Facing issues with Jenkins access ERR_SSL_VERSION_OR_CIPHER_MISMATCH - ssl

I was hoping I can get some info on how to resolve this issue. I am new to Jenkins and trying to set up a Jenkins server.
After I enable SSL, I am unable to log in to Jenkins. Chrome throws the error ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
Jenkins Version: jenkins-2.77-1.1
Steps followed:
1. Created a self-signed SSL cert.
Created a Java keystore and imported the cert.
/bin/keytool \
-keystore .keystore/cacerts \
-import -alias jenkins -file ./ssl/cert.pem
Updated /etc/sysconfig/jenkins
JENKINS_HTTPS_PORT="8443"
JENKINS_HTTPS_KEYSTORE="/var/lib/jenkins/.keystore/cacerts"
JENKINS_HTTPS_KEYSTORE_PASSWORD="changeit"
JENKINS_HTTPS_LISTEN_ADDRESS=""
Restarted Jenkins.
Any help or pointers would be appreciated.
regards,

OK, I was able to resolve this by creating a PKCS12 cert and adding that to the Java keystore.
The following thread has the steps:
How to import an existing x509 certificate and private key in Java keystore to use in SSL?
Created the PKCS12 cert as below.
openssl pkcs12 \
-export -inkey ssl/key.pem \
-in ssl/cert.pem \
-out ssl/cert.p12 \
-password pass:test
Imported this cert to my java keystore.
/bin/keytool -importkeystore \
-deststorepass changeit \
-destkeypass changeit \
-destkeystore .keystore/cacerts \
-srckeystore ssl/cert.p12 \
-srcstoretype PKCS12 \
-srcstorepass test
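Why the first attempt failed and the second worked, as an added illustration (not code from the original post): `keytool -import -file cert.pem` stores a TrustedCertEntry, which carries no private key, so Jetty has nothing to sign the handshake with, offers no usable cipher suite, and Chrome reports ERR_SSL_VERSION_OR_CIPHER_MISMATCH; `-importkeystore` from the PKCS12 stores a PrivateKeyEntry instead. The stdlib-only reader below parses the JKS entry table (after checking the SHA-1 integrity trailer) so you can see which kind of entry an alias holds; the two keystores it inspects are constructed in memory with placeholder key and certificate bytes.

```python
import hashlib
import struct

MAGIC, VERSION, TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 0xFEEDFEED, 2, 1, 2


def _jks_digest(password, body):
    # JKS integrity trailer: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body)
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()


def build_jks(entries, password):
    """Serialise [(tag, alias, key_bytes_or_None, [cert_der, ...])] as a JKS v2 blob."""
    out = struct.pack(">III", MAGIC, VERSION, len(entries))
    for tag, alias, key, certs in entries:
        name = alias.encode("utf-8")
        out += struct.pack(">IH", tag, len(name)) + name + struct.pack(">Q", 0)  # + timestamp
        if tag == TAG_PRIVATE_KEY:  # encrypted key blob, then the length of the chain
            out += struct.pack(">I", len(key)) + key + struct.pack(">I", len(certs))
        for der in certs:  # each certificate: UTF type string, length, DER bytes
            out += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(der)) + der
    return out + _jks_digest(password, out)


def list_jks_entries(blob, password):
    """Return {alias: 'PrivateKeyEntry' | 'TrustedCertEntry'} after verifying the digest."""
    body, digest = blob[:-20], blob[-20:]
    if _jks_digest(password, body) != digest:
        raise ValueError("Keystore was tampered with, or password was incorrect")
    magic, version, count = struct.unpack_from(">III", body, 0)
    if (magic, version) != (MAGIC, VERSION):
        raise ValueError("not a JKS version 2 keystore")
    pos, entries = 12, {}
    for _ in range(count):
        tag, alen = struct.unpack_from(">IH", body, pos)
        alias = body[pos + 6:pos + 6 + alen].decode("utf-8")
        pos += 6 + alen + 8  # tag, alias length, alias, 8-byte creation timestamp
        ncerts = 1  # a TrustedCertEntry holds exactly one certificate
        if tag == TAG_PRIVATE_KEY:
            (klen,) = struct.unpack_from(">I", body, pos)
            (ncerts,) = struct.unpack_from(">I", body, pos + 4 + klen)
            pos += 8 + klen
        for _ in range(ncerts):
            (tlen,) = struct.unpack_from(">H", body, pos)
            (clen,) = struct.unpack_from(">I", body, pos + 2 + tlen)
            pos += 6 + tlen + clen
        entries[alias] = "PrivateKeyEntry" if tag == TAG_PRIVATE_KEY else "TrustedCertEntry"
    return entries


# Constructed samples with placeholder key/DER bytes; only the entry layout matters here.
FAKE_CERT, FAKE_KEY = b"\x30\x03\x02\x01\x01", b"\x30\x05\x02\x01\x02\x04\x00"
CERT_ONLY = build_jks([(TAG_TRUSTED_CERT, "jenkins", None, [FAKE_CERT])], "changeit")
KEY_AND_CERT = build_jks([(TAG_PRIVATE_KEY, "jenkins", FAKE_KEY, [FAKE_CERT])], "changeit")
```

On a real keystore, `keytool -list -keystore .keystore/cacerts` shows the same distinction in its output: the alias must be listed as PrivateKeyEntry, not trustedCertEntry, for Jetty to serve TLS with it.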

Related

How to run Wowza streaming engine over https

I'm trying to import my existing ssl certificates in my wowza streaming server.
I'm following this document: Import certificate
I'm able to convert my certificates to JKS format, and I have changed the VHost.xml file as suggested at the URL, but when I restart the server and check the logs I find the error below:
Here is my conf VHost.xml file: (I have replaced the password with asterisks just for the screenshot)
Steps that I have followed:
sudo openssl pkcs12 -export -in /etc/ssl/private/nginx/certificate.crt -inkey /etc/ssl/private/nginx/private.key -name example.com -out example.com-PKCS-12.p12
sudo keytool -importkeystore -deststorepass ***** -destkeystore example.com.jks -srckeystore example.com-PKCS-12.p12 -srcstoretype PKCS12
sudo keytool -import -alias bundle -trustcacerts -file /etc/ssl/private/nginx/ca_bundle.crt -keystore /usr/local/WowzaStreamingEngine-4.7.6/conf/example.com.jks
After that I opened port 443 in VHost.xml and changed the keystore and password.
Please help me to run wowza streaming engine over https server.
Thanks in advance

Unable to run kafka with self-signed certificates

I am setting up kafka that uses SASL_PLAIN and SSL auth. I set one up in a public vpc so that I could use certbot to generate certs, but for this one I am setting it in a private network that cannot be accessed by certbot (and I cannot allow it to be accessed either).
So I want to use self-signed certs to do this. I've tried this:
openssl req -new -newkey rsa:4096 \
-days 3650 \
-x509 \
-subj "/CN=$(hostname)" \
-keyout key.pem \
-out cert.pem \
-passout "pass:${PASSWORD}"
openssl pkcs12 -export -out certout -name kafka \
-inkey "key.pem" \
-in "cert.pem" \
-password "pass:${PASSWORD}" \
-passin "pass:${PASSWORD}"
keytool -importkeystore -noprompt \
-srckeystore certout \
-srcstoretype pkcs12 \
-destkeystore /etc/ssl/cert.jks \
-deststoretype pkcs12 \
-srcstorepass "${PASSWORD}" \
-deststorepass "${PASSWORD}"
And in /etc/kafka/server.properties I have:
ssl.keystore.location=/etc/ssl/cert.jks
ssl.truststore.location=/etc/ssl/certs/java/cacerts
cacerts comes from the apt package ca-certificates-java (and I ran update-ca-certificates -f too).
And if I try keytool -import -alias kafka -file certout -cacerts it gives the error
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
In the logs for kafka, I see every broker spewing this:
INFO [Controller id=2, targetBrokerId=3] Failed authentication with 3.kafka.my.dns/10.1.1.1 (SSL handshake failed) (org.apache.kafka.common.network.Selector)
(I have changed the URL and IP address in that log)
How can I run kafka with self-signed certs?

Configuring Kafka SSL with Let's Encrypt

I'm trying to set up a Kafka cluster and add SSL to it, but I'm always getting the same error:
INFO [SocketServer brokerId=0] Failed authentication with /XXX.XXX.XXX.XXX (SSL handshake failed) (org.apache.kafka.common.network.Selector)
I read several stackoverflow posts about this problem but I cannot fix it.
I'm using Kafka 2.5.0 on Ubuntu 18.04 with OpenJDK 14 and I used Let's Encrypt to generate certificates for my domain name (that are working perfectly with nginx).
First I created a pkcs12 file with the following command:
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name kafka1 -CAfile chain.pem -caname root
...then I created the keystore (with the -ext option as described in kafka docs):
keytool -importkeystore -deststorepass 'STRONG_PASS' -destkeypass 'STRONG_PASS' -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass 'STRONG_PASS' -alias kafka1 -ext SAN=DNS:{FQDN}
...also I added the certificate to the truststore:
keytool -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -noprompt -importcert -file /etc/letsencrypt/live/YOURDOMAIN/chain.pem
At this point, I believe that I have all of the necessary steps to have the keystore and the truststore correctly configured.
My broker config is:
broker.id=0
listeners=SSL://mydomain.com:9092
ssl.keystore.location=/path/to/keystore.jks
ssl.keystore.password=password
ssl.key.password=password
ssl.truststore.location=/path/to/jdk/lib/security/cacerts
ssl.truststore.password=changeit
ssl.secure.random.implementation=SHA1PRNG
security.inter.broker.protocol=SSL
ssl.endpoint.identification.algorithm= # I tried with and without this and the problem persists
advertised.listeners=SSL://mydomain.com:9092
num.network.threads=3
num.io.threads=8
socket.send.buffer.bytes=102400
socket.receive.buffer.bytes=102400
socket.request.max.bytes=104857600
log.dirs=/path/to/kafka_data
num.partitions=1
num.recovery.threads.per.data.dir=1
offsets.topic.num.partitions=3
offsets.topic.replication.factor=2
transaction.state.log.replication.factor=1
transaction.state.log.min.isr=1
min.insync.replicas=2
default.replication.factor=2
log.retention.hours=168
log.segment.bytes=1073741824
log.retention.check.interval.ms=300000
zookeeper.connect=IP1:2181,IP2:2181,IP3:2181
zookeeper.connection.timeout.ms=18000
group.initial.rebalance.delay.ms=3000
Then I run the broker and try to execute the following command to know if everything is working:
openssl s_client -debug -connect mydomain.com:9092 -tls1 | head -n 50
And the error is displayed:
INFO [SocketServer brokerId=0] Failed authentication with /XXX.XXX.XXX.XXX (SSL handshake failed) (org.apache.kafka.common.network.Selector)
My domain is not the same as my hostname in the machine, I don't know if it could be a problem. I only want to add security to the first broker and then repeat the same in the other two, but first have the first one working.
What is wrong with my config? Maybe the truststore? or the hostname and domain name?

Marathon - SSL and Basic Access Authentication

I'm following the SSL basic access authentication doc
Step 3: Combine the key and certificate files into a PKCS12 format
file, the format used by the Java keystore. If the certificate you
received is not in the .pem format, see the Jetty SSL configuration
docs to learn how to convert it.
Read key password from env variable MARATHON_KEY_PASSWORD
Set PKCS password to env variable MARATHON_PKCS_PASSWORD
$ openssl pkcs12 -inkey marathon.key \
-passin "env:MARATHON_KEY_PASSWORD" \
-name marathon \
-in trusted.pem \
-password "env:MARATHON_PKCS_PASSWORD" \
-chain -CAfile "trustedCA.crt" \
-export -out marathon.pkcs12
I have marathon.key from step 1
I have trusted.pem from step 2
But I don't have trustedCA.crt
Is this a cert from my server?
I created a cert on my server, and used it but I get an error
Error self signed certificate getting chain.
If you don't have a signed chain (self-signed doesn't count) there is no point in using this option. Use the code below to generate a self-signed cert and use it with Marathon.
I generate self-signed certs as follows, without a chain.
mkdir -p /etc/marathon/ssl
cd /etc/marathon/ssl
export MARATHON_SSL_KEYSTORE_PASSWORD=jks_pass
keytool -keystore marathon.jks -deststorepass $MARATHON_SSL_KEYSTORE_PASSWORD -alias marathon -genkey -keyalg RSA
cat << EOF > /etc/default/marathon
MARATHON_SSL_KEYSTORE_PATH=/etc/marathon/ssl/marathon.jks
MARATHON_SSL_KEYSTORE_PASSWORD=$MARATHON_SSL_KEYSTORE_PASSWORD
EOF
Related to marathon#4783

Keystore password for Jetty 7.0 SSL configuration

Trying to set up SSL on Jetty 7.2.2 using these instructions:
http://docs.codehaus.org/display/JETTY/How+to+configure+SSL
stuck on 3b:
keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore $JETTY_HOME/etc/keystore
Jetty ships with a default keystore at $JETTY_HOME/etc/keystore. I'm asked for a password when running that command. I don't know the default keystore password.
If I try to replace that keystore with a newly created one, I get an IOException on Jetty startup: keystore was tampered with, or password was incorrect.
What am I doing wrong? Or what's the default Jetty keystore password?
The default password for the keystore that is shipped with jetty is storepwd. But I would highly recommend you follow the steps listed in the How to configure SSL and create your own keystore.
I think you just want to overwrite the keystore in etc/keystore with your new one. Then, update the Jetty conf as in Step 4. You will need to obfuscate your keystore password using the org.mortbay.jetty.security.Password class.
One more subtle step needs to be followed:
Jetty has another file, start.ini; uncomment the jetty-ssl.xml line there to make the SSL configuration active.
That was my bad. Didn't notice that there's jetty-ssl.xml also, that used default keystore. Moved addConnector to jetty-ssl.xml, put right passwords there, and everything works now like a charm.
One note, the eclipse version of jetty works a little differently http://www.eclipsezone.com/eclipse/forums/t88098.html
Today, with Jetty 9.4.34, if you'd like to use the default keystore password storepwd and the default private key password keypwd, so that you don't have to modify the config, and you have the cert/key in common PEM format...
tmpcert="/tmp/certkey$RANDOM.pkcs12" ; \
openssl pkcs12 -export -inkey "key.pem" \
-in "cert.pem" \
-passout "pass:storepwd" \
-out "$tmpcert" \
&& \
keytool -importkeystore \
-srckeystore "$tmpcert" -srcstoretype PKCS12 \
-srcstorepass storepwd \
-destkeystore "$JETTY_BASE/etc/keystore" -deststoretype JKS \
-deststorepass storepwd \
-destkeypass keypwd ; \
rm "$tmpcert"
That's all you need to import to provide SSL functionality.
Because of JKS there is the
Warning: The JKS keystore uses a proprietary format. It is recommended
to migrate to PKCS12 which is an industry standard format using
...
But it is the only way to set a different key password (keypwd) from the keystore password (storepwd).
For pkcs12 storetype this distinction is impossible (at least with keytool, there is an error on execution).
For the rest (like config modifications for own passwords, and generating own passwords) the documentation at https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html is ok.