Upload a Signed Certificate to Amazon EC2? - ssl

I'm very new to Amazon EC2. I am trying to set up https for my website, I follow the official instruction from the amazon doc: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https.html
And I get stuck at Upload the Signed Certificate step
aws iam upload-server-certificate --server-certificate-name <certificate_object_name> \
--certificate-body <public_key_certificate_file> --private-key <privatekey.pem> \
--certificate-chain <certificate_chain_file>
As per the instructions, I just created a private key (privatekey.pem) and a Certificate Signing Request (csr.pem), but in the command line they request 4 params
certificate_object_name
public_key_certificate_file
private-key --> I only have this one
certificate_chain_file
I don't know where to get the 3 remaining params, please help shed some light.

You probably found an answer for this already:
certificate_object_name -- This is anything you want as an identifier for the certificate
public_key_certificate_file -- This is the key that your certificate issuer provided you
private-key --> I only have this one -- This is the key that you used to generate the certificate request to the provider ... not the request itself
certificate_chain_file -- This is a bundle certificate also provided by the issuing authority. It is optional for the upload to AWS. See this line in the documentation:
"If you are uploading a self-signed certificate and it's not important that browsers implicitly accept the certificate, you can omit the --certificate-chain option and upload just the server certificate and private key"

Related

DotnetCore Linux Container inside Kubernetes unable to Query External Partner API Endpoint

Environment: Azure Kubernetes Cluster
Container: Dotnetcore 2.2 Linux
The dot-net core application was able to query the external partner API endpoint but suddenly it started throwing the exception mentioned below
ExceptionId: c6c603bb-91cc-4556-98bf-d747903f522a. Error Message: The SSL connection could not be established, see inner exception.. Error Details: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
Also tried the curl command from inside busybox pod and getting this error
Curl command : curl --location --request GET 'external url' --header 'Authorization: token'
Error:
curl: (60) SSL certificate problem: certificate has expired
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Note:
Other partner API calls are working fine, except this particular partner but the curl from the local system is working. From Pod, it is throwing an error.
What can be the issue:
External partner SSL expired. Which the partner is saying that it has not
External partner SSL is cached and now invalid in Kubernetes
Kubernetes configuration is the problem. What can be the correct one

Allow kubernetes storageclass resturl HTTPS with self-signed certificate

I'm currently trying to setup GlusterFS integration for a Kubernetes cluster. Volume provisioning is done with Heketi.
GlusterFS-cluster has a pool of 3 VMs
1st node has Heketi server and client configured. Heketi API is secured with a self-signed certificate OpenSSL and can be accessed.
e.g. curl https://heketinodeip:8080/hello -k
returns the expected response.
StorageClass definition sets the "resturl" to Heketi API https://heketinodeip:8080
When storageclass was created successfully and I try to create a PVC, this fails:
"x509: certificate signed by unknown authority"
This is expected, as usually one has to allow this insecure HTTPS-connection or explicitly import the issuer CA (e.g. a file simply containing the pem-String)
But: How is this done for Kubernetes? How do I allow this insecure connection to Heketi from Kubernetes, allowing insecure self-signed cert HTTPS or where/how do I import a CA?
It is not a DNS/IP problem, this was resolved with correct subjectAltName settings.
(seems that everybody is using Heketi, and it seems to be still a standard usecase for GlusterFS integration, but always without SSL, if connected to Kubernetes)
Thank you!
To skip verification of the server cert, the caller just needs to specify InsecureSkipVerify: true. Refer to this github issue for more information (https://github.com/heketi/heketi/issues/1467)
In this page, they have specified a way to use self signed certificate. Not explained thoroughly but still can be useful (https://github.com/gluster/gluster-kubernetes/blob/master/docs/design/tls-security.md#self-signed-keys).

Uploading SSL Certificate to IAM for Cloudfront

There's tons of Cloudfront questions out there, however the Googling for possible problems still amazes me. Here's mine...
What I'm currently attempting right now is to upload an SSL cert to IAM so I can use a custom domain name for Cloudfront (e.g. https://assets.mydomain.com). This, however, isn't going so well. The certs were purchased from DNSimple. The AWS cli upload is as so:
aws iam upload-server-certificate \
--server-certificate-name MyDomainProduction \
--path /cloudfront/ \
--certificate-body file://~/Downloads/STAR_mydomain_com/STAR_mydomain_com.crt \
--private-key file://~/Downloads/STAR_mydomain_com.key \
--certificate-chain file://~/Downloads/STAR_mydomain_com.pem
The error:
A client error (MalformedCertificate) occurred when calling the
UploadServerCertificate operation: Unable to validate certificate
chain. The certificate chain must start with the immediate signing
certificate, followed by any intermediaries in order. The index within
the chain of the invalid certificate is: 1
I think I've tried 500 different possibilities and I'm out of ideas as to why I can't get things to work. Here's what I got in my toolbox for what DNSimple and Comodo handed back to me:
STAR_mydomain_com.pem
STAR_mydomain_com.key
STAR_mydomain_com/AddTrustExternalCARoot.crt
STAR_mydomain_com/COMODORSADomainValidationSecureServerCA.crt
STAR_mydomain_com/COMODORSAAddTrustCA.crt
STAR_mydomain_com/STAR_mydomain_com.crt
What's the right combination of crts, pem, and key to get SSL working on Cloudfront?
You're almost done. The error is that you are using the wrong intermediate certificate file. You should use the bundle that only includes the chain, without the primary certificate.
In other words, from the DNSimple installation wizard, select Other and download the files (1), (2) and (4). You downloaded (3) instead of (4).
The main difference is that (3) is (4) + (1). But as you are already passing (1) explicitly using the --certificate-body param, Cloudfront only wants the chain without the primary.

Uploading SSL certificates TO IAM

I have 4 certificates which I received from the CA (SSL):
Root CA Certificate - 123.crt
Intermediate CA Certificate - 456.crt
Intermediate CA Certificate - 789.crt
Your PositiveSSL Certificate - 654.crt
I have generated circuit.pem (private key) and csr.pem, through which I got these certificates.
Now, I want to upload these certificates to IAM using
aws iam upload-server-certificate --server-certificate-name certificate_object_name --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file
AWS -Working with Server Certificates
But I am not able to gauge which is my server certificate and how can I upload my all certificates.
Please help me with the above command for my above certificates.
I tried :
aws iam upload-server-certificate --server-certificate-name MyServerCertificate --certificate-body file://www_advisorcircuit_com.crt --private-key file://circuit.pem --certificate-chain file://COMODORSAAddTrustCA.crt
I am getting this error:
A client error (InvalidClientTokenId) occurred when calling the UploadServerCertificate operation: The security token included in the request is invalid.
I have to say, getting this to work was a huge pain in the ass. Basically you are missing the user configuration details. You have to create a user on Amazon using the IAM service here https://console.aws.amazon.com/iam/home. Pay attention to what your region is in the url, you'll need that later. So create a user, attach a policy (I attached AdministratorAccess), "Create Access Key", download credentials for the user and use them to run:
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
Some caveats on getting the certificate install command to work. Make sure the files have readable permissions....I think I specified 664. I specified the .pem extension on all the files...I believe AWS prefers the old school style key files, so I had to run
openssl rsa -in my_key.key -text > new_key.pem
An additional hint (because that's what happened to me)
Run echo $AWS_ACCESS_KEY_ID and echo $AWS_SECRET_ACCESS_KEY to check if these ENV variables are set.
No matter what you pass to aws configure, the ENV variables will override it.
Configuration Settings and Precedence
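To make the precedence point above checkable rather than something you discover after a failed upload, here is a small script that reports which credential source the AWS CLI will pick up. It is an added example, not part of the answer and not code from the AWS CLI; it models only the two sources discussed here (environment variables, then the shared credentials file written by `aws configure`), and the `credential_source` / `profile_key_from_text` names are its own.

```python
"""Report which credential source will win for an AWS CLI call.

Added example (not from the question or the AWS CLI). It models the
precedence the answer describes: AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY
in the environment beat the profile that `aws configure` writes to
~/.aws/credentials. The real CLI also consults command-line options,
the config file and instance/container metadata, which are not modelled.
"""
import configparser
import os
from pathlib import Path

ENV_KEY, ENV_SECRET = "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"


def mask(key_id):
    """Show only enough of an access key id to recognise which one it is."""
    return key_id[:4] + "..." + key_id[-4:] if len(key_id) > 8 else "****"


def profile_key_from_text(text, profile="default"):
    """Return the aws_access_key_id stored for `profile` in credentials-file
    text (the INI format `aws configure` writes), or None if absent."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    if cfg.has_option(profile, "aws_access_key_id"):
        return cfg.get(profile, "aws_access_key_id").strip()
    return None


def credential_source(env=None, credentials_file=None, profile="default"):
    """Return (source, masked_key_id), or (None, None) when neither source
    holds a key. `env` defaults to os.environ; `credentials_file` to the
    path `aws configure` writes, ~/.aws/credentials."""
    env = os.environ if env is None else env
    # Environment variables are checked first: they override the profile
    # no matter what `aws configure` stored.
    if env.get(ENV_KEY) and env.get(ENV_SECRET):
        return "environment", mask(env[ENV_KEY])
    path = Path(credentials_file) if credentials_file else Path.home() / ".aws" / "credentials"
    if path.is_file():
        key_id = profile_key_from_text(path.read_text(), profile)
        if key_id:
            return f"shared credentials file [{profile}]", mask(key_id)
    return None, None


if __name__ == "__main__":
    source, key = credential_source()
    print("no credentials found" if source is None else f"{source}: {key}")
```

Run it before `aws iam upload-server-certificate`; if it reports `environment` while you just ran `aws configure`, the stale exported keys are what the CLI will send, which is exactly the InvalidClientTokenId situation above.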
Yes, this is tricky even if you have configured all IAM access for a user and are then trying to upload the certificate using their access keys.
I got this problem many times. Here is how I solved it.
When User is not having required IAM access like Upload Server certificate etc. -> You need to make sure that user has the right access, Maybe try after giving Full IAM access to the user.
Of Course, the region and the other user details should be correct as discussed in previous answers.
Was trying with an older session terminal(This terminal was running for more than 24 hours) -> Relaunch the terminal and try the same command. Yes, I observed this issue twice. I simply relaunched the terminal and performed the same command and it worked.
Command with absolute path:
aws iam upload-server-certificate --server-certificate-name mycertificate --certificate-body file:///Users/raushan/Downloads/com/certificate.pem --private-key file:///Users/raushan/Downloads/com/private_key.pem --certificate-chain file:///Users/raushan/Downloads/com/CertChain.pem
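Both the Cloudfront question above (MalformedCertificate: "the certificate chain must start with the immediate signing certificate", because the bundle also contained the primary certificate) and this question ("which is my server certificate?") come down to sorting the files the CA handed back by subject and issuer. The script below does that sorting and says which file goes to --certificate-body, which go to --certificate-chain and in what order, and which is the self-signed root that AWS does not want in the chain. It is an added example, not code from either question or from AWS; it assumes `openssl` is on PATH for reading subject/issuer out of PEM files, and the `Cert`, `order_chain` and `parse_pem_file` names are its own. `order_chain` is pure Python, so it also works on names you already extracted by hand.

```python
"""Sort CA-issued certificate files into the parts that
`aws iam upload-server-certificate` expects.

Added example (not from the questions or from AWS). parse_pem_file()
assumes an `openssl` binary on PATH; order_chain() is pure Python.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


@dataclass(frozen=True)
class Cert:
    name: str      # file the certificate came from (label only)
    subject: str   # distinguished name of the certificate's subject
    issuer: str    # distinguished name of the CA that signed it
    pem: str = ""  # PEM text; empty when only the names are known


def parse_pem_file(path):
    """Split a file into PEM blocks and ask openssl for each block's subject
    and issuer. A .ca-bundle holding several certificates yields several Certs."""
    with open(path) as f:
        text = f.read()
    certs = []
    for block in PEM_RE.findall(text):
        out = subprocess.run(
            ["openssl", "x509", "-noout", "-subject", "-issuer"],
            input=block.encode(), capture_output=True, check=True,
        ).stdout.decode()
        fields = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
        certs.append(Cert(path, fields["subject"].strip(), fields["issuer"].strip(), block))
    return certs


def order_chain(certs):
    """Return (leaf, intermediates, root).

    leaf          -> the server certificate, for --certificate-body
    intermediates -> ordered from the CA that signed the leaf upward, for
                     --certificate-chain
    root          -> the self-signed certificate, or None if none was given
                     or the chain stops at an intermediate whose issuer is
                     missing; AWS does not want it in the chain
    """
    # A bundle that repeats the leaf (the Cloudfront question's file (3))
    # must not be treated as two different certificates.
    unique = {}
    for c in certs:
        unique.setdefault((c.subject, c.issuer), c)
    certs = list(unique.values())

    # The leaf is the one certificate that signed nothing else in the set.
    signers_of_others = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in signers_of_others]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one end-entity certificate, found {[c.name for c in leaves]}")
    leaf = leaves[0]
    by_subject = {c.subject: c for c in certs}

    intermediates, root = [], None
    current, seen = leaf, {leaf.subject}
    while current.issuer != current.subject:         # stop at a self-signed cert
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt.subject in seen:        # issuer not supplied, or a loop
            break
        seen.add(nxt.subject)
        if nxt.issuer == nxt.subject:
            root = nxt
        else:
            intermediates.append(nxt)
        current = nxt
    return leaf, intermediates, root


def chain_file_body(intermediates):
    """Concatenate the intermediates, leaf-signer first, for --certificate-chain."""
    return "".join(c.pem.strip() + "\n" for c in intermediates)


def main(paths):
    certs = [c for p in paths for c in parse_pem_file(p)]
    leaf, inters, root = order_chain(certs)
    print("--certificate-body  :", leaf.name, "(", leaf.subject, ")")
    for i, c in enumerate(inters):
        print(f"--certificate-chain[{i}]:", c.name, "(", c.subject, ")")
    if root:
        print("root, omit from chain:", root.name)
    with open("chain.pem", "w") as f:       # hand this file to --certificate-chain
        f.write(chain_file_body(inters))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Usage: `python order_chain.py STAR_mydomain_com/*.crt` prints the role of each file and writes chain.pem containing only the intermediates in the order AWS validates them; if it reports more than one end-entity certificate, one of the files you passed is not part of this chain at all.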

OpenShift with Comodo SSL

I am trying to upload the SSL certificates for my OpenShift gear's alias. I used the instructions here: http://cloudhostingsource.com/setup-ssl-certificate-openshift/
I am stuck however at the uploading part - I have already generated the CSR, activated the certificate. Every time I try to upload the files it takes me back to the same page without so much as a notification.
Comodo SSL sent me 4 files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
myApp.crt
How do I upload these? There are three fields to upload for OpenShift... Which do I load into SSL Certificate? Certificate chain? I have my private key and I know the keypass.
Thanks
Just wanted to post an update for this for users who run into this issue in the future... I'm not sure if it was because I had added a public SSH key via the RHC setup but nothing I did (no permutations of copy paste chaining, switching files around) would work via the file uploader.
In the end, before deciding to call Red Hat and QQ, I used the command line console to add the SSL files...
Here is the command I used:
rhc alias update-cert php www.myapp.com --certificate myApp.crt --private-key myApp.key --passphrase mypass
This link includes more info: https://access.redhat.com/documentation/en-US/OpenShift_Online/2.0/html/User_Guide/Using_Custom_SSL_Certificates1.html
TLDR: You don't need to combine any of the Comodo files, just use your file #4, your privatekey, and your passphrase (if you have one)
That's right!
First combine public with bundle:
cat dom_com.crt dom_com.ca-bundle >> dom_com.ALL.bundle
and upload both:
rhc alias update-cert app dom_com \
--certificate dom_com.ALL.bundle \
--private-key dom_com.key
And then you will obtain an A at https://www.ssllabs.com/ssltest/
You need to combine 1,2, and 3 into one chain certificate (in the correct order) and upload them in the chain certificate field, the key goes in the key field, and the myApp.crt goes in the certificate field.
I had a similar problem, and after some back and forth emails with the Certificate issuer, what helped me was to combine my site certificate with the Certificate chain into one file, and uploading it into the "SSL Certificate" field in OpenShift. I left the "SSL Certificate Chain" field blank, but of course I uploaded my public key in the "Certificate Private Key" field.