How to use Alembic with an SSL connection?

I use Alembic to manage my migrations. My database is on AWS, and I want to connect it with SSL.
In my alembic.ini I have the lines
[production]
script_location = alembic_prod
sqlalchemy.url = mysql+pymysql://user:password@my-rds-host.eu-west-1.rds.amazonaws.com/mydatabase
Of course, it works if the user has permission to connect to the database without SSL, but not otherwise.
How do I require an SSL connection and specify the certificate?

You first need the certificate bundle -
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.SSLSupport
You then would add the appropriate parameter to your URL as shown here -
How to connect to mysql server with SSL from a flask app

To repeat the previous answer with more specific steps:
Download the RDS certificate bundle from https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem
Use the ssl_key option to point to the certificate:
sqlalchemy.url = mysql+pymysql://user:password@my-rds-host.eu-west-1.rds.amazonaws.com/mydatabase?ssl_key=/Users/DaMaill/Downloads/rds-ca-2019-root.pem
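An added example (not from the question or either answer) that builds the sqlalchemy.url for alembic.ini so the connection is verified against the downloaded RDS CA bundle rather than merely encrypted. It assumes SQLAlchemy's MySQL dialect, which maps an ssl_ca=... query parameter onto pymysql's ssl={"ca": ...} argument, and it rejects a URL whose credentials are separated from the host by "#" instead of "@"; the file path and URL values are constructed.

```python
# Added example, not code from the thread: build the alembic.ini URL so that
# pymysql verifies the RDS server certificate against the CA bundle.
# Assumption: SQLAlchemy's MySQL dialect turns ssl_ca=<path> in the query
# string into pymysql's ssl={"ca": <path>}; with a CA set, pymysql also checks
# that the certificate hostname matches the RDS endpoint.
import os
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def rds_ssl_url(url: str, ca_path: str, require_file: bool = True) -> str:
    """Return url with ssl_ca=<ca_path> appended to its query string.

    Fails loudly, instead of silently connecting without verification, when
    the CA bundle path does not exist or the URL is malformed.
    """
    if require_file and not os.path.isfile(ca_path):
        raise FileNotFoundError(f"RDS CA bundle not found: {ca_path}")
    parts = urlsplit(url)
    # A "#" written in place of "@" turns the host into a URL fragment, so the
    # credentials are left with no host at all: catch that early.
    if "@" not in parts.netloc or parts.fragment:
        raise ValueError("expected user:password@host in the URL")
    query = dict(parse_qsl(parts.query))
    query["ssl_ca"] = ca_path
    return urlunsplit(parts._replace(query=urlencode(query, safe="/")))


if __name__ == "__main__":
    # Constructed values; the real bundle is the rds-ca-2019-root.pem download.
    print(rds_ssl_url(
        "mysql+pymysql://user:password@my-rds-host.eu-west-1.rds.amazonaws.com/mydatabase",
        "/etc/ssl/rds-ca-2019-root.pem", require_file=False))
```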

How do I create a tls cert for a three node server domain that covers the parent domain as well?

I'm not even sure I asked the question right...
I have three servers running minio in distributed mode. I need all three servers to run with TLS enabled. It's easy enough to run certbot, generate a cert for each node, drop said certs into /etc/minio/certs/ and go! But here's where I start running into issues.
The servers are thus:
node1.files.example.com
node2.files.example.com
node3.files.example.com
I'm launching minio using the following command:
MINIO_ACCESS_KEY=minio \
MINIO_SECRET_KEY=secret \
/usr/local/bin/minio server \
-C /etc/minio --address ":443" \
https://node{1...3}.files.example.com:443/volume/{1...4}/
This works and I am able to connect to all three servers from a web browser using HTTPS with good certs. However, users will connect to the server using the parent domain "files.example.com" (using distributed DNS).
I already ran certbot and generated the certs for the parent domain... and I copied the certs into /etc/minio/certs/ as well as /etc/minio/certs/CAs/ (calling both files "files.example.com-public.crt" and "files.example.com-public.key" respectively)... this did not work. When I try to open the parent domain "files.example.com" I get a cert error (which I can bypass) indicating the certificate is for the node to which I have connected and not for the parent domain.
I'm pretty sure this is just a matter of putting the cert in the right place and naming it correctly... right? Does anyone know how to do that? I also have an idea there might be a way to issue a cert that covers multiple domains... is that how I'm supposed to do this? How?
I already hit up minio's Slack channel and posted on their GitHub, but no one's replying to me. Not even, "this won't work."
Any ideas?
I gave up and ran certbot in manual mode. It had to install Apache on one of the nodes, then certbot had me jump through a couple of minor hoops (namely it had me create a new TXT record with my DNS provider, and then create a file with a text string on the server for verification). I then copied the created certs into my minio config directory (/etc/minio/certs/) on all three nodes. That's it.
To be honest, I'd rather use the plugin as it allows for automated cert renewal, but I'll live with this for now.
You could also run all of them behind a reverse proxy to handle the TLS termination using a wildcard domain certificate (i.e. *.files.example.com). The reverse proxy would centralize the certificates, DNS, and certbot script, etc., to a single node if you prefer, essentially load balancing the TLS and DNS for the minio nodes. The performance hit of "load-balancing" TLS like this may be acceptable depending on your workload, considering the simplification to your current DNS and TLS cert setup.
[Digital Ocean example using nginx and certbot plugins] https://www.digitalocean.com/community/tutorials/how-to-create-let-s-encrypt-wildcard-certificates-with-certbot
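An added example (not from the question or the answers) that checks which of the hostnames in this thread a certificate's Subject Alternative Names actually cover, using the RFC 6125 matching rule: a wildcard is only valid as the whole leftmost label and matches exactly one label, so the suggested *.files.example.com covers the node names but not the parent files.example.com itself, which must be listed as its own SAN. The SAN lists are constructed for illustration.

```python
# Added example, not code from the thread: which hostnames does a certificate's
# SAN list cover? Matching follows RFC 6125: a wildcard must be the entire
# leftmost label and matches exactly one label, so "*.files.example.com"
# covers node1.files.example.com but NOT the parent files.example.com.
NODES = ["node1.files.example.com", "node2.files.example.com",
         "node3.files.example.com"]
PARENT = "files.example.com"


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName entry covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the whole leftmost label, label counts must be
    # equal, and (conservatively) a wildcard on a bare suffix like *.com
    # is refused.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_hosts(san_names, hostnames):
    """Hostnames that no SAN entry in the certificate covers."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in san_names)]


# Constructed SAN lists for the three set-ups discussed above.
PER_NODE_CERT = ["node1.files.example.com"]                   # certbot per node
WILDCARD_CERT = ["*.files.example.com"]                       # wildcard only
COMBINED_CERT = ["files.example.com", "*.files.example.com"]  # parent + nodes

if __name__ == "__main__":
    for name, sans in [("per-node", PER_NODE_CERT), ("wildcard", WILDCARD_CERT),
                       ("combined", COMBINED_CERT)]:
        print(name, "does not cover:", uncovered_hosts(sans, NODES + [PARENT]))
```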

Do OS-based certificates (ca-bundle.crt) work fine using smtp_tls_CAfile?

Is it compulsory to use:
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
While I'm also using:
smtp_tls_cert_file=/etc/letsencrypt/live/videoshark.io/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/videoshark.io/privkey.pem
I mean, what's the difference between the two?
This is the error I'm seeing when I run: tail /var/log/maillog
postfix/smtpd[1419]: fatal: open lock file pid/inet.smtp: cannot open file: Permission denied
I just want Postfix to be configured with the Gmail relay service using SSL/TLS.
Appreciate the help!
smtp_tls_cert_file and smtp_tls_key_file are to specify the local certificate, i.e. the one which gets provided to the SMTP client inside the TLS handshake. This is therefore needed if you want to accept TLS traffic.
smtp_tls_CAfile is to verify the certificate Postfix gets when communicating with another mail server. This is therefore needed if you want it to be able to use TLS when sending mail to other servers.

Rails devise_ldap: how to ignore certificate verification?

I am using devise, devise_ldap_authenticatable module to do simple ldap authentication.
But if I try to authenticate over SSL (port 689), I get this error:
Net::LDAP::Error (hostname "x.x.x.x" does not match the server certificate):
So, I need to ignore this verification.
I tried Google, but got no result :(
How can I do it?
Per the devise_ldap_authenticatable documentation:
If you're using a test LDAP server running a self-signed SSL certificate, make sure the appropriate root certificate is installed on your system. Alternately, you may temporarily disable certificate checking for SSL by modifying your system LDAP configuration (e.g., /etc/openldap/ldap.conf or /etc/ldap/ldap.conf) to read TLS_REQCERT never.

Emqttd SSL Configuration

I'm trying to activate SSL on the emqttd server. For this, I added the following lines to emq.conf under the etc folder.
mqtt.listener.ssl.tls_versions = tlsv1.2,tlsv1.1,tlsv1
mqtt.listener.ssl.handshake_timeout = 15s
mqtt.listener.ssl.keyfile = etc/certs/key.pem
mqtt.listener.ssl.certfile = etc/certs/cert.pem
mqtt.listener.ssl.cacertfile = etc/certs/cacert.pem
mqtt.listener.ssl.verify = verify_peer
All other settings are the defaults.
However, I can connect to my local MQTT server without doing any SSL configuration (SSL version, certificate, etc.) by using the mqtt-spy broker. I think I didn't configure the SSL properties of emqttd. How can I solve this problem?
Thanks in advance.
You must check which port you are trying on for SSL.
Secondly you need to place your key.pem and cert.pem at the path mentioned.
It will just work fine if the client has the certificate to authenticate the server.

I am getting a "certificate hostname verification failed" error while logging in to Spark / Openfire

Hello, I have installed Openfire on my computer. I am trying to log in to Spark using a username, password and IP address as the domain, but I am getting a "certificate hostname verification failed" error. I found that they are asking to change the server; I tried that option as well, with no result.
When we install Openfire server, it generates self-signed certificates for SSL connections. Now if you are in development phase, you don't need to worry about this error. However, once you go into production, you might consider placing proper HTTPS certificates against your domain.
Certificate directory: OPENFIRE_HOME/resources/security/