I am starting out with Istio and trying to enable TLS on north-south traffic by creating a gateway resource enabled with TLS, following this doc: https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-mount/.
I have followed everything to the dot, but I keep getting this error from the Istiod pod logs:
2020-05-21T04:41:44.467181Z info grpc: Server.Serve failed to complete security handshake from "10.x.x.x:34774": remote error: tls: bad certificate
2020-05-21T04:41:54.416502Z info grpc: Server.Serve failed to complete security handshake from "10.x.x.x:56768": remote error: tls: error decrypting message
2020-05-21T04:42:00.305269Z info grpc: Server.Serve failed to complete security handshake from "10.x.x.x:56834": remote error: tls: error decrypting message
Any idea why this is happening? I did check for typos while creating the certs but cannot find any.
This works when I disable TLS and use HTTP, so I am assuming that the error comes from using the certificates, and the logs say the same thing.
Details about the cluster:
AWS EKS Version: 1.14
Istio Version: 1.51
Any help would be greatly appreciated!
I am trying to enable SSL authentication on my Kafka server. I am following section 7.2 of the Kafka documentation.
I followed all the steps, but when calling the producer.bat file to send data into the topic I get the error below.
ERROR [Producer clientId=console-producer] Connection to node -1 failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
Caused by: java.security.cert.CertificateException: No name matching localhost found
I did create the certificate with CN=localhost.
The server host name verification may be disabled by setting ssl.endpoint.identification.algorithm to an empty string on the client.
Just set
ssl.endpoint.identification.algorithm=
i.e. with an empty value. It can help you.
For me it was an issue with the input given for first name and last name in keytool.
Generally java.security.cert.CertificateException: No name matching localhost found means that the hostname in the certificate does not match the hostname of the server.
There is a great explanation of this error here: CertificateException: No name matching ssl.someUrl.de found
We encountered the following errors; this might be because of the upgrade of Kafka from version 1.x to 2.x.
javax.net.ssl.SSLHandshakeException: General SSLEngine problem ... javax.net.ssl.SSLHandshakeException: General SSLEngine problem ... java.security.cert.CertificateException: No name matching *** found
or
[Producer clientId=producer-1] Connection to node -2 failed authentication due to: SSL handshake failed
The default value for ssl.endpoint.identification.algorithm was changed to https, which performs hostname verification (man-in-the-middle attacks are possible otherwise). Set ssl.endpoint.identification.algorithm to an empty string to restore the previous behaviour. (Apache Kafka, Notable changes in 2.0.0)
Solution:
SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, ""
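As an added illustration (not code from any answer above) of what the hostname check behind ssl.endpoint.identification.algorithm=https actually does, here is a matcher over peer-certificate dicts in the shape of Python's ssl.SSLSocket.getpeercert(). The certificates and hostnames are constructed; the SAN-first, CN-fallback rule mirrors Java's HostnameChecker, which is what produces the "No name matching ... found" message in the question, and it shows why putting the broker's hostname in the certificate fixes the error without clearing the setting.

```python
# Constructed peer-certificate dicts (not real brokers), in the shape
# returned by ssl.SSLSocket.getpeercert().
CERT_CN_ONLY = {"subject": ((("commonName", "localhost"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "kafka-0.broker.example.test"),
                       ("DNS", "*.broker.example.test")),
}

def _dns_match(pattern, hostname):
    """RFC 6125 style match: a single '*' only as the whole left-most label,
    matching exactly one label ('*.example.test' does not match 'a.b.example.test')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or "*" in tail:
        return False  # partial or non-leading wildcards are rejected
    h_head, _, h_tail = hostname.partition(".")
    return bool(h_head) and h_tail == tail

def dns_sans(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def cert_names(cert):
    """Names the verifier consults: DNS SANs if any exist, otherwise the CN.
    (IP-address SANs are out of scope for this illustration.)"""
    return dns_sans(cert) or common_names(cert)

def matches_hostname(cert, hostname):
    return any(_dns_match(name, hostname) for name in cert_names(cert))

def explain(cert, hostname):
    """Reproduce the wording of Java's HostnameChecker for the two failure paths."""
    if matches_hostname(cert, hostname):
        return f"ok: {hostname} matches one of {cert_names(cert)}"
    if dns_sans(cert):  # SANs present, so the CN is never consulted
        return f"CertificateException: No subject alternative DNS name matching {hostname} found"
    return f"CertificateException: No name matching {hostname} found"

if __name__ == "__main__":
    print(explain(CERT_CN_ONLY, "localhost"))                    # ok (CN fallback)
    print(explain(CERT_CN_ONLY, "kafka-0.broker.example.test"))  # the question's error
    print(explain(CERT_WITH_SAN, "localhost"))                   # SAN present, CN ignored
    print(explain(CERT_WITH_SAN, "kafka-1.broker.example.test")) # wildcard SAN matches
```

The "No name matching" form therefore tells you the certificate carries no DNS SAN and its CN differs from the name the client dialed; the fix is a certificate whose SAN lists the broker name the client uses.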
When using Strimzi Kafka operator, use the cluster ca cert (add to jks truststore) to avoid this error. The client CA certificate was always throwing this error for me.
I got this error because of connection problems, caused by my firewall.
The connection can be checked with:
openssl s_client -debug -connect servername:port -tls1_2
The answer should be "Verify return code: 0 (ok)".
Other return codes could suggest that you have no access.
Application – GITLAB
We have been facing an intermittent issue with GITLAB.
Users are not able to do: a) git status, b) git clone, c) git pull.
Errors –
fatal: The remote end hung up unexpectedly
error: RPC failed; HTTP 401 curl 22 The requested URL returned error: 401
..
remote: HTTP Basic: Access denied
fatal: Authentication failed for
A few errors we noticed in unicorn.log:
ERROR -- omniauth: (ldapmain) Authentication failure! invalid_credentials encountered.
I, [2018-02-12T11:08:00.926120 #2992] INFO -- omniauth: (ldapmain) Callback phase initiated.
This issue is intermittent and occurs once in every three or four tries.
We already tried –
Restarting gitlab service,
Server reboot
Git client upgrade
Setting SSH keys in git client
Changing ldap authentication user
POST buffer size for both client and Server end
Nothing worked. Please help.
I am getting the following error in debug mode:
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: tuser
[mschap] Client is using MS-CHAPv2 for tuser, we need NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
I am pretty sure this is the issue. I am using OpenDJ as the backend LDAP server and using FreeRADIUS with LDAP. Please tell me if I am missing anything or if there is a specific configuration I have to make. There is nothing network-wise that is blocking ports. Note: I am using a Mac to authenticate.
Can you log in locally on the FreeRADIUS server with LDAP creds?
radtest $login $pass 127.0.0.1 10 $secret
If yes, you should probably stop the freeradius service and run "freeradius -X", which will show you debug output from the server side.
Paste your sites-enabled/default config; do you have mschap uncommented there?
I want to set up LDAP authentication for my Nexus OSS repository.
I use the info below:
Protocol : ldap
Authentication method : DIGEST-MD5
But when I create an LDAP connection in Nexus OSS I get the error below:
Failed to connect to LDAP Server: a.b.c.d:636; socket closed
Connectivity from my repository to the LDAP server is OK.
What is the issue?
LDAP works on port 389, and LDAPS operates on 636. You might need to add the certificates; you can do:
openssl s_client -showcerts -connect server.com:369
This command will give you PEMs, which you can copy and paste into the SSL certificates section of the UI.