I'm trying to set up client certificate authentication using haproxy.
With openssl I have created a CA and an intermediate CA. I want to allow only client certs signed by this intermediate CA.
What should I provide in the ca-file option: the intermediate CA cert, or should I provide a concatenation of cert + key?
When using the cert or the cert chain (cat CA + intermediate) I get the following error: ERR_BAD_SSL_CLIENT_AUTH_CERT, and the browser doesn't ask me for a cert.
Here is the haproxy bind config:
bind *:443 ssl crt /etc/ssl/private ca-file /etc/haproxy/ca-chain.cert.pem verify required crt-ignore-err all
Thanks for your help,
Jonathan
I am using the OpenSSL program to generate my SSL self-signed certificates: I created a CA certificate and a webserver certificate, and I have signed the webserver certificate with the CA certificate. I created a keystore with Java's keytool to import the webserver's certificate.
On the client side, I have imported the CA certificate into the client's Certificate Manager, under "Trusted Root Certification Authorities".
In theory, is this setup considered one-way TLS or two-way TLS communication?
Thank you so much for the help!
In the TLS protocol, by default the client validates the server's authenticity: the server sends its certificate during the handshake and the client validates it with the CA certificate in its trust store. This is a one-way setup.
For two-way, during the handshake the server also asks for a certificate from the client, and it validates the certificate sent by the client with the CA certificate in its trust store. So if you want to use a two-way setup, you need to generate a client CA certificate and a client certificate (which will be signed by the client CA certificate); the same CA certificate needs to be configured at the server so that it (the server) will be able to validate the client certificate it receives during the handshake.
You can also decide to keep the same CA certificate for both client and server certificates, making sure the client and server certificates are signed by the same CA.
I am new to kubernetes. I have some confusion about the CA certificates used in a kubernetes cluster. As far as I know there are several CA certificates in kubernetes, but it is still not clear to me what the function of each one is. Here is my understanding of them, but I am still not sure.
Root CA, also known as the serving CA:
it signs the apiserver cert, which is configured in the apiserver with --tls-cert-file and --tls-private-key-file.
this CA certificate is configured in kube-controller-manager with --root-ca-file
Client CA:
this CA certificate can be an intermediate CA certificate signed by the ROOT CA certificate.
it is used to sign the individual components in the cluster, helping to identify them when RBAC and Node authorization are enabled. For example, it signs the kube-controller-manager, kube-scheduler, kube-proxy and kubelet certificates.
it can be configured in the apiserver with --client-ca-file
requestheader client CA:
this CA certificate can also be an intermediate CA certificate signed by the ROOT CA certificate.
I still do not understand what this CA is used for, or in what scenario the CA file is needed; I just found that if the metrics server is deployed, it will ask for requestheader-related certificates and keys.
For --proxy-client-cert-file and --proxy-client-key-file in kube-apiserver, what are the values of these parameters? Can the kubelet certificates and keys be used?
Besides these CA certificates, I have also run into some other confusion related to certificates.
For the --service-account-key-file parameter in kube-apiserver and kube-controller-manager, which file should be configured? Is it the apiserver key file or the ROOT CA key file?
What can be set for --cluster-signing-cert-file and --cluster-signing-key-file in kube-controller-manager? Can we use the client CA and client CA key file?
A good summary is at https://github.com/kubernetes/kubernetes/issues/54665#issuecomment-340960398
The request header CA is used to verify a client cert presented by an authenticating proxy along with user info set in request headers. The proxy authenticates the user, proxies the request, and sets the username/groups in headers. The API server verifies the client cert before trusting user info in any headers.
I want to connect to ssl://iot.eclipse.org:8883 using client certificate authentication.
How can I obtain the CA certificate?
Do I need to generate my own client certificate with the provided CA certificate?
Or is the client certificate also bundled along with the CA certificate?
Using openssl to check, it appears that the certificate for iot.eclipse.org is from the Let's Encrypt project.
$ openssl s_client -showcerts -connect iot.eclipse.org:8883
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=iot.eclipse.org
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
So you should be able to check that this certificate is valid with the standard CA set in most modern OSes/applications.
You will not be able to get hold of the CA cert/private key to generate your own client certs, for obvious reasons, and they do not issue client certificates (and that is assuming the eclipse.org broker is set up to authenticate clients with the same CA; it doesn't have to be).
Also, it doesn't make sense to authenticate against this broker, as you have no way to set an ACL to control which users can subscribe/publish to specific topics, since it's a public demonstration broker. If you want to secure access then you will have to run your own public broker.
EDIT: You don't want to do client certificate authentication; you just want to verify the server cert. This is very different.
To do this with mosquitto_pub or mosquitto_sub you have to specify a CA cert, or a path to a directory of multiple certificates, in order to enable SSL/TLS for the connection. You would specify an individual CA cert if you were using a private CA, but since the iot.eclipse.org broker is using a well-known public CA you need to specify the path to the system collection of CA certs.
On Linux that is /etc/ssl/certs, so you would publish as follows:
mosquitto_pub -h iot.eclipse.org -p 8883 --capath /etc/ssl/certs/ -t testing/ben -m foo
If a certificate is like a passport which proves your identity, then a CA is like a passport office(1). You could consider Verisign, Entrust etc. as passport offices. A CA certificate is analogous to the passport office providing a way to check whether a passport is valid or not.
To prove their identity, any two parties (read: server and client) could use certificates. To verify the authenticity of a party (read: server), you need the CA certificate. Linux systems (Ubuntu) hold commonly used CA certificates at /etc/ssl/certs.
A client certificate is needed only if you need to authenticate yourself to the server. Here the server is iot.eclipse.org, which doesn't ask for client authentication, so you don't need a client certificate.
So, to communicate securely with the server (read: TLS), you can use the CA store present in your system (Ubuntu) as below.
mosquitto_pub -h iot.eclipse.org -p 8883 -t my_topic -m my_message --capath /etc/ssl/certs/
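The one-way/two-way answer earlier on this page and the two iot.eclipse.org answers above both come down to the same question: which CA file does each side check the peer's certificate against? The following is an added example, not code from any post on this page. It builds a root CA, an intermediate CA, a server certificate and a client certificate with the openssl CLI, then runs the checks a TLS client (one-way) and a client-authenticating server (two-way) perform, using openssl verify in place of a live handshake. It assumes the openssl command-line tool (1.1.1 or newer) is installed; the subjects, file names and the haproxy.example.com name are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from any post on this page): build a small PKI with the
# openssl CLI and show which CA file each side needs for its certificate check.
# Assumes the openssl command-line tool is installed; every name, path and
# subject below is constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: an empty DN section (subjects come from -subj) plus the
# extension sections that mark the CAs as CAs and give the leaf certs a purpose.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_root
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:haproxy.example.com
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# Self-signed root CA (constructed; 30-day validity is enough for a demo).
openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# issue <name> <issuer> <ext-section> <subject>: make a CSR and sign it with <issuer>.
issue() {
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "$4" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/openssl.cnf" -extensions "$3" \
    -out "$WORK/$1.pem" 2>/dev/null
}

issue intermediate root v3_intermediate "/CN=Demo Intermediate CA"   # intermediate CA under the root
issue server intermediate v3_server "/CN=haproxy.example.com"         # server cert (one-way TLS)
issue client intermediate v3_client "/CN=client1"                     # client cert (two-way TLS)

# The CA file a server points its ca-file option at: certificates only, root and
# intermediate concatenated, never a private key.
cat "$WORK/root.pem" "$WORK/intermediate.pem" > "$WORK/ca-chain.pem"

# verify_peer <ca-file> <purpose> <cert> [<chain-sent-by-peer>]
# Prints OK when <cert> chains to a self-signed root in <ca-file>, FAIL otherwise.
# The optional fourth file plays the intermediate a peer sends in its handshake:
# usable for building the chain (-untrusted) but not itself a trust anchor.
verify_peer() {
  if [ -n "${4:-}" ]; then
    out=$(openssl verify -CAfile "$1" -purpose "$2" -untrusted "$4" "$3" 2>&1) && { echo OK; return 0; }
  else
    out=$(openssl verify -CAfile "$1" -purpose "$2" "$3" 2>&1) && { echo OK; return 0; }
  fi
  echo FAIL
  echo "$out" | grep -i 'error' >&2 || true   # show openssl's reason on stderr
}

# One-way TLS: the client trusts only the root; the server may or may not send its intermediate.
echo "server, root only, no chain sent:  $(verify_peer "$WORK/root.pem" sslserver "$WORK/server.pem")"
echo "server, root only, chain sent:     $(verify_peer "$WORK/root.pem" sslserver "$WORK/server.pem" "$WORK/intermediate.pem")"
# Two-way TLS: the server checks the presented client cert against its CA file.
echo "client, root+intermediate CA file: $(verify_peer "$WORK/ca-chain.pem" sslclient "$WORK/client.pem")"
echo "client, intermediate-only CA file: $(verify_peer "$WORK/intermediate.pem" sslclient "$WORK/client.pem")"
```

The two FAIL lines are the instructive ones. A trust store holding only the root fails when the peer does not send its intermediate, which is why a public server must ship its chain and why a root-only ca-file only works for client auth if every client presents its intermediate. A CA file holding only the intermediate fails because openssl verify insists on reaching a self-signed root unless -partial_chain is given. Concatenating the root and intermediate certificates, and nothing else, into the CA file is what makes the client-certificate check pass; the private keys never belong in that file.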
I just set up a load balancer with HAProxy 1.5.2, and the HTTPS frontend works incorrectly.
I use curl to make a request to my server as follows:
curl https://haproxy.example.com
The output is as follows:
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
The following is the configuration:
frontend https-in
bind *:443 ssl crt /var/crt/mycrt.pem ca-file /var/crt/myca.crt
reqadd X-Forwarded-Proto:\ https
default_backend https-in-443
The /var/crt/myca.crt is the CA bundle file.
Can anybody help with this issue? Thanks a lot.
Finally, I fixed this issue.
Just added "verify optional" to the end of bind *:443 ssl crt /var/crt/mycrt.pem ca-file /var/crt/myca.txt as follows:
Reference: HAProxy: client side ssl certificates
I am using self-signed certificates with the Apache mod_ssl module but I am getting
> curl_easy_perform() failed on: https://localhost/auth/example (SSL
> certificate problem: self signed certificate)
Is there a way to make SSL not fail? I know that curl has the option --insecure or -k, so is there something similar I can add to http-ssl.conf?
mod_ssl will present whatever certificate it is configured to present. It is a client decision whether to accept the presented certificate or not; there is nothing you can configure in mod_ssl, other than the certificate itself, that will influence client verification.
If you want Curl to accept the server certificate, you can either:
Use --insecure/-k (as you are already aware)
Obtain a certificate signed by a public, trusted certificate authority (CA)
Use a self-signed CA to sign the server certificate, and tell Curl to verify the server certificate using that CA via the --cacert <CA certificate> option.