Following Godaddy instructions, I have generated a private key and the corresponding CSR:
openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr
Then, I uploaded mydomain.csr to Godaddy, getting a ZIP file containing the SSL and intermediate certificates, which I concatenated to have a single CRT file:
cat mysslcert.crt intermediate.crt >> mydomain.crt
Using the official NGINX image from the docker hub, the configuration is the following:
server {
listen 80;
listen 443 ssl;
keepalive_timeout 10m;
root /var/www;
server_name mydomain.com;
ssl on;
ssl_certificate /etc/ssl/mydomain.crt;
ssl_certificate_key /etc/ssl/mydomain.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on; ...
The files are accessible (checked with wrong paths). The error I'm getting is the following:
SSL_CTX_use_PrivateKey_file("/etc/ssl/mydomain.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
The comparison of the MD5 tells me they're different, but what am I doing wrong?
Thanks #TarunLalwani, the problem was that the certificate that I can download from Godaddy takes time to be refreshed when a new CSR is uploaded. The solution is that I had to wait for the actual email indicating that my certificate is ready to be downloaded.
Related
I have generate two SSL certificates, one is RSA certificate and the other one is ECC certificate, for my domain forum.example.com and have implemented it in Nginx by using the following configuration:
listen 443 ssl http2; listen [::]:443 ssl http2;
server_name forum.example.com;
access_log /var/log/nginx/forum.example.com.log;
ssl on;
ssl_certificate /path/forum.example.com/fullchain.cer;
ssl_certificate_key /path/forum.example.com/forum.example.key;
ssl_certificate /path/forum.example.com_ecc/fullchain.cer;
ssl_certificate_key /path/forum.example.com_ecc/forum.example.com.key;
ssl_dhparam /path/dhparams.pem;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
http2_idle_timeout 5m;
# Rest of the configuration
The idea behind this is to use ECC certificate whenever possible, and in the case where a client doesn't support ECC certificates, RSA certificate will be used. However, on my machine sometimes I see RSA certificate being used and sometimes ECC certificate being used. My guess is some round-robin method is being used to determine which certificate to use.
Is there a way to prioritise ECC over RSA, and if the client doesn't support ECC, the server will use RSA certificate?
I am trying to establish a 2-way SSL connection between an nginx server and a client(browser/postman).
I am wondering whether it should be possible to tell nginx to trust the browser/postman's keys, assuming nginx requests and verifies client's certificates.
specifically, what should be put in that section of nginx
server {
listen 443;
ssl on;
ssl_certificate /etc/nginx/ssl/newcert.crt;
ssl_certificate_key /etc/nginx/ssl/newkey.pem;
ssl_session_timeout 15m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;
ssl_verify_client on;
ssl_verify_depth 2;
# what should be the content of that file??
>>>>>> ssl_client_certificate /etc/nginx/ssl/trust/client.crt;
}
I failed to find any information regarding this...
Thanks.
The ssl_client_certificate directive points to a file containing the Certificate Authority used to sign the client's Certificate Request. See this document for details.
If you are using a self-signed certificate authority for your client certificates, the procedure would be something like this:
Create a self-signed certificate to use as a Certificate Authority. See OpenSSL CA(1) for a simplified scheme to manage this step.
Generate a certificate request for the client. For example:
openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.req
Use the CA from step 1 to sign the request from step 2 to generate a certificate for the client. See OpenSSL CA(1) above.
Convert the certificate from step 3 into a PKCS#12 formatted file so that it can be imported by the client. For example:
cat user.key user.crt | openssl pkcs12 -export -out user.p12
I've gotten SSL to work on Apache servers and on a client's Nginx server. However, I am having issues with my EV SSL certificate installation. This is also on a server with a special character in the URL: weöm.com.
weöm.com is displayed as xn--wem-tna.com in browsers, which is fine. When I inspected my .ca-bundle that was emailed to me from COMODO, I saw my domain name rendered as we\xC3\xB6m.com, which made me think I have to generate my .csr and .key the same way.
Here's how I've been doing it (ran this command in Terminal):
openssl req -new -newkey rsa:2048 -nodes -out weom.csr -keyout weom.key -subj "/serialNumber=000000000/businessCategory=Private Organization/C=US/postalCode=00000/ST=California/L=Cupertino/street=1 Loop Way/O=Apple Inc/OU=COMODO EV SSL/CN=we\xC3\xB6m.com"
(I've replaced the serial number and other things with fake data in my example)
The code spits out a .csr and .key with the exact same data that my compiled .crt has and I cannot understand why I'm still getting this SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch error.
I've been wrangling with this for about a week, does anyone have any idea what I'm doing wrong?
EDIT: Proving more information...
Here is how I'm creating my master .crt:
cat xn--wem-tna.com.crt AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSAExtendedValidationSecureServerCA.crt >> cert_chain.crt
This is the default file in my sites-available folder:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name xn--wem-tna.com;
return 301 https://$host$request_uri;
}
server {
# SSL configuration
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate cert_chain.crt;
ssl_certificate_key weom.key;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name xn--wem-tna.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
}
The reason for the error is that your KEY and CRT are different.
You can verify this by checking MD5 hashes on them:
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
Additionally I would change the order in the bundle CRT (cert_chain.crt),at the moment you have it this way:
xn--wem-tna.com.crt AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSAExtendedValidationSecureServerCA.crt
It should be:
cat xn--wem-tna.com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > cert_chain.crt
This is Official Comodos Certificate Installation: NGINX
What gets me worried is your comment at the beginning:
If you have changed the key once your certificate had been issued you will need to invalidate it and apply for a new CRT with your new KEY and new CSR.
weöm.com is displayed as xn--wem-tna.com in browsers, which is fine. When I inspected my .ca-bundle that was emailed to me from COMODO, I saw my domain name rendered as we\xC3\xB6m.com, which made me think I have to generate my .csr and .key the same way.
Oh yeah, forgot to update.
I got a refund and went with CertSimple. Emailed them questions Friday night, went through the entire process of obtaining an EV cert Saturday morning/afternoon, and had it on my server by 6pm (and that's only because I was out running errands).
I'm working on a Ruby language server to manage multiple Telegram Bots via setwebhooks
BTW, I'll delivery the server as opensource at BOTServer
PROBLEM
I have troubles receiving webhook updates from Telegram Bot API Server. I have set a webhook token (Telegram reply "success") but I do not receive any update on the succesfully configured webhook.
I think the problem could be around self-signed Certificate mysteries. See old reddit question and answers.
I have similar problem and I fair the point is in some "misunderstanding" between Telegram Bot API Server that send HTTPs webhooks updates and the bot server receving webhooks (I use nginx as proxy/https SSL certificate handler).
It seems that someone solved the issue configuring nginx with a certificate "chain"; I'm pretty ingnorant in certificates tricks and so I ask:
QUESTION
May someone can post info, to configure nginx (any ssl web server!) with detailed settings / step-by step for dummies, showing how to pass from .key and .pem files described here: https://core.telegram.org/bots/self-signed to set-up the certificate "chain" to configure in nginx config, to be "accepted" by Telegram Bot API Server ?
BTW, my nginx config now:
upstream backend {
server 127.0.0.1:3000;
}
#
# HTTPS server
#
server {
listen 8443 ssl;
server_name myhost.com;
ssl on;
ssl_certificate /mypath/ssl/PUBLIC.pem;
ssl_certificate_key /mypath/ssl/PRIVATE.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
location #backend {
proxy_pass http://backend;
}
location / {
try_files $uri #backend;
}
}
where PRIVATE.key + PUBLIC.pem files are that one generated following guidelines: Using self-signed certificates:
openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=YOURDOMAIN.EXAMPLE"
thanks
giorgio
I answer myself, to share solution found here:
https://stackoverflow.com/a/33260827/1786393
the point was not the mentioned nginx configuration, but the PEM file:
openssl req -newkey rsa:2048 -sha256 -nodes -keyout YOURPRIVATE.key -x509 -days 365 -out YOURPUBLIC.pem -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=YOURDOMAIN.EXAMPLE"
YOURDOMAIN.EXAMPLE in the subj strig of openssl must be real hostname of your server that receive webhooks.
the solution that works for me:
I generated key pairs: openssl genrsa -out webhook_pkey.pem 2048 and openssl req -new -x509 -days 3650 -key webhook_pkey.pem -out webhook_cert.pem
don't forget to give FQDN name. give your host's ip at least
added it to nginx config
server {
listen 8443 ssl;
server_name MY_IP;
charset utf-8;
client_max_body_size 75M;
ssl_certificate /var/www/myproject/tg_keys/webhook_cert.pem;
ssl_certificate_key /var/www/myproject/tg_keys/webhook_pkey.pem;
location / { try_files $uri #yourapplication; }
location #yourapplication {
include uwsgi_params;
uwsgi_pass unix:/var/www/myproject/hb.sock;
}
}
cURL options:
CURLOPT_SSL_VERIFYPEER = false
CURLOPT_SSL_VERIFYHOST = false
I get this error when I try to get page with client key and certificate using this command:
curl -v -s --key /home/dmitry/Downloads/client_cert/client.mysite.key --cert /home/dmitry/Downloads/client_cert/client.mysite.crt https://mysite.com/api/login/
Here's what I see in nginx logs:
2014/12/08 06:30:55 [crit] 13087#0: *404 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while SSL handshaking, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:443
And here is part of my nginx.conf:
server {
listen 443 ssl;
ssl_certificate /home/mysite/conf/dev/ssl/com.mysite.crt;
ssl_certificate_key /home/mysite/conf/dev/ssl/com.mysite.key;
ssl_client_certificate /home/mysite/conf/dev/ssl/com.mysite.crt;
ssl_verify_client optional;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
server_name mysite.com www.mysite.com;
access_log /home/mysite/logs/nginx_access.log;
error_log /home/mysite/logs/nginx_error.log;
location /api/{
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header SSL-client-serial $ssl_client_serial;
proxy_set_header SSL-client-dn $ssl_client_s_dn;
proxy_set_header SSL-client-verify $ssl_client_verify;
if ($ssl_client_verify != SUCCESS) {
return 403;
break;
}
}
}
Here are the commands I've used to create client cert:
openssl req -out client.mysite.csr -new -newkey rsa:2048 -nodes -keyout client.mysite.key
openssl x509 -req -days 3650 -in client.mysite.csr -CA com.mysite.crt -CAkey com.mysite.key -set_serial 01 -out client.mysite.crt
What could be wrong here? Should I use some other certificate as CA for my client cert than server cert?
UPDATE:
When I do
openssl verify -CAfile com.mysite.crt client.mysite.crt
I get:
error 20 at 0 depth lookup:unable to get local issuer certificate
First of all, enable debug log in nginx.conf:
error_log logs/error.log debug;
And restart nginx. Then repeat the request and check the log file. Find the first line with verify:0:
2019/12/05 22:34:50 [debug] 5980#9776: *17 verify:0, error:20, depth:0, subject:"/CN=...", issuer:"/CN=..."
Here you see error:20. The error code comes from OpenSSL. Here you can find the constant name by code and here the corresponding description by constant name.
Alternatively you can verify the certificate using openssl command line tool:
openssl verify -CAfile ca.crt client.crt
To verify it as the server sees it, ca.crt has to be the file listed in ssl_client_certificate or ssl_trusted_certificate directive in nginx.conf.
To verify the certificate on its own, ca.crt has to be the certificate that was used to sign client.crt. If it is self-signed, it'll be client.crt itself (client.crt will be twice in a row).
If you're getting error 20 specifically and your client certificate is self-signed, you might have encountered this bug. To fix it you should either drop keyUsage from your certificate entirely or add keyCertSign to the list. To verify whether you've stumbled upon it, check whether Key Usage is listed in X509v3 extensions: section in the output of the following command:
openssl x509 -in client.crt -text -noout
The certificate I used to sign another one was not CA so it simply could not be verified, so that's why I had this error from openssl verify command:
error 20 at 0 depth lookup:unable to get local issuer certificate
If you're not CA then obviously there's nothing you can do about it.
ccs received early
Looks like a fallout from fixes for CVE-2014-0224. Since patches seems to be available check that your system is up-to-date or report the bug to your distributor.
More details might be available if you would add information about the server system you are running, especially which OS, which version of OpenSSL and which patches.
In my case I mistakenly downloaded 'cloudflare.crt' file from digital ocean's website which has older certificate and that wasted quite a bit of my time.
As their tutorial shows up in the google search.
wrong certificate from digital ocean
link to correct certificate
I have A nice working way. First before Creating pointing domain i.e
server_name api.example.com;
location / {
proxy_pass "http://example.com:9191";
}
create a sub domain of api.domain.com in your cpanel then now locate your crt files here
/var/cpanel/ssl/apache_tls/api.domain.com
you will find combined file done now put combine file i.e
ssl_certificate /var/cpanel/ssl/apache_tls/api.domain.com/combined;
then ssl you will find it under cpanel ssl/tsl->install ssl
You can locate where your ssl file are via google
your end ssl configuration will be like this
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name api.example.com;
location / {
proxy_pass "http://example.com:9191";
}
location /socket.io/ {
proxy_pass "http://example.com:9191";
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
}
location /engine.io/ {
proxy_pass "http://example.com:9191";
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
}
ssl_certificate /var/cpanel/ssl/apache_tls/api.domain.com/combined;
ssl_certificate_key /var/cpanel/ssl/system/certs/crashgame/private.key;
}
Please have your Private key in path where you can locate