enabling SSL for Hyperledger Fabric couchdb - ssl

I want to use CouchDB (v2.3.1) with SSL enabled, so I added the [ssl] part to the /opt/couchdb/etc/local.d/docker.ini file as shown below:
[ssl]
port = 6984
enable = true
cert_file = /etc/hyperledger/fabric/tls/server.crt
key_file = /etc/hyperledger/fabric/tls/server.key
cacert_file = /etc/hyperledger/fabric/tls/ca.crt
[daemons]
httpsd = {couch_httpd, start_link, [https]}
[admins]
Admin = ...
[couchdb]
uuid = ...
but I can't access the web UI over https. I get this error:
This site can’t provide a secure connection
"IP" uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.
These are the logs:
[error] 2020-05-17T06:52:18.046389Z nonode@nohost <0.19077.3> -------- SSL: hello: tls_handshake.erl:127:Fatal error: handshake failure - malformed_handshake_data
[error] 2020-05-17T06:52:18.046426Z nonode@nohost <0.18899.3> -------- application: mochiweb, "Accept failed error", "{error,{tls_alert,\"handshake failure\"}}"
[error] 2020-05-17T06:52:18.046508Z nonode@nohost <0.18899.3> -------- CRASH REPORT Process (<0.18899.3>) with 0 neighbors exited with reason: {error,accept_failed} at mochiweb_acceptor:init/4(line:75) <= proc_lib:init_p_do_apply/3(line:247); initial_call: {mochiweb_acceptor,init,['Argument__1','Argument__2',...]}, ancestors: [https,couch_secondary_services,couch_sup,<0.202.0>], messages: [], links: [<0.253.0>], dictionary: [], trap_exit: false, status: running, heap_size: 1598, stack_size: 27, reductions: 954
Can somebody please help me?

I found the solution and wrote a post about it:
https://medium.com/@pouyashojaei85/enabling-ssl-for-docker-couchdb-container-127388eca1a8

Related

How to reuse ssh_keypair in packer

So, I've tried to build a new image from an existing snapshot of my EC2 instance with the current key pair and I'm having this issue.
Error message:
2021/08/31 15:13:42 packer-plugin-amazon_v1.0.0_x5.0_darwin_amd64 plugin: 2021/08/31 15:13:42 [DEBUG] SSH handshake err: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
2021/08/31 15:13:42 packer-plugin-amazon_v1.0.0_x5.0_darwin_amd64 plugin: 2021/08/31 15:13:42 [DEBUG] Detected authentication error. Increasing handshake attempts
2021/08/31 15:13:42 ui error: ==> amazon-ebs.vl-template: Error waiting for SSH: Packer experienced an authentication error when trying to connect via SSH. This can happen if your username/password are wrong. You may want to double-check your credentials as part of your debugging process. original error: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
Here is my template:
source "amazon-ebs" "my-template" {
  profile                 = "${var.profile}"
  region                  = "${var.region}"
  ami_name                = "${var.ami_name}-${local.timestamp}"
  ami_virtualization_type = "hvm"
  communicator            = "ssh"
  ssh_interface           = "public_ip"
  ssh_username            = "${var.ssh_username}"
  ssh_keypair_name        = "${var.ssh_keypair_name}"
  ssh_private_key_file    = "${var.ssh_private_key_file}"
  ssh_agent_auth          = true
  ssh_timeout             = "10m"
  aws_polling {
    delay_seconds = 60
    max_attempts  = 60
  }
  ebs_optimized     = false
  instance_type     = "${var.instance_type}"
  vpc_id            = "${var.vpc_id}"
  subnet_id         = "${var.subnet_id}"
  security_group_id = "${var.security_group_id}"
  launch_block_device_mappings {
    device_name           = "/dev/sda1"
    volume_size           = "${var.root_volume_size_gb}"
    volume_type           = "${var.volume_type}"
    delete_on_termination = true
  }
  source_ami_filter {
    filters = {
      name                = "${var.filter_name}"
      root-device-type    = "ebs"
      virtualization-type = "hvm"
    }
    most_recent = true
    owners      = ["${var.owner_id}"]
  }
}
build {
  sources = ["source.amazon-ebs.my-template"]
}
My packer command:
packer build -var "ssh_private_key_file=/Users/movmac024/.ssh/mykey.pem" -var "profile=myaws" -var "region=ap-southeast-1" hcl/mytemplate.pkr.hcl
Found out that only one of ssh_private_key_file or ssh_agent_auth should be used when ssh_keypair_name is utilized.
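A check for that rule, as an added example that is not part of the original thread or of Packer itself: a small lint in Python that pulls the ssh_* assignments out of a Packer HCL source and reports when ssh_keypair_name is combined with both, or with neither, of ssh_private_key_file and ssh_agent_auth. The sample source is a constructed copy of the template above reduced to its SSH settings; the regex only understands flat key = value lines, which is all the ssh_* settings need.

```python
import re

# Constructed input: the amazon-ebs source from the template above, reduced to
# the SSH communicator settings that matter for the key pair / auth method rule.
SAMPLE_SOURCE = """
source "amazon-ebs" "my-template" {
  communicator         = "ssh"
  ssh_interface        = "public_ip"
  ssh_username         = "${var.ssh_username}"
  ssh_keypair_name     = "${var.ssh_keypair_name}"
  ssh_private_key_file = "${var.ssh_private_key_file}"
  ssh_agent_auth       = true
  ssh_timeout          = "10m"
}
"""

# Flat `key = value` assignments: quoted strings, booleans or integers.
# Nested blocks such as aws_polling { ... } are skipped, which is fine because
# every ssh_* setting is a flat assignment.
_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(".*?"|true|false|\d+)\s*$', re.MULTILINE)


def ssh_settings(hcl: str) -> dict:
    """Collect the ssh_* assignments of a Packer HCL source.

    Quoted strings lose their quotes, true/false become bool. Variable
    references like "${var.x}" are kept as text: the lint sees the template,
    not the value a variable resolves to at build time.
    """
    settings = {}
    for key, raw in _ASSIGN.findall(hcl):
        if key.startswith("ssh_"):
            settings[key] = raw == "true" if raw in ("true", "false") else raw.strip('"')
    return settings


def check_keypair_auth(settings: dict) -> list:
    """Apply the rule from the thread to one source's settings.

    With ssh_keypair_name set, Packer uses an existing EC2 key pair and needs
    exactly one way to prove possession of it: ssh_private_key_file or
    ssh_agent_auth = true. Both together fails as seen in the question;
    neither leaves Packer without any credential for the pair.
    """
    problems = []
    if "ssh_keypair_name" not in settings:
        return problems  # Packer generates a temporary key pair, nothing to check
    has_file = bool(settings.get("ssh_private_key_file"))
    has_agent = settings.get("ssh_agent_auth") is True
    if has_file and has_agent:
        problems.append("ssh_keypair_name set with both ssh_private_key_file and ssh_agent_auth; keep only one")
    elif not (has_file or has_agent):
        problems.append("ssh_keypair_name set without ssh_private_key_file or ssh_agent_auth")
    return problems


def lint(hcl: str) -> list:
    return check_keypair_auth(ssh_settings(hcl))


if __name__ == "__main__":
    for line in lint(SAMPLE_SOURCE) or ["ok"]:
        print(line)
```

Run it over the template file in CI before `packer build`; on the source above it flags the ssh_private_key_file / ssh_agent_auth combination, and passes once either line is removed.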

Continuous TLS handshake error logs in vault nodes due to LB health check

I am getting continuous TLS handshake errors every 5 seconds because my load balancer pings my Vault nodes every 5 seconds. The Kubernetes load balancer pings my Vault nodes using
nc -vz podip podPort
every 5 seconds.
I have already disabled client cert verification in my config.hcl but I still see the logs below in the kubectl logs for Vault:
kubectl logs pod-0 -n mynamespace
[INFO] http: TLS handshake error from 10.x.x.x:60056: EOF 2020-09-02T01:13:32.957Z
[INFO] http: TLS handshake error from 10.x.x.x:23995: EOF 2020-09-02T01:13:37.957Z
[INFO] http: TLS handshake error from 10.x.x.x:54165: EOF 2020-09-02T01:13:42.957Z
Below is my config.hcl which I am loading via kube config map
apiVersion: v1
kind: ConfigMap
metadata:
  name: raft-config
  labels:
    name: raft-config
data:
  config.hcl: |
    storage "raft" {
      path = "/vault-data"
      tls_skip_verify = "true"
      retry_join {
        leader_api_addr = "https://vault-cluster-0:8200"
        leader_ca_cert_file = "/opt/ca/vault.crt"
        leader_client_cert_file = "/opt/ca/vault.crt"
        leader_client_key_file = "/opt/ca/vault.key"
      }
      retry_join {
        leader_api_addr = "https://vault-cluster-1:8200"
        leader_ca_cert_file = "/opt/ca/vault.crt"
        leader_client_cert_file = "/opt/ca/vault.crt"
        leader_client_key_file = "/opt/ca/vault.key"
      }
      retry_join {
        leader_api_addr = "https://vault-cluster-2:8200"
        leader_ca_cert_file = "/opt/ca/vault.crt"
        leader_client_cert_file = "/opt/ca/vault.crt"
        leader_client_key_file = "/opt/ca/vault.key"
      }
    }
    seal "transit" {
      address = "https://vaulttransit:8200"
      disable_renewal = "false"
      key_name = "autounseal"
      mount_path = "transit/"
      tls_skip_verify = "true"
    }
    listener "tcp" {
      address = "0.0.0.0:8200"
      tls_cert_file = "/opt/ca/vault.crt"
      tls_key_file = "/opt/ca/vault.key"
      tls_skip_verify = "true"
      tls_disable_client_certs = "true"
    }
    ui = true
    disable_mlock = true
As I am using an external open-source Vault image and my load balancer is an internal LB (which has an internal CA cert), I suspect my Vault pod is not able to recognize the CA cert provided by my load balancer when it tries to ping port 8200 (the TCP listener is started by Vault on this port).
These logs are harmless and not causing any issue, but they are unnecessary noise which I want to avoid. My Vault nodes are working over https and there seems to be no issue with their functionality.
Can someone please help me understand why the Vault TCP listener is trying to do a TLS handshake even though I have explicitly specified tls_disable_client_certs = "true"?
Again, these logs are flooding my pods every 5 seconds when my LB does a health check on my pods using nc -vz podip podPort.
My vault version is 1.5.3
The messages are not about client certs or CA certs; a TLS handshake happens whether the client presents a certificate or not.
Instead, it is because a TCP connection is created and established and the Go library now wants to start a TLS handshake. But the other side (the health checker) just hangs up, so the TLS handshake never happens. Go then logs this message.
You are correct in saying that it is harmless; this is purely a side effect of port-liveness health checking. It is, however, spammy and annoying.
You have two basic options to get around this:
1. filter the messages out of the logs when persisting them
2. change to a different type of health check
I would recommend the second option: switch to a different health check. Vault has a /sys/health endpoint that can be used with HTTPS health checks.
In addition to getting rid of the TLS warning messages, the health endpoint also allows you to check for active and unsealed nodes.
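Both options from the answer, as an added example that is not taken from the question, the answer or Vault's own code. The log lines are constructed (10.0.0.5 standing in for the balancer, 10.0.0.9 for a client with a bad certificate); the /sys/health status codes are Vault's documented ones; fetch_health is the network part and is not run offline, with the URL and CA path as assumptions matching the question's setup.

```python
import re
import ssl
import urllib.error
import urllib.request

# Constructed sample modelled on the question's lines: 10.0.0.5 stands in for
# the balancer doing a bare TCP connect every 5 seconds, 10.0.0.9 for a client
# presenting a bad certificate, which is a real error and must survive the filter.
SAMPLE_LOG = """\
[INFO] http: TLS handshake error from 10.0.0.5:60056: EOF 2020-09-02T01:13:32.957Z
[INFO] http: TLS handshake error from 10.0.0.5:23995: EOF 2020-09-02T01:13:37.957Z
[INFO] http: TLS handshake error from 10.0.0.9:41222: remote error: tls: bad certificate 2020-09-02T01:13:40.100Z
[INFO] core: vault is unsealed 2020-09-02T01:13:41.000Z
[INFO] http: TLS handshake error from 10.0.0.5:54165: EOF 2020-09-02T01:13:42.957Z
"""

# "EOF" straight after the handshake started is the signature of a client that
# opened the TCP connection and hung up without ever sending a ClientHello.
_HANDSHAKE_EOF = re.compile(
    r"TLS handshake error from (\d{1,3}(?:\.\d{1,3}){3}):\d+: EOF\b"
)


def drop_probe_noise(log: str, probe_sources: set) -> list:
    """Option 1: filter the port-liveness noise before the logs are persisted.

    Only EOF handshake errors from the known health-check sources are dropped.
    Any other handshake error (bad certificate, protocol mismatch, an EOF from
    an address that is not a prober) is kept, because those are worth alerting on.
    """
    kept = []
    for line in log.splitlines():
        match = _HANDSHAKE_EOF.search(line)
        if match and match.group(1) in probe_sources:
            continue
        kept.append(line)
    return kept


# Option 2: an HTTPS check against /sys/health. Vault encodes node state in the
# HTTP status code, so a balancer can route on it without parsing the body.
HEALTH_STATUS = {
    200: "initialized, unsealed, active",
    429: "unsealed, standby",
    472: "disaster recovery secondary",
    473: "performance standby",
    501: "not initialized",
    503: "sealed",
}


def describe_health(status_code: int) -> str:
    return HEALTH_STATUS.get(status_code, f"unexpected status {status_code}")


def routable(status_code: int, standby_ok: bool = False) -> bool:
    """Should the balancer send client traffic to this node?

    Active nodes always; standbys only when the check is configured to accept
    them (the endpoint's own standbyok=true query parameter achieves the same by
    answering 200 for a standby). Sealed or uninitialized nodes never.
    """
    if status_code == 200:
        return True
    return standby_ok and status_code == 429


def fetch_health(base_url: str, ca_file: str) -> int:
    """The live check, verifying the listener certificate against the cluster CA.

    Not exercised offline. base_url and ca_file are assumptions matching the
    question's setup: https://<pod>:8200 and /opt/ca/vault.crt.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(base_url.rstrip("/") + "/v1/sys/health")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=3) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 429/472/473/501/503 are raised as HTTPError by urllib
```

The filter is deliberately narrow: it needs the prober's address and the literal EOF, so a handshake that fails for a real reason from the same balancer address is still logged. With the health endpoint the listener never sees a half-open connection, so the noise disappears at the source and the balancer additionally learns which node is active.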

RabbitMQ TLS Authentication

There is a task to configure the operation of some web services using certificate authorization.
We have:
Erlang 22.3.3
RabbitMQ 3.8.3
It makes no sense to describe their installation.
What has been done next:
1. In accordance with the article (https://www.rabbitmq.com/ssl.html) we perform the following actions:
git clone https://github.com/michaelklishin/tls-gen tls-gen
cd tls-gen/basic
CN=client PASSWORD=123 make
make verify
make info
Copy the created certificates and change the owner:
mv testca/ /etc/rabbitmq/
mv server/ /etc/rabbitmq/
mv client/ /etc/rabbitmq/
chown -R rabbitmq: /etc/rabbitmq/testca
chown -R rabbitmq: /etc/rabbitmq/server
chown -R rabbitmq: /etc/rabbitmq/client
We bring the configuration file (/etc/rabbitmq/rabbitmq.config) to the following form:
[
 {ssl, [{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]}]},
 {rabbit, [
   {ssl_listeners, [5671]},
   {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
   {ssl_cert_login_from, 'client'},
   {ssl_options, [{cacertfile, "/etc/rabbitmq/testca/cacert.pem"},
                  {certfile, "/etc/rabbitmq/server/cert.pem"},
                  {keyfile, "/etc/rabbitmq/server/key.pem"},
                  {verify, verify_peer},
                  {fail_if_no_peer_cert, true}]}
 ]}
].
We start the server and try to connect from the client. We get the error:
2020-05-18 17:21:57.166 +03:00 [ERR] Failed to connect to broker 10.10.11.16, port 5671, vhost dmz
RabbitMQ.Client.Exceptions.BrokerUnreachableException: None of the specified endpoints were reachable
---> RabbitMQ.Client.Exceptions.PossibleAuthenticationFailureException: Possibly caused by authentication failure
---> RabbitMQ.Client.Exceptions.OperationInterruptedException: The AMQP operation was interrupted: AMQP close-reason, initiated by Library, code=0, text='End of stream', classId=0, methodId=0, cause=System.IO.EndOfStreamException: Reached the end of the stream. Possible authentication failure.
at RabbitMQ.Client.Impl.InboundFrame.ReadFrom(Stream reader)
at RabbitMQ.Client.Impl.SocketFrameHandler.ReadFrame()
at RabbitMQ.Client.Framing.Impl.Connection.MainLoopIteration()
at RabbitMQ.Client.Framing.Impl.Connection.MainLoop()
at RabbitMQ.Client.Impl.SimpleBlockingRpcContinuation.GetReply(TimeSpan timeout)
at RabbitMQ.Client.Impl.ModelBase.ConnectionStartOk(IDictionary`2 clientProperties, String mechanism, Byte[] response, String locale)
at RabbitMQ.Client.Framing.Impl.Connection.StartAndTune()
--- End of inner exception stack trace ---
at RabbitMQ.Client.Framing.Impl.Connection.StartAndTune()
at RabbitMQ.Client.Framing.Impl.Connection.Open(Boolean insist)
at RabbitMQ.Client.Framing.Impl.Connection..ctor(IConnectionFactory factory, Boolean insist, IFrameHandler frameHandler, String clientProvidedName)
at RabbitMQ.Client.Framing.Impl.ProtocolBase.CreateConnection(IConnectionFactory factory, Boolean insist, IFrameHandler frameHandler, String clientProvidedName)
at RabbitMQ.Client.ConnectionFactory.CreateConnection(IEndpointResolver endpointResolver, String clientProvidedName)
--- End of inner exception stack trace ---
at RabbitMQ.Client.ConnectionFactory.CreateConnection(IEndpointResolver endpointResolver, String clientProvidedName)
at RabbitMQ.Client.ConnectionFactory.CreateConnection(String clientProvidedName)
at EasyNetQ.ConnectionFactoryWrapper.CreateConnection()
at EasyNetQ.PersistentConnection.TryToConnect()
In the RabbitMQ log:
2020-05-18 17:24:59.880 [info] <0.3442.0> accepting AMQP connection <0.3442.0> (10/10/15/14/1561 -> 10/10/11/166767)
2020-05-18 17:25:02.887 [error] <0.3442.0> closing AMQP connection <0.3442.0> (10/10/15/14/1561 -> 10/10/11/1667671):
{handshake_error, starting, 0, {error, function_clause, 'connection.start_ok', [{rabbit_ssl, peer_cert_auth_name, [client, <<48,130,3,42,48,130,2,18,160,3,2,1,2,2,1,2,48,13,6,9,42,134,72,134,247,13,1,1,11,5,0,...
UPDATE
New rabbitmq.config:
[
{rabbit,[
{auth_backends, [rabbit_auth_backend_internal]},
{auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
{ssl_listeners,[5671]},
{ssl_options,[
{versions,['tlsv1.2', 'tlsv1.1']},
{cacertfile, "/etc/rabbitmq/testca/cacert.pem"},
{certfile, "/etc/rabbitmq/server/cert.pem"},
{keyfile, "/etc/rabbitmq/server/key.pem"},
{verify,verify_peer},
{fail_if_no_peer_cert,true}]}
]}
].
New error:
2020-05-18 18:48:56.681 [info] <0.1410.0> Connection <0.1410.0> (10.10.15.14:52744 -> 10.10.11.16:5671) has a client-provided name: Viber.CallbackService.dll
2020-05-18 18:48:56.682 [error] <0.1410.0> Error on AMQP connection <0.1410.0> (10.10.15.14:52744 -> 10.10.11.16:5671, state: starting):
EXTERNAL login refused: user 'O=client,CN=client' - invalid credentials
Have you enabled the ssl plugin and restarted the broker?
sudo rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
sudo systemctl restart rabbitmq-server
You may also try and set the following in rabbitmq.conf:
ssl_cert_login_from = common_name
ssl_options.password = 123
And create a user called client in the broker to match the CN name in your certificate.
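Why the broker looked for a user named 'O=client,CN=client', as an added illustration that is not the broker's code and not part of the thread: RabbitMQ's EXTERNAL mechanism turns the verified client certificate's subject into a username according to ssl_cert_login_from, and that username must exist in the auth backend. The subject below is constructed from the log (the DER bytes in the dump show CN before O); the atom client in the first configuration is not a valid value for the setting, which is the function_clause the first log reports. Escaping of special characters inside values per RFC 4514 is not modelled.

```python
# Constructed from the log: the tls-gen client certificate's subject in DER
# order, CN first then O (the bytes 85,4,3 = CN and 85,4,10 = O in the dump).
CLIENT_SUBJECT = [("CN", "client"), ("O", "client")]


def rfc4514_dn(rdns: list) -> str:
    """Render a subject the way RabbitMQ does for distinguished_name logins.

    RFC 4514 strings list the RDNs in reverse of their DER order, which is why
    the broker logged 'O=client,CN=client' for a CN-then-O certificate.
    Escaping of special characters inside values is not modelled here.
    """
    return ",".join(f"{attr}={value}" for attr, value in reversed(rdns))


def external_username(rdns: list, ssl_cert_login_from: str) -> str:
    """Username the EXTERNAL mechanism derives from a verified client cert.

    Only the two settings the answer discusses are modelled. Any other value
    raises, which mirrors the broker's function_clause crash on the atom
    'client' that the first configuration used.
    """
    if ssl_cert_login_from == "distinguished_name":
        return rfc4514_dn(rdns)
    if ssl_cert_login_from == "common_name":
        cns = [value for attr, value in rdns if attr == "CN"]
        if len(cns) != 1:
            raise ValueError("certificate subject must carry exactly one CN")
        return cns[0]
    raise ValueError(f"unsupported ssl_cert_login_from value: {ssl_cert_login_from!r}")


def external_login(rdns: list, ssl_cert_login_from: str, known_users: set) -> tuple:
    """(username, accepted): EXTERNAL only succeeds if that exact user exists.

    known_users stands for the internal auth backend. A cert-derived name that
    is not in it produces the "invalid credentials" refusal from the question.
    """
    user = external_username(rdns, ssl_cert_login_from)
    return user, user in known_users


if __name__ == "__main__":
    # Default setting with a user named "client": refused, as in the question.
    print(external_login(CLIENT_SUBJECT, "distinguished_name", {"client"}))
    # Either switch the setting, or create the DN-named user instead.
    print(external_login(CLIENT_SUBJECT, "common_name", {"client"}))
    print(external_login(CLIENT_SUBJECT, "distinguished_name", {"O=client,CN=client"}))
```

Two fixes therefore work: keep the default distinguished_name and create the user 'O=client,CN=client', or set ssl_cert_login_from = common_name as the answer suggests and create the user client. Whichever is chosen, the EXTERNAL user needs no password, only the permissions on the vhost; the certificate is the credential.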

SNI : SSLHandshakeException unrecognized_name

I have the following error when trying to contact a website:
10:29:32.228 [ForkJoinPool-1-worker-1] ERROR com.intuit.karate - javax.net.ssl.SSLHandshakeException: Received fatal alert: unrecognized_name, http call failed after 35 milliseconds for URL: https://{redacted}
10:29:32.229 [ForkJoinPool-1-worker-1] ERROR com.intuit.karate - http request failed: javax.net.ssl.SSLHandshakeException: Received fatal alert: unrecognized_name
I have found the following answer: https://stackoverflow.com/a/14884941/10791639
I edited karate-apache/src/main/java/com/intuit/karate/http/apache/ApacheHttpClient.java line 125, removing the comment from this line:
System.setProperty("jsse.enableSNIExtension", "false");
But I still have the same problem as before. I haven't found a public website that requires strict Server Name Indication to reproduce my problem.
We found a solution by changing something in karate-apache/src/main/java/com/intuit/karate/http/apache/ApacheHttpClient.java :
SSLConnectionSocketFactory socketFactory = new LenientSslConnectionSocketFactory(sslContext, new NoopHostnameVerifier());
becomes
SSLConnectionSocketFactory socketFactory = new SslConnectionSocketFactory(sslContext, new NoopHostnameVerifier());
@Peter, do you think a parameter to use a strict or lenient SSL connection could be a possibility?
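What the unrecognized_name alert means on the wire, as an added example that is not part of Karate or of the thread: the server_name extension (RFC 6066) a client puts in its ClientHello, a parser for it, and the decision a strict-SNI server takes when the extension is missing or names an unknown host. The host names and certificate labels are constructed. Note that jsse.enableSNIExtension=false does the opposite of what is wanted here: it stops the Java client from sending the extension at all.

```python
import struct

SERVER_NAME_EXT = 0        # extension type server_name (RFC 6066)
HOST_NAME = 0              # the only NameType defined
ALERT_FATAL = 2
UNRECOGNIZED_NAME = 112    # the alert description the Karate client received


def build_sni_extension(hostname: str) -> bytes:
    """Encode a server_name extension as a client sends it in its ClientHello."""
    host = hostname.encode("idna")
    server_name = struct.pack("!BH", HOST_NAME, len(host)) + host
    name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", SERVER_NAME_EXT, len(name_list)) + name_list


def parse_sni_extension(ext: bytes) -> list:
    """Decode the extension back into the host names it carries."""
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != SERVER_NAME_EXT or ext_len != len(ext) - 4:
        raise ValueError("not a well-formed server_name extension")
    (list_len,) = struct.unpack("!H", ext[4:6])
    body = ext[6:6 + list_len]
    if len(body) != list_len:
        raise ValueError("truncated ServerNameList")
    names, pos = [], 0
    while pos < len(body):
        name_type, name_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        raw = body[pos:pos + name_len]
        pos += name_len
        if name_type == HOST_NAME:
            names.append(raw.decode("idna"))
    return names


def select_certificate(extensions: list, vhosts: dict, default: str = None) -> tuple:
    """What a strict-SNI server does with the ClientHello extensions.

    Returns ("certificate", label) when a host name matches a configured vhost
    (or a default certificate exists), otherwise ("alert", record) holding the
    fatal unrecognized_name alert: this is the path a client hits when it sends
    no SNI at all (the lenient Karate factory) or an unknown name.
    """
    names = []
    for ext in extensions:
        if struct.unpack("!H", ext[:2])[0] == SERVER_NAME_EXT:
            names.extend(parse_sni_extension(ext))
    for name in names:
        if name in vhosts:
            return "certificate", vhosts[name]
    if default is not None:
        return "certificate", default
    # TLS 1.2 alert record: ContentType alert(21), version 3.3, length 2, level, description
    return "alert", bytes([21, 3, 3, 0, 2, ALERT_FATAL, UNRECOGNIZED_NAME])


if __name__ == "__main__":
    vhosts = {"api.example.com": "api-cert"}
    print(select_certificate([], vhosts))                                     # alert 112
    print(select_certificate([build_sni_extension("api.example.com")], vhosts))  # api-cert
```

The fix in the thread, switching to a socket factory that sends SNI, is the move from the empty extension list to build_sni_extension(host): the strict server then has a name to match and answers with a certificate instead of the alert. A lenient client that omits SNI only works against servers configured with a default certificate.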

Adding WSS to Websocket/Autobahn/WAMP/Twisted

There doesn't seem to be much out there right now on how to properly add WSS support to an Autobahn/Twisted setup. I'm starting with the Crossbar serial2ws example, which shows a WS-based connection between frontend and backend.
I'd like to know how to adapt the serial2ws example for an SSL connection.
I changed:
# serial2ws.py
router = args.router or 'ws://localhost:8080'
to
router = args.router or 'wss://localhost:8080'
And on the website JS:
connection = new autobahn.Connection({
url: (document.location.protocol === "http:" ? "ws:" : "wss:") + "//" + ip + ":" + port,
realm: 'realm1',
...
})
But, when I try to connect, it fails with:
WebSocket connection to 'wss://192.168.0.12:8080/' failed: Error in connection establishment: net::ERR_CONNECTION_CLOSED
The Python server logs:
2016-06-30 16:52:57-0400 [-] Log opened.
2016-06-30 16:52:57-0400 [-] Using Twisted reactor <class 'twisted.internet.epollreactor.EPollReactor'>
2016-06-30 16:52:59-0400 [-] WampWebSocketServerFactory starting on 8080
2016-06-30 16:52:59-0400 [-] Starting factory <autobahn.twisted.websocket.WampWebSocketServerFactory instance at 0x76669dc8>
2016-06-30 16:53:00-0400 [-] Starting factory <autobahn.twisted.websocket.WampWebSocketClientFactory instance at 0x766112b0>
2016-06-30 16:53:05-0400 [WampWebSocketClientProtocol (TLSMemoryBIOProtocol),client] Stopping factory <autobahn.twisted.websocket.WampWebSocketClientFactory instance at 0x766112b0>
To be clear, when the "wss" instances above are reverted to the original "ws", everything works.
Also tried:
Adding to serial2ws.py:
contextFactory = ssl.DefaultOpenSSLContextFactory('/root/keys/server.key', '/root/keys/server.crt')
# Change
reactor.listenTCP(args.web, Site(File(".")))
# to
reactor.listenSSL(args.web, Site(File(".")), contextFactory)