We are try to set up the shield SSL in local machine.
Elasticsearch version : 2.2.1
Kibana version : 4.4.1
Shield version : Latest version
We generated self signed crt, key, pem file as below:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
openssl req -out CSR.csr -key privateKey.key -new
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
openssl x509 -in certificate.crt -out certificate.pem
keytool -importcert -keystore node01.jks -file certificate.pem -alias my_ca
keytool -certreq -alias node01 -keystore node01.jks -file CSR.csr -keyalg rsa -ext san=dns:XXX.com,ip:XXXX.xxxx.xxx
keytool -importcert -keystore node01.jks -file Certificate-signed.crt -alias node01
openssl x509 -in Certificate-signed.crt -out node01-signed-noheaders.crt
and added in shield configuration.
Shield configuration:
shield.http.ssl: true
shield.transport.ssl: true
shield.ssl.keystore.key_password: XXXXX
shield.ssl.keystore.password: XXXX
shield.ssl.keystore.path: /es/config/shield/node01.jks
network.host: XX.XX.XX.XX
Kibana configuration:
elasticsearch.url: "https://XXXXX:9200"
elasticsearch.username: "username"
elasticsearch.password: "password"
elasticsearch.ssl.cert: /XXX/XXX/XXX/elasticsearchtls.crt
elasticsearch.ssl.key: /XXX/XXX/XXX/elasticsearchtls.key
elasticsearch.ssl.ca: /XXX/XXX/XXX/elasticsearch.pem
elasticsearch.ssl.verify: true
So when run the kibana the below error is displayed in elasticsearch log:
log [12:24:25.512] [error][elasticsearch] Request error, retrying -- self signed certificate
log [12:24:25.622] [warning][elasticsearch] Unable to revive connection: https://XXXX:9200/
log [12:24:25.624] [warning][elasticsearch] No living connections
log [12:24:25.627] [error][status][plugin:elasticsearch] Status changed from yellow to red - Unable to connect to Elasticsearch at https://XXXXXX:9200.
After that when I change the elasticsearch.ssl.verify: false Kibana is working fine, but showing some error in elasticsearch log:
ElasticsearchSecurityException[missing authentication token for REST request [/_mget?timeout=0&ignore_unavailable=true&preference=1461307913497]]
In elastic client also the same issue is coming. When we use rejectUnauthorized: true then client is not connecting to elasticsearch.
My questions are:
is the self signed certificate working in Elasticsearch, Kibana or not?
do we have to buy a commercial CA certificate?
are we missing anything?
You are using unnecessary steps when generating and importing the key. Also the certificate you are generating is not signed by the CA and hence it will never be trusted
Unless you have a large deployment I would just use a selfsigned certificate, rather than a certificate signed by a selfsigned CA.
1) Generate a selfsigned certificate with SAN extensions as indicated here How can I generate a self-signed certificate with SubjectAltName using OpenSSL?
2) Merge the key and certificate in a PKCS12 container and import it to the a java keystore as explained here importing an existing x509 certificate and private key in Java keystore to use in ssl
Related
I'm using ActiveMQ Artemis 2.17.0 replication with self-signed certificates. After trying to update to 2.18.0 I realized that something wrong with my certificates (see this thread). There is no SSL connections between brokers and clients.
Here is how I generated my certificates:
openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 -days 365 -out brokerRoot.pem -subj "/C=US/ST=Maryland/L=Aberdeen/O=TestCompany/OU=IT/CN=test/emailAddress=test#gmail.com" -passin pass: passphrase
openssl pkcs12 -inkey private.key -in brokerRoot.pem -export -out broker_ks.p12 -password pass:keyStorePassword
keytool -import -alias broker -keystore client_ts.p12 -file brokerRoot.pem -deststoretype pkcs12 -storepass trustStorePassword -noprompt
and I'm using same client_ts.p12 and broker_ks.p12 on clients and on brokers. So the hostnames should match but it doesn't work anyway.
The ActiveMQ Artemis upgrade instructions for 2.18.0 references says:
...core clients will now expect the CN or Subject Alternative Name values of the broker's SSL certificate to match the hostname in the client's URL.
When you use the openssl command to create private.key you specify CN=test. This means your hostname must be test and your client should also use test in its URL.
Since it's not working my guess is that your hostname is not test. Therefore you need to change your SSL cert on the broker to use the proper CN value which matches the hostname of the broker and then use that in the client's URL.
I am using Postman to test my API. I am using self-signed certificates to use HTTPS in my application.
After I turn on the HTTPS setup, the postman app shows this error
it shows
Error: self signed certificate
The API calls works perfectly when I turn off the SSL certificate verification in the postman setting. I tried to install certificate/keys in postman app but it didn't work.
I want to use the certificate/keys in postman so that I can hit the APIs using SSL. Is there any way to do that?
Generate RootCA.pem, RootCA.key & RootCA.crt:
openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 -keyout RootCA.key -out RootCA.pem -subj "/C=BR/CN=Example-Root-CA"
openssl x509 -outform pem -in RootCA.pem -out RootCA.crt
customize waht you want...(C=?,CN=? etc)
Domain name certificate
Add your domain myapp.local that is hosted on your local machine for development (using the hosts file to point them to 127.0.0.1).
127.0.0.1 myapp.local
First, create a file domains.ext that lists all your local domains:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = #alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = myapp.local
Generate localhost.key, localhost.csr, and localhost.crt:
openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/C=BR/ST=BAHIA/L=SSA/O=Example-Certificates/CN=localhost.local"
openssl x509 -req -sha256 -days 1024 -in localhost.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out localhost.crt
openssl pkcs12 -export -inkey localhost.key -in localhost.crt -out localhost.p12
customize waht you want...(C=?,CN=? etc)
For p12 uses 'password'. This was my keystore on springboot app for example:
Confguring a Keystore (used PKCS12 format, maybe a JKS format also acceptable)...
https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-configure-ssl
cp localhost.p12 myapp/src/main/resources/keystore/localhost.p12
edit application.properties
# secure server port
server.port=8443
# The format used for the keystore. It could be set to JKS in case it is a JKS file
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate
server.ssl.key-store=classpath:keystore/localhost.p12
# The password used to generate the certificate
server.ssl.key-store-password=password
# Enable ssl
server.ssl.enabled=true
Trust the local CA
At this point, the site would load with a warning about self-signed certificates. In order to get a green lock, your new local CA has to be added to the trusted Root Certificate Authorities.
In Postman go to:
Settings -> Enable SSL certificate verification: ON.
Settings -> Certifcates -> CA Certificates: add the PEM RootCA.pem
In a curl command line:
curl --cacert RootCA.crt -v https://myapp.local:8449/endpoint
I have _client-cert.pem and client-key.pem and ca.pem files which I am trying to add to my grails project.
I used following commands :
Convert client keys/certificate files to PKCS#12 before creating a keystore
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem \
-name “mysqlclient” -passout pass:mypassword -out client-keystore.p12
Create a Java Keystore using the client-keystore.p12 file
keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 \
-srcstorepass mypassword -destkeystore keystore -deststoretype JKS -deststorepass mypassword
Then Modified my application.yml file with that path :
enabled: true
key-store: /..../proxreg
key-store-password:kjsfghsfjlhgl
keyStoreType: pkcs12
keyAlias: tomcat
I was wondering if I am missing any step or what am I doing wrong. I am getting access denied error but when I try to connect thro mysql wokbench it works
You can generate a self-signed certificate using the openssl command-line utility.
We can use openssl's req command to create a self-signed certificate:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Above will prompt you to supply metadata about the certificate, such as Country, Organization, etc. Moreover, it will ask you to provide a PEM pass phrase. Enter a random password and keep it safe; we will need in the next step.
Now you have you self-signed certificate. Unfortunately Grails (and Spring Boot) doesn’t support the PEM format directly. Instead, we need to use the PKCS12 format for our keys. Fortunately, there is another openssl command to make the conversion:
openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.p12 -name tomcat -caname root
Update grails-app/conf/application.yml with the following lines:
server:
port: 8443
ssl:
keyStore: /certificates/keystore.p12
keyStorePassword: secret
# keyAlias: tomcat
Above all worked fine with me. for more information please refer this and this
Hope this will help you.
I'm using CAS using the gradle overlay method. I am able to use it with a self signed certificate. However, when I try to use a certificate from the FreeIPA certificate authority, I am getting the following error message:
2018-02-03 13:39:54,298 ERROR [org.apache.catalina.core.StandardService] - <Failed to start connector [Connector[HTTP/1.1-8443]]>
org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167) ~[tomcat-embed-core-8.5.24.jar!/:8.5.24]
...
Caused by: java.lang.IllegalArgumentException: java.io.IOException: Alias name [null] does not identify a key entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116) ~[tomcat-embed-core-8.5.24.jar!/:8.5.24]
I have added the FreeIPA CA certificate to /usr/java/jdk1.8.0_152/jre/lib/security/cacerts
And, put the certificate into /etc/cas/thekeystore
This is the solution:
openssl req -nodes -newkey rsa:2048 -sha256 -keyout cas.key -out cas.csr
[Send CSR to certificate authority]
[Download CA certificate PEM file]
[Download CAS certificate PEM file]
cp cas.key /etc/pki/tls/private/.
cp cas.crt /etc/pki/tls/certs/.
cp freeipa_ca.crt /etc/pki/tls/certs/.
cat cas.pem freeipa_ca.pem > cas_all.pem
openssl pkcs12 -export -inkey /etc/pki/tls/private/cas.key -in cas_all.pem -name cas -out cas.p12
keytool -delete -alias cas -keystore /etc/cas/thekeystore
keytool -list -keystore /etc/cas/thekeystore -v
keytool -importkeystore -srckeystore cas.p12 -srcstoretype pkcs12 -destkeystore /etc/cas/thekeystore
I cannot seem to configure Dropwizard to use ssl.
I've created a key
openssl genrsa -des3 -out server.key 1024
and a certificate
openssl req -new -key server.key -days 365 -out server.crt -x509
and imported it into a keystore
keytool -import -file server.crt -keystore keystore.jks
From there, I've placed the keystore.jks file into /src/main/resources, alongside the config.yaml file for dropwizard.
Then I tried configuring ssl for dropwizard according to the manual:
http:
ssl:
keyStore: ./keystore.jks
keyStorePassword: ********
However, when I navigate to the login page, it only works without https: and gives Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error when using https.
Are there other steps that I'm missing?
I posted on the mailing list and Codahale was quick to respond. I hadn't set nonblocking+ssl connectors in my configuration yaml file under the http: section. Putting in
connectorType: nonblocking+ssl
fixed everything. Thanks dropwizard wizard!