Is it possible to interact/bypass a dialog popup when running a curl command?
My example involves running a curl command within a jenkins build that is using a p.12 certificate for authentication.
curl -v -k -E dev_key.p12:password https://jira.dev.organisation.co.uk:443/rest/api/2/issue/MYSTATS-2213
So if I do this within my regular terminal I will get a popup first time round asking stating example wants to access key in your keychain with allow/always allow buttons after which I can make my curl requests uninterrupted. But for some reason when running the same command in a Jenkins pipeline I just get the error (which is the outcome if you press cancel on the popup)
SSL can't load the certificate and it's private key
Is there a way around this?
UPDATE
So I have found there is a --cacert option to pass through which I guess verifies the dev_key but when I export my ca certificate its a .crt file. is the right format?
For SSL (https), curl option -E expects a certificate in PEM format (not PKCS#12). From man page:
-E, --cert <certificate[:password]>
[...]
The certificate must be in PKCS#12 format if using Secure Transport, or
PEM format if using any other engine.
[...]
Related
there are a number of similar posts but I am trying to understand a little more than what those offer.
My curl commandline works fine and am able to talk to the server and get the data I want. The command looks like
curl -v --tlsv1.2 --cert ./service_cert.pem --key ./service_private.key "https://myserver"
But when I try to run my C program and examine the http client object I see this
errorBuffer = "NSS: client certificate not found (nickname not specified)
reading further I realized I have libcurl built with NSS which doesn't support reading cert from a flat file ( .pem)
How is then command line curl utility able to read the pem file ?
You need to import your client certificate into a NSS database, using certutil, and have your code use this database.
Reference:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil
I am using curl command to invoke a rest service. It is as follows:
{curl -X POST --ssl-no-revoke --cacert xyz.pem -K urls.txt -H "Authorization:Basic XYZ" -H "Content-Type:application/json" -d #data.json}
The above command is used to hit the service using one way SSL and basic authorization. The data to be passed is enclosed in data.json file and the urls to be hit are enclosed in urls.txt file.
The above command works perfectly in Windows but when executed from linux, it says:
{curl: option --ssl-no-revoke: is unknown
curl: try 'curl --help' or 'curl --manual' for more information}
I want to disable certificate revocation checks altogether. It looks like {--ssl-no-revoke} works on Windows but not Unix/Linux.
Would like to know if any alternative.
ssl-no-revoke is Windows Only. The only alternative I'm aware of is to have a valid certificate or not use SSL.
https://curl.haxx.se/docs/manpage.html
Using a valid certificate is not always a solution as revocation checks will fail with a valid certificate too when there is no Internet connection (for example, in the presence of a captive portal).
One way is to disable certificate checking altogether, i.e.:
curl --insecure https://www.example.com
Note that this will greatly reduce the security as self signed certificates will also be accepted as well as revoked ones!
Is it possible to programmatically installing LetsEncrypt Certificate on shared server, by using some opensource tool or PHP. Currently I'm generating Certificate on windows machine with "letsencrypt-win-simple" tool with W option which uses webdav to authenticate server. Certificate are generated locally in my windows machine and I've to configure it manually through cpanel every month.
Is it any possible automation for this process on certificate installation?
You can use Cpanel's API to install the new certificate. Here is a Linux example, but curl exists for Windows as well. You would need to change the paths in this script though:
domain='example.org'
ledir="/etc/letsencrypt/live/$domain"
cabundle="$ledir/chain.pem"
crt="$ledir/cert.pem"
key="$ledir/privkey.pem"
cpanel_host='cpanel.example.com:2083'
cpanel_user=''
curl -u "$cpanel_user"\
"$cpanel_host/json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=SSL&cpanel_jsonapi_func=installssl&cpanel_jsonapi_user=$cpanel_user"\
-d "domain=$domain" --data-urlencode "cabundle#$cabundle" --data-urlencode "crt#$crt" --data-urlencode "key#$key"
This will still ask for your password. But it is possible to provide Curl with the password as well: curl -u "user:password" ...
you should look windows "sheduled tasks"
https://sites.google.com/site/ballif1073/windows/taches-planifiees
command line Example, not sure its working as i wrote it from the doc on my linux systeme :) (run task every month):
C:\>SCHTASKS /Create /SC MONTHLY /TR C:\path\to\letsencrypt-win-simple.exe
I'm setting up a domain registry as described here:
https://docs.docker.com/registry/deploying/
I generated a certificate for docker.mydomain.com and started the docker using their command on my server:
docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
registry:2
I've started the docker and pointed to certificates I obtained using letsencrypt (https://letsencrypt.org/).
Now, when I browse to https://docker.mydomain.com:5000/v2/ I will get a page with just '{}', with a green lock (succesful secure page request).
But when I try to do a docker login docker.mydomain.com:5000 from a different server I see a error in the registry docker:
TLS handshake error from xxx.xxx.xxx.xxx:51773: remote error: bad certificate
I've tried some different variations in setting up the certificates, and gotten errors like:
remote error: unknown certificate authority
and
tls: first record does not look like a TLS handshake
What am I missing?
Docker seams to not support SNI : https://github.com/docker/docker/issues/9969
Update : Docker now should support SNI.
It's mean, when connecting to your server during the tls transaction, the docker client do not specify the domain name, so your server show the default certificate.
The solution could be to change to default certificate of your server to be to one valid for the docker domain.
This site works only in browsers with SNI support.
To check if your (sub-)domain works with clients not SNI-aware, you can use ssllabs.com/ssltest : If you DONT see the message, "This site works only in browsers with SNI support. " then it will works.
I followed the Docker Registry installation docs precisely, and have a registry running on a remote Ubuntu VM. On that VM, the Docker container is running with the following command:
docker run -d -p 5000:5000 --restart=always --name registry \
-v `pwd`/auth:/auth \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
registry:2
On the remote VM, I have the following directory structure:
/home/myuser/
certs/
registry.crt
registry.key
/etc/docker/certs.d/myregistry.example.com:5000/
ca.crt
ca.key
The ca.crt is the same exact cert as ~/certs/registry.crt (just renamed); same goes for ca.key and registry.key being the same/just renamed. I created the ca* files per a suggestion from the error output you'll see below.
I am almost 100% sure the CA cert is still valid, although any help ruling that out (e.g. how can I actually tell?) would be appreciated. When I start the container and look at the Docker logs, I don't see any errors.
I then attempt to login from my local laptop (Mac):
docker login myregistry.example.com:5000
It queries me for my username, password and email (although I don't recall ever specifying an email when setting up Basic Auth). After entering these correctly (I have checked and double checked...) I get the following error:
myuser#mymachine:~/tmp$docker login myregistry.example.com:5000
Username: my_ciuser
Password:
Email: myuser#example.com
Error response from daemon: invalid registry endpoint https://myregistry.example.com:5000/v0/:
unable to ping registry endpoint https://myregistry.example.com:5000/v0/ v2 ping attempt failed with error:
Get https://myregistry.example.com:5000/v2/: x509: certificate has expired or is not yet valid
v1 ping attempt failed with error: Get https://myregistry.example.com:5000/v1/_ping: x509:
certificate has expired or is not yet valid. If this private registry supports only HTTP or
HTTPS with an unknown CA certificate, please add
`--insecure-registry myregistry.example.com:5000` to the daemon's
arguments. In the case of HTTPS, if you have access to the registry's CA
certificate, no need for the flag; simply place the CA certificate
at /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
So from my perspective, I guess the following are possible:
The CA cert is invalid (if so, why?!?)
The CA cert is an intermediary cert (if so, how can I tell?)
The CA cert is expired (if so, how do I tell?)
This is a bad error message, and some other facet of the registry is not configured properly (if so, how do I troubleshoot further?)
Perhaps my cert is not located in the correct place on the server, or doesn't have the right permissions set (if so, where does the cert need to be?)
Something else that I would never expect in a million years
Any ideas/thoughts?
As said in the error message:
... In the case of HTTPS, if you have access to the registry's CA
certificate, no need for the flag; simply place the CA certificate
at /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
where myregistry.example.com:5000 - your CN with port.
You should copy your ca.crt into each Docker Daemon that will connect to your Docker Registry and put it in this folder: /etc/docker/certs.d/myregistry.example.com:5000/ca.crt
After this action you need to restart Docker daemon, for example, via sudo service docker stop && service docker start on CentOS (or call similar procedure on your OS).
I had the similar error:
Then I added my private registry to the insecureregistries list.
See below image for docker-desktop