localhost self-signed certificate across LAN in XAMPP - ssl

I have localhost with SSL working fine on my local PC, but SSL doesn't work across the LAN. Because I'm using a self-signed certificate I have to install the certificate on every PC on which I'll open the site, but it's only working on the PC on which the website is hosted and not on the other PCs on the LAN.
I don't want to host my website online because I'm in development mode.
My Local PC:
host file:
127.0.0.1 gofashion_chat.test
httpd-xampp.conf
<VirtualHost *:80>
DocumentRoot "C:/xampp/htdocs/gofashion"
ServerName gofashion_chat.test
ServerAlias *.gofashion_chat.test
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "C:/xampp/htdocs/gofashion"
ServerName gofashion_chat.test
ServerAlias *.gofashion_chat.test
SSLEngine on
SSLCertificateFile "C:/xampp/htdocs/gofashion/cert/gofashion_chat.test/server.crt"
SSLCertificateKeyFile "C:/xampp/htdocs/gofashion/cert/gofashion_chat.test/server.key"
</VirtualHost>
Certificate in browser:
PC on LAN:
host file:
192.168.10.7 gofashion_chat.test
Certificate in browser on LAN PC:
I have installed server.crt on both PCs.
How do I solve ssl issue across LAN?
Edit:
This is the bat file which I used to generate the certificate:
@echo off
set /p domain="Enter Domain without TLD (E.g 'facebook', 'google'): "
set /p com_tld="Enter Domain TLD (E.g 'com', 'test'): "
SET HOSTNAME=%domain%
SET DOT=%com_tld%
SET COUNTRY=US
SET STATE=KS
SET CITY=Olathe
SET ORGANIZATION=IT
SET ORGANIZATION_UNIT=IT Department
SET FULL_DOMAIN=%HOSTNAME%.%DOT%
SET EMAIL=webmaster@%FULL_DOMAIN%
SET OPENSSL_CONF=C:\xampp\apache\conf\openssl.cnf
if not exist .\%HOSTNAME%.%DOT% mkdir .\%FULL_DOMAIN%
(
echo [req]
echo default_bits = 2048
echo prompt = no
echo default_md = sha256
echo req_extensions = v3_req
echo x509_extensions = x509_ext
echo distinguished_name = dn
echo:
echo [dn]
echo C = %COUNTRY%
echo ST = %STATE%
echo L = %CITY%
echo O = %ORGANIZATION%
echo OU = %ORGANIZATION_UNIT%
echo emailAddress = %EMAIL%
echo CN = %FULL_DOMAIN%
echo:
echo [v3_req]
echo subjectAltName = @alt_names
echo subjectKeyIdentifier = hash
echo authorityKeyIdentifier = keyid:always, issuer:always
echo basicConstraints = critical, CA:TRUE, pathlen:1
echo keyUsage = critical, cRLSign, digitalSignature, keyCertSign
echo nsComment = "OpenSSL Generated Certificate"
echo:
echo [x509_ext]
echo subjectAltName = @alt_names
echo subjectKeyIdentifier = hash
echo authorityKeyIdentifier = keyid:always, issuer:always
echo basicConstraints = critical, CA:TRUE, pathlen:1
echo keyUsage = critical, cRLSign, digitalSignature, keyCertSign
echo nsComment = "OpenSSL Generated Certificate"
echo:
echo [alt_names]
echo DNS.1 = *.%FULL_DOMAIN%
echo DNS.2 = %FULL_DOMAIN%
)>%FULL_DOMAIN%\%HOSTNAME%.cnf
C:\xampp\apache\bin\openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout %FULL_DOMAIN%\server.key -days 356 -out %FULL_DOMAIN%\server.crt -config %FULL_DOMAIN%\%HOSTNAME%.cnf
echo.
echo -----
echo The certificate was provided.
echo.
pause
This is another one I used to generate the certificate:
@echo off
set /p domain="Enter Domain without TLD (E.g 'facebook', 'google'): "
set /p com_tld="Enter Domain TLD (E.g 'com', 'test'): "
SET HOSTNAME=%domain%
SET DOT=%com_tld%
SET COUNTRY=US
SET STATE=KS
SET CITY=Olathe
SET ORGANIZATION=IT
SET ORGANIZATION_UNIT=IT Department
SET FULL_DOMAIN=%HOSTNAME%.%DOT%
SET EMAIL=webmaster@%FULL_DOMAIN%
SET OPENSSL_CONF=C:\xampp\apache\conf\openssl.cnf
if not exist .\%HOSTNAME%.%DOT% mkdir .\%FULL_DOMAIN%
(
echo [ req ]
echo default_bits = 2048
echo default_keyfile = server-key.pem
echo distinguished_name = subject
echo req_extensions = req_ext
echo x509_extensions = x509_ext
echo string_mask = utf8only
echo:
echo [ subject ]
echo countryName = Country Name ^(2 letter code^)
echo countryName_default = %COUNTRY%
echo stateOrProvinceName = State or Province Name ^(full name^)
echo stateOrProvinceName_default = %STATE%
echo localityName = Locality Name ^(eg, city^)
echo localityName_default = %CITY%
echo organizationName = Organization Name ^(eg, company^)
echo organizationName_default = %ORGANIZATION%
echo commonName = Common Name ^(e.g. server FQDN or YOUR name^)
echo commonName_default = %HOSTNAME%.%DOT%
echo emailAddress = Email Address
echo emailAddress_default = %EMAIL%
echo:
echo [ x509_ext ]
echo subjectKeyIdentifier = hash
echo authorityKeyIdentifier = keyid,issuer
echo basicConstraints = CA:FALSE
echo keyUsage = digitalSignature, keyEncipherment
echo subjectAltName = @alternate_names
echo nsComment = "OpenSSL Generated Certificate"
echo:
echo [ req_ext ]
echo subjectKeyIdentifier = hash
echo basicConstraints = CA:FALSE
echo keyUsage = digitalSignature, keyEncipherment
echo subjectAltName = @alternate_names
echo nsComment = "OpenSSL Generated Certificate"
echo:
echo [ alternate_names ]
echo:
echo DNS.1 = *.%HOSTNAME%.%DOT%
echo DNS.2 = %HOSTNAME%.%DOT%
)>%FULL_DOMAIN%\%HOSTNAME%.cnf
C:\xampp\apache\bin\openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout %FULL_DOMAIN%\server.key -days 356 -out %FULL_DOMAIN%\server.crt -config %FULL_DOMAIN%\%HOSTNAME%.cnf
echo.
echo -----
echo The certificate was provided.
echo.
pause

This might be late but it is worth a try ^_^
Instead of specifying your localhost as gofashion_chat.test, just use computername.domain. This will save you time editing the hosts file of each computer from which you want to access your website.
Create a folder inside apache. Folder name: crt
Create a file with the name cert-template.conf and save it in the crt folder. Below are the contents of cert-template.conf.
[ req ]
default_bits = 2048
default_keyfile = server-key.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = TE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = TEST
localityName = Locality Name (eg, city)
localityName_default = TEST
organizationName = Organization Name (eg, company)
organizationName_default = TEST
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = {{DOMAIN}}
emailAddress = Email Address
emailAddress_default = test@example.com
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
[ alternate_names ]
DNS.1 = {{DOMAIN}}
Create this file also: make-cert.bat, and save it in the crt folder. Below are the contents of make-cert.bat.
@echo off
set /p domain="Domain Name: "
set OPENSSL_CONF=../conf/openssl.cnf
REM
REM Read the "cert-template.conf" file and replace all {{DOMAIN}} placeholders by the entered domain.
REM Write the result into a new file called "cert.conf".
REM
REM @see https://stackoverflow.com/questions/5273937/how-to-replace-substrings-in-windows-batch-file#20227248
REM
setlocal enabledelayedexpansion
set INTEXTFILE=cert-template.conf
set OUTTEXTFILE=cert.conf
set SEARCHTEXT={{DOMAIN}}
set REPLACETEXT=%domain%
if exist %OUTTEXTFILE% del /F %OUTTEXTFILE%
for /f "tokens=1,* delims=¶" %%A in ( '"findstr /n ^^ %INTEXTFILE%"') do (
SET string=%%A
for /f "delims=: tokens=1,*" %%a in ("!string!") do set "string=%%b"
if "!string!" == "" (
echo.>>%OUTTEXTFILE%
) else (
SET modified=!string:%SEARCHTEXT%=%REPLACETEXT%!
echo !modified! >> %OUTTEXTFILE%
)
)
REM
REM Create the target directory.
REM
if not exist .\%domain% mkdir .\%domain%
REM
REM Create the certificate and key files.
REM
..\bin\openssl req -config %OUTTEXTFILE% -new -sha256 -newkey rsa:2048 -nodes -keyout %domain%\server.key -x509 -days 365 -out %domain%\server.crt
REM
REM Delete the written file "cert.conf" as this file would only be used to create the certificate.
REM
if exist %OUTTEXTFILE% del /F %OUTTEXTFILE%
echo.
echo -----
echo The certificate was provided.
echo.
pause
Run make-cert.bat; a command prompt will show and ask you for a domain name. Your domain name is your computername.domain. After that, there are questions you need to answer, and the most important one is the Common Name. Common Name = computername.domain.
Install the certificate you created, located at crt/computername.domain/server.crt: Install Certificate > Local Machine > Place all certificates in the following store > Browse > Trusted Root Certification Authorities > Next > Finish.
Insert this at the bottom of httpd-xampp.conf:
<VirtualHost computername.domain:8080>
DocumentRoot "C:/xampp/htdocs"
</VirtualHost>
<VirtualHost computername.domain:4433>
DocumentRoot "C:/xampp/htdocs"
SSLEngine on
SSLCertificateFile "crt/computername.domain/server.crt"
SSLCertificateKeyFile "crt/computername.domain/server.key"
</VirtualHost>
Restart XAMPP and try to access your localhost using https://computername.domain:4433.
That's all. I hope you get all of the steps.

Your screenshot shows that the certificate in use is allowed for the purposes
All issuance policies
All application policies
But you want to use it as a web server certificate; therefore the certificate requires the following purpose:
Ensures the identity of a remote computer
I assume it works on your computer because the web browser recognizes that the server is running on a local network interface, hence it is not a "remote computer", and therefore it works without this purpose being allowed in the certificate.
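An added example, not code from the question or from either answer, that ties the thread together. The question's first .bat issues a self-signed certificate marked CA:TRUE with keyCertSign, the second answer points at the missing "Ensures the identity of a remote computer" (serverAuth) purpose, and the first answer installs the server certificate itself as a trusted root on every PC. The script below instead issues a small development CA plus a separate server certificate (CA:FALSE, serverAuth, and a subjectAltName carrying the host name from the question, a wildcard for the ServerAlias and the LAN address 192.168.10.7), then checks it offline the way a browser on the LAN PC would, using only the openssl CLI that XAMPP ships. It assumes a POSIX shell (Git Bash or WSL on Windows) and openssl 1.0.2 or newer on PATH; the CA subject, the file names and the function names are my own choices, not anything from the original posts.

```shell
#!/bin/sh
# Added example, not code from the question or from either answer.
# Assumes: POSIX sh and an openssl CLI (1.0.2+) on PATH. Host name and LAN
# address are the question's; the CA subject and file names are invented.
set -eu

DEV_HOST=gofashion_chat.test
LAN_IP=192.168.10.7                 # what the LAN PC's hosts file resolves the name to
WORKDIR=${WORKDIR:-$(mktemp -d)}    # every file lands here; nothing touches XAMPP

# 1. A throw-away development CA. Only this certificate is imported into
#    "Trusted Root Certification Authorities" on each PC; server certificates
#    can then be reissued without touching the other machines again.
make_dev_ca() {                      # $1 = output directory
    cat >"$1/ca.cnf" <<'EOF'
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
CN = XAMPP development CA
[ca_ext]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -sha256 -newkey rsa:2048 -nodes -days 825 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# 2. The server (leaf) certificate the vhost serves. Unlike the question's
#    first .bat it is CA:FALSE, carries the serverAuth EKU ("Ensures the
#    identity of a remote computer") and lists every name and address a
#    client may type in a subjectAltName; browsers ignore the CN.
make_server_cert() {                 # $1 dir  $2 file stem  $3 host  $4 IP  [$5 EKU]
    dir=$1; stem=$2; host=$3; ip=$4; eku=${5:-serverAuth}
    cat >"$dir/$stem.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
[dn]
CN = $host
[leaf_ext]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = $eku
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$host, DNS:*.$host, IP:$ip
EOF
    openssl req -new -sha256 -newkey rsa:2048 -nodes -config "$dir/$stem.cnf" \
        -keyout "$dir/$stem.key" -out "$dir/$stem.csr" 2>/dev/null
    # Sign with the dev CA; the extensions come from the extfile, not the CSR.
    openssl x509 -req -sha256 -days 397 -in "$dir/$stem.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$stem.cnf" -extensions leaf_ext -out "$dir/$stem.crt" 2>/dev/null
}

# 3. What a browser on the LAN PC effectively checks, done offline: chain to
#    a trusted root, leaf usable for the SSL-server purpose, and a SAN entry
#    matching the host name or IP address in the URL. Exit status 0 = accepted.
verify_for_name() {                  # $1 dir  $2 file stem  $3 host name in the URL
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
        -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}
verify_for_ip() {                    # $1 dir  $2 file stem  $3 IP address in the URL
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
        -verify_ip "$3" "$1/$2.crt" >/dev/null 2>&1
}

# Stand-alone run: issue the pair and prove both checks pass (set -e aborts otherwise).
make_dev_ca "$WORKDIR"
make_server_cert "$WORKDIR" server "$DEV_HOST" "$LAN_IP"
verify_for_name "$WORKDIR" server "$DEV_HOST"
verify_for_ip   "$WORKDIR" server "$LAN_IP"
echo "ok: $WORKDIR/server.crt is valid for https://$DEV_HOST and https://$LAN_IP"
echo "import $WORKDIR/ca.crt (not server.crt) as a trusted root on each LAN PC"
```

With these files, SSLCertificateFile and SSLCertificateKeyFile point at server.crt and server.key, and only ca.crt is imported into Trusted Root Certification Authorities (Local Machine store) on each LAN PC. Two caveats a practitioner will want: Firefox keeps its own trust store unless security.enterprise_roots.enabled is turned on, so a certificate imported into the Windows store is not automatically trusted there; and the live check after restarting Apache is openssl s_client -connect 192.168.10.7:443 -servername gofashion_chat.test -CAfile ca.crt, which must end with "Verify return code: 0 (ok)". The same verify_for_name call fails for a certificate whose extendedKeyUsage lacks serverAuth, which is the condition the answer above describes.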

Related

Creating a Certificate Signing Request failed

I am trying to create a Certificate Signing Request in Rust programmatically with the binding library https://docs.rs/openssl/latest/openssl/index.html.
The following commands create a CSR with the openssl CLI:
openssl ecparam -name prime256v1 \
-genkey \
-noout \
-out server.key.pem
status=$?
if [ $status -eq 1 ]; then
echo "Creating private key failed"
exit 1
fi
openssl req \
-key server.key.pem \
-subj "/CN=server.acme.io/C=CH/L=Zurich/ST=ZH/O=acme/OU=acme" \
-new -sha256 \
-out server.csr
status=$?
if [ $status -eq 1 ]; then
echo "CSR creation failed"
exit 1
fi
Unfortunately, the following code snippet using the Rust binding library does not work:
use openssl::nid::Nid;
use openssl::ec::{EcGroup, EcKey};
use openssl::error::ErrorStack;
use openssl::x509::{X509NameBuilder, X509ReqBuilder};
use openssl::hash::MessageDigest;
use openssl::pkey::PKey;

fn main() -> Result<(), ErrorStack> {
    let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1)?;
    let ec = EcKey::generate(&group)?;
    let private_key = PKey::from_ec_key(ec)?;

    let mut name = X509NameBuilder::new()?;
    name.append_entry_by_nid(Nid::COUNTRYNAME, "CH")?;
    name.append_entry_by_nid(Nid::STATEORPROVINCENAME, "ZH")?;
    name.append_entry_by_nid(Nid::LOCALITYNAME, "Zurich")?;
    name.append_entry_by_nid(Nid::ORGANIZATIONALUNITNAME, "ACME")?;
    name.append_entry_by_nid(Nid::ORGANIZATIONNAME, "ACME")?;
    name.append_entry_by_nid(Nid::COMMONNAME, "acme.io")?;

    let mut req = X509ReqBuilder::new()?;
    req.set_subject_name(name.build().as_ref())?;
    req.sign(private_key.as_ref(), MessageDigest::sha256())?;
    Ok(())
}
It shows the error message:
Error: ErrorStack([Error { code: 109052126, library: "asn1 encoding routines", function: "asn1_template_ex_i2d", reason: "illegal zero content", file: "crypto/asn1/tasn_enc.c", line: 374 }, Error { code: 109838595, library: "asn1 encoding routines", function: "ASN1_item_sign_ctx", reason: "internal error", file: "crypto/asn1/a_sign.c", line: 265 }])
What am I doing wrong? All the required fields are filled with values.

Self-Signed SSL certificate for local IP

The development certificate created by the command dotnet dev-certs https --trust works. I want to create a self-signed certificate for a local IP in my LAN.
I've created a self-signed certificate with the command:
New-SelfSignedCertificate -NotBefore (Get-Date) -NotAfter (Get-Date).AddYears(2) -Subject "192.168.1.100" -KeyAlgorithm "RSA" -KeyLength 2048 -HashAlgorithm "SHA256" -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsage KeyEncipherment -FriendlyName "HTTPS development certificate" -TextExtension @("2.5.29.19={critical}{text}","2.5.29.37={critical}{text}1.3.6.1.5.5.7.3.1","2.5.29.17={critical}{text}DNS=192.168.1.100")
Then I copied the certificate into the trusted folder in the certificate store:
After this I edited appsettings.Development.json:
"Kestrel": {
  "Endpoints": {
    "localhostHttp": {
      "Url": "http://192.168.1.100:5000"
    },
    "localhostHttps": {
      "Url": "https://192.168.1.100:5001",
      "Certificate": {
        "Subject": "192.168.1.100",
        "Store": "Root",
        "Location": "CurrentUser",
        "AllowInvalid": true
      }
    }
  }
}
But no result:
Is it possible to create a certificate like this?

mosquitto self signed certificate issue - handshake failure

I've created a self-signed CA and certs for mosquitto according to:
https://mosquitto.org/man/mosquitto-tls-7.html and
http://www.steves-internet-guide.com/mosquitto-tls/
Then I added these to the mosquitto dir and chmoded them for the mosquitto user; generally I did all that with a script which runs commands to:
- Create CA
- Create server certs
- Create client certs
#!/bin/bash
# FROM: https://mosquitto.org/man/mosquitto-tls-7.html and
# http://www.steves-internet-guide.com/mosquitto-tls/
set -e
# logging
RESTORE='\033[0m'
RED='\033[00;31m'
GREEN='\033[00;32m'
YELLOW='\033[00;33m'
BLUE='\033[00;34m'
PURPLE='\033[00;35m'
CYAN='\033[00;36m'
LIGHTGRAY='\033[00;37m'
LRED='\033[01;31m'
LGREEN='\033[01;32m'
LYELLOW='\033[01;33m'
LBLUE='\033[01;34m'
LPURPLE='\033[01;35m'
LCYAN='\033[01;36m'
WHITE='\033[01;37m'
REQNUM=0
print_err() {
echo -e "${RED}ERROR $@ ${RESTORE}"
}
print_succ() {
echo -e "${GREEN} SUCCES: $@ ${RESTORE}"
}
print_warn() {
echo -e "${BLUE} WARN: $@ ${RESTORE}"
}
# CA & SRV need to have different params for mosquitto broker to work & to avoid needles asking
SUBJ="-subj "'/C=GB/ST=London/L=London/O='"$((++REQNUM))$1"'/OU=IT_Department/CN=localhost.local'
# gen CA
gen_CA() {
print_warn "generate CA"
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 ${DAYS} -out ca.crt ${SUBJ}
}
# SERVER
gen_server_keys() {
print_warn "Generate a server key"
openssl genrsa ${PSWD} -out server.key 2048 ${SUBJ}
print_warn "Generate a certificate signing request to send to the CA"
openssl req -out server.csr -key server.key -new ${SUBJ}
print_warn "Send the CSR to the CA, or sign it with your CA key"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt ${DAYS}
}
# CLIENT
gen_client_keys() {
print_warn "Generate a client key"
openssl genrsa ${PSWD} -out client.key 2048 ${SUBJ}
print_warn " Generate a certificate signing request to send to the CA"
openssl req -out client.csr -key client.key -new ${SUBJ}
print_warn "Send the CSR to the CA, or sign it with your CA key"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -addtrust clientAuth -CAcreateserial -out client.crt ${DAYS}
}
mosq_install() {
print_warn "Install mqtt certs"
sudo systemctl stop mosquitto
sudo cp server.* ca.crt /etc/mosquitto/certs/
sudo chown -R mosquitto:mosquitto /etc/mosquitto/certs
sudo bash -c 'cat << EOF > /etc/mosquitto/conf.d/tls.conf
listener 8883
tls_version tlsv1.2
require_certificate false
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
EOF'
sudo chown -R mosquitto:mosquitto /etc/mosquitto/certs/ /etc/mosquitto/conf.d/
sudo systemctl restart mosquitto && print_warn "MQTT restarted!"
}
print_help() {
echo "usage: "
echo "--CA or --SRV or --CLI"
echo "--des3 to use passwd on cers"
echo "--days 'N' to use expirydate"
echo "--mosq install to mosquitto certs"
}
[ $1 ] || print_help
for a in "$@"; do
case "$a" in
"--CA")
gen_CA && print_succ "CA" || print_err "CA failed"
;;
"--SRV")
gen_server_keys && print_succ "server" || print_err "server keys failed"
;;
"--CLI")
gen_client_keys && print_succ "cli" || print_err "client keys failed"
;;
"--pass")
PSWD="-des3"
;;
"--days")
DAYS="-days $2"
shift
;;
"--mosq")
mosq_install && print_succ "" || print_err "install mosquitto"
;;
-h|--help)
print_help
;;
*)
print_help;
echo "bad param! $a"
;;
esac
done
After that I get this error in the mosquitto logs:
1528809795: Config loaded from /etc/mosquitto/mosquitto.conf.
1528809795: Opening ipv4 listen socket on port 8883.
1528809795: Opening ipv6 listen socket on port 8883.
1528809806: New connection from 127.0.0.1 on port 8883.
1528809806: OpenSSL Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
1528809806: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
1528809806: Socket error on client , disconnecting.
1528809809: New connection from 127.0.0.1 on port 8883
mosquitto.conf
# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
In the sourced conf.d dir, tls.conf:
listener 8883
tls_version tlsv1.2
require_certificate true
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
mosquitto_sub command to test:
mosquitto_sub -h localhost -p 8883 --cafile ca.crt -v -t '#'
The only issue I get with openssl s_client is:
"verify return code: 18 (self signed certificate)"
I can't connect with either python paho mqtt or mosquitto_sub/pub. I wanted to test connections on localhost, then make certs for my local network server and use them with my devices for testing, but I can't make it connect even on localhost.

logstash http_poller ssl certification issue

I am trying to use the logstash http_poller to query a server REST API. I downloaded the server pem through the browser and generated a jks file with keytool, but we still get the error "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". Don't know what's wrong.
The config is like below:
http_poller {
  urls => {
    restapi => {
      method => get
      url => "https://path_to_resources"
      headers => {
        Accept => "application/json"
      }
      truststore => "/path/generated.truststore.jks"
      truststore_password => "xxx"
      ssl_certificate_validation => false
      auth => {
        user => "xxx"
        password => "xxx"
      }
    }
  }
  request_timeout => 60
  interval => 60000
  codec => "json"
  metadata_target => "http_poller_metadata"
}
}
By the way, what is the impact if ssl_certificate_validation is set to false?
I interpret the OP's intention as hoping to be able to disable TLS verification, which we still can't (logstash-7.11.1), and I plow on with how to get a trust store for these cases. This Q was one of my hits in pursuit of the same.
Some appliances will be running self-signed certificates (another discussion, people...), so a small script to set up such a trust store could be helpful, especially if you are about to set up some automation internally.
Another caveat is that the self-signed certificate still has to have a matching host name.
Based on the example from https://www.elastic.co/guide/en/logstash/current/plugins-inputs-http_poller.html
NB! Further error checking, etc. is left at your discretion.
#!/bin/bash
# Fetch an http server's TLS certificate and
# create or update a JAVA keystore / truststore
usage () {
echo "usage: get-cert.sh <hostname>:<port>"
exit 1
}
TRUSTSTORE=cacert/trust.jks
PARAM=$1
HOSTNAME=$(echo "$PARAM" | cut -d: -f 1)
PORT=$(echo "$PARAM" | cut -d: -f 2)
REST=$(echo "$PARAM" | cut -d: -f 3-)
[ -z "$HOSTNAME" ] && usage
[ -z "$PORT" ] && usage
[ -n "$REST" ] && usage
OUTPUT=$(
openssl \
s_client \
-showcerts \
-connect "${HOSTNAME}":"${PORT}" </dev/null 2>/dev/null | \
openssl \
x509 \
-outform PEM)
EC=$?
[ $EC -ne 0 ] && { echo "ERROR EC=$EC - $OUTPUT" ; exit $EC ; }
keytool \
-import \
-storepass changeit \
-alias ${HOSTNAME} \
-noprompt \
-file <(echo "$OUTPUT") \
-keystore ${TRUSTSTORE}
Using some bash-specific possibilities here. The alternative is to go through temporary files, as per the official example (see link above).
Apparently your certificate is invalid.
Regarding
ssl_certificate_validation
it doesn't have a real impact; http_poller is based on manticore, a ruby library which relies on Apache HC,
which does not support this hook, see

How to generate cert with -extfile option by bcprov.jar

I need to write Java code to generate an X509 certificate with bcprov.jar.
My openssl.cnf is as below:
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
basicConstraints = CA:true
I found that JcaX509v3CertificateBuilder with the addExtension function will be OK, but I don't know how to specify the desired section.
For example, I want to set basicConstraints in the [v3_req] section to true and the one in [v3_ca] to false; how can I specify the section?
The addExtension function only accepts the basicConstraints parameter and doesn't have a parameter that accepts the section.