Heroku CLI error: unable to get local issuer certificate - ssl

I am behind in my company's firewall. We use a certificate file *.crt provided from our company to access SSL enabled web sites.
So I am getting unable to get local issuer certificate error when using heroku login.
I am using Windows 10 and Heroku CLI 7.14.1 and tried adding HEROKU_SSL_VERIFY=disable and SSL_CERT_FILE=C:\certificate.crt as environment variable but no success.
How can I solve that?

Solved from https://devcenter.heroku.com/articles/using-the-cli
Add an environment variable as NODE_EXTRA_CA_CERTS that points to the certificate.
For Windows:
set NODE_EXTRA_CA_CERTS=C:\path\to\ca_cert.pem or .crt
For Linux:
export NODE_EXTRA_CA_CERTS=/path/to/ca_cert.pem

For Windows 10:
Go to System variable (Windows logo key > type: "environment variables" > click Environment Variables button)
Check/Set Variable SSL_CERT_DIR=YourCetrFolder
Certificate folder Example:

Ask your organization network team to provide the ca cert or pem file. Once you have the cer or .pem file in your local computer, place it in some directory and set it in environment variable.
For example: I have .pem file placed in this location. 'C:\keys\xxx.pem'.
In environment variable i will add new system variable with below given name and value.
Variable Name: 'NODE_EXTRA_CA_CERTS'
Variable Value: 'C:\keys\xxx.pem'
Once the above steps are followed, open command prompt (close if you have one already opened) and try to enter 'heroku login' and press any key on your keyboard to take you to browser. It will take you to browser to authenticate your user credentials. If your organization has SSO enabled it will take care of itself if not you have to enter your heroku user credentials to authenticate. Once successfully authenticated, you will get back to command prompt with below messages.
Opening browser to 'https://cli-auth.heroku.com/auth/cli/browser/XXXXXXXX'
Logging in... done
Logged in as 'your user name appear here'
That's it.

Related

How can I sign an Oracle VirtualBox virtual appliance (.OVA)

I want to sign an Oracle VirtualBox Virtual Appliance, an OVA file. I am looking for instructions.
I have had extensive conversations with Comodo and Sectigo. They don't know how and had trouble even understanding the question.
When I load my VM in VirtualBox it says that it is unsigned but gives no information as to how to correct that.
I have a code signing certificate, and I have no trouble signing and timestamping an executable file:
signtool sign /t http://timestamp.comodoca.com t_hello.exe
Done Adding Additional Store
Successfully signed: t_hello.exe
Attempting with an .ova file gives an error:
signtool sign /t http://timestamp.comodoca.com ACoreTpl.ova
Done Adding Additional Store
SignTool Error: This file format cannot be signed because it is not recognized.
SignTool Error: An error occurred while attempting to sign: ACoreTpl.ova
I took a shot at downloading a tool from VMWare, but it did not work on my VirtualBox appliance. It just gave error messages.
Unless the error message is meaningless and just hardcoded in VirtualBox, there is code inspecting something. I really don't want to go fishing through the code, but at this point it seems like I might have to.
The purpose of this exercise is so that I can publish a working system as a virtual appliance that is 'known good' and can be verified as the real thing when it loads.
[Note: There are images in the document I pasted this from, but they would not paste in here.]
I was able to muddle through a work-around. The workaround involves getting a tool from VMWare (ovftool.exe), which seems a bit strange. It allows the import of the OVA, showing the certificate and marking it as 'safe'. It still has a couple of issues. One is an annoying warning message issued while creating the signed file, for which I was unable to find a cure. The other is that it does not seem to contact a timeserver to timestamp the file. Presumably that means that when the signing certificate expires, you get warnings again when loading.
I would still like to know how you are supposed to do it properly according to Oracle. Surely, Oracle is not using VMWare's software to sign their Virtual Appliances.
This is my journey under Windows 10. At the end, I have a publishable appliance.
You need a virtual appliance (*.ova)
You need a signing certificate.
You need to have OpenSSL installed.
You need the program ovftool.exe from VMWare
To get the .ova file, you need to export one of your VMs as a virtual appliance:
Open the export virtual appliance dialog:
File->Export Appliance [Alternatively E]
Choose the virtual machine to export. Fill in whatever Virtual system settings apply.
For appliance settings, set the Format to Open Virtualization Format 1.0
Make sure the 'Write Manifest file' checkbox is checked.
Click on the button to write file.
You should have the signing certificate installed in the certificate store. If you don't have this already, you need to consult your certificate provider.
To get the signing certificate in a usable form, you have to jump through a few hoops to get an old-timey Privacy Enhanced Mail (PEM) file.
You need to get the certificate into a file first.
Start the Certificate Manager by running certmgr.msc
Open Personal->Certificates and right-click on your signing certificate
Open the All tasks menu and choose Export
This should open the Certificate Export Wizard
Click [Next]
Choose the radio button marked "Yes, export the private key"
Click [Next]
Choose "Personal Information Exchange - PKCS (.PFX)"
Check "Include all certificates in the certification path if possible"
Check "Export all extended properties"
Check "Enable certificate privacy"
Click [Next]
Check the Password checkbox, and enter and confirm a password [using password "IMPPass" in this example]
Change the Encryption dropdown to AES256-SHA256
Click [Next]
Assign the filename and path for the exported certificate. In this example, I called it "MyCert". Note that you don't put the file extension on the name here. The Certificate Export Wizard adds it when it writes the file. You should save it on the path where you saved the OVA file.
Click [Next]
Review settings and Click
It should pop up a message box saying the export was successful. Dismiss it by clicking on the button.
You need to do the next steps at the command line.
Open a console window.
Change to the directory where you have saved your OVA and PFX files.
cd c:<yoursavelocation>
You now need to convert the certificate to a form that can be used (.pem). To do this, you need to use OpenSSL. Here is the form of the command:
openssl pkcs12 -in MyCert.pfx -out MyCert.pem
Respond to the prompts for Import Password and PEM pass phrase:
Enter Import Password: IMPPass
Enter PEM pass phrase: PEMPass
Verifying - Enter PEM pass phrase: PEMPass
Finally, you can sign the exported OVA with ovftool with a command like this:
ovftool --privateKey=MyCert.pem --shaAlgorithm=SHA1 DamnSmall.ova DSL.ova
Opening OVA source: DamnSmall.ova
Opening OVA target: DSL.ova
Writing OVA package: DSL.ova
Transfer Completed
The manifest validates
Enter passphrase for MyCert.pem: PEMPass
A warning is issued here, but it will not interfere with the signing.
Warning:
No supported manifest(sha1, sha256, sha512) entry found for: 'DamnSmall-disk001.vmdk'.
Completed successfully
At this point, there should be a signed file called DSL.ova. It will indicate that when imported in VirtualBox.
To test, import the newly created and signed OVA file. Open the import dialog:
File->Import Appliance or alternatively I
Enter the path and name of the signed Virtual Appliance.
Click [Next]
The Appliance settings dialog should have text in the bottom left corner indicating that you have signed the appliance, and that it is trusted.
Appliance is signed

What is the password for a Local HubL Server?

I am following the documentation here http://designers.hubspot.com/docs/tools/local-hubl-server but when running the local-hubl-server Batch file (after unzipping the package), the browser opens a username/password window. What are the credentials? I tried root/root, admin/admin and blank username and password. I also checked the config.yaml file but I couldn't see any parameter to set the username and password. I am running on Windows 7 and JDK 1.8.0_144
Issue was another service was running in the same port as the HubL server was supposed to run. Edited the port in the config.yaml file and no username/password prompt appeared anymore.

Why won't fiddler install my certificate windows 8? - unable to configure windows to trust Fiddler Root certificate

I have an application which is making calls to twitter and I need to inspect the traffic so that I can learn more about oAuth.
When I double click the ssl traffic I get a yellow box which prompts me to go and change the options (by the way I am running my app through a proxy).
After having read about using a certificate on my machine which fiddler creates I have clicked the link to let fiddler install certificates on my machine by following these instructions...
http://docs.telerik.com/fiddler/configure-fiddler/tasks/configurefiddlerforwin8
However instead of this happening...
I get this error message...
"unable to configure windows to trust Fiddler Root certificate" here is a screen shot....
When I checked the logs as suggested (although is confusing as I thought the log was to do with each individual request), anyway I saw this...
I have even tried installing the certificate manually no no avail. Hope someone can help me get fiddler/ssl decryption working with windows 8! :-)
UPDATE : In response to Erics questions he made in the below answer...
Hi Eric thanks for replying.
1) A box popped up saying 'Certificate Trust' this is the box I have taken a screen shot of above. It was the box that told me to check the log.
2) I have an account and when I check my users it says I am an Administrator underneath my username.
3) I have tried to run Fiddler as an Administrator to no avail.
I also tried to drag and drop the certificate manually into the certmgr.msc tool and it comes up with a little round cursor with a line through it. Sounds like permissions but I just cant see why as I have full everything....
I finally found a way to workaround cases where group policy tries to limit who you can trust.
METHOD 1
Go into the fiddler HTTPS options and export the root cert to your
desktop.
Open up mmc.exe and add in the certificate widgets for
Local Computer
Import the fiddler certificate into the Third-Party
Root Certificate Store
Go ahead and use fiddler and see it generate new certs and watch your system trust them.
Method 2
Run afoul and bypass an intentional security control.
reg delete HKLM\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots /f
Go back into fiddler HTTP options, and toggle Decrypt HTTPS traffic off and on again. press okay to install the cert in the usual way
maybe run a gpupdate /force to get your setting back to the way your admins intended.
For insight, the problem group policy settings may look something like this:
If you have any Flags value in your registry under Local_Machine \ Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots, this lock-down is probably in effect.
#EricLaw - Are you up for maybe changing fiddler to try to import into the third-party store by default? It seems like the "third-party store" may be less subject to lockdown.
This is the best write-up of third-party-store i've seen: http://kreelbits.blogspot.com/2014/02/whats-purpose-of-users-third-party-root.html
I managed to solve a similar problem I was having (in windows 7) by following the instructions here: http://casualtechs.blogspot.com.au/2010/06/problem-when-trying-to-import.html (with the only difference being that we want to add the Fiddler certificate to "Trusted Root Certification Authorities -> Local Computer" instead of the "Trusted Publishers" that is mentioned on that site). My modified steps were:
Obtain the Fiddler root certificate from the "fiddler options" -> "Https" -> "Export root certificate to desktop" menu
Open the certificate (double click on it)
Click on the Install certificate button
Click the "Next" button
Select "Place all certificates in the following store"
Click the "Browse" button
Tick the "Show physical stores" checkbox
Expand the "Trusted Root Certification Authorities" folder
Click "Local Computer"
Click the "OK" button.
Click the "Next" button, then click the "Finish" button
Basically the bit I was missing when trying to import the Fiddler Root certificate was to drill down into the "Local Computer" folder underneath the "Trusted Root Certification Authorities" folder. You will have to make sure that the "Show physical stores" checkbox is ticked as shown below:
The error message in question indicates that your Per-User certificate store does not allow you to put certificates into it. Sometimes this happens if your Corporate Group Policy prevents end-users from trusting certificates. Sometimes it happens if your software configuration has been changed by 3rd party software (E.g. VPN or security clients). Sometimes it happens when there's a corrupt ACL somewhere.
Questions
What dialog box immediately preceded the error message on the Log
tab?
Are you an admin on the box?
If so, if you run Fiddler as Admin and try again does it succeed or fail?
Workarounds
If #3 doesn't work, click the Export root certificate to desktop button. Then launch certmgr.msc using Start > Run. Attempt to drag the certificate from your Desktop into the Trusted Root Certification Authorities folder. What, if any, error messages are shown?
When configuring Telerik's Fiddler to handle HTTPS, I could not get root certificate installed. The error was "Failed to find the root certificate in User Root List". I solved the problem by temporarily turning off WebRoot, my antivirus program, then reattempting to enable HTTPS handling which installs Fiddler's root certificate. You may have to click the Action button on the HTTPS tab to remove/reset previous certificates before being able to create a new certificate.
I reset my certificates by Tool > Options > HTTPs > Action > Reset all certificates but it doesn't work.
This is how I fixed my problem
Restart service CryptSvc.
Right click HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
Permission > Current Windows Users > Full Access
Delete Full Key HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
Restart Windows and that's it
Ref: https://www.addictivetips.com/windows-tips/fix-chrome-not-working-windows-10/

SSH to Amazon EC2 instance using PuTTY in Windows

I am a newbie to Amazon web services, was trying to launch an Amazon instance and SSH to it using putty from windows. These are the steps I followed:
Created a key pair.
Added a security group rule for SSH and HTTP.
Launched and instance of EC2 using the above key pair and security group.
Using PuTTYgen converted the *.pem file to *.ppk
Using putty tried connecting to the public DNS of the instance and provided the *.ppk file.
I logged in using 'root' and 'ec2-user', and created the PPK file using SSH1 and SSH2, for all these attempts I get the following error in putty,
"Server refused our key"
Can you guys please help, any suggestions would be greatly appreciated.
I assume that the OP figured this out or otherwise moved on, but the answer is to use ubuntu as the user (if the server is ubuntu).
1) Make sure you have port 22 (SSH) opened in Security Group of EC2 Instance.
2) Try connecting with Elastic IP instead of public DNS name.
I hope you have followed these steps Connecting EC2 from a Windows Machine Using PuTTY
Another situation where I got the "Server refused our key" error when using putty, from windows, to ssh to an EC2 instance running ubuntu:
The private key was wrongly converted from .pem to .ppk.
puttygen has two options for "converting keys".
Load your .pem file into puttygen using the File->Load Private Key option and then save as .ppk file using the Save Private Key Button.
DO NOT use the menu option Conversions->Import Key to load the .pem file generated by EC2.
See the puttygen screenshots below, with the two menu options marked.
Check the username, it should be "ubuntu" for your machine.
Check if traffic is enabled on port 22 in Security group.
Check if you are using the correct url i.e ubuntu#public/elasticip
Maybe worth of checking one more thing. Go to AWS console, right mouse click on the instance and choose "Connect...". It will show you the DNS name that you want to use. If you restarted that instance at some point, that DNS name could have changed.
I had a similar problem when I tried to connect an instance created automatically by the Elastic Beanstalk service (EBS). But, once I linked my existing key name to the EBS (under Environment Details -> Edit Configuration -> Server Tab -> Existing Key Pair), I was able to login with 'ec2-user' and my existing key file (converted to .ppk) with putty.
This, however, terminates the running instance and rebuilds a new instance with access through the key pair named above.
Just in case it helps anyone else, I encountered this error after changing the permissions on the home folder within my instance. I was testing something and had executed chmod -R 777 on my home folder. As soon as this had occurred, once I had logged out I was effectively locked out.
You won't face this error if you SSH AWS directly using ".pem" file instead of converted ".ppk" file.
1) Use Git Bash instead of putty. Since you can run all the Linux commands in Git Bash. By installing Git you get to access Git Bash Terminal
2) Right click from the folder where you have ".pem" and select "Git Bash Here".
3) Your key must not be publicly viewable for SSH to work. So run "chmod 400 pemfile.pem".
4) Connect to your instance using its Public DNS - "ssh -i "pemfile.pem" ec2-user#ec2-x-x-x-x.us-west-1.compute.amazonaws.com"
5) Make sure to whitelist your Network IP for SSH in your_instance->security_group->inbound_rules
I assume you're following this guide, and connecting using the instructions on the subsequent page. Verify a couple of things:
You converted the key correctly, e.g. selected the right .pem file, saved as private key, 1024-bit SSH-2 RSA
The Auth settings (step 4 in the connection tutorial) are correct
I was having the same trouble (and took the same steps) until I changed the user name to 'admin' for the debian AMI I was using.
You should lookup the user name ofthe AMI you are using. The debian AMI is documented here
http://wiki.debian.org/Cloud/AmazonEC2Image/Squeeze
I have had this same problem. The AMI you are using is the one that is also used by the "Cloud Formation" templating solution.
In the end I gave up with that, and created a Red Hat instance. I was then able to connect by SSH fine using the user root.
The instructions here: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html work fine using a Red Hat instance but not using an Amazon Linux instance. I assume they have some username that I didn't think to try (root, ec2-user, and many other obvious ones, all were refused)
Hope that helps someone!
I use Debain AMI and I try ec2-user, root but correct login is 'admin'.
I was getting the same error when I tried to create a new key pair and tried to use that new pem/ppk file. I noticed that the Key Pair Name field on the instance was still the old one and in poking around. Apparently, you can't change a key pair. So I went back to the original key pair. Fortunately, I didn't delete anything so this was easy enough.
Try an alternative SSH client, like Poderosa. It accepts pem files, so you will not need to convert the key file.
If you already have a key pair, follow these steps:
Convert *.pem to *.ppk using PuTTYgen (Load pem file key then Save ppk)
Add ppk auth key file to Putty SSH>Auth options
Enter "Host Name (or IP address)" field: ubuntu#your-ip-address-of-ubuntu-ec2-host))

Safari doesn't detect my Extension Certificate

I have registered for the Safari Development Program and have a valid Apple ID. I've followed all the steps given by Apple.
The problem is that Windows XP (Service Pack 2) does not recognize the command 'certreq', whereas the instructions said it would work on any Windows machine.
However, the command 'certreq' was working on Windows Vista on the machine of my co-worker's, I downloaded the certificate (the .cer file) and installed it and Safari detected it.
However, I don't have Windows Vista.
I installed Windows 7 now on my machine, the command 'certreq' works and I have the Safari Extension Certificate (the .cer file) but when I open Safari's Extension Builder, my certificate does not appear there.
I entered mmc in Start --> Run and checked if the certificate was installed there. It was in the 'Other People' but not in 'Personal'.
Even on Internet Explorer 7+, when I go to Tools --> Internet Options --> Content (Tab) --> Certificates, the certificate is not there in the Personal tab, (WHEREAS IT GOT INSTALLED IN THE PERSONAL FOLDER AUTOMATICALLY IN WINDOWS VISTA). I tried importing the certificate (the .cer file) into the Peronal folder, the import is successful but still neither does it appear in the personal folder nor does Safari recognize/detect it when I go to the Extension Builder.
ANY HELP?!
I need to make an extension for my office project and the deadline is approaching. I really need to get it done.
Thanks a million in anticipation.
I was facing the similar problem. After struggling a lot the following worked for me:
Install (Windows Server 2003 service pack 2) Administration Tools pack as shown on “Generate a Certificate Signing Request” screen shown by Safari Extension Certificate assistant: http://www.microsoft.com/download/en/confirmation.aspx?id=6315
Install IIS resource kit for SelfSSL- http://www.microsoft.com/download/en/confirmation.aspx?id=17275
As indicated by Safari Extension certificate assistant, save the following as certreq.txt --https://devimages.apple.com.edgekey.net/safari/files/certreq.txt
Run cmd, and then change directory to where you saved certreq.txt
On command prompt type: certreq –new certreq.txt newcsr.pem
Press Continue on the Safari Assistant screen, and upload this newcsr.pem
It will generate a certificate that you need to install by double-clicking on the installed file.
You are done!
Go to Develop (in Safari menu bar)>> Show Extension Builder >> Click + and select new extension.
By generating the cert request on another machine you don't have the private key associated with the cert on your own. Generate a cert request on your Win7 machine now, go get a new cert from Apple, and it should work fine.
To use the certificate on Windows, I needed to click on the file that was created (safari_identity.cer). That installed the certificate in the Windows Certificate store. Rrun certmgr.msc and look under the Personal..Certificates folder to see it. My installed cert looked something like this in the Microsoft Management Console for Certificates: "Safari Developer: (xxxxxxxxxxx) me#zzz.com".
this is an answer for Mac users who may be experiencing this problem.
Once you install your certificate, double click it, go under Trust, and set Always Trust for When using this certificate. Your certificate should work then.
It's got something to do with the private key - On me Vista it says CertReq: Request Created and it installs fine, but then on Windows 7 it just creates the file and when you look at the info before/after install it doesn't display that it is associated with the private key on the computer. Very confused I am.
when you enter something like "certmgr.msc" in the run command in window, you will get to see something like this:
So using the certificate consists of the following steps:
first save the file and run the command in cmdd.exe as directed in the developer certificate generator in extension certificate developer.
when you are done, check the certmgr [shown above in the image] and see a certificate named safari developer installed somewhere near Certificate Enrollment Requests. cut the certificate and paste one copy inside trusted root certification Authorities and another inside Personal.
then generate the csr file and install the file inside Personal folder and trusted root certification Authorities folder.
extension builder will recognize the certificate.
Best of luck.
If the certificate has an incomplete chain, it may be necessary to install the certificates on Apple's certificate page . I believe "Worldwide Developer Relations" (and possibly the 2 root certificates) are necessary for Safari Development.