I've followed the tutorial on this website but if I want to save the results I get a message that prevents me from saving the results:
1 error prohibited this sender from being saved:
APNS certificate or private key is not valid
But why do I get this error?
I've tried a couple of methods, placing it with -----BEGIN CERTIFICATE----- and placing it without it, but nothing works. I've created a couple of certificates but each one is false according to the error.
Have I forgotten to do something?
placing it with -----BEGIN CERTIFICATE----- and placing it without it, but nothing works.
You must copy and paste the whole content of the files, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
But why do I get this error?
You have probably made an error in one of the steps: that error means that the certificates are not valid. They are not valid in general (e.g. malformed, etc.): this is not something specifically related to push notifications, APNs or Pushpad.
If you know Ruby, you can see the exception raised by those certificates by running the following snippet:
require 'openssl'

# apns_private_key and apns_certificate hold the PEM text pasted into the form
private_key = OpenSSL::PKey.read apns_private_key
certificate = OpenSSL::X509::Certificate.new apns_certificate
pkcs12 = OpenSSL::PKCS12.create(nil, nil, private_key, certificate)
pkcs12.to_der
Otherwise contact support#pushpad.xyz and attach your cert/private key so that I can try to help.
I've tried to apply my CA certificate to Solr. I've already reached Solr with http or a self-signed certificate following their own recipe here: enabling ssl
But when I try to apply my CA certificate I get an error: "HTTP ERROR 404 javax.servlet.UnavailableException: Error processing the request. CoreContainer is either not initialized or shutting down."
Full error message that I got in the browser
My solr.in.sh config is:
SOLR_SSL_ENABLED=true
SOLR_SSL_KEY_STORE=/etc/default/mykeystore
SOLR_SSL_KEY_STORE_PASSWORD=********
SOLR_SSL_TRUST_STORE=/etc/default/mykeystore
SOLR_SSL_TRUST_STORE_PASSWORD=********
SOLR_SSL_NEED_CLIENT_AUTH=false
# SOLR_SSL_WANT_CLIENT_AUTH=false
#SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=true
SOLR_SSL_CHECK_PEER_NAME=false
SOLR_SSL_KEY_STORE_TYPE=JKS
SOLR_SSL_TRUST_STORE_TYPE=JKS
I followed these two links to convert my PEM file to a keystore: first: 1, then: 2 (I applied just the fourth step in the second link), then named the file mykeystore.
I tried a lot of solutions, some of them from Stack Overflow, but none of them are my answer. Any help, any idea can be very useful. I'm totally stuck. What can I do/check?
I'm trying to read a public cert using the dig command:
dig <domain> -t CERT
which will come back as something like:
;; ANSWER SECTION:
domain. 3600 IN CERT PKIX 54727 RSASHA1 MIIFfTCCBGWgAwIBAgIQCTinFRnGvxrlJ4zqeWKf/TANBgkqhkiG9w0B AQsFADB/MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEg MB4GA1UEChMXTmV4dGdlbiBIZWFsdGhjYXJlIEluYy4xOTA3BgNVBAMT ME5leHRnZW4gSGVhbHRoY2FyZSBEaXJlY3QgU2VjdXJlIE1lc3NhZ2lu ZyBDQSBHMjAeFw0yMjAzMDEwMDAwMDBaFw0yNDAyMjkyMzU5NTlaMGkx CzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazERMA8GA1UEBxMI TmV3IFlvcmsxFjAUBgNVBAoTDUhlYWx0aGl4LCBJbmMxHDAaBgNVBAMT E2RpcmVjdC5oZWFsdGhpeC5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQCj0VULvmE0VY0yU27696Lo1PGXk4bzPjwQANn0xtTp i13zc0fgWSHDMaDBuF6lRjw9uzIhXXxsakYVPhQjm1BrpBfnRLWbrm9c XHpvlumbSc/oGGZf/k7UotaAQwwUmbvBxaq4lyIID7qZMLZ6HssbNeys jEvHRfBXIs1lohEZgwQdrM/MnNLF63rqY7Ymh2qJUhHuu4qGKJO8RiVf gH4Qly8zAaBMlQ/XevvKPdPPtGyf923Hk7LABHta6WtaPCEgazYBjVmq SKL5mYaNHXYNjMRFe4dRH7e7hYaLmcWNdcMXFvOttYNCYM1YsFqAGOAL iGA5mm/dsomiDB9atdXHAgMBAAGjggIJMIICBTAfBgNVHSMEGDAWgBRW JSd4pIqHpJ781l5+fKpIP7aOOzAdBgNVHQ4EFgQU7aKfWKxg3rF+/eta 788DoC6i+r4wHgYDVR0RBBcwFYITZGlyZWN0LmhlYWx0aGl4Lm9yZzAO BgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwQwgakGA1Ud HwSBoTCBnjBNoEugSYZHaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL05l eHRnZW5IZWFsdGhjYXJlRGlyZWN0U2VjdXJlTWVzc2FnaW5nQ0FHMi5j cmwwTaBLoEmGR2h0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9OZXh0Z2Vu SGVhbHRoY2FyZURpcmVjdFNlY3VyZU1lc3NhZ2luZ0NBRzIuY3JsMDQG A1UdIAQtMCswDQYLKwYBBAGCwVsAAgAwDAYKKwYBBAGCwVsBAzAMBgor BgEEAYLBWwIBMIGNBggrBgEFBQcBAQSBgDB+MCQGCCsGAQUFBzABhhho dHRwOi8vb2NzcC5kaWdpY2VydC5jb20wVgYIKwYBBQUHMAKGSmh0dHA6 Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9OZXh0Z2VuSGVhbHRoY2FyZURp cmVjdFNlY3VyZU1lc3NhZ2luZ0NBRzIuY3J0MAwGA1UdEwEB/wQCMAAw DQYJKoZIhvcNAQELBQADggEBADXqYelrcmLRV0olDpe1IpBfDoR5bxYy nvGmkrI/a2Wa1ZqbaVPsR3KevaDwKk/osXNIdcc1MbTsA6m1Lc0otJZd IlSn3YjzYZHwJqwzeL4OxYwJs8Dytdlxa3c6UYRtKNeT0FU8cKtQoXo2 3N9WG21UwoUwIfU0k86tX5saTqeUYgy2q4FWFIdjzCnL6+MKsEtpzKay AM6p96SUKLfBaUYMaHeFgQbkR9g/kcgQY89HtckzuOZwtYdEfuOlY/0Y dnzX+mmCA3FvKNj06oChiRNJeBOD3gbkFWTm0SJqRz61ciSssqvFTB/M vY2EVuDKUikwgfjlJnic7cj60TJrBFE=
My question is: how can I get that cert into PEM format so that I can then convert it to human-readable form, like the text output of openssl x509?
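One way to turn a record like the one above into PEM, as an added Ruby example that is not part of the original question: it reads the CERT RDATA layout (certificate type, key tag, algorithm, base64 chunks), rejects truncated copies, and re-wraps the payload in PEM armor. The names `cert_rr_to_pem` and `der_announced_length`, the `example.test` record and the sample bytes are constructed for illustration.

```ruby
# Constructed sample: DER-shaped bytes (outer SEQUENCE with a long-form
# length), not a real certificate, laid out the way dig prints CERT RDATA.
SAMPLE_DER = ([0x30, 0x82, 0x01, 0x00].pack('C*') + Random.new(1).bytes(256)).freeze
SAMPLE_RR = ('example.test. 3600 IN CERT PKIX 54727 RSASHA1 ' +
             [SAMPLE_DER].pack('m0').scan(/.{1,56}/).join(' ')).freeze

# Total encoded size announced by the outer DER header, or nil when the
# payload does not start with a SEQUENCE tag.
def der_announced_length(der)
  return nil if der.bytesize < 2 || der.getbyte(0) != 0x30
  first = der.getbyte(1)
  return first + 2 if first < 0x80
  n = first & 0x7f
  der.byteslice(2, n).bytes.inject(0) { |acc, b| (acc << 8) | b } + 2 + n
end

# Accepts a full answer line (name TTL class CERT ...) or `dig +short`
# output (type, key tag, algorithm, base64 chunks) and returns PEM text.
def cert_rr_to_pem(line)
  fields = line.strip.split(/\s+/)
  idx = fields.index('CERT')
  fields = fields.drop(idx + 1) if idx
  type, _key_tag, _algorithm, *chunks = fields
  unless %w[PKIX 1].include?(type)
    raise ArgumentError, "CERT type #{type.inspect} does not carry an X.509 certificate"
  end
  der = chunks.join.unpack1('m0') # strict base64: raises ArgumentError if damaged
  unless der_announced_length(der) == der.bytesize
    raise ArgumentError, 'payload is truncated or is not DER'
  end
  "-----BEGIN CERTIFICATE-----\n" +
    [der].pack('m0').scan(/.{1,64}/).join("\n") +
    "\n-----END CERTIFICATE-----\n"
end

puts cert_rr_to_pem(SAMPLE_RR) if __FILE__ == $PROGRAM_NAME
```

With a real record, save the returned text to a file and read it with `openssl x509 -in cert.pem -noout -text`.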
How do I open a PEM file to check a) that the 'Not before' and 'Not after' dates are okay and b) that there is a chain of certs in the PEM file to a root certificate authority?
I have tried:
:- use_module(library(http/http_client)).

url('http://fm4dd.com/openssl/source/PEM/certs/512b-rsa-example-cert.pem').

url_data(Url, D) :-
    http_get(Url, D, [to(string)]).

url_data1(Url, Certificate) :-
    http_get(Url, D, [to(stream(Stream))]),
    load_certificate(Stream, Certificate),
    close(Stream).
url_data/1 works in that it returns the pem file as a string. But url_data1/1 does not work. It is intended to return each certificate(s) as a list of terms.
* Update *
I have:
url_data1(Url, Certs) :-
    http_open(Url, Stream, []),
    all_certs(Stream, Certs),
    forall(member(C, Certs), my_validate(C)),
    close(Stream).

all_certs(Stream, [C1|Certs]) :-
    catch(load_certificate(Stream, C1), _, fail),
    all_certs(Stream, Certs), !.
all_certs(_Stream, []).

my_validate(C) :-
    memberchk(to_be_signed(Signed), C),
    memberchk(key(Key), C),
    memberchk(signature(Signature), C),
    memberchk(signature_algorithm(A), C),
    algo_code(A, Code),
    rsa_verify(Key, Signed, Signature, [type(Code)]).

algo_code('RSA-SHA256', sha256).
algo_code('RSA-SHA1', sha1).
Which fails. What are the correct arguments?
You can use http_open/3 in combination with load_certificate/2:
?- url(Url),
   http_open(Url, Stream, []),
   load_certificate(Stream, Certificate),
   maplist(portray_clause, Certificate).
Yielding:
version(0).
notbefore(1345613214).
notafter(1503293214).
serial('0DFA').
subject(['C'='JP', 'ST'='Tokyo', 'O'='Frank4DD', 'CN'='www.example.com']).
hash("071CB94F0CC8514D024124708EE8B2687BD7D9D5").
signature("14B64CBB817933E671A4DA516FCB081D8D60ECBC18C7734759B1F22048BB61FAFC4DAD898DD121EBD5D8E5BAD6A636FD745083B60FC71DDF7DE52E817F45E09FE23E79EED73031C72072D9582E2AFE125A3445A119087C89475F4A95BE23214A5372DA2A052F2EC970F65BFAFDDFB431B2C14A9C062543A1E6B41E7F869B1640").
signature_algorithm('RSA-SHA1').
etc.
Check the issuer_name/1 element to obtain the issuer. You can use load_certificate/2 again to read further certificates from the file.
Note that a much more typical way to validate the certificate chain is to establish a secure connection (via HTTPS), and then to use ssl_peer_certificate/2 or ssl_peer_certificate_chain/2 on the stream to obtain the peer certificate and certificate chain.
To validate the chain, you must verify the signature/1 fields, which contain the digital signatures of the to_be_signed/1 portions of the certificate, signed by the respective issuer.
You can use library(crypto) to verify the signatures.
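The checks described in this answer (validity dates, issuer names, and each signature verified with the next certificate's key), as an added example that is not part of the original thread. It uses Ruby's OpenSSL binding rather than SWI-Prolog; the `issue` helper, the `audit_pem_chain` name and the subject names are assumptions, and the certificates are constructed throwaway samples.

```ruby
require 'openssl'

# Constructed sample material: issue a throwaway certificate. Without an
# issuer the certificate is self-signed, i.e. it plays the role of a root.
def issue(cn, key, issuer_cert = nil, issuer_key = key, not_after: Time.now + 3600)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = not_after
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# One report per certificate in the PEM text, in file order (leaf first).
# Each certificate is checked against the next one, the last against itself.
# Only dates, issuer names and signatures are checked: this is not full path
# validation (no trust anchor, basicConstraints or revocation checks).
def audit_pem_chain(pem_text, now = Time.now)
  certs = pem_text.scan(PEM_CERT).map { |pem| OpenSSL::X509::Certificate.new(pem) }
  certs.each_with_index.map do |cert, i|
    signer = certs[i + 1] || cert
    { subject: cert.subject.to_s,
      not_before: cert.not_before,
      not_after: cert.not_after,
      in_validity_window: now.between?(cert.not_before, cert.not_after),
      issuer_matches_next: cert.issuer.cmp(signer.subject).zero?,
      signature_ok: cert.verify(signer.public_key) }
  end
end

if __FILE__ == $PROGRAM_NAME
  ca_key = OpenSSL::PKey::RSA.new(2048)
  root = issue('Constructed Root CA', ca_key)
  leaf = issue('www.example.test', OpenSSL::PKey::RSA.new(2048), root, ca_key)
  audit_pem_chain(leaf.to_pem + root.to_pem).each { |row| puts row }
end
```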
I have a problem verifying an HTTPS endpoint when providing a specific certificate path to the 'verify' option; setting 'verify' to true DOES work however:
import requests

def run_tests():
    url = "https://www.google.com"
    certfilename = "google.crt"
    generate_cert_file(certfilename)
    # 1) certificate verification switched off
    response = requests.get(url, verify=False)
    print("URL:%s, Verify=False. Result: %s" % (url, response.status_code))
    # 2) verification against the default CA bundle
    response = requests.get(url, verify=True)
    print("URL:%s, Verify=True. Result: %s" % (url, response.status_code))
    # 3) verification against the certificate file written by generate_cert_file
    response = requests.get(url, verify=certfilename)
    print("URL:%s, Verify=%s. Result: %s" % (url, certfilename, response.status_code))

def generate_cert_file(filename):
    cert_text = ('''\
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIIxZ+YmNtB9AwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwOTA5MjI1MzM5WhcNMTUxMjA4MDAwMDAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqH1dz
jOr385g9DXVZowTLkhjCoYGQ/zOLzslSFowYqZnlMiE7iZ8Vm9/iJfhStSMoA6gZ
87uqLENCi3NK+pk4+n1SIPRZS0jorb1jsyenMMy6Fxb9sQe3ndqZpWBtsW5ezW9t
7q5HWA1cNm1KSi2fmwZpDrSaN0TYQdFbRAz6cPf6J/P66qyEC7OInFgLsy4FDdp8
itpjCo/gnk2gz1vpWjiRYLCkz/dlFY3M3kR/s7YcJa7UP7BZ+QmmDfN3y4mxmEfn
Cg8rB25ZbD+oQ+Hua3/oMrx4r3lliou3yrD08/ABEqs16EEPX5wFHtI4CQYAUt5E
rEDl36bpvFD0QkfLAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBQHiMS+8X3+WcfbMQymf9yX9XA1yDAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAUvY5/JbZLfahjC4F
IZU0jVtGRBDa6tXLhCHAdwLHYLQdHn74oQ8Y1vxL0AYd7V2SBAgrDjCoK9bDQbQi
UZ7xwG9K2O75bS2qYc/OlZLJr0Gdfs71ZpQzlv14SGBXvwPuD6noj+hiZjqICd6t
3Rd5oIFiZvkhNDdN6Uag28rIfR8HECdlkbZNZeLZnyoIaxsprANvlEkY0wEbn1K9
kww3/SYKbdPJ8VQSUOtWgGsO1RPFaE4PP7hCg8Q062+mmCs0ZMQSvrzzv7JQsO5J
EkdG6691HdVA6z/rRGGX8E6assTnJLmVMxRayV+Do07KvywLONTInUWue8heHUSX
EHJZbg==
-----END CERTIFICATE-----\
''')
    # Text mode: cert_text is a str
    with open(filename, "w") as output:
        output.write(cert_text)

if __name__ == '__main__':
    run_tests()
Am I doing something wrong here? (I embedded the cert inline to make the code easier to run without having to provide a separate cert file.)
I fetched 'requests' from the git repository - the newest version TAG in the history is V2.7.0, and the latest commit is "46ff1a9a543cc4d33541aa64c94f50f0a698736e"
EDIT: I actually had the wrong certificate here (thanks Steffen Ullrich for pointing this out) : but I have now confirmed I have the correct cert/endpoint: and I get the same error.
I retrieved the cert like this:
openssl s_client -connect www.google.com:443
And just copied the cert details into the python program.
The issue is actually happening for my own in-house systems as well - using self-signed certs (which is my real use-case).
Alternatively : where does the 'verify=True' option actually look for trusted certs/CAs ? (On Java it would be 'cacerts' - not sure what the equivalent here is for Python/requests ?).
I'm on a Windows platform here.
You are using the certificate which is only valid for www.google.co.uk, but access www.google.com. Thus the certificate can not match at all. And I'm not sure if using the host certificate instead of an issuer certificate (i.e. root CA or intermediate CA) will work at all.
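Can you try this:
from requests import Request, Session

s = Session()
req = Request('POST', 'https://www.google.com')
prepped = s.prepare_request(req)
# CERT_PATH is not defined in the post; set it to the path of your certificate file.
# verify=False switches off verification of the server certificate.
resp = s.send(prepped, verify=False, cert=CERT_PATH)
if resp.status_code == 200:
    ...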
I am trying to set up certificate verification in opensips along with the blink sip client. I followed the tutorial:
https://github.com/antonraharja/book-opensips-101/blob/master/content/3.2.%20SIP%20TLS%20Secure%20Calling.mediawiki
My config looks like so:
[opensips.cfg]
disable_tls = no
listen = tls:my_ip:5061
tls_verify_server= 0
tls_verify_client = 1
tls_require_client_certificate = 1
#tls_method = TLSv1
tls_method = SSLv23
tls_certificate = "/usr/local/etc/opensips/tls/server/server-cert.pem"
tls_private_key = "/usr/local/etc/opensips/tls/server/server-privkey.pem"
tls_ca_list = "/usr/local/etc/opensips/tls/server/server-calist.pem"
So I generated the rootCA and the server certificate. Then I took the server-calist.pem, added the server-privkey.pem in there (otherwise the blink sip client won't load it) and set it in the client. I also set the server-calist.pem as a certificate authority in blink. But when I try to log in to my server I get:
Feb 4 21:02:42 user /usr/local/sbin/opensips[28065]: DBG:core:tcp_read_req: Using the global ( per process ) buff
Feb 4 21:02:42 user /usr/local/sbin/opensips[28065]: DBG:core:tls_update_fd: New fd is 17
Feb 4 21:02:42 user /usr/local/sbin/opensips[28065]: ERROR:core:tls_accept: New TLS connection from 130.85.9.114:48253 failed to accept: rejected by client
So I assume that the client doesn't accept the server certificate for some reason, although I have the "Verify server" checkbox turned off in my blink sip client! I think I have the wrong certificate authority file.
./user/user-cert.pem
./user/user-cert_req.pem
./user/user-privkey.pem
./user/user-calist.pem <- these 4 are for using opensips as a client, I think
./rootCA/certs/01.pem
./rootCA/private/cakey.pem
./rootCA/cacert.pem
./server/server-privkey.pem
./server/server-calist.pem
./server/server-cert.pem
./server/server-cert_req.pem
./calist.pem
Can anybody help? Did I do something wrong in the config or did I use the wrong certificate chain? What certificate exactly should be used by the client as a client cert, and as a CA cert?
All right, I'm still not sure if it is working or not, because the authorization behaviour became weird, but after it hangs for 5-6 minutes I get a successful authorization, so this is a solution:
Generate rootCA:
opensipsctl tls rootCA
Then edit the server.conf file in your tls opensips folder and set commonName = xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is your server IP address. Other variables can be edited in any way. Generate the certificates signed by the CA:
opensipsctl tls userCERT server
This will produce 4 files. Download the server-calist.pem, server-cert.pem, server-privkey.pem. Open the server-privkey.pem, copy its content and paste it in the file server-cert.pem, before the actual certificate. If you are using blink, the produced server-cert.pem goes in preferences->account->advanced, and server-calist.pem goes into preferences->advanced. After that restart blink, and after 5-6 minutes your account is going to be logged in. But I've observed a weird behaviour: if you run another copy of blink and try to log into another existing account after you're logged in from the first one with the certificates, you can log in from the other account without providing the certificates. So I don't know, but I think it's working.
P.S. I asked about the certificates on the opensips mailing list, but I guess they found my question too lame, so I didn't get a response. If you have the same problem and got better results or an answer from opensips support, let me know please.