Windows Chef to add ssl certificate and bind to IIS - ssl

I am using the Windows Chef cookbook https://supermarket.chef.io/cookbooks/windows/versions/5.0.0#readme
to create and bind SSL.
First I tried:
# Create/update certificate
windows_certificate "create cert" do
  source "c://hn/ssl/cert.pfx"
  pfx_password "{cert_pass}"          # placeholder for the PFX password
  store_name "WEBHOSTING"
  action :create
end
# Bind certificate
windows_certificate_binding "bind to IIS" do
  action :create
  cert_name "{my_ssl_hash_number}"    # placeholder for the certificate thumbprint
  name_kind :hash
  port 443
  store_name "WEBHOSTING"
end
And I'm getting the error below:
STDOUT: SSL Certificate add failed, Error: 1312 A specified
logon session does not exist. It may already have been terminated.
I did some research; it looks like the cert I imported is not exportable and I need to grant private key access. Reference:
SSL Certificate add failed when binding to port
And below is my second attempt:
# Create/update certificate
windows_certificate "create cert" do
  source "c://hn/ssl/cert.pfx"
  pfx_password "{cert_pass}"          # placeholder for the PFX password
  store_name "WEBHOSTING"
  private_key_acl ["IIS_IUSRS"]
  action [:create, :acl_add]
end
# Bind certificate
windows_certificate_binding "bind to IIS" do
  action :create
  cert_name "{my_ssl_hash_number}"    # placeholder for the certificate thumbprint
  name_kind :hash
  port 443
  store_name "WEBHOSTING"
end
However, I'm still getting an error:
STDOUT:
STDERR: C:\Users\Administrator\AppData\Local\Temp\chef-script20180823-492-10cuvyo.ps1
: no private key exists.
Can anyone help me out? How can I correctly import the SSL certificate and bind it to IIS? Thanks in advance.

Below is the Chef recipe I have used to bind the SSL certificate and the HTTPS port. I have also taken care that if a new certificate gets added, it should be added.
hostname = node['hostname']
hostnamelike = 'CN=' + node['hostname'].to_s + '*'
powershell_script 'find ssl certificate on local machine root and assign certificate' do
  code <<-EOH
    Import-Module WebAdministration   # provides Get-WebBinding / New-WebBinding
    $iisSite='your site name'
    $hostname="#{hostname}"
    $hostnamelike="#{hostnamelike}"
    $protocol='https'
    $port=443
    # Drop any existing binding on the port, then pick the first LocalMachine\\My cert whose subject matches this host
    Get-WebBinding -Port $port -Name $iisSite | Remove-WebBinding
    $guid_value = [GUID]::NewGUID().ToString('B')
    $thumbprint = (Get-ChildItem cert:\\LocalMachine\\my | where-object { $_.Subject -like $hostnamelike } | Select-Object -First 1).Thumbprint
    if (-not $thumbprint) { throw "No certificate with a subject like $hostnamelike found in LocalMachine\\My" }
    New-WebBinding -Name $iisSite -IP "*" -Port $port -Protocol $protocol
    # netsh exits with 1 when nothing is bound on the port; otherwise replace the existing binding
    netsh http show sslcert ipport=0.0.0.0:$port
    if ($LASTEXITCODE -eq 1) {
      netsh http add sslcert ipport=0.0.0.0:$port certhash=$thumbprint appid=$guid_value certstorename=MY
    }
    else {
      netsh http delete sslcert ipport=0.0.0.0:$port
      netsh http add sslcert ipport=0.0.0.0:$port certhash=$thumbprint appid=$guid_value certstorename=MY
    }
  EOH
end

The alternative solution for me is to use a PowerShell script to add the SSL certificate instead of using the windows cookbook.

Related

How to skip hostname verification with Sails.js in SSL mode?

I have a Sails.js Application enabled with SSL mode with key,cert,ca information provided in local.js.
I am able to start the server and able to communicate using certificates successfully.
By default hostname provided in the request is verified against the hostname matching the server certificate CN.
For example, if the server certificate CN is example.net and the curl request is made with proper certificates and the hostname is provided as example.net (like curl --cacert path_to_cacert --cert path_to_client_cert --key path_to_client_key https://example.net:port_number/), the communication succeeds and the expected response is received.
If the server has DNS FQDN different from server certificate CN then curl command with DNS FQDN fails with error "subjectAltName does not match SERVER_CN"
Example: curl --cacert path_to_cacert --cert path_to_client_cert --key path_to_client_key https://newexample.org:port_number/
(newexample.org in this case resolves to same server to which example.net is configured)
I would like to know if there is a way to skip this hostname verification by default?
For example, I should be able to get expected response with hostname other than example.net also in above case.
I have tried adding "checkServerIdentity:false" in the ssl config to see if hostname verification is skipped. But that didn't help.
Please let me know if we have a way to skip hostname verification in sails.js, similar to hostnameVerifier in Java.

Modify the SSL certificate for Chef Server

I am currently running a Chef Server.
There are 2 ways to access the server:
<HOSTNAME_OF_SERVER_OR_FQDN>
OR
<ACTUAL_URL_THAT_SHOULD_BE_OR_CNAME>
When I try to run knife ssl check, I get:
root@host:/opt/chef-server/embedded/jre# knife ssl check
Connecting to host <ACTUAL_URL_THAT_SHOULD_BE_OR_CNAME>:443
ERROR: The SSL certificate of <HOSTNAME_OF_SERVER_OR_FQDN> could not be verified
Certificate issuer data: /C=US/ST=MA/L=Boston/O=YouCorp/OU=Operations/CN=<HOSTNAME_OF_SERVER_OR_FQDN>.com/emailAddress=you@example.com
Configuration Info:
OpenSSL Configuration:
* Version: OpenSSL 1.0.1p 9 Jul 2015
* Certificate file: /opt/chefdk/embedded/ssl/cert.pem
* Certificate directory: /opt/chefdk/embedded/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: nil
* trusted_certs_dir: "/root/.chef/trusted_certs"
I want the knife ssl check command to be successful. Basically, I want it to be able to successfully connect using <ACTUAL_URL_THAT_SHOULD_BE_OR_CNAME>.
How can I add the CNAME to the current certificate, which I believe is /opt/chefdk/embedded/ssl/cert.pem?
One strange aspect of the certificate file is that when I try to read it and grep for the hostnames or CNAMEs, I do not find any:
# /opt/chef-server/embedded/jre/bin/keytool -printcert -file /opt/chefdk/embedded/ssl/cert.pem | grep <ACTUAL_URL_THAT_SHOULD_BE_OR_CNAME>
No result
# /opt/chef-server/embedded/jre/bin/keytool -printcert -file /opt/chefdk/embedded/ssl/cert.pem | grep <HOSTNAME_OF_SERVER_OR_FQDN>
No result
This is how I did it in the past.
The Chef server can be configured to use SSL certificates by adding the following settings to the server configuration file.
For example:
nginx['ssl_certificate'] = "/etc/pki/tls/certs/your-host.crt"
nginx['ssl_certificate_key'] = "/etc/pki/tls/private/your-host.key"
Save the file, and then run the following command:
$ sudo chef-server-ctl reconfigure

mosquitto-clients and broker running on SSL

I've managed to set up a broker using SSL with Let's Encrypt certs.
I've tried testing a websockets client connecting to wss://broker:9002/mqtt, and it's working. I've also tried using mqtt.js command-line interface to subscribe to a topic on the broker mqtts://broker:8883/mqtt successfully.
However, I can't get mosquitto_sub and mosquitto_pub to work.
I tried with,
$ mosquitto_sub -h www.my-host.com.ar -p 8883 -t hello -d --cafile fullchain.pem
Client mosqsub/21069-atlantis sending CONNECT
Error: A TLS error occurred.
where fullchain.pem is the same ca cert that's on the server.
The mosquitto.log's broker shows,
1456709201: OpenSSL Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
1456709201: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1456709201: Socket error on client <unknown>, disconnecting.
1456709206: New connection from <my-ip> on port 8883.
What could be happening? I didn't provide any cert for mqtt.js lib...
This is my broker conf (split into two files),
#################################
# /etc/mosquitto/mosquitto.conf #
#################################
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
listener 1883
listener 8883
cafile /etc/letsencrypt/live/www.my-host.com.ar/fullchain.pem
certfile /etc/letsencrypt/live/www.my-host.com.ar/cert.pem
keyfile /etc/letsencrypt/live/www.my-host.com.ar/privkey.pem
include_dir /etc/mosquitto/conf.d
#############################################
# /etc/mosquitto/conf.d/websockets_ssl.conf #
#############################################
listener 9002
protocol websockets
cafile /etc/letsencrypt/live/www.my-host.com.ar/fullchain.pem
certfile /etc/letsencrypt/live/www.my-host.com.ar/cert.pem
keyfile /etc/letsencrypt/live/www.my-host.com.ar/privkey.pem
Try adding "--insecure" at the end of the mosquitto_sub and mosquitto_pub commands. This allows the clients to bypass the check that matches the certificate hostname with the remote host name. I've had to do this with some of the self-signed certs that I generated.
Here are the relevant comments from the "--help" for those commands:
--insecure : do not check that the server certificate hostname matches the remote
hostname. Using this option means that you cannot be sure that the
remote host is the server you wish to connect to and so is insecure.
Do not use this option in a production environment.

Enabling https with NancyFx Owin Self-host

I'm self-hosting a NancyFx service with Owin (on an intranet from a Windows 8 machine) and it works fine. Trying to switch to HTTPS but have run into problems.
I have:
Created self-signed root CA
Created exchange-cert using above CA (CN=mycomputer)
Exported public key of CA and installed on client-machine
Used netsh to add urlacl to https://+:5001
Used netsh to add sslcert with thumb-hash etc.
The service-host looks to start all right on my address, https://mycomputer:5001, but when I try to access this address I first get the warning about an unsecure connection (which I shouldn't if I have installed the public key CA-cert right?) and when continuing anyway I get a "service not available" response.
Any hints to what could be wrong?
Do I have to config Nancy/Owin to use the certificate somehow or is it enough to have it attached to the endpoint with netsh?
I've got it working. I've found it useful to have a number of checks in the process.
CHECK1 - Cert import ok:
- After you install the cert on the machine run certutil -store MY
- You should see the cert details there (sha/user created/name etc)
- If not STOP. You probably imported into the user store (or the cert is invalid). You MUST start with empty mmc and import certificates for the MACHINE.
CHECK2 - url is added to urlacl list in netsh
- After you add the uri to acl run netsh http show urlacl
- If your uri / port is not listed STOP. The url isn't added correctly.
CHECK3 - ssl is bound to urlacl
- After running the add sslcert command run netsh http show sslcert
- If your port/sha combination is not listed then check the sha has no spaces / appid is unique / app id + braces surrounded by quotes (if executing from PS)
Hope it helps. I created the above after 6 hours of head banging. It now works!
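The three checks above, together with the error 1312 / "no private key exists" failures from the Chef question at the top of the page, can be scripted. This is an added example, not code from any answer on this page; it assumes you know the certificate thumbprint and the port you intend to bind, and that it is run from an elevated PowerShell prompt.

```powershell
# Added example, not from any answer above: pre-flight checks for the netsh/IIS binding failures
# discussed on this page (error 1312 and "no private key exists"). Inputs are assumed: the cert's
# thumbprint and the port you intend to bind. Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [int]$Port = 443
)

$Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()   # CHECK3 gotcha: stray spaces in the hash
$problems   = @()

# CHECK1: netsh only accepts certs in the Local Computer context; a CurrentUser import yields 1312.
$stores  = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\WebHosting'   # WebHosting may be absent
$machine = Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
           Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $machine) {
    $user = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($user) { $problems += 'Certificate is in the CurrentUser store; import it into Local Computer instead.' }
    else       { $problems += 'Certificate not found in LocalMachine\My or LocalMachine\WebHosting.' }
} elseif (-not $machine.HasPrivateKey) {
    # "no private key exists": only the .cer was imported, or the .pfx lost its key on import.
    $problems += 'Certificate has no private key; combine .cer+.pvk with pvk2pfx and import the .pfx.'
} else {
    Write-Host "OK: $($machine.Subject) is in $($machine.PSParentPath) with a private key"
}

# CHECK2 (self-host only): a URL reservation must exist for the port.
$urlacl = netsh http show urlacl
if (-not ($urlacl -match ":$Port/")) {
    $problems += "No urlacl reservation lists port $Port (see: netsh http show urlacl)."
}

# CHECK3: what, if anything, is already bound on the port. netsh exits 1 when nothing is bound.
$shown = netsh http show sslcert ipport=0.0.0.0:$Port
if ($LASTEXITCODE -eq 0) {
    $m     = $shown | Select-String 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)'
    $bound = if ($m) { $m.Matches[0].Groups[1].Value.ToUpper() } else { '' }
    if ($bound -ne $Thumbprint) {
        $problems += "Port $Port is already bound to $bound; delete that binding before adding this one."
    } else {
        Write-Host "OK: port $Port is already bound to this certificate"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "All checks passed; netsh http add sslcert should succeed on port $Port." }
```

Run it as `.\Test-SslBinding.ps1 -Thumbprint <hash> -Port 5001` (file name assumed); each warning maps to one of the failure modes described in these threads.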

Self-hosting using SSL and WCF - can't bind certificate to port

I have a WCF service that I want to access using SSL. I'm on my developer machine, so I was thinking of self-hosting the service. I've been following Configuring HTTP and HTTPS.
I've created a self-signed certificate which I added to the Trusted Root Certification Authorities. I've created another two certificates signed by the first one, one for the client and the other for the server. I followed Using makecert to create certificates for development.
I can't get past the SSL certificates configuration step. When I'm binding the certificate to the port number using netsh it throws an SSL error:
Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated.
Does the certificate need some special field or some other thing for this to work?
CA certificate:
makecert -n "CN=TestCA" -cy authority -a sha1 -sv "TestCA.pvk" -r "TEST_CA.cer"
Service certificate:
makecert -n "CN=rneapp.com" -ic "TEST_CA.cer" -iv "TestCA.pvk" -a sha1 -sky exchange -pe -sv "rneapp.com.pvk" "rneapp.com.cer"
Client certificate:
makecert -n "CN=rneClient" -ic "TEST_CA.cer" -iv "TestCA.pvk" -a sha1 -sky exchange -pe -sv "rneClient.pvk" "rneClient.cer"
I'm using this command to bind the certificate to the port:
netsh http add sslcert ipport=0.0.0.0:8465 certhash=a853f3b5b48b8a506bdc4212ba2726a3bfea2bb6 appid={2E53B9B0-17AE-4EBC-A1AE-43D53A6FD07D} clientcertnegotiation=enable
When I encountered the same issue, moving the certificate from Current User to Local Computer storage helped, so try checking your certificate storage.
Built-in help for netsh http add sslcert also mentions this with regard to certstorename option:
certstorename - Store name for the certificate. Defaults
to MY. Certificate must be stored in the
local machine context.
I also ran into a similar error code through a different process of creating the self-signed certificate and found the source of my own problem. Using netsh, bind an SSL certificate to a port number is failing
Here is the article I followed to create the self-signed certificate; it is quite complete and thorough.
I have exactly the same issue on Windows 7 and Windows Server 2008 R2 but for me it is working the first time I bind the certificate with the port. However if I delete the binding (netsh.exe http delete sslcert ipport=0.0.0.0:9101) and bind again with the same certificate, it fails. If I try another port, it fails. If I create a brand new certificate then I can bind again. But again deleting/binding will fail.
I follow the same rules as this question:
Can't register a C# generated selfsigned SSL certificate with netsh (error 1312)
I also tried to install KB981506 http://support.microsoft.com/kb/981506 but it failed to install "The update is not applicable to your computer". Maybe I have it already.
I have a feeling something is not deleted in a right way when the binding is deleted. ProcessMonitor doesn't show any thing weird when I try to bind again.
This seems to be a known issue. Check out this Microsoft KB article.
You may also be setting up the certificates incorrectly. Check out this MSDN forum post for how another person was making a similar mistake and getting the 1312 error which was just distracting him from the real problem which was his certificate configuration.
I had a similar problem today, and this is how I fixed it. When I looked at the certificates installed under Local Computer/My in mmc.exe, I saw that my certificate didn't have the key icon.
So I combined the *.cer and *.pvk files into a *.pfx with:
pvk2pfx -pvk "private_key.pvk" -spc "public.cert" -pfx "test.pfx"
And then imported the *.pfx file with mmc.exe.
Then the next commands executed with no errors:
netsh http add sslcert...
netsh http delete sslcert...
I have posted this answer to similar Stack Overflow question, Can't register a C# generated selfsigned SSL certificate with netsh (error 1312).