Uploading SSL certificates TO IAM - ssl

I have 4 certificates which I received from the CA (SSL):
Root CA Certificate - 123.crt
Intermediate CA Certificate - 456.crt
Intermediate CA Certificate - 789.crt
Your PositiveSSL Certificate - 654.crt
I have generated circuit.pem (private key) and csr.pem, through which I got these certificates.
Now I want to upload these certificates to IAM using
aws iam upload-server-certificate --server-certificate-name certificate_object_name --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file
AWS - Working with Server Certificates
But I am not able to gauge which is my server certificate and how I can upload all my certificates.
Please help me with the above command for my above certificates.
I tried :
aws iam upload-server-certificate --server-certificate-name MyServerCertificate --certificate-body file://www_advisorcircuit_com.crt --private-key file://circuit.pem --certificate-chain file://COMODORSAAddTrustCA.crt
I am getting this error:
A client error (InvalidClientTokenId) occurred when calling the UploadServerCertificate operation: The security token included in the request is invalid.

I have to say, getting this to work was a huge pain in the ass. Basically you are missing the user configuration details. You have to create a user on Amazon using the IAM service here https://console.aws.amazon.com/iam/home. Pay attention to what your region is in the url, you'll need that later. So create a user, attach a policy (I attached AdministratorAccess), "Create Access Key", download credentials for the user and use them to run:
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
Some caveats on getting the certificate install command to work. Make sure the files have readable permissions... I think I specified 664. I specified the .pem extension on all the files... I believe AWS prefers the old school style key files, so I had to run
openssl rsa -in my_key.key -text > new_key.pem

An additional hint (because that's what happened to me)
Run echo $AWS_ACCESS_KEY_ID and echo $AWS_SECRET_ACCESS_KEY to check if these ENV variables are set.
No matter what you pass to aws configure, the ENV variables will override it.
Configuration Settings and Precedence

Yes, this is tricky even if you have configured all IAM access for a user and are then trying to upload a certificate using their access keys.
I got this problem many times. Here is how I solved it.
When the user does not have the required IAM access (like UploadServerCertificate, etc.) -> You need to make sure that the user has the right access; maybe try after giving full IAM access to the user.
Of course, the region and the other user details should be correct, as discussed in previous answers.
I was trying with an older terminal session (this terminal had been running for more than 24 hours) -> Relaunch the terminal and try the same command. Yes, I observed this issue twice. I simply relaunched the terminal, performed the same command and it worked.
Command with absolute path:
aws iam upload-server-certificate --server-certificate-name mycertificate --certificate-body file:///Users/raushan/Downloads/com/certificate.pem --private-key file:///Users/raushan/Downloads/com/private_key.pem --certificate-chain file:///Users/raushan/Downloads/com/CertChain.pem

Related

How to configure a SSL certificate to be used by Kubernetes with Google Cloud?

I am trying to send my app to a Google Cloud Cluster using the kubectl command behind a corporative proxy that needs a certificate ".crt" file to be used when doing HTTPS requests.
I already ran the gcloud container clusters get-credentials... command and it also asked for a certificate. I followed the given instructions by Google and I configured my certificate file without any issue and it worked.
But when I try the kubectl get pods I am getting the following message:
"Unable to connect to the server: x509: certificate signed by unknown authority"
How can I configure my certificate file to be used by the kubectl command?
I did a search about this subject but I found too difficult steps. Could I just run something like this:
kubectl --set_ca_file /path/to/my/cert
Thank you
The short answer, as far as I know, is no.
Here [1] you can see step by step how to get this done in the easiest way I have found so far; it is not a one-line way, but it is the closest to that.
After having your cert files you need to run this:
gcloud compute ssl-certificates create test-ingress-1 \
    --certificate [FIRST_CERT_FILE] --private-key [FIRST_KEY_FILE]
then you need to create your YAML file with the configuration (in the link there are two examples)
run this command:
kubectl apply -f [NAME_OF_YOUR_FILE].yaml
[1] https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl

Uploading SSL Certificate to IAM for Cloudfront

There's tons of Cloudfront questions out there, however the Googling for possible problems still amazes me. Here's mine...
What I'm currently attempting right now is to upload an SSL cert to IAM so I can use a custom domain name for Cloudfront (e.g. https://assets.mydomain.com). This, however, isn't going so well. The certs were purchased from DNSimple. The AWS cli upload is as so:
aws iam upload-server-certificate \
--server-certificate-name MyDomainProduction \
--path /cloudfront/ \
--certificate-body file://~/Downloads/STAR_mydomain_com/STAR_mydomain_com.crt \
--private-key file://~/Downloads/STAR_mydomain_com.key \
--certificate-chain file://~/Downloads/STAR_mydomain_com.pem
The error:
A client error (MalformedCertificate) occurred when calling the UploadServerCertificate operation: Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order. The index within the chain of the invalid certificate is: 1
I think I've tried 500 different possibilities and I'm out of ideas as to why I can't get things to work. Here's what I got in my toolbox for what DNSimple and Comodo handed back to me:
STAR_mydomain_com.pem
STAR_mydomain_com.key
STAR_mydomain_com/AddTrustExternalCARoot.crt
STAR_mydomain_com/COMODORSADomainValidationSecureServerCA.crt
STAR_mydomain_com/COMODORSAAddTrustCA.crt
STAR_mydomain_com/STAR_mydomain_com.crt
What's the right combination of crts, pem, and key to get SSL working on Cloudfront?
You're almost done. The error is that you are using the wrong intermediate certificate file. You should use the bundle that only includes the chain, without the primary certificate.
In other words, from the DNSimple installation wizard, select Other and download the files (1), (2) and (4). You downloaded (3) instead of (4).
The main difference is that (3) is (4) + (1). But as you are already passing (1) explicitly using the --certificate-body param, Cloudfront only wants the chain without the primary.
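The two questions above (which of the CA's files is the server certificate, and the "chain must start with the immediate signing certificate" error) come down to reading the subject and issuer of each file. The following POSIX shell script is an added example, not code from any of the posts: it picks out the leaf certificate, writes the chain file in the order IAM expects (the leaf's issuer first, root last, leaf not included), rejects files that are not PEM, and checks that the private key belongs to the leaf. All file names are assumptions.

```shell
# Added example, not from the posts on this page: given the files a CA hands
# back and the private key, pick out the server (leaf) certificate, write the
# chain file in the order IAM expects (leaf's issuer first, root last, no leaf)
# and check that the key belongs to the leaf before uploading anything.
set -eu
# Subject / issuer of the first PEM certificate in a file, RFC 2253 form.
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }
# The leaf is the certificate whose subject is not the issuer of any other file.
find_leaf() {
    for cand in "$@"; do
        subj=$(subject_of "$cand"); is_issuer=0
        for other in "$@"; do
            [ "$other" != "$cand" ] && [ "$(issuer_of "$other")" = "$subj" ] && is_issuer=1
        done
        [ "$is_issuer" -eq 0 ] && { echo "$cand"; return 0; }
    done
    return 1
}
# build_chain LEAF OUT CERT...: follow issuer -> subject links from LEAF up to a
# self-signed root, appending each issuing certificate (re-encoded, so a stray
# -text dump is dropped and a non-PEM file is rejected) to OUT.
build_chain() {
    leaf=$1; out=$2; shift 2
    openssl x509 -in "$leaf" -noout      # "Unable to parse certificate" check
    : > "$out"; current=$leaf
    while [ "$(subject_of "$current")" != "$(issuer_of "$current")" ]; do
        want=$(issuer_of "$current"); next=
        for f in "$@"; do
            [ "$f" = "$current" ] && continue
            if [ "$(subject_of "$f")" = "$want" ]; then next=$f; break; fi
        done
        [ -n "$next" ] || { echo "no certificate found for issuer: $want" >&2; return 1; }
        openssl x509 -in "$next" >> "$out"
        current=$next
    done
}
# The private key must carry the same public key as the leaf certificate.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
# Does LEAF verify against the chain file just built (intermediates + root)?
verify_chain() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
# Upload (assumed names; aws is not invoked here). Relative paths are
# file://name, absolute ones need three slashes: file:///Users/me/leaf.crt
#   aws iam upload-server-certificate --server-certificate-name my-site \
#     --certificate-body file://leaf.crt --private-key file://key.pem \
#     --certificate-chain file://chain.pem
```

Run `build_chain` with the leaf first, the output file second and every file the CA sent after that; if it reports a missing issuer, one intermediate is absent from the set, which is exactly what produces the "index within the chain of the invalid certificate" error on upload.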

OpenShift with Comodo SSL

I am trying to upload the SSL certificates for my OpenShift gear's alias. I used the instructions here: http://cloudhostingsource.com/setup-ssl-certificate-openshift/
I am stuck, however, at the uploading part - I have already generated the CSR and activated the certificate. Every time I try to upload the files it takes me back to the same page without so much as a notification.
Comodo SSL sent me 4 files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
myApp.crt
How do I upload these? There are three fields to upload for OpenShift... Which do I load into SSL Certificate? Certificate chain? I have my private key and I know the keypass.
Thanks
Just wanted to post an update for this for users who run into this issue in the future... I'm not sure if it was because I had added a public SSH key via the RHC setup but nothing I did (no permutations of copy paste chaining, switching files around) would work via the file uploader.
In the end, before deciding to call Red Hat and QQ, I used the command line console to add the SSL files...
Here is the command I used:
rhc alias update-cert php www.myapp.com --certificate myApp.crt --private-key myApp.key --passphrase mypass
This link includes more info: https://access.redhat.com/documentation/en-US/OpenShift_Online/2.0/html/User_Guide/Using_Custom_SSL_Certificates1.html
TLDR: You don't need to combine any of the Comodo files, just use your file #4, your privatekey, and your passphrase (if you have one)
That's right!
First combine public with bundle:
cat dom_com.crt dom_com.ca-bundle >> dom_com.ALL.bundle
and upload both:
rhc alias update-cert app dom_com \
--certificate dom_com.ALL.bundle \
--private-key dom_com.key
And then you will obtain an A at https://www.ssllabs.com/ssltest/
You need to combine 1,2, and 3 into one chain certificate (in the correct order) and upload them in the chain certificate field, the key goes in the key field, and the myApp.crt goes in the certificate field.
I had a similar problem, and after some back and forth emails with the Certificate issuer, what helped me was to combine my site certificate with the Certificate chain into one file, and uploading it into the "SSL Certificate" field in OpenShift. I left the "SSL Certificate Chain" field blank, but of course I uploaded my public key in the "Certificate Private Key" field.

A client error (MalformedCertificate) to parse certificate.

So I have been working on this for hours now and no luck. I have configured OpenSSL, created a private key, created a CSR, submitted the CSR to a certificate authority, received the approved certificate, and now when I try to upload it I have no luck. I am using this format:
aws iam upload-server-certificate --server-certificate-name certificate_object_name --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem
When I try to upload it with file:// I get the following:
aws iam upload-server-certificate --server-certificate-name steptproductions --certificate-body file://Users/markhoyt/Downloads/www_steptproductions_com/www_steptproductions_com.crt.pem --private-key file://Users/markhoyt/private-key.pem
Error parsing parameter '--certificate-body': file does not exist: Users/markhoyt/Downloads/www_steptproductions_com/www_steptproductions_com.crt.pem
When I try to upload it with file:/ I get the following:
aws iam upload-server-certificate --server-certificate-name car.pem --certificate-body file:/Users/markhoyt/Downloads/www_steptproductions_com/www_steptproductions_com.crt.pem --private-key file:/Users/markhoyt/private-key.pem
A client error (MalformedCertificate) occurred when calling the UploadServerCertificate operation: Unable to parse certificate. Please ensure the certificate is in PEM format.
I have created an instance and am logged onto Amazon Linux AMI with:
ssh -i steptproductions.pem ec2-user@ec2-54-183-166-45.us-west-1.compute.amazonaws.com
I cannot seem to get the files to upload to the server. Can anyone help?

Upload a Signed Certificate to Amazon EC2?

I'm very new to Amazon EC2. I am trying to set up https for my website, following the official instructions from the Amazon docs: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html
And I get stuck at Upload the Signed Certificate step
aws iam upload-server-certificate --server-certificate-name <certificate_object_name> \
--certificate-body <public_key_certificate_file> --private-key <privatekey.pem> \
--certificate-chain <certificate_chain_file>
As per the instructions, I just created a private key (privatekey.pem) and a Certificate Signing Request (csr.pem), but in the command line they request 4 params:
certificate_object_name
public_key_certificate_file
private-key --> I only have this one
certificate_chain_file
I don't know where to get the 3 remaining params; please help shed some light.
You probably found an answer for this already:
certificate_object_name -- This is anything you want as an identifier for the certificate
public_key_certificate_file -- This is the key that your certificate issuer provided you
private-key --> I only have this one -- This is the key that you used to generate the certificate request to the provider ... not the request itself
certificate_chain_file -- This is a bundle certificate also provided by the issuing authority. It is optional for the upload to AWS. See this line in the documentation:
"If you are uploading a self-signed certificate and it's not important that browsers implicitly accept the certificate, you can omit the --certificate-chain option and upload just the server certificate and private key"