Amazon EC2 Linux Permissions with Magento 2 - apache

I have an Amazon AWS EC2 installation with a vhosts file set up and a StartCOM SSL certificate. I have run through the installation setup, passing the Magento Readiness checks and completing the installation with success. I can access the Magento Administrative area without a problem, but the storefront loads with an Error 500.
I believe this to be a permissions problem, but require some assistance with troubleshooting and correcting the problem.
4.4.15-25.57.amzn1.x86_64
Apache/2.4.23 (Amazon)
PHP Version 7.0.9
Magento 2
/var/www/html/magento/
grep apache /etc/group
ec2-user:x:500:apache
apache:x:48:
ls -l
total 1004
-rw-r--r-- 1 root apache 130922 Aug 21 09:59 access_log
drwxr-sr-x 4 root apache 4096 Jun 23 09:41 app
drwxr-sr-x 2 root apache 4096 Jun 23 09:41 bin
-rw-r--r-- 1 root apache 434798 Jun 23 09:41 CHANGELOG.md
-rw-r--r-- 1 root apache 1843 Jun 23 09:39 composer.json
-rw-r--r-- 1 root apache 340876 Jun 23 09:41 composer.lock
-rw-r--r-- 1 root apache 3381 Jun 23 09:41 CONTRIBUTING.md
-rw-r--r-- 1 root apache 631 Jun 23 09:41 COPYING.txt
drwxr-sr-x 5 root apache 4096 Jun 23 09:41 dev
-rw-r--r-- 1 root apache 408 Aug 21 09:32 error_log
-rw-r--r-- 1 root apache 2854 Jun 23 09:41 Gruntfile.js.sample
-rw-r--r-- 1 root apache 1358 Jun 23 09:41 index.php
-rw-r--r-- 1 root apache 315 Jun 23 09:41 ISSUE_TEMPLATE.md
drwxr-sr-x 4 root apache 4096 Jun 23 09:41 lib
-rw-r--r-- 1 root apache 10376 Jun 23 09:41 LICENSE_AFL.txt
-rw-r--r-- 1 root apache 10364 Jun 23 09:41 LICENSE.txt
-rw-r--r-- 1 root apache 5233 Jun 23 09:41 nginx.conf.sample
-rw-r--r-- 1 root apache 1427 Jun 23 09:41 package.json.sample
-rw-r--r-- 1 root apache 804 Jun 23 09:41 php.ini.sample
drwxr-sr-x 2 root apache 4096 Jun 23 09:41 phpserver
drwxr-sr-x 6 root apache 4096 Jun 23 09:41 pub
drwxr-sr-x 7 root apache 4096 Jun 23 09:41 setup
drwxr-sr-x 7 root apache 4096 Jun 23 09:39 update
drwxrwsr-x 11 root apache 4096 Aug 21 09:59 var
drwxrwsr-x 29 root apache 4096 Jun 23 09:41 vendor
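One way to turn a listing like the one above into a repeatable check. This is an added example (my code, not from the question): with everything owned root:apache, Apache can only write where the group bit is set, so the script walks the paths Magento has to write to and reports any entry without group write, and separately flags anything world-writable, which is what a quick "chmod -R 777" to silence the Error 500 would leave behind. The list of writable paths is an assumption taken from general Magento 2 guidance; "generated" only exists in later releases and is skipped when absent. The sample tree is constructed inline with the modes from the listing.

```python
"""Audit a Magento 2 document root for the permissions the web server needs.

Added example (not code from the question): the listing owns everything as
root:apache, so Apache can only write where the group bit is set. This script
checks that the paths Magento must write to are group-writable, and flags
anything world-writable, the 'chmod -R 777' shortcut an Error 500 tempts
people into.
"""
import os
import stat
import tempfile

# Paths Magento 2 must be able to write to. Assumed from general Magento 2
# guidance; 'generated' only exists in later releases and is skipped when absent.
WRITABLE_PATHS = ("app/etc", "var", "pub/media", "pub/static", "generated")


def audit(root):
    """Return (missing_group_write, world_writable), both as sorted relative paths."""
    missing_group_write = []
    world_writable = []

    # Pass 1: anything world-writable under the document root is a risk, because
    # any local account (or a compromised process elsewhere on the box) can alter it.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):      # symlinks report 0777 on Linux; judge the target instead
                continue
            if mode & stat.S_IWOTH:
                world_writable.append(os.path.relpath(full, root))

    # Pass 2: every directory and file under the required paths must be group-writable.
    for rel in WRITABLE_PATHS:
        top = os.path.join(root, rel)
        if not os.path.isdir(top):
            continue
        for dirpath, dirnames, filenames in os.walk(top):
            for full in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                if not os.lstat(full).st_mode & stat.S_IWGRP:
                    missing_group_write.append(os.path.relpath(full, root))

    return sorted(missing_group_write), sorted(world_writable)


def build_demo_tree(base):
    """Constructed sample tree with modes modelled on the listing in the question."""
    layout = {
        "app": 0o755, "app/etc": 0o755, "app/etc/env.php": 0o644,
        "var": 0o775, "var/cache": 0o775, "var/log": 0o777,
        "pub": 0o755, "pub/static": 0o755, "pub/media": 0o775,
        "vendor": 0o775, "index.php": 0o644,
    }
    for rel, mode in layout.items():
        full = os.path.join(base, rel)
        if rel.endswith(".php"):
            open(full, "w").close()
        else:
            os.makedirs(full)
        os.chmod(full, mode)


def run_demo():
    """Build the sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        return audit(base)


if __name__ == "__main__":
    missing, world = run_demo()
    print("needs group write:", missing)
    print("world-writable (fix these):", world)
```

Run it with `audit("/var/www/html/magento")` on the real tree; anything in the first list explains a 500 from Magento failing to write, anything in the second list should be tightened back to 775/664 rather than left at 777.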

Related

SSL Error: "unsupported certificate purpose" for HAProxy's client

I'm trying to set up client certificate authentication using HAProxy.
With OpenSSL, I have created a certificate chain (CA cert --> Intermediate cert --> Server cert). After signing the Intermediate with the CA key and the server cert with the Intermediate key, I concatenated them in the sequence (server-cert.pem + Intermediate-cert.pem + Root-cert.pem + Server-key.pem).
[root@ip-172-31-0-168 /]# cd /etc/ssl/CertChain
[root@ip-172-31-0-168 CertChain]# ls -la
total 52
drwxr-xr-x 2 root root 265 Jul 15 14:39 .
drwxr-xr-x 7 root root 86 Jul 15 13:29 ..
-rw-r--r-- 1 root root 2114 Jul 15 13:34 ca-cert.pem
-rw-r--r-- 1 root root 17 Jul 15 13:53 ca-cert.srl
-rw-r--r-- 1 root root 3268 Jul 15 13:34 ca-key.pem
-rw-r--r-- 1 root root 9374 Jul 15 14:39 haproxySSLFile.pem
-rw-r--r-- 1 root root 2000 Jul 15 13:53 Intermidate-cert.pem
-rw-r--r-- 1 root root 17 Jul 15 14:01 Intermidate-cert.srl
-rw-r--r-- 1 root root 3272 Jul 15 13:51 Intermidate-key.pem
-rw-r--r-- 1 root root 1781 Jul 15 13:51 Intermidate-req.pem
-rw-r--r-- 1 root root 1988 Jul 15 14:01 server-cert.pem
-rw-r--r-- 1 root root 3272 Jul 15 13:56 server-key.pem
-rw-r--r-- 1 root root 1769 Jul 15 13:56 server-req.pem
The highlighted file is the concatenated version of the certificates; the location of this file is what I have placed in the HAProxy config file.
Once HAProxy is up and running, I download the CA-Cert.pem file from the ssl cert directory, and to test SSL encryption I choose Postman (client), where I upload that CA-Cert.pem file.
bind *:80
bind *:443 ssl crt /etc/ssl/CertChain/haproxySSLFile.pem
redirect scheme https if !{ ssl_fc }
mode http
default_backend apps
After running this through Postman (client), I'm getting (SSL Error: Unsupported certificate purpose)
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
Above is the list of certificate purposes that is already defined. I'm not able to figure out which specific purposes I need to specify, as my goal is to encrypt/decrypt the incoming traffic through SSL for HAProxy.
Postman (client) error summary
I've spent many hours attempting to figure out what the issue is, but I'm no closer.
So I would greatly appreciate any help!
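The purpose table quoted in the question is what `openssl x509 -noout -purpose` prints, and it is exactly the test that produces this error: OpenSSL verifies a TLS server chain with purpose "sslserver", which needs the leaf to show "SSL server : Yes" and every issuer above it (intermediate and root) to show "SSL server CA : Yes"; a certificate that fails the test for the position it occupies is rejected with "unsupported certificate purpose". The parser below is an added example (my code, not from the question) that reads one such table per certificate, leaf first, and reports the offending position. The two tables embedded in it are constructed samples, one abbreviated from the question's output and one showing what a certificate with CA:TRUE prints.

```python
"""Read an 'openssl x509 -purpose' table and say what role the certificate can play.

Added example, not from the question: OpenSSL verifies a TLS server chain with
purpose 'sslserver', which requires the leaf to have 'SSL server : Yes' and
every certificate above it (intermediate and root) to have 'SSL server CA : Yes'.
A certificate that fails that test for its position produces
'unsupported certificate purpose'. The parser consumes the output of
`openssl x509 -noout -purpose -in cert.pem` for each certificate, ordered
leaf first, and reports the offending position.
"""
import re

_PURPOSE_LINE = re.compile(r"^\s*(?P<name>.+?)\s*:\s*(?P<value>Yes|No)\s*$")


def parse_purposes(text):
    """Map purpose name -> bool from the table `openssl x509 -purpose` prints."""
    purposes = {}
    for line in text.splitlines():
        m = _PURPOSE_LINE.match(line)
        if m:
            purposes[m.group("name")] = m.group("value") == "Yes"
    return purposes


def check_server_chain(purpose_tables):
    """purpose_tables: list of -purpose outputs, leaf first, root last.
    Returns a list of (position, problem); empty means the chain passes the purpose test."""
    problems = []
    last = len(purpose_tables) - 1
    for pos, table in enumerate(purpose_tables):
        purposes = parse_purposes(table)
        needed = "SSL server" if pos == 0 else "SSL server CA"
        role = "leaf" if pos == 0 else ("root" if pos == last else "intermediate")
        if not purposes.get(needed, False):
            problems.append((pos, f"{role} certificate lacks '{needed} : Yes'"))
    return problems


# Constructed sample, abbreviated from the table in the question (SSL server CA : No).
QUESTION_TABLE = """Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Any Purpose : Yes
Any Purpose CA : Yes
"""

# Constructed sample of what a certificate carrying basicConstraints CA:TRUE prints.
CA_TABLE = """Certificate purposes:
SSL client : Yes
SSL client CA : Yes
SSL server : Yes
SSL server CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
"""

if __name__ == "__main__":
    # Fine as a leaf under certificates that are CAs ...
    print(check_server_chain([QUESTION_TABLE, CA_TABLE, CA_TABLE]))
    # ... but not when a 'SSL server CA : No' certificate sits in an issuer position.
    print(check_server_chain([QUESTION_TABLE, QUESTION_TABLE, CA_TABLE]))
```

Running `openssl x509 -noout -purpose` against each file in the concatenated bundle, and feeding the three outputs to `check_server_chain` in leaf-to-root order, tells you which certificate in the chain the client is objecting to without guessing.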

Kubernetes Client Certificate (RKE managed)

I'm currently deploying a K8S cluster through Rancher RKE using AWS EC2 virtual machines (with CentOS 7 and Docker 17.03.2-ce).
Unfortunately, after deploying the K8S dashboard, I have not been able to access it externally through the API SERVER (https://API-server-ip:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/).
Services are up and running without problems:
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes ClusterIP 10.43.0.1 <none> 443/TCP 1h
ingress-nginx default-http-backend ClusterIP 10.43.76.101 <none> 80/TCP 1h
kube-system kube-dns ClusterIP 10.43.0.10 <none> 53/UDP,53/TCP 1h
kube-system kubernetes-dashboard ClusterIP 10.43.198.196 <none> 443/TCP 1h
I saw that PEM certificates have already been created within /etc/kubernetes/ssl on the API SERVER machine:
-rw-r--r--. 1 root root 1679 Apr 19 09:19 kube-apiserver-key.pem
-rw-r--r--. 1 root root 1302 Apr 19 09:19 kube-apiserver.pem
-rw-r--r--. 1 root root 1679 Apr 19 09:19 kube-ca-key.pem
-rw-r--r--. 1 root root 1017 Apr 19 09:19 kube-ca.pem
-rw-r--r--. 1 root root 493 Apr 19 09:19 kubecfg-kube-controller-manager.yaml
-rw-r--r--. 1 root root 437 Apr 19 09:19 kubecfg-kube-node.yaml
-rw-r--r--. 1 root root 441 Apr 19 09:19 kubecfg-kube-proxy.yaml
-rw-r--r--. 1 root root 457 Apr 19 09:19 kubecfg-kube-scheduler.yaml
-rw-r--r--. 1 root root 1675 Apr 19 09:19 kube-controller-manager-key.pem
-rw-r--r--. 1 root root 1062 Apr 19 09:19 kube-controller-manager.pem
-rw-r--r--. 1 root root 1679 Apr 19 09:19 kube-etcd-<...>-compute-amazonaws-com-key.pem
-rw-r--r--. 1 root root 1298 Apr 19 09:19 kube-etcd-<...>-us-east-2-compute-amazonaws-com.pem
-rw-r--r--. 1 root root 1679 Apr 19 09:19 kube-node-key.pem
-rw-r--r--. 1 root root 1070 Apr 19 09:19 kube-node.pem
-rw-r--r--. 1 root root 1675 Apr 19 09:19 kube-proxy-key.pem
-rw-r--r--. 1 root root 1046 Apr 19 09:19 kube-proxy.pem
-rw-r--r--. 1 root root 1675 Apr 19 09:19 kube-scheduler-key.pem
-rw-r--r--. 1 root root 1050 Apr 19 09:19 kube-scheduler.pem
I tried to use kube-apiserver-key.pem as the key to generate a client certificate with openssl req -new -key /etc/kubernetes/ssl/kube-apiserver-key.pem -out /tmp/user-cert.pem and eventually use it for access. Unfortunately the generated certificate turned out to be in an invalid format (I tried both installing it on MacOS X and an online SSL validator).
Any help?
After some digging I managed to find a solution.
In the kubeconfig file generated by RKE, both client-certificate-data and client-key-data are present as base64-encoded values for kube-admin.
In order to use them in my client browser I first had to decode them to obtain the respective certificate and key:
echo '<KUBE_ADMIN_CLIENT_CERTIFICATE_DATA>' | base64 --decode > kube-admin-cert.pem
echo '<KUBE_ADMIN_CLIENT_KEY_DATA>' | base64 --decode > kube-admin-cert-key.pem
Once the certificates have been generated, it's possible to extract the corresponding .p12 certificate file:
openssl pkcs12 -export -clcerts -inkey kube-admin-cert-key.pem -in kube-admin-cert.pem -out kube-admin-cert.p12
Eventually, once the p12 certificate has been installed in the local client browser, it's possible to authenticate successfully to the proxy API server.

Apache start fails

I am setting up an internal virtual host on Apache with a self-signed certificate. I have my VirtualHost config, and when I try to start Apache I get an error stating the cert is either missing or empty. I have checked my permissions and cert and everything looks proper, so I'm not sure why I'm getting this error. What is wrong with my config?
VirtualHost config:
<VirtualHost *:443>
ServerName www1
ServerAlias www1
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /var/certs/www-cert.crt
SSLCertificateKeyFile /var/certs/www-cert.key
</VirtualHost>
The error from apache:
[root@www1 scripts]# systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2016-12-17 16:13:50 CST; 44s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 10109 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
Process: 10107 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 10107 (code=exited, status=1/FAILURE)
Dec 17 16:13:50 www1 systemd[1]: Starting The Apache HTTP Server...
Dec 17 16:13:50 www1 httpd[10107]: AH00526: Syntax error on line 6 of /etc/httpd/conf.d/default.conf:
Dec 17 16:13:50 www1 httpd[10107]: SSLCertificateFile: file '/var/certs/www-cert.crt' does not exist or is empty
Dec 17 16:13:50 www1 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Dec 17 16:13:50 www1 kill[10109]: kill: cannot find process ""
Dec 17 16:13:50 www1 systemd[1]: httpd.service: control process exited, code=exited status=1
Dec 17 16:13:50 www1 systemd[1]: Failed to start The Apache HTTP Server.
Dec 17 16:13:50 www1 systemd[1]: Unit httpd.service entered failed state.
Dec 17 16:13:50 www1 systemd[1]: httpd.service failed.
The cert does exist:
[root@www1 scripts]# ls -la /var/certs
total 12
drwxr-xr-x. 2 root root 44 Dec 17 16:13 .
drwxr-xr-x. 22 root root 4096 Dec 17 14:57 ..
-rwxr-xr-x. 1 root root 1253 Dec 17 16:13 www-cert.crt
-rwxr-xr-x. 1 root root 1704 Dec 17 16:13 www-cert.key
The cert is valid:
[root@www1 scripts]# openssl x509 -text -noout -in /var/certs/www-cert.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 17817470849210419499 (0xf7445f561b10892b)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CA, ST=Manitoba, OU=www1/emailAddress=root@localhost
Validity
Not Before: Dec 17 22:13:49 2016 GMT
Not After : Dec 11 22:13:49 2021 GMT
Subject: C=CA, ST=Manitoba, OU=www1/emailAddress=root@localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b2:76:fa:a8:8a:0d:ee:97:2f:5c:f8:7d:2a:48:
e9:f8:ce:c6:df:62:5f:23:e4:be:ea:c0:9c:25:09:
31:30:df:90:fc:6b:1b:58:62:98:29:aa:13:39:93:
bc:4d:d2:b8:7a:9f:e8:09:c1:e6:dc:1d:57:67:67:
33:61:6e:eb:a8:52:a6:77:70:19:ed:2a:58:5a:79:
35:ba:af:18:c2:2f:be:06:6a:8b:33:12:e7:63:03:
63:12:36:ed:ae:8e:c5:13:b5:2a:be:25:ac:dc:8a:
a5:dc:bc:86:49:27:29:7f:cd:5e:e1:ec:d9:a5:9f:
34:63:cc:7b:34:fa:2e:27:da:7b:90:a2:27:46:9b:
0b:e1:0a:68:a2:ed:df:1a:b6:48:ef:4f:c9:23:a8:
cf:7e:4c:da:ff:1f:80:52:fb:15:10:39:03:b5:d2:
0d:64:4b:df:9c:0f:41:9a:a0:d8:a1:c7:25:aa:19:
ee:c6:01:81:8b:be:7a:d8:c6:8c:cd:8f:13:51:68:
6d:78:00:72:76:d7:19:9b:d1:66:73:43:4b:30:9b:
de:96:29:81:80:40:31:39:43:e1:c4:2c:4a:c0:19:
4e:9b:d1:f5:e7:2b:d5:36:e3:eb:ef:31:e5:32:b1:
53:5b:f7:a5:c1:17:94:e9:ab:79:e2:02:be:c0:6f:
98:b1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
2C:E5:06:10:BB:24:32:27:7A:7F:50:00:A8:A5:D6:FC:86:5C:58:1F
X509v3 Authority Key Identifier:
keyid:2C:E5:06:10:BB:24:32:27:7A:7F:50:00:A8:A5:D6:FC:86:5C:58:1F
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
05:69:cb:ee:4d:b5:3c:cb:c4:fb:2f:ac:26:b8:fd:db:bf:41:
69:d0:a2:5b:cd:cc:04:53:f5:32:fc:7d:c9:fb:54:9d:d4:bf:
41:02:09:0a:19:51:b1:69:bb:87:87:34:91:28:d4:1d:64:49:
3e:38:27:ad:74:91:4a:e2:dc:85:4f:56:92:ad:fe:f1:9d:17:
ca:e7:b2:2f:2f:89:62:fd:47:a0:0d:67:fb:6b:3b:8a:59:ae:
73:03:97:72:c7:4c:d7:23:a3:b7:1f:ed:8a:bf:03:8a:00:40:
1b:b4:02:d5:f6:73:45:4b:fd:1b:44:9d:9d:46:ca:c1:30:a0:
53:5d:a3:2b:da:09:84:e6:97:9c:66:e5:a2:92:12:99:c5:03:
7f:b7:f6:03:3d:d8:f3:ea:72:f4:ce:2b:73:dd:c6:72:e7:fb:
55:6e:b5:44:11:52:56:ce:3d:0b:d8:40:cb:7e:ed:89:06:c6:
ec:3a:0b:94:e7:54:ce:5e:d6:13:1f:3e:9f:35:47:9b:46:89:
97:80:62:14:f7:40:3e:f6:bc:d9:16:7e:c3:51:27:eb:ab:db:
80:d8:7e:ae:e5:a8:bb:09:28:73:ae:07:1f:78:79:b5:df:5f:
60:85:c3:1e:93:29:95:4e:92:c2:96:e8:ec:a8:46:51:05:a3:
eb:3d:96:f2

centos apache svn forbidden

I am using CentOS 7. I installed httpd, svn and mod_dav_svn, and I can access Apache at http://localhost.
My /etc/httpd/conf.modules.d/10-subversion.conf looks like:
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule dontdothat_module modules/mod_dontdothat.so
<Location /svn>
DAV svn
SVNParentPath /svn
AuthName "SVN repo"
AuthType Basic
AuthUserFile /etc/svn/svn-auth
AuthzSVNAccessFile /svn/authz
Require valid-user
</Location>
I create the svn repo with these commands:
cd /svn
sudo svnadmin create repo
sudo chown -R apache:apache repo
Then I set up user permissions by editing /svn/authz, which is copied from /svn/repo/conf/authz:
sudo cp /svn/repo/conf/authz /svn/authz
However, when I accessed http://localhost/svn/repo, it showed me 403 Forbidden: You don't have permission to access /svn/repo on this server.
My /svn directory is:
[frank@localhost svn]$ ls
authz repo
[frank@localhost svn]$ ls -l
total 4
-rw-r--r--. 1 root root 1123 Nov 12 11:08 authz
drwxr-xr-x. 6 apache apache 80 Nov 12 11:01 repo
/svn/authz
[groups]
admin = frank
general_user=test1
[/]
#admin=rw
[repo:/]
#general_user=r
What's the problem?
----- Updated on 14 Nov ------------
I enabled logging like
<Location /svn>
DAV svn
…
</Location>
CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION
there is svn_logfile under /var/log/httpd, but it is empty.
-rw-r--r--. 1 apache apache 0 Nov 14 22:32 svn_logfile
In error_log, the information displayed is:
[Mon Nov 14 22:32:15.789588 2016] [core:notice] [pid 6924] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Mon Nov 14 22:32:15.791536 2016] [suexec:notice] [pid 6924] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
[Mon Nov 14 22:32:15.828814 2016] [auth_digest:notice] [pid 6924] AH01757: generating secret for digest authentication ...
[Mon Nov 14 22:32:15.830345 2016] [lbmethod_heartbeat:notice] [pid 6924] AH02282: No slotmem from mod_heartmonitor
[Mon Nov 14 22:32:15.842779 2016] [mpm_prefork:notice] [pid 6924] AH00163: Apache/2.4.6 (CentOS) SVN/1.7.14 configured -- resuming normal operations
[Mon Nov 14 22:32:15.842858 2016] [core:notice] [pid 6924] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Nov 14 22:32:25.641415 2016] [authz_svn:error] [pid 6933] (13)Permission denied: [client ::1:60550] Failed to load the AuthzSVNAccessFile: Can't open file '/svn/authz': Permission denied
[Mon Nov 14 22:32:25.641504 2016] [authz_svn:error] [pid 6933] [client ::1:60550] Access denied: 'frank' GET repo:/
but the permissions of /svn/authz are:
drwxr-xr-x. 4 apache apache 41 Nov 13 22:16 svn
-rwxrwxrwx. 1 apache apache 1120 Nov 12 22:58 authz
drwxr-xr-x. 6 apache apache 80 Nov 12 11:01 repo
The problem is SELinux.
After I modified the SELinux security context of /svn with
sudo chcon -Rv --type=httpd_sys_content_t /svn
I can access the svn.
Then I set up user permissions by editing /svn/authz
You should double-check the access rules you put into the authz file. There should be an access rule such as
[repo:/]
* = r
* = r stands for Everyone -- Read Only. Read about the access rules and authz file syntax in SVNBook | Path-Based Authorization.
BTW, you could enable logging and find out the root cause by yourself. Read SVNBook | Apache logging.
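To make the answer's point concrete, here is an added example (my code, not from the question or the answer) that evaluates an authz file the way SVNBook describes it: [groups] defines groups, [/path] applies to every repository and [repo:/path] to one repository; a rule names a user, a @group or * (everyone); a deeper path overrides a shallower one and a repository-specific section overrides the all-repository section for the same path; lines beginning with "#" are comments, which is why the questioner's file grants nothing. Two things in it are assumptions of this simplified model rather than taken from the page: within one section an explicit user rule wins, otherwise the last matching @group or * rule applies (check SVNBook for your Subversion version's exact precedence). The two authz texts are the questioner's file and a constructed corrected one.

```python
"""Evaluate a Subversion authz file for a given user, repository and path.

Added example, not code from the question or the answer. Models the SVNBook
rules: [groups], [/path] (all repositories), [repo:/path] (one repository);
subjects are a user name, @group or * (everyone); a deeper path wins over a
shallower one; a repository-specific section wins over [/path] for the same
path. Assumed simplification: inside one section an explicit user rule wins,
otherwise the last matching @group or * rule applies.
"""
import configparser
import posixpath


def parse_authz(text):
    """Return (groups, rules): groups maps name -> set of members,
    rules maps (repo_or_None, path) -> ordered {subject: permission}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str          # keep case and the '@' / '*' subjects as written
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp["groups"].items():
            groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    rules = {}
    for section in cp.sections():
        if section == "groups":
            continue
        repo, path = section.split(":", 1) if ":" in section else (None, section)
        rules[(repo, posixpath.normpath(path))] = dict(cp[section])
    return groups, rules


def _section_decision(section, user, groups):
    """Apply one section: explicit user rule wins; else the last matching @group or * rule."""
    decision = None
    for subject, perm in section.items():
        if subject == user:
            return perm.strip()
        if subject == "*" or (subject.startswith("@") and user in groups.get(subject[1:], ())):
            decision = perm.strip()
    return decision


def access(groups, rules, repo, path, user):
    """Return the permission string for user on repo:path: '' (none), 'r' or 'rw'."""
    path = posixpath.normpath("/" + path.lstrip("/"))
    while True:
        for key in ((repo, path), (None, path)):      # repository-specific section first
            if key in rules:
                decision = _section_decision(rules[key], user, groups)
                if decision is not None:
                    return decision
        if path == "/":
            return ""                                 # no rule matched anywhere: denied
        path = posixpath.dirname(path)                # fall back to the parent path


# The authz file from the question: every access rule is commented out.
QUESTION_AUTHZ = """\
[groups]
admin = frank
general_user=test1
[/]
#admin=rw
[repo:/]
#general_user=r
"""

# Constructed fix: everyone reads, the admin group writes, and one subtree is closed to non-admins.
FIXED_AUTHZ = """\
[groups]
admin = frank
general_user = test1
[/]
@admin = rw
[repo:/]
* = r
@admin = rw
[repo:/private]
* =
@admin = rw
"""

if __name__ == "__main__":
    g, r = parse_authz(QUESTION_AUTHZ)
    print("question file, frank on repo:/ ->", repr(access(g, r, "repo", "/", "frank")))
    g, r = parse_authz(FIXED_AUTHZ)
    for user in ("frank", "test1", "guest"):
        print(user, "repo:/trunk ->", repr(access(g, r, "repo", "/trunk", user)),
              "repo:/private/docs ->", repr(access(g, r, "repo", "/private/docs", user)))
```

Note the "* =" line in the corrected file: an empty permission is an explicit deny, so only the @admin rule that follows it reopens /private, and a user outside that group gets nothing there even though they can read the rest of the repository.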

Apache: 403 Permission denied after syslogd restart

After syslogd restarted, Apache started logging Permission denied errors. Nothing has changed on the box. Permissions are 755 across the board and the config file hasn't changed. I even set permissions to 777 on all folders leading to the web folder and restarted httpd. SELinux is disabled. CentOS release 5.7. Any ideas?
[user@host log]$ sudo cat messages
Jun 23 04:02:55 systools syslogd 1.4.1: restart.
[user@host log]$ head /etc/httpd/logs/error_log
[Sun Jun 23 04:03:02 2013] [notice] Digest: generating secret for digest authentication ...
[Sun Jun 23 04:03:02 2013] [notice] Digest: done
[Sun Jun 23 04:03:04 2013] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Sun Jun 23 04:03:05 2013] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
[Sun Jun 23 04:04:16 2013] [error] [client 192.168.1.190] (13)Permission denied: access to /incident/rss.php denied
[Sun Jun 23 04:09:14 2013] [error] [client 192.168.1.190] (13)Permission denied: access to /incident/rss.php denied
[Sun Jun 23 04:14:14 2013] [error] [client 192.168.1.190] (13)Permission denied: access to /incident/rss.php denied
[Sun Jun 23 04:19:15 2013] [error] [client 192.168.1.190] (13)Permission denied: access to /incident/rss.php denied
[Sun Jun 23 04:24:16 2013] [error] [client 192.168.1.190] (13)Permission denied: access to /incident/rss.php denied
Forbidden
You don't have permission to access / on this server.
Apache/2.2.3 (CentOS) Server at systools.corp.webex.com Port 80
Changed permissions of files and restarted httpd.
find /var/www -type d -exec chmod 775 {} \;
find /var/www -type f -exec chmod 664 {} \;
/etc/init.d/httpd restart
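A "(13)Permission denied: access to /incident/rss.php denied" names the file, but what usually blocks Apache is a directory on the way to it that lacks the execute (search) bit for the account httpd runs as, which is what reading `namei -m` output by eye checks. The function below is an added example (my code, not from the question) that does that check for a given uid/gid so it can run as an audit before anyone reaches for chmod 777. It assumes the web server is not root (root bypasses these bits) and ignores ACLs; the directory tree it audits is constructed in a temp dir with the parent of the docroot set to 0700.

```python
"""Find which directory above a web file denies the web server search permission.

Added example, not from the question: every directory from / down to the file
needs the execute (search) bit for the uid or gid the web server runs as, or for
'other' when it is unrelated to both. Assumes a non-root server and no ACLs.
"""
import os
import stat
import tempfile


def traversal_blockers(path, uid, gid):
    """Return the directories on the way to path that uid/gid cannot search."""
    chain = []
    p = os.path.abspath(path)
    while True:                      # collect path, its parent, ... up to /
        chain.append(p)
        parent = os.path.dirname(p)
        if parent == p:
            break
        p = parent
    blockers = []
    for d in reversed(chain):        # walk from / downwards, as the kernel does
        st = os.stat(d)
        if not stat.S_ISDIR(st.st_mode):
            continue                 # the file itself is judged by its read bit, not here
        if st.st_uid == uid:
            ok = st.st_mode & stat.S_IXUSR
        elif st.st_gid == gid:
            ok = st.st_mode & stat.S_IXGRP
        else:
            ok = st.st_mode & stat.S_IXOTH
        if not ok:
            blockers.append(d)
    return blockers


def run_demo():
    """Constructed sample: a docroot whose parent is 0700, audited for an unrelated uid/gid,
    then again after the usual 'chmod 755' fix. Returns both blocker lists relative to the base."""
    other_uid, other_gid = os.geteuid() + 1, os.getegid() + 1   # some account that is not us
    with tempfile.TemporaryDirectory() as base:
        www = os.path.join(base, "www")
        os.makedirs(os.path.join(www, "incident"))
        target = os.path.join(www, "incident", "rss.php")
        open(target, "w").close()
        os.chmod(base, 0o711)
        os.chmod(www, 0o700)                         # the misconfiguration
        os.chmod(os.path.join(www, "incident"), 0o755)

        def under_base(paths):
            return [os.path.relpath(p, base) for p in paths if p.startswith(base + os.sep)]

        before = under_base(traversal_blockers(target, other_uid, other_gid))
        os.chmod(www, 0o755)                         # the fix
        after = under_base(traversal_blockers(target, other_uid, other_gid))
        return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("blocked before fix:", before)
    print("blocked after fix:", after)
```

On a real box call `traversal_blockers("/var/www/html/incident/rss.php", uid, gid)` with the ids from `id apache`; an empty list means the 403 is coming from somewhere other than directory permissions, such as an Apache Require/Allow rule or a mandatory access control policy.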