Error expecting certificate request while signing a certificate in OpenSSL for apache - apache

I'm going to install SSL using OpenSSL on WAMPServer. The steps I've been through are as follows:
I have installed Apache, configured it and activated the SSL module.
Added a new system variable OPENSSL_CONF:
Variable name: OPENSSL_CONF
Variable value: A:\wamp\bin\apache\apache2.4.9\conf\openssl.cnf
Restarted Windows and made sure I saw the following line among the environment variables using the command-line set | more command:
OPENSSL_CONF=A:\wamp\bin\apache\apache2.4.9\conf\openssl.cnf
Installed OpenSSL 1.0.1 Light (x64) in A:\OpenSSL and in its bin folder generated a key using the command-line command:
openssl req -new > webserver.csr
(Note that the OpenSSL installation directory doesn't contain webserver.csr by default, and I had to copy it from the A:\wamp\bin\apache\apache2.4.9\bin directory.)
The command ran and prompted me to enter a PEM pass phrase and verify it. I entered a pass phrase and verified it.
I entered information that would be incorporated into my certificate request.
I ran the following command:
openssl rsa -in privkey.pem -out webserver.key
I was prompted for the pass phrase from the previous step. The RSA key was written and the file webserver.key was then available in the folder.
Now I was going to convert the certificate into a signed one using the following command:
openssl x509 -in webserver.csr -out webserver.cert -req -signkey webserver.key -days 365
I got stuck at this step; an error occurred with the following message:
5336:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:703:Expecting: CERTIFICATE REQUEST
error in x509
How do I overcome this issue? Any idea? Thanks...

Related

LetsEncrypt generates fullchain.pem and privkey.pem files. I need .crt and .key files. How can I get them?

After running sudo certbot --nginx -d mydomain.io -d www.mydomain.io
I'm getting:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mydomain.io/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mydomain.io/privkey.pem
For my app to work, I need private.key and certificate.crt files.
I have tried converting .pem files like so:
openssl x509 -outform der -in /etc/letsencrypt/live/mydomain.io/fullchain.pem -out certificate.crt
openssl rsa -outform der -in /etc/letsencrypt/live/mydomain.io/privkey.pem -out private.key
When trying to run my app, I'm getting this error in the browser dev tools:
WebSocket connection to 'wss://<my-ip>:<my-port>/' failed:
Error in connection establishment: net::ERR_CERT_COMMON_NAME_INVALID
On server I'm getting this error (apparently it means that my app couldn't parse the key file):
mbedtls error: returned -0x7780
So it looks like an issue with the certificate. Can you help me to figure out what I have done wrong? What could be causing this issue? Are there other ways to generate .crt and .key files, so I could double check that I didn't make a mistake?
Turns out my problem wasn't related to generating the keys; I was doing it correctly.
But the client version of my app was trying to connect to wss://<my-ip>:<my-port>/, and instead I was supposed to connect to wss://<my-domain-name>:<my-port>/.
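The ERR_CERT_COMMON_NAME_INVALID above is the browser's hostname check: the name typed into the URL is compared against the certificate's subjectAltName entries, and an IP literal is only ever compared against iPAddress SANs, never against the dNSName entries a Let's Encrypt certificate carries. The following Python is an added example written for this page, not code from the question or any answer; it implements that matching in the style of RFC 6125 (case-insensitive, wildcard honoured only as the whole leftmost label, CN consulted only when no SAN exists at all) and runs offline against a constructed SAN list standing in for what certbot would issue for -d mydomain.io -d www.mydomain.io. The IP address used is a documentation address, not the asker's.

```python
import ipaddress


def _dns_match(pattern: str, host: str) -> bool:
    """Match host against one dNSName SAN entry.

    RFC 6125 rules as browsers and most TLS libraries apply them: compare
    case-insensitively, honour a wildcard only as the entire leftmost label,
    never let it span a dot, and require at least two labels to its right
    ("*.mydomain.io" covers "api.mydomain.io" but not "a.b.mydomain.io",
    "mydomain.io" or anything under a bare "*.io").
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(host: str, dns_sans, ip_sans, common_name=None) -> tuple:
    """Return (ok, reason): does a certificate carrying these names cover host?

    host is what the client put in the URL: either a DNS name or an IP literal
    (IPv6 literals may arrive in brackets).
    """
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is matched only against iPAddress SANs; dNSName
        # entries are never compared to it, and neither is the CN.
        if any(ipaddress.ip_address(entry) == ip for entry in ip_sans):
            return True, "IP literal %s matches an iPAddress SAN" % ip
        return False, ("connected by IP %s but the certificate has no matching "
                       "iPAddress SAN; its dNSName entries %s are not consulted "
                       "for an IP literal" % (ip, list(dns_sans)))
    for entry in dns_sans:
        if _dns_match(entry, host):
            return True, "%s matches dNSName SAN %s" % (host, entry)
    if not dns_sans and not ip_sans and common_name and _dns_match(common_name, host):
        # Legacy RFC 2818 fallback; current browsers ignore the CN entirely.
        return True, "matched commonName only (no SAN present; browsers reject this)"
    return False, "%s matches none of the dNSName SANs %s" % (host, list(dns_sans))


# Constructed example: the names a Let's Encrypt certificate requested with
# "-d mydomain.io -d www.mydomain.io" would carry. No iPAddress SAN is issued.
CERT_DNS_SANS = ["mydomain.io", "www.mydomain.io"]
CERT_IP_SANS = []

if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for the asker's <my-ip>.
    for target in ["www.mydomain.io", "203.0.113.10"]:
        print(target, verify_hostname(target, CERT_DNS_SANS, CERT_IP_SANS))
```

Connecting to wss://203.0.113.10:port/ fails for the same reason the asker hit: the certificate is valid, but nothing in it names the IP. The fix is the one the asker found (use the domain name), or, for an internal service, a certificate that actually carries an iPAddress SAN.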

x509 error when trying to login to a trusted (?) docker registry

I have set up a docker registry using harbor.
I have copied the appropriate certificates to /usr/share/local/ca-certificates and run sudo update-ca-certificates successfully (it indicated the number of newly added certs).
When trying to login to the specific registry:
ubuntu@master1:/home/vagrant$ docker login my.registry.url
Username: pkaramol
Password:
Error response from daemon: Get https://my.registry.url/v2/: x509: certificate signed by unknown authority
However the following test succeeds:
openssl s_client -connect my.registry.url:443 -CApath /etc/ssl/certs/
...coming back with a lot of verbose output, the certificate itself and ending in :
Verify return code: 0 (ok)
curl also succeeds against the above https link (it fails when the site is not trusted).
Any suggestions?
If you read the documentation:
Use self-signed certificates
Warning: Using this along with basic authentication requires you to also trust the certificate in the OS cert store for some versions of Docker (see below)
This is more secure than the insecure registry solution.
Generate your own certificate:
$ mkdir -p certs
$ openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt
Be sure to use the name myregistrydomain.com as a CN.
Use the result to start your registry with TLS enabled.
Instruct every Docker daemon to trust that certificate. The way to do this depends on your OS.
Linux: Copy the domain.crt file to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt on every Docker host. You do not need to restart Docker.
See below link for more details
https://docs.docker.com/registry/insecure/#use-self-signed-certificates

Enabling SSL for an MQ queue manager on the HP Nonstop

I have an existing MQ MQI connection (Server-Connection) between an HP Nonstop and a Windows server. I am working on configuring the queue manager for SSL on the Nonstop.
I have followed a couple of sources available on the net closely but am still confused about a few things.
For the Stash.sth file, I have not gotten the following command to work:
openssl pkcs12 -export -in cert.pem -inkey server_key.pem -out personal_cert.p12 -passin pass:certkey -password pass:certkey -chain -CAfile trust.pem
I get an "Error unable to get local issuer certificate chain."
The SSLUpdate.pdf document that is delivered with MQ mentions creating the Stash.sth file using:
amqrsslc -s cert (cert being the trusted certificate store), and this DOES work for me.
However, it also says "The amqrsslc command will prompt for the private key pass phrase used when creating the certificate/key pair and will write a masked copy of that pass phrase to the Stash.sth file"
If I should have specified the same pass phrase earlier, where should I have done that?
When I created the private key? Should I have specified a -passin or -passout parameter? All I used was openssl genrsa -out privatekey.pem 2048 -sha256
Or, when I generated the certificate request? There is a prompt to enter an optional password.
Or neither? Is the pass phrase used when creating the Stash.sth file completely arbitrary?
Thanks for any help!
The error usually means the list of trusted certificates is not complete.
I think you need to be sure your certificate chain is complete.
Here is from the technote:
If the certificate request is signed by an intermediate certificate, the
certificate chain for the signed personal certificate will need to be
added to the trust.pem file. You need to add the root certificate and
the intermediate to the trust.pem file. Review create_trust_file.sh
script for the syntax.
I also think this presentation document may be helpful to you.
http://www-01.ibm.com/support/docview.wss?uid=swg27023472&aid=1

pip ssl certificate for extra-index-url index only

I've set up an internal pypi server for internal projects.
It's hosted at https://<USER>:<PASS>@<INTERNAL>/pypi with a self-signed certificate.
I can get pip to use this repository in addition to the central PyPI server using extra-index-url in ~/.pip/pip.conf. As the certificate for my server is self-signed, and pip isn't using the system-wide (keychain) certificates, I've made it aware of it using cert = ... in the config file:
extra-index-url = https://<USER>:<PASS>@<INTERNAL>/pypi
cert = /path/to/cert.pem
Now, whenever I install something using pip install, I get a warning that the certificate can't be verified for https://pypi.python.org:
$ pip install <PACKAGE-NAME>
Collecting <PACKAGE-NAME>
Could not fetch URL https://pypi.python.org/simple/<PACKAGE-NAME>/:
There was a problem confirming the ssl certificate: [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) -
skipping
Is there any way to tell pip to use the self-signed certificate only for the extra-index-url repository?
Pip uses its certificate bundle (a file) that can be found by running:
python -m pip._vendor.requests.certs
The bundle is just a file with certificates concatenated, one after another. We want to tell pip to use those AND our certificate,
so generate a new file using
cat $(python -m pip._vendor.requests.certs) /path/to/my/cert.pem > /path/to/my/bundle.pem
and make sure your .pip/pip.conf file contains something along these lines:
[global]
extra-index-url = https://user:pass@my-pypi.com
cert = /path/to/my/bundle.pem
Finally, you might want to periodically update /path/to/my/bundle.pem (in a cronjob or whatever).
Other notes
I also got the following error:
SubjectAltNameWarning: Certificate for my-pypi.com has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
Normally, you'd create a certificate something like:
openssl req -new -x509 -nodes -key my.key -out cert.csr -days 365
Instead, copy your openssl.cnf (possibly in /etc/pki/tls/openssl.cnf) to your working directory, and add an extension by adding the following to the end of the file:
[ san_env ]
subjectAltName=DNS:mypypi.com
and generating your certificate with
openssl req -new -x509 -nodes -key my.key -out cert.csr -days 365 -config openssl.cnf -extensions san_env
In addition, pip wants your certificate in a different format, which can be generated using
openssl x509 -inform der -in cert.cer -out cert.pem
This file cert.pem can be concatenated with the python ca bundle as described above to generate your custom bundle.
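The concatenation step in the answer above (pip's vendored bundle plus your own cert.pem) is easy to get subtly wrong: a cert.pem produced with -nodes or exported from a .p12 may also hold the private key, and a .cer in DER form contributes nothing to the bundle. The following Python is an added example, not part of the answer; it builds the bundle while refusing anything but CERTIFICATE blocks and skipping certificates already present, so re-running it in the cron job the answer suggests does not grow the file. The sample PEM bodies are constructed placeholders, not real certificates. The default base path comes from pip._vendor.certifi.where(), which is where current pip versions keep the file that the page's python -m pip._vendor.requests.certs command printed on older releases; pass the base path explicitly if that import is unavailable.

```python
import re

# One PEM certificate block; the body is captured so it can be normalised.
_CERT_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n(.*?)-----END CERTIFICATE-----", re.S)
_ANY_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def cert_bodies(pem: bytes) -> list:
    """Base64 bodies (whitespace stripped) of every CERTIFICATE block in pem."""
    return [b"".join(m.group(1).split()) for m in _CERT_BLOCK.finditer(pem)]


def build_bundle(base_pem: bytes, extra_pem: bytes) -> bytes:
    """Return base_pem with the certificates from extra_pem appended.

    Refuses extra_pem if it contains any block that is not a CERTIFICATE
    (typically the RSA PRIVATE KEY that 'openssl req -nodes' or a pkcs12
    export leaves in the same file): a CA bundle is world-readable by design
    and must never carry key material. Certificates already in base_pem are
    not duplicated, so the function is safe to re-run.
    """
    labels = {m.group(1).decode("ascii") for m in _ANY_LABEL.finditer(extra_pem)}
    unwanted = labels - {"CERTIFICATE"}
    if unwanted:
        raise ValueError("refusing to bundle non-certificate blocks: %s"
                         % ", ".join(sorted(unwanted)))
    extra = cert_bodies(extra_pem)
    if not extra:
        raise ValueError("no PEM CERTIFICATE block in extra file "
                         "(DER .cer? convert with 'openssl x509 -inform der')")
    known = set(cert_bodies(base_pem))
    out = base_pem if base_pem.endswith(b"\n") else base_pem + b"\n"
    for body in extra:
        if body in known:
            continue
        known.add(body)
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]  # PEM line width
        out += (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
                + b"\n-----END CERTIFICATE-----\n")
    return out


# Constructed placeholders (bodies are not real certificates or keys).
BASE_BUNDLE = b"-----BEGIN CERTIFICATE-----\nQUFB\n-----END CERTIFICATE-----\n"
MY_CERT = b"-----BEGIN CERTIFICATE-----\r\nQkJC\r\n-----END CERTIFICATE-----\r\n"
CERT_AND_KEY = MY_CERT + (b"-----BEGIN RSA PRIVATE KEY-----\nQ0ND\n"
                          b"-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    import sys
    # usage: python bundle.py /path/to/my/cert.pem /path/to/my/bundle.pem [base.pem]
    extra_path, out_path = sys.argv[1], sys.argv[2]
    if len(sys.argv) > 3:
        base_path = sys.argv[3]
    else:
        from pip._vendor.certifi import where  # pip's vendored CA bundle
        base_path = where()
    with open(base_path, "rb") as f, open(extra_path, "rb") as g:
        merged = build_bundle(f.read(), g.read())
    with open(out_path, "wb") as h:
        h.write(merged)
    print("wrote %s with %d certificates" % (out_path, len(cert_bodies(merged))))
```

Point cert = in pip.conf at the output file exactly as the answer shows; the base bundle itself is left untouched, so a pip upgrade that ships a newer certifi only requires re-running the script.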

Couldn't connect to APNS Sandbox server

I am trying to connect to the Apple APNS server with the following observations:
1) port 2195 is open
2) with a valid key passphrase for APNS_SSLCertificate_Key.pem
3) Entrust certificate (2048) downloaded from https://www.entrust.net/downloads/binary/entrust_ssl_ca.cer
4) a successful telnet response as below:
$ telnet gateway.sandbox.push.apple.com 2195
Trying 17.172.232.226...
Connected to gateway.sandbox.push-apple.com.akadns.net.
Escape character is '^]'.
But when I run the following openssl command on my server to test the APNS connectivity:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert APNS_SSLCertificate_Key.pem -debug -showcerts -CAfile server-ca-cert.pem
I am getting error as follows:
unable to load certificate
57013:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-35/src/crypto/pem/pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
So please suggest how to resolve this problem.
Thanks in advance.
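The "no start line ... Expecting: TRUSTED CERTIFICATE" message here, like the "Expecting: CERTIFICATE REQUEST" in the first question on this page, is OpenSSL saying that the file it was handed contains no PEM block whose label that particular reader accepts: -CAfile wants a CERTIFICATE or TRUSTED CERTIFICATE block, while x509 -req -in wants a CERTIFICATE REQUEST block. The usual causes are a DER file (a .cer downloaded from a CA or exported from Keychain with the default format), a file that holds a private key instead of the request, or a file saved with a BOM or as UTF-16 so the dash line no longer starts the line. The following Python script is an added example, not from either question or any answer on the page; it reports which of these applies to a given file. The sample inputs at the bottom are constructed placeholders, not real key, request or certificate material.

```python
import base64
import binascii
import re
import sys

# A PEM block is "-----BEGIN <LABEL>-----", base64 lines, "-----END <LABEL>-----".
# OpenSSL only recognises a BEGIN line that starts at column 0 (re.M anchors it),
# accepts CRLF or LF line ends, and requires the BEGIN and END labels to agree.
_PEM_BLOCK = re.compile(
    rb"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S | re.M)

# Labels each OpenSSL reader accepts. "Expecting: CERTIFICATE REQUEST" comes from
# the X509_REQ reader (x509 -req, req -in), which also takes the older
# NEW CERTIFICATE REQUEST label; "Expecting: TRUSTED CERTIFICATE" comes from the
# X509_AUX reader behind -CAfile, which takes a plain CERTIFICATE block too.
ACCEPTED_LABELS = {
    "CERTIFICATE REQUEST": {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"},
    "TRUSTED CERTIFICATE": {"TRUSTED CERTIFICATE", "CERTIFICATE"},
    "CERTIFICATE": {"CERTIFICATE"},
}


def pem_labels(data: bytes) -> list:
    """Labels of every well-formed PEM block in data, in file order."""
    labels = []
    for match in _PEM_BLOCK.finditer(data):
        body = b"".join(match.group(2).split())  # re-join the 64-char lines
        try:
            base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            continue  # armour present but the body is not base64: unusable
        labels.append(match.group(1).decode("ascii"))
    return labels


def diagnose(data: bytes, expecting: str) -> tuple:
    """Return (ok, explanation): would an OpenSSL reader that wants
    `expecting` accept this file, and if not, what is actually in it?"""
    found = pem_labels(data)
    if any(label in ACCEPTED_LABELS[expecting] for label in found):
        return True, "usable block(s) present: " + ", ".join(found)
    why = "no start line: Expecting: %s. " % expecting
    if data[:1] == b"\x30":
        why += ("file starts with an ASN.1 SEQUENCE tag, so it is DER, not PEM; "
                "convert it with 'openssl x509 -inform der' (or 'req -inform der')")
    elif data.startswith(b"\xef\xbb\xbf"):
        why += "file has a UTF-8 BOM before the first dash line; save it as plain ASCII"
    elif data.startswith(b"\xff\xfe") or (len(data) > 1 and data[1:2] == b"\x00"):
        why += "file looks UTF-16 encoded (NUL between characters); save it as plain ASCII"
    elif found:
        why += "file contains %s instead" % ", ".join(found)
    elif b"-----BEGIN" in data:
        why += "a BEGIN line exists but no matching END line or valid base64 body follows"
    else:
        why += "no PEM armour at all (empty file, or the wrong file was copied)"
    return False, why


# Constructed samples (bodies are placeholder base64, not real keys or requests).
KEY_ONLY = b"-----BEGIN RSA PRIVATE KEY-----\nAAAAAAAA\n-----END RSA PRIVATE KEY-----\n"
CSR_CRLF = (b"-----BEGIN CERTIFICATE REQUEST-----\r\nAAAAAAAA\r\n"
            b"-----END CERTIFICATE REQUEST-----\r\n")
DER_BLOB = b"\x30\x82\x01\x00" + b"\x00" * 16  # what a downloaded .cer usually looks like

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python pemcheck.py FILE "CERTIFICATE REQUEST"
        with open(sys.argv[1], "rb") as f:
            print(diagnose(f.read(), sys.argv[2])[1])
    else:
        for name, blob in [("KEY_ONLY", KEY_ONLY), ("CSR_CRLF", CSR_CRLF), ("DER_BLOB", DER_BLOB)]:
            print(name, diagnose(blob, "CERTIFICATE REQUEST"))
```

Run it against the file named in the failing -in or -CAfile option with the label from the "Expecting:" text; for the first question that is webserver.csr with "CERTIFICATE REQUEST", for this one it is server-ca-cert.pem with "TRUSTED CERTIFICATE".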
I ran into this same issue; what eventually resolved the error was to re-export the Entrust certificate from System Roots in the OS X Keychain Access application.
To be complete, I'll give a complete explanation of how I created the key/cert files (something which should have been in Apple's TechNote 2265: https://developer.apple.com/library/content/technotes/tn2265/_index.html)
Creating your APN-cert-and-key:
Run Keychain Access; select "login" Keychain and "My Certificates" category
Select the certificate with the name format of "Apple Development IOS Push Services: ..."
Export the certificate (in the menu, under "File" .. "Export Items")
Export to .p12 format.
This now contains your certificate and private key in an encrypted interchange format. The next step is to convert it to a passphrase-protected .pem file.
Using terminal, execute the following command (using your own filenames, of course):
openssl pkcs12 -in PushCertKey.p12 -out PushCertKey.pem
(You will need to enter the password for the .p12 file and provide another passphrase for the .pem file.)
If you really really really don't want a passphrase on the .pem file, try:
openssl pkcs12 -in PushCertKey.p12 -out PushCertKeyNoCrypt.pem -nodes
Creating CA Certificate file:
Run Keychain Access application
Go to System Roots
Export the certificate named "Entrust.net Certification Authority (2048)" to a .pem file.
Note: My Roots container has four Entrust certificates; two of them with the name "Entrust.net Certification Authority (2048)" (but with different certificate extensions, via Get Info). Both of the "Entrust.net Certification Authority (2048)" certificates were effective in validating the trust chain; the other two Entrust certificates did not work. More significantly, the Entrust certificate pointed at by the Apple TechNote 2265 also does not work.
Make sure you export to .pem format; the default is .cer and this step is easy to miss.
Run the verification command:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushCertKey.pem -debug -showcerts -CAfile "Entrust.net Certification Authority (2048).pem"
This server and process assume that you are connecting to Apple's Dev sandbox APN server; if you are trying to use the production APN server, you will need to use the correct server and port.
For more information on openssl, I suggest the following pages:
https://www.madboa.com/geek/openssl/
https://www.sslshopper.com/article-most-common-openssl-commands.html
http://gagravarr.org/writing/openssl-certs/general.shtml
SSL problems: stepwise fix.
Most of the problems are due to private key issues, which can be resolved as follows.
Run the following commands and create the .p12 using openssl.
You will need
developer_identity.cer <= download from Apple
mykey.p12 <= Your private key
Run these commands in your terminal where openssl is configured, installed or working:
openssl x509 -in developer_identity.cer -inform DER -out developer_identity.pem -outform PEM
openssl pkcs12 -nocerts -in mykey.p12 -out mykey.pem
openssl pkcs12 -export -inkey mykey.pem -in developer_identity.pem -out iphone_dev.p12
Final p12 that you will require is iphone_dev.p12 file and the passphrase that you had set.
Try again, hope your problem is fixed, as it always does for me. :)