Jenkins use client certificate when calling other endpoints - ssl

I have a Jenkins instance from which I need to call other services/endpoints which reside behind a load balancer. This load balancer requires and does SSL client certificate validation.
Is it possible to make Jenkins use an SSL client certificate for the calls it makes towards those endpoints residing behind that load balancer?
Something like below:
Jenkins call ---present_SSL_client_cert---> LB(verify client cert) ---> endpoint
Thank you in advance!

To get Jenkins to use a client cert for other endpoints start Jenkins with
JAVA_OPTS="-Djavax.net.ssl.keyStorePassword=changeme -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=/cert/jenkins.p12"
I used a normal client cert:
openssl req -nodes -newkey rsa:4096 -days 365 -keyout cert/jenkins.key -out cert/jenkins.csr -subj "/C=DE/ST=somewhere/L=inCity/O=someOrg/OU=someBla/CN=jenkins"
signed it:
openssl x509 -req -days 365 -in ../jenkins/cert/jenkins.csr -CA ca/ca.crt -CAkey ca/ca.key -out ../jenkins/cert/jenkins.crt -passin env:CA_KEY
and converted it to PKCS12:
openssl pkcs12 -nodes -export -in cert/jenkins.crt -inkey cert/jenkins.key -out cert/jenkins.p12 -certfile ../nginx/ca/ca.crt -passout pass:changeme
It was important use a non empty keyStorePassword, otherwise Jenkins threw an Exception java.security.UnrecoverableKeyException: Get Key failed: null
Furthermore I added the server cert to the Java keystore:
keytool -import -alias server.domain.de -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -file /root/server.crt -noprompt -storepass changeit
I've tested this setup with jenkins:lts docker container and keycloak, both behind an nginx reverse proxy using client cert auth.
Using env-variables like JENKINS_HTTPS_KEYSTORE which one can sometime see for configuring Jenkins to use https itself did NOT work for client auth. I did not investigate further, but I assume the plugin OpenId Connect Authentication Plugin which I used did not honor this variable and uses basic java functionality.

Related

how to add an openssl created certificate to trusted certificates

I used openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365 to generate a cert.pem and key.pem and it has executed correctly. Now what I want is how can I add the openssl generated certificate to trusted certificates so that I don't get greeted with Your connection isn't private page before loading my flask https site. Any help is appreciated.
EDIT: OS - Windows. I am trying to add the OpenSSL generated certificate to Trusted Root Certification Authorities inside the Microsoft Management console (MMC)
depending on the browser you need to run certutil with a specific db location:
chromium-based (most) -d sql:$HOME/.pki/nssdb
firefox -d %userprofile%\Application Data\Mozilla\Firefox\Profiles\%randomalphanum%.default\cert8.db

Updating SSL certificates for ActiveMQ Artemis 2.18.0

I'm using ActiveMQ Artemis 2.17.0 replication with self-signed certificates. After trying to update to 2.18.0 I realized that something wrong with my certificates (see this thread). There is no SSL connections between brokers and clients.
Here is how I generated my certificates:
openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 -days 365 -out brokerRoot.pem -subj "/C=US/ST=Maryland/L=Aberdeen/O=TestCompany/OU=IT/CN=test/emailAddress=test#gmail.com" -passin pass: passphrase
openssl pkcs12 -inkey private.key -in brokerRoot.pem -export -out broker_ks.p12 -password pass:keyStorePassword
keytool -import -alias broker -keystore client_ts.p12 -file brokerRoot.pem -deststoretype pkcs12 -storepass trustStorePassword -noprompt
and I'm using same client_ts.p12 and broker_ks.p12 on clients and on brokers. So the hostnames should match but it doesn't work anyway.
The ActiveMQ Artemis upgrade instructions for 2.18.0 references says:
...core clients will now expect the CN or Subject Alternative Name values of the broker's SSL certificate to match the hostname in the client's URL.
When you use the openssl command to create private.key you specify CN=test. This means your hostname must be test and your client should also use test in its URL.
Since it's not working my guess is that your hostname is not test. Therefore you need to change your SSL cert on the broker to use the proper CN value which matches the hostname of the broker and then use that in the client's URL.

Page is working but showing "Not Secure" sign on browser (configured with Traefik v2 using self-signed cert)

I apologize if this is a silly rookie question, I'm not really experience in dealing with SSL / https so please help me out.
I have docker swarm setup and using Traefik to handle all the HTTPS services. when I first load the page (take grafana page for example), there is a warning page and I click "Advanced" and "Proceed (accept risk)", then the page display and working just fine, the only problem is the "Not Secure" sign showing on browser.
A few things could be contributing to this:
Self-created CA and self-signed cert: I'm at development stage so I created my own CA and signed the cert using openssl, and use this cert in Traefik dynamic configuration.
Command to generate CA:
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca.pem
Command to generate self-signed cert:
openssl req -newkey rsa:2048 -days 365 -nodes -keyout key.pem -out req.pem
openssl x509 -req -in req.pem -days 365 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out cert.pem
See attached screenshot for the errors of the certs: "Subject Alternative Name missing" & "This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID)."
Chrome Dev Tool Certificate Error
Traefik configuration: Not using Let's Encrypt since I don't have an account, so using my own self-signed cert. I don't think this is the issue because I can see the page is using the cert I provided. But if anyone has similar experience with Traefik v2 maybe can give me some pointer if there is anything I set wrong?
Dynamic configuration file that declares the certs:
tls:
stores:
default:
defaultCertificate:
certFile: configuration/cert.pem
keyFile: configuration/key.pem
Question:
Is missing SAN a really important factor that will causes my page to be not secure? If yes, how can I add SAN while creating cert with openssl?
I understand that 2nd error "ERR_CERT_AUTHORITY_INVALID" means browser doesn't recognize the cert's validity. Does that mean I have to install my CA? Where and how to install it? Is it on docker swarm's manager node (this is where Traefik service and the certs at), or is it on any client's machine that trying to access the page?

Kibana is not connecting with elasticsearch shield SSL

We are try to set up the shield SSL in local machine.
Elasticsearch version : 2.2.1
Kibana version : 4.4.1
Shield version : Latest version
We generated self signed crt, key, pem file as below:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
openssl req -out CSR.csr -key privateKey.key -new
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
openssl x509 -in certificate.crt -out certificate.pem
keytool -importcert -keystore node01.jks -file certificate.pem -alias my_ca
keytool -certreq -alias node01 -keystore node01.jks -file CSR.csr -keyalg rsa -ext san=dns:XXX.com,ip:XXXX.xxxx.xxx
keytool -importcert -keystore node01.jks -file Certificate-signed.crt -alias node01
openssl x509 -in Certificate-signed.crt -out node01-signed-noheaders.crt
and added in shield configuration.
Shield configuration:
shield.http.ssl: true
shield.transport.ssl: true
shield.ssl.keystore.key_password: XXXXX
shield.ssl.keystore.password: XXXX
shield.ssl.keystore.path: /es/config/shield/node01.jks
network.host: XX.XX.XX.XX
Kibana configuration:
elasticsearch.url: "https://XXXXX:9200"
elasticsearch.username: "username"
elasticsearch.password: "password"
elasticsearch.ssl.cert: /XXX/XXX/XXX/elasticsearchtls.crt
elasticsearch.ssl.key: /XXX/XXX/XXX/elasticsearchtls.key
elasticsearch.ssl.ca: /XXX/XXX/XXX/elasticsearch.pem
elasticsearch.ssl.verify: true
So when run the kibana the below error is displayed in elasticsearch log:
log [12:24:25.512] [error][elasticsearch] Request error, retrying -- self signed certificate
log [12:24:25.622] [warning][elasticsearch] Unable to revive connection: https://XXXX:9200/
log [12:24:25.624] [warning][elasticsearch] No living connections
log [12:24:25.627] [error][status][plugin:elasticsearch] Status changed from yellow to red - Unable to connect to Elasticsearch at https://XXXXXX:9200.
After that when I change the elasticsearch.ssl.verify: false Kibana is working fine, but showing some error in elasticsearch log:
ElasticsearchSecurityException[missing authentication token for REST request [/_mget?timeout=0&ignore_unavailable=true&preference=1461307913497]]
In elastic client also the same issue is coming. When we use rejectUnauthorized: true then client is not connecting to elasticsearch.
My questions are:
is the self signed certificate working in Elasticsearch, Kibana or not?
do we have to buy a commercial CA certificate?
are we missing anything?
You are using unnecessary steps when generating and importing the key. Also the certificate you are generating is not signed by the CA and hence it will never be trusted
Unless you have a large deployment I would just use a selfsigned certificate, rather than a certificate signed by a selfsigned CA.
1) Generate a selfsigned certificate with SAN extensions as indicated here How can I generate a self-signed certificate with SubjectAltName using OpenSSL?
2) Merge the key and certificate in a PKCS12 container and import it to the a java keystore as explained here importing an existing x509 certificate and private key in Java keystore to use in ssl

Trouble getting https to work with self signed certificate on aws elastic load balancer

I am having issue configuring https on my aws elastic load balancer using a self-signed certificate. After I've done with the set up, making connection to https endpoint does not work. http connection is still fine.
Here's what I did.
Generate the self-signed certificate using this command
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Verified the key and certificate is working by using this command:
openssl rsa -in privateKey.key -check
openssl x509 -in certificate.crt -text -noout
Convert the certificate the key and the cert into a .pem encoded format to comply with aws certificate requirement.
openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in certificate.crt > public.pem
Upload the certificate to my elastic load balancer using the the AWS Management Console
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/US_UpdatingLoadBalancerSSL.html. For the private key and public cert value, I used the private.pem and public.pem that were generated in step 3.
Go into EBL Listener configuration, added a https listener and used the certificate that I just uploaded. Here's the configuration for the Listener:
Any thought on what might be wrong in my configuration? Thanks!!!
Does the Security Groups of the Load Balancer include an inbound HTTPS 443 Port for source 0.0.0.0/0? I just spent a few hours until I finally found this solution.