Following this cli command:
npm run webpack-dev-server --mode development --open --cert=../../ssl/server.pem --key=../../ssl/server.pem
I would like to add the files in my webpack.config file.. something like:
module.exports = {
...
ssl: {
cred: "../../ssl/server.pem",
key: "../../ssl/server.pem"
}
...
}
The question was open in my browser for an hour while I was trying to solve it... and eventually I did.. so hopefully I can save someone else and hour :)
link to reference
module.exports = {
...
devServer: {
https: {
key: fs.readFileSync('/path/to/server.key'),
cert: fs.readFileSync('/path/to/server.crt'),
ca: fs.readFileSync('/path/to/ca.pem'),
}
}
...
}
Maybe 3 hours.. if you need to generate your own certificate.. and Chrome just breaks.. 🤦🏾
To generate your dev certificate:
openssl req \
-newkey rsa:2048 \
-x509 \
-nodes \
-keyout server.pem \
-new \
-out server.pem \
-subj /CN=localhost \
-reqexts SAN \
-extensions SAN \
-config <(cat /System/Library/OpenSSL/openssl.cnf \
<(printf '[SAN]\nsubjectAltName=DNS:localhost')) \
-sha256 \
-days 3650
Related
I am trying to create a Certificate Signing Request in Rust programmatically with the binding library https://docs.rs/openssl/latest/openssl/index.html.
The following statement creates a CSR with openssl library:
openssl ecparam -name prime256v1 \
-genkey \
-noout \
-out server.key.pem
status=$?
if [ $status -eq 1 ]; then
echo "Creating private key failed"
exit 1
fi
openssl req \
-key server.key.pem \
-subj "/CN=server.acme.io/C=CH/L=Zurich/ST=ZH/O=acme/OU=acme" \
-new -sha256 \
-out server.csr
status=$?
if [ $status -eq 1 ]; then
echo "CSR creation failed"
exit 1
fi
Unfortunately, the following code snippet using the Rust binding library does not work:
use openssl::nid::Nid;
use openssl::ec::{EcGroup, EcKey};
use openssl::error::ErrorStack;
use openssl::x509::{X509NameBuilder, X509ReqBuilder};
use openssl::hash::MessageDigest;
use openssl::pkey::{PKey};
fn main() -> Result<(), ErrorStack> {
let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1)?;
let ec = EcKey::generate(&group)?;
let private_key = PKey::from_ec_key(ec)?;
let mut name = X509NameBuilder::new()?;
name.append_entry_by_nid(Nid::COUNTRYNAME, "CH")?;
name.append_entry_by_nid(Nid::STATEORPROVINCENAME, "ZH")?;
name.append_entry_by_nid(Nid::LOCALITYNAME, "Zurich")?;
name.append_entry_by_nid(Nid::ORGANIZATIONALUNITNAME, "ACME")?;
name.append_entry_by_nid(Nid::ORGANIZATIONNAME, "ACME")?;
name.append_entry_by_nid(Nid::COMMONNAME, "acme.io")?;
let mut req = X509ReqBuilder::new()?;
req.set_subject_name(name.build().as_ref())?;
req.sign(private_key.as_ref(), MessageDigest::sha256())?;
Ok(())
}
It shows the error message:
Error: ErrorStack([Error { code: 109052126, library: "asn1 encoding routines", function: "asn1_template_ex_i2d", reason: "illegal zero content", file: "crypto/asn1/tasn_enc.c", line: 374 }, Error { code: 109838595, library: "asn1 encoding routines", function: "ASN1_item_sign_ctx", reason: "internal error", file: "crypto/asn1/a_sign.c", line: 265 }])
What am I doing wrong? All the required fields are filled with values.
I've created self signed CA and certs for mosquito acording to:
https://mosquitto.org/man/mosquitto-tls-7.html and
http://www.steves-internet-guide.com/mosquitto-tls/
Then added these to mosquitto dir and chmoded for mosquitto user, generally did that all with script which runs commands to:
- Create CA
- Create server certs
- Create client certs
#!/bin/bash
# FROM: https://mosquitto.org/man/mosquitto-tls-7.html and
# http://www.steves-internet-guide.com/mosquitto-tls/
set -e
# logging
RESTORE='\033[0m'
RED='\033[00;31m'
GREEN='\033[00;32m'
YELLOW='\033[00;33m'
BLUE='\033[00;34m'
PURPLE='\033[00;35m'
CYAN='\033[00;36m'
LIGHTGRAY='\033[00;37m'
LRED='\033[01;31m'
LGREEN='\033[01;32m'
LYELLOW='\033[01;33m'
LBLUE='\033[01;34m'
LPURPLE='\033[01;35m'
LCYAN='\033[01;36m'
WHITE='\033[01;37m'
REQNUM=0
print_err() {
echo -e "${RED}ERROR $# ${RESTORE}"
}
print_succ() {
echo -e "${GREEN} SUCCES: $# ${RESTORE}"
}
print_warn() {
echo -e "${BLUE} WARN: $# ${RESTORE}"
}
# CA & SRV need to have different params for mosquitto broker to work & to avoid needles asking
SUBJ="-subj "'/C=GB/ST=London/L=London/O='"$((++REQNUM))$1"'/OU=IT_Department/CN=localhost.local'
# gen CA
gen_CA() {
print_warn "generate CA"
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 ${DAYS} -out ca.crt ${SUBJ}
}
# SERVER
gen_server_keys() {
print_warn "Generate a server key"
openssl genrsa ${PSWD} -out server.key 2048 ${SUBJ}
print_warn "Generate a certificate signing request to send to the CA"
openssl req -out server.csr -key server.key -new ${SUBJ}
print_warn "Send the CSR to the CA, or sign it with your CA key"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt ${DAYS}
}
# CLIENT
gen_client_keys() {
print_warn "Generate a client key"
openssl genrsa ${PSWD} -out client.key 2048 ${SUBJ}
print_warn " Generate a certificate signing request to send to the CA"
openssl req -out client.csr -key client.key -new ${SUBJ}
print_warn "Send the CSR to the CA, or sign it with your CA key"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -addtrust clientAuth -CAcreateserial -out client.crt ${DAYS}
}
mosq_install() {
print_warn "Install mqtt certs"
sudo systemctl stop mosquitto
sudo cp server.* ca.crt /etc/mosquitto/certs/
sudo chown -R mosquitto:mosquitto /etc/mosquitto/certs
sudo bash -c 'cat << EOF > /etc/mosquitto/conf.d/tls.conf
listener 8883
tls_version tlsv1.2
require_certificate false
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
EOF'
sudo chown -R mosquitto:mosquitto /etc/mosquitto/certs/ /etc/mosquitto/conf.d/
sudo systemctl restart mosquitto && print_warn "MQTT restarted!"
}
print_help() {
echo "usage: "
echo "--CA or --SRV or --CLI"
echo "--des3 to use passwd on cers"
echo "--days 'N' to use expirydate"
echo "--mosq install to mosquitto certs"
}
[ $1 ] || print_help
for a in $#; do
case "$a" in
"--CA")
gen_CA && print_succ "CA" || print_err "CA failed"
;;
"--SRV")
gen_server_keys && print_succ "server" || print_err "server keys failed"
;;
"--CLI")
gen_client_keys && print_succ "cli" || print_err "client keys failed"
;;
"--pass")
PSWD="-des3"
;;
"--days")
DAYS="-days $2"
shift
;;
"--mosq")
mosq_install && print_succ "" || print_err "install mosquitto"
;;
-h|--help)
print_help
;;
*)
print_help;
echo "bad param! $a"
;;
esac
done
After that I get error in mosquitto logs:
159 1528809795: Config loaded from /etc/mosquitto/mosquitto.conf.
160 1528809795: Opening ipv4 listen socket on port 8883.
161 1528809795: Opening ipv6 listen socket on port 8883.
162 1528809806: New connection from 127.0.0.1 on port 8883.
163 1528809806: OpenSSL Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
164 1528809806: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
165 1528809806: Socket error on client , disconnecting.
166 1528809809: New connection from 127.0.0.1 on port 8883
mosquitto.conf
# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
In sourced conf.d dir tls.conf:
listener 8883
tls_version tlsv1.2
require_certificate true
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
mosquitto_sub command to test:
mosquitto_sub -h localhost -p 8883 --cafile ca.crt -v -t '#'
The only issue in I get with openssl s_client I get is:
"verify return code: 18 (self signed certificate)"
I can't connect with either python paho mqtt, or mosquitto_sub/pub. I've wanted to test connections on localhost, then make certs for my local network server and use it with my devices for testing - but can't make it connect even on localhost.
I am trying to use logstash http_poller to query a server RESTAPI. I download the server pem through explore, and generate jks file with keytool. but we still get error "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". Don't know what wrong.
The config like below:
http_poller {
urls => {
restapi => {
method => get
url => "https://path_to_resources
headers => {
Accept => "application/json"
}
truststore => "/path/generated.truststore.jks"
truststore_password => "xxx"
ssl_certificate_validation => false
auth => {
user => "xxx"
password => "xxx"
}
}
}
request_timeout => 60
interval => 60000
codec => "json"
metadata_target => "http_poller_metadata"
}
}
By the way, what impact if ssl_certificate_validation is set as false?
I interpret OPs intention as to hopefully being able to disable TLS verification, which we still cant (logstash-7.11.1) and I plow on with how to get a trust store for these cases. This Q was one of my hits in pursuit of the same.
Some appliances will be running self signed certificates (another discussion ppl...) - so a small script to setup such a trust store could be helpful, especially if you are about to set up some automation internally.
Another caveat is that the self signed certificate still has to have a matching host name.
Based on the example from https://www.elastic.co/guide/en/logstash/current/plugins-inputs-http_poller.html
NB! Further error checking, etc. is left at your discretion.
#!/bin/bash
# Fetch an http server's TLS certificate and
# create or update a JAVA keystore / truststore
usage () {
echo "usage: get-cert.sh <hostname>:<port>"
exit 1
}
TRUSTSTORE=cacert/trust.jks
PARAM=$1
HOSTNAME=$(echo "$PARAM" | cut -d: -f 1)
PORT=$(echo "$PARAM" | cut -d: -f 2)
REST=$(echo "$PARAM" | cut -d: -f 3-)
[ -z "$HOSTNAME" ] && usage
[ -z "$PORT" ] && usage
[ -n "$REST" ] && usage
OUTPUT=$(
openssl \
s_client \
-showcerts \
-connect "${HOSTNAME}":"${PORT}" </dev/null 2>/dev/null | \
openssl \
x509 \
-outform PEM)
EC=$?
[ $EC -ne 0 ] && { echo "ERROR EC=$EC - $OUTPUT" ; exit $EC ; }
keytool \
-import \
-storepass changeit \
-alias ${HOSTNAME} \
-noprompt \
-file <(echo "$OUTPUT") \
-keystore ${TRUSTSTORE}
Using some bash specific possibilities here. The alternative is to go through temporary files, as pr the official example (see link above).
Apparently your certificate is invalid .
Regarding
ssl_certificate_validation
it doesn't have real impact , http-puller is based on manticore, a ruby libary which relay on Apache HC
which does not support this hook see
So I've been trying to implement ABAC authorization in the kubernetes API, with the following arguments in my kube-api manifest file.
- --authorization-mode=ABAC
- --authorization-policy-file=/etc/kubernetes/auth/abac-rules.json
And the following content in the abac-rulse.json file.
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"*", "nonResourcePath": "*", "readonly": true}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*" }}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": false}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "apiGroup": "*", "namespace": "*", "resource": "*", "readonly": false }}
However, the kubelets can't seem to connect to the api servers. I read that the username is taken from the CN field of the -subject in the certificate used to authenticate the connection, see here. In this case that's the fqdn of the hose, i've tried that too with no luck.
Any ideas what i'm doing wrong?
Cheers in advance
Edit:
I'm using Kubernetes version 1.2.2, both kubectl and hyperkube docker image.
Figured out the answer, documenting here for anyone else having the same issue with ABAC.
The kubelet user is define in the worker configuration, which in my case is a yaml file which i store here - /etc/kubernetes/worker-kubeconfig.yaml, the content of which is shown below:
apiVersion: v1
kind: Config
clusters:
- name: default
cluster:
server: https://10.96.17.34:8443
certificate-authority: /etc/kubernetes/ssl/ca.pem
users:
- name: kubelet
user:
client-certificate: /etc/kubernetes/ssl/worker.pem
client-key: /etc/kubernetes/ssl/worker-key.pem
contexts:
- context:
cluster: default
user: kubelet
name: kubelet-context
current-context: kubelet-context
So the user it's connecting with is kubelet.
In my case I had create my certificates with the CN=${MINION_FQDN}, and since this did not match "kubelet" then the ABAC policies weren't met. I regenerated my certifcates with the following arguments and now the nodes authenticate succesfully :)
# Create worker key
openssl genrsa -out $OUT/${WORKER_HOSTNAME}/worker-key.pem 2048
#Creating Worker CSR...
WORKER_FQDN=${WORKER_FQDN} WORKER_IP=${WORKER_IP} openssl req -new -key $OUT/${WORKER_HOSTNAME}/worker-key.pem -out $OUT/${WORKER_HOSTNAME}/worker.csr -subj "/CN=kubelet" -config $SSL_CONFIG
# Creating Worker Cert
WORKER_FQDN=${WORKER_FQDN} WORKER_IP=${WORKER_IP} openssl x509 -req -in $OUT/${WORKER_HOSTNAME}/worker.csr -CA $CA/ca.pem -CAkey $CA/ca-key.pem -CAcreateserial -out $OUT/${WORKER_HOSTNAME}/worker.pem -days 365 -extensions v3_req -extfile $SSL_CONFIG
The important part of which is this:
-subj "/CN=kubelet"
Hope this helps someone else.
I create a db with certutil
myproject/bin/pkcert
echo "dartdart" > pwdfile
certutil -N -d 'sql:./' -f pwdfile
Then, I import my certificate validated by an authority
certutil -d "sql:./" -A -t "C,C,C" -n "my_cert" -i certificate.crt
I check if it work
certutil -L -d 'sql:./'
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
my_cert C,C,C
My main.dart
library main;
import "dart:io";
void main() {
var testPkcertDatabase = Platform.script.resolve('./pkcert')
.toFilePath();
SecureSocket.initialize(database: testPkcertDatabase,
password: 'dartdart');
HttpServer
.bindSecure(InternetAddress.ANY_IP_V6,
8443,
certificateName: 'my_cert')
.then((server) {
server.listen((HttpRequest request) {
request.response.write('Hello, world!');
request.response.close();
});
});
}
I execute, and I get this error:
Uncaught Error: CertificateException: Cannot find server certificate by nickname: my_cert (OS Error: security library: read-only database., errno = -8126)
I missed something or I should report a bug?
Thank you.
Have you tried to add -s "cn=mycert" to
certutil -d "sql:./" -A -t "C,C,C" -n "my_cert" -i certificate.crt
and use it with
HttpServer
.bindSecure(InternetAddress.ANY_IP_V6,
8443,
certificateName: 'CN=my_cert')
as shown in this blog post http://jamesslocum.com/post/70003236123 ?