CouchDB SSL handshake error - ssl

I've installed CouchDB on the mac via Homebrew (yay homebrew!):
brew install couchdb
Then I've done a bunch of SSL setup steps (in a shell script) that are detailed in the official documentation (http://docs.couchdb.org/en/1.6.1/config/http.html):
#!/bin/sh
# Create the certificate directory and record its absolute path, so the
# paths written into default.ini point at the files generated below.
mkdir couch_certs
cd couch_certs || exit 1
currDir=$(pwd)
openssl genrsa > privkey.pem
openssl req -new -x509 -key privkey.pem -out couchdb.pem -days 1095
chmod 600 privkey.pem couchdb.pem
# Register the https daemon and point the [ssl] section at the cert and key.
perl -p -i -e "s#\[daemons\]#[daemons]\nhttpsd = {couch_httpd, start_link, [https]}#" /usr/local/etc/couchdb/default.ini
perl -p -i -e "s#\[ssl\]#[ssl]\ncert_file = ${currDir}/couchdb.pem#" /usr/local/etc/couchdb/default.ini
perl -p -i -e "s#\[ssl\]#[ssl]\nkey_file = ${currDir}/privkey.pem#" /usr/local/etc/couchdb/default.ini
Then (same terminal), I launch couch:
couchdb
In a different terminal I test that:
curl -k https://127.0.0.1:6984/
And get a failure:
curl: (35) Server aborted the SSL handshake
What am I doing wrong?
Note: I can get the same error when doing the CouchDB install as an application (section 2.3.1 of http://docs.couchdb.org/en/stable/install/mac.html).
Edit: I think it is an Erlang SSL issue: http://bugs.erlang.org/browse/ERL-74

My root cause was an older version of openssl (the one that came with OS X 10.10.5). After a homebrew install of openssl, and the same key-gen sequence, it all works.

Related

server certificate verification failed while installing Kubernetes on Ubuntu 16.04

I'm setting up a Kubernetes cluster and as part of that, I ran the following command (mentioned in the official docs: https://kubernetes.io/docs/tasks/tools/install-kubectl/):
sudo apt-get update && sudo apt-get install -y apt-transport-https
However, it fails with the following error:
Err:3 https://packages.cloud.google.com/apt kubernetes-xenial/main amd64 Packages
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Now, I fetch the certificate with this command:
ex +'/BEGIN CERTIFICATE/,/END CERTIFICATE/p' <(echo | openssl s_client -showcerts -connect packages.cloud.google.com:443) -scq > kubecertificate.crt
I get the following response:
verify error:num=20:unable to get local issuer certificate
DONE
But since I see content inside my kubecertificate.crt file, I go ahead and copy the certificate into the /usr/local/share/ca-certificates/ directory.
Then I run:
update-ca-certificates
After updating my CA certificates bundle, I re-run the first command mentioned.
It again fails with the "server certificate verification failed" error.
Please help me understand where I am going wrong. Is it because I'm unable to get the local issuer certificate? Please help.
Are you using an i386 image, or is there some firewall involved? If it is the 64-bit version of Xenial then it must be some kind of system issue.
Take a look at this case. In particular, I would check the current system time (date -R) and apt-get install NTP as advised by @davidthings, as I remember having a similar problem. There are also a lot of different solutions which could help, listed in the linked case; check which one is applicable for you and update if you succeed.
After that you can try this, to download kubectl, kubelet and kubeadm (or edit it accordingly if you want just one):
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
# Writing under /etc/apt needs root, so the repo file is created via sudo tee.
cat <<EOF | sudo tee /etc/apt/sources.list.d/kubernetes.list
deb http://apt.kubernetes.io/ kubernetes-xenial main
EOF
sudo apt-get update
sudo apt-get install -y kubelet kubeadm kubectl

Add trusted CA to Debian/Ubuntu image

I'm trying to deploy a CA certificate as a trusted root certificate in a Debian/nodejs container as described in https://askubuntu.com/a/94861/88763 or http://blog.bigon.be/2014/03/22/add-a-new-ca-certificate-to-the-certificates-stash-in-debian/ but it fails for no apparent reason. My Dockerfile:
# base image; buildpack-deps:jessie or node:5 behave the same
FROM debian:jessie
RUN apt-get update -y && \
    apt-get install ca-certificates netcat strace wget -y
ADD rootCa.pem /usr/local/share/ca-certificates/rootCa.crt
RUN update-ca-certificates --verbose
# just to keep the container running
CMD ["netcat", "-l", "12345"]
When building the container it actually tells me a certificate was added (1 added, 0 removed; done.) Nonetheless, when I try to use the root CA with wget, it is not found:
$ sudo docker exec -it cleanslatehg_catests_1 wget https://foo.v3.testing
converted 'https://foo.v3.testing' (ANSI_X3.4-1968) -> 'https://foo.v3.testing' (UTF-8)
--2016-02-02 15:11:33-- https://foo.v3.testing/
Resolving foo.v3.testing (foo.v3.testing)... 172.19.0.7
Connecting to foo.v3.testing (foo.v3.testing)|172.19.0.7|:443... connected.
ERROR: The certificate of 'foo.v3.testing' is not trusted.
Using the Ubuntu base image, I can access https://foo.v3.testing successfully:
FROM ubuntu
RUN apt-get update -y && \
apt-get install ca-certificates netcat strace wget -y
ADD rootCa.pem /usr/local/share/ca-certificates/rootCa.crt
RUN update-ca-certificates --verbose
CMD ["netcat", "-l", "12345"]
$ sudo docker exec -it cleanslatehg_catests_1 wget https://foo.v3.testing
--2016-02-02 15:23:17-- https://foo.v3.testing/
Resolving foo.v3.testing (foo.v3.testing)... 172.19.0.7
Connecting to foo.v3.testing (foo.v3.testing)|172.19.0.7|:443... connected.
HTTP request sent, awaiting response... 200 OK
[…]
2016-02-02 15:23:17 (33.9 MB/s) - 'index.html' saved [170/170]
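Both of the failures above (apt's "unable to get local issuer certificate" in the Kubernetes question, where the server's own certificate from s_client was copied into /usr/local/share/ca-certificates/, and wget's "certificate ... is not trusted" in the Debian question, which expects a root CA there) come down to what the trust file contains. The script below is an added example, not code from either question: it builds a throwaway CA and a leaf certificate signed by it, then uses openssl verify to show that the leaf verifies against the CA certificate but not against a trust file holding only the leaf, and checks whether a given file is a self-signed CA certificate at all. It assumes the openssl CLI; all file and subject names are ours.

```shell
#!/bin/sh
# Added example, not code from either question: build a throwaway CA and a leaf
# certificate it signs, then use `openssl verify` to show that the trust store
# (the file you drop into /usr/local/share/ca-certificates/) needs the issuing
# CA, not the server's own certificate. Assumes the openssl CLI; names are ours.
set -e

# make_chain DIR: ca.pem (self-signed, CA:TRUE) and leaf.pem (signed by it).
make_chain() {
  d=$1; mkdir -p "$d"
  cat >"$d/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Test Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
      -keyout "$d/ca.key" -out "$d/ca.pem" -days 365 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
      -subj "/CN=foo.v3.testing" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -days 365 -out "$d/leaf.pem" 2>/dev/null
}

# verify_against TRUSTFILE CERT: 0 if CERT chains to TRUSTFILE; otherwise print
# openssl's reason (the wording apt and wget relay) and return 1.
verify_against() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true   # 1.0.x exits 0 on failure
  echo "$out" | grep -q ': OK$' && return 0
  echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n1
  return 1
}

# is_trust_anchor CERT: 0 only if CERT is self-signed and marked CA:TRUE, i.e.
# something update-ca-certificates can usefully add to the bundle.
is_trust_anchor() {
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$s" = "$i" ] && openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
```

`verify_against leaf.pem leaf.pem` reproduces the "unable to get local issuer certificate" message offline; run `is_trust_anchor` on whatever you are about to copy into the trust directory.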

Create a PEM from a PPK file [duplicate]

This question already has answers here:
How to convert SSH keypairs generated using PuTTYgen (Windows) into key-pairs used by ssh-agent and Keychain (Linux)
So there are plenty of tutorials on how to convert a PEM to a PPK using PuTTYgen. However, my issue is that my Windows machine had the only PEM copy and I converted it into a PPK and deleted it. Now I need to figure out how to convert a PPK into a PEM so that my Mac can ssh into the server. I still have access to the server so I could also just make a new key if I had to. Does anyone know how to convert PPK to PEM?
Install putty-tools:
apt-get install putty-tools
Generate a pem file from the ppk:
puttygen server.ppk -O private-openssh -o server.pem
The server.pem file will be saved in the same location.
If you're on a Mac and you've previously installed Homebrew, from Terminal:
$ brew install putty
$ puttygen server.ppk -O private-openssh -o server.pem
The first command was suggested in this comment and the second from Emizen Tech's answer.
Try this to install putty-tools
sudo apt install putty-tools
puttygen key.ppk -O private-openssh -o key.pem
ssh -i ~/key.pem {user}@{ip}
First, install PuTTY for Mac using
brew install putty
Then, use the following command to convert the .ppk format private key to a standard PEM format private key:
puttygen privatekey.ppk -O private-openssh -o privatekey.pem
Make sure permissions on the private key file are set properly. It should only be readable by the user that owns it.
chmod go-rw privatekey.pem
You can now use the key for logins from scripts and command line with:
ssh -i privatekey.pem user@hostname

Apache 2.4.x manual build and install on RHEL 6.4

OS: Red Hat Enterprise Linux Server release 6.4 (Santiago)
The current yum installation of Apache on this OS is 2.2.15. I require the latest 2.4.x branch so I have gone about installing it manually. I have noted the complete procedure I undertook, including unpacking apr and apr-util sources into the apache sources beforehand, but I guess the following is the most important part of the procedure:
GATHER LATEST APACHE AND APR
$ cd ~
$ mkdir apache-src
$ cd apache-src
$ wget http://apache.insync.za.net//httpd/httpd-2.4.6.tar.gz
$ tar xvf httpd-2.4.6.tar.gz
$ cd httpd-2.4.6
$ cd srclib
$ wget http://apache.insync.za.net//apr/apr-1.5.0.tar.gz
$ tar -xvzf apr-1.5.0.tar.gz
$ mv apr-1.5.0 apr
$ rm -f apr-1.5.0.tar.gz
$ wget http://apache.insync.za.net//apr/apr-util-1.5.3.tar.gz
$ tar -xvzf apr-util-1.5.3.tar.gz
$ mv apr-util-1.5.3 apr-util
INSTALL DEVEL PACKAGES
yum update --skip-broken   # There is a dependency issue with the latest Chrome needing the latest libstdc++, which is not available for RHEL and CentOS
yum install apr-devel
yum install apr-util-devel
yum install pcre-devel
INSTALL
$ cd ~/apache-src/httpd-2.4.6
$ ./configure --prefix=/etc/httpd --enable-mods-shared="all" --enable-rewrite --with-included-apr
$ make
$ make install
NOTE: At the time of running the above, /etc/http is empty.
This seems to have gone fine until I attempt to start the httpd service. It seems that every module included in httpd.conf fails with a message similar to this one for mod_rewrite:
httpd: Syntax error on line 148 of /etc/httpd/conf/httpd.conf: Cannot load /etc/httpd/modules/mod_rewrite.so into server: /etc/httpd/modules/mod_rewrite.so: undefined symbol: ap_global_mutex_create
I've gone right through the list of enabled modules in httpd.conf and commented them out one at a time. All trigger an error as above, however the "undefined symbol: value" is often different (so not always ap_global_mutex_create).
Am I missing a step? Although I find some portion of that error on Google, most of the solutions centre around the .so files not being reachable. That doesn't seem to be an issue here and the modules are present in /etc/http/modules.
You have the correct procedure but it's incomplete.
After the installation you have to enable SSL in httpd.conf and generate the server.crt and server.key files.
Below is the complete procedure:
1. Download Apache
cd /usr/src
wget http://www.apache.org/dist/httpd/httpd-2.4.23.tar.gz
tar xvf httpd-2.4.23.tar.gz
2. Download APR and APR-Util
cd /usr/src
wget -c http://mirror.cogentco.com/pub/apache/apr/apr-1.5.2.tar.gz
wget -c http://mirror.cogentco.com/pub/apache/apr/apr-util-1.5.4.tar.gz
tar xvf apr-1.5.2.tar.gz
tar xvf apr-util-1.5.4.tar.gz
Now put the APR and APR-Util you downloaded into your apache source files.
mv apr-1.5.2 /usr/src/httpd-2.4.23/srclib/apr
mv apr-util-1.5.4 /usr/src/httpd-2.4.23/srclib/apr-util
3. Compile
cd /usr/src/httpd-2.4.23
./configure --enable-so --enable-ssl --with-mpm=prefork --with-included-apr --with-included-apr-util
make
make install
As you can see in the ./configure command we specify command line options to include apr and apr-utils.
4. Enable SSL in httpd.conf
Apache configuration file httpd.conf is located under /usr/local/apache2/conf.
nano /usr/local/apache2/conf/httpd.conf
Uncomment the httpd-ssl.conf Include line and the LoadModule ssl_module line in the /usr/local/apache2/conf/httpd.conf file:
# LoadModule ssl_module modules/mod_ssl.so
# Include conf/extra/httpd-ssl.conf
View the httpd-ssl.conf to review all the default SSL configurations. For most cases, you don’t need to modify anything in this file.
nano /usr/local/apache2/conf/extra/httpd-ssl.conf
The SSL certificate and key are required before we start Apache. The server.crt and server.key files mentioned in httpd-ssl.conf need to be created before we move forward.
cd /usr/local/apache2/conf/extra
egrep 'server.crt|server.key' httpd-ssl.conf
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
5. Generate server.crt and server.key file
First, generate the server.key using openssl.
cd /usr/src
openssl genrsa -des3 -out server.key 1024
The above command will ask for the password. Make sure to remember this password. You need this while starting your Apache later.
Next, generate a certificate request file (server.csr) using the above server.key file.
openssl req -new -key server.key -out server.csr
Finally, generate a self-signed SSL certificate (server.crt) using the above server.key and server.csr files.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Copy the server.key and server.crt files to the appropriate Apache configuration directory.
cp server.key /usr/local/apache2/conf/
cp server.crt /usr/local/apache2/conf/
6. Start Apache
/usr/local/apache2/bin/apachectl start
If you are getting the below error message:
AH00526: Syntax error on line 51 of /usr/local/apache2/conf/extra/httpd-ssl.conf:
Invalid command 'SSLCipherSuite', perhaps misspelled or defined by a module not included in the server configuration
Make sure to uncomment the line shown below in httpd.conf:
vi /usr/local/apache2/conf/httpd.conf
# LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Finally, this will prompt you to enter the password for your private key before starting up Apache.
Verify that the Apache httpd process is running in the background.
ps -ef | grep http
You should see something like this:
root 29529 1 0 13:08 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
antoine 29530 29529 0 13:08 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
antoine 29531 29529 0 13:08 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
antoine 29532 29529 0 13:08 ? 00:00:00 /usr/local/apache2/bin/httpd -k start
root 29616 18260 0 13:09 pts/0 00:00:00 grep http
By default Apache SSL runs on port 443. Open a web browser and verify that you can access your Apache using https://{your-ip-address}
I hope this helps; otherwise I advise you to go and see: http://jasonpowell42.wordpress.com/2013/04/05/install-apache-2-4-4-on-centos-6-4/
baprutil-1.la /usr/src/httpd-2.4.27/srclib/apr/libapr-1.la -lrt -lcrypt -lpthread -ldl -lcrypt
/usr/src/httpd-2.4.27/srclib/apr-util/.libs/libaprutil-1.so: undefined reference to `XML_GetErrorCode'
/usr/src/httpd-2.4.27/srclib/apr-util/.libs/libaprutil-1.so: undefined reference to `XML_SetEntityDeclHandler'
/usr/src/httpd-2.4.27/srclib/apr-util/.libs/libaprutil-1.so: undefined reference to `XML_ParserCreate'
/usr/src/httpd-2.4.27/srclib/apr-util/.libs/libaprutil-1.so: undefined reference to `XML_SetCharacterDataHandler'
/usr/src/httpd-2.4.27/srclib/apr-util/.libs/libaprutil-1.so: undefined reference to `XML_ParserFree'
/usr/src/httpd-2.4.27/srclib/apr-util/.libs/libaprutil-1.so: undefined reference to `XML_SetUserData'
/usr/src/httpd-2.4.27/srclib/apr-util/.libs/libaprutil-1.so: undefined reference to `XML_StopParser'
/usr/src/httpd-2.4.27/srclib/apr-util/.libs/libaprutil-1.so: undefined reference to `XML_Parse'
/usr/src/httpd-2.4.27/srclib/apr-util/.libs/libaprutil-1.so: undefined reference to `XML_ErrorString'
/usr/src/httpd-2.4.27/srclib/apr-util/.libs/libaprutil-1.so: undefined reference to `XML_SetElementHandler'
collect2: error: ld returned 1 exit status
make[2]: *** [htpasswd] Error 1
make[2]: Leaving directory `/usr/src/httpd-2.4.27/support'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/src/httpd-2.4.27/support'
make: *** [all-recursive] Error 1
This error is received in the make step if --with-included-apr-util is not specified in ./configure.

File not found error comes when trying to run pvk2pfx.exe file

I am trying to create a simple client-side certificate and for that I am following the link below...
How to create client certificate
I have installed the SDK on my machine, and I have successfully run the two commands below.
makecert.exe -r -n "CN=My Personal CA" -pe -sv MyPersonalCA.pvk -a sha1 -len 2048 -b 01/21/2010 -e 01/21/2016 -cy authority MyPersonalCA.cer
makecert.exe -iv MyPersonalCA.pvk -ic MyPersonalCA.cer -n "CN=John Doe" -pe -sv JohnDoe.pvk -a sha1 -len 2048 -b 01/21/2010 -e 01/21/2016 -sky exchange JohnDoe.cer -eku 1.3.6.1.5.5.7.3.2
After running these two commands successfully, when I try to run the third command I get the error "File Not Found" (Error Code = 0x80070002).
The third command is:
pvk2pfx.exe -pvk JohnDoe.pvk -spc JohnDoe.cer -pfx JohnDoe.pfx -po password
What's the issue?