Databricks. The URL needs a certificate, which I have copied to Blob storage and am referencing in the
verify = "Path to mycertificate"
section of the code.
The certificate is stored in the following location
/dbfs/mnt/tmp/myfolder/mycertificate.pem
When accessing the certificate from the above path I am getting an HTTP error as below
SSLError: HTTPSConnectionPool(host='MyDomain.com', port=443): Max retries exceeded with url: "MyURL" (Caused by SSLError(SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:1131)')))
When changing the above certificate path from
/dbfs/...
to
dbfs:/Path/To/Mycertificate
I get the following error
OSError: Could not find a suitable TLS CA certificate bundle, invalid path: dbfs:/mnt/tmp/path/to/mycertificate.pem
I have also tried the operation with the .pfx file but getting the same error.
Being new to certificates in Databricks, any help on how to fix the errors and get the service working would be really appreciated.
Also I have googled and referred to many documents to no avail. Nothing is working and it appears I am missing something basic here.
Thanks
To fix this, SSL Certificate needs to be installed on the cluster nodes. For Python this could be two locations:
Linux CA Certificates chain for most of SSL connections
CA Certificates chain that is used by the requests package - provided by certifi package.
You can install the certificates using the following cluster init script that will install your CA certificate in PEM format into all CA certificate chains (Linux/Java/certifi) (you need to put your path /dbfs/.... into the certs variable):
#!/bin/bash
#
# File: install-ssl-certificates.sh
# Author: Alex Ott
# Created: Tuesday, September 28 2021
#
#set -x
declare -a certs=("/dbfs/tmp/myCA.pem" "/dbfs/tmp/myCA2.pem")
mkdir -p /usr/share/ca-certificates/extra
CERTIFI_HOME="$(python -m certifi 2>/dev/null)"
J_HOME="$(dirname $(realpath $(which java)))/.."
for cert in "${certs[@]}"; do
  BNAME="$(basename $cert)"
  echo "cert=$cert BNAME=$BNAME"
  cp $cert /usr/share/ca-certificates/extra/$BNAME
  echo "extra/$BNAME" >> /etc/ca-certificates.conf
  if [ -n "$CERTIFI_HOME" ]; then
    cat $cert >> $CERTIFI_HOME
  fi
  keytool -importcert -keystore ${J_HOME}/lib/security/cacerts -file $cert -alias $(basename $cert .pem) -storepass changeit -noprompt
done
update-ca-certificates
I have found that the firewall was blocking the request. The solution was to just unblock the target IP address on the firewall and provide the location of the ".pem" certificate file in the call, in the format
session.post(url, data=d, verify="/path/to/my/certificate.pem")
That resolved the issue.
Thanks

command for importing a keystore into a kdb file

I was following the command-line installation of CLM 6.0.5 with Liberty profile (distributed environment) and I could complete the installation part of the application successfully by following the IBM documents.
Also I have installed the IBM HTTP Server on a separate server and now I need to do the SSL certificate import and handshake with the Liberty profile.
The reference link which I am using is here: https://jazz.net/wiki/bin/view/Deployment/CLMDistributedSetupUsingLibertyProfile
Part 1 - Create a key database and self-signed certificate for IHS
I completed these steps using gskcmd on the command line, as below, and it was successful.
On the IHS machine, open a command terminal and cd to /bin, e.g. /opt/IBM/HTTPServer/bin.
Create the key database
./gskcmd -keydb -create -db ihskeys.kdb -pw xxxxx -expire 3650 -stash -type cms
Create the self-signed certificate for IHS URL
./gskcmd -cert -create -db ihskeys.kdb -label default -expire 3650 -size 2048 -dn "CN=xxxxx" -default_cert yes -pw xxxxx
But in Part 2 - Setup SSL Handshake between the Liberty profiles and IHS
I couldn't find any proper command-line guidance to do this through commands. From each application server (JTS, CCM, QM, RM) I copied the default keystore files ([JAZZ_HOME]\server\liberty\servers\clm\resources\security\ibm-team-ssl.keystore)
to the IHS server, and I need to import these keystore files into the IHS kdb file through the command line. I tried various options and it keeps failing.
./gskcapicmd -cert -import -db /opt/IBM/HTTPServer/ibm-team-ssl.keystore -pw ibm-team -target /opt/IBM/HTTPServer/key.kdb -target_pw ibm-team
It's giving an error of invalid keystore format. Here my aim is to import these copied keystore files into the IHS kdb file (as personal certificates).
IHS includes two command-line certificate management tools; only the Java-based "[IHS Home]/bin/gskcmd" (aka ikeycmd) can read or write *.jks Java keystores.

Apache SSL certificate installation for beginner

I just started to learn programming and tried to install SSL on my site.
I used a 90-day free trial SSL from Comodo and it worked well.
I purchased a new SSL from Comodo and generated a CSR on the server (in my PuTTY terminal).
My site is a WordPress site run by Bitnami on AWS.
The error message is that my site name is mismatched.
https://www.ssllabs.com/ssltest/analyze.html?d=www.cheeselab.co.kr#whyNotTrusted
How could I solve this problem? I tried to re-install it from scratch but I don't know what I have to do.
Below are the commands I ran
sudo openssl genrsa -out /opt/bitnami/apache2/conf/server.key 2048
sudo openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr
sudo nano /opt/bitnami/apache2/conf/cert.csr
sudo nano /opt/bitnami/apache2/conf/cert2.crt
sudo nano /opt/bitnami/apache2/conf/bitnami/bitnami.conf
renamed the file from server.crt to cert2.crt
(the above commands worked well)
sudo /opt/bitnami/ctlscript.sh restart apache
but I get the error message below with the above command
Invalid command 'sudo', perhaps misspelled or defined by a module not included in the server configuration apache config test fails, aborting Monitored apache

How to install letsencrypt free ssl to glassfish 4.x server

I have scanned SO and found there are no detailed instructions on how to install a letsencrypt.org SSL certificate on GlassFish; specifically, in this tutorial I will be using GlassFish 4.1.2 build 1. After a lot of trial and error, I was able to put together the following guide. So I hope that it is fine to ask and answer my own question.
In this tutorial I shall be using an Ubuntu 16.04 LTS Server with shell access from my Ubuntu 16.04 LTS desktop.
Visit certbot and follow the instructions below to set up your system
Install
On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your
list of repositories all you'll need to do is apt-get the following packages.
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot
Get Started
Since your server architecture doesn't yet support automatic installation
you'll have to use the certonly command to obtain your certificate.
$ sudo certbot certonly
terminal will output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
We select the first option: key in 1 and press Enter.
terminal will output
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):yoursite.com www.yoursite.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yoursite.com
http-01 challenge for www.yoursite.com
terminal will output
Select the webroot for yoursite.com:
1: Enter a new webroot
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for yoursite.com: (Enter 'c' to cancel):/home/yourUsername/glassfish4/glassfish/domains/domain1/docroot
Select the webroot for www.yoursite.com:
1: Enter a new webroot
2: /home/yoursite/glassfish4/glassfish/domains/domain1/docroot
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
terminal will output
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/yoursite.com/fullchain.pem. Your cert will
expire on 2017-08-21. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
Automating renewal
The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:
certbot renew --dry-run
The following script can automate importing the certificate into GlassFish.
For further reading:
https://community.letsencrypt.org/t/importing-letsencrypt-into-java-and-glassfish/9711
Now we import the certificates.
Make the following script and save it as yourscriptname.sh to automate the process, then run it with the command
$ sh yourscriptname.sh
#!/bin/sh
DOMAIN=yoursite.com
#note that changeit is the default keystore password
KEYSTOREPW=changeit
GFDOMAIN=/home/yourUsername/glassfish4/glassfish/domains/domain1
LIVE=/etc/letsencrypt/live/$DOMAIN
mkdir etc
cd etc
sudo openssl pkcs12 -export -in $LIVE/cert.pem -inkey $LIVE/privkey.pem -out cert_and_key.p12 -name myalias -CAfile $LIVE/chain.pem -caname root -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias myalias -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
sudo keytool -import -noprompt -trustcacerts -alias root -file $LIVE/chain.pem -keystore keystore.jks -storepass $KEYSTOREPW
sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name glassfish-instance -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias glassfish-instance -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name s1as -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias s1as -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
sudo keytool -list -keystore keystore.jks -storepass $KEYSTOREPW
sudo cp -f keystore.jks $GFDOMAIN/config/
sudo service glassfish stop
sudo service glassfish start
cd ..
sudo rm -rf etc
If you need to change the keystore password
Use keytool command. If it doesn't work you might have to cd to the path where it's located in your glassfish-install-dir/glassfish/domains/domain1/config directory and run the command in that directory.
keytool -storepasswd -keystore /path/to/keystore
Enter keystore password: changeit
New keystore password: new-password
Re-enter new keystore password: new-password
After successfully importing the certs and restarting glassfish server, SSL worked with the installed web application but unfortunately I was not able to log into the glassfish admin console from the browser, though the asadmin tool still worked.
Solving being unable to log in to the admin console after the above changes
We need to add a wget command to our script to download the most recent CA bundle revision (by date of appearance) from the recent trusted CA revisions from Mozilla.
Add the following to the yourname.sh script just above the command sudo service glassfish stop to fix the problem.
wget https://curl.haxx.se/ca/cacert-2017-01-18.pem --no-check-certificate -O cacert.pem
PEM_FILE=cacert.pem
KEYSTORE=cacerts.jks
CERTS=$(grep 'END CERTIFICATE' $PEM_FILE| wc -l)
for N in $(seq 0 $(($CERTS -1))); do
  ALIAS="${PEM_FILE%.*}-$N"
  cat $PEM_FILE | awk "n==$N { print }; /END CERTIFICATE/ { n++ }" |
    keytool -noprompt -import -trustcacerts \
      -alias $ALIAS -keystore $KEYSTORE -storepass $KEYSTOREPW
done
sudo keytool -list -keystore keystore.jks -storepass $KEYSTOREPW
sudo keytool -list -keystore cacerts.jks -storepass $KEYSTOREPW
if [ ! -f $GFDOMAIN/config/keystore-orig.jks ]; then
  echo "Backing up original files..."
  sudo cp -f $GFDOMAIN/config/keystore.jks $GFDOMAIN/config/keystore-orig.jks
  sudo cp -f $GFDOMAIN/config/cacerts.jks $GFDOMAIN/config/cacerts-orig.jks
fi
echo "Updating certificates..."
sudo cp -f keystore.jks $GFDOMAIN/config/keystore.jks
sudo cp -f cacerts.jks $GFDOMAIN/config/cacerts.jks
cd ..
echo stop and restart glassfish domain to complete
cd ..
sudo rm -rf etc
I hope this helps someone. Cheers all!
I have created a Perl script to assist in the installation of Let's Encrypt certificates in Glassfish and Payara. I have successfully used it to not only install a certificate for multiple domains in about five minutes, but to automatically renew - via a cron job - those certificates when they were about to expire.
What I've done is break the process of obtaining a Let's Encrypt certificate into the following steps, not all of which will be necessary:
1. Customize the script to the particular local installation
   1a. List of domains for which a certificate is to be created
   1b. Glassfish/Payara setup (where they're located in your filesystem)
   1c. Password for Glassfish/Payara
2. Change Glassfish/Payara to listen on ports 80 and 443
3. Generate the Let's Encrypt certification keys
4. Ensure that the keystore password matches that of the server
5. Create a keystore
6. Import the created keystore into the Glassfish/Payara keystore
7. Apply the new certificate to the https listener
8. Update the domain SSL information
9. Set (if necessary) the server admin password.
10. Set up the https domain
Additionally, the script can be invoked periodically (typically via 'cron') to check to see if any domains need to be renewed and if so, renew them automatically.
See: https://github.com/hbrednek/letsencrypt_glassfish for the script.

Creating SSL Certs For google app engine Using ZeroSSL And Let's Encrypt

I'm trying to install SSL certificates created using the ZeroSSL.com page for Let's Encrypt into the Google Cloud Platform.
I followed the FREE SSL Certificate Wizard to do so.
The ZeroSSL page generates four files in the process:
domain-crt.txt
domain-key.txt
account-key.txt
domain-csr.txt
The Google Cloud Platform asks for two files:
PEM encoded X.509 public key certificate
Unencrypted PEM encoded RSA private key
I've tried all the combinations, and followed all the suggestions I could find on the web, but I had no success.
I asked the ZeroSSL people about this, and Alexander answered me with the solution.
SSL Certificate Wizard generates a longer more secure 4096 bits key by default, but Google only accepts 2048 bits key. So you should generate the new CSR separately first by using CSR Generator at https://zerossl.com/free-ssl/#csr and making sure you select 2048 bits. Then download the produced key and CSR (please note that this is the domain key, not the LE key) and then use the same LE key as you used originally and this new CSR with the SSL Certificate Wizard.
At the last Wizard step, you might need to split the domain-crt.txt file in two. The first part between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- will go into the "Public key certificate" field.
Finally, the content of domain-key.txt should be pasted into "Private key" field.
You can do this from the command line for free:
Install Certbot client:
$ sudo brew install wget
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x ./certbot-auto
$ ./certbot-auto --help
Then, to generate cert:
$ cd certbot (if not already there)
$ sudo ./certbot-auto certonly --debug -a manual -d www.yoursite.com -d yoursite.com (<--if you want naked too.)
You should get to a screen telling you the challenge url and response needed to verify domain. Add each & deploy. Leave each url working. (They will be needed for renewing.)
If you do both naked and www, you will need to do the challenge urls twice, once for each subdomain. Finally, you should get this message:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.yoursite.com/fullchain.pem. Your cert will
expire on 2016-xx-07. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew all of your certificates, run
"certbot-auto renew"
Change directory to where pem files are placed:
$ cd /private/etc/letsencrypt/live/www.yoursite.com
Create unencrypted key (this is the one you upload to GAE. If fails, use the original privkey.pem):
$ sudo openssl rsa -in privkey.pem -out unencrypted_key.pem
Go to: https://console.cloud.google.com/appengine/settings/certificates?project=yoursite. Click on Upload a new SSL certificate
Open these PEM files in a text editor, and copy/paste the contents in the fields. (fullchain.pem is the public key. unencrypted_key.pem is the unencrypted private key.)
NOTE: Make sure you delete any trailing spaces or line feeds!
That should do it.
Debugging:
If, when you paste the certs into the GAE Settings page, you get an invalid error:
Make sure you delete any trailing line feeds or spaces!
If it still won't accept your PEM files, replace the code from unencrypted_key.pem with the code from the original privkey.pem
If you get a Homebrew error:
$ cd /usr/local/Library
$ sudo git pull origin master
If you get an augeas error:
$ brew install augeas
If you get Warning: augeas-1.4.0 already installed, it's just not linked
$ sudo brew link augeas
If you get ExecutableNotFound:
$ brew install dialog
If you get Warning: dialog-1.2-20150920 already installed, it's just not linked
$ sudo brew link dialog
Renewing:
$ cd certbot
$ ./certbot-auto certonly --debug --force-renew -a manual -d www.yoursite.com -d yoursite.com
(You may get an "unable to reach..." error, but the certs are still created.)
Change directory to where pem files are placed:
$ cd /private/etc/letsencrypt/live/www.yoursite.com
Create unencrypted key (this is the one you upload to GAE. If fails, use the original privkey.pem):
$ sudo openssl rsa -in privkey.pem -out unencrypted_key.pem
fullchain.pem is the public key.
unencrypted_key.pem is the unencrypted private key
Go to GAE Settings and install as outlined above.
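The PEM handling that three of the posts above do by hand, as an added Python example that is not taken from any of the answers: the awk loop in the GlassFish answer splits cacert.pem into one certificate per keytool alias, the ZeroSSL reply splits domain-crt.txt to take its first certificate, and the GAE answer needs an unencrypted key with no trailing whitespace. The sample bundle and keys are constructed placeholders with fake base64 bodies; the helpers work on the PEM text only and never decode it.

```python
"""Split PEM bundles into the blocks certificate forms and keytool expect.
Added example: inputs are constructed placeholders (fake base64, never decoded)."""
import re

# One PEM block; the END label must equal the BEGIN label (backreference \1).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Constructed bundle in leaf -> intermediate -> root order, with the CRLF
# endings and trailing whitespace a careless copy/paste would carry.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\r\nMIIBleafFAKE\r\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\r\nMIIBintermediateFAKE\r\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\r\nMIIBrootFAKE\r\n-----END CERTIFICATE-----\r\n\r\n  "
)
# Constructed keys: plain PKCS#1, legacy-encrypted PKCS#1, encrypted PKCS#8.
KEY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nMIIEfakeKEY\n-----END RSA PRIVATE KEY-----\n"
KEY_LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                  "MIIEfakeKEY\n-----END RSA PRIVATE KEY-----\n")
KEY_PKCS8_ENC = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFfakeKEY\n"
                 "-----END ENCRYPTED PRIVATE KEY-----\n")

def split_pem(text):
    """Return [(label, block)] in file order. Each block is rebuilt with LF
    endings and no surrounding whitespace, so it pastes cleanly into a form."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, payload = m.group(1), m.group(2).strip()
        blocks.append((label, f"-----BEGIN {label}-----\n{payload}\n-----END {label}-----"))
    return blocks

def certificates(text):
    return [blk for label, blk in split_pem(text) if label == "CERTIFICATE"]

def leaf_certificate(bundle):
    """First CERTIFICATE of a fullchain.pem / domain-crt.txt: the end-entity
    cert, i.e. the part that belongs in a 'Public key certificate' field."""
    certs = certificates(bundle)
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return certs[0]

def key_is_unencrypted(text):
    """True when the single key block is what 'openssl rsa -in privkey.pem' yields."""
    keys = [(lbl, blk) for lbl, blk in split_pem(text) if lbl.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        raise ValueError(f"expected one private key block, found {len(keys)}")
    label, block = keys[0]
    if label == "ENCRYPTED PRIVATE KEY":          # encrypted PKCS#8 form
        return False
    # Legacy PEM encryption announces itself with Proc-Type/DEK-Info headers.
    return "Proc-Type:" not in block and "DEK-Info:" not in block

def keystore_aliases(bundle, pem_file="cacert.pem"):
    """Aliases the GlassFish answer's loop assigns (<file stem>-<index>), one
    per certificate, to cross-check against 'keytool -list' output."""
    stem = pem_file.rsplit(".", 1)[0]
    return [f"{stem}-{n}" for n in range(len(certificates(bundle)))]
```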