I have a simple Python Kafka producer, and I'm trying to access the Strimzi Kafka cluster on GKE, but I'm getting the following error:
cimpl.KafkaException: KafkaError{code=_INVALID_ARG,val=-186,str="Failed to create producer: ssl.key.location failed: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch"}
Here is the Kafka producer code:
from confluent_kafka import Producer

kafkaBrokers = '<host>:<port>'
caRootLocation = '/Users/karanalang/Documents/Technology/strimzi/gcp_certs_nov28/pem-user2/cacerts.pem'
certLocation = '/Users/karanalang/Documents/Technology/strimzi/gcp_certs_nov28/pem-user2/cert.pem'
keyLocation = '/Users/karanalang/Documents/Technology/strimzi/gcp_certs_nov28/pem-user2/key.pem'
password = '<password>'

# librdkafka SSL client configuration: CA bundle, client cert and client key
conf = {'bootstrap.servers': kafkaBrokers,
        'security.protocol': 'SSL',
        'ssl.ca.location': caRootLocation,
        'ssl.certificate.location': certLocation,
        'ssl.key.location': keyLocation,
        'ssl.key.password': password
        }

topic = 'my-topic1'
producer = Producer(conf)

for n in range(100):
    producer.produce(topic, key=str(n), value="val -> " + str(n))
producer.flush()
To get the PEM files (from the secrets, which hold PKCS#12 files), here are the commands used:
kubectl get secret my-cluster-lb-ssl-certs-cluster-ca-cert -n kafka -o jsonpath='{.data.ca\.p12}' | base64 -d > ca.p12
kubectl get secret my-cluster-lb-ssl-certs-cluster-ca-cert -n kafka -o jsonpath='{.data.ca\.password}' | base64 -d > ca.password
kubectl get secret my-bridge1 -n kafka -o jsonpath='{.data.user\.p12}' | base64 -d > user2.p12
kubectl get secret my-bridge1 -n kafka -o jsonpath='{.data.user\.password}' | base64 -d > user2.password
# to get the user private key, i.e. key.pem
openssl pkcs12 -in user2.p12 -nodes -nocerts -out key.pem -passin pass:<passwd>
# CARoot - extract cacerts.cer
openssl pkcs12 -in ca.p12 -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacerts.cer
# convert to pem format
openssl x509 -in cacerts.cer -out cacerts.pem
# get the ca.crt from the secret
kubectl get secret my-cluster-lb-ssl-certs-cluster-ca-cert -n kafka -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
# convert to pem
openssl x509 -in ca.crt -out cert.pem
Any ideas how to fix this issue?
Please note:
I'm able to access the Kafka cluster using the command-line Kafka producer/consumer over SSL.
This is fixed; please see below the configuration that is expected:
'ssl.ca.location' -> CARoot (certifying authority, used to sign all the user certs)
'ssl.certificate.location' -> User Cert (used by Kubernetes to authenticate to API server)
'ssl.key.location' -> User private key
The above error was due to an incorrect user cert being used; it should match the user private key.
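A pre-flight check for exactly this failure, written as an added example (not code from the original question or answer): it compares the public key inside the certificate with the public key derived from the private key, which is the condition librdkafka reports as "key values mismatch". It assumes the openssl CLI is on PATH; file names and the optional passphrase are caller-supplied parameters, not the poster's paths.

```shell
#!/bin/sh
# Added example: verify that a PEM client certificate and PEM private key
# belong together before handing them to a Kafka/librdkafka client.
# Assumes the openssl CLI is available; all paths are parameters.

# Print a SHA-256 fingerprint of the certificate's SubjectPublicKeyInfo.
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print the same fingerprint, derived from the private key instead.
# $2 is an optional passphrase (the value you would put in ssl.key.password).
key_pubkey_fp() {
  key="$1"; pass="$2"
  if [ -n "$pass" ]; then
    openssl pkey -in "$key" -passin "pass:$pass" -pubout -outform DER
  else
    openssl pkey -in "$key" -pubout -outform DER
  fi | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_cert_key_match CERT KEY [PASSPHRASE]
# Returns 0 when the certificate and key share one public key, 1 otherwise
# (including when either file cannot be parsed).
check_cert_key_match() {
  c=$(cert_pubkey_fp "$1") || return 1
  k=$(key_pubkey_fp "$2" "$3") || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Convenience wrapper that explains the outcome on stderr.
explain_cert_key() {
  if check_cert_key_match "$1" "$2" "$3"; then
    echo "OK: $1 matches $2" >&2
  else
    echo "MISMATCH: $1 was not issued for the key in $2" >&2
    return 1
  fi
}
```

Running this against cacerts.pem, cert.pem and key.pem from the question would flag cert.pem as a mismatch, because that file was produced from the cluster CA certificate rather than from the user's own certificate.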
I want to convert the following curl command into a Karate script:
curl --cacert ca.crt --key client.key --cert client.crt "https://myurl"
All three SSL parts are required, i.e. client cert, client key AND server cert.
Is this possible in Karate?
To resolve this, I converted ca.crt, client.key and client.crt into a .pfx file using this command:
openssl pkcs12 -export -out certificate.pfx -inkey client.key -in client.crt -certfile CA.crt
This created a file called certificate.pfx.
I then added this line to karate-config.js:
karate.configure('ssl', { trustAll: true });
I copied my new certificate.pfx file into this location:
src\test\resources\sslCertificates\certificate.pfx
I added the following line to the Background section of my feature file:
* configure ssl = { keyStore: 'classpath:sslCertificates/certificate.pfx', keyStorePassword: '', keyStoreType: 'pkcs12' }
I then received a successful response for my request.
I am learning OAuth2 and OpenID Connect and configuring multiple Tomcat servers (a client for the UI, and multiple resource servers for the APIs) to use SSL. So I have created a PKCS12 keystore with a self-signed certificate + private key in the following way and then pushed it under my 1st Tomcat:
(I know that the commands below can be simplified and combined into one (or two), but I deliberately keep them separate because that way I can see and understand the steps better.)
(1) The key pair was created with openssl this way:
openssl genrsa \
-des3 \
-passout pass:$phrase \
-out id_rsa_$domain.key $numbits
(2) Then I created a Certificate Signing Request with this command:
openssl req \
-new \
-key id_rsa_$domain.key \
-passin pass:$phrase \
-subj "$subj" \
-out $domain.csr
(3) After that I created an x509 certificate:
openssl x509 \
-req \
-days $days \
-in $domain.csr \
-signkey id_rsa_$domain.key \
-passin pass:$phrase \
-out $domain.crt
(4) Finally I created a key store in PKCS12 format:
pem=$domain.pem
cat id_rsa_$domain.key > $pem
cat $domain.crt >> $pem
openssl pkcs12 \
-export \
-in $pem \
-passin pass:$phrase \
-password pass:$keystore_pwd \
-name $domain \
-out example.com.pkcs12
rm $pem
At the end of this process I have the following files:
id_rsa_authserver.example.com.key: the private (and public) key
authserver.example.com.crt: the self signed certificate
example.com.pkcs12: the keystore
Inside the .pkcs12 file I have only one key-pair entry, under the authserver.example.com alias. I have checked the result with KeyStore Explorer as well, everything looks fine, and the 1st Tomcat works properly with that keystore.
Then I repeated steps (1), (2) and (3) and generated new files for the order.example.com host machine; at the end I have two new files:
id_rsa_order.example.com.key
order.example.com.crt
Now I would like to add this new key pair + certificate to my "root" example.com.pkcs12 keystore under the order.example.com alias, so that I keep all the certs I use for my demo in one keystore. I can do it easily with the KeyStore Explorer tool via Tools > Import Key Pair > OpenSSL > browse to the private key and cert files, but this is not good enough for me. I would like to do the import via the command line using OpenSSL.
Unfortunately I have not found the proper openssl command that I can use to ADD my 2nd key + cert to the existing keystore.
What is the command that I can use?
This is the certificate https://gist.github.com/larytet/2fb447e875831577584592cd99980fd1 (x5t VjWIUjS5JS3eAFdm2dnydlZfY-I)
I am doing:
openssl verify -verbose -x509_strict certificate.pem
I am getting:
CN = estsclient.coreauth.outlook.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error certificate.pem: verification failed
Where do I find the certificate, the whole chain or the root which should be installed in my system?
You need to provide the CA certificate, and most real CAs will list locations where their certificate can be found in an extension of each certificate they issue.
With OpenSSL, you can view this extension:
openssl x509 -text -noout < certificate.pem
Look for the "Authority Information Access" extension and its "CA Issuers" field to find the URL, then download the certificate from Microsoft.
Because this file is encoded with DER, it needs to be transcoded to PEM for use with openssl verify:
openssl x509 -inform der < Microsoft\ IT\ TLS\ CA\ 2.crt > Microsoft\ IT\ TLS\ CA\ 2.pem
Because you just downloaded this file from who knows where over HTTP, you need some way to verify its authenticity.
You'll notice that it too lists an issuer, so you can perform this process recursively to obtain the entire certificate chain back to a root certificate that you already trust. Usually, we trust the certificates that come pre-installed on our systems. But, in theory, an attacker could have compromised that set, so people sometimes do find out-of-band means to verify their root CA certificates. What's appropriate for you depends on your application.
The chain of certificates that you download on your way to the trust anchor are "intermediate" certificates; you don't have to trust them directly, because you'll be verifying a chain starting with one of the anchors on your system.
Concatenate the PEM-encoded certificates, including headers and footers, together in a single file of untrusted certificates. In my case, the "Baltimore CyberTrust Root" certificate that issued the "Microsoft IT TLS CA 2" intermediate certificate is pre-installed as a root CA on my system, so I only have to download the Microsoft certificate, and it's the only one in my file of "untrusted" certificates.
Now you have the necessary information to attempt your original command:
openssl verify -verbose -untrusted Microsoft\ IT\ TLS\ CA\ 2.pem -x509_strict certificate.pem
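The manual procedure above (read the CA Issuers URL, normalise the downloaded issuer to PEM, verify the leaf with the intermediates as untrusted input) as a few shell helpers, added here as an example and not part of the original answer. It assumes the openssl CLI is on PATH; file names are caller-supplied, and no downloading is done by the helpers themselves. Calling verify_chain without the intermediate reproduces the "error 20 ... unable to get local issuer certificate" from the question.

```shell
#!/bin/sh
# Added example: helpers for building and checking a certificate chain
# by hand. Assumes the openssl CLI; every path is a parameter.

# Print the first "CA Issuers" URI from the Authority Information Access
# extension of a PEM certificate (prints nothing if the extension is absent).
aia_ca_issuers_url() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *CA Issuers - URI:\(.*\)$/\1/p' | head -n 1
}

# Write certificate $1 to $2 as PEM, whether $1 is DER (as most CA Issuers
# downloads are) or already PEM.
to_pem() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    openssl x509 -in "$1" -inform PEM -out "$2"
  else
    openssl x509 -in "$1" -inform DER -out "$2"
  fi
}

# verify_chain LEAF ROOTS UNTRUSTED
# ROOTS holds the trust anchor(s); UNTRUSTED holds the intermediates
# collected from the AIA chain. Returns 0 only when a path from LEAF to a
# trusted anchor can be built.
verify_chain() {
  openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}
```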
In case anyone finds this question, I ended up with something like this plus a lot of comments:
RUN curl --silent https://outlook.com/autodiscover/metadata/json/1 > ./outlook.com.autodiscover.metadata.json.1
RUN pem_file=certificate.pem \
&& echo "-----BEGIN CERTIFICATE-----" > $pem_file \
&& cat ./outlook.com.autodiscover.metadata.json.1 | jq --raw-output '.keys[0].keyvalue.value' >> $pem_file \
&& echo "-----END CERTIFICATE-----" >> $pem_file \
&& cat $pem_file \
&& openssl x509 -text -noout < $pem_file | grep "CA Issuers" \
&& curl https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem > rootCA.pem \
&& curl http://www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%202.crt | openssl x509 -inform der >> rootCA.pem \
&& curl https://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt | openssl x509 -inform der >> rootCA.pem \
&& cat rootCA.pem \
&& cat certificate.pem
RUN pem_file=certificate.pem && openssl verify -verbose -x509_strict -untrusted rootCA.pem $pem_file
I want to create a new admin user in Kubernetes. I did all the steps for creating and authorizing the certificates, but when I want to access the API, I receive an unauthorized error.
I do these steps to create user-admin:
1/ openssl genrsa -out user.key 2048
2/ openssl req -new -key user.key -out user.csr -subj "/CN=kube-user"
3/
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: user
spec:
  request: $(cat user.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
4/ k certificate approve user
5/ k get csr user -o jsonpath='{.status.certificate}' | base64 --decode > user.crt
6/ kubectl config view -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' --raw | base64 --decode - > ca.crt
7/
curl https://$Kube-Master-Ip:6443/api/v1 \
--key user.key \
--cert user.crt \
--cacert ca.crt
8/ and this is what I've received:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unatuhorized",
  "code": 401
}
document source: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
The step 2 command is wrong. The admin user should be part of the system:masters group.
openssl req -new -key user.key -out user.csr -subj "/CN=kube-user/O=system:masters"
I have replaced mod_ssl with mod_nss for FIPS cryptography and it works great with Apache, but now we have a wildcard certificate which I want to import into the NSS database, and I don't know how to import the certificate's private key.
I am using the following command:
certutil -A -d /etc/httpd/alias/ -n "GlobalSign" -t "CT,," -a -i wildcard_domain.crt
How do I import the private key? Or is there something I am missing?
[root@web01 ~]# certutil -L -d /etc/httpd/alias

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

cacert                               CTu,Cu,Cu
Server-Cert                          u,u,u
GlobalSign-Intermediate              CT,,
GlobalSign                           CTu,u,u
alpha                                u,pu,u
Solution:
Convert the .crt files to PEM format.
Create PEM files from the original certificates:
openssl x509 -inform PEM -in ./ssl.crt/example.com.GlobalSign-2010.crt > /root/example.com.GlobalSign-2010.pem
openssl x509 -inform PEM -in ./ssl.crt/intermediate.GlobalSign.crt > /root/intermediate.GlobalSign.crt.pem
Concatenate the PEM certificates into a single file (root crt and chain crt):
cat /root/example.com.GlobalSign-2010.pem /root/intermediate.GlobalSign.crt.pem > /root/example.com-GlogalSign-2010.pem
Export the PEM cert and private key in PKCS12 format:
openssl pkcs12 -export -in example.com-GlogalSign-2010.pem -inkey ./ssl.key/example.com.GlobalSign.key -out /root/example.com-Globalsign.p12 -name Example-GlobalSign
Import the PKCS12 (.p12) certificate into the NSS DB:
pk12util -i /root/example.com-Globalsign.p12 -d /etc/httpd/alias
You can verify your certificate using the following command:
certutil -L -d /etc/httpd/alias -n Example-GlobalSign
Notes: put the Example-GlobalSign nickname in the nss.conf config file, and voilà!