I am trying to connect Slack over a corporate network using a proxy and it gets blocked on the SSL interception. It gets stuck at:
DEBUG slack rtm start with options: {}
How can I make it go through SSL interception? Is there a way to make Hubot trust the SSL certificate?
One way is to skip the SSL by setting the environment variable called NODE_TLS_REJECT_UNAUTHORIZED to zero. This will skip the SSL. E.g., for Windows, execute the following in your command prompt:
set NODE_TLS_REJECT_UNAUTHORIZED=0
Then run your process as usual
Currently trying to see what https calls are made by a thick client application using JMeter HTTP(S) Test Script Recorder. However for some calls I am getting "Problem with SSL certificate for url for '...'? Ensure browser..."
The Apache Generated Certificate has been installed on the JRE used by the application as well as the keystores that are used by the application. This allowed us to begin recording and get some calls, however for one domain we do not get anything.
When the JMeter cert is installed on IE, we can access the domain without SSL error. Note that we do get an SSL error when trying to access without the proxy server - Is this related?
Bit stuck here unfortunately, I've been looking into a way we can use group policy to force the certificate to be used? Is this a good approach? (+ Would it even work?)
I am using self-signed certificates in my RabbitMQ server and the broker is started successfully with the SSL port. I am now trying to renew / use new SSL certificates, SSL key and truststore, but I do not want to restart the running RabbitMQ server as my application should run continuously. I checked online for solutions to refresh / reload Erlang/RabbitMQ at runtime to read/reload these new SSL certificates and I stumbled upon a few links where they suggested using - rabbitmqctl eval "ssl:stop(), ssl:start()." to reload certs.
The command worked fine and the new SSL certs were refreshed without rabbitmq restart, but the Consumers / connections were RESET because of which my application cannot read the messages from the queues anymore.
Can you please help me with this issue? I would like to reload the new SSL certificates without restarting my RabbitMQ or application, and RabbitMQ must work fine with my application without any connection reset.
If not, kindly suggest how to re-establish the connections again so that my application runs as expected.
Turns out newer versions of Erlang auto-update their PEM cache, so all you need to do is put the new certificate in place and then wait for a few minutes.
If you need to force the use of the new certificate sooner, you can use
rabbitmqctl eval 'ssl:clear_pem_cache().'
And this will reload the certificate without disconnecting any publishers or consumers.
I've connected my Lita bot to a Dialogflow agent via the lita-api-ai plugin and (currently) a Firebase-enabled fulfillment script edited inline on the Dialogflow site.
I'd like to convert that webhook into ruby and host it as a handler in Lita itself, but Dialogflow requires SSL on the webhook endpoint.
I'm using the standard docker setup for Lita on CoreOS, and I'd like to use a Let's Encrypt cert. How can I do this? I'm not experienced with the innards of Docker or a ruby app like Lita (as opposed to a full-blown nginx/Apache setup) -- can I put something around Docker to handle the SSL? Do I need to modify the Docker image itself?
The best way to go about this is to install a web server (nginx, caddy, etc.) to handle SSL termination. It should then proxy requests to the Docker instance. You can use nginx-proxy with the LetsEncrypt companion as the basic setup, although you'll need to alter the Lita systemd script to include config and environment variables (e.g., VIRTUAL_HOST, expose).
nginx-proxy listens for container changes to dynamically update its proxying, but I created systemd services for both nginx-proxy and the LetsEncrypt companion so that they would start on boot.
I am dabbling with WCF and SSL and have hit a bit of a problem.
I have a self-hosted WCF service and a basic client which connects to request a token.
I have it set up on my development machine and it appears to be communicating over SSL just fine.
But when I set it up on a different machine to test the deployment the client keeps getting nothing back from the service.
I assume it has something to do with the certificates I have set up as this is the only thing I think could be different.
I have used the netsh command to associate my port with an existing certificate that was already on the server. And it appears the same as my dev machine (where I created the certificate with makecert manually).
I initially tried to follow the same steps on the deployment server but failed as there was already a certificate with a common name of the server, so even though the certificate generated, whenever I tried to use the cert hash thumbprint of the newly generated certificate I was being given the:
SSL Certificate add failed, Error: 1312
A specified logon session does not exist...
The only way I could get the netsh http add to work was by specifying the cert hash of the existing certificate.
Is this my problem or a red herring? How do you debug issues like this?
Personally I just configure WCF tracing. It usually provides more user-friendly info about a problem. Here's a how-to link: Configuring Tracing
Hope it helps!
Scenario: calling a client web service over SSL (https) with mutual SSL authentication. Different service endpoint URLs and certs (both keystore and truststore) for test vs. production environments. Both test and production environments run tomcat / JBoss clustered. Production environment has load balancing / BigIP, runs Blade and non-Blade machines.
Truststore is set (using -Djavax.net.ssl.trustStore=value) at startup. Keystore is set using System.setProperty("javax.net.ssl.keyStore", "value") in Java code. Web service call made using Axis2. All works fine in test environment, but when we moved to production environment (6 servers), it appears certs are not being forwarded for the handshake. Here's what we've done:
in test environment, handshake using test versions of certs has been working all along, with no ssl debugging enabled
confirmed in test environment that handshake with client production endpoint succeeds (production certs, both ours and theirs, are fine) -- this was done using -Djavax.net.debug=handshake,ssl
confirmed that the error condition occurs on all 6 production servers
took one server out of the cluster, turned on ssl debugging for just that one (with a restart), hit it directly, handshake works!
switched to a different server without the debugging turned on, handshake error condition occurs
turned debugging on on that second server (with a restart), hit it directly, handshake works!
From the evidence, it seems like somehow the debugging being enabled causes the certificates to be properly retrieved/conveyed, although that makes no sense! I wonder whether somehow the enabled debugging makes the system pay attention to the System.setProperty call, and ignore it otherwise. However, in local and test environments, handshake worked without debugging enabled.
Do I maybe need to be setting keystore on server startup like I'm setting truststore? Have been avoiding that because the keystore will differ for each of our test environments (16 of them).
Turns out that the debug setting was a red herring. What actually bit us was that there was an existing client with an SSL/basic authentication web service we call when one of their users logs in. Since in that context the keystore wasn't relevant, the javax.net.ssl.keyStore property doesn't get set -- but the SSL exchange still tries to load a keyStore (which ends up not loading any certs). Since, unfortunately, even if the javax.net.ssl.keyStore value is changed, it does not get reloaded, calls to the other client's web service sent along no keystore certs.
The solution was to set the keyStore property at server startup rather than at the point of the web service call. If at some point in the future we need to be able to use different keyStores in different contexts, it looks like we'd need to implement a custom SocketFactory.
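The per-context approach mentioned in the answer above, as an added example (not code from the original post): each caller builds its own SSLSocketFactory from its own keystore instead of depending on the JVM-wide javax.net.ssl.keyStore property. The class name PerClientTls, the method names and the command-line arguments are assumptions made for illustration; wiring the factory into Axis2 is not shown.

```java
import javax.net.ssl.*;
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;

public class PerClientTls {

    /** Loads a keystore from disk, or returns an empty in-memory one when path is null. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (path == null) {
            ks.load(null, null);              // empty store: no client certificate to offer
        } else {
            try (InputStream in = Files.newInputStream(Paths.get(path))) {
                ks.load(in, password);
            }
        }
        return ks;
    }

    /** Builds a socket factory bound to one keystore, independent of javax.net.ssl.keyStore. */
    static SSLSocketFactory factoryFor(String keyStorePath, char[] password) throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath, password), password);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);            // null = JVM default truststore (honours -Djavax.net.ssl.trustStore)

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // args[0] / args[1]: hypothetical keystore path and password for the mutual-SSL partner
        String path = args.length > 0 ? args[0] : null;
        char[] pw = args.length > 1 ? args[1].toCharArray() : new char[0];

        SSLSocketFactory mutualSsl = factoryFor(path, pw);           // presents the client certificate
        SSLSocketFactory basicAuth = factoryFor(null, new char[0]);  // presents none

        // Each call site then picks its factory explicitly, for example:
        //   ((HttpsURLConnection) url.openConnection()).setSSLSocketFactory(mutualSsl);
        System.out.println("separate factories: " + (mutualSsl != basicAuth));
    }
}
```

Because each factory carries its own key managers, the order in which the two web services are first called no longer decides which keystore the handshake uses.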