Add trusted CA to Debian/Ubuntu image - ssl

I'm trying to deploy a CA certificate as a trusted root certificate in a Debian/nodejs container as described in https://askubuntu.com/a/94861/88763 or http://blog.bigon.be/2014/03/22/add-a-new-ca-certificate-to-the-certificates-stash-in-debian/ but it fails with no apparent reason. My Dockerfile:
# or buildpack-deps:jessie or node:5
FROM debian:jessie
RUN apt-get update -y && \
    apt-get install ca-certificates netcat strace wget -y
ADD rootCa.pem /usr/local/share/ca-certificates/rootCa.crt
RUN update-ca-certificates --verbose
# just to keep the container running
CMD ["netcat", "-l", "12345"]
When building the container it actually tells me a certificate was added (1 added, 0 removed; done.) Nonetheless, when I try to use the root CA with wget, it is not found:
$ sudo docker exec -it cleanslatehg_catests_1 wget https://foo.v3.testing
converted 'https://foo.v3.testing' (ANSI_X3.4-1968) -> 'https://foo.v3.testing' (UTF-8)
--2016-02-02 15:11:33-- https://foo.v3.testing/
Resolving foo.v3.testing (foo.v3.testing)... 172.19.0.7
Connecting to foo.v3.testing (foo.v3.testing)|172.19.0.7|:443... connected.
ERROR: The certificate of 'foo.v3.testing' is not trusted.
Using the Ubuntu base image, I can access https://foo.v3.testing successfully:
FROM ubuntu
RUN apt-get update -y && \
apt-get install ca-certificates netcat strace wget -y
ADD rootCa.pem /usr/local/share/ca-certificates/rootCa.crt
RUN update-ca-certificates --verbose
CMD ["netcat", "-l", "12345"]
$ sudo docker exec -it cleanslatehg_catests_1 wget https://foo.v3.testing
--2016-02-02 15:23:17-- https://foo.v3.testing/
Resolving foo.v3.testing (foo.v3.testing)... 172.19.0.7
Connecting to foo.v3.testing (foo.v3.testing)|172.19.0.7|:443... connected.
HTTP request sent, awaiting response... 200 OK
[…]
2016-02-02 15:23:17 (33.9 MB/s) - 'index.html' saved [170/170]
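The question above copies a PEM file into /usr/local/share/ca-certificates and relies on update-ca-certificates to merge it into /etc/ssl/certs/ca-certificates.crt. The following script is an added example, not part of the original question, for checking the two things that most often go wrong on that path: whether the file meets what update-ca-certificates requires (location, .crt extension, PEM encoding) and whether the certificate really ended up in the bundle after the tool reported "1 added". The directory and bundle paths are parameters defaulting to the Debian/Ubuntu locations; the script names are mine.

```shell
#!/bin/sh
# Added example, not from the original question: checks for a CA certificate that
# was copied into the local CA directory, run before and after update-ca-certificates.
# Directory and bundle path are parameters so the functions can be tried anywhere;
# the defaults are the Debian/Ubuntu locations.

# Print the base64 body of the first certificate in FILE with all whitespace removed,
# so the same certificate compares equal whatever its line wrapping.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ {f=1; next}
         /-----END CERTIFICATE-----/   {exit}
         f' "$1" | tr -d ' \t\r\n'
}

# Print one line per certificate in BUNDLE, each line the whitespace-free base64 body.
bundle_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ {f=1; b=""; next}
         /-----END CERTIFICATE-----/   {f=0; print b; next}
         f { gsub(/[ \t\r]/, ""); b = b $0 }' "$1"
}

# Return 0 if the certificate in CERT_FILE is present in BUNDLE, 1 otherwise.
cert_in_bundle() {
    body=$(pem_body "$1")
    [ -n "$body" ] || return 1
    bundle_bodies "$2" | grep -qxF -- "$body"
}

# Check what update-ca-certificates silently requires of a file: it lives under the
# local CA directory, its name ends in .crt, and it is PEM (DER files are not picked up).
# Prints the first failing check and returns 1; returns 0 when everything holds.
check_ca_file() {
    f=$1
    dir=${2:-/usr/local/share/ca-certificates}
    case "$f" in
        "$dir"/*) ;;
        *) echo "not under $dir: $f"; return 1 ;;
    esac
    case "$f" in
        *.crt) ;;
        *) echo "name must end in .crt, other extensions are ignored: $f"; return 1 ;;
    esac
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "not a PEM certificate: $f"; return 1; }
}

# Usage: ./check-ca.sh /usr/local/share/ca-certificates/rootCa.crt [bundle]
if [ -n "${1:-}" ]; then
    check_ca_file "$1" || exit 1
    if cert_in_bundle "$1" "${2:-/etc/ssl/certs/ca-certificates.crt}"; then
        echo "present in bundle"
    else
        echo "NOT in bundle: run update-ca-certificates and check its output" >&2
        exit 1
    fi
fi
```

If the certificate is in the bundle but a client still reports "not trusted", the problem is no longer the bundle but the client: some programs ship their own trust store or read a different path, so the next step is to check which file that client actually opens (for example with strace, which the question's image already installs).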

Related

The TLS connection was non-properly terminated in kubernetes

I am doing an apt-get update for installing Kubernetes and I get this message
https://packages.cloud.google.com/apt kubernetes-xenial Release
Could not handshake: The TLS connection was non-properly terminated.
and of course later in the process: "The repository 'http://apt.kubernetes.io kubernetes-xenial Release' does not have a Release file"
I have the proxies set correctly:
in /etc/apt/apt.conf.d/proxy.conf:
Acquire::ForceIPv4 "true";
and proxies are set for https_proxy; http_proxy and ftp_proxy
and in the sysctl config under /etc I have disabled ipv6:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Can someone please help me understand what other proxies etc are missing to avoid the TLS error.
Solved the issue:
This was an issue due to being behind a firewall.
The apt-key before the apt-get update instruction was the issue
By rerunning the apt-key using
curl -sSL 'http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xBBEBDCB318AD50EC6865090613B00F1FD2C19886' | sudo apt-key add -
instead of the original instruction
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
Full set of instructions
sudo apt-get update
sudo apt-get install docker.io
sudo apt-get update && sudo apt-get install -y apt-transport-https curl
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
cat <<EOF | sudo tee /etc/apt/sources.list.d/kubernetes.list
deb https://apt.kubernetes.io/ kubernetes-xenial main
EOF
sudo apt-get update

docker & docker-compose - Apache image with an option to switch between SSL Cert, self-signed, Let's Encrypt or disabled

I'm creating a docker image for Apache. I would like to configure SSL certs with an option to switch between different certificate provider.
SSL Cert (or) Let's Encrypt (or) Self Signed (or) Disable SSL altogether
Any idea on how to accomplish that? Unfortunately cannot find any example out on the internet. Any help is greatly appreciated. Thanks!
Dockerfile:
FROM centos:centos7
RUN yum -y install epel-release && \
yum -y update
RUN yum -y install httpd mod-ssl
RUN yum clean all && \
rm -rf /var/cache/yum
...
I want to be able to do something like this.
Docker run:
SSL Cert:
docker run -d -e sslCertType=sslCert \
  -v /etc/cert.crt:/etc/httpd/conf.d/cert.crt \
  -v /etc/intermediate.crt:/etc/httpd/conf.d/intermediate.crt \
  -v /etc/passphrase.sh:/etc/httpd/conf.d/passphrase.sh \
  apache
Let's Encrypt:
docker run -d -e sslCertType=letsEncrypt apache
Self Signed:
docker run -d -e sslCertType=selfSigned apache
disabled:
docker run -d apache
Why don't you just build 4 different images with different configuration and tag them correctly i.e.
apache:selfSigned
apache:sslCert
and then just run them accordingly i.e.:
docker run -d apache:selfSigned
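For readers who want the single-image approach the question asks about rather than four tagged images, the following entrypoint is an added example, not code from the question or the answer. It maps the sslCertType variable from the question onto an httpd -D define, so the image's ssl.conf can wrap each variant in an <IfDefine> block, and it fails closed: an unknown mode, or sslCert mode with one of the mounted files missing, stops the container instead of starting httpd with a half-configured TLS listener. The define names, the /etc/httpd/conf.d paths and the requirement that passphrase.sh be executable are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original question or answer: entrypoint logic for an
# Apache image whose TLS setup is selected with the sslCertType environment variable.
# Define names (SSL_PROVIDED etc.) are assumptions; they must match <IfDefine> blocks
# in the image's ssl.conf.

# Print the httpd -D define for MODE after checking that the files that mode needs
# exist under CONF_DIR. Prints nothing for "disabled" (TLS off). Unknown or incomplete
# modes print a reason on stderr and return 1.
ssl_define_for() {
    mode=${1:-disabled}   # an unset sslCertType means TLS off, as in "docker run -d apache"
    conf=$2
    case "$mode" in
        disabled)
            ;;
        sslCert)
            # the question bind-mounts these three files into /etc/httpd/conf.d
            for f in cert.crt intermediate.crt passphrase.sh; do
                [ -r "$conf/$f" ] || { echo "sslCert mode needs $conf/$f" >&2; return 1; }
            done
            # SSLPassPhraseDialog exec:... only works if the helper can be executed
            [ -x "$conf/passphrase.sh" ] || { echo "$conf/passphrase.sh must be executable" >&2; return 1; }
            echo "-DSSL_PROVIDED" ;;
        letsEncrypt)
            echo "-DSSL_LETSENCRYPT" ;;
        selfSigned)
            echo "-DSSL_SELFSIGNED" ;;
        *)
            echo "unknown sslCertType: $mode (expected sslCert, letsEncrypt, selfSigned or unset)" >&2
            return 1 ;;
    esac
}

# Container entrypoint: resolve the mode, then replace this shell with httpd so that
# signals reach the server and the container stops when httpd does.
entrypoint() {
    define=$(ssl_define_for "${sslCertType:-}" /etc/httpd/conf.d) || exit 1
    # $define is deliberately unquoted: an empty value must vanish, not become "".
    exec /usr/sbin/httpd -DFOREGROUND $define
}

# Usage in the Dockerfile: ENTRYPOINT ["/entrypoint.sh", "run"]
if [ "${1:-}" = "run" ]; then
    entrypoint
fi
```

In ssl.conf the variants then live side by side, for example <IfDefine SSL_PROVIDED> pointing SSLCertificateFile at /etc/httpd/conf.d/cert.crt and SSLCertificateChainFile at intermediate.crt, and <IfDefine SSL_SELFSIGNED> pointing at a key pair generated at image build time; with no define present none of the TLS listeners is loaded.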

server certificate verification failed while installing Kubernetes on Ubuntu 16.04

I'm setting up a Kubernetes cluster and as part of that, I ran the following command (mentioned on official docs: https://kubernetes.io/docs/tasks/tools/install-kubectl/) :
sudo apt-get update && sudo apt-get install -y apt-transport-https
However, it fails with the following error:
Err:3 https://packages.cloud.google.com/apt kubernetes-xenial/main amd64 Packages
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Now, I fetch the certificate with this command :
ex +'/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect packages.cloud.google.com:443) -scq > kubecertificate.crt
I get the following response :
verify error:num=20:unable to get local issuer certificate
DONE
But since I see content inside my kubecertificate.crt file , I go ahead and copy the certificate in /usr/local/share/ca-certificates/ directory.
Then I run:
update-ca-certificates
After updating my ca certificates bundle, I re run the first command mentioned.
It again fails with the server certificate verification failed error.
Please help me understand where I am going wrong. Is it because I'm unable to get the local issuer certificate? Please help.
Are you using i386 image or is there some firewall involved? If it is 64bit version of Xenial then it must be some kind of system issue.
Take a look at this case. Especially I would check the current system time with date -R and apt-get install NTP as advised by #davidthings, as I remember having a similar problem. There are also a lot of different solutions which could help, listed in the linked case; check which one is applicable for you and update if you succeed.
After that you can try with this, to download kubectl, kubelet and kubeadm (or edit it accordingly if you want just one)
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb http://apt.kubernetes.io/ kubernetes-xenial main
EOF
sudo apt-get update
sudo apt-get install -y kubelet kubeadm kubectl

I would like to set up rfc5766-turn-server in Ubuntu 14.04, can anyone give me the set of steps listed all together? I am doing it in AWS EC2

I have tried to install and set up rfc5766-turn-server in AWS EC2 but am unable to do it as I do not see a proper flow of work or command line for that; can someone help me with this? I need to set it up in Ubuntu 14.04
do an ssh login to your ec2 instance, then run the below commands for installing and starting the turn server.
commands for installing turnserver:
sudo apt-get update
sudo apt-get install make gcc libssl-dev libevent-dev wget -y # for installing modules required by turn server
mkdir ~/turn && cd ~/turn # creating temp directory
wget turnserver.open-sys.org/downloads/v3.2.5.9/turnserver-3.2.5.9.tar.gz # downloading the TURN source code
tar -zxvf *.gz # extract
cd turn*
make
sudo make install # installing the rfc5766
cd ../.. && rm -rf turn # cleaning up
command for starting the TURN server:
turnserver -a -o -v -n -u user:root -p 3478 -L INT_IP -r someRealm -X EXT_IP/INT_IP
assumptions:
your ip, internal ip = EXT_IP, INT_IP
desired port for listening: 3478
single credential username:password = user:root
realm: someRealm
in your WebRTC app, you can use the TURN server like:
{
url: 'turn:user@EXT_IP:3478',
credential: 'root'
}
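The answer's start command hard-codes a single static credential (user:root) and the two addresses. As an added example, not part of the original answer, the script below assembles the same turnserver command line from the answer's parameters after validating the addresses and generating a random password, so a typo in an IP or a weak credential is caught before the relay is exposed on the EC2 instance. Function names and the 16-character minimum are my choices; the flags are exactly the ones the answer uses.

```shell
#!/bin/sh
# Added example, not from the original answer: build the turnserver invocation from the
# answer's parameters (external IP, internal IP, realm, port, user) with a generated
# password instead of the fixed "user:root" credential.

# Return 0 if $1 is a dotted IPv4 address with every octet in 0-255, else 1.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1          # split the address into its four octets
    IFS=$old_ifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Print a 24-character hex password from /dev/urandom (12 random bytes).
gen_password() {
    od -An -tx1 -N 12 /dev/urandom | tr -d ' \n'
}

# Print the turnserver command for EXT_IP INT_IP REALM USER PASSWORD [PORT].
# Flags as in the answer: -a long-term credentials, -o run as daemon, -v verbose,
# -n no config file, -u user:password, -p listening port, -L listening IP,
# -r realm, -X external/internal address pair for the relay.
turn_cmd() {
    ext=$1; int=$2; realm=$3; user=$4; pass=$5; port=${6:-3478}
    is_ipv4 "$ext" || { echo "bad external ip: $ext" >&2; return 1; }
    is_ipv4 "$int" || { echo "bad internal ip: $int" >&2; return 1; }
    [ -n "$realm" ] && [ -n "$user" ] || { echo "realm and user are required" >&2; return 1; }
    [ ${#pass} -ge 16 ] || { echo "refusing a password shorter than 16 characters" >&2; return 1; }
    echo "turnserver -a -o -v -n -u $user:$pass -p $port -L $int -r $realm -X $ext/$int"
}

# Usage: ./turn-start.sh EXT_IP INT_IP REALM USER  (prints the credential once, then starts)
if [ $# -eq 4 ]; then
    pass=$(gen_password)
    cmd=$(turn_cmd "$1" "$2" "$3" "$4" "$pass") || exit 1
    echo "TURN credential for your WebRTC config: $4 / $pass"
    eval "$cmd"
fi
```

The password is printed once at start so it can be copied into the WebRTC iceServers entry shown in the answer; anyone who can read the process list can still see it in the command line, which is why the rfc5766 turnserver also accepts the credential from its configuration file or user database instead of -u once the basic setup works.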

gitLab update : curl returns ssl error 35

I am trying to update my gitLab installation from 7.7.2.
When I am running the following command nothing downloads.
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash
And I get this error:
0* Unknown SSL protocol error in connection to packages.gitlab.com:443
0 0 0 0 0 0 0 0 --:--:-- 0:02:00 --:--:-- 0
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to packages.gitlab.com:443
curl is unable to connect to packagecloud.io over TLS when running:
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/config_file.list?os=Ubuntu&dist=trusty&name=git.curuba2.fr&source=script
This is usually due to one of two things:
1.) Missing CA root certificates (make sure the ca-certificates package is installed)
2.) An old version of libssl. Try upgrading libssl on your system to a more recent version
My ubuntu Trusty is up to date, I have ca-certificates installed and I also did update-ca-certificates.
No idea what's wrong. I need to migrate my server. I installed it properly on the new one but I fail updating the old one...
[EDIT]
I also tried with -k with no luck...
I ran into the same problem trying to install the runner via a non-https proxy.
I tried using -x [proxy] --insecure in the command but it still failed.
I decided to look at the script itself and realised the issue is with the curl calls inside the script.
I update the calls I could find in a local copy of script.deb.sh to include -x [proxy] --insecure then just executed that using sudo ./script.deb.sh and it worked.
That's more a workaround than an answer.
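The answer above edits the curl calls inside a local copy of script.deb.sh to add -x [proxy] --insecure. The same edit can be made without turning off certificate verification: route the calls through the proxy but pin them to an explicit CA bundle with --cacert. The script below is an added example, not code from the answer or from GitLab; it rewrites every curl invocation in a script read from stdin, strips any -k/--insecure already present, and writes the hardened copy. The proxy URL and bundle path are parameters (the values in the usage line are placeholders), and the rewrite assumes neither contains the characters #, & or \.

```shell
#!/bin/sh
# Added example, not from the original answer: rewrite the curl calls in a local copy of
# an installer script so they use a proxy and an explicit CA bundle instead of --insecure.

# Rewrite every "curl " invocation read from stdin to "curl -x PROXY --cacert BUNDLE ",
# then remove any -k / --insecure switch that was already there. Words such as
# "curl_check" (a function name in script.deb.sh) are left alone because the match
# requires whitespace after "curl".
harden_curl_calls() {
    proxy=$1
    bundle=$2
    sed -E \
        -e "s#(^|[^A-Za-z0-9_./-])curl([[:space:]])#\\1curl -x $proxy --cacert $bundle\\2#g" \
        -e 's#[[:space:]]+(-k|--insecure)([[:space:]]|$)#\2#g'
}

# Return 0 if FILE still contains a -k or --insecure curl switch, 1 otherwise.
has_insecure() {
    grep -Eq '(^|[[:space:]])(-k|--insecure)([[:space:]]|$)' "$1"
}

# Write a hardened, executable copy of SRC to DST using PROXY and BUNDLE.
harden_copy() {
    src=$1; dst=$2; proxy=$3; bundle=$4
    harden_curl_calls "$proxy" "$bundle" < "$src" > "$dst" && chmod 0755 "$dst"
}

# Usage (placeholder values):
#   curl --proxy http://proxy.example:3128 --cacert /etc/ssl/certs/ca-certificates.crt \
#        -o script.deb.sh https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh
#   ./harden-curl.sh script.deb.sh hardened.sh http://proxy.example:3128 /etc/ssl/certs/ca-certificates.crt
#   sudo ./hardened.sh
if [ $# -eq 4 ]; then
    harden_copy "$1" "$2" "$3" "$4" || exit 1
    if has_insecure "$2"; then
        echo "warning: $2 still contains an insecure curl switch" >&2
        exit 1
    fi
fi
```

If the proxy performs TLS interception, the bundle passed with --cacert has to contain the proxy's issuing CA rather than the public roots; that is the case where --insecure "works" and --cacert exposes the real cause.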
I finally downgraded my future server to 7.7.2, restored my backup there and upgraded back to 7.12.0.
Here are the commands I ran on the future server:
sudo gitlab-ctl stop unicorn
sudo gitlab-ctl stop sidekiq
wget https://downloads-packages.s3.amazonaws.com/ubuntu-14.04/gitlab_7.7.2-omnibus.5.4.2.ci-1_amd64.deb
sudo dpkg -r gitlab-ce
sudo dpkg -i git*.deb
sudo gitlab-ctl reconfigure
cd /var/opt/gitlab/backups/ # This is where backups should be located
sudo gitlab-rake gitlab:backup:restore BACKUP=1435537802
sudo gitlab-ctl start unicorn
sudo gitlab-ctl start sidekiq
sudo gitlab-ctl status
sudo apt-get update
sudo apt-get install gitlab-ce