Understanding the certificate revocation configuration file (crl.cnf/openssl.cnf)

I have a crl.cnf as below:
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = _CA_dir_
database = _index_fname_ # database index file.
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
In the above file, what do the CA_dir, index_fname and ca_default variables refer to, or how can I find out what values those variables hold? It would be really helpful if someone could help me understand this. Thanks in advance!

Related

Verdaccio - Tarball data seems to be corrupted. Code EINTEGRITY with any random package

I have configured Verdaccio on my local machine for testing. Below is my configuration,
#
# This is the default configuration file. It allows all users to do anything,
# please read carefully the documentation and best practices to
# improve security.
#
# Look here for more config file examples:
# https://github.com/verdaccio/verdaccio/tree/5.x/conf
#
# Read about the best practices
# https://verdaccio.org/docs/best
# path to a directory with all packages
storage: /verdaccio/storage/data
# path to a directory with plugins to include
plugins: /verdaccio/plugins
# https://verdaccio.org/docs/webui
# https://verdaccio.org/docs/configuration#uplinks
# a list of other known repositories we can talk to
uplinks:
  npmjs:
    url: https://registry.npmjs.org/
    cache: false
# https://verdaccio.org/docs/configuration#authentication
auth:
  htpasswd:
    file: /verdaccio/htpasswd
# Learn how to protect your packages
# https://verdaccio.org/docs/protect-your-dependencies/
# https://verdaccio.org/docs/configuration#packages
packages:
  '@mycompany/*':
    access: $authenticated
    publish: $authenticated
    unpublish: $authenticated
  '@*/*':
    # scoped packages
    access: $all
    publish: $authenticated
    unpublish: $authenticated
    proxy: npmjs
  '**':
    access: $all
    publish: $authenticated
    unpublish: $authenticated
    # publish: azuread
    # unpublish: azuread
    # if package is not available locally, proxy requests to 'npmjs' registry
    proxy: npmjs
# To improve your security configuration and avoid dependency confusion
# consider removing the proxy property for private packages
# https://verdaccio.org/docs/best#remove-proxy-to-increase-security-at-private-packages
# https://verdaccio.org/docs/configuration#server
# You can specify HTTP/1.1 server keep alive timeout in seconds for incoming connections.
# A value of 0 makes the http server behave similarly to Node.js versions prior to 8.0.0, which did not have a keep-alive timeout.
# WORKAROUND: Through given configuration you can workaround following issue https://github.com/verdaccio/verdaccio/issues/301. Set to 0 in case 60 is not enough.
server:
  keepAliveTimeout: 60
  # Allow `req.ip` to resolve properly when Verdaccio is behind a proxy or load-balancer
  # See: https://expressjs.com/en/guide/behind-proxies.html
  # trustProxy: '127.0.0.1'
# https://verdaccio.org/docs/configuration#offline-publish
# publish:
#   allow_offline: false
# https://verdaccio.org/docs/configuration#url-prefix
# url_prefix: /verdaccio/
# VERDACCIO_PUBLIC_URL='https://somedomain.org';
#   url_prefix: '/my_prefix'
#   // url -> https://somedomain.org/my_prefix/
# VERDACCIO_PUBLIC_URL='https://somedomain.org';
#   url_prefix: '/'
#   // url -> https://somedomain.org/
# VERDACCIO_PUBLIC_URL='https://somedomain.org/first_prefix';
#   url_prefix: '/second_prefix'
#   // url -> https://somedomain.org/second_prefix/'
# https://verdaccio.org/docs/configuration#security
# security:
#   api:
#     legacy: true
#     jwt:
#       sign:
#         expiresIn: 29d
#       verify:
#         someProp: [value]
#   web:
#     sign:
#       expiresIn: 1h # 1 hour by default
#     verify:
#       someProp: [value]
# https://verdaccio.org/docs/configuration#user-rate-limit
# userRateLimit:
#   windowMs: 50000
#   max: 1000
# https://verdaccio.org/docs/configuration#max-body-size
# max_body_size: 10mb
# https://verdaccio.org/docs/configuration#listen-port
# listen:
#  - localhost:4873            # default value
#  - http://localhost:4873     # same thing
#  - 0.0.0.0:4873              # listen on all addresses (INADDR_ANY)
#  - https://example.org:4873  # if you want to use https
#  - "[::1]:4873"              # ipv6
#  - unix:/tmp/verdaccio.sock  # unix socket
# The HTTPS configuration is useful if you do not consider use a HTTP Proxy
# https://verdaccio.org/docs/configuration#https
# https:
#   key: ./path/verdaccio-key.pem
#   cert: ./path/verdaccio-cert.pem
#   ca: ./path/verdaccio-csr.pem
# https://verdaccio.org/docs/configuration#proxy
# http_proxy: http://something.local/
# https_proxy: https://something.local/
# https://verdaccio.org/docs/configuration#notifications
# notify:
#   method: POST
#   headers: [{ "Content-Type": "application/json" }]
#   endpoint: https://usagge.hipchat.com/v2/room/3729485/notification?auth_token=mySecretToken
#   content: '{"color":"green","message":"New package published: * {{ name }}*","notify":true,"message_format":"text"}'
middlewares:
  audit:
    enabled: true
# https://verdaccio.org/docs/logger
# log settings
logs: { type: stdout, format: pretty, level: http }
#experiments:
#  # support for npm token command
#  token: false
#  # disable writing body size to logs, read more on ticket 1912
#  bytesin_off: false
#  # enable tarball URL redirect for hosting tarball with a different server, the tarball_url_redirect can be a template string
#  tarball_url_redirect: 'https://mycdn.com/verdaccio/${packageName}/$(unknown)'
#  # the tarball_url_redirect can be a function, takes packageName and filename and returns the url, when working with a js configuration file
#  tarball_url_redirect(packageName, filename) {
#    const signedUrl = // generate a signed url
#    return signedUrl;
#  }
# translate your registry, api i18n not available yet
# i18n:
# list of the available translations https://github.com/verdaccio/verdaccio/blob/master/packages/plugins/ui-theme/src/i18n/ABOUT_TRANSLATIONS.md
#  web: en-US
# minio configuration
store:
  minio:
    # The HTTP port of your minio instance
    port: 9000
    # The endpoint on which verdaccio will access minio (without scheme)
    endPoint: 172.17.0.4
    # The minio access key
    accessKey: ***
    # The minio secret key
    secretKey: *****
    # Disable SSL if you're accessing minio directly through HTTP
    useSSL: false
    # The region used by your minio instance (optional, default to "us-east-1")
    # region: eu-west-1
    # A bucket where verdaccio will store it's database & packages (optional, default to "verdaccio")
    bucket: 'npm'
    # Number of retry when a request to minio fails (optional, default to 10)
    retries: 3
    # Delay between retries (optional, default to 100)
    delay: 50
I am able to log in, and I can publish and pull private packages. However, whenever I try to pull any package which is not present on my machine, so that it gets pulled from registry.npmjs.org, I get the warning "tarball data seems to be corrupted. Trying again." for any random package, and then the command crashes with ERR: CODE EINTEGRITY, sha256:****
I am not able to figure this out.
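
EINTEGRITY is npm comparing a hash of the tarball bytes it actually received with the dist.integrity value in the package metadata: a Subresource-Integrity string ("sha512-<base64>" for anything published with npm 5 or later) that sits next to the older hex SHA-1 dist.shasum. The comparison is easy to reproduce by hand, and running it on a tarball fetched through the Verdaccio instance tells you whether the bytes coming out of the proxy and its storage backend still match what registry.npmjs.org advertises. The Python below is an added example for this page, not Verdaccio's or npm's code; the tarball bytes are constructed so that it runs offline, and the failure message only imitates npm's wording.

```python
import base64
import hashlib

# Strongest-first order used when a packument lists several hashes; the
# weaker entries are only a fallback.
_PREFERENCE = ("sha512", "sha384", "sha256", "sha1")


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource-Integrity string as stored in dist.integrity:
    '<algo>-<base64 digest>'. npm >= 5 records sha512."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def shasum(data: bytes) -> str:
    """Legacy dist.shasum field: hex SHA-1 of the tarball bytes."""
    return hashlib.sha1(data).hexdigest()


def strongest(integrity: str) -> str:
    """Pick the entry to verify against from a space-separated SRI list."""
    entries = integrity.split()
    for algo in _PREFERENCE:
        for entry in entries:
            if entry.startswith(algo + "-"):
                return entry
    raise ValueError(f"no supported hash in {integrity!r}")


def check_integrity(data: bytes, integrity: str) -> tuple[bool, str]:
    """Recompute the digest of the bytes that arrived and compare it with
    what the registry metadata promised. A mismatch is what npm reports as
    EINTEGRITY: the tarball on the wire differs from the one the packument
    describes (a truncated object, a proxy or storage layer rewriting it,
    or a tampered package)."""
    expected = strongest(integrity)
    algo = expected.split("-", 1)[0]
    got = sri(data, algo)
    if got == expected:
        return True, f"integrity ok ({algo})"
    return False, f"EINTEGRITY: wanted {expected} but got {got}"


# Constructed stand-in for a package tarball (not a real .tgz) so the example
# runs offline. Real usage: data = open("pkg-1.2.3.tgz", "rb").read() and
# integrity = the dist.integrity value from the packument.
GOOD_TARBALL = b"\x1f\x8b\x08\x00" + b"fake-tarball-contents" * 40
PROMISED_INTEGRITY = sri(GOOD_TARBALL)            # what the registry advertises
TRUNCATED_TARBALL = GOOD_TARBALL[:-1]              # storage backend returned a partial object
TAMPERED_TARBALL = GOOD_TARBALL.replace(b"fake", b"evil", 1)

if __name__ == "__main__":
    samples = (("good", GOOD_TARBALL),
               ("truncated", TRUNCATED_TARBALL),
               ("tampered", TAMPERED_TARBALL))
    for label, blob in samples:
        ok, msg = check_integrity(blob, PROMISED_INTEGRITY)
        print(f"{label:>9}: {msg}")
```

To apply this to a real package, fetch the tarball through the Verdaccio instance (npm pack with the registry pointed at it, or curl the tarball URL), read the integrity the upstream registry reports with npm view <name>@<version> dist.integrity, and feed both to check_integrity; the equivalent shell one-liner is openssl dgst -sha512 -binary <file> | openssl base64 -A. If the hash of the bytes served by Verdaccio differs from upstream while a direct download from registry.npmjs.org matches, the corruption is happening between the uplink and the client.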

How to combine flask_ldap3_login and flask_httpauth in a Flask app and test the authentication against ldap.forumsys.com

I have been struggling to combine flask_ldap3_login and flask_httpauth into a simple Flask app and test the result against the only free LDAP server that's available: ldap.forumsys.com
There is a lot of information out there, but none of it showed how to set all the config parameters correctly to get it to work just right. After a lot of trial and error, I got it to work.
If you have a better/simpler solution, please share!
Here's the code (I'll also be sharing in https://gist.github.com/jeromegit/f987b081afa3cbc09ed47a3089b32079):
(Also check out the information re: the free LDAP server: https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/ )
from flask import Flask
import logging
from flask_ldap3_login import LDAP3LoginManager, AuthenticationResponseStatus
from flask_httpauth import HTTPBasicAuth
# Extra logging to help troubleshoot
logging.getLogger('flask_ldap3_login').setLevel(logging.DEBUG)
logger = logging.getLogger('flask_ldap3_login')
logger.addHandler(logging.StreamHandler())
logger.setLevel(logging.DEBUG)
app = Flask(__name__)
auth = HTTPBasicAuth(realm="Private!")
# Setup LDAP Configuration Variables. Change these to your own settings.
# All configuration directives can be found in the documentation.
# See https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
config = dict()
# Hostname of your LDAP Server
config['LDAP_HOST'] = 'ldap.forumsys.com'
# The Username to bind to LDAP with
config['LDAP_BIND_USER_DN'] = 'cn=read-only-admin,dc=example,dc=com'
# The Password to bind to LDAP with
config['LDAP_BIND_USER_PASSWORD'] = 'password'
# Base DN of your directory
config['LDAP_BASE_DN'] = 'dc=example,dc=com'
# Users DN to be prepended to the Base DN
#config['LDAP_USER_DN'] = 'ou=scientists'
# Groups DN to be prepended to the Base DN
config['LDAP_GROUP_DN'] = ''
# The RDN attribute for your user schema on LDAP
config['LDAP_USER_RDN_ATTR'] = 'uid'
# The Attribute you want users to authenticate to LDAP with.
config['LDAP_USER_LOGIN_ATTR'] = 'uid'
config['LDAP_GROUP_OBJECT_FILTER'] = '(objectclass=*)'
# Setup a LDAP3 Login Manager.
ldap_manager = LDAP3LoginManager()
# Init the manager with the config
ldap_manager.init_config(config)
@auth.verify_password
def verify_password(username, password):
    # Check if the credentials are correct
    response = ldap_manager.authenticate(username, password)
    if response.status == AuthenticationResponseStatus.success:
        return username
    else:
        print(response.status)
        return None  # flask_httpauth treats None as a failed login
@app.route('/')
@auth.login_required
def index():
    return "Hello, {}!".format(auth.current_user())
if __name__ == '__main__':
    app.run(port=5003)

What error currently exists in the ssl.cnf file or code that is leading to the following output in zsh?

Recently I was working on a project that utilized the Alexa AVS Sample App (the one written in Java, and currently in maintenance mode: https://github.com/alexa/alexa-avs-sample-app/wiki/Mac#4---generating-self-signed-certificates), and when I was attempting to follow the given instruction:
Edit the ssl.cnf configuration file with your favorite text editor. Replace any placeholder values that start with YOUR_.
Note: countryName must be two characters (e.g. US). If it is not two characters, certificate creation will fail. Additionally, if you will be accessing your device from any IP or DNS entry besides localhost (127.0.0.1 or 10.0.2.2), you must add the additional IP or DNS entries to [alt_names]. One situation where you will need to add entries to [alt_names] is if you are going to authenticate using an Android or iOS companion app from a device instead of from the Android or iOS emulators on the same machine as the Node.js server and sample app.
I edited the file as instructed, and I'm not sure if I did it correctly, but here goes:
[req]
distinguished_name = req_distinguished_name
prompt = no
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = 10.0.2.2
[req_distinguished_name]
commonName = $ENV::COMMON_NAME # CN= Random
countryName = YOUR_COUNTRY_NAME # C= US
stateOrProvinceName = YOUR_STATE_OR_PROVINCE # ST= CA
localityName = YOUR_CITY # L= San Francisco
organizationName = YOUR_ORGANIZATION # O= VEor
organizationalUnitName = YOUR_ORGANIZATIONAL_UNIT # OU= VE
I also did previously replace the YOUR_ORGANIZATION and etc. with the country codes and etc. themselves, like the following:
[req]
distinguished_name = req_distinguished_name
prompt = no
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = 10.0.2.2
[req_distinguished_name]
commonName = $ENV::COMMON_NAME # CN= Random
countryName = US # C=
stateOrProvinceName = CA # ST=
localityName = San Francisco # L=
organizationName = VEor # O=
organizationalUnitName = VE
Yet, I still get this output:
❯ ./generate.sh
Generating RSA private key, 4096 bit long modulus
...........................++
.........................................................................................................................................................................................................................................++
e is 65537 (0x10001)
error on line 14 of ssl.cnf
140736175395720:error:0E065068:configuration file routines:STR_COPY:variable has no value:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/conf/conf_def.c:573:line 14
Generating RSA private key, 2048 bit long modulus
...........+++
........+++
e is 65537 (0x10001)
error on line 14 of ssl.cnf
140736175395720:error:0E065068:configuration file routines:STR_COPY:variable has no value:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/conf/conf_def.c:573:line 14
certs/client/client.csr: No such file or directory
Error opening input file certs/client/client.crt
certs/client/client.crt: No such file or directory
Generating RSA private key, 2048 bit long modulus
......................................................................................................................................+++
....+++
e is 65537 (0x10001)
error on line 14 of ssl.cnf
140736175395720:error:0E065068:configuration file routines:STR_COPY:variable has no value:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/conf/conf_def.c:573:line 14
certs/server/node.csr: No such file or directory
Generating RSA private key, 2048 bit long modulus
....+++
...................................+++
e is 65537 (0x10001)
error on line 14 of ssl.cnf
140736175395720:error:0E065068:configuration file routines:STR_COPY:variable has no value:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/conf/conf_def.c:573:line 14
error on line 14 of config file 'ssl.cnf'
Error opening input file certs/server/jetty.crt
certs/server/jetty.crt: No such file or directory
cp: certs/ca/ca.crt: No such file or directory
Error opening Certificate certs/ca/ca.crt
140736175395720:error:02001002:system library:fopen:No such file or directory:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/bio/bss_file.c:255:fopen('certs/ca/ca.crt', 'r')
140736175395720:error:20074002:BIO routines:FILE_CTRL:system lib:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/bio/bss_file.c:257:
unable to load certificate
cp: certs/ca/ca.der: No such file or directory
What should I do differently to ensure it works?
Please modify your openssl directory in generate.sh:
->/usr/local/opt/openssl/bin/openssl
https://github.com/alexa/alexa-avs-sample-app/issues/1004
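
Both this question and the crl.cnf question at the top of the page come down to how OpenSSL's configuration parser treats the right-hand side of a key = value line, so here is a small Python model of that rule, written for this page (it is neither poster's code and not OpenSSL's). The facts it encodes: only $name, ${name}, $section::name and $ENV::NAME are variable references, resolved against the current section, then the unnamed default section, or the process environment; an unresolvable reference is rejected with "variable has no value" and a line number, which is exactly what the generate.sh output above prints, and the only $ reference in the posted ssl.cnf is $ENV::COMMON_NAME. Tokens without a $, such as _CA_dir_ and _index_fname_ in crl.cnf, are plain strings that a wrapper script (sed, a Makefile) is expected to substitute before the file is used, and ca_default is a built-in keyword selecting the subject and certificate print options, the same set as -nameopt ca_default. The sample configs embedded below are constructed from the two files quoted on this page, and the parser deliberately ignores .include, quoting and backslash escapes.

```python
import os
import re


class ConfError(ValueError):
    """Raised where OpenSSL's parser would report 'variable has no value'."""


# $name, ${name}, $sect::name, ${sect::name}. Names are alphanumerics and '_';
# an optional '::' separates a section (or ENV) from the variable name.
_REF = re.compile(
    r"\$(?:\{(?P<braced>[^}]+)\}|(?P<plain>[A-Za-z0-9_]+(?:::[A-Za-z0-9_]+)?))"
)


def parse_openssl_conf(text, env=None):
    """Parse the [section] / key = value format, expanding $references the
    way OpenSSL does: when the line is read, against values already defined.
    Returns {section: {key: value}}; the unnamed area before the first
    [section] header is the 'default' section."""
    env = os.environ if env is None else env
    conf = {"default": {}}
    section = "default"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment, inline too
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]\s]+)\s*\]", line)
        if header:
            section = header.group(1)
            conf.setdefault(section, {})
            continue
        if "=" not in line:
            raise ConfError(f"error on line {lineno}: missing '='")
        key, value = (part.strip() for part in line.split("=", 1))
        conf[section][key] = _expand(conf, section, value, env, lineno)
    return conf


def _expand(conf, section, value, env, lineno):
    def lookup(match):
        ref = match.group("braced") or match.group("plain")
        if "::" in ref:
            sect, name = ref.split("::", 1)
            hit = env.get(name) if sect == "ENV" else conf.get(sect, {}).get(name)
        else:
            # Unqualified: current section first, then the default section.
            hit = conf[section].get(ref, conf["default"].get(ref))
        if hit is None:
            raise ConfError(
                f"error on line {lineno}: variable has no value ({match.group(0)})")
        return hit
    return _REF.sub(lookup, value)


# Constructed samples based on the two configs quoted on this page.
CRL_CNF_TEMPLATE = """\
[ ca ]
default_ca = CA_default          # The default ca section
[ CA_default ]
dir = _CA_dir_
database = _index_fname_         # database index file.
name_opt = ca_default            # Subject Name options
cert_opt = ca_default            # Certificate field options
"""

# The same file after a wrapper script substituted the placeholders, now
# using a genuine $dir reference for the index file.
CRL_CNF_FILLED = (CRL_CNF_TEMPLATE
                  .replace("_CA_dir_", "/etc/pki/demo-ca")
                  .replace("_index_fname_", "$dir/index.txt"))

REQ_CNF = """\
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
[ req_distinguished_name ]
commonName = $ENV::COMMON_NAME   # CN must come from the environment
countryName = US
"""


def resolve(text, env):
    """Return (conf, None) on success or (None, error message) on failure."""
    try:
        return parse_openssl_conf(text, env), None
    except ConfError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print(resolve(CRL_CNF_TEMPLATE, {})[0]["CA_default"])   # placeholders survive literally
    print(resolve(CRL_CNF_FILLED, {})[0]["CA_default"])     # $dir expanded
    print(resolve(REQ_CNF, {})[1])                          # COMMON_NAME unset -> error
    print(resolve(REQ_CNF, {"COMMON_NAME": "dev.local"})[0]["req_distinguished_name"])
```

Note that @alt_names passes through untouched: @ is not a reference to the config parser, it is interpreted later by the X.509v3 extension code as "the section of that name". The practical check for the error above is therefore whether COMMON_NAME is exported in the shell that runs generate.sh (or set inline, COMMON_NAME=... ./generate.sh); the parser fails on the line before any key is even generated, which is why the later steps then complain about missing .csr and .crt files.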

Running buildbot behind cherokee reverse proxy

I am attempting to run my buildbot master server behind a cherokee reverse proxy, with the buildbot instance as cherokee's information source in a round-robin reverse proxy layout.
This is the buildbot master.cfg configuration file:
# -*- python -*-
# ex: set syntax=python:
# This is a sample buildmaster config file. It must be installed as
# 'master.cfg' in your buildmaster's base directory.
# This is the dictionary that the buildmaster pays attention to. We also use
# a shorter alias to save typing.
c = BuildmasterConfig = {}
####### BUILDSLAVES
# The 'slaves' list defines the set of recognized buildslaves. Each element is
# a BuildSlave object, specifying a unique slave name and password. The same
# slave name and password must be configured on the slave.
from buildbot.buildslave import BuildSlave
c['slaves'] = [BuildSlave("example-slave", "pass")]
# 'slavePortnum' defines the TCP port to listen on for connections from slaves.
# This must match the value configured into the buildslaves (with their
# --master option)
c['slavePortnum'] = 9989
####### CHANGESOURCES
# the 'change_source' setting tells the buildmaster how it should find out
# about source code changes. Here we point to the buildbot clone of pyflakes.
from buildbot.changes.gitpoller import GitPoller
c['change_source'] = []
c['change_source'].append(GitPoller(
    'git://github.com/buildbot/pyflakes.git',
    workdir='gitpoller-workdir', branch='master',
    pollinterval=300))
####### SCHEDULERS
# Configure the Schedulers, which decide how to react to incoming changes. In this
# case, just kick off a 'runtests' build
from buildbot.schedulers.basic import SingleBranchScheduler
from buildbot.schedulers.forcesched import ForceScheduler
from buildbot.changes import filter
c['schedulers'] = []
c['schedulers'].append(SingleBranchScheduler(
    name="all",
    change_filter=filter.ChangeFilter(branch='master'),
    treeStableTimer=None,
    builderNames=["runtests"]))
c['schedulers'].append(ForceScheduler(
    name="force",
    builderNames=["runtests"]))
####### BUILDERS
# The 'builders' list defines the Builders, which tell Buildbot how to perform a build:
# what steps, and which slaves can execute them. Note that any particular build will
# only take place on one slave.
from buildbot.process.factory import BuildFactory
from buildbot.steps.source import Git
from buildbot.steps.shell import ShellCommand
factory = BuildFactory()
# check out the source
factory.addStep(Git(repourl='git://github.com/buildbot/pyflakes.git', mode='copy'))
# run the tests (note that this will require that 'trial' is installed)
factory.addStep(ShellCommand(command=["trial", "pyflakes"]))
from buildbot.config import BuilderConfig
c['builders'] = []
c['builders'].append(
    BuilderConfig(name="runtests",
                  slavenames=["example-slave"],
                  factory=factory))
####### STATUS TARGETS
# 'status' is a list of Status Targets. The results of each build will be
# pushed to these targets. buildbot/status/*.py has a variety to choose from,
# including web pages, email senders, and IRC bots.
c['status'] = []
from buildbot.status import html
from buildbot.status.web import authz, auth
authz_cfg = authz.Authz(
    # change any of these to True to enable; see the manual for more
    # options
    auth=auth.BasicAuth([("pyflakes", "pyflakes")]),
    gracefulShutdown=False,
    forceBuild='auth',  # use this to test your slave once it is set up
    forceAllBuilds=False,
    pingBuilder=False,
    stopBuild=False,
    stopAllBuilds=False,
    cancelPendingBuild=False,
)
c['status'].append(html.WebStatus(http_port=8010, authz=authz_cfg))
####### PROJECT IDENTITY
# the 'title' string will appear at the top of this buildbot
# installation's html.WebStatus home page (linked to the
# 'titleURL') and is embedded in the title of the waterfall HTML page.
c['title'] = "Pyflakes"
c['titleURL'] = "http://divmod.org/trac/wiki/DivmodPyflakes"
# the 'buildbotURL' string should point to the location where the buildbot's
# internal web server (usually the html.WebStatus page) is visible. This
# typically uses the port number set in the Waterfall 'status' entry, but
# with an externally-visible host name which the buildbot cannot figure out
# without some help.
c['buildbotURL'] = "http://localhost:8010/"
####### DB URL
c['db'] = {
    # This specifies what database buildbot uses to store its state. You can leave
    # this at its default for all but the largest installations.
    'db_url': "sqlite:///state.sqlite",
}
And this is the cherokee configuration:
Unfortunately, I get 502 Bad Gateway when I go to my web URL, but on the other hand I know that my buildbot master server instance is working correctly, because going to the same web URL with :8010 appended gives me the "Welcome to the Buildbot ..." page.
Is your proxy on the same machine as the buildbot? If not, you will need to adjust the URL in cherokee, to point to the machine running buildbot (localhost points to the machine cherokee is running on).
In any case, c['buildbotURL'] should be changed to point to the public URL that the buildbot is available under (i.e. what cherokee exposes, rather than the URL being proxied).

openssl: invalid type in 'policy' configuration

I want to have a self-signed SSL certificate for my local development server. I was following the guide on https://help.ubuntu.com/community/OpenSSL, and at the last step, where you sign the certificate by issuing the following command:
openssl ca -in tempreq.pem -out server_crt.pem
I get the following error (last line):
Using configuration from /home/user_name/.ssl/caconfig.cnf
Enter pass phrase for /home/user_name/.ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'localhost'
stateOrProvinceName :PRINTABLE:'AA'
countryName :PRINTABLE:'ET'
emailAddress :IA5STRING:'user#example.com'
organizationName :PRINTABLE:'Example Inc'
organizationalUnitName:PRINTABLE:'Development'
localhost:invalid type in 'policy' configuration
What can I do to solve it? Just to serve as background, I don't have a domain name for my server, so I just used localhost as the commonName. Is that the problem?
Thanks for your help.
Copy the policy from /etc/ssl/openssl.cnf to your configuration file.
Rebuild all the files from the beginning.
The policy section is like following:
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
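
The error text in the question names the offending value: for each line of the policy section, openssl ca accepts only match, supplied or optional, and anything else is echoed back as <value>:invalid type in 'policy' configuration. "localhost:invalid type ..." therefore means some policy entry has localhost on its right-hand side (for example commonName = localhost instead of commonName = supplied); using localhost as the CN of the request itself is fine. The policy = policy_match line belongs in the [ CA_default ] section (the one default_ca points at) and names the [ policy_match ] section shown above. The Python below is an added model of that policy loop, written for this page and not OpenSSL's code; it uses the request subject printed in the question, a constructed CA subject, and treats every RDN as single-valued. It also shows a side effect worth knowing: request fields the policy does not mention are dropped from the issued certificate, and match fields must equal the CA certificate's own subject.

```python
# Object types the model accepts in a policy section; anything else gets
# "unknown object type". Only a subset of the real OID table is listed.
KNOWN_FIELDS = {
    "countryName", "stateOrProvinceName", "localityName", "organizationName",
    "organizationalUnitName", "commonName", "emailAddress",
}

POLICY_TYPES = ("match", "supplied", "optional")


def apply_ca_policy(policy, ca_subject, req_subject):
    """Model of the policy loop in openssl's apps/ca.c.

    policy      : dict field -> 'match' | 'supplied' | 'optional' (ordered)
    ca_subject  : dict field -> value, from the CA certificate
    req_subject : dict field -> value, from the CSR
    Returns (ok, message, issued_subject). The issued subject is built only
    from fields named in the policy; CSR attributes the policy does not
    mention are silently left out.
    """
    issued = []
    for field, ptype in policy.items():
        if field not in KNOWN_FIELDS:
            return False, f"{field}:unknown object type in 'policy' configuration", issued
        req_val = req_subject.get(field)
        if ptype == "optional":
            if req_val is not None:
                issued.append((field, req_val))
        elif ptype == "supplied":
            if req_val is None:
                return False, f"The {field} field needed to be supplied and was missing", issued
            issued.append((field, req_val))
        elif ptype == "match":
            if req_val is None:
                return False, f"The mandatory {field} field was missing", issued
            if field not in ca_subject:
                return False, (f"The {field} field does not exist in the CA certificate, "
                               "the 'policy' is misconfigured"), issued
            ca_val = ca_subject[field]
            if ca_val != req_val:
                return False, (f"The {field} field is different between CA certificate "
                               f"({ca_val}) and the request ({req_val})"), issued
            issued.append((field, ca_val))
        else:
            # The branch behind the error in the question: the right-hand
            # side of the policy entry is echoed back verbatim.
            return False, f"{ptype}:invalid type in 'policy' configuration", issued
    return True, "subject accepted", issued


# Constructed CA subject; the request subject is the one printed in the
# question, plus a localityName to show that unlisted fields are dropped.
CA_SUBJECT = {
    "countryName": "ET", "stateOrProvinceName": "AA", "organizationName": "Example Inc",
}
REQUEST_SUBJECT = {
    "commonName": "localhost", "stateOrProvinceName": "AA", "countryName": "ET",
    "emailAddress": "user@example.com", "organizationName": "Example Inc",
    "organizationalUnitName": "Development", "localityName": "Addis Ababa",
}
# The section the answer tells you to copy from /etc/ssl/openssl.cnf.
POLICY_MATCH = {
    "countryName": "match", "stateOrProvinceName": "match", "organizationName": "match",
    "organizationalUnitName": "optional", "commonName": "supplied", "emailAddress": "optional",
}
# A policy section mistakenly written with values instead of policy types.
POLICY_BROKEN = {"countryName": "match", "commonName": "localhost"}

if __name__ == "__main__":
    for label, pol in (("policy_match", POLICY_MATCH), ("broken", POLICY_BROKEN)):
        ok, msg, issued = apply_ca_policy(pol, CA_SUBJECT, REQUEST_SUBJECT)
        print(f"{label}: {msg}; issued subject = {issued}")
```

Two consequences follow for the question's setup: the CA certificate's C, ST and O must be exactly the values the request carries, or policy_match rejects the request with a "different between" message, and a development CA that signs requests from many organisations is usually better served by policy = policy_anything, the second section in the answer, which only demands a commonName.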