I have a custom wildcard cert like *xyz.domain.com.
And I have my grafana url as test-xyz.domain.com. I have enabled generic oauth in grafana.
I have enabled oauth through keycloak IDP.
When I try to login to grafana, it gives me the following error
t=2019-08-06T18:00:46+0000 lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error="Post https://test-xyz.domain.com:31809/auth/realms/ABC/protocol/openid-connect/token: x509: certificate is valid for *xyz.domain.com, not test-xyz.domain.com"
Grafana fails to recognize the IDP's cert. So are special characters allowed in wildcard certs?
Related
My postman request errors-out with status: 401 Unauthorized and "error_description": "proper client ssl certificate was not presented".
I have confirmed in both MMC and MS Edge that ADP certificate is installed - it shows-up in a list of certificates. The status of certificate reads - "This certificate is OK", "Windows does not have enough information to verify this certificate".
Can this cause the Postman error? What else should I pay attention to?
I'm following Making Your First API Call Using Postman directions and trying to request a bearer token from ADP.
Problem starts by getting many errors like this in my logs:
{
"#mt": "Your license for Duende IdentityServer only permits {issuerLimit} number of issuers.
You have processed requests for {issuerCount}. The issuers used were: {issuers}.",
"#l": "Error",
"issuerLimit": 1,
"issuerCount": 2,
"issuers": [
"https://www.example.org",
"https://example.org"
],
"SourceContext": "Duende.IdentityServer",
"RequestPath": "/connect/checksession"
},
I am using default MS template for Hosted Blazor WebAssembly with Individual accounts. I did not set any issuer explicitly because I have test.mydomain.org and it seemed convenient.
I have DNS CNAME www.example.org to example.org, and in IIS I have one site example.org with 4 bindings: http and https for www and non www versions.
When everything work normally, no matter how I try to open my site using www or non www version, in incognito mode, logged in or logged out, no matter what I try I cannot intentionally get this error in log.
But then it starts to appear and it is noticed by user who can log in normally, but trying to access any API endpoint requiring authorization returns Bearer error="invalid_token", error_description="The issuer 'https://example.com' is invalid" (How to debug only occasional Bearer error="invalid_token").
I wonder how is it even possible to receive request from www.mydomain.org to IdentityServer if I cant do it by manually requesting www version? Where does the IdentityServer get these issuers from? And, does Identity server starts throwing these error on purpose after some time?
I am attempting to upgrade EJBCA.
I attempted to run this on ubuntu 20.04, locally, using wildfly 18. Wildfly 18 results in this error: "CAUSE: Client certificate or OAuth bearer token required."
I have tried this two ways, by importing the keystore, truststore and superadmin from another instance and by creating the CA fresh and using the resulting superadmin.p12.
The home page loads, but the administration gives me the following error:
"AUTHORIZATIONDENIED
CAUSE: Client certificate or OAuth bearer token required. "
I can really use some help with this.
Things I have tried:
(1) I have downloaded superadmin.p12 and imported it into my browsers
(2) I have attempted to upload the superdmin cert:
bin/ejbca.sh ca importcacert ${NAME} ${NAME}.cacert.pem -initauthorization -superadmincn SuperAdmin
This results in The CA certificate is already imported.
(3) Both my keystore.jks and truststore.jks are moved into /ejbca/p12 and /opt/wildfly/standalone/configuration/keystore
(4) I did set "web.reqcertindb=false"
(6) I did try to enable ssl on wildfly 14 (https://docs.bitnami.com/bch/infrastructure/wildfly/administration/enable-ssl-wildfly/)
(7) I have tried a fresh Management_CA as well
The log of /ejbca/adminweb:
"08:20:01,270 ERROR [org.ejbca.ui.web.admin.configuration.EjbcaJSFHelperImpl] (default task-4) org.cesecore.authentication.AuthenticationFailedException: Client certificate or OAuth bearer token required.
08:20:01,279 WARN [org.ejbca.ui.web.admin.configuration.EjbcaWebBeanImpl] (default task-4) Language was not initialized for this session
08:20:01,279 WARN [org.ejbca.ui.web.admin.configuration.EjbcaWebBeanImpl]
I can provide more information if needs be.
Thank you
So, I have it running today. Here is what I learned:
It seems that if you set wildfly up as a service (per instructions) it is going to set up wildfly to run with launch.sh. Launch.sh is going to result in a cipher mistmatch. I needed to run the standalone.sh file instead
Adminweb must be contacted on 8443
if you need to run this thing on domain setup your going to need to post another question
Best,
On our SharePoint 2010 farm we renewed our SSL certificate, and after renewal we started to get following error in Event Log
Event ID 8311
An operation failed because the following certificate has validation errors:\n\nSubject Name:
CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: \n\nErrors:\n\n
RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
Website is generally working with correct renewed certificate. Even Claims Authentication between SharePoint and custom security app is also working. But some of the SharePoint services are giving serious issues like search is not working and giving following error:
The requested service, 'http://server:32843/f6a9024b8bbe48ebae7e9ffc8f5809dd/SearchService.svc' could not be activated. See the server's diagnostic trace logs for more information.
Stack trace:
Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory factory, WebException responseException, ChannelBinding channelBinding)
When I run Get-SPSite command in powershell I get following error
Get-SPSite : ID4257: X.509 certificate 'CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US' validation failed by the token handler.
I am not able to deactivate/activate any features on the server, it throws certificate error.
I have already tried following:
1. Recreating the local trust relationship using following commands
$rootCert = (Get-SPCertificateAuthority).RootCertificate
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert
2. Adding "SharePoint Root Authority" certificate to certificate store on each server in the farm, in mmc SharePoint certificates "SharePoint Security Token Service" certificate is displayed under "SharePoint Root Authority" certificate.
I had a similar issue, our symptom was
<EventID>8311</EventID>
...
<Data Name="string3">NotTimeValid: Unknown error.</Data>
the root cause was that the site was surfacing SSRS (on the same host) and it was the SSRS (which has a different binding engine to IIS) certificate had expired, but was being logged by SharePoint.
I have just installed Orbeon 3.9 CE on a WebSphere WAS 7.0 environment all was looking well but when I tried to add a form I got and error sating "peer not authenticated".
I turned on debugging in the log4j.xml file and this is what I got out of it:
2011-05-27 16:34:13,051 ERROR ProcessorService - Exception at oxf:/apps/fr/components/components.xsl (executing XSLT transformation)
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.ibm.jsse2.fc.getPeerCertificates(fc.java:46)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:488)
at org.apache.http.conn.scheme.SchemeSocketFactoryAdaptor.connectSocket(SchemeSocketFactoryAdaptor.java:62)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:562)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
at org.orbeon.oxf.resources.handler.HTTPURLConnection.connect(HTTPURLConnection.java:219)
at org.orbeon.oxf.util.Connection.connect(Connection.java:494)
at org.orbeon.oxf.util.Connection.open(Connection.java:94)
at org.orbeon.oxf.processor.generator.URLGenerator$URLResourceHandler.openConnection(URLGenerator.java:817)
at org.orbeon.oxf.processor.generator.URLGenerator$URLResourceHandler.getResourceMediaType(URLGenerator.java:770)
at org.orbeon.oxf.processor.generator.URLGenerator$1.readImpl(URLGenerator.java:420)
at org.orbeon.oxf.processor.impl.ProcessorOutputImpl$TopLevelOutputFilter.read(ProcessorOutputImpl.java:263)
at org.orbeon.oxf.processor.impl.ProcessorOutputImpl.read(ProcessorOutputImpl.java:406)
at org.orbeon.oxf.processor.ProcessorImpl.readInputAsSAX(ProcessorImpl.java:260)
at org.orbeon.oxf.processor.pipeline.TeeProcessor$TeeProcessorOutputImpl.readImpl(TeeProcessor.java:89)
at org.orbeon.oxf.processor.impl.ProcessorOutputImpl$TopLevelOutputFilter.read(ProcessorOutputImpl.java:263)
at org.orbeon.oxf.processor.impl.ProcessorOutputImpl.read(ProcessorOutputImpl.java:406)
at org.orbeon.oxf.processor.ProcessorImpl.readInputAsSAX(ProcessorImpl.java:260)
at org.orbeon.oxf.processor.ProcessorImpl.readInputAsTinyTree(ProcessorImpl.java:286)
at org.orbeon.oxf.processor.ProcessorImpl$3.read(ProcessorImpl.java:315)
at org.orbeon.oxf.processor.ProcessorImpl.readCacheInputAsObject(ProcessorImpl.java:365)
at org.orbeon.oxf.processor.ProcessorImpl.readCacheInputAsObject(ProcessorImpl.java:330)
at org.orbeon.oxf.processor.ProcessorImpl.readCacheInputAsTinyTree(ProcessorImpl.java:313)
This looks like an error that would happen if you use HTTPS with an invalid certificate (such as a self-signed certificate). If this is what you are doing, you can either:
Add the your certificate to your VM trust store. (I'll let you lookup how to do this on WebSphere.)
Use HTTP instead of HTTPS, at least during development where you don't have a valid certificate.
Get a real certificate, for instance from StartSSL which issues class 1 certificate for free.