Meteor mupx ssl configuration - ssl

I'm struggling with the Meteor mupx ssl configuration as I can't reconcile it with the files provided by my ssl provider:
{
"ssl": {
"certificate": "./bundle.crt", // this is a bundle of certificates
"key": "./private.key", // this is the private key of the certificate
"port": 443 // 443 is the default value and it's the standard HTTPS port
}
According to my provider I have:
Signed Certificate (PEM Format) (Most web/mail servers)
Bundle Certificate (Intermediate)
Root Certificate (CA)
I've tried various combinations of these files without success. How do I build the bundle.crt from these files?

For future reference the solution was to concatenate all three in the order given above - but to ensure the begin and end file lines between the files were on separate lines. When you use the cat command they can end up on the same line.

Related

How to import a self-signed certificate in a vue app

I generated a self-signed PKCS-12 certificate with keytool(java sdk) for the API which is built in java Spring. Then, I imported the same certificate in Chrome certificates, but I don't understand why when I run my application is not using the certificate. It seems to generate a localhost certificate of its own. This is my vue.config.js:
let fs = require('fs')
module.exports = {
devServer: {
host: "localhost",
port: "8081",
https: {
ca: fs.readFileSync('C:\\Projects\\LicentiaUtilities\\books.p12')
},
}
}
Is the PKCS12 format not supported? Should I convert into something else?
Your certificate won't work on localhost, all certificates work only with domain names.
There is no way to issue SSL certificate for an IP address or localhost; you have to have an actual name which you create the certificate for. In order to get such a name, you need a DNS. Since you don't have access to the internal DNS of that local network, you will have to use a public DNS server for this.
If you will publish your app, I'll recommend you nginx, it's super easy to add ssl cert, and make a reverse-proxy to your NodeJS instance.

Akka.NET TLS implementaion

I'm following https://getakka.net/articles/remoting/security.html documentation to implement TLS Secured communication using an Akka.Net cluster.
I have generated a self-signed certificate using IIS and imported the certoficate TheCertifcate.pfx to Local Computer/Trusted Root Certification Authorities. The certificate is listed there now.
I need to know how to use the certificate path
remote {
dot-netty.tcp {
hostname = "localhost"
port = XXXX
enable-ssl = true
log-transport = true
ssl {
suppress-validation = true
certificate {
# valid ssl certificate must be installed on both hosts
path = "C:\\Workspace\\CertficateUtils\\TheCertificate.pfx"
password = "thepassword"
}
}
}
}
What am I supposed to use in path?
Short answer The path will be just like above.
Long answer The path is the physical folder path where you save the self-signed certificate. In my case "C:\\Workspace\\CertficateUtils\\TheCertificate.pfx". You need to import this certificate to Local Computer/ Trusted Root Certification Authorities though.
But the above configuration is NOT ENOUGH to make an Akka.NET Actor System communicate with SSL encryption.
We need to specify the transport protocol as ssl where we specify actor node addresses.
That is in the hocon configurations or in code where we use any node adress like
"akka.tcp://lighthouse#127.0.0.1:port", "akka.tcp://RemoteSystem#127.0.0.1:port"
need to be updated to
"akka.ssl.tcp://lighthouse#127.0.0.1:port", "akka.ssl.tcp://RemoteSystem#127.0.0.1:port"
where akka.ssl.tcp is the transport protocol.

How to configure Mosca for mqtts without the client having a certificate?

I have a Mosca MQTT broker running on a node instance and I would like to encrypt all the incoming communications with SSL/TLS (MQTTs protocol) but without the client having to link any certificate to the connexion (I guess it has to do with self-signed certificates) just as https works. I want all my clients to connect just with credentials specifying the MQTTs protocol and the communication can be encrypted. I was using Amazon MQ just before and that's how it works so I want the same.
I can't figure how to configure properly Mosca to do so, I don't know what kind of certificate I must use.
I added the secure field in the configuration as shown here
For the certificate I tried to create a self signed certificate as shown here
I also tried with certbot certificates (Let's Encrypt) registered for my domain name : mq.xxx.com .
I'm running everything on a ec2 (ubuntu 18) and my network and firewall are open for 1883 and 8883. My key and cert are at the root of my project where the deamon is running with good rights and ownership. I know my instance access them correctly.
new mosca.Server({
port: 1883,
secure: {
keyPath: "./privkey.pem",
certPath: "./cert.pem"
},
backend: {
type: 'redis',
redis: require('redis'),
host: "localhost",
port: 6379,
db: 0,
return_buffers: true,
},
persistence: {
factory: mosca.persistence.Redis
}
});
My server is running and working with simple mqtt on port 1883 but when I try to connect with ssl/tls with a client on port 8883 specifying that the server uses self-signed certificates (I tried with MQTT.fx) it fails saying : "unable to find valid certification path to requested target".
I can't make my head around this issue, I think somehow the client cannot "accept" or "verify" the certificate provided. Maybe I'm providing the wrong key or certificate to Mosca but there is only one of each resulting openssl or certbot. Maybe I created wrong but I follow many tutorials on the very same subject such as this one
What kind of certificate do I need to do ?
Is there something more to do with them ?
Thank you.
If you are using a self created certificate then the client will need a copy of certificate that signed the broker's certificate. This certificate will be added to the list of trusted sources so it can prove the broker is who it claims to be.
If you do not want to / can not distribute a certificate then you will need to use a certificate for your broker that is issued by CA (Certificate Authority) whoes signing certificate you already have (bundled into the OS/client that you are using).
The Lets Encrypt signing certificates should be bundled into most OSes by now but they are also cross signed by IdenTrust again who's certs should be bundled with most OSes. If you are having problems with the Lets Encrypt certs then I suggest you ask a new question with the exact details of how you configured mosca with those certs and more details of how you are configuring MQTT.fx and the errors you receive.

BIg-F5 and Apache SSL configuration

Configure Apache and F5 loadbalancer.
From Apache layer we generate CSR and get the trusted cer as:
1) .cer
2) .p7b
Then I convert the .cer and .p7b file to .crt file and configure in our apache as keyfile, certificate and chain.
We are facing some issue while configuring the SSL between F5 and Apache. Our flow is:
Client(SSL) -> F5 (SSL drops ) -> (recreate ssl to apache layer) -> Apache webserver.
1) create CSR from apache web layer, get sign as trusted from the company (not external)
2) configure in ssl.conf and ciphersuite
Now initiate a request using openssl it is throwing:
depth = 1
DC = net
DC = racb
CN = XXXXXX
CA 1 verify error:num=20:unable to get local issuer certificate read from 0x1b9c8d0 [0x1ca04f3] (5 bytes => 5 (0x5))
In order to verify it I modified the /etc/hosts entry as xxx.xxx.xxx.net as 127.0.0.1 and move the chain certificate to /etc/pki/ca-trust/source/anchor and update-ca-trust extract and run the openssl which is return with error code=0 and waiting in SSL session.
What mistake we are doing in F5 no idea.
Can someone throw the lights?
If you're setting up a bridging config, you need both an SSL Client Profile (typically you take your Apache key/cert/chain) and an SSL Server Profile, and both are chosen on the Virtual Server configuration.
For the Client Profile you first need to import the private key, the certificate(s) and of course you have to see on the Certificates screen that the private key matches the certificate.
Usually for the Server Profile, if we know that we can trust the backend server, instead of setting up something with certificates of your own, we just choose the unsecure-compatible profile and it will work in almost all cases.
If there is no need to setup SNI, it's enough to make it work.

Use Berkshelf with custom CA certificate

I have a custom Chef server on premises with a TLS certificate that is signed by our own CA server. I added the CA certificate to .chef/trusted_certs and now knife ssl verify works fine.
But when I try to upload cookbooks using Berksfile I run into the following error:
$ berks upload
E, [2016-03-26T15:02:18.290419 #8629] ERROR -- : Ridley::Errors::ClientError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
E, [2016-03-26T15:02:18.291025 #8629] ERROR -- : /Users/chbr/.rvm/gems/ruby-2.3-head#global/gems/celluloid-0.16.0/lib/celluloid/responses.rb:29:in `value'
I have tried to append the CA certificate to /ops/chefdk/embedded/ssl/certs/cabundle.pem but it made no difference.
Create a custom CA bundle file and then set $SSL_CERT_FILE (or $SSL_CERT_DIR if you want to use that format) in your environment.
Use --no-ssl-verify. Berkshelf does not respect chef's trusted certs.
Alternatively, there is an option to specify this in berks config file.
Don't ignore certificate validation. That is not the safest choice, especially with news about attackers having recently inserted malware in places like Node Package Manager. You can easily configure Berkshelf to trust the same certificates you trust with Chef.
In your ~/chef-repo/.berkshelf/config.json file, make sure the ca_path is set to point at your Chef trusted certificates, like this (assuming your chef repo is located at ~/chef-repo)
{
"ssl": {
"verify": true,
"ca_path": "~/chef-repo/.chef/trusted_certs"
}
}
Then, use knife to manage your Chef certificates (like this):
$ cd ~/chef-repo
$ knife ssl fetch https://supermarket.chef.io/
$ knife ssl fetch https://my.chef.server.example.org/
All the certificates you trust with Chef will also be trusted by Berks.