We would like to use Traefik with our CA certificate. Is there an option to use our CA certificate for automatically signing the autogenerated certificates that are generated for domains?
You can use the rootCAs option:
# Register Certificates in the RootCA.
#
# Optional
# Default: []
#
RootCAs = [ "/mycert.cert" ]
https://docs.traefik.io/v1.5/configuration/commons/#main-section
I know this is old, but it took me a while until I found a solution.
To apply the whole chain you have to create a bundle and pass it as a regular CertFile. Order matters: first goes your service cert, then the intermediate cert.
cat ca.crt > bundle
cat intermediate.crt >> bundle
Config part:
[[entryPoints.https.tls.certificates]]
CertFile = "bundle"
KeyFile = "tls.key"
Valid for Traefik 1.7
I have a Lets Encrypt certificate which works on my Synology NAS using a DDNS name. I want to use the certificate for another service (ejabberd) on another machine (a Raspberry Pi), that would run under the same DDNS name, but on another port.
I can download the certificate from the NAS resulting in three files:
cert.pem (CERTIFICATE)
chain.pem (CERTIFICATE)
privkey.pem (RSA PRIVATE KEY)
ejabberd's configuration needs the certificate file in two places:
### ===============
### LISTENING PORTS
listen:
  -
    port: 5222
    [...]
    certfile: "/etc/ejabberd/certfile.pem"
and
s2s_use_starttls: optional
s2s_certfile: "/etc/ejabberd/certfile.pem"
s2s_protocol_options:
  - "no_sslv3"
I am not sure which file to use here. I had this working, but the certificate expired.
It could be done by cat cert.pem chain.pem privkey.pem > certfile.pem
Here is a description and also (under appendix) a description of the certfile format. https://www.process-one.net/blog/securing-ejabberd-with-tls-encryption/
I got a valid HTTPS certificate from Let's Encrypt, but I have trust issues giving it to Vert.x version 3.6.2.
I tested the cert with Apache and it's OK; however, if I try to reach the HTTPS Vert.x server instance with wget I get:
$ wget https://www.myhost.mydomain/json/read/all-languages
--2019-01-22 10:30:56-- https://www.myhost.mydomain/json/read/all-languages
Resolving www.myhost.mydomain (www.myhost.mydomain)... 88.14.34.156
Connecting to www.myhost.mydomain (www.myhost.mydomain)|88.14.34.156|:443... connected.
ERROR: cannot verify www.myhost.mydomain's certificate, issued by ‘CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US’:
Unable to locally verify the issuer's authority.
To connect to www.myhost.mydomain insecurely, use `--no-check-certificate'.
Hostname and IP are forged.
My working Apache config snippet:
SSLCertificateFile /etc/certs/myhost.mydomain/cert.pem
SSLCertificateKeyFile /etc/certs/myhost.mydomain/privkey.pem
SSLCertificateChainFile /etc/certs/myhost.mydomain/chain.pem
Vert.x code:
import io.vertx.core.http.HttpServerOptions
import io.vertx.core.net.PemKeyCertOptions
import io.vertx.core.net.PemTrustOptions

val httpsOptions = HttpServerOptions()
    .setPort(443)
    .setSsl(true)
    // Trust store: the CAs this server trusts when verifying peers,
    // not the chain it presents to clients.
    .setPemTrustOptions(PemTrustOptions()
        .addCertPath("/etc/certs/myhost.mydomain/chain.pem"))
    // Key and certificate the server presents; cert.pem holds only the
    // server (leaf) certificate.
    .setPemKeyCertOptions(PemKeyCertOptions()
        .addKeyPath("/etc/certs/myhost.mydomain/privkey.pem")
        .addCertPath("/etc/certs/myhost.mydomain/cert.pem")
    )
vertx.createHttpServer(httpsOptions).requestHandler(router).listen()
I set vert.x logging to debug, but no error message appears.
What am I missing?
I found the solution here: https://community.letsencrypt.org/t/android-doesnt-trust-the-certificate/16498/2
I changed the cert.pem to fullchain.pem in the setPemKeyCertOptions settings, and it works.
Thank you for your effort.
The issue is in the certificate chain file chain.pem. It seems that it does not contain the full certificate chain. If you view the file it probably contains only one intermediate LE authority cert inside, i.e., Let's Encrypt Authority X3. It works with Apache because the SSLCertificateChainFile is actually deprecated and it is not being used at all.
Vert.x, on the other hand, does use the chain.pem file. It returns only the intermediate cert, and wget complains because of that. To fix the issue, create a fullchain.pem file composed of both the chain.pem and the cert.pem files, e.g.,
cat cert.pem chain.pem > fullchain.pem
Then use the fullchain.pem with the PemTrustOptions configuration.
You don't need to put the LE root certificate in the fullchain.pem file, because it should already be present on both client and server side. Here's an excerpt from the TLS Protocol RFC about it.
certificate_list
This is a sequence (chain) of certificates. The sender's
certificate MUST come first in the list. Each following
certificate MUST directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root
certificate authority MAY be omitted from the chain, under the
assumption that the remote end must already possess it in order to
validate it in any case.
I have an SSL certificate, Comodo PositiveSSL.
These are the files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
domain.com.key
domain_com.crt
Vendor requirements:
The certificate, private key, and certificate chain must be PEM-encoded
/ssl/test1.bx.key.pem
/ssl/test1.bx.cert.pem
/ssl/test1.bx.ca-chain.cert.pyem
Do I create PEM files correctly?
cat COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt > domain.com.ca-chain.cert.pem
cat domain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > domain.com.cert.pem
cat domain.com.key domain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > domain.com.key.pem
Do I create PEM files correctly?
No. The key file should not be the result of concatenated files. I don't know your vendor, but I believe domain.com.key = /ssl/test1.bx.key.pem.
What I suppose your vendor expects, though I can't be sure, of course:
/ssl/test1.bx.cert.pem = domain_com.crt
/ssl/test1.bx.ca-chain.cert.pyem = AddTrustExternalCARoot.crt + COMODORSAAddTrustCA.crt + COMODORSADomainValidationSecureServerCA.crt
To set up certificates in a Bitrix environment you need to do the following:
Concatenate the CA bundle and the certificate file which we sent you, as follows:
1.1 To concatenate the certificate files into a single bundle file, first open the domainname.crt and domainname.ca-bundle files using any text editor.
1.2 Now copy all the content of domainname.crt and paste it at the top of the domainname.ca-bundle file.
1.3 Now save the file under the name ‘ssl-bundle.crt’.
Store the bundle and private key in the appropriate nginx ssl folder, /etc/nginx/ssl/example_com/.
Add these lines to your nginx config:
ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
ssl_certificate_key /etc/ssl/private/domainname.key;
ssl_prefer_server_ciphers on;
Restart nginx by running the command systemctl restart nginx.service.
Take a look at the Comodo Knowledgebase article about certificate installation on nginx. It describes step by step how to install certificates on different web servers.
Heroku gives simple instructions for updating your certificates for SSL:
$ heroku certs:update server.crt server.key
However, there is no indication that any verification is done before deploying. As this is production, I want to be sure that the two files I'm giving them will not cause any security snafus.
I have my foo_com.crt (which was signed by DigiCert), server.key, and DigiCertCA.crt.
I've found that I can use security verify-cert -c certificate.pem to verify my certificate (on OS X). My certificate doesn't verify though:
$ security verify-cert -c foo_com.crt
Cert Verify Result: CSSMERR_TP_NOT_TRUSTED
Which leads me to believe that my intermediary may not be trusted but:
$ security verify-cert -c DigiCertCA.crt
...certificate verification successful.
Specifying a purpose of SSL succeeds too:
$ security verify-cert -p ssl -c foo_com.crt
...certificate verification successful.
I tried on a Linux box as well with similar mixed results.
$ openssl verify foo_com.crt
C = __, ST = ___, L = ___, O = "Foo Inc", CN = foo.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error foo_com.crt: verification failed
$ openssl verify -CAfile DigiCertCA.crt foo_com.crt
foo_com.crt: OK
$ openssl verify -purpose sslserver -CApath /etc/ssl/certs foo_com.crt
C = __, ST = ___, L = ___, O = "Foo Inc", CN = foo.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error foo_com.crt: verification failed
How can I be sure that when I update my certificates in Heroku, that everything will work smoothly?
Related: Renewing SSL certificate on Heroku
A suggestion from a colleague to run nginx led me to a confident way to know that everything would deploy smoothly.
I configured nginx with
server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;
    server_name server_IP_address;
    ssl_certificate /Users/traff/cert/gd.crt;
    ssl_certificate_key /Users/traff/cert/server.key;
    server_name localhost;
    ...
}
Once I had my nginx server set up, I ran openssl s_client -connect localhost:443 -CApath /etc/ssl/certs. Then, after setting up foo.com in my hosts file to point to my nginx server, I used curl https://foo.com.
Using the concatenation of foo_com.crt and DigiCertCA.crt (in that order) and server.key, upload was successful.
Furthermore, though Heroku's documentation does not state it, the update step does verify that SSL will serve properly:
$ heroku certs:update foo_com_DigiCertCA_cat.crt server.key -a my-app
Resolving trust chain... done
_ Potentially Destructive Action
_ This command will change the certificate of endpoint ____
_ (_______.herokussl.com) from _ my-app.
_ To proceed, type my-app or re-run this command with
_ --confirm my-app
> my-app
Updating SSL certificate _____ (____.herokussl.com) for _ my-app... done
Updated certificate details:
Common Name(s): foo.com
Expires At: DateTime
Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
Starts At: DigiCert
Subject: blah blah blah
SSL certificate is verified by a root authority.
The Dropwizard example project has a single certificate without intermediate certificate and the HTTPS configuration doesn't mention anything regarding intermediate certs. Is it possible to configure Dropwizard to deliver intermediate certificates?
You should be able to add the intermediate certificate to the key store that you use for your certificate. To do that, when you add the private key you should be able to add a chain of the signed public key with the intermediate certificate. The intermediate certificates should not be added by themselves. The intermediate certificate should then also be sent to the client.
Dropwizard uses Jetty 9. From the Jetty 9 documentation:
If you have a chain of certificates, because your CA is an intermediary, build the PKCS12 file as follows:
$ cat example.crt intermediate.crt [intermediate2.crt] ... rootCA.crt > cert-chain.txt
$ openssl pkcs12 -export -inkey example.key -in cert-chain.txt -out example.pkcs12
The order of certificates must be from server to rootCA, as per RFC2246 section 7.4.2.
I would not include the root CA in the chain because it should be already known to the client.
OpenSSL will ask for an export password. Enter something and remember it for the configuration. The documentation includes further steps to convert the PKCS12 keystore to a JKS one, but that’s not required (PKCS12 works fine on Java 8u261).
Then configure the connector in your Dropwizard configuration file with the filename and password you used:
server:
  applicationConnectors:
    - type: h2c
      port: 80
    - type: h2
      jceProvider: Conscrypt
      port: 443
      keyStorePath: example.pkcs12
      keyStorePassword: foo
You can verify your configuration using OpenSSL:
openssl s_client -connect localhost:443
The section Certificate chain should show entries for your server certificate and the intermediate CAs.
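The answers on this page keep coming back to the same rules: the server certificate goes first in the PEM bundle, each following certificate must directly certify the one before it, the root can be left out, the private key never belongs in the certificate bundle, and the only reliable check is to let OpenSSL walk the chain before deploying. The script below is an added example, not code from any of the posts above nor from Traefik, ejabberd, Vert.x, Heroku, nginx or Dropwizard. It builds a throwaway root/intermediate/leaf PKI (all subjects, file names and the config file are constructed for the demo), assembles the bundle in the right and in the reversed order, checks the order by comparing each certificate's issuer hash with the next certificate's subject hash, verifies the leaf against the root with openssl verify, and finally packs the bundle into the PKCS12 keystore the Dropwizard answer describes and counts the certificates that ended up inside it.

```shell
#!/bin/sh
# Added example: build a throwaway PKI, assemble a certificate bundle in the
# order the answers describe (server cert first, then intermediate, root omitted),
# check that order, verify the leaf, and pack the bundle into a PKCS12 keystore.
# Every name, subject and path here is constructed for the demo.
set -eu

WORK="$(mktemp -d)"
CFG="$WORK/openssl.cnf"

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# make_pki: self-signed root, intermediate signed by the root, leaf signed by the intermediate.
make_pki() {
  openssl req -x509 -config "$CFG" -extensions v3_ca -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Root" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 2 -extfile "$CFG" -extensions v3_ca -out "$WORK/int.crt" 2>/dev/null
  openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
    -days 2 -extfile "$CFG" -extensions v3_leaf -out "$WORK/leaf.crt" 2>/dev/null
}

# check_chain_order FILE: returns 0 when each certificate in FILE is directly
# issued by the one that follows it (the RFC's "MUST directly certify" rule), 1 otherwise.
check_chain_order() {
  bundle="$1"
  split="$(mktemp -d)"
  # One file per PEM certificate, numbered in bundle order.
  awk -v dir="$split" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (dir "/cert" n ".pem") }' "$bundle"
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
  i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    # issuer_hash/subject_hash are stable across OpenSSL versions, unlike the printed DN text.
    if [ "$(openssl x509 -noout -issuer_hash -in "$split/cert$i.pem")" != \
         "$(openssl x509 -noout -subject_hash -in "$split/cert$j.pem")" ]; then
      echo "$bundle: certificate $i is not issued by certificate $j" >&2
      rm -rf "$split"
      return 1
    fi
    i=$j
  done
  rm -rf "$split"
  return 0
}

# verify_leaf: have OpenSSL walk leaf -> intermediate -> root with our own root as trust anchor.
verify_leaf() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/leaf.crt" >/dev/null
}

# make_pkcs12 BUNDLE: the keystore build from the Dropwizard answer; prints how many
# certificates the keystore contains (leaf + intermediate = 2).
make_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$1" -passout pass:changeit -out "$WORK/example.pkcs12"
  openssl pkcs12 -in "$WORK/example.pkcs12" -nokeys -passin pass:changeit 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

make_pki
GOOD="$WORK/fullchain.pem"; cat "$WORK/leaf.crt" "$WORK/int.crt" > "$GOOD"   # right order
BAD="$WORK/reversed.pem";   cat "$WORK/int.crt" "$WORK/leaf.crt" > "$BAD"    # wrong order
check_chain_order "$GOOD" && echo "fullchain.pem: order OK"
check_chain_order "$BAD" || echo "reversed.pem: rejected, as expected"
verify_leaf && echo "leaf.crt verifies against root.crt via int.crt"
echo "certificates in example.pkcs12: $(make_pkcs12 "$GOOD")"
```

The order check compares hashes rather than the printed distinguished names because OpenSSL 1.1 and 3.x format `-subject`/`-issuer` output differently, while `-subject_hash` and `-issuer_hash` are the same on both. For a real deployment, point `-CAfile` at the public root (or the system store, as the Heroku answer does with `-CApath /etc/ssl/certs`) instead of the demo root.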