We Keep Coding

"Key_load_pubic: Invalid Format"

Experimenting with Terraform and Ansible deployment. I have a TF template that stands up a VPC and ec2 instances in AWS, and uses cloud-init scripts to prepare the instances. I've tried to upload my own SSH keys from Puttygen in the cloud-init scripts but I am receiving a "key_load_public: invalid format" error when testing Ansible. My cloud init is as follows:
#Add Users
users:
- name: ansadmin
sudo: ["ALL=(ALL) NOPASSWD:ALL"]
groups: [ sudo ]
homedir: /home/ansadmin
shell: /bin/bash
passwd: $6$UwvMBQ9VAUiKDcx$/kIbPH2GxwBbpevZEJtIyjXZIW7KJgth3MXEmxhqNH.TH2yonVMz2Ob7ROD7jGKCagF3iYkYVBnkL.okPkP/d0
ssh-authorized-keys:
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCe5RaiG1mJ6QxN318GGY1ecihS61R0WssUceOnvetVeQmMdyn/H5+BFedb+RfNZwqWs0Bnj4i6fY9EDg7ylR5damZMMH+YZD4bkTkzwbjWiFudlWZYcGKorvg8mXUoI0tE9gJOtbTS2sv7M0jG3YnqEc3zY9sDTPxyjSWHXLnjF505Zk61rvXnc5fRkUKrSdrvzl3I+0kCWZ0dpQ0PSrDSVEiNR/5f5HhCaq2a16i7kW28amzdcUduX4h8/wwt83b+YxK9kV73LGsPTyB79LHVCL9QUt4ktnqU/yHQ2ZJwlsJtOIZRc5L2aPZBc+8OuEN/i5H28TbyBF1mvFezjfXt
ssh_keys:
rsa_private: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAvV1UuXGnfWvoxoameuCuoUx1yPUeZeORovbzge0SpFctBs0k
Nqp37h8CG8wFADPXxK3xAMDunrY+HVPzQaVDeRlDIF5sRtb0vHS3NN9M6jmQb6W1
l/O3O1Brrp6oIEUxb1JOgCqHMw+48VFOmcdpvGZ4hf7a8w+OUK6XUGhC1A/nv6Dx
4Icv+KhX5OwxrytN7oCyHdQiQpPfB8fMtX31+lE1YBvwtcSJaNc/dOP9ONTYXPwe
fJYenapMTzewl1q+OkImf8DTgz9gmBMxydZdrwutOFrxpzkcVX0KITIyH1r0hTzY
1LEG1z/8qhxijfu49lYZ2YvB2TnlbiCN/9O6+QIDAQABAoIBADbvzbWjIGlFlhmK
VOAPMPqAmSc83Z3HoKe7pzeJVMAyvlBb0Wa+m96MRmtUDBtb7vwTTnjegBuxWWHe
yhLAZEvMpWnNmvIOSKAn6ELBianmG14YoA8+WGkv0p2tT69VA5t9MGMEc4a/x/LS
mNAKR0WuIMcXAeREHhCQJjvgk4q7trbOrKYgKxJsMRFwJXhYW95ZJSXjKuAVj8se
0B5BnVWTFj3cxhgf7DVVuXrb83zIBK+6Ucq4X+nMGy8pLBw+jmcgb/Y3ssXxnh6b
uijvUuc/i4yI9R4OwfV5tkpMFsbh2y74OS2UDfCtYCwiKjOGKEfv1oukfDSlCaqs
2DjgacUCgYEA4/DOCfJVGWmVGsVxsJjg5k8nt/6FdJ4zx7jkvFjZ7UB6QfCmznLs
3BRkX1ZrurRazMYNq56FXT8K6JPHsttwSy6zj/KYRRFhdEUo6EHJSELVZZHr9qIk
duE0Fz+9FddY2jno8jyxA1+tTYudV2lkp1cVVb/UvGQCXSadmJrt+x8CgYEA1Kzc
eRtpbKf+jPxYylqm7gPp3I3K5CgGa1gdjOTS8yc/DBbqPCQkrQe6pMKAaiWjwHz4
y77yYmp1JtsPip7kEm2pSXVfDBmdj+aVBRUm+mDa/lXC1BgG3zaz8MsnuqoMR+19
BO6PXN/yAEau5EnlNK6rD8A3VvvHDzXu/EPHnucCgYEAgLOa4qrdufePpQoO43Ou
qNvQxWcE24/oFMElBeP1SKy7WzgSN0dUzf8FnX8iXM0w56Z8WYasLrZF5oRqoWad
xRWddY24xGbH6+qQ6nMav55c93ipDx0GEcmeq/HlRcvN84n3Ka9zE0CWjc5jDNQJ
bSMSfNRPvf+KBiajnWL9NGkCgYA2d06/dVW6jguS782NhUnbCwWJhoa/h8CdHSP0
QWYE/7gV0IiMfnUmGyShrW5VwO3/DgJpq61Hpxv5p4CDb83ZKlyAg56j6qt/fv4L
Hy+sT8HGARC0YLLh15CdymmSVJpwkVHDQZVVo8TGbVO9A2+/3jvQ/NkvXavNKXLb
CEDHYQKBgQDJczoRCSmIQnloCFonNmCaWIGC7/dAjHU6VeNpbxyUGVqTiMBhG7Mk
XIR454e1RYrielxGlPJZYRmIcK1SmI0sb/obkqbr7qLxrIMrcFqHQLatLlu6rd2K
Url/rg6af1DzvYIrMGop4vbIZhBPeP0iyB9GGxIyE+Hh9VTU1MYEYQ==
-----END RSA PRIVATE KEY-----
rsa_public: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCe5RaiG1mJ6QxN318GGY1ecihS61R0WssUceOnvetVeQmMdyn/H5+BFedb+RfNZwqWs0Bnj4i6fY9EDg7ylR5damZMMH+YZD4bkTkzwbjWiFudlWZYcGKorvg8mXUoI0tE9gJOtbTS2sv7M0jG3YnqEc3zY9sDTPxyjSWHXLnjF505Zk61rvXnc5fRkUKrSdrvzl3I+0kCWZ0dpQ0PSrDSVEiNR/5f5HhCaq2a16i7kW28amzdcUduX4h8/wwt83b+YxK9kV73LGsPTyB79LHVCL9QUt4ktnqU/yHQ2ZJwlsJtOIZRc5L2aPZBc+8OuEN/i5H28TbyBF1mvFezjfXt
write_files:
- content: |
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCe5RaiG1mJ6QxN318GGY1ecihS
61R0WssUceOnvetVeQmMdyn/H5+BFedb+RfNZwqWs0Bnj4i6fY9EDg7ylR5damZM
MH+YZD4bkTkzwbjWiFudlWZYcGKorvg8mXUoI0tE9gJOtbTS2sv7M0jG3YnqEc3z
Y9sDTPxyjSWHXLnjF505Zk61rvXnc5fRkUKrSdrvzl3I+0kCWZ0dpQ0PSrDSVEiN
R/5f5HhCaq2a16i7kW28amzdcUduX4h8/wwt83b+YxK9kV73LGsPTyB79LHVCL9Q
Ut4ktnqU/yHQ2ZJwlsJtOIZRc5L2aPZBc+8OuEN/i5H28TbyBF1mvFezjfXt
path: /home/ansadmin/.ssh/id_rsa.pub
permissions: '0600'
owner: ansadmin:ansadmin
defer: true
- content: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAvV1UuXGnfWvoxoameuCuoUx1yPUeZeORovbzge0SpFctBs0k
Nqp37h8CG8wFADPXxK3xAMDunrY+HVPzQaVDeRlDIF5sRtb0vHS3NN9M6jmQb6W1
l/O3O1Brrp6oIEUxb1JOgCqHMw+48VFOmcdpvGZ4hf7a8w+OUK6XUGhC1A/nv6Dx
4Icv+KhX5OwxrytN7oCyHdQiQpPfB8fMtX31+lE1YBvwtcSJaNc/dOP9ONTYXPwe
fJYenapMTzewl1q+OkImf8DTgz9gmBMxydZdrwutOFrxpzkcVX0KITIyH1r0hTzY
1LEG1z/8qhxijfu49lYZ2YvB2TnlbiCN/9O6+QIDAQABAoIBADbvzbWjIGlFlhmK
VOAPMPqAmSc83Z3HoKe7pzeJVMAyvlBb0Wa+m96MRmtUDBtb7vwTTnjegBuxWWHe
yhLAZEvMpWnNmvIOSKAn6ELBianmG14YoA8+WGkv0p2tT69VA5t9MGMEc4a/x/LS
mNAKR0WuIMcXAeREHhCQJjvgk4q7trbOrKYgKxJsMRFwJXhYW95ZJSXjKuAVj8se
0B5BnVWTFj3cxhgf7DVVuXrb83zIBK+6Ucq4X+nMGy8pLBw+jmcgb/Y3ssXxnh6b
uijvUuc/i4yI9R4OwfV5tkpMFsbh2y74OS2UDfCtYCwiKjOGKEfv1oukfDSlCaqs
2DjgacUCgYEA4/DOCfJVGWmVGsVxsJjg5k8nt/6FdJ4zx7jkvFjZ7UB6QfCmznLs
3BRkX1ZrurRazMYNq56FXT8K6JPHsttwSy6zj/KYRRFhdEUo6EHJSELVZZHr9qIk
duE0Fz+9FddY2jno8jyxA1+tTYudV2lkp1cVVb/UvGQCXSadmJrt+x8CgYEA1Kzc
eRtpbKf+jPxYylqm7gPp3I3K5CgGa1gdjOTS8yc/DBbqPCQkrQe6pMKAaiWjwHz4
y77yYmp1JtsPip7kEm2pSXVfDBmdj+aVBRUm+mDa/lXC1BgG3zaz8MsnuqoMR+19
BO6PXN/yAEau5EnlNK6rD8A3VvvHDzXu/EPHnucCgYEAgLOa4qrdufePpQoO43Ou
qNvQxWcE24/oFMElBeP1SKy7WzgSN0dUzf8FnX8iXM0w56Z8WYasLrZF5oRqoWad
xRWddY24xGbH6+qQ6nMav55c93ipDx0GEcmeq/HlRcvN84n3Ka9zE0CWjc5jDNQJ
bSMSfNRPvf+KBiajnWL9NGkCgYA2d06/dVW6jguS782NhUnbCwWJhoa/h8CdHSP0
QWYE/7gV0IiMfnUmGyShrW5VwO3/DgJpq61Hpxv5p4CDb83ZKlyAg56j6qt/fv4L
Hy+sT8HGARC0YLLh15CdymmSVJpwkVHDQZVVo8TGbVO9A2+/3jvQ/NkvXavNKXLb
CEDHYQKBgQDJczoRCSmIQnloCFonNmCaWIGC7/dAjHU6VeNpbxyUGVqTiMBhG7Mk
XIR454e1RYrielxGlPJZYRmIcK1SmI0sb/obkqbr7qLxrIMrcFqHQLatLlu6rd2K
Url/rg6af1DzvYIrMGop4vbIZhBPeP0iyB9GGxIyE+Hh9VTU1MYEYQ==
-----END RSA PRIVATE KEY-----
path: /home/ansadmin/.ssh/id_rsa
permissions: '0600'
owner: ansadmin:ansadmin
defer: true
- content: |
ansadmin ALL=(ALL) NOPASSWD: ALL
path: /etc/sudoers
append: true
If I replace the key using "ssh-keygen", I can use "ssh-copy-id" to the client node with no errors - so I presume something must be wrong with my format coming from Puttygen. The literal format - how the Puttygen public key is laid out in id_rsa.pub - looks exactly the same as the key produced by ssh-keygen. Any thoughts?

I solved it on my own by just copying a key directly from ssh-keygen instead. Not sure why the Puttygen key didn't work, but whatever works!

mosquitto self signed certificate issue - handshake failure

I've created self signed CA and certs for mosquito acording to:
https://mosquitto.org/man/mosquitto-tls-7.html and
http://www.steves-internet-guide.com/mosquitto-tls/
Then added these to mosquitto dir and chmoded for mosquitto user, generally did that all with script which runs commands to:
- Create CA
- Create server certs
- Create client certs
#!/bin/bash
# FROM: https://mosquitto.org/man/mosquitto-tls-7.html and
# http://www.steves-internet-guide.com/mosquitto-tls/
set -e
# logging
RESTORE='\033[0m'
RED='\033[00;31m'
GREEN='\033[00;32m'
YELLOW='\033[00;33m'
BLUE='\033[00;34m'
PURPLE='\033[00;35m'
CYAN='\033[00;36m'
LIGHTGRAY='\033[00;37m'
LRED='\033[01;31m'
LGREEN='\033[01;32m'
LYELLOW='\033[01;33m'
LBLUE='\033[01;34m'
LPURPLE='\033[01;35m'
LCYAN='\033[01;36m'
WHITE='\033[01;37m'
REQNUM=0
print_err() {
echo -e "${RED}ERROR $# ${RESTORE}"
}
print_succ() {
echo -e "${GREEN} SUCCES: $# ${RESTORE}"
}
print_warn() {
echo -e "${BLUE} WARN: $# ${RESTORE}"
}
# CA & SRV need to have different params for mosquitto broker to work & to avoid needles asking
SUBJ="-subj "'/C=GB/ST=London/L=London/O='"$((++REQNUM))$1"'/OU=IT_Department/CN=localhost.local'
# gen CA
gen_CA() {
print_warn "generate CA"
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 ${DAYS} -out ca.crt ${SUBJ}
}
# SERVER
gen_server_keys() {
print_warn "Generate a server key"
openssl genrsa ${PSWD} -out server.key 2048 ${SUBJ}
print_warn "Generate a certificate signing request to send to the CA"
openssl req -out server.csr -key server.key -new ${SUBJ}
print_warn "Send the CSR to the CA, or sign it with your CA key"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt ${DAYS}
}
# CLIENT
gen_client_keys() {
print_warn "Generate a client key"
openssl genrsa ${PSWD} -out client.key 2048 ${SUBJ}
print_warn " Generate a certificate signing request to send to the CA"
openssl req -out client.csr -key client.key -new ${SUBJ}
print_warn "Send the CSR to the CA, or sign it with your CA key"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -addtrust clientAuth -CAcreateserial -out client.crt ${DAYS}
}
mosq_install() {
print_warn "Install mqtt certs"
sudo systemctl stop mosquitto
sudo cp server.* ca.crt /etc/mosquitto/certs/
sudo chown -R mosquitto:mosquitto /etc/mosquitto/certs
sudo bash -c 'cat << EOF > /etc/mosquitto/conf.d/tls.conf
listener 8883
tls_version tlsv1.2
require_certificate false
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
EOF'
sudo chown -R mosquitto:mosquitto /etc/mosquitto/certs/ /etc/mosquitto/conf.d/
sudo systemctl restart mosquitto && print_warn "MQTT restarted!"
}
print_help() {
echo "usage: "
echo "--CA or --SRV or --CLI"
echo "--des3 to use passwd on cers"
echo "--days 'N' to use expirydate"
echo "--mosq install to mosquitto certs"
}
[ $1 ] || print_help
for a in $#; do
case "$a" in
"--CA")
gen_CA && print_succ "CA" || print_err "CA failed"
;;
"--SRV")
gen_server_keys && print_succ "server" || print_err "server keys failed"
;;
"--CLI")
gen_client_keys && print_succ "cli" || print_err "client keys failed"
;;
"--pass")
PSWD="-des3"
;;
"--days")
DAYS="-days $2"
shift
;;
"--mosq")
mosq_install && print_succ "" || print_err "install mosquitto"
;;
-h|--help)
print_help
;;
*)
print_help;
echo "bad param! $a"
;;
esac
done
After that I get error in mosquitto logs:
159 1528809795: Config loaded from /etc/mosquitto/mosquitto.conf.
160 1528809795: Opening ipv4 listen socket on port 8883.
161 1528809795: Opening ipv6 listen socket on port 8883.
162 1528809806: New connection from 127.0.0.1 on port 8883.
163 1528809806: OpenSSL Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
164 1528809806: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
165 1528809806: Socket error on client , disconnecting.
166 1528809809: New connection from 127.0.0.1 on port 8883
mosquitto.conf
# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
In sourced conf.d dir tls.conf:
listener 8883
tls_version tlsv1.2
require_certificate true
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
mosquitto_sub command to test:
mosquitto_sub -h localhost -p 8883 --cafile ca.crt -v -t '#'
The only issue in I get with openssl s_client I get is:
"verify return code: 18 (self signed certificate)"
I can't connect with either python paho mqtt, or mosquitto_sub/pub. I've wanted to test connections on localhost, then make certs for my local network server and use it with my devices for testing - but can't make it connect even on localhost.

logstash http_poller ssl certification issue

I am trying to use logstash http_poller to query a server RESTAPI. I download the server pem through explore, and generate jks file with keytool. but we still get error "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". Don't know what wrong.
The config like below:
http_poller {
urls => {
restapi => {
method => get
url => "https://path_to_resources
headers => {
Accept => "application/json"
}
truststore => "/path/generated.truststore.jks"
truststore_password => "xxx"
ssl_certificate_validation => false
auth => {
user => "xxx"
password => "xxx"
}
}
}
request_timeout => 60
interval => 60000
codec => "json"
metadata_target => "http_poller_metadata"
}
}
By the way, what impact if ssl_certificate_validation is set as false?

I interpret OPs intention as to hopefully being able to disable TLS verification, which we still cant (logstash-7.11.1) and I plow on with how to get a trust store for these cases. This Q was one of my hits in pursuit of the same.
Some appliances will be running self signed certificates (another discussion ppl...) - so a small script to setup such a trust store could be helpful, especially if you are about to set up some automation internally.
Another caveat is that the self signed certificate still has to have a matching host name.
Based on the example from https://www.elastic.co/guide/en/logstash/current/plugins-inputs-http_poller.html
NB! Further error checking, etc. is left at your discretion.
#!/bin/bash
# Fetch an http server's TLS certificate and
# create or update a JAVA keystore / truststore
usage () {
echo "usage: get-cert.sh <hostname>:<port>"
exit 1
}
TRUSTSTORE=cacert/trust.jks
PARAM=$1
HOSTNAME=$(echo "$PARAM" | cut -d: -f 1)
PORT=$(echo "$PARAM" | cut -d: -f 2)
REST=$(echo "$PARAM" | cut -d: -f 3-)
[ -z "$HOSTNAME" ] && usage
[ -z "$PORT" ] && usage
[ -n "$REST" ] && usage
OUTPUT=$(
openssl \
s_client \
-showcerts \
-connect "${HOSTNAME}":"${PORT}" </dev/null 2>/dev/null | \
openssl \
x509 \
-outform PEM)
EC=$?
[ $EC -ne 0 ] && { echo "ERROR EC=$EC - $OUTPUT" ; exit $EC ; }
keytool \
-import \
-storepass changeit \
-alias ${HOSTNAME} \
-noprompt \
-file <(echo "$OUTPUT") \
-keystore ${TRUSTSTORE}
Using some bash specific possibilities here. The alternative is to go through temporary files, as pr the official example (see link above).

Apparently your certificate is invalid .
Regarding
ssl_certificate_validation
it doesn't have real impact , http-puller is based on manticore, a ruby libary which relay on Apache HC
which does not support this hook see

Writing variables defined in site.pp file to file

On my puppet master I have a site.pp file that defines the content of some certificates like so ...
$swift_cert_content = '
-----BEGIN CERTIFICATE-----
blhablhadfblhablah...
-----END RSA PRIVATE KEY-----
'
... and I want to write the value of $swift_cert_content to the file /tmp/swift_cert on my puppet master. I have tried this ...
# cat create_cert_files.pp
class create_cert_files (
$swift_cert_content = $::swift_cert_content,
) {
file { '/tmp/swift_cert':
ensure => "file",
content => $swift_cert_content,
}
}
class { 'create_cert_files': }
... and I execute this like so ...
# puppet apply create_cert_files.pp
Notice: Compiled catalog for osc-ppt-001.example.com in environment production in 0.16 seconds
Notice: /Stage[main]/Create_cert_files/File[/tmp/swift_cert]/ensure: created
Notice: Finished catalog run in 0.31 seconds
... but the file is empty:
# ls -l /tmp/swift_cert
-rw-r--r-- 1 root root 0 Aug 26 14:55 /tmp/swift_cert
What am I doing wrong?

I forgot that when one uses puppet apply puppet ignores the site.pp file so I need to do something like this:
# cat /etc/puppetlabs/puppet/manifests/site.pp create_cert_files.pp > runit.pp
# puppet apply runit.pp

Dart, use SSL emitted by an authority

I create a db with certutil
myproject/bin/pkcert
echo "dartdart" > pwdfile
certutil -N -d 'sql:./' -f pwdfile
Then, I import my certificate validated by an authority
certutil -d "sql:./" -A -t "C,C,C" -n "my_cert" -i certificate.crt
I check if it work
certutil -L -d 'sql:./'
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
my_cert C,C,C
My main.dart
library main;
import "dart:io";
void main() {
var testPkcertDatabase = Platform.script.resolve('./pkcert')
.toFilePath();
SecureSocket.initialize(database: testPkcertDatabase,
password: 'dartdart');
HttpServer
.bindSecure(InternetAddress.ANY_IP_V6,
8443,
certificateName: 'my_cert')
.then((server) {
server.listen((HttpRequest request) {
request.response.write('Hello, world!');
request.response.close();
});
});
}
I execute, and I get this error:
Uncaught Error: CertificateException: Cannot find server certificate by nickname: my_cert (OS Error: security library: read-only database., errno = -8126)
I missed something or I should report a bug?
Thank you.

Have you tried to add -s "cn=mycert" to
certutil -d "sql:./" -A -t "C,C,C" -n "my_cert" -i certificate.crt
and use it with
HttpServer
.bindSecure(InternetAddress.ANY_IP_V6,
8443,
certificateName: 'CN=my_cert')
as shown in this blog post http://jamesslocum.com/post/70003236123 ?