I have to deploy a backend that wants to handle HTTPS on its own.
The README of that backend provides the following command to generate a self signed cert:
openssl req -x509 -nodes -newkey rsa:2048 -keyout tls.key -out tls.crt -days 3650
That gives me a tls.key and tls.crt file. However, the NGINX guide at https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/ requires some more stuff which I don't have.
It would be awesome if someone could tell me how to generate all the certificate files I need so that NGINX can talk to the backend via SSL.
The outside-facing SSL connection is covered by Let's Encrypt.
I used openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365 to generate a cert.pem and key.pem and it has executed correctly. Now what I want to know is how I can add the OpenSSL-generated certificate to trusted certificates so that I don't get greeted with the "Your connection isn't private" page before loading my Flask HTTPS site. Any help is appreciated.
EDIT: OS - Windows. I am trying to add the OpenSSL generated certificate to Trusted Root Certification Authorities inside the Microsoft Management console (MMC)
Depending on the browser you need to run certutil with a specific db location:
chromium-based (most) -d sql:$HOME/.pki/nssdb
firefox -d %userprofile%\Application Data\Mozilla\Firefox\Profiles\%randomalphanum%.default\cert8.db
I apologize if this is a silly rookie question, I'm not really experienced in dealing with SSL / HTTPS so please help me out.
I have a docker swarm setup and use Traefik to handle all the HTTPS services. When I first load the page (take the grafana page for example), there is a warning page and I click "Advanced" and "Proceed (accept risk)", then the page displays and works just fine; the only problem is the "Not Secure" sign showing in the browser.
A few things could be contributing to this:
Self-created CA and self-signed cert: I'm at development stage so I created my own CA and signed the cert using openssl, and use this cert in Traefik dynamic configuration.
Command to generate CA:
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca.pem
Command to generate self-signed cert:
openssl req -newkey rsa:2048 -days 365 -nodes -keyout key.pem -out req.pem
openssl x509 -req -in req.pem -days 365 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out cert.pem
See attached screenshot for the errors of the certs: "Subject Alternative Name missing" & "This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID)."
Chrome Dev Tool Certificate Error
Traefik configuration: Not using Let's Encrypt since I don't have an account, so using my own self-signed cert. I don't think this is the issue because I can see the page is using the cert I provided. But if anyone has similar experience with Traefik v2 maybe can give me some pointer if there is anything I set wrong?
Dynamic configuration file that declares the certs:
tls:
  stores:
    default:
      defaultCertificate:
        certFile: configuration/cert.pem
        keyFile: configuration/key.pem
Question:
Is a missing SAN really an important factor that will cause my page to be not secure? If yes, how can I add a SAN while creating the cert with openssl?
I understand that the 2nd error "ERR_CERT_AUTHORITY_INVALID" means the browser doesn't recognize the cert's validity. Does that mean I have to install my CA? Where and how do I install it? Is it on docker swarm's manager node (this is where the Traefik service and the certs are), or is it on any client machine that is trying to access the page?
I need to make client approve a server CA certificate which is not known to it.
I have generated cert.pem using the following command
openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
And then using the following command I came to know that requests points to <full-path>/cacert.pem.
python -mrequests.certs
So, I have copied the generated cert.pem to the same path and gave it to verify. I have tried the following to do so. I don't want to use verify=False.
requests.get("https://<ip>:<port>/route1", verify='<full-path>/cert.pem')
Still I see that the client is throwing the following error.
SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
How do I make the client approve the server certificate? Am I missing anything? Any help would be appreciated.
Server side code
context = ('cert.pem', 'key.pem')  # (certificate file, private key file)
# app is the Flask object
app.run(host="<ip>", port=port, debug=True, ssl_context=context)
I have installed on my server IceCast with SSL. The program works perfectly but the SSL certificate is recognized as non-secure in the browser. I generated the certificate with the following code:
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout icecast2.pem -out icecast2.pem
Page capture: http://i.imgur.com/V5V3zM4.png
Does anyone know how I can fix it?
PD: I'm running Apache2 Server and Debian.
Many Thanks.
You've got a self-signed certificate that is not contained in any trustchain. Hence, it is marked as insecure by your browser.
There is hardly any way to fix this with your existing certificate. You can try through the Let's Encrypt initiative.
I've installed HAProxy 1.5-dev19, and I am trying to bind using SSL.
I generated openssl certs in /etc/ssl/certs keys and validated that they are there and look good, and updated haproxy.cfg as below:
openssl req -nodes -x509 -newkey rsa:2048 -keyout /etc/ssl/certs/private.key -out /etc/ssl/certs/cert.pem -days 2000
frontend XRE
bind *:9045 ssl crt /etc/ssl/certs/private.key
But I still get:
parsing [/etc/haproxy/haproxy.cfg:48] : 'bind :443' : unable to load SSL certificate from PEM file '/etc/ssl/certs/private.key'.
Proxy 'haproxyLoopback': no SSL certificate specified for bind ':443' at [/etc/haproxy/haproxy.cfg:48] (use 'crt').
Your help is appreciated,
Many thanks,
Charlie
You are pointing to the wrong file. It should be like this:
frontend XRE
bind *:9045 ssl crt /etc/ssl/certs/cert.pem