how to configure entrust SSL certificate with Heroku SSL - ssl

Hi, I am not able to configure my Entrust SSL certificate with Heroku.
I downloaded my certificate from Entrust with the options below:
Select Certificate: my domain name
Select Server Type: Other
It gives me three files for download:
1) L1Cchain.txt
2) L1Croot.txt
3) entrustcert.crt
After that I followed these steps:
Step 1) Create the private key using:
openssl genrsa -des3 -out server.pass.key 2048 with password "passone"
openssl rsa -in server.pass.key -out server.key with password "passone"
Step 2) Bundle all the certificates in one file called server.pem:
-----BEGIN CERTIFICATE-----
L1Cchain.txt
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
L1Croot.txt
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
entrustcert.crt
-----END CERTIFICATE-----
Step 3) heroku certs:add server.pem server.key -a myapp
When I am at step 3 I get this error:
heroku certs:add server.pem server.key -a myapp
Resolving trust chain... failed
! No key found that signs the certificate.
With the --bypass option:
heroku certs:add heroku.pem server.key -a myapp --bypass
Adding SSL Endpoint to myapp... failed
! Key doesn't match the PEM certificate
Please help me solve this problem; what am I missing in the configuration?
I am using a Windows PC and my Heroku Toolbelt version is:
heroku --version
heroku/toolbelt/3.4.1 (i386-mingw32) ruby/1.9.3

I think you are bundling your chain in the wrong order. Entrust's NGINX instructions (recommended by Heroku) say to bundle them in this order.
-----BEGIN CERTIFICATE-----
(Your Web server Certificate) // entrustcert.crt
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Entrust L1C Cross Certificate) // L1Cchain.txt
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Entrust 2048 Root) // L1Croot.txt
-----END CERTIFICATE-----
After that, I got it working using...
heroku certs:add server.pem server.key -a myapp --bypass

Related

Create a PFX File from GoDaddy Issued Private Key and Wildcard Certificate

I recently purchased a wildcard SSL certificate from GoDaddy and I need to convert it to a pfx file.
First, GoDaddy gave me two text blobs in their web UI, a CSR and Private Key:
CSR:
-----BEGIN CERTIFICATE REQUEST-----
MIICWDCCAUICAQAwFzEVMBMGA1UEAwwMKi5jeW50aGlhLmlvMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzcxAT8EtKxb4BSCRYBYcTDt8DgR/Fe/rjBpl
...
Private Key:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDNzEBPwS0rFvgF
IJFgFhxMO3wOBH8V7+uMGmXDx+n3Mzvz9gk0nj/h5kX9RH+M9byS4iCfUZ8rURXQ
...
Next, I downloaded a Zip file containing two crt files and a pem file:
54994fbd90cc1fc8.crt
54994fbd90cc1fc8.pem
gd_bundle-g2-g1.crt
54994fbd90cc1fc8.crt
-----BEGIN CERTIFICATE-----
MIIGiDCCBXCgAwIBAgIIVJlPvZDMH8gwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
...
54994fbd90cc1fc8.pem
-----BEGIN CERTIFICATE-----
MIIGiDCCBXCgAwIBAgIIVJlPvZDMH8gwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
...
gd_bundle-g2-g1.crt
-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT
MSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdv
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
...
-----END CERTIFICATE-----
I need to generate a pfx file for my cloud provider.
I tried this command:
openssl pkcs12 -export -out cert.pfx -inkey generated-private-key.txt -in 54994fbd90cc1fc8.pem
But I got this error:
unable to load private key
4530953728:error:0909006C:PEM routines:get_name:no start
line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
The file generated-private-key.txt has 400 permissions:
-r--------# 1 david staff 1707 Oct 24 20:12 generated-private-key.txt
How do I generate a pfx file from the files I have? Should I generate my own private key with ssh-keygen and then re-key with a new CSR in the GoDaddy UI?
This turned out to be because the key was in UTF8-BOM instead of UTF8 format.

Either remove or automatically enter pem passphrase for haproxy ssl; Chrome still warns about CA not signed

I recently received a signed certificate to use with haproxy SSL termination. In order for haproxy to use this, I needed to convert the jks file to a pem file. First, I converted the cer files I received into crt, as I had a previous error where haproxy was not able to find the crt files in the pem file. Do this for all certs:
$ openssl x509 -inform PEM -in <CER file here> -out <CRT output file>
I then import the root, intermediate, and service certs into the keystore, which already has the private key:
keytool -importcert -file $CERT -alias $ALIAS -keystore test.jks
I then convert the jks file to a p12 file, followed by converting that to a pem file:
$ keytool -importkeystore -srckeystore test.jks -destkeystore test.p12 -srcstoretype jks -deststoretype pkcs12
Enter destination keystore password:
Re-enter new password:
$ openssl pkcs12 -in test.p12 -out test.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
This generates a pem file with the following format:
Bag Attributes
friendlyName:
localKeyID:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName:
subject=
issuer=
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes
friendlyName:
subject=
issuer=
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes
friendlyName:
subject=
issuer=
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes
friendlyName:
localKeyID:
subject=
issuer=
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Obviously, there is a lot of information missing from this, as I do not want to share that online; however, the structure is pretty much identical.
When I link this to haproxy:
frontend https
maxconn 2000
bind 0.0.0.0:4000 ssl crt /home/user/config/cert/test.pem
And I run it with haproxy -d -f haproxy.cfg, I'm asked to enter the PEM pass phrase. I need to be able to start haproxy automatically on server startup, so I can't enter this every time I want to run it. Is there any way to remove the pass phrase, or generate a pem file without one? Or can I supply it via a script? The script I use to start haproxy on server startup is just the command you see above, with nohup to redirect the output.
Also, when I go to one of the services fronted by haproxy, Chrome still warns me that the CA is not trusted, like when I used a self signed certificate. Is there anything else I need to do beyond what I have above?
You will need to copy the password-protected key to a key without a password.
openssl rsa -in test.pem -out test-password-less.key
To provide the PEM to HAProxy now, you will also need the certificate.
cat both files into one PEM file for haproxy.
cat $CERT test-password-less.key > haproxy-test.pem
Or instead remove the pem passphrase, e.g. on an Amazon EC2 Fedora Linux instance:
sudo ssh-keygen -p -f EC2.pem

Comodo Essentials SSL: Vestacp "SSL intermediate chain is not valid"

I'm trying to install Comodo Essential SSL via Vestacp; here's what I did. I opened www_example_com.crt, copied the digest and pasted it into the SSL Certificate box. Then I opened www_example_com.key, which was used to generate the SSL at the beginning and starts with -----BEGIN PRIVATE KEY-----, and pasted the digest into the SSL Key box. Then I copied the digest of the other 3 files, in this order, into one file, copied the whole digest and pasted it into the SSL Certificate Authority / Intermediate box, but I get "SSL intermediate chain is not valid".
AddTrustExternalCARoot.crt
USERTrustRSAAddTrustCA.crt
SectigoRSADomainValidationSecureServerCA.crt
The final digest looks like this:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
I checked the certificate and the key and have no issue using https://www.sslshopper.com/certificate-key-matcher.html
I restored a backup, so the key file doesn't exist on the server now; does it matter? It's the first time I've tried to install SSL, so please assist. Thanks in advance.
The Authority digest must be the content of these files in this order:
SectigoRSADomainValidationSecureServerCA.crt
AddTrustExternalCARoot.crt
USERTrustRSAAddTrustCA.crt

Bundled SSL Certificate Public Key does not match Private Key Public Key

I am trying to install a new SSL certificate into Traefik. My certificate is signed by a third party (Sectigo) and was provided to me with the chain:
-----BEGIN CERTIFICATE-----
[[SNIP - Root CA]]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[[SNIP - Intermediate CA]]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[[SNIP - Intermediate CA]]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[[SNIP - MyServer Cert]]
-----END CERTIFICATE-----
The last certificate in the chain matches the individual certificate. When I pass that certificate and the corresponding key to Traefik, I get the following error:
failed to load X509 key pair: tls: private key does not match public key
Researching online, I found these commands to verify the public keys/modulus for the cert and private key:
openssl rsa -modulus -noout -in myserver.key | openssl md5
openssl x509 -modulus -noout -in myserver.crt | openssl md5
When I run this against the chained cert the results do not match. When I run it against the individual cert it matches.
I cannot use the individual cert, as it is not signed by a trusted root, so I get the following error when using OpenSSL s_client:
openssl s_client -connect myserver:443 -showcerts
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
I'm wracking my brain here, what am I missing???
Your chain is wrong. You need to reverse it and drop the root CA certificate.
The server thinks the root CA is the main certificate and is trying to load the private key against the root CA certificate, which is why you are seeing the message.
Also, there is no need for the root CA, as this should always be in the client's CA list; you are sending the CA certificate to the client and the client will just ignore it.
i.e.
-----BEGIN CERTIFICATE-----
[[SNIP - MyServer Cert]]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[[SNIP - Intermediate CA]]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[[SNIP - Intermediate CA]]
-----END CERTIFICATE-----

Does ingress TLS secret need a SSL private key for __INGRESS_SECRET__?

I'm trying to run
kubectl create secret tls foo-secret --key /tls.key --cert /tls.crt
from keys and certs I've made with LetsEncrypt. This process makes sense with self-signed certificates, but the files made by LetsEncrypt look like this:
cert.pem
chain.pem
fullchain.pem
privkey.pem
I can convert those pem files, but I don't know if --key wants a public key or a private key, and the only option here is privkey.pem. I assume cert is cert.
I can convert privkey.pem with:
openssl rsa -outform der -in privkey.pem -out private.key
And cert.pem with:
openssl x509 -outform der -in cert.pem -out cert.crt
Is this the right process? Since I'll be using this secret for ingress oauth in place of __INGRESS_SECRET__, is this ingress supposed to have a private key? This ingress is acting as a TLS terminator for other things.
You are correct; you will need to provide your private key for the tls.key portion. However, it's good practice to automate the LetsEncrypt certificate generation process using cert-manager. Check out this tutorial. Doing so will automatically create the tls secret resource for you on the cluster.
Your tls.key file is the private key and begins and ends like the following:
-----BEGIN RSA PRIVATE KEY-----
... [your private key]
-----END RSA PRIVATE KEY-----
And your tls.crt is going to be the concatenation of cert.pem and fullchain.pem, and it will look like the following:
-----BEGIN CERTIFICATE-----
...
[your cert content]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
[your fullchain cert content]
-----END CERTIFICATE-----