HAProxy 1.5-dev19 Unable to load SSL certificate - ssl

I've installed HAProxy 1.5-dev19, and I am trying to bind using SSL.
I generated OpenSSL certs and keys in /etc/ssl/certs, validated that they are there and look good, and updated haproxy.cfg as below:
openssl req -nodes -x509 -newkey rsa:2048 -keyout /etc/ssl/certs/private.key -out /etc/ssl/certs/cert.pem -days 2000
frontend XRE
bind *:9045 ssl crt /etc/ssl/certs/private.key
But I still get:
parsing [/etc/haproxy/haproxy.cfg:48] : 'bind :443' : unable to load SSL certificate from PEM file '/etc/ssl/certs/private.key'.
Proxy 'haproxyLoopback': no SSL certificate specified for bind ':443' at [/etc/haproxy/haproxy.cfg:48] (use 'crt').
Your help is appreciated,
Many thanks,
Charlie

You are pointing to the wrong file. It should be like this:
frontend XRE
bind *:9045 ssl crt /etc/ssl/certs/cert.pem
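HAProxy's crt option loads both the certificate and the private key from the one PEM file it names, so the file it points at has to contain both. The following is an added example (not from the question, the answer or HAProxy itself) that builds such a file and verifies the pair before it goes into haproxy.cfg; it assumes openssl is installed, and every path and name in it is constructed.

```shell
# Added example (not from the post): build the single PEM file that HAProxy's
# `crt` expects and confirm the certificate and key inside it belong together.
# Assumes openssl is installed; every path and name here is constructed.
WORK=$(mktemp -d)
CERT="$WORK/cert.pem"; KEY="$WORK/private.key"; CRT="$WORK/haproxy.pem"

# Minimal req config so the command below runs without the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Same command as the question, with a fixed subject so nothing prompts.
openssl req -nodes -x509 -newkey rsa:2048 -keyout "$KEY" -out "$CERT" -days 2000 \
  -subj "/CN=xre.example.test" -config "$WORK/req.cnf" >/dev/null 2>&1

# HAProxy loads certificate AND key from the one file named by `crt`; pointing
# it at the key alone is exactly what produced "unable to load SSL certificate".
build_haproxy_pem() {
  cat "$1" "$2" > "$3" && chmod 600 "$3"
}

# Return 0 when the PEM holds a certificate whose public key matches the private key.
pem_pair_matches() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

build_haproxy_pem "$CERT" "$KEY" "$CRT"
if pem_pair_matches "$CRT"; then
  echo "ok: use 'bind *:9045 ssl crt $CRT' in haproxy.cfg"
fi
```

Running pem_pair_matches against the key file alone (the question's original crt value) returns non-zero, which is the same condition HAProxy reports at startup.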

Related

Page is working but showing "Not Secure" sign on browser (configured with Traefik v2 using self-signed cert)

I apologize if this is a silly rookie question, I'm not really experienced in dealing with SSL / https so please help me out.
I have a docker swarm setup and am using Traefik to handle all the HTTPS services. When I first load the page (take the grafana page for example), there is a warning page and I click "Advanced" and "Proceed (accept risk)", then the page displays and works just fine; the only problem is the "Not Secure" sign showing in the browser.
A few things could be contributing to this:
Self-created CA and self-signed cert: I'm at development stage so I created my own CA and signed the cert using openssl, and use this cert in Traefik dynamic configuration.
Command to generate CA:
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca.pem
Command to generate self-signed cert:
openssl req -newkey rsa:2048 -days 365 -nodes -keyout key.pem -out req.pem
openssl x509 -req -in req.pem -days 365 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out cert.pem
See attached screenshot for the errors of the certs: "Subject Alternative Name missing" & "This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID)."
Chrome Dev Tool Certificate Error
Traefik configuration: Not using Let's Encrypt since I don't have an account, so using my own self-signed cert. I don't think this is the issue because I can see the page is using the cert I provided. But if anyone has similar experience with Traefik v2, maybe you can give me some pointers if there is anything I set wrong?
Dynamic configuration file that declares the certs:
tls:
  stores:
    default:
      defaultCertificate:
        certFile: configuration/cert.pem
        keyFile: configuration/key.pem
Question:
Is a missing SAN really an important factor that will cause my page to be not secure? If yes, how can I add a SAN while creating the cert with openssl?
I understand that the 2nd error "ERR_CERT_AUTHORITY_INVALID" means the browser doesn't recognize the cert's validity. Does that mean I have to install my CA? Where and how do I install it? Is it on the docker swarm's manager node (this is where the Traefik service and the certs are), or is it on any client machine that is trying to access the page?
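The question's own CA, CSR and signing commands, repeated as an added example (not from the post or from Traefik) so the two browser errors can be reproduced and checked: openssl x509 -req copies no extensions from the CSR, so the subjectAltName has to be supplied at the signing step with -extfile, and the leaf only verifies against ca.pem, which is the file a client must trust. It assumes openssl is installed; the hostname, the 192.0.2.10 address and the extension file are constructed.

```shell
WORK=$(mktemp -d)
HOST=grafana.example.test

# Constructed config: v3_ca marks the root as a CA, v3_san is the part the
# question's signing step lacks. [req]/[dn] only keep req from prompting.
cat > "$WORK/ext.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_san]
subjectAltName = DNS:$HOST,IP:192.0.2.10
EOF

# CA and CSR, following the question's commands (subjects fixed so nothing prompts).
openssl genrsa -out "$WORK/ca-key.pem" 2048 2>/dev/null
openssl req -new -x509 -nodes -days 3650 -key "$WORK/ca-key.pem" -out "$WORK/ca.pem" \
  -subj "/CN=Dev Root CA" -config "$WORK/ext.cnf" -extensions v3_ca 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" -out "$WORK/req.pem" \
  -subj "/CN=$HOST" -config "$WORK/ext.cnf" 2>/dev/null

# sign_csr OUT [EXTFILE]: the question's x509 -req step. x509 -req does not copy
# extensions from the CSR, so the SAN must be handed to it via -extfile.
sign_csr() {
  if [ -n "$2" ]; then
    openssl x509 -req -in "$WORK/req.pem" -days 365 -CA "$WORK/ca.pem" \
      -CAkey "$WORK/ca-key.pem" -set_serial 02 -extfile "$2" -extensions v3_san \
      -out "$1" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/req.pem" -days 365 -CA "$WORK/ca.pem" \
      -CAkey "$WORK/ca-key.pem" -set_serial 01 -out "$1" 2>/dev/null
  fi
}

# Return 0 when NAME is listed in the certificate's subjectAltName.
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

# Return 0 when the certificate chains to CA. A browser accepts it only once that
# CA is in the client's trust store, which is what ERR_CERT_AUTHORITY_INVALID means.
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

sign_csr "$WORK/nosan.pem"                 # exactly as posted: no SAN
sign_csr "$WORK/cert.pem" "$WORK/ext.cnf"  # fixed: SAN present
cert_has_san "$WORK/cert.pem" "$HOST" && echo "cert.pem carries DNS:$HOST"
chains_to_ca "$WORK/ca.pem" "$WORK/cert.pem" && echo "cert.pem verifies against ca.pem"
```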

Generate self signed certs for connection between nginx and upstream server

I have to deploy a backend that wants to handle HTTPS on its own.
The README of that backend provides the following command to generate a self signed cert:
openssl req -x509 -nodes -newkey rsa:2048 -keyout tls.key -out tls.crt -days 3650
That gives me a tls.key and tls.crt file. However, the NGINX guide at https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/ requires some more stuff which I don't have.
It would be awesome if someone could tell me how to generate all the certificate files I need so that NGINX can talk to the backend via SSL.
The outside-facing SSL connection is covered by Let's Encrypt.

How to make client approve a server certificate?

I need to make the client approve a server CA certificate which is not known to it.
I have generated cert.pem using the following command
openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
And then using the following command I came to know that requests points to <full-path>/cacert.pem.
python -mrequests.certs
So, I have copied the generated cert.pem to the same path and gave it to verify. I have tried the following to do so. I don't want to use verify=False.
requests.get("https://<ip>:<port>/route1", verify='<full-path>/cert.pem')
Still I see that the client is throwing the following error.
SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
How do I make the client approve the server certificate? Am I missing anything? Any help would be appreciated.
Server side code
from flask import Flask  # app is the Flask object

app = Flask(__name__)
context = ('cert.pem', 'key.pem')  # (certificate, private key) pair used for the TLS context
app.run(host="<ip>", port=port, debug=True, ssl_context=context)

IceCast SSL certificate as not secure

I have installed on my server IceCast with SSL. The program works perfectly but the SSL certificate is recognized as non-secure in the browser. I generated the certificate with the following code:
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout icecast2.pem -out icecast2.pem
Page capture: http://i.imgur.com/V5V3zM4.png
Does anyone know how I can fix it?
PS: I'm running Apache2 Server and Debian.
Many Thanks.
You've got a self-signed certificate that is not contained in any trust chain. Hence, it is marked as insecure by your browser.
There is hardly any way to fix this with your existing certificate. You can try through the Let's Encrypt initiative.

Trouble getting https to work with self signed certificate on aws elastic load balancer

I am having an issue configuring https on my aws elastic load balancer using a self-signed certificate. After I'm done with the setup, making a connection to the https endpoint does not work. The http connection is still fine.
Here's what I did.
Generate the self-signed certificate using this command
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Verified that the key and certificate are working by using these commands:
openssl rsa -in privateKey.key -check
openssl x509 -in certificate.crt -text -noout
Converted the key and the cert into a .pem encoded format to comply with the aws certificate requirement.
openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in certificate.crt > public.pem
Uploaded the certificate to my elastic load balancer using the AWS Management Console
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/US_UpdatingLoadBalancerSSL.html. For the private key and public cert value, I used the private.pem and public.pem that were generated in step 3.
Went into the ELB Listener configuration, added an https listener and used the certificate that I just uploaded. Here's the configuration for the Listener:
Any thought on what might be wrong in my configuration? Thanks!!!
Do the Security Groups of the Load Balancer include an inbound HTTPS 443 Port for source 0.0.0.0/0? I just spent a few hours until I finally found this solution.