logstash http_poller ssl certification issue - ssl

I am trying to use logstash http_poller to query a server REST API. I downloaded the server PEM through Explorer and generated a JKS file with keytool, but we still get the error "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". I don't know what is wrong.
The config is like below:
input {
  http_poller {
    urls => {
      restapi => {
        method => get
        url => "https://path_to_resources"
        headers => {
          Accept => "application/json"
        }
        truststore => "/path/generated.truststore.jks"
        truststore_password => "xxx"
        ssl_certificate_validation => false
        auth => {
          user => "xxx"
          password => "xxx"
        }
      }
    }
    request_timeout => 60
    interval => 60000
    codec => "json"
    metadata_target => "http_poller_metadata"
  }
}
By the way, what is the impact if ssl_certificate_validation is set to false?

I interpret the OP's intention as hoping to be able to disable TLS verification, which we still can't (logstash-7.11.1), and I plow on with how to get a trust store for these cases. This question was one of my hits in pursuit of the same.
Some appliances will be running self-signed certificates (another discussion, people...), so a small script to set up such a trust store could be helpful, especially if you are about to set up some automation internally.
Another caveat is that the self-signed certificate still has to have a matching host name.
Based on the example from https://www.elastic.co/guide/en/logstash/current/plugins-inputs-http_poller.html
NB! Further error checking, etc. is left to your discretion.
#!/bin/bash
# Fetch an http server's TLS certificate and
# create or update a JAVA keystore / truststore
usage () {
    echo "usage: get-cert.sh <hostname>:<port>"
    exit 1
}
TRUSTSTORE=cacert/trust.jks
PARAM=$1
HOSTNAME=$(echo "$PARAM" | cut -d: -f 1)
PORT=$(echo "$PARAM" | cut -d: -f 2)
REST=$(echo "$PARAM" | cut -d: -f 3-)
[ -z "$HOSTNAME" ] && usage
[ -z "$PORT" ] && usage
[ -n "$REST" ] && usage
# s_client prints the chain the server sends (-servername makes sure an
# SNI-hosted server returns the right one); x509 keeps only the first
# certificate of that output, the server's own, as PEM
OUTPUT=$(
    openssl \
        s_client \
        -showcerts \
        -servername "${HOSTNAME}" \
        -connect "${HOSTNAME}":"${PORT}" </dev/null 2>/dev/null | \
    openssl \
        x509 \
        -outform PEM)
EC=$?
[ $EC -ne 0 ] && { echo "ERROR EC=$EC - $OUTPUT" ; exit $EC ; }
# import it under the host name as alias; -noprompt trusts it without asking
keytool \
    -import \
    -storepass changeit \
    -alias "${HOSTNAME}" \
    -noprompt \
    -file <(echo "$OUTPUT") \
    -keystore "${TRUSTSTORE}"
Using some bash-specific possibilities here. The alternative is to go through temporary files, as per the official example (see link above).
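Before a fetched certificate goes into the truststore the way the script above does it, two checks are worth automating: that it is in fact the self-signed appliance certificate (its fingerprint should be compared with what the appliance itself shows, otherwise you are pinning whatever answered on that port), and that its name matches the host you will put in the http_poller url, since, as the answer notes, a self-signed certificate still has to match the host name. The following is an added example, not part of the original answer; it uses only the openssl CLI, the host name appliance.example.internal and the certificate it generates are constructed for the demo, and the keytool import runs only if keytool is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original answer): checks to run on a fetched
# server certificate before importing it into a Logstash truststore.
# Needs openssl 1.1.1 or newer; keytool (JDK) is optional.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Exit 0 if the PEM certificate in $1 is self-signed: it verifies against
# a trust store that contains nothing but itself.
cert_is_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Exit 0 if the certificate in $1 is valid for host name $2, using the same
# rules a TLS client applies (subjectAltName first, CN only as a fallback).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# SHA-256 fingerprint of $1, for comparing out of band with what the
# appliance shows; that comparison is what protects against importing an
# interposed certificate instead of the appliance's own.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Import $1 into the JKS truststore $4 (password $2, alias $3) when keytool exists.
import_into_truststore() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH, skipping import" >&2; return 2; }
    keytool -importcert -noprompt -storepass "$2" -alias "$3" -file "$1" -keystore "$4"
}

# --- demo: a constructed self-signed "appliance" certificate -----------------
APPLIANCE=appliance.example.internal
# minimal req config so the demo does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$APPLIANCE" > "$WORK/req.cnf"
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/appliance.key"
openssl req -x509 -new -key "$WORK/appliance.key" -config "$WORK/req.cnf" -days 1 -sha256 \
    -addext "subjectAltName=DNS:$APPLIANCE" -out "$WORK/appliance.pem" 2>/dev/null

cert_is_self_signed "$WORK/appliance.pem" && echo "self-signed: yes, nothing to chain to, so this is the certificate to pin"
cert_matches_host "$WORK/appliance.pem" "$APPLIANCE" && echo "host name $APPLIANCE: matches"
cert_matches_host "$WORK/appliance.pem" other.example.internal \
    || echo "host name other.example.internal: does NOT match (http_poller would fail with that url)"
echo "sha256 fingerprint: $(cert_fingerprint "$WORK/appliance.pem")"
import_into_truststore "$WORK/appliance.pem" changeit "$APPLIANCE" "$WORK/trust.jks" || true
```

cert_matches_host applies the matching rules a TLS client uses (subjectAltName first, CN only when there is no SAN), so a certificate that fails it here fails inside Logstash as well, whatever the truststore contains.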

Apparently your certificate is invalid.
Regarding ssl_certificate_validation: it doesn't have a real impact; http_poller is based on manticore, a Ruby library which relies on Apache HC, which does not support this hook, see

Related

Creating a Certificate Signing Request failed

I am trying to create a Certificate Signing Request in Rust programmatically with the binding library https://docs.rs/openssl/latest/openssl/index.html.
The following statements create a CSR with the openssl command line tool:
openssl ecparam -name prime256v1 \
    -genkey \
    -noout \
    -out server.key.pem
status=$?
if [ $status -ne 0 ]; then
    echo "Creating private key failed"
    exit 1
fi
openssl req \
    -key server.key.pem \
    -subj "/CN=server.acme.io/C=CH/L=Zurich/ST=ZH/O=acme/OU=acme" \
    -new -sha256 \
    -out server.csr
status=$?
if [ $status -ne 0 ]; then
    echo "CSR creation failed"
    exit 1
fi
Unfortunately, the following code snippet using the Rust binding library does not work:
use openssl::nid::Nid;
use openssl::ec::{EcGroup, EcKey};
use openssl::error::ErrorStack;
use openssl::x509::{X509NameBuilder, X509ReqBuilder};
use openssl::hash::MessageDigest;
use openssl::pkey::PKey;

fn main() -> Result<(), ErrorStack> {
    let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1)?;
    let ec = EcKey::generate(&group)?;
    let private_key = PKey::from_ec_key(ec)?;
    let mut name = X509NameBuilder::new()?;
    name.append_entry_by_nid(Nid::COUNTRYNAME, "CH")?;
    name.append_entry_by_nid(Nid::STATEORPROVINCENAME, "ZH")?;
    name.append_entry_by_nid(Nid::LOCALITYNAME, "Zurich")?;
    name.append_entry_by_nid(Nid::ORGANIZATIONALUNITNAME, "ACME")?;
    name.append_entry_by_nid(Nid::ORGANIZATIONNAME, "ACME")?;
    name.append_entry_by_nid(Nid::COMMONNAME, "acme.io")?;
    let mut req = X509ReqBuilder::new()?;
    req.set_subject_name(name.build().as_ref())?;
    req.sign(private_key.as_ref(), MessageDigest::sha256())?;
    Ok(())
}
It shows the error message:
Error: ErrorStack([Error { code: 109052126, library: "asn1 encoding routines", function: "asn1_template_ex_i2d", reason: "illegal zero content", file: "crypto/asn1/tasn_enc.c", line: 374 }, Error { code: 109838595, library: "asn1 encoding routines", function: "ASN1_item_sign_ctx", reason: "internal error", file: "crypto/asn1/a_sign.c", line: 265 }])
What am I doing wrong? All the required fields are filled with values.

mosquitto self signed certificate issue - handshake failure

I've created a self-signed CA and certs for mosquitto according to:
https://mosquitto.org/man/mosquitto-tls-7.html and
http://www.steves-internet-guide.com/mosquitto-tls/
Then added these to the mosquitto dir and chmoded them for the mosquitto user; generally I did all that with a script which runs commands to:
- Create CA
- Create server certs
- Create client certs
#!/bin/bash
# FROM: https://mosquitto.org/man/mosquitto-tls-7.html and
# http://www.steves-internet-guide.com/mosquitto-tls/
set -e
# logging
RESTORE='\033[0m'
RED='\033[00;31m'
GREEN='\033[00;32m'
YELLOW='\033[00;33m'
BLUE='\033[00;34m'
PURPLE='\033[00;35m'
CYAN='\033[00;36m'
LIGHTGRAY='\033[00;37m'
LRED='\033[01;31m'
LGREEN='\033[01;32m'
LYELLOW='\033[01;33m'
LBLUE='\033[01;34m'
LPURPLE='\033[01;35m'
LCYAN='\033[01;36m'
WHITE='\033[01;37m'
print_err() {
    echo -e "${RED}ERROR $* ${RESTORE}"
}
print_succ() {
    echo -e "${GREEN} SUCCESS: $* ${RESTORE}"
}
print_warn() {
    echo -e "${BLUE} WARN: $* ${RESTORE}"
}
# CA & SRV need to have different subject DNs for the mosquitto broker to work & to avoid needless asking;
# the label passed in (CA, SRV, CLI) goes into O so every certificate gets its own DN
subj() {
    echo "/C=GB/ST=London/L=London/O=$1/OU=IT_Department/CN=localhost.local"
}
# gen CA
gen_CA() {
    print_warn "generate CA"
    openssl genrsa -out ca.key 4096
    openssl req -x509 -new -nodes -key ca.key -sha256 ${DAYS} -out ca.crt -subj "$(subj CA)"
}
# SERVER
gen_server_keys() {
    print_warn "Generate a server key"
    openssl genrsa ${PSWD} -out server.key 2048
    print_warn "Generate a certificate signing request to send to the CA"
    openssl req -out server.csr -key server.key -new -subj "$(subj SRV)"
    print_warn "Send the CSR to the CA, or sign it with your CA key"
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt ${DAYS}
}
# CLIENT
gen_client_keys() {
    print_warn "Generate a client key"
    openssl genrsa ${PSWD} -out client.key 2048
    print_warn "Generate a certificate signing request to send to the CA"
    openssl req -out client.csr -key client.key -new -subj "$(subj CLI)"
    print_warn "Send the CSR to the CA, or sign it with your CA key"
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -addtrust clientAuth -CAcreateserial -out client.crt ${DAYS}
}
mosq_install() {
    print_warn "Install mqtt certs"
    sudo systemctl stop mosquitto
    sudo cp server.* ca.crt /etc/mosquitto/certs/
    sudo chown -R mosquitto:mosquitto /etc/mosquitto/certs
    sudo bash -c 'cat << EOF > /etc/mosquitto/conf.d/tls.conf
listener 8883
tls_version tlsv1.2
require_certificate false
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
EOF'
    sudo chown -R mosquitto:mosquitto /etc/mosquitto/certs/ /etc/mosquitto/conf.d/
    sudo systemctl restart mosquitto && print_warn "MQTT restarted!"
}
print_help() {
    echo "usage: "
    echo "--CA or --SRV or --CLI"
    echo "--pass to use a passphrase (des3) on the keys; give it before --SRV/--CLI"
    echo "--days 'N' to set the expiry; give it before --CA/--SRV/--CLI"
    echo "--mosq install to mosquitto certs"
}
[ $# -gt 0 ] || { print_help; exit 1; }
# arguments are handled in the order given ("$@"; $# is only their count)
while [ $# -gt 0 ]; do
    case "$1" in
        "--CA")
            gen_CA && print_succ "CA" || print_err "CA failed"
            ;;
        "--SRV")
            gen_server_keys && print_succ "server" || print_err "server keys failed"
            ;;
        "--CLI")
            gen_client_keys && print_succ "cli" || print_err "client keys failed"
            ;;
        "--pass")
            PSWD="-des3"
            ;;
        "--days")
            DAYS="-days $2"
            shift
            ;;
        "--mosq")
            mosq_install && print_succ "mosquitto" || print_err "install mosquitto"
            ;;
        -h|--help)
            print_help
            ;;
        *)
            print_help
            echo "bad param! $1"
            ;;
    esac
    shift
done
After that I get error in mosquitto logs:
1528809795: Config loaded from /etc/mosquitto/mosquitto.conf.
1528809795: Opening ipv4 listen socket on port 8883.
1528809795: Opening ipv6 listen socket on port 8883.
1528809806: New connection from 127.0.0.1 on port 8883.
1528809806: OpenSSL Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
1528809806: OpenSSL Error: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
1528809806: Socket error on client , disconnecting.
1528809809: New connection from 127.0.0.1 on port 8883
mosquitto.conf
# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
In sourced conf.d dir tls.conf:
listener 8883
tls_version tlsv1.2
require_certificate true
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
mosquitto_sub command to test:
mosquitto_sub -h localhost -p 8883 --cafile ca.crt -v -t '#'
The only issue I get with openssl s_client is:
"verify return code: 18 (self signed certificate)"
I can't connect with either python paho mqtt or mosquitto_sub/pub. I wanted to test connections on localhost, then make certs for my local network server and use them with my devices for testing - but I can't make it connect even on localhost.
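Two things in the question point at the certificates rather than at mosquitto. SUBJ is expanded once when the script starts, so every certificate produced in one run gets the same subject DN, CA included; OpenSSL locates a certificate's issuer by name, and a leaf whose issuer name equals its own subject name is taken for a self-signed certificate instead of being chained to ca.crt, which matches the "verify return code: 18 (self signed certificate)" from s_client and the "unknown ca" alert from the client. Separately, the tls.conf shown has require_certificate true, so the broker also demands a client certificate signed by cafile, which mosquitto_sub --cafile ca.crt alone does not present (it would need --cert and --key). The script below is an added example, not from the question or the linked guides: it builds a throwaway CA and signs a server and a client certificate with distinct DNs and a subjectAltName, checks each CSR before signing the way a CA should (which is also the step the Rust CSR question above is trying to implement; a request has to carry the public key, which that code never sets with set_pubkey, before sign() can encode and self-sign it), and verifies each certificate for the purpose it will be used for. All host names, DNs and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the question or the linked guides): a throwaway CA
# plus a server and a client certificate whose subject DNs differ from the
# CA's, with the checks that catch the usual mistakes. Needs openssl >= 1.1.1.
# Every name and path here is constructed for the demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BROKER=broker.example.internal   # the name clients will pass to -h

# minimal req config so the demo does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nO = Example Lab\nCN = placeholder\n[v3_ca]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' > "$WORK/req.cnf"

# P-256 key and CSR named $1 with subject DN $2.
make_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
    openssl req -new -key "$WORK/$1.key" -config "$WORK/req.cnf" -subj "$2" -sha256 -out "$WORK/$1.csr" 2>/dev/null
}

# What a CA should check before signing CSR $1: the self-signature verifies
# (proof of possession of the embedded public key; a request without a
# public key cannot even be encoded) and the CN is the expected $2.
check_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    csr_cn=$(openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$csr_cn" = "$2" ]
}

# Sign CSR $1 into certificate $2 using the x509v3 extensions in file $3.
sign_csr() {
    openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 1 -sha256 -extfile "$3" -out "$2" 2>/dev/null
}

# Exit 0 if certificate $1 chains to ca.crt and may be used for purpose $2
# (sslserver for the broker, sslclient for mosquitto_sub/pub or paho).
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$1" >/dev/null 2>&1
}

# Exit 0 if the subject DN of certificate $1 differs from its issuer DN.
subject_differs_from_issuer() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    issu=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" != "$issu" ]
}

# 1. The CA: its own DN, the only self-signed certificate in the set.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/req.cnf" -extensions v3_ca \
    -subj "/O=Example Lab/CN=Example Lab MQTT CA" -sha256 -days 1 -out "$WORK/ca.crt" 2>/dev/null

# 2. The broker: CN and subjectAltName carry the host name clients connect to.
make_csr server "/O=Example Lab/CN=$BROKER"
check_csr "$WORK/server.csr" "$BROKER" && echo "server.csr: signature and CN OK"
printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$BROKER" > "$WORK/server.ext"
sign_csr "$WORK/server.csr" "$WORK/server.crt" "$WORK/server.ext"

# 3. A client: only needed with require_certificate true; hand it to
#    mosquitto_sub with --cert client.crt --key client.key.
make_csr client "/O=Example Lab/CN=sensor-01"
check_csr "$WORK/client.csr" sensor-01 && echo "client.csr: signature and CN OK"
printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' > "$WORK/client.ext"
sign_csr "$WORK/client.csr" "$WORK/client.crt" "$WORK/client.ext"

subject_differs_from_issuer "$WORK/server.crt" && echo "server.crt: subject != issuer, will not be taken for self-signed"
verify_cert "$WORK/server.crt" sslserver && echo "server.crt: chains to ca.crt as a TLS server"
verify_cert "$WORK/client.crt" sslclient && echo "client.crt: chains to ca.crt as a TLS client"
verify_cert "$WORK/client.crt" sslserver || echo "client.crt: rejected as a TLS server (no serverAuth EKU)"
```

The -purpose checks are the ones the broker and its clients will effectively make at handshake time: a certificate that passes openssl verify without -purpose can still be refused as a server certificate if it carries the wrong extendedKeyUsage, so verify with the purpose you are about to use it for.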

Kibana SSL PEM error on Windows

Note: I will regenerate all passwords and certs in my final install since I have provided all that information here. Also I have asked the same question here
https://discuss.elastic.co/t/kibana-ssl-pem-error-on-windows/117851/2
Environment
Windows 10 Enterprise
Elasticsearch Version : 6.1.1 (elasticsearch-6.1.1.zip)
Kibana Version: 6.1.1 (kibana-6.1.1-windows-x86_64.zip)
Problem:
I am trying to enable SSL in Kibana and I am running into an issue. I can't for the life of me figure out what I have done wrong. Here are the steps I have taken so far.
0) Create a YAML file to use with the certutil --in flag.
instances:
- name: node1
dns: ['node1.local']
- name: devws-kibana
dns: ['devws-kibana.local']
1) Declare variables for use in powershell commands
$root = "C:\working\elasticsearch"
[Version]$esVersion = "6.1.1"
$es = "$root\elasticsearch-$($esVersion.ToString())"
$esService = "elasticsearch_$($esVersion.ToString() -replace '\.','')"
[Version]$KibanaVersion = "6.1.1"
$kibana = "$root\kibana-$($KibanaVersion.ToString())-windows-x86_64"
$kibanaService = "elasticsearch-kibana$($KibanaVersion.ToString() -replace '\.','')"
2) Install x-pack in elasticsearch
&"$es\bin\elasticsearch-plugin.bat" install x-pack --batch
3) Create a Self Signed CA certificate.
&"$es\bin\x-pack\certutil.bat" ca --silent --pass password --ca-dn "CN=Elasticsearch-DevWS" --pem --out "$root\elastic-stack-ca.zip"
Expand-Archive -Path "$root\elastic-stack-ca.zip" -OutputPath "$root\certs"
4) Create a cert for elasticsearch and kibana
&"$es\bin\x-pack\certutil.bat" cert --silent --pem --ca-cert "$root\certs\ca\ca.crt" --ca-key "$root\certs\ca\ca.key" -in "$root\instances.yml" --ca-pass password --pass password --out "$root\certificate-bundle.zip"
Expand-Archive -Path "$root\certificate-bundle.zip" -OutputPath "$root\certs"
5) Copy Certs to proper directories
Copy-Item -Path "$root\certs\ca\ca.crt" -Destination "$es\config\certs\ca.crt"
Copy-Item -Path "$root\certs\node1\*" -Destination "$es\config\certs\"
Copy-Item -Path "$root\certs\ca\ca.crt" -Destination "$kibana\config\certs\ca.crt"
Copy-Item -Path "$root\certs\devws-kibana\*" -Destination "$kibana\config\certs\"
6) Update Elasticsearch.yml to below
cluster.name: WRK001
node.name: node1
network.host: node1.local
http.port: 9210
discovery.zen.ping.unicast.hosts: [ 'node1.local' ]
processors: 2
node.master: true
node.data: true
node.max_local_storage_nodes: 1
xpack.ssl.key: certs/node1.key
xpack.ssl.certificate: certs/node1.crt
xpack.ssl.certificate_authorities: certs/ca.crt
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.http.ssl.enabled: true
xpack.ssl.key_passphrase: password
7) Add secure key passphrase to keystore
"password" | &"$es\bin\elasticsearch-keystore.bat" add xpack.ssl.secure_key_passphrase --stdin
&"$es\bin\elasticsearch-keystore.bat" list
8) Start Elasticsearch
9) Set passwords for the built-in accounts
$url = "https://node1.local:9210/"
$output = & cmd.exe /C "$es\bin\x-pack\setup-passwords.bat auto --url $url -batch" 2>&1
Write-Host -ForegroundColor Green -BackgroundColor Black $output
10) Parse passwords from response and save to temp files.
$elasticPassword = ($output | Select-String -Pattern "^PASSWORD\selastic\s=\s(.*)$" -AllMatches).Matches[0].Groups[1].Value
$kibanaPassword = ($output | Select-String -Pattern "^PASSWORD\skibana\s=\s(.*)$" -AllMatches).Matches[0].Groups[1].Value
$elasticPassword | Out-File -FilePath "$es\config\elastic.password" -Encoding utf8
$kibanaPassword | Out-File -FilePath "$kibana\config\kibana.password" -Encoding utf8
11) Remove setting xpack.ssl.key_passphrase from Elasticsearch.yml
12) Restart Elasticsearch
13) Verify Elasticsearch is working (and it is)
14) Install X-Pack in kibana
&"$kibana\bin\kibana-plugin.bat" install x-pack
15) Update Kibana.yml to below
server.name: devws-kibana
server.host: devws-kibana.local
elasticsearch.url: https://node1.local:9210/
elasticsearch.username: kibana
elasticsearch.password: nWD0zPDLFiM3yHdVQM9j
elasticsearch.ssl.certificateAuthorities: ../config/certs/ca.crt
16) Start Kibana
17) Verify Kibana is running and I am able to log in with elastic user
18) Stop Kibana
19) Update Kibana.yml to below
server.name: devws-kibana
server.host: devws-kibana.local
server.ssl.enabled: true
server.ssl.certificate: ../config/certs/devws-kibana.key
server.ssl.key: ../config/certs/devws-kibana.crt
elasticsearch.url: https://node1.local:9210/
elasticsearch.username: kibana
elasticsearch.password: nWD0zPDLFiM3yHdVQM9j
elasticsearch.ssl.certificateAuthorities: ../config/certs/ca.crt
xpack.security.encryptionKey: 3qrb1xee9ue9rrh3p93ykj28otgp676iu0l8ziifjopfov6h4sv9jhyp49gpm90t
20) Try starting kibana. It fails and produces the following error.
FATAL Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
at Error (native)
at Object.createSecureContext (_tls_common.js:69:17)
at Server (_tls_wrap.js:776:25)
at new Server (https.js:26:14)
at Object.exports.createServer (https.js:47:10)
at new module.exports.internals.Connection (C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\node_modules\hapi\lib\connection.js:88:74)
at internals.Server.connection (C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\node_modules\hapi\lib\server.js:142:24)
at KbnServer.exports.default (C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\src\server\http\setup_connection.js:43:10)
at C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\src\server\kbn_server.js:171:20
at next (native)
at step (C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\src\server\kbn_server.js:87:191)
at C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\src\server\kbn_server.js:87:437
at C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\src\server\kbn_server.js:87:99
at KbnServer.mixin (C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\src\server\kbn_server.js:187:7)
at KbnServer.<anonymous> (C:\working\elasticsearch\kibana-6.1.1-windows-x86_64\src\server\http\index.js:66:21)
at next (native)
Documentation:
https://www.elastic.co/blog/tls-elastic-stack-elasticsearch-kibana-logstash-filebeat
https://www.elastic.co/guide/en/kibana/6.1/installing-xpack-kb.html
https://www.elastic.co/guide/en/kibana/6.1/security-settings-kb.html
https://www.elastic.co/guide/en/kibana/current/production.html#enabling-ssl
https://www.elastic.co/guide/en/kibana/6.1/using-kibana-with-security.html
https://www.elastic.co/guide/en/kibana/6.1/settings.html
https://www.elastic.co/guide/en/elasticsearch/reference/6.1/certutil.html
devws-kibana.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,17D5A5CA90BECF38
...
-----END RSA PRIVATE KEY-----
devws-kibana.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
ca.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Figured out the issue. The server.ssl.certificate and server.ssl.key values were switched.
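The "no start line" error comes straight from OpenSSL's PEM reader inside Node: the file handed to it did not begin with the header it was asked for, which is exactly what a key file given as server.ssl.certificate (and vice versa) produces. The check below is an added example, not part of the post; it classifies PEM files by what they actually contain and confirms that a private key belongs to a certificate, so a swapped or mismatched pair is caught before a service is restarted against it. openssl is used because it is the tool that produced the files; the certificate, keys and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post): tell what a PEM file really contains and
# whether a private key belongs to a certificate, before a service config
# points at them. Needs openssl; file names below are constructed for the demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print certificate | csr | encrypted-private-key | private-key | unknown for file $1.
# The encrypted check runs first so openssl is never asked to decrypt, and
# therefore never prompts for a passphrase.
pem_kind() {
    if grep -q -E -- '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo encrypted-private-key
    elif openssl x509 -in "$1" -noout </dev/null 2>/dev/null; then
        echo certificate
    elif openssl req -in "$1" -noout </dev/null 2>/dev/null; then
        echo csr
    elif openssl pkey -in "$1" -noout -passin pass: </dev/null 2>/dev/null; then
        echo private-key
    else
        echo unknown
    fi
}

# Exit 0 if private key $1 (passphrase $3, if it is encrypted) matches
# certificate $2: both must yield the same SubjectPublicKeyInfo.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey </dev/null 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout -passin "pass:${3:-}" </dev/null 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# --- demo -----------------------------------------------------------------
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = devws-kibana.local\n' > "$WORK/req.cnf"
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/kibana.key"
openssl req -x509 -new -key "$WORK/kibana.key" -config "$WORK/req.cnf" -days 1 -sha256 -out "$WORK/kibana.crt" 2>/dev/null
# the same key with a passphrase, like the Proc-Type: 4,ENCRYPTED key in the post
openssl pkey -in "$WORK/kibana.key" -aes-256-cbc -passout pass:hunter2 -out "$WORK/kibana.enc.key"
# an unrelated key, to show the mismatch case
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/other.key"

for f in kibana.crt kibana.key kibana.enc.key; do
    echo "$f: $(pem_kind "$WORK/$f")"
done
key_matches_cert "$WORK/kibana.key" "$WORK/kibana.crt" && echo "kibana.key matches kibana.crt"
key_matches_cert "$WORK/kibana.enc.key" "$WORK/kibana.crt" hunter2 && echo "kibana.enc.key (with passphrase) matches kibana.crt"
key_matches_cert "$WORK/other.key" "$WORK/kibana.crt" || echo "other.key does NOT match kibana.crt"
key_matches_cert "$WORK/kibana.crt" "$WORK/kibana.key" || echo "swapped arguments: rejected, this is the 'no start line' situation"
```

For a key like the one in the post, pem_kind reports encrypted-private-key without prompting, and key_matches_cert needs the passphrase as its third argument; an unencrypted PKCS#1 or PKCS#8 key is compared directly. Run pem_kind on each path in a kibana.yml before starting the service and the swapped pair is obvious.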

Webpack Dev Server running on HTTPS/Web Sockets Secure

Normally in developer mode Webpack runs over HTTP. There is usually a web server serving content through HTTP and webpack using HTTP/WebSockets on a separate port.
Is it possible to run the web server on HTTPS and webpack on HTTPS/WebSocket Secure?
See the webpack docs
There is a flag you can add to the webpack-dev-server command
webpack-dev-server --https
While the above answer is correct for the CLI, if you are not in the CLI you could do something like this (in a gulp task):
var path = require('path');
var webpack = require('webpack');
var WebpackDevServer = require('webpack-dev-server');
var WebpackDevConfig = require('./webpack.config.js'); // your normal webpack config
new WebpackDevServer(webpack(WebpackDevConfig), {
    https: true, // serve over HTTPS with a self-signed certificate
    hot: true,
    watch: true,
    contentBase: path.join(__dirname, 'src'),
    historyApiFallback: true
}).listen(1337, 'localhost', function(err, result) {
    if (err) {
        console.log(err);
    }
    console.log('Dev server running at https://localhost:1337');
});
This is for the TEST environment only:
you need to configure your webpack-dev-server as follows:
webpack-dev-server --https --cert ./cert.pem --key ./key.pem
The easiest workaround is to generate a key with no passphrase (I don't know the security consequences of this! but this is for test only).
To take the passphrase out of your key use this command:
$ openssl rsa -in key.pem -out newKey.pem
and use the new key in the previous configuration line
With webpack-dev-server --https you create a self-signed certificate. But it does not work for all use cases.
Browsers will ask you for a security exception and show in the URL bar that the connection is not secure.
Therefore it is recommended to create a locally trusted development certificate for localhost with mkcert
Then use it via CLI:
webpack-dev-server --https --key C:/Users/User/localhost-key.pem --cert C:/Users/User/localhost.pem --cacert C:/Users/User/AppData/Local/mkcert/rootCA.pem
or configure devServer.https option in webpack.config.js:
devServer: {
https: {
key: fs.readFileSync('C:/Users/User/localhost-key.pem'),
cert: fs.readFileSync('C:/Users/User/localhost.pem'),
ca: fs.readFileSync('C:/Users/User/AppData/Local/mkcert/rootCA.pem')
}
}
mkcert creates .pem files in Unix format by default, so if you're on Windows you'll probably need to convert them to Windows format using e.g. Notepad++
Tested on Windows (04/22/2021). Easy (no installations required).
1. Project configuration
In your project root run in Powershell (or CMD):
npx mkcert create-ca
npx mkcert create-cert
Your webpack.config.js:
devServer: {
// ...
https: {
key: fs.readFileSync("cert.key"),
cert: fs.readFileSync("cert.crt"),
ca: fs.readFileSync("ca.crt"),
},
// ....
},
2. Install certificate
Double-click on ca.crt > Install Certificate > ...
... > Current User > Place all certificates in the following store > Trusted Root Certification Authorities > ...
... > Finish > Yes
3. Check correct installation
Start > Type: "cert" > Manage User Certificates > ...
... > Trusted Root Certification Authorities > Certificates > Test CA
4. Reload & Test
Reload your browser, start your webpack dev server and check the SSL certificate validity:
Additional steps
If you get this error:
You can add this configuration to your webpack.config.js:
devServer: {
// ...
// https: { ... }
disableHostCheck: true,
// ....
},
For more info:
https://webpack.js.org/configuration/dev-server/#devserverhttps
https://www.npmjs.com/package/mkcert
In my case I had to run all these commands to get the certificate:
openssl genrsa -out private.key 4096
openssl req -new -sha256 -out private.csr -key private.key
openssl x509 -req -days 3650 -in private.csr -signkey private.key -out private.crt -extensions req_ext
openssl x509 -in private.crt -out private.pem -outform PEM
And then finally:
npm run dev -- --open --https --cert private.pem --key private.key
I'm working on a React project and now want to add an SSL certificate to this project and run my website over https, so I have followed the steps below:
Add https in webpack.config.js
devServer: {
    https: true,
    host: '0.0.0.0', // you can change this ip with your ip
    port: 443, // ssl default port number
    inline: true,
    historyApiFallback: true,
    publicPath: '/',
    contentBase: './dist',
    disableHostCheck: true
}
Add the SSL certificate in the package.json file. If you don't want to add the certificate in your package.json file then you have to add it in your webpack.config.js; it is mandatory to add your certificate to your project, either in package.json or in webpack.config.js.
For Package.json
scripts: {
"test": "echo \"Error: no test specified\" && exit 1",
"build": "webpack --mode production",
"start": "webpack-dev-server --open --https --cert /path/to/private.crt --key /path/to/private.key"
}
OR webpack.config.js
// at the top of webpack.config.js: const fs = require('fs');
devServer: {
    host: '0.0.0.0', // you can change this ip with your ip
    port: 443, // ssl default port number
    inline: true,
    https: {
        key: fs.readFileSync('/path/to/private.pem'),
        cert: fs.readFileSync('/path/to/private.pem'),
        ca: fs.readFileSync('/path/to/private.pem')
    },
    historyApiFallback: true,
    publicPath: '/',
    contentBase: './dist',
    disableHostCheck: true
}
Run npm start command on a terminal or you can also use pm2 start npm -- start
Had a similar case when the webapp was served from a docker container which internally uses http, but traefik was serving the app through https (multiple ports: 4000, 3000), so the socket client was trying to connect to http://my.app.url:3000.
After spending a few hours figuring out a solution, came up with this in webpack 5:
devServer: {
    client: {
        port: ' ', // <-- must be empty to eliminate the 3000 port for connecting to socket client
    },
    devMiddleware: {
        writeToDisk: true,
    },
    transportMode: 'sockjs',
    port: 3000, // port which the dev server opens for the sockets
    ...(process.env.DOCKER_DEV && {
        host: '0.0.0.0',
        firewall: false,
        public: 'https://my.app.url', // <-- HTTPS here
    }),
},

Dart, use SSL emitted by an authority

I create a db with certutil:
myproject/bin/pkcert
echo "dartdart" > pwdfile
certutil -N -d 'sql:./' -f pwdfile
Then I import my certificate, validated by an authority:
certutil -d "sql:./" -A -t "C,C,C" -n "my_cert" -i certificate.crt
I check if it works:
certutil -L -d 'sql:./'
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI
my_cert                                      C,C,C
My main.dart
library main;
import "dart:io";
void main() {
  var testPkcertDatabase = Platform.script.resolve('./pkcert')
      .toFilePath();
  SecureSocket.initialize(database: testPkcertDatabase,
                          password: 'dartdart');
  HttpServer
      .bindSecure(InternetAddress.ANY_IP_V6,
                  8443,
                  certificateName: 'my_cert')
      .then((server) {
    server.listen((HttpRequest request) {
      request.response.write('Hello, world!');
      request.response.close();
    });
  });
}
I execute it, and I get this error:
Uncaught Error: CertificateException: Cannot find server certificate by nickname: my_cert (OS Error: security library: read-only database., errno = -8126)
Did I miss something, or should I report a bug?
Thank you.
Have you tried adding -s "cn=mycert" to
certutil -d "sql:./" -A -t "C,C,C" -n "my_cert" -i certificate.crt
and using it with
HttpServer
    .bindSecure(InternetAddress.ANY_IP_V6,
                8443,
                certificateName: 'CN=my_cert')
as shown in this blog post http://jamesslocum.com/post/70003236123 ?