I have set up a docker registry using harbor.
I have copied the appropriate certificates in /usr/share/local/ca-certificates and run sudo update-ca-certificates with success. (indicated the number of newly certs added).
When trying to login to the specific registry:
ubuntu#master1:/home/vagrant$ docker login my.registry.url
Username: pkaramol
Password:
Error response from daemon: Get https://my.registry.url/v2/: x509: certificate signed by unknown authority
However the following test succeeds:
openssl s_client -connect my.registry.url:443 -CApath /etc/ssl/certs/
...coming back with a lot of verbose output, the certificate itself and ending in :
Verify return code: 0 (ok)
curl also succeeds to the above https link (it fails when the site is not trusted).
Any suggestions?
If you read the documentation
Use self-signed certificates
Warning: Using this along with basic authentication requires to also trust the certificate into the OS cert store for some versions of docker (see below)
This is more secure than the insecure registry solution.
Generate your own certificate:
$ mkdir -p certs
$ openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt
Be sure to use the name myregistrydomain.com as a CN.
Use the result to start your registry with TLS enabled.
Instruct every Docker daemon to trust that certificate. The way to do this depends on your OS.
Linux: Copy the domain.crt file to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt on every Docker host. You do not need to restart Docker.
See below link for more details
https://docs.docker.com/registry/insecure/#use-self-signed-certificates
Related
So i have a simple GO server running on port 8080 using a self-signed certificate that i created with the following command:
openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out local.crt -keyout local.key
When creating it i set the fields to these values:
As you can see i skipped everything but the fully qualified host name which i set to go-auth
I started my go server using the local.key and local.crt files successfully.
I tried cURLing it like:
➜ certs git:(master) ✗ curl --proxy-cacert local.crt https://go-auth/
curl: (6) Could not resolve host: go-auth
➜ certs git:(master) ✗ curl --proxy-cacert local.crt https://localhost:8080/
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
After that i tried to get the certs from the running server and saving it to the cacert.pem file and tried again:
➜ certs git:(master) ✗ echo quit | openssl s_client -showcerts -servername go-auth -connect localhost:8080 > cacert.pem
depth=0 CN = go-auth
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = go-auth
verify return:1
DONE
➜ certs git:(master) ✗ curl --cacert cacert.pem https://go-auth/
curl: (6) Could not resolve host: go-auth
➜ certs git:(master) ✗ curl --proxy-cacert cacert.pem https://go-auth/
curl: (6) Could not resolve host: go-auth
At this point i don't know, i was trying to follow the answer to this question: Use self signed certificate with cURL? but did not get the desired result.
You can use the -k parameter in order to skip the certificate validation.
Your command have to be similar to the following one:
curl -vk https://localhost:8080/
-v enable some debug information
-k disable the certificate validation
If you want to enable the certificate validation, you have two way:
Add and trust the certificate to your current CA list
By this way, you are going to "accept" your self signed certificate as a valid one, and you will be able to call the service (from your machine, obviously) using any type of HTTP client (Java, Go, cURL etc etc).
Use the --cacert parameter of the cURL command in order to specify the path related to the certificate to use in order to authenticate to the service.
I was using certificate which expired. I requested new one with new private key and request file.
But when I add new certificate to ISPConfig vhost, even after running
/usr/local/ispconfig/server/server.sh
the new certificate wont be accepted by ISPConfig and is still using the old one which expired, so my site is not working with HTTPS. Is there possibility that ISPConfig have this old certificate stored somewhere?
I also deleted content of SSL folder in my vhost but did not worked either.
Site is working with generated Let's Encrypt certificate.
I also faced the same error and I fixed it by applying the second method. I've mentioned both methods for you. Please try any to renew your SSL Certificate.
Method 1:
Create a new ISPConfig 3 SSL Certificate with OpenSSL
Login to your server on the shell as a root user. Before we create a new SSL Cert, backup the current ones. SSL Certs are security-sensitive so I'll store the backup in the /root/ folder.
# tar pcfz /root/ispconfig_ssl_backup.tar.gz /usr/local/ispconfig/interface/ssl
# chmod 600 /root/ispconfig_ssl_backup.tar.gz
Now create a new SSL Certificate key, Certificate Request (csr) and a self-signed certificate.
# cd /usr/local/ispconfig/interface/ssl
# openssl genrsa -des3 -out ispserver.key 4096
# openssl req -new -key ispserver.key -out ispserver.csr
# openssl x509 -req -days 3650 -in ispserver.csr \
-signkey ispserver.key -out ispserver.crt
# openssl rsa -in ispserver.key -out ispserver.key.insecure
# mv ispserver.key ispserver.key.secure
# mv ispserver.key.insecure ispserver.key
Restart Apache to load the new SSL Certificate.
# service apache2 restart
Method 2:
Renew the SSL Certificate with the ISPConfig installer
The alternative way to get a new SSL Certificate is to use the ISPConfig update script.
Download ISPConfig to the /tmp folder, unpack the archive and start the update script.
# cd /tmp
# wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
# tar xvfz ISPConfig-3-stable.tar.gz
# cd ispconfig3_install/install
# php -q update.php
The update script will ask the following question during the update:
Create new ISPConfig SSL certificate (yes,no) [no]:
Answer "yes" here and the SSL Certificate creation dialog will start.
Thank you!
I've set up an internal pypi server for internal projects.
It's hosted at https://<USER>:<PASS>#<INTERAL>/pypi with a self-signed certificate.
I can get pip to use this repository in addition to the central pypi server using extra-index-url in ~/.pip/pip.conf. As the certificate to my server is self-signed, and pip isn't using the system-wide (keychain) certificated, I've made it aware of it using cert = ... in the config file:
extra-index-url = https://<USER>:<PASS>#<INTERAL>/pypi
cert = /path/to/cert.pem
Now, whenever I install something using pip install, I get a warning that the certificate can't be verified for https://pypi.python.org:
$ pip install <PACKAGE-NAME>
Collecting <PACKAGE-NAME>
Could not fetch URL https://pypi.python.org/simple/<PACKAGE-NAME>/:
There was a problem confirming the ssl certificate: [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) -
skipping
Is there any way to tell pip only to use the self-signed certificate only for the extra-index-url repository?
Pip uses it's certificate bundle (a file) that can be found by running:
python -m pip._vendor.requests.certs
The bundle is just a file with certificates concatenated, one after another. We want to tell pip to use those AND our certificate,
so generate a new file using
cat $(python -m pip._vendor.requests.certs) /path/to/my/cert.pem > /path/to/my/bundle.pem
and make sure your .pip/pip.conf file contains something along these lines:
[global]
extra-index-url = https://user:pass#my-pypi.com
cert = /path/to/my/bundle.pem
Finally, you might want to periodically update /path/to/my/bundle.pem (in a cronjob or whatever).
Other notes
I also got the following error:
SubjectAltNameWarning: Certificate for my-pypi.com has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
Normally, you'd create a certificate something like:
openssl req -new -x509 -nodes -key my.key -out cert.csr -days 365
Instead, copy your openssl.cnf (possibly in /etc/pki/tls/openssl.cnf) to your working directory, and add an extension by adding the following to the end of the file:
[ san_env ]
subjectAltName=DNS:mypypi.com
and generating your certificate with
openssl req -new -x509 -nodes -key my.key -out cert.csr -days 365 -config openssl.cnf -extensions san_env
In addition, pip wants your certificate in a different format, which can be generated using
openssl x509 -inform der -in cert.cer -out cert.pem
This file cert.pem can be concatenated with the python ca bundle as described above to generate your custom bundle.
I'm going to install SSL using OpenSSL on WAMPServer. The processes which I've been through are as follows:
I have installed apache, configured it and activated ssl module,
Added a new system variable OPENSSL_CONF:
Variable name: OPENSSL_CONF
Variable value: A:\wamp\bin\apache\apache2.4.9\conf\openssl.cnf
Restarted windows and made sure I saw the following line among the environment variables using command-line set | more command:
OPENSSL_CONF=A:\wamp\bin\apache\apache2.4.9\conf\openssl.cnf
Installed openSSL1.01Light(x64) on A:\OpenSSL and in its bin folder I have generated a key using command line command:
openssl req -new > webserver.csr
(Note that openSSL installation directory by default ain't have webserver.csr and I had to copy it from A:\wamp\bin\apache\apache2.4.9\bin directory)
The command ran and prompted me to enter a PEM pass phrase and verify it. I entered a pass phrase and verified it.
I entered information that would be incorporated into my certificate request.
I ran the following command:
openssl rsa -in privkey.pem -out webserver.key
I was prompted for the pass phrase from the previous step. The RSA key was written and the file webserver.key was then available in the folder.
Now I was going to covert the certificate into a signed one using the following command:
openssl x509 -in webserver.csr -out webserver.cert -req -signkey webserver.key -days 365
I got stock in this level that error occured with the following message:
5336:error:0906D06C:PEM routiness:PEM read bin:no start line:.\crypto\pem\pem_lib.c:703:Expecting: CERTIFICATE REQUEST
error in x509
How do I overcome this issue? Any idea? Thanks...
I have a flask application running using a self signed certificate. I'm able to send in a curl request using:
curl -v -k -H "Content-Type: application/json" -d '{"data":"value1","key":"value2"}' https://<server_ip>:<port>
The verbose logs show that everything went alright.
I wanted to avoid using the -k (--insecure) option and instead specify a .pem file that curl could use. Looking at the curl man page I found that you could do this using the --cert option.
So I created a .pem file using this:
openssl rsa -in server.key -text > private.pem
CURL throws me this error when using the private.pem file:
curl: (58) unable to use client certificate (no key found or wrong pass phrase?)
Any suggestions? - or is this only possible with a properly signed certificate?
Tnx
This is just another version of this question: Using openssl to get the certificate from a server
Or put more bluntly:
Using curl --cert is wrong, it is for client certificates.
First, get the the certs your server is using:
$ echo quit | openssl s_client -showcerts -servername server -connect server:443 > cacert.pem
(-servername is necessary for SNI so that you get the right virtual server's certificate back)
Then make your curl command line use that set to verify the server in subsequent operations:
$ curl --cacert cacert.pem https://server/ [and the rest]
special teaser
Starting with curl 7.88.0 (to be shipped in February 2023), curl can save the certificates itself with the new %{certs} variable for the -w option. Blogged about here.
To make request from https server through curl. I make use of below steps
Step1: Generate self signed certificate with below code at root of the project you want to make use of it.openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes
Step2: Fill the prompt with required details but when you get to Common name input localhost e.g Common Name (eg, fully qualified host name) []:localhost
step3: When your openssl cert.pem & key.pem has being generated startup your server then in another terminal or command line run curl --cacert cert.pem https://localhost:443
Note: I use port 443 which is the default https port, you can make use of another port then make sure cert.pem file path is well referenced.