Vault TLS Certificate authentication method - authentication

Recently I have been learning about Vault's authentication methods, and I plan to use the TLS Certificate Auth Method (API), but I have encountered some problems in the process of practising with it.
I have 4 self-generated certificates locally: clientCA.pem, serverCA.pem, client.pem and server.pem (the CN is test.example.com). Here are the steps involving the certificates.
1: My config.hcl file is as follows
listener "tcp" {
  address       = "[::]:8200"
  tls_cert_file = "/certs/server.pem"
  tls_key_file  = "/certs/server.key"
  tls_disable   = false
}
2: Create CA Certificate Role
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--cacert clientCA.pem \
--data '{"display_name": "test-ca"}' \
https://test.example.com:8200/v1/auth/cert/certs/test-ca
3: Login with TLS Certificate Method
curl \
--request POST \
--cacert serverCA.pem \
--cert client.pem \
--key clientkey.pem \
--data '{"name": "test-ca"}' \
https://test.example.com:8200/v1/auth/cert/login|jq -r ".data"
When I execute the second step, an error is reported:
curl: (60) SSL certificate problem: unable to get local issuer certificate
Then I logged in via the root token and operated through the web interface instead. I created a test-ca role; the imported certificate is clientCA.pem.
When executing the third step, an error is reported:
curl: (60) SSL certificate problem: unable to get local issuer certificate
When I replace serverCA.pem in the original command with server.pem, the error becomes:
{"errors":["invalid certificate or no client certificate supplied"]}
curl \
--request POST \
--cacert server.pem \
--cert client.pem \
--key clientkey.pem \
--data '{"name": "test-ca"}' \
https://test.example.com:8200/v1/auth/cert/login|jq -r ".data"
When I went to the web interface and changed the certificate of test-ca from clientCA.pem to client.pem, the following curl command executed successfully.
curl \
--request POST \
--cacert server.pem \
--cert client.pem \
--key clientkey.pem \
--data '{"name": "test-ca"}' \
https://test.example.com:8200/v1/auth/cert/login|jq -r ".data"
Now I feel that I do not understand the relationship between these certificates. I have consulted a lot of documents, but I still do not understand it. I hope you can help me and provide me with a solution.

Related

Certificate issues with centOS7 with curl

I have an issue when using certificate when using curl. I'm running centOS7. We managed to get the curl going in other places, but not our dev machine:
What we are trying to do:
sudo curl -X 'GET' 'https://webpage/document' --cert '/localization.crt.pem' --key '/localization.key.pem' -H 'accept: */*' -k
I'm getting this error:
curl: (58) SSL peer cannot verify your certificate.
What I tried (from the CentOS documentation):
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide_common_criteria_edition/importing_certificate_into_nssdb
# PKICertImport -d . -n "client name" -t ",," -a -i certificate.crt.pem -u C
After echo $? we get a 0, so I think it is installed properly?
Any idea on what's wrong would be great.
I have run into this recently on our Linux environments. I've found that this tends to happen if you have an SSL certificate issued that also includes a chain certificate. If that chain is not also configured on your server, OpenSSL considers the certificate invalid.
I would test this using this command:
openssl s_client -showcerts -verify 5 -connect website.com:443
If you see a block like this that means you are missing the certificate chain in your server configuration:
---
SSL handshake has read 2162 bytes and written 401 bytes
Verification error: unable to verify the first certificate
---
Windows fills in the gaps and doesn't mind this type of configuration, but openssl is very particular.
I managed to solve the issue. Recompiled curl with openSSL with following tutorial:
Install curl with openssl
Works like a charm :)
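Both the Vault cert-auth question above and the missing-chain answer in this thread come down to one check: which certificate actually issued which. The script below is an added example, not code from either post. It uses only openssl to build a throwaway PKI in a temporary directory; the names (serverCA, clientCA, intermediateCA, server, client, test.example.com) mirror the Vault question but are invented here, and no real files or hosts are touched. It then shows what openssl verify says for each pairing, including the "unable to get local issuer certificate" case for a leaf checked against the wrong file, and the missing-intermediate case that s_client reports as "unable to verify the first certificate".

```sh
#!/bin/sh
# Added example (not from the original posts). Builds a throwaway PKI with
# openssl and shows which CA file verifies which certificate, and what a
# missing intermediate looks like to openssl verify.
# All names below (serverCA, clientCA, intermediateCA, test.example.com, ...)
# are made up for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key in $WORK/NAME.pem / NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue NAME ISSUER CN EXTFILE: new key + CSR for NAME, signed by ISSUER's key,
# with the extensions listed in EXTFILE (CA:TRUE for an intermediate, CA:FALSE for a leaf)
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -extfile "$4" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# verifies_with CAFILE CERT [UNTRUSTED]: prints "ok" if CERT chains to CAFILE
# (optionally through the UNTRUSTED intermediate), otherwise "fail".
# This is the same check curl --cacert performs on the server certificate.
verifies_with() {
    if [ $# -ge 3 ]; then
        set -- -CAfile "$WORK/$1.pem" -untrusted "$WORK/$3.pem" "$WORK/$2.pem"
    else
        set -- -CAfile "$WORK/$1.pem" "$WORK/$2.pem"
    fi
    if openssl verify "$@" 2>/dev/null | grep -q ': OK$'; then echo ok; else echo fail; fi
}

# dn CERT FIELD: print the subject or issuer DN of CERT (FIELD is subject or issuer)
dn() {
    openssl x509 -noout "-$2" -in "$WORK/$1.pem" | sed 's/^[a-z]*= *//'
}

# build_demo_pki: two independent roots, one leaf under each, plus a second
# server leaf issued through an intermediate. Safe to call more than once.
build_demo_pki() {
    if [ -f "$WORK/server2.pem" ]; then return 0; fi
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
    make_ca serverCA                                            # what curl --cacert needs
    make_ca clientCA                                            # what the Vault cert role needs
    issue server serverCA test.example.com "$WORK/leaf.ext"     # listener certificate
    issue client clientCA client "$WORK/leaf.ext"               # curl --cert / --key
    issue intermediateCA serverCA intermediateCA "$WORK/ca.ext"
    issue server2 intermediateCA test.example.com "$WORK/leaf.ext"
}

build_demo_pki
echo "client  issued by: $(dn client issuer)   (clientCA subject: $(dn clientCA subject))"
echo "server   vs serverCA:                 $(verifies_with serverCA server)"
echo "client   vs clientCA:                 $(verifies_with clientCA client)"
echo "client   vs serverCA:                 $(verifies_with serverCA client)"
echo "server   vs itself (not a CA):        $(verifies_with server server)"
echo "server2  vs serverCA, no intermediate: $(verifies_with serverCA server2)"
echo "server2  vs serverCA + intermediate:   $(verifies_with serverCA server2 intermediateCA)"
```

Reading the output against the curl flags: --cacert must name the CA that issued the listener's certificate (serverCA here), not the client-side CA and not a leaf that is merely self-signed; --cert and --key carry the client leaf; and the certificate configured on a Vault cert-auth role must be the CA that issued that client leaf (or, for a self-signed client certificate, the leaf itself). The last two lines show the missing-chain case from this thread: a leaf issued by an intermediate only verifies when the intermediate is supplied alongside it, which is what the server is expected to send in the handshake.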

How to send HTTPS request with certificates in java

I need to convert the following curl command to Java code, to send an HTTPS request with a certificate:
curl https://connect2.pointclickcare.com/api/public/preview1/orgs/6a69f753-1353-4def-a428-e42e1206b90b/facs -H "Authorization: Bearer H6B2nrdEA9KuW6jrW3gOLJU5KwUd:2" --cert fullchain21.pem --key privkey21.pem

API Python connection error occurrence, [SSL socket programming inquiry]

An SSL handshake error occurred while making an API call with Python.
The reason for the SSL handshake error is that information such as the client certificate, CA certificate, and client private key should be passed as options.
Query: curl -k --tlsv1.2 --cacert ./ca-chain.crt --cert ./client.crt --key ./client.key -H
You should have the above settings.
I found the tlsv1.2 part at the beginning through an internet search: with
import ssl
I learned that I just need to add context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2).
Then I did not know how to implement the --cacert ./ca-chain.crt --cert ./client.crt --key ./client.key part in Python code, so I am asking this question.
The client certificate, CA certificate, and client private key are ones I extracted with openssl and have kept.
Query: curl -k --tlsv1.2 --cacert ./ca-chain.crt --cert ./client.crt --key ./client.key -H
I would like to know how to implement this in Python code.
Thanks for reading this long post.
Then I did not know how to implement the --cacert ./ca-chain.crt --cert ./client.crt --key ./client.key part in Python code, so I am asking this question.
import ssl
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)              # --tlsv1.2
ctx.load_verify_locations('./ca-chain.crt')             # --cacert: CA chain used to verify the server
ctx.load_cert_chain('./client.crt', './client.key')     # --cert / --key: client certificate and private key
For more see the documentation.

libcurl: how to use TPM private key for mutual SSL authentication

I use the C libcurl library.
I need to do OCSP stapling combined with mutual authentication. For that, I will model it on the examples below. However, I need the private key of my client certificate to be stored in the TPM chip. Do you know how to do that, using tpm2-tss-engine? Thanks for your help.
https://curl.haxx.se/libcurl/c/smtp-ssl.html
https://curl.haxx.se/libcurl/c/CURLOPT_SSLCERT.html
I was able to use a key stored in the TPM with openssl s_client (maybe it is possible with curl), but I am able to make an HTTPS request and receive a response.
openssl allows you to read the key from the TPM. You can use the s_client command to connect over TCP, then send your HTTP request.
Example command would look like:
File: http_request.txt (with two newlines at the end)
GET /url/path HTTP/1.0
Host: hostname.com
cat http_request.txt | \
openssl s_client \
-nocommands \
-ign_eof \
-msgfile /dev/null \
-quiet \
-keyform engine \
-engine pkcs11 \
-cert mycertificate.pem \
-CAfile root.ca.pem \
-key 'pkcs11:model=SWTPM;manufacturer=Intel;token=mytoken;object=myobject;type=private;pin-value=mypin' \
-connect hostname.com:443
This allows me to use the TPM to make requests to AWS IoT (iot:AssumeRoleWithCertificate), which assumes the key is a file on disk: https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html

cURL - Unknown SSL protocol error with TLS1 and AES_128_CBC

I'm trying to get a cURL command to work and have been unable to figure out the correct syntax. Everything I've tried (listed below) results in an "Unknown SSL protocol error".
When I make the request in Chrome 42 I get a 200 response with the expected plaintext body "beat". There is a warning, however, and Chrome shows that the request is made using TLS 1.0 and the connection is encrypted using AES_128_CBC, with SHA1 for message authentication and RSA for key exchange.
Given this information, I would like to be able to make a request to the same URL using cURL and get the response "beat".
The certificates I am trying to pass to cURL were exported from Keychain into both the .pem and .cer formats.
Here's what I have tried. Every one of these commands has failed with the same message "curl: (35) Unknown SSL protocol error in connection to cxdev.sircon.com:-9824".
curl --trace - --ciphers ALL --cacert sircon.cer https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -k -v -1 -4 https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -k -v -1 https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -k -v https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v --cacert ./sircon.pem https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v --ciphers ALL --cacert sircon.cer https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v --tlsv1 --cacert ./sircon.pem https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v --tlsv1 --cacert sircon.cer https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v --tlsv1 --ciphers AES128 --cacert sircon.cer https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v --tlsv1 --ciphers AES128-SHA --cacert sircon.cer https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v --tlsv1 --ciphers ALL --cacert sircon.cer https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v -1 https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
A new internal CA and certificate fixed the issue. Using TLS 1.0 and encrypting the connection using AES_256_CBC with SHA1 for message authentication and ECDHE_RSA, I was able to get Chrome to show a nice green lock icon when accessing the URL and every single one of the curl commands that I posted in my question are now able to successfully retrieve the resource.