signtool Error: Store::ImportCertObject() failed." (-2146885630/0x80092002)

I am running SignTool with the following arguments and keep getting the same failure.
D:\Sectigo-Signmycode>"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" ^
sign /debug /fd SHA256 ^
/f keyfile.pfx /p password ^
/td SHA256 ^
/a MyExecutable.exe
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: Store::ImportCertObject() failed." (-2146885630/0x80092002)
Error lookup returns "An error occurred during encode or decode operation". Windows 10 system.
I've tried SHA384 with the same results. Passing invalid arguments gives the standard expected errors. However, an invalid password gives the above error. Numerous argument combinations have been tried.
The Security Certificate has only just been acquired.
Generation of the keyfile.pfx with correct password has been triple checked.
/debug has no effect.
Any ideas and/or help would be appreciated.

I had the exact same problem. Code-signing cert obtained from Sectigo via SignMyCode.com ... the problem was not with any of the signtool parameters, rather that SignMyCode.com gave me the wrong instructions to convert the .crt file(s) and .key file into a .pfx file. If you are using an online tool to create your .pfx file then you might have the same problem.
They initially advised I use the SSL Tools site which does not work to create valid .pfx files (ie resulting in the 0x80092002 error) ... when I went back to them and challenged this, they then said to use SSL Shopper. I created a .pfx file using this site and it worked perfectly first time.
I appreciate you may not be using any online tool to create your .pfx file (or you might have been provided with a .pfx file directly), but if you are, try the second link above.
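As an added check that is not part of either post above (helper names are mine, standard library only): 0x80092002 decodes to "an error occurred during encode or decode operation", and the answer traces it to a .pfx that was built incorrectly, so this script inspects the outer ASN.1 framing of a .pfx before it goes to signtool and flags a PEM text bundle or otherwise non-PKCS#12 bytes. The sample bytes are constructed, not a real certificate.

```python
# Added sanity check for a .pfx before it reaches signtool (hypothetical helper,
# standard library only): confirms the file is DER-encoded PKCS#12, i.e.
# SEQUENCE { version INTEGER 3, authSafe ContentInfo(pkcs7-data), ... }.
PKCS7_DATA_OID = bytes.fromhex("2a864886f70d010701")  # 1.2.840.113549.1.7.1

def der(tag, value):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the DER TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise IndexError("element runs past end of data")
    return tag, buf[pos:pos + length], pos + length

def check_pfx(data):
    """Return (ok, reason) describing whether `data` looks like DER PKCS#12."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return False, "PEM text, not DER; re-export the bundle as PKCS#12"
    try:
        tag, pfx, _ = read_tlv(data, 0)
        if tag != 0x30:
            return False, "outer element is not a SEQUENCE"
        vtag, version, pos = read_tlv(pfx, 0)
        if vtag != 0x02 or version != b"\x03":
            return False, "PFX version is not 3"
        ctag, content_info, _ = read_tlv(pfx, pos)
        otag, oid, _ = read_tlv(content_info, 0)
        if ctag != 0x30 or otag != 0x06 or oid != PKCS7_DATA_OID:
            return False, "authSafe is not a pkcs7-data ContentInfo"
    except IndexError:
        return False, "truncated or malformed DER"
    return True, "DER PKCS#12 structure"

# Constructed sample (not a real certificate): a correctly framed PFX header
# around four dummy payload bytes.
SAMPLE_PFX = der(0x30, der(0x02, b"\x03") + der(0x30, der(0x06, PKCS7_DATA_OID)
                                                 + der(0xA0, der(0x04, b"\x00" * 4))))
```

Run `check_pfx(open("keyfile.pfx", "rb").read())` on the real file; a PEM bundle renamed to .pfx is the case the answer describes.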

Related

Getting an error when I try to apply my CA certificate to Apache Solr

I've tried to apply my CA certificate to Solr. I've already reached Solr over HTTP or with a self-signed certificate following their own recipe here: enabling ssl
But when I try to apply my CA certificate I get an error: "HTTP ERROR 404 javax.servlet.UnavailableException: Error processing the request. CoreContainer is either not initialized or shutting down."
Full error message that I got in the browser
My solr.in.sh config is:
SOLR_SSL_ENABLED=true
SOLR_SSL_KEY_STORE=/etc/default/mykeystore
SOLR_SSL_KEY_STORE_PASSWORD=********
SOLR_SSL_TRUST_STORE=/etc/default/mykeystore
SOLR_SSL_TRUST_STORE_PASSWORD=********
SOLR_SSL_NEED_CLIENT_AUTH=false
# SOLR_SSL_WANT_CLIENT_AUTH=false
#SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=true
SOLR_SSL_CHECK_PEER_NAME=false
SOLR_SSL_KEY_STORE_TYPE=JKS
SOLR_SSL_TRUST_STORE_TYPE=JKS
I followed these two links to convert my pem file to a key store: first: 1, then: 2 (I applied just the fourth step in the second link), then named the file mykeystore.
I tried a lot of solutions, some of them on Stack Overflow, but none of them were my answer. Any help, any idea can be very useful. I'm totally stuck. What can I do/check?

Error when setting Root Certificate on SIM800L

I desperately need some help on 2 questions:
I'm trying to connect a LILYGO TTGO T-Call SIM800L (IP5306 20190610) to AWS IoT, which requires an SSL authentication through a Root Certificate, a Client Certificate and a Private Key.
I'm able to successfully create the .crt files, write on them and set the Client Certificate through the AT Command:
modem.sendAT(GF("+SSLSETCERT=C:\User\clientcert.crt"));
But when I try to set the RootCA like this:
modem.sendAT(GF("+SSLSETROOT=C:\User\rootca.crt,1188"));
the GSM module returns "ERROR".
This is the documentation I'm using as a reference (Page 13):
https://microchip.ua/simcom/2G/Application%20Notes/SIM800%20Series_SSL_Application%20Note_V1.05.pdf
In the "Reference" section of the command "AT+SSLSETROOT", it's written "The files to be imported must be binary encoded". This confused me a little, so at first I simply wrote on the file the string format of the certificate, but I've also tried to change the extension to .der (which technically is the binary encoded format for certificates). I've tried to write on the file the hexdump version of the string format, and tried all the other available extensions (.crt, .cer, .pem, .p12).
I've also tried to update the firmware following the procedure here: https://github.com/Xinyuan-LilyGO/LilyGo-T-Call-SIM800/blob/master/doc/How%20to%20update%20firmware.md
The only difference is that I used the Download Tool v1.10, because the other versions of the tool hung on "Waiting" whenever I started the update. I retrieved it from here: https://simcom.ee/documents/?dir=SIM800x
I saw on other discussions that the SIM800L does not support TLS 1.2, but on page 6 of the SIM800 documentation regarding SSL, it's reported that "SIM800 series support SSL2.0, SSL3.0, TLS1.0 and TLS1.2."
On top of that, the command "AT+CIPSSL=1" works fine since it returns "OK".
I also read this: https://github.com/vshymanskyy/TinyGSM/issues/29#issuecomment-328802556
I'm attaching the function that sets up the certificates.
#include <string.h>
#include <stdlib.h>

// Writes the root CA and the client certificate + private key to the modem's
// file system, then points the SSL stack at them. Sizes passed to +FSWRITE,
// +FSREAD and +SSLSETROOT are computed from the strings so they always match
// the data, and the concatenation buffer is sized for both strings plus the
// NUL terminator so strcat cannot overflow it.
void setCertificates() {
  modem.getModemInfo();
  modem.sendAT(GF("+FSCREATE=C:\\User\\rootca.crt"));
  modem.waitResponse();
  modem.sendAT(GF("+FSCREATE=C:\\User\\clientcert.crt"));
  modem.waitResponse();

  // Root CA: +FSWRITE=<file>,<mode 0 = overwrite>,<size>,<input time>
  size_t rootLen = strlen(rootCA);
  modem.sendAT(GF("+FSWRITE=C:\\User\\rootca.crt,0,"), rootLen, GF(",1"));
  modem.waitResponse(">");
  SerialAT.write((const uint8_t *)rootCA, rootLen);
  modem.waitResponse();
  delay(1000);  // give the modem time to commit the file

  // Client certificate with the private key appended in the same file.
  size_t certLen = strlen(certificate_pem_crt);
  size_t keyLen = strlen(private_pem_key);
  char *clientcertific = (char *)malloc(certLen + keyLen + 1);
  if (clientcertific == NULL) return;
  strcpy(clientcertific, certificate_pem_crt);
  strcat(clientcertific, private_pem_key);
  modem.sendAT(GF("+FSWRITE=C:\\User\\clientcert.crt,0,"), certLen + keyLen, GF(",2"));
  modem.waitResponse(">");
  SerialAT.write((const uint8_t *)clientcertific, certLen + keyLen);
  free(clientcertific);
  modem.waitResponse();
  delay(1000);

  // Read both files back to confirm the writes landed.
  modem.sendAT(GF("+FSREAD=C:\\User\\rootca.crt,0,"), rootLen, GF(",1"));
  modem.waitResponse();
  modem.waitResponse();
  modem.sendAT(GF("+FSREAD=C:\\User\\clientcert.crt,0,"), certLen + keyLen, GF(",1"));
  modem.waitResponse();
  modem.waitResponse();

  // Register the files with the SSL stack.
  modem.sendAT(GF("+SSLSETROOT=C:\\User\\rootca.crt,"), rootLen);
  modem.waitResponse();
  modem.sendAT(GF("+SSLSETCERT=C:\\User\\clientcert.crt"));
  modem.waitResponse();
}
On page 11 of the SIM800 SSL documentation, the command AT+SSLSETCERT is described as "Client Client Certificate File with Private Key". Does this mean that I somehow have to write both the Client Cert and the Private Key on the same file?
As you might have noticed in the function, I used "strcat(clientcertific,private_pem_key)" and it returns no error, but I'm not sure whether this is the correct way to do this.
If anyone can help me out on this one I'd be infinitely grateful. It's been keeping me stuck for almost a month now.
Thank you!
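Added host-side Python helper, not part of the post (function names are mine): the SIM800 note says the files must be binary encoded, and DER is the binary form of the PEM text, so this converts a PEM certificate to DER and emits a C header plus the +FSWRITE/+FSREAD commands in the form used in the post, with the size taken from the actual data rather than hand-counted. The sample PEM wraps five constructed DER bytes, not a real certificate.

```python
# Added host-side helper (not from the post): convert PEM certificates to the
# binary DER form the SIM800 SSL note requires, and emit a C header whose
# length constants replace the hand-counted 1188 / 2900 sizes in +FSWRITE,
# +FSREAD and +SSLSETROOT.
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_to_der(pem):
    """Decode the first PEM block in `pem` and return its DER bytes."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    der = base64.b64decode("".join(m.group(2).split()), validate=True)
    if not der or der[0] != 0x30:   # X.509 certs and PKCS#1/#8 keys start with SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der

def c_header(name, der):
    """Render DER bytes as a C array plus its length constant."""
    rows = [", ".join("0x%02x" % b for b in der[i:i + 12]) for i in range(0, len(der), 12)]
    return ("const size_t %s_len = %d;\nconst uint8_t %s[] = {\n  %s\n};\n"
            % (name, len(der), name, ",\n  ".join(rows)))

def at_commands(path, der):
    """+FSWRITE / +FSREAD in the form the post uses, size taken from the data."""
    n = len(der)
    return ["AT+FSWRITE=%s,0,%d,1" % (path, n), "AT+FSREAD=%s,0,%d,1" % (path, n)]

# Constructed sample: the PEM wrapping of the five DER bytes 30 03 02 01 03.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQM=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    sample = pem_to_der(SAMPLE_PEM)
    print(c_header("rootca_der", sample))
    print("\n".join(at_commands("C:\\User\\rootca.crt", sample)))
```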

WebSocketpp handshake issue with TLS

I have been learning with WebSocket++ and built some of the server examples (Windows 10 Visual Studio 2019). The non-TLS examples work without issues, however, the TLS-enabled examples (echo_server_both.cpp and echo_server_tls.cpp) can't do the handshake. I am very new to web development in general so I know I must be doing something wrong with regards to the certificate and keys.
I am testing the servers with WebSocket King client, an extension of Google Chrome that connects correctly to other websocket servers like wss://echo.websocket.org and to my own localhost when I don't use TLS.
The echo_server_both example comes with a server.pem file, and the echo_server_tls example comes with server.pem and dh.pem. I have used the same files that come with the samples, and I have also tried generating and registering my own .pem files using OpenSSL. In both cases I get this when the client tries to connect:
[2021-06-29 20:51:21] [error] handle_transport_init received error: sslv3 alert certificate unknown
[2021-06-29 20:51:21] [fail] WebSocket Connection [::1]:63346 - "" - 0 asio.ssl:336151574 sslv3 alert certificate unknown
[2021-06-29 20:51:21] [info] asio async_shutdown error: asio.ssl:336462231 (shutdown while in init)
I discovered these errors after I edited handle_init() in tls.hpp, following a suggestion in another site, to look like this:
void handle_init(init_handler callback,lib::asio::error_code const & ec) {
if (ec) {
//m_ec = socket::make_error_code(socket::error::tls_handshake_failed);
m_ec = ec;
} else {
m_ec = lib::error_code();
}
callback(m_ec);
}
This change lets the actual OpenSSL error show in the console; otherwise it would show a generic "handshake failed" error.
I know I'm not doing what I should with the certificates, but I have no idea where else to look or what to do next. Can anyone here help please? Should I use the .pem files that come with the examples, or should I generate my own? In case I should generate my own, what would be the OpenSSL command to do that correctly, and how do I tell my PC to recognize these as valid so that the server works?
Found the problem: WebSocket++ will not accept a self-signed certificate (the ones you can create directly in your own PC using OpenSSL or the Windows utilities). There is no way around it. You must have a valid, authority-validated and endorsed certificate. You can get such a certificate for free (valid only for 90 days) from https://zerossl.com/. The site has detailed instructions on how to request, obtain and install a certificate. After getting a valid certificate and installing it on my server, everything worked as it should.

rsyslogd-2291: imrelp: could not activate relp listner

I'm trying to configure rsyslog tls with relp but keep getting errors.
I'm using RHEL 7.2 with rsyslog 8.15.
I do manage to send messages using relp + tls but without using the certificates. When I'm adding the certificates I'm getting the following error:
Jan 20 11:00:17 ip-10-0-0-114 rsyslogd-2353: imrelp[514]: error 'Failed to set certificate trust files [gnutls error -64: Error while reading file.]', object 'lstn 514' - input may not work as intended [v8.15.0 try http://www.rsyslog.com/e/2353 ]
Jan 20 11:00:17 ip-10-0-0-114 rsyslogd-2291: imrelp: could not activate relp listner, code 10031 [v8.15.0 try http://www.rsyslog.com/e/2291 ]
Server conf:
module(load="imrelp" ruleset="relp")
input(type="imrelp" port="514" tls="on"
tls.caCert="/home/ec2-user/rsyslog/ca.pem"
tls.myCert="/home/ec2-user/rsyslog/server-cert.pem"
tls.myPrivKey="/home/ec2-user/rsyslog/server-key.pem"
tls.authmode="name"
tls.permittedpeer=["client.example.co"]
)
ruleset(name="relp") {
action(type="omfile" file="/var/log/relptls2")
}
The following is the client configuration:
module(load="omrelp")
action(type="omrelp" target="10.0.0.114" port="514" tls="on"
tls.caCert="/home/ec2-user/rsyslog/ca.pem"
tls.myCert="/home/ec2-user/rsyslog/client-cert.pem"
tls.myPrivKey="/home/ec2-user/rsyslog/client-key.pem"
tls.authmode="name"
tls.permittedpeer=["server.example.co"]
)
When I remove the tls cert fields from the server configuration I get this client error:
Jan 20 10:35:29 ip-10-0-0-206 rsyslogd-2353: omrelp[10.0.0.114:514]: error 'Failed to set certificate trust file [gnutls error -64: Error while reading file.]', object 'conn to srvr 10.0.0.114:514' - action may not work as intended [v8.15.0 try http://www.rsyslog.com/e/2353 ]
Help would be really, really appreciated, as I've been stuck with this for a long time.
Thanks!!!!
The gnutls error -64: Error while reading file error message means either:
The certificate's actual path is different from what is in the configuration file, or
the rsyslog service cannot read the certificates because of a permission problem.
In case of a permission issue you may move the certificates under /etc/rsyslog.d
In case of a path issue, just fix the path :)
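A pre-flight check for the two causes the answer lists, as an added Python script that is not part of the thread (helper names are mine): it pulls the tls.caCert / tls.myCert / tls.myPrivKey paths out of a config such as the server and client configs above and reports which files are missing or unreadable; the demo config it builds is constructed, not a real deployment.

```python
# Added pre-flight check for the gnutls -64 "Error while reading file" case
# (not from the thread): pull every tls.caCert / tls.myCert / tls.myPrivKey
# path out of an rsyslog config and report which ones are missing or not
# readable. Run it as the account rsyslogd runs under, since os.access()
# answers for the calling user.
import os
import re
import tempfile

TLS_FILE_RE = re.compile(r'(tls\.(?:caCert|myCert|myPrivKey))="([^"]*)"')

def tls_file_settings(conf_text):
    """Return [(setting, path), ...] in the order they appear in the config."""
    return TLS_FILE_RE.findall(conf_text)

def check_tls_files(conf_text):
    """Return a list of problem strings; an empty list means every file is usable."""
    problems = []
    for setting, path in tls_file_settings(conf_text):
        if not os.path.isfile(path):
            problems.append("%s: missing file %s (check the path)" % (setting, path))
        elif not os.access(path, os.R_OK):
            st = os.stat(path)
            problems.append("%s: %s not readable (owner uid %d, mode %o)"
                            % (setting, path, st.st_uid, st.st_mode & 0o777))
    return problems

def demo():
    """Self-contained run on a constructed config: one real file, one missing path."""
    with tempfile.TemporaryDirectory() as d:
        ca = os.path.join(d, "ca.pem")
        with open(ca, "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n")
        conf = ('input(type="imrelp" port="514" tls="on"\n'
                '      tls.caCert="%s"\n'
                '      tls.myCert="%s"\n'
                '      tls.myPrivKey="%s"\n)\n'
                % (ca, ca, os.path.join(d, "server-key.pem")))
        return check_tls_files(conf)

if __name__ == "__main__":
    for line in demo() or ["all TLS files present and readable"]:
        print(line)
```

On RHEL with SELinux enforcing, a file that passes this check can still be blocked by its security context, which is one reason the answer's /etc/rsyslog.d suggestion helps.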

WiX: Problem installing password protected PFX certificate

I'm having some trouble getting a password protected PFX certificate to install through WiX.
I'm using WiX 3.5.2519.0.
I include a PFX file as follows:
<Binary Id="My.Binary"
SourceFile="$(var.ProjectDir)MyProject$(var.ConfigSuffix).pfx" />
The value of $(var.ConfigSuffix) varies based on solution configuration (e.g. " (Debug)", " (Stage)"). For "Release", it is set to an empty string.
I have various solution configurations, all but one use a non-password protected PFX certificate, "Release" uses a password protected PFX. I deal with this by conditionally defining $(var.PfxPassword) in "Release" configuration only, and then installing the certificate as follows:
<?ifdef $(var.PfxPassword) ?>
<iis:Certificate
Id="My.Certificate"
StoreName="root"
Overwrite="yes"
Name="My Web Site$(var.ConfigSuffix)"
Request="no"
BinaryKey="MyCertificate.Binary"
StoreLocation="localMachine"
PFXPassword="$(var.PfxPassword)" />
<?else?>
<iis:Certificate
Id="My.Certificate"
StoreName="root"
Overwrite="yes"
Name="My Web Site$(var.ConfigSuffix)"
Request="no"
BinaryKey="MyCertificate.Binary"
StoreLocation="localMachine" />
<?endif?>
I have also tried replacing "$(var.PfxPassword)" with "[PFXPASSWORD]" (having defined this elsewhere), and the actual password in plain text. In every case, installation fails with the following log snippet:
Action start 12:29:02: InstallCertificates.
InstallCertificates: Error 0x80070056: Failed to open PFX file.
InstallCertificates: Error 0x80070056: Failed to get SHA1 hash of certificate.
InstallCertificates: Error 0x80070056: Failed to resolve certificate: LinnRecords.Certificate
CustomAction InstallCertificates returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 12:29:02: InstallCertificates. Return value 3.
I believe error 0x80070056 indicates an incorrect password; however, I have used Get-PfxCertificate in PowerShell to verify that the password I am using is correct.
For all configurations where the PFX file does not use a password, the installation works without issue.
Looking at a similar problem elsewhere on the internet, it looks like return code 3 is a "File not found" problem. Are you sure the correct pfx file is being included?