SEC_ERROR_UNKNOWN_PKCS11_ERROR when trying to run curl command in rhel7 - ssl

I am trying to run the curl command below from a Red Hat Enterprise Linux 7 server:
curl -0 -v --cert-type p12 --cert /mycert.p12:<password> --cacert /my_sec_cert.cer -X GET "https://<url>"
and ended up with the error:
unable to load client cert: -8018 (SEC_ERROR_UNKNOWN_PKCS11_ERROR)
NSS error -8018 (SEC_ERROR_UNKNOWN_PKCS11_ERROR)
When I use a PEM certificate with the private key for the same curl command, it works fine for me.
Can anyone suggest how to use a P12 file with RHEL 7 here? Thanks

How to create Ravendb database using CURL Command

I have resolved this issue. My learnings so far...
The curl command accepts a thumbprint on the command line instead of certificate files. We need to specify the thumbprint using the certificate store path. To get the certificate store and thumbprint, run the following commands in PowerShell:
cd Cert:\LocalMachine\My\
Get-ChildItem -Path Cert:\LocalMachine\My\ (to get the certificate thumbprint)
PS Cert:\LocalMachine> curl.exe -X PUT -H "Content-Type: application/json" -d '{"DatabaseName": "DB_Name"}' --cert "LocalMachine\My\xxxxxx" --key "D:\RavenDB\certificates\xxx.key" https://xxx:000/admin/databases
This is the command that finally worked to create a database in RavenDB using the curl command.
Thanks
Kannadasan

Redis 6 with TLS

I am trying to get Redis 6 (compiled with TLS enabled; the tests after compilation were successful) to work. I am using a Let's Encrypt certificate and the following configuration:
tls-port 63790
tls-cert-file /etc/letsencrypt/live/myserver.net/cert.pem
tls-key-file /etc/letsencrypt/live/myserver.net/privkey.pem
tls-ca-cert-dir /etc/letsencrypt/live/myserver.net/
tls-auth-clients no
tls-protocols "TLSv1.2 TLSv1.3"
and this client command from localhost:
redis-cli --tls --cert /etc/letsencrypt/live/myserver.net/cert.pem --key /etc/letsencrypt/live/myserver.net/privkey.pem --cacert /etc/letsencrypt/live/myserver.net/fullchain.pem -h myserver.net -p 63790 -a password
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
Could not connect to Redis at myserver.net:63790: SSL_connect failed: certificate verify failed
This is the output from the Redis log:
Error accepting a client connection: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
When I use the openssl client with the same certificates, I am able to connect and get a ping reply from the Redis server.
It makes no difference if I change
tls-ca-cert-dir /etc/letsencrypt/live/myserver.net/
to
tls-ca-cert
on the server side, or
--cacert /etc/letsencrypt/live/myserver.net/fullchain.pem to chain.pem on the client side.
I tried all variants of
tls-protocols ""
and changed
tls-auth-clients no
to
tls-auth-clients optional
but I am still stuck with the same error.
OpenSSL version is 1.1.1
Redis version is 6.0.8
OS: Ubuntu 20.04
Can you help me find out why TLS is not working, please?
Thank you
Wil
Ahh, SOLVED!
I was using the wrong CA chain. I had to concatenate the root and intermediate certs downloaded from the LE website into a new file. It may come in handy for someone with the same problem.

Accessing Kubelet API Microk8s

I want to ask how to access the Kubelet API from a microk8s cluster.
I looked at this URL and it says that the Kubelet API requires a client certificate.
So I called this (from /var/snap/microk8s/current/certs):
curl -v https://127.0.0.1:10250 --cert ca.crt --cert-type PEM --cacert ca.crt --key ca.key
But I got an error saying:
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
How do I fix this issue? Also, what is the difference between kubelet.crt, server.crt, and ca.crt in microk8s?
Thank you!
Try this:
curl --verbose \
--cert ./server.crt \
--key ./server.key \
--insecure \
https://127.0.0.1:10250/healthz
The CA cert in the certs directory is not the signer of the cert that :10250 presents to the user. I don't know where the CA cert being presented comes from; it looks like it's rotated, as the issuer is CN=<servername>-ca#1567568834 (hence the --insecure).
The kube-apiserver command line will include the exact path to the kubelet client certs (or they could also be stored in a config file in the new k8s world):
--kubelet-client-certificate
--kubelet-client-key
$ pgrep -a kube-apiserver | perl -pe 's/ --/\n --/g'
22071 /snap/microk8s/1247/kube-apiserver
--cert-dir=/var/snap/microk8s/1247/certs
--service-cluster-ip-range=10.22.189.0/24
--authorization-mode=RBAC,Node
--basic-auth-file=/var/snap/microk8s/1247/credentials/basic_auth.csv
--service-account-key-file=/var/snap/microk8s/1247/certs/serviceaccount.key
--client-ca-file=/var/snap/microk8s/1247/certs/ca.crt
--tls-cert-file=/var/snap/microk8s/1247/certs/server.crt
--tls-private-key-file=/var/snap/microk8s/1247/certs/server.key
--kubelet-client-certificate=/var/snap/microk8s/1247/certs/server.crt
--kubelet-client-key=/var/snap/microk8s/1247/certs/server.key
--secure-port=16443
--token-auth-file=/var/snap/microk8s/1247/credentials/known_tokens.csv
--token-auth-file=/var/snap/microk8s/1247/credentials/known_tokens.csv
--etcd-servers=https://127.0.0.1:12379
--etcd-cafile=/var/snap/microk8s/1247/certs/ca.crt
--etcd-certfile=/var/snap/microk8s/1247/certs/server.crt
--etcd-keyfile=/var/snap/microk8s/1247/certs/server.key
--requestheader-client-ca-file=/var/snap/microk8s/1247/certs/front-proxy-ca.crt
--requestheader-allowed-names=front-proxy-client
--requestheader-extra-headers-prefix=X-Remote-Extra-
--requestheader-group-headers=X-Remote-Group
--requestheader-username-headers=X-Remote-User
--proxy-client-cert-file=/var/snap/microk8s/1247/certs/front-proxy-client.crt
--proxy-client-key-file=/var/snap/microk8s/1247/certs/front-proxy-client.key

gitlab runner - x509: certificate signed by unknown authority

Well, I am trying to run gitlab-runner on my PC, which should connect to our GitLab on the server.
I am getting:
ERROR: Registering runner... failed runner=XXXXXX status=couldn't execute POST against https://XXXXXXXXXX/api/v4/runners: Post https://XXXXXXXXXX/api/v4/runners: x509: certificate signed by unknown authority
PANIC: Failed to register this runner. Perhaps you are having network problems
I went through different pieces of advice, but nothing really changed.
My current setup is a self-signed certificate generated by
wget "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt" -O "/Users/admin/gitlab-runner-certs/fs-tul-letsencrypt.pem"
(I also tried https://futurestud.io/tutorials/how-to-run-gitlab-with-self-signed-ssl-certificate),
and a script for gitlab-runner registration:
#!/usr/bin/env bash
# tried also without sudo
sudo gitlab-runner register \
--non-interactive \
--registration-token OUR_GITLAB_TOKEN \
--url OUR_GITLAB_HOST_URL \
--tls-ca-file /Users/admin/gitlab-runner-certs/fs-tul-letsencrypt.pem \
--executor docker
And I am still getting that error. Any idea?
I also did not change anything on the server side. Shouldn't I do something there? (I did not find any mention of it, but I'm still asking.)
PS: gitlab-runner x509: certificate signed by unknown authority did not fix my problem
There was a problem on the server side where GitLab was running.
There was a wrong path to the full-chain certificate.
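The Redis thread above was solved by concatenating root and intermediate certs into one CA file, and the gitlab-runner thread by fixing the full-chain path on the server. The script below is an added example (not code from any post on this page) that reproduces both situations offline: it builds a throwaway root -> intermediate -> server PKI with openssl and then runs the same chain check a TLS client performs against each kind of "CA file" the posters tried. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; the subjects, file names and `myserver.net` are made up for the example.

```shell
#!/bin/sh
# Added example, not code from any post on this page: build a throwaway
# root -> intermediate -> server PKI and run the chain check a TLS client
# performs against each "CA file" the Redis and gitlab-runner posters tried.
# Assumes `openssl` (1.1.1 or 3.x) on PATH; subjects and myserver.net are made up.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal config so the run does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\n' > openssl.cnf
export OPENSSL_CONF="$WORK/openssl.cnf"

# newcert SUBJECT EXTFILE NAME [ISSUER_CRT ISSUER_KEY]
# EC key + CSR for SUBJECT, signed by ISSUER (self-signed when no issuer is given).
newcert() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$1" -keyout "$3.key" -out "$3.csr" 2>/dev/null
  if [ $# -gt 3 ]; then
    openssl x509 -req -in "$3.csr" -CA "$4" -CAkey "$5" -CAcreateserial \
      -days 2 -sha256 -extfile "$2" -out "$3.crt" 2>/dev/null
  else
    openssl x509 -req -in "$3.csr" -signkey "$3.key" \
      -days 2 -sha256 -extfile "$2" -out "$3.crt" 2>/dev/null
  fi
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:myserver.net\n' > leaf.ext

newcert "Constructed Test Root" ca.ext root                     # trust anchor
newcert "Constructed Test Intermediate" ca.ext int root.crt root.key
newcert "myserver.net" leaf.ext server int.crt int.key          # the server's own cert

# The candidate CA files from the posts, in miniature (all constructed here).
cp server.crt leaf_as_ca.pem            # tls-ca-cert pointed at cert.pem: a leaf is not a trust anchor
cp int.crt    int_only.pem              # chain.pem alone: the intermediate is not self-signed either
cat root.crt int.crt > ca_chain.pem     # root + intermediate in one file: what the Redis fix did
cat server.crt int.crt > fullchain.pem  # leaf first, then intermediate: what the server should SEND

# verify_against CA_FILE LEAF [SENT...]
# Exit 0 when LEAF chains to a self-signed anchor in CA_FILE. SENT files play the
# role of the intermediates a server includes in its handshake (its fullchain.pem).
verify_against() {
  ca=$1; leaf=$2; shift 2
  sent=""
  for f in "$@"; do sent="$sent -untrusted $f"; done
  # -no-CApath keeps the system trust store out of the result.
  # shellcheck disable=SC2086
  openssl verify -no-CApath -CAfile "$ca" $sent "$leaf" >/dev/null 2>&1
}

report() {
  if verify_against "$@"; then echo "OK   : CA=$1 server sent=${3:-nothing extra}"
  else                        echo "FAIL : CA=$1 server sent=${3:-nothing extra}"; fi
}

report leaf_as_ca.pem server.crt            # FAIL: the leaf cannot vouch for itself
report int_only.pem   server.crt            # FAIL: OpenSSL wants a self-signed anchor
report root.crt       server.crt            # FAIL: root trusted, but no intermediate came from the server
report root.crt       server.crt int.crt    # OK: root trusted, intermediate supplied in the handshake
report ca_chain.pem   server.crt            # OK: both in the CA file, so it works even without fullchain
```

The two OK lines are the two ways out of `certificate verify failed`: either the server sends its full chain (leaf followed by intermediate, the `fullchain.pem` Let's Encrypt already writes), or the client's CA file carries the intermediate alongside the root. Note that the `int_only.pem` failure is OpenSSL behaviour (it does not accept a non-self-signed certificate as an anchor unless partial-chain verification is enabled), whereas Go's crypto/x509, which gitlab-runner uses, accepts any certificate in its root pool as an anchor; what both agree on is that a leaf presented without its issuer, with only the root on the client side, does not verify.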

curl command works but C program fails NSS: client certificate not found (nickname not specified)

There are a number of similar posts, but I am trying to understand a little more than what those offer.
My curl command line works fine, and I am able to talk to the server and get the data I want. The command looks like:
curl -v --tlsv1.2 --cert ./service_cert.pem --key ./service_private.key "https://myserver"
But when I try to run my C program and examine the HTTP client object, I see this:
errorBuffer = "NSS: client certificate not found (nickname not specified)
Reading further, I realized I have libcurl built with NSS, which doesn't support reading a cert from a flat file (.pem).
How is the command line curl utility then able to read the PEM file?
You need to import your client certificate into an NSS database using certutil, and have your code use this database.
Reference:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil
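The first question on this page hands curl a `.p12` bundle, while this last one has a curl build that only accepts flat PEM files or an NSS database nickname. The script below is an added example (not code from any post here) that shows how the two forms relate: it packs a client key and cert into a password-protected PKCS#12, unpacks it again into the `--cert`/`--key` files an OpenSSL-backed curl reads, and checks that the unpacked key really belongs to the unpacked cert. It assumes `openssl` (1.1.1 or 3.x) on PATH; the client name, file names and password are made up for the example.

```shell
#!/bin/sh
# Added example, not code from any post on this page: round-trip a client
# identity between PKCS#12 (.p12) and the flat PEM cert/key files an
# OpenSSL-backed curl reads, then confirm the pair belongs together.
# Assumes `openssl` (1.1.1 or 3.x) on PATH; names and password are made up.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\n' > openssl.cnf
export OPENSSL_CONF="$WORK/openssl.cnf"

# Constructed client identity, self-signed only to keep the script offline;
# in practice this is the certificate your CA issued to the client.
openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -days 2 -subj "/CN=example-client" -keyout client.key -out client.crt 2>/dev/null

# pack PASSWORD KEY CERT OUT.p12 : bundle key + cert into a password-protected PKCS#12
pack() {
  openssl pkcs12 -export -inkey "$2" -in "$3" -name example-client \
    -passout "pass:$1" -out "$4" 2>/dev/null
}

# unpack PASSWORD IN.p12 OUT_CERT OUT_KEY : split a PKCS#12 into the files --cert/--key take.
# -clcerts drops any CA certs carried in the bundle; -nodes writes the key in the clear,
# so the key file is created under umask 077.
unpack() {
  openssl pkcs12 -in "$2" -passin "pass:$1" -clcerts -nokeys -out "$3" 2>/dev/null
  ( umask 077 && openssl pkcs12 -in "$2" -passin "pass:$1" -nocerts -nodes -out "$4" 2>/dev/null )
}

# key_matches_cert CERT KEY : exit 0 when KEY's public half equals the one inside CERT
key_matches_cert() {
  certpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  keypub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

pack   "example-p12-password" client.key client.crt client.p12
unpack "example-p12-password" client.p12 curl_cert.pem curl_key.pem
key_matches_cert curl_cert.pem curl_key.pem && echo "curl_cert.pem and curl_key.pem belong together"

# An OpenSSL-backed curl can now use the flat files:
#   curl --cert ./curl_cert.pem --key ./curl_key.pem https://<url>
# An NSS-backed curl wants the identity in an NSS database instead; with nss-tools
# installed that import is `pk12util -i client.p12 -d sql:$HOME/.pki/nssdb` (not run here),
# after which --cert takes the nickname rather than a file path.
```

The `key_matches_cert` check is the one worth keeping in your toolbox: when `--cert`/`--key` fail with an NSS or OpenSSL error, comparing the public key in the cert with the one derived from the private key separates "wrong file" from "wrong build or wrong backend" before you start changing curl options.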