Configuring TLS for Sentry Relay - ssl

I have the following config file for Sentry Relay:
---
relay:
  mode: static
  upstream: "https://sentry.io/"
  host: 0.0.0.0
  port: 3000
  tls_port: 3001
  tls_identity_path: /etc/cert/keyStore.p12
  tls_identity_password: xxx
I am able to ping sentry via port 3000 on the command line:
export SENTRY_DSN="http://nfvu4830bvfu3iuujfnvb3809#domain:3000/43275240"
sentry-cli send-event -m "test event"
But not port 3001:
export SENTRY_DSN="https://nfvu4830bvfu3iuujfnvb3809#domain:3001/43275240"
sentry-cli send-event -m "secure test event"
keyStore.p12 was generated by doing:
openssl req -x509 -newkey rsa:4096 -keyout myKey.pem -out cert.pem -days 365
openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in cert.pem
And my Sentry Relay server was started using the docker command:
sudo docker run --rm -d \
-v $(pwd)/config/:/etc/relay/ \
-v $(pwd)/cert/:/etc/cert/ \
-p 3000:3000 \
-p 3001:3001 \
getsentry/relay run --config /etc/relay/
In the logs, I can see that both port 3000 and 3001 were opened and ready for connection:
INFO relay_server::service > spawning http server
INFO relay_server::service > listening on: http://0.0.0.0:3000/
INFO relay_server::service > listening on: https://0.0.0.0:3001/
INFO actix_net::server::server > Starting 2 workers
INFO actix_net::server::server > Starting server on 0.0.0.0:3000
INFO actix_net::server::server > Starting server on 0.0.0.0:3001
I cannot figure out what the issue is and why I am unable to send a message through https on port 3001.

Related

Mosquitto certificate verify failed with protocol error

I'm having trouble setting up mosquitto to encrypt over SSL/TLS. I have followed the instructions of mosquitto to generate the certificate and key. The code used is as follows:
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout ca.key -out ca.crt.crt
openssl genrsa -out server.key 2048
openssl req -out server.csr -key server.key -new
openssl x509 -req -in server.csr -CA ca.crt.crt -CAkey ca.key -CAcreateserial -out server.crt.crt -days 3650
Then I configured in mosquitto.conf as follows:
listener 8883
allow_anonymous true
cafile d:\etc\mosquitto\ca_certificates\ca.crt.crt
certfile d:\etc\mosquitto\certs\server.crt.crt
keyfile d:\etc\mosquitto\certs\server.key
Then I used the code
mosquitto -v -c mosquitto.conf
The results of running mosquitto are as follows:
D:\etc\mosquitto>mosquitto -v -c mosquitto.conf
1663109874: mosquitto version 2.0.15 starting
1663109874: Config loaded from mosquitto.conf.
1663109874: Opening ipv6 listen socket on port 8883.
1663109874: Opening ipv4 listen socket on port 8883.
1663109874: mosquitto version 2.0.15 running
But I have a problem when I try to run the subscribe and publish commands. I ran the following code:
mosquitto_sub -d -v -h 91.121.93.94 -p 8883 -t test --cafile d:\etc\mosquitto\ca_certificates\ca.crt.crt
91.121.93.94 is the Common Name I set when generating the server key. Then I got the error below:
Client null sending CONNECT
OpenSSL Error[0]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Error: protocol error
I don't know where I am going wrong or if I have not configured something in mosquitto.conf.

python confluent kafka client - unable to access Kafka on GKE using SSL

I have a simple python Kafka producer, and I'm trying to access the Strimzi Kafka Cluster on GKE, and I'm getting the following error:
cimpl.KafkaException: KafkaError{code=_INVALID_ARG,val=-186,str="Failed to create producer: ssl.key.location failed: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch"}
Here is the Kafka producer code:
from confluent_kafka import Producer

kafkaBrokers = '<host>:<port>'
caRootLocation = '/Users/karanalang/Documents/Technology/strimzi/gcp_certs_nov28/pem-user2/cacerts.pem'
certLocation = '/Users/karanalang/Documents/Technology/strimzi/gcp_certs_nov28/pem-user2/cert.pem'
keyLocation = '/Users/karanalang/Documents/Technology/strimzi/gcp_certs_nov28/pem-user2/key.pem'
password = '<password>'

conf = {'bootstrap.servers': kafkaBrokers,
        'security.protocol': 'SSL',
        'ssl.ca.location': caRootLocation,
        'ssl.certificate.location': certLocation,
        'ssl.key.location': keyLocation,
        'ssl.key.password': password
        }

topic = 'my-topic1'
producer = Producer(conf)

for n in range(100):
    producer.produce(topic, key=str(n), value="val -> " + str(n))
producer.flush()
To get the pem files (from the secrets - PKCS files), here are the commands used
kubectl get secret my-cluster-lb-ssl-certs-cluster-ca-cert -n kafka -o jsonpath='{.data.ca\.p12}' | base64 -d > ca.p12
kubectl get secret my-cluster-lb-ssl-certs-cluster-ca-cert -n kafka -o jsonpath='{.data.ca\.password}' | base64 -d > ca.password
kubectl get secret my-bridge1 -n kafka -o jsonpath='{.data.user\.p12}' | base64 -d > user2.p12
kubectl get secret my-bridge1 -n kafka -o jsonpath='{.data.user\.password}' | base64 -d > user2.password
# to get the user private key, i.e. key.pem
openssl pkcs12 -in user2.p12 -nodes -nocerts -out key.pem -passin pass:<passwd>
# CARoot - extract cacerts.cer
openssl pkcs12 -in ca.p12 -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacerts.cer
# convert to pem format
openssl x509 -in cacerts.cer -out cacerts.pem
# get the ca.crt from the secret
kubectl get secret my-cluster-lb-ssl-certs-cluster-ca-cert -n kafka -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
# convert to pem
openssl x509 -in ca.crt -out cert.pem
Any ideas how to fix this issue?
Please note:
I'm able to access the Kafka cluster using the command-line Kafka producer/consumer over SSL.
This is fixed; please see the expected configuration below:
'ssl.ca.location' -> CARoot (certifying authority, used to sign all the user certs)
'ssl.certificate.location' -> User Cert (used by Kubernetes to authenticate to API server)
'ssl.key.location' -> User private key
The above error was due to an incorrect User Cert being used; it should match the User Private Key.

CA cert is only added to ca-bundle.trust.crt

Env:
Red Hat Enterprise Linux Server release 7.7 (Maipo)
# openssl version
OpenSSL 1.0.2g 1 Mar 2016
A self-signed cert is generated using OpenSSL and the cacert.pem is put under /etc/pki/ca-trust/source/anchors/.
According to the man page for update-ca-trust, that command should be run to add the cert into the trust store, and the certs are then added under /etc/pki/ca-trust/extracted/.
After running the said command, I see that the cert is added only to /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt. But most applications, like curl, refer to the OS CA trust at /etc/pki/ca-trust/extracted/openssl/ca-bundle.crt, which is a link to /etc/pki/tls/certs/ca-bundle.crt.
curl -v https://172.21.19.92/api
* About to connect() to 172.21.19.92 port 443 (#0)
* Trying 172.21.19.92...
* Connected to 172.21.19.92 (172.21.19.92) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
I understand that passing the --cacert option would be a way to overcome it, but I want to know why update-ca-trust only updates ca-bundle.trust.crt and not ca-bundle.crt, or the extracted Java keystore /etc/pki/ca-trust/extracted/java/cacerts as well.
The actual command that imports certificates into /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem is:
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
So the filters here are --filter=ca-anchors + --purpose server-auth. When you generate the cert you have to add the purpose extendedKeyUsage=serverAuth explicitly:
openssl x509 -req -in $SRV_NAME.csr -CA $CA_NAME.crt -CAkey $CA_NAME.key -passin pass:"$PASS" -out $SRV_NAME.crt \
-days 3650 -CAcreateserial \
-extensions v3_ca \
-extfile <(echo "[v3_ca]"; echo "extendedKeyUsage=serverAuth"; echo "subjectAltName=$SRV_DNS_NAMES_TEXT,email:$SRV_EMAIL")
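The two checks these threads turn on, as an added example (not the posters' code): the cert/key pairing that librdkafka's X509_check_private_key rejected in the Kafka thread above, and the serverAuth purpose that the p11-kit filter in this answer selects on. It assumes only that openssl is on PATH; demo-ca, relay.example and the files under the temp directory are constructed for the demo.

```sh
#!/bin/sh
# Added example, not the posters' code. Builds a throwaway CA and two leaf
# certs with openssl, then runs the two checks the threads above turn on:
# is the cert marked for server-auth, and does the private key belong to
# the cert. Assumes only that openssl is on PATH; demo-ca, relay.example
# and the files under $WORK are constructed for this demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway private CA (non-interactive version of the posts' CA steps).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
printf '[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
    -extensions v3_ca -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null

# Issue a CA-signed leaf. $1 = basename, $2 = extendedKeyUsage value.
# EKU and SAN go in through -extensions/-extfile, as in the answer above.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=relay.example" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf '[v3_leaf]\nsubjectAltName=DNS:relay.example\nextendedKeyUsage=%s\n' "$2" \
        > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extensions v3_leaf -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Check 1: is the cert usable in the TLS *server* role, the "server-auth"
# purpose that p11-kit's --purpose filter selects on? Prints yes/no.
server_auth_ok() {
    if openssl verify -purpose sslserver -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
    then echo yes; else echo no; fi
}

# Check 2: does the private key belong to the cert? librdkafka's
# X509_check_private_key ("key values mismatch") decides the same thing;
# comparing the public key taken from both files gives the same answer.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] \
        && echo yes || echo no
}

issue_cert server serverAuth     # what a broker, relay or API endpoint presents
issue_cert client clientAuth     # a user cert, like the Kafka user cert above
echo "server.crt as TLS server: $(server_auth_ok "$WORK/server.crt")"   # yes
echo "client.crt as TLS server: $(server_auth_ok "$WORK/client.crt")"   # no
echo "server.crt + server.key:  $(key_matches_cert "$WORK/server.crt" "$WORK/server.key")"  # yes
echo "server.crt + client.key:  $(key_matches_cert "$WORK/server.crt" "$WORK/client.key")"  # no
```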

Getting error message when I use SSL on my server running Mosquitto?

I have implemented the mosquitto broker on Ubuntu on port 8883 and port 1883 and can't figure out why I keep getting the CA-related errors shown below.
It happens when I test it using mosquitto_pub locally on the server and when I use the Paho/Python script as the client on my MacBook. My mosquitto.config file, mosquitto_pub command, and my mosquitto log messages are shown below. I've also included my openssl certificate creation commands in case I did something wrong.
This is my mosquitto.conf file
# Place your local configuration in /etc/mosquitto/conf.d/
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
#log_dest file /var/log/mosquitto/mosquitto.log
log_dest stdout
include_dir /etc/mosquitto/conf.d
log_type all
#-----------------------------------------------
#Default Listener
#-----------------------------------------------
port 8883
#------------------------------------------------
#Certificate Based SSL/TLS Support
#------------------------------------------------
cafile /../etc/mosquitto/ca_certificates/ca.crt
keyfile /../etc/mosquitto/certs/server.key
certfile /../etc/mosquitto/certs/server.crt
listener 1883
This is the mosquitto_pub command I use to test it.
sudo mosquitto_pub -h 305.875.987.34 -t test -m "Typing this" -p 8883 --cafile /../etc/mosquitto/ca_certificates/ca.crt
This is what the mosquitto log says when I run it.
1546507891: mosquitto version 1.5.5 starting
1546507891: Config loaded from /../etc/mosquitto/mosquitto.conf.
1546507891: Opening ipv4 listen socket on port 1883.
1546507891: Opening ipv6 listen socket on port 1883.
1546507891: Opening ipv4 listen socket on port 8883.
1546507891: Opening ipv6 listen socket on port 8883.
1546507929: New connection from 305.875.987.34 on port 8883.
1546507929: OpenSSL Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
1546507929: Socket error on client <unknown>, disconnecting.
These are the openssl commands I used to create ca.crt, server.crt, and server.key. I created them in a folder called certs.
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
I then moved ca.crt to /../etc/mosquitto/ca_certifications after deleting an old ca.crt I had made trying to fix the problem. I did this with the following two commands.
sudo rm /../etc/mosquitto/ca_certifications/ca.crt
sudo mv ca.crt /../etc/mosquitto/ca_certifications
I did the same thing with server.crt and server.key except I put them in /../etc/mosquitto/certs.
The broker seems to work fine on port 1883.
Let me know if you need any more info.
To start with, I would rearrange your mosquitto.conf to make it more obvious what is linked to what, and to remove the relative paths to your cert/key files, as follows:
# Place your local configuration in /etc/mosquitto/conf.d/
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
#log_dest file /var/log/mosquitto/mosquitto.log
log_dest stdout
include_dir /etc/mosquitto/conf.d
log_type all
#-----------------------------------------------
#Default Listener
#-----------------------------------------------
port 1883
#------------------------------------------------
#Certificate Based SSL/TLS Support
#------------------------------------------------
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
I've swapped the port/listener entries to make it obvious that the SSL setup is bound to the port 8883 listener. I've also removed the /../ from the start of the paths, as it is meaningless: it's impossible to go "up" a directory from the / "root".
Likewise, you should use the direct paths in the mosquitto_pub command.
Also, as you are copying files around as root (with sudo), make sure that the cert/key files are readable by the mosquitto user.

TLS failed in Docker

I have very limited knowledge about TLS certificates. I wanted to enable https for the docker daemon. I followed this tutorial, but at the end the docker daemon failed to start.
I am using docker in an Ubuntu 16.04 VM, and my client and server are the same machine. So I use $hostname as the 'Common Name' during the whole process.
After following the whole process in docker documentation when I run
sudo dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376
I get the INFO log that "API listen on [::]:2376"
When I use the below command:
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2376 version
I get proper response.
But when I reload the daemon and try to start docker, it says failed to start docker and gives the following message:
Job for docker.service failed because the control process exited with error code.
See "systemctl status docker.service" and "journalctl -xe" for details.
Output of 'journalctl -xe' is:
I copied the necessary certificate to ~/.docker/ and the 'ExecStart' in my /lib/systemd/system/docker.service file is:
ExecStart=/usr/bin/dockerd -H fd:// -H 0.0.0.0:2376 \
--tlsverify --tlscacert=/home/sakib/.docker/ca.pem \
--tlskey=/home/sakib/.docker/key.pem \
--tlscert=/home/sakib/.docker/cert.pem
When I try to communicate with the API I get the following response:
$ curl -X GET https://0.0.0.0:2376/images/json
curl: (35) gnutls_handshake() failed: Certificate is bad
$ docker version
Client:
Version: 1.12.1
API version: 1.24
Go version: go1.6.3
Git commit: 23cf638
Built: Thu Aug 18 05:33:38 2016
OS/Arch: linux/amd64
An error occurred trying to connect: Get https://EL802:2376/v1.24/version: x509: certificate is valid for $HOST, not EL802
NOTE: EL802 is my hostname which I set as the 'HOST' environment variable.
I think the problem is with the 'CN' name that I chose while creating the client certificate. I created the server and client certificates as below:
Server:
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
Client:
openssl req -subj '/CN=$HOST' -new -key key.pem -out client.csr
As my client and server are my host machine (EL802), which I set as the $HOST variable.
Your picture does not show the full error line, but if the error message is:
pid file found, ensure docker is not running or delete /var/run/docker.pid
Try deleting the pid file and restarting.
Also double-check your docker installation on Ubuntu, and its systemd configuration.
x509: certificate is valid for $HOST, not EL802
That means the certificate has been created with the string $HOST instead of its actual value.
openssl req -subj '/CN=$HOST'
The strong quoting of the single quotes prevents the shell from replacing $HOST with its value. Use double quotes.
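The quoting point in this answer, shown on real certificates as an added example (not the poster's or the answerer's code): one self-signed cert made with the literal subject '/CN=$HOST', one with the expanded value, then openssl's own hostname check on each. It assumes openssl is on PATH; HOST=EL802 and the temp files are constructed for the demo.

```sh
#!/bin/sh
# Added example, not the poster's or the answerer's code. Shows the quoting
# difference from the answer above on real certificates, then asks openssl
# whether each cert is valid for the hostname, the same question the docker
# client's x509 library asked. Assumes openssl on PATH; HOST=EL802 and the
# files under $WORK are constructed for this demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=EL802

# Self-signed cert from whatever -subj value the caller's quoting produced.
# $1 = -subj value as received, $2 = output basename. Prints the subject.
self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
    openssl x509 -in "$WORK/$2.crt" -noout -subject
}

# Would a TLS client accept cert $1 for host $2? Uses openssl's own hostname
# check (SAN dNSName first, CN only when the cert has no DNS SAN). Prints yes/no.
cert_matches_host() {
    if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
    then echo yes; else echo no; fi
}

# Single quotes: the shell hands openssl the five characters $HOST unchanged.
self_signed '/CN=$HOST' literal      # subject ... CN = $HOST
# Double quotes: the shell expands $HOST first, so the CN becomes EL802.
self_signed "/CN=$HOST" expanded     # subject ... CN = EL802

for c in literal expanded; do
    echo "$c.crt valid for $HOST: $(cert_matches_host "$WORK/$c.crt" "$HOST")"
done   # literal: no, expanded: yes
```

Go's x509 package dropped the CN fallback in 1.15, so newer docker clients need the hostname in subjectAltName as well; openssl's -checkhost above still consults the CN when the cert carries no DNS SAN.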