Using this guide I'm attempting to set up MariaDB (mysql) for using SSL between dbserver and appclient.
I created the server and client certificates on the server, per the guide. I then copied the three necessary client files to appclient and set ownership and permissions:
[root#appclient mysql]# ll /etc/pki/tls/certs/
drwxr-xr-x. 2 mysql mysql 88 Feb 9 13:31 mysql
[root#appclient mysql]# ll /etc/pki/tls/certs/mysql/
-rw-------. 1 mysql mysql 1372 Feb 9 13:31 ca-cert.pem
-rw-------. 1 mysql mysql 1230 Feb 9 14:16 client-cert.pem
-rw-------. 1 mysql mysql 1705 Feb 9 14:16 client-key.pem
Here's the full my.cnf on appclient:
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
[client]
ssl-ca=/etc/pki/tls/certs/mysql/ca-cert.pem
ssl-cert=/etc/pki/tls/certs/mysql/client-cert.pem
ssl-key=/etc/pki/tls/certs/mysql/client-key.pem
[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid
!includedir /etc/my.cnf.d
Next, I tested that port 3306 is open on dbserver:
[root#appclient mysql]# telnet dbserver 3306
Connected to dbserver.
Escape character is '^]'.
R
5.5.52-MariaDB
Next I checked MariaDB (mysql) ssl variables on dbserver:
MariaDB [(none)]> show variables like '%ssl%';
+---------------+------------------------------------------+
| Variable_name | Value |
+---------------+------------------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /etc/pki/tls/certs/mysql/ca-cert.pem |
| ssl_capath | |
| ssl_cert | /etc/pki/tls/certs/mysql/server-cert.pem |
| ssl_cipher | |
| ssl_key | /etc/pki/tls/certs/mysql/server-key.pem |
+---------------+------------------------------------------+
Next I checked MariaDB (mysql) ssl variables on appclient:
MariaDB [(none)]> show variables LIKE '%ssl%';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+----------+
7 rows in set (0.00 sec)
That looks like the start/source of the problem.
If I try to connect to dbserver from appclient anyway:
[root#appclient mysql]# mysql -h dbserver -u ssluser -p
Enter password:
ERROR 2026 (HY000): SSL connection error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
No bueno.
Checking appclient's certs with openssl...
[root#appclient mysql]# cd /etc/pki/tls/certs/mysql/
[root#appclient mysql]# openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
Error opening certificate file server-cert.pem
139864320337824:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('server-cert.pem','r')
139864320337824:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
client-cert.pem: OK
For kicks, I ran the same openssl test on dbserver:
[root#dbserver mysql]# openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
server-cert.pem: C = XX, ST = XX, L = CityName, O = MyOrganization, OU = MyGroup, CN = dbserver
error 18 at 0 depth lookup:self signed certificate
OK
client-cert.pem: OK
The tutorial only mentions copying ca-cert.pem, client-cert.pem and client-key.pem to the client, yet the failure above points to a missing server-cert.pem on the client.
Do I need to create the server-*.pem files on the client also? If so, where do these go in the /etc/my.cnf file?
The missing ingredient from several of the MySQL/MariaDB SSL setup guides is making sure the ssl-ca certificate file contains both server and client ca's.
Here's a step by step guide which worked for me:
This answer assumes two servers:
dbserver (where our database lives)
appclient (where our applications live)
FWIW, both servers are SELinux enforcing.
First, log on to dbserver
Create a temporary directory for creating the certificates.
mkdir /root/certs/mysql/ && cd /root/certs/mysql/
Create the server certificates
openssl genrsa 2048 > ca-key.pem
openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout server-key.pem > server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -sha1 -req -in server-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
Move server certificates to /etc/pki/tls/certs/mysql/ Directory path assumes CentOS or RHEL (adjust as needed for other distros):
mkdir /etc/pki/tls/certs/mysql/
cp /root/certs/mysql/* /etc/pki/tls/certs/mysql/
Be sure to set permissions on the folder and files. mysql needs full ownership and access.
chown -R mysql:mysql /etc/pki/tls/certs/mysql
Now configure MySQL/MariaDB
# vi /etc/my.cnf
# i
[mysqld]
bind-address=*
ssl-ca=/etc/pki/tls/certs/ca-cert.pem
ssl-cert=/etc/pki/tls/certs/server-cert.pem
ssl-key=/etc/pki/tls/certs/server-key.pem
# :wq
Then
systemctl restart mariadb
Don't forget to open your firewall to allow connections from appclient (using IP 1.2.3.4)
firewall-cmd --zone=drop --permanent --add-rich-rule 'rule family="ipv4" source address="1.2.3.4" service name="mysql" accept'
# I force everything to the drop zone. Season the above command to taste.
Now restart firewalld
service firewalld restart
Next, log in to dbserver's mysql server:
mysql -uroot -p
Issue the following to create a user for the client. note REQUIRE SSL in GRANT statement.
GRANT ALL PRIVILEGES ON *.* TO ‘iamsecure’#’appclient’ IDENTIFIED BY ‘dingdingding’ REQUIRE SSL;
FLUSH PRIVILEGES;
# quit mysql
You should still be in /root/certs/mysql from the first step. If not, cd back to it for one of the commands below.
Create the client certificates
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout client-key.pem > client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -sha1 -req -in client-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
Note: I used the same common name for both server and client certificates. YMMV.
Be sure you're still /root/certs/mysql/ for this next command
Combine server and client CA certificate into a single file:
cat server-cert.pem client-cert.pem > ca.pem
Make sure you see two certificates:
cat ca.pem
END OF SERVER SIDE WORK FOR NOW.
Open another terminal and
ssh appclient
As before, create a permanent home for the client certificates
mkdir /etc/pki/tls/certs/mysql/
Now, place the client certificates (created on dbserver) on appclient.
You can either scp them over, or just copy and paste the files one by one.
scp dbserver
# copy files from dbserver to appclient
# exit scp
Again, be sure to set permissions on the folder and files. mysql needs full ownership and access.
chown -R mysql:mysql /etc/pki/tls/certs/mysql
You should have three files, each owned by user mysql:
/etc/pki/tls/certs/mysql/ca.pem
/etc/pki/tls/certs/mysql/client-cert.pem
/etc/pki/tls/certs/mysql/client-key.pem
Now edit appclient's MariaDB/MySQL config in the [client] section.
vi /etc/my.cnf
# i
[client]
ssl-ca=/etc/pki/tls/certs/mysql/ca.pem
ssl-cert=/etc/pki/tls/certs/mysql/client-cert.pem
ssl-key=/etc/pki/tls/certs/mysql/client-key.pem
# :wq
Restart appclient's mariadb service:
systemctl restart mariadb
still on the client here
This should return: ssl TRUE
mysql --ssl --help
Now, log in to appclient's mysql instance
mysql -uroot -p
Should see YES to both variables below
show variables LIKE '%ssl';
have_openssl YES
have_ssl YES
Initially I saw
have_openssl NO
A quick look into mariadb.log revealed:
SSL error: Unable to get certificate from
'/etc/pki/tls/certs/mysql/client-cert.pem'
The problem was that root owned client-cert.pem and the containing folder.
The solution was to set ownership of /etc/pki/tls/certs/mysql/ to mysql.
chown -R mysql:mysql /etc/pki/tls/certs/mysql
Restart mariadb if needed from the step immediately above
NOW WE ARE READY TO TEST THE SECURE CONNECTION
We're still on appclient here
Attempt to connect to dbserver's mysql instance using the account created above.
mysql -h dbserver -u iamsecure -p
# enter password dingdingding (hopefully you changed that to something else)
With a little luck you should be logged in without error.
To confirm you are connected with SSL enabled, issue the following command from the MariaDB/MySQL prompt:
\s
That's a backslash s, aka status
That will show the status of your connection, which should look something like this:
Connection id: 4
Current database:
Current user: iamsecure#appclient
SSL: Cipher in use is DHE-RSA-AES256-GCM-SHA384
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server: MariaDB
Server version: 5.X.X-MariaDB MariaDB Server
Protocol version: 10
Connection: dbserver via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 42 min 13 sec
If you get permission denied errors on your connection attempt, check your GRANT statement above to make sure there aren't any stray characters or ' marks.
If you have SSL errors, go back through this guide to make sure the steps are orderly.
This worked on RHEL7 and will likely work on CentOS7, too. Cannot confirm whether these exact steps will work elsewhere.
Hope this saves someone else a little time and aggravation.
According to mentioned guide, you have to make sure that "Common name" is different for all three certificates.
I was getting the same error, because I had used same CN for all three certificates. After re-generating certs with different CNs, the error is gone.
Related
Context
After setting up a self-hosted nextcloud server on Ubuntu 22.10 over a tor domain, I created a self-signed SLL certificate using the script below:
Code
This script first
generates the certificate authority (CA) and SSL certificates, and then it adds the CA private key to: "/usr/local/share/ca-certificates/$ca_public_key_filename" and reloads the trusted ca certificates with:
sudo update-ca-certificates
It also adds the SSL prublic and private key and the full chain certificate into Nextcloud.
The fullchain.pem consists of the SSL certificate, followed by the CA certificate.
#!/usr/bin/env bash
# Here is the list of certificates and their description:
# First you create your own certificate authority.
CA_PRIVATE_KEY_FILENAME="ca-key.pem"
CA_PUBLIC_KEY_FILENAME="ca.pem"
# Same file as ca.pem except different file extension and content.
CA_PUBLIC_CERT_FILENAME="ca.crt"
# Then you create a SSL certificate.
SSL_PRIVATE_KEY_FILENAME="cert-key.pem"
# Then create a sign-request (for your own CA to sign your own SSL certificate)
CA_SIGN_SSL_CERT_REQUEST_FILENAME="cert.csr"
SIGNED_DOMAINS_FILENAME="extfile.cnf"
# Then create the signed public SSL cert.
SSL_PUBLIC_KEY_FILENAME="cert.pem"
# Then merge the CA and SLL cert into one.
MERGED_CA_SSL_CERT_FILENAME="fullchain.pem"
setup_tor_ssl() {
local onion_address="$1"
# Create domains accepted by certificate.
local domains
#domains="DNS:$onion_address,IP:127.0.0.1"
#domains="DNS:localhost,IP:$onion_address" # IP onion does not work
#domains="DNS:*.$onion_address" # Does not work.
#domains="DNS:$onion_address" # Does not work.
domains="DNS:localhost,DNS:$onion_address" # Works for localhost
echo "domains=$domains.end_without_space"
delete_target_files
# Generate and apply certificate.
generate_ca_cert "$CA_PRIVATE_KEY_FILENAME" "$CA_PUBLIC_KEY_FILENAME"
generate_ssl_certificate "$CA_PUBLIC_KEY_FILENAME" "$CA_PRIVATE_KEY_FILENAME" "$CA_SIGN_SSL_CERT_REQUEST_FILENAME" "$SIGNED_DOMAINS_FILENAME" "$SSL_PUBLIC_KEY_FILENAME" "$SSL_PRIVATE_KEY_FILENAME" "$domains"
verify_certificates "$CA_PUBLIC_KEY_FILENAME" "$SSL_PUBLIC_KEY_FILENAME"
merge_ca_and_ssl_certs "$SSL_PUBLIC_KEY_FILENAME" "$CA_PUBLIC_KEY_FILENAME" "$MERGED_CA_SSL_CERT_FILENAME"
install_the_ca_cert_as_a_trusted_root_ca "$CA_PUBLIC_KEY_FILENAME" "$CA_PUBLIC_CERT_FILENAME"
add_certs_to_nextcloud "$SSL_PUBLIC_KEY_FILENAME" "$SSL_PRIVATE_KEY_FILENAME" "$MERGED_CA_SSL_CERT_FILENAME"
}
generate_ca_cert() {
local ca_private_key_filename="$1"
local ca_public_key_filename="$2"
# Generate RSA
openssl genrsa -aes256 -out "$ca_private_key_filename" 4096
# Generate a public CA Cert
openssl req -new -x509 -sha256 -days 365 -key "$ca_private_key_filename" -out "$ca_public_key_filename"
}
generate_ssl_certificate() {
local ca_public_key_filename="$1"
local ca_private_key_filename="$2"
local ca_sign_ssl_cert_request_filename="$3"
local signed_domains_filename="$4"
local ssl_public_key_filename="$5"
local ssl_private_key_filename="$6"
local domains="$7"
# Example supported domains:
# DNS:your-dns.record,IP:257.10.10.1
# Create a RSA key
openssl genrsa -out "$ssl_private_key_filename" 4096
# Create a Certificate Signing Request (CSR)
openssl req -new -sha256 -subj "/CN=yourcn" -key "$ssl_private_key_filename" -out "$ca_sign_ssl_cert_request_filename"
# Create a `extfile` with all the alternative names
echo "subjectAltName=$domains" >>"$signed_domains_filename"
# optional
#echo extendedKeyUsage = serverAuth >> "$ca_sign_ssl_cert_request_filename"
# Create the public SSL certificate.
openssl x509 -req -sha256 -days 365 -in "$ca_sign_ssl_cert_request_filename" -CA "$ca_public_key_filename" -CAkey "$ca_private_key_filename" -out "$ssl_public_key_filename" -extfile "$signed_domains_filename" -CAcreateserial
}
verify_certificates() {
local ca_public_key_filename="$1"
local ssl_public_key_filename="$2"
openssl verify -CAfile "$ca_public_key_filename" -verbose "$ssl_public_key_filename"
}
merge_ca_and_ssl_certs() {
local ssl_public_key_filename="$1"
local ca_public_key_filename="$2"
local merged_ca_ssl_cert_filename="$3"
cat "$ssl_public_key_filename" >"$merged_ca_ssl_cert_filename"
cat "$ca_public_key_filename" >>"$merged_ca_ssl_cert_filename"
}
install_the_ca_cert_as_a_trusted_root_ca() {
local ca_public_key_filename="$1"
local ca_public_cert_filename="$2"
# The file in the ca-certificates dir must be of extension .crt:
openssl x509 -outform der -in "$ca_public_key_filename" -out "$ca_public_cert_filename"
# First remove any old cert if it existed.
sudo rm "/usr/local/share/ca-certificates/$ca_public_cert_filename"
sudo update-ca-certificates
# TODO: Verify target directory exists.
# On Debian & Derivatives:
#- Move the CA certificate (`"$ca_private_key_filename"`) into `/usr/local/share/ca-certificates/ca.crt`.
sudo cp "$ca_public_cert_filename" "/usr/local/share/ca-certificates/$ca_public_cert_filename"
# TODO: Verify target file exists.
# TODO: Verify target file MD5sum.
# Update the Cert Store with:
sudo update-ca-certificates
}
add_certs_to_nextcloud() {
local ssl_public_key_filename="$1"
local ssl_private_key_filename="$2"
local merged_ca_ssl_cert_filename="$3"
# First copy the files into nextcloud.
# Source: https://github.com/nextcloud-snap/nextcloud-snap/issues/256
# (see nextcloud.enable-https custom -h command).
#sudo cp ca.pem /var/snap/nextcloud/current/ca.pem
sudo cp "$ssl_public_key_filename" /var/snap/nextcloud/current/"$ssl_public_key_filename"
sudo cp "$ssl_private_key_filename" /var/snap/nextcloud/current/"$ssl_private_key_filename"
sudo cp "$merged_ca_ssl_cert_filename" /var/snap/nextcloud/current/"$merged_ca_ssl_cert_filename"
# CLI sudo /snap/bin/nextcloud.enable-https custom Says:
sudo /snap/bin/nextcloud.enable-https custom "/var/snap/nextcloud/current/$ssl_public_key_filename" "/var/snap/nextcloud/current/$ssl_private_key_filename" "/var/snap/nextcloud/current/$merged_ca_ssl_cert_filename"
}
delete_target_files() {
rm "$CA_PRIVATE_KEY_FILENAME"
rm "$CA_PUBLIC_CERT_FILENAME"
rm "$CA_PUBLIC_KEY_FILENAME"
rm "$SSL_PRIVATE_KEY_FILENAME"
rm "$CA_SIGN_SSL_CERT_REQUEST_FILENAME"
rm "$SIGNED_DOMAINS_FILENAME"
rm "$SSL_PUBLIC_KEY_FILENAME"
rm "$MERGED_CA_SSL_CERT_FILENAME"
sudo rm "/usr/local/share/ca-certificates/$CA_PUBLIC_KEY_FILENAME"
sudo rm "/usr/local/share/ca-certificates/$CA_PUBLIC_CERT_FILENAME"
sudo rm "/var/snap/nextcloud/current/$SSL_PUBLIC_KEY_FILENAME"
sudo rm "/var/snap/nextcloud/current/$SSL_PRIVATE_KEY_FILENAME"
sudo rm "/var/snap/nextcloud/current/$MERGED_CA_SSL_CERT_FILENAME"
}
Output
The output of this script can be read as:
$src/main.sh -h
domains=DNS:some_onion.onion,IP:127.0.0.1.end_without_space
rm: cannot remove 'ca.pem': No such file or directory
rm: cannot remove 'cert.csr': No such file or directory
rm: cannot remove 'extfile.cnf': No such file or directory
rm: cannot remove 'cert.pem': No such file or directory
rm: cannot remove 'fullchain.pem': No such file or directory
rm: cannot remove '/usr/local/share/ca-certificates/ca.pem': No such file or directory
Generating RSA private key, 4096 bit long modulus (2 primes)
................................................................................................................................................................................++++
...................................................................................................................................................................................................................................++++
e is 65537 (0x010001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:so
State or Province Name (full name) [Some-State]:state3
Locality Name (eg, city) []:locality3
Organization Name (eg, company) [Internet Widgits Pty Ltd]:org3
Organizational Unit Name (eg, section) []:orgunit3
Common Name (e.g. server FQDN or YOUR name) []:cn3
Email Address []:email3#email.com
Generating RSA private key, 4096 bit long modulus (2 primes)
...................................................................++++
.............................................++++
e is 65537 (0x010001)
Signature ok
subject=CN = yourcn
Getting CA Private Key
Enter pass phrase for ca-key.pem:
cert.pem: OK
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Processing triggers for ca-certificates-java (20220719) ...
done.
Updating Mono key store
Mono Certificate Store Sync - version 6.8.0.105
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.
Importing into legacy system store:
I already trust 124, your new list has 124
Import process completed.
Importing into BTLS system store:
I already trust 124, your new list has 124
Import process completed.
Done
done.
Installing custom certificate... done
Restarting apache... done
Error Message
After running the script successfully, I can manually import the ca.crt into brave at: brave://settings/certificates This ensures https works for https://localhost:81 . However, when I open the tor browser in brave, and visit the some_onion.onion it returns:
This site can’t provide a secure connection
some_onion.onion sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
Question
How can I ensure the certificate is trusted on both the some_onion.onion link, as well as on localhost?
Doubt
I am unsure whether:
echo "subjectAltName=DNS:some_onion_link.onion"
is permitted. for an SSL certificate. I wonder why the tor version of Brave does not show why the certificate is not trusted.
I have a Kubernetes that runs 3 node cassandra cluster. when I try to connect to cqlsh from the local machine it works fine. but after enabling SSL on the cluster, I am seeing the below error. I tried setting up the cqlshrc on my local machine and also kubernetes pods but still the same error. can someone help me?
$ kubectl run -i --tty --restart=Never --rm --image cassandra cqlsh -- cqlsh cassandra-0.cassandra.default.svc.cluster.local -u cassandra -p password --ssl
Validation is enabled; SSL transport factory requires a valid certfile to be specified. Please provide path to the certfile in [ssl] section as 'certfile' option in /root/.cassandra/cqlshrc (or use [certfiles] section) or set SSL_CERTFILE environment variable.
pod "cqlsh" deleted
pod default/cqlsh terminated (Error)
Follow the below steps to troublshoot
Check the subject,validity,issuer of remote node certificate (host-remote) from host-local
echo | openssl s_client -showcerts -connect host-remote:cassandra-ssl-port 2>/dev/null | openssl x509 -noout -subject -dates -issuer
Check cqlsh.cer.pem it may only one entry and has subject with CN=host-local, this can be a possible reason that you are able to connect to local but not remote host.
openssl x509 -text -noout -in path to trustore in cqlhrc file/cqlsh.cer.pem
Your truststore shoud have root certificate/CA certificate as well to connect to remote host by successfully validating the certificate chain which is coming from remote node .
You may need to embed the root certificate in trutstore
Refer this to apply ssl in in cassandra.
I am installing a new SSL certificate on Centos6/Apache and my web browser keeps picking up the old certificate. To test my setup, I am using "openssl s_client" but I am seeing different results based on the "-servername" parameter. No one seems to us this parameter and it does not appear in the man pages but I saw it mentioned here OpenSSL: Check SSL Certificate Expiration Date and More .
If I run this command:
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
I get the correct date for the certificate.
(notBefore=Apr 20 00:00:00 2017 GMT notAfter=Apr 20 23:59:59 2018 GMT)
However, if I intruduce the -servername parameter into the commmand
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
I then get the expired date that my browser is showing -
(notBefore=Apr 20 00:00:00 2016 GMT notAfter=Apr 20 23:59:59 2017 GMT)
Can anyone explain why this is happening, as this must be related to the reason why my SSL certificate shows as expired in my browser.
Thanks
O
The servername argument to s_client is documented (briefly) on this page:
https://www.openssl.org/docs/man1.0.2/apps/s_client.html
Essentially it works a little like a "Host" header in HTTP, i.e. it causes the requested domain name to be passed as part of the SSL/TLS handshake (in the SNI - Server Name Indication extension). A server can then host multiple domains behind a single IP. It will respond with the appropriate certificate based on the requested domain name.
If you do not request a specific domain name the server does not know which certificate to give you, so you end up with a default one. In your case one of the certificates that the server is serving up for your domain has expired, but the default certificate has not.
You need to make sure you are updating the correct VirtualHost entry for your domain, e.g. see:
https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm
When I access one of my subdomains: say https://foo.example.com in a browser and inspect the certificates, the certificate looks great. When I use openssl from a remote computer it shows an expired certificate. How can this be?
I tried to reproduce what was found in this question, but my scenario is different. When I run
echo | openssl s_client -showcerts -connect foo.example.com:443 2>&1 | grep Verify
I see:
Verify return code: 10 (certificate has expired)
When I run:
echo | openssl s_client -showcerts -connect foo.example.com:443 2>&1 | openssl x509 -noout -dates
I get:
notBefore=Sep 27 15:10:20 2014 GMT
notAfter=Sep 27 15:10:20 2015 GMT
It looks expired but the browser doesn't show it as expired. Here it is in the browser:
See the 1st comment by #jww. He pointed out that I needed to add -tls1 -servername foo.example.com to my openssl command. His comment:
Try adding -tls1 -servername foo.example.com. I'm guessing you have a front-end server that's providing a default domain for requests without SNI, and the default domain is routed to an internal server with the old certificate. When the browsers connect, they use SNI and get the server for which you have updated the certificate. Or, there could be an intermediate with an expired certificate in the chain that's being served. If you provide real information, its easier for us to help you with problems like this.
I have been trying to inspect all the traffic going through my machine. I have a server directly connected to Internet. And I would like to log all the youtube request made on internet with the URL.
As youtube is based on SSL, so I must need to inspect the HTTPS traffic. I have read it somewhere that I must need to create MITM attack on my own server in order to view the HTTPS request. I have followed following steps in order to create a certificate I own.
1 - Generate a 2048 bit RSA Key: openssl genrsa -des3 -out private.pem
2048
2 - Export the RSA Public Key to a File: openssl rsa -in private.pem
-outform PEM -pubout -out public.pem
3 - Check The public key File (Certificate) Now: less public.pem
4 - Export the RSA Public Key to a File: openssl rsa -in private.pem
-out private_unencrypted.pem -outform PEM -pubout
5 - Check The Private File Now: less private.pem
6 - Copied certificate into certificate directory
7 - Configure certificate by using following command: sudo dpkg-reconfigure ca-certificates
In the end executed all the possible ways available:
mitmproxy -T
Above command open a console application and I accessed all the HTTPs sites but no effect on this window.
And
sudo ssldump -Ad -k cert.pem -p password -i wlo1
This command just printed some handshake stuff in console and after that terminated. But, nothing is related to URL.
And
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 1024
sudo sslstrip -l 1024
This commands keep on listening but, nothing comes out as a result in sslstrip.log file.
I am using all these things with Ubuntu 15 and want to dump ssl request in transparent mode i.e. without setting up proxy on client's machine.