mitmproxy and ec2-api-tools - ssl

I'm having trouble getting mitmproxy to work with the ec2-api-tools.
In one terminal, I did this:
$ mitmproxy -p 8080
And in another, I did:
$ export EC2_JVM_ARGS="-DproxySet=true -DproxyHost=127.0.0.1 -DproxyPort=8080 -Dhttps.proxySet=true -Dhttps.proxyHost=127.0.0.1 -Dhttps.proxyPort=8080"
$ ec2-describe-instances
I get the following error:
Unexpected error:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:401)
at org.apache.commons.httpclient.contrib.amazon.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:369)
at org.apache.commons.httpclient.contrib.amazon.ssl.StrictSSLProtocolSocketFactory.createSocket(StrictSSLProtocolSocketFactory.java:241)
at org.apache.commons.httpclient.HttpConnection.tunnelCreated(HttpConnection.java:786)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.tunnelCreated(MultiThreadedHttpConnectionManager.java:1521)
at org.apache.commons.httpclient.HttpMethodDirector.executeConnect(HttpMethodDirector.java:514)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:391)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.codehaus.xfire.transport.http.CommonsHttpMessageSender.send(CommonsHttpMessageSender.java:369)
at org.codehaus.xfire.transport.http.HttpChannel.sendViaClient(HttpChannel.java:123)
at org.codehaus.xfire.transport.http.HttpChannel.send(HttpChannel.java:48)
at org.codehaus.xfire.handler.OutMessageSender.invoke(OutMessageSender.java:26)
at org.codehaus.xfire.handler.HandlerPipeline.invoke(HandlerPipeline.java:131)
at org.codehaus.xfire.client.Invocation.invoke(Invocation.java:79)
at org.codehaus.xfire.client.Invocation.invoke(Invocation.java:114)
at org.codehaus.xfire.client.Client.invoke(Client.java:336)
at org.codehaus.xfire.client.XFireProxy.handleRequest(XFireProxy.java:77)
at org.codehaus.xfire.client.XFireProxy.invoke(XFireProxy.java:57)
at com.sun.proxy.$Proxy12.describeInstances(Unknown Source)
at com.amazon.aes.webservices.client.Jec2Impl.describeInstances(Jec2Impl.java:1517)
at com.amazon.aes.webservices.client.Jec2Impl.describeInstances(Jec2Impl.java:1492)
at com.amazon.aes.webservices.client.cmd.DescribeInstances.invokeOnline(DescribeInstances.java:58)
at com.amazon.aes.webservices.client.cmd.BaseCmd.invoke(BaseCmd.java:1040)
at com.amazon.aes.webservices.client.cmd.DescribeInstances.main(DescribeInstances.java:67)
I'm running on OS X, and I've configured keychain to trust the mitmproxy-ca-cert.pem certificate.

Thanks to Thomas Orozco's answer and this mitmproxy issue:
sudo keytool -importcert -alias mitmproxy -storepass "changeit" \
-keystore /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts \
-trustcacerts -file ~/.mitmproxy/mitmproxy-ca-cert.pem

You have to add the MITM proxy certificate to the certificate store that Java is using, which might not be OS X's keychain.
You should be able to use keytool for this: http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html

Related

SSL Enabled on AEM and third party services stopped working

Recently we enabled SSL on AEM, and after that we are facing issues connecting to third-party services.
For some services we are getting
javax.net.ssl.SSLException: java.security.ProviderException: Could not derive key
Any pointers on how to resolve this issue?
Thanks,
Nidhi
I had this issue a while ago. The cert file was not installed to the Java keystore in my case.
Ensure the cert file is installed to the Java keystore. This command will list the installed certs; check if your cert is in there. You can search by the alias that was used to install the cert.
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
This will help you import to the keystore if the cert is not installed:
keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias"
You can also search by the alias that was used to install the cert:
keytool -list -v -keystore keystore.jks -alias youralias
If you have multiple versions of Java installed, ensure JAVA_HOME points to the location of the Java where the cert is installed. Also check that PATH contains the same path.

"Impossible to connect to JIRA" error on SonarQube

I'm trying to link a Sonar issue to Jira using the "Link to Jira" option, but am getting "Impossible to connect to Jira - https://{Jira URL}.atlassian.net/".
I was able to create a JIRA with the same configuration 8 months ago, but not now. Not sure if JIRA has changed anything to force importing SSL certs into the Sonar JRE now.
Could you please let me know how to get the Jira SSL cert and import it to the Sonar keystore?
Thanks in advance!
The SSL part of the connection isn't related to SonarQube, it's standard Java security. To your question, assuming the error is indeed a trust issue (you didn't provide debug logs):
Retrieve the server certificate:
echo -n | openssl s_client -connect JIRA_HOST:port | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server.pem
Add it to Java truststore:
keytool -import -trustcacerts -alias jira_server -file server.pem -keystore /<java_install>/jre/lib/security/cacerts
(default truststore password is changeit)
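The three answers above (mitmproxy, AEM, SonarQube) all come down to the same procedure: find the cacerts file the Java in question actually reads, fetch the certificate, import it, and verify the alias. The script below is an added example, not code from any of the answers; it assumes keytool and openssl are on PATH and that cacerts still has the JDK default password changeit.

```shell
#!/bin/sh
# Added example: trust a server or proxy certificate in the cacerts file that a
# given Java installation really uses. Assumes keytool/openssl on PATH and the
# JDK default truststore password "changeit".

# Print the cacerts path for a JAVA_HOME. Java 8 and earlier keep it under
# jre/lib/security; Java 9+ has no separate jre directory and uses lib/security.
java_cacerts() {
    for _c in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$_c" ]; then
            printf '%s\n' "$_c"
            return 0
        fi
    done
    echo "no cacerts found under $1" >&2
    return 1
}

# Fetch the leaf certificate a TLS server presents, as PEM. -servername sends SNI,
# so a virtual-hosted server (e.g. an *.atlassian.net site) returns its own chain.
fetch_server_cert() {  # host port outfile
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Exit 0 if the alias is already in the keystore (keytool -list fails otherwise).
cert_trusted() {  # keystore alias
    keytool -list -keystore "$1" -storepass changeit -alias "$2" >/dev/null 2>&1
}

# Import a PEM or DER cert as a trusted entry without the "Trust this certificate?" prompt.
import_cert() {  # keystore alias certfile
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$3" \
        -keystore "$1" -storepass changeit
}

# End to end: locate cacerts, fetch the cert, import it if missing, verify the alias.
trust_server_cert() {  # java_home host port alias
    _ks=$(java_cacerts "$1") || return 1
    _pem=$(mktemp) || return 1
    fetch_server_cert "$2" "$3" "$_pem" || { rm -f "$_pem"; return 1; }
    if cert_trusted "$_ks" "$4"; then
        echo "alias $4 already trusted in $_ks"
    else
        import_cert "$_ks" "$4" "$_pem" || { rm -f "$_pem"; return 1; }
    fi
    rm -f "$_pem"
    cert_trusted "$_ks" "$4"   # final check, same as the keytool -list step above
}
```

Call it as `trust_server_cert "$JAVA_HOME" JIRA_HOST 443 jira_server` (with sudo when cacerts belongs to a system Java); for the mitmproxy case, skip the fetch and pass ~/.mitmproxy/mitmproxy-ca-cert.pem straight to import_cert.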

play framework 2.3.7 - SSL configuration

I am trying to setup SSL connection for my Play application. Here is the process I followed:
keytool -genkeypair -v -alias example.com -keystore example.com.jks -keyalg RSA -keysize 2048 -validity 385
keytool -certreq -v -alias example.com -keypass password -storepass password -keystore example.com.jks -file example.com.csr
Submitted the CSR to godaddy and downloaded the certificates.
keytool -import -v -alias root -file gdroot-g2.crt -keystore example.com.jks -storetype JKS
keytool -import -v -alias intermed -file gdig2.crt -keystore example.com.jks -storetype JKS
keytool -import -v -alias example.com -file 46826eerd8c69.crt -keystore example.com.jks -storetype JKS
After this I added 127.0.0.1 www.example.com to my /etc/hosts and started the Play server as below.
./activator -Dhttps.port=9443 -Dhttps.keyStore=/tmp/ssl/example.com.jks -Dhttps.keyStorePassword=password run
Now when I try to access the url via browser https://www.example.com:9443, I see the following message. No errors on the server.
Unable to make a secure connection to the server. This may be a
problem with the server, or it may be requiring a client
authentication certificate that you don't have. Error code:
ERR_SSL_PROTOCOL_ERROR
I have no clue of what's happening. I followed the entire process twice, but still no luck.
Any help is appreciated.
The issue is because of accessing the application by adding 127.0.0.1 www.example.com to /etc/hosts. I followed the same procedure on a remote server and added its IP to /etc/hosts, and then things started working fine.
It seems that for some reason the certificate is not accepted for the loopback IP in /etc/hosts.

cfftp and self-signed certificate

I'm having trouble getting ColdFusion to connect to a secure FTP server that uses a self-signed certificate. The connection just times out. I've tested the setup in an FTP client and it works, but you must accept an 'unknown certificate.'
The code, though it's not very helpful:
<cfftp
connection="ftp"
action="open"
server="server"
username="username"
password="password"
port="23456"
passive="true"
secure="true"
/>
Here's the error I get from ColdFusion:
Verify your connection attributes: username, password, server, fingerprint, port, key, connection, proxyServer, and secure (as applicable). Error: Session.connect: java.net.SocketTimeoutException: Read timed out.
Does anyone know if it's possible to accept the certificate? Or if that's even the problem?
I am not sure about cfftp but for cfhttp requests to sites with a self-signed certificate you have to import their certificate into the Java keystore on your ColdFusion server. So you might want to give that a try.
I always export the certificate in DER format.
The command to import should be something like this:
keytool -import -v -alias giveUniqueName -file filename.cer -keystore cacerts -storepass thePassword
Here is the command line to verify an imported certificate:
keytool -list -v -keystore cacerts -alias giveUniqueName -storepass thePassword
I did not include the password here but am pretty sure you can Google it. If not, send me a message and I can give it to you.
Also, you may need to supply pathing information depending on where you run the keytool commands from and where your certificate file resides.
Another note: be sure you are updating the correct cacerts file that ColdFusion is using, in case you have more than one JRE installed on that server. You can verify the JRE ColdFusion is using from the administrator under 'System Information'. Look for the Java Home line.
Oh - and you have to restart ColdFusion after making the import.
UPDATE FOR CF10
I found a forum discussion (here) talking about installing certificates on CF10. The keytool commands appear to be slightly different in their example. In case it is a bit different than CF9, here is what they said:
keytool -importcert -alias giveUniqueName -trustcacerts -file filename.cer -keystore cacerts -storepass thePassword
Trust this certificate? [no]: y
It looks like the verification command line has not changed.

Bad certificate error with SSL

I have a webstart application where I want to do client authentication while connecting to the server. I have created pkcs12 certificate which I install using certmgr.exe and it works fine.
I want to do this for every client that uses the application. How should I do this? If I distribute the certificate I get a bad_certificate error. I know there isn't a problem with the certificate because it would work if you install the certificate using the browser.
I had created the public key using
keytool -export -alias myKey -keystore abc.p12 -storetype PKCS12 -storepass mypassword -rfc -file abc.cer
then I imported this file into my server's keystore for mutual authentication using:
keytool -import -v -file abc.cer -keystore C:\apache-tomcat-7.0.26\tomcat.keystore -storepass mypassword
after this, if I install abc.p12 certificate in certmgr, it works fine.
To be able to do it from Java, I needed a truststore. I created a truststore where I import the public key using
keytool -import -keystore client-truststore.jks -file abc.cer
If I try to access the server using
-Djavax.net.ssl.keyStore=abc.p12
-Djavax.net.ssl.keyStorePassword=mypassword
-Djavax.net.ssl.trustStore=trustore.jks
-Djavax.net.ssl.trustStorePassword=mypassword
I'm not sure if I'm doing the right thing. Please let me know what you think.
What should I be doing? Please let me know your suggestions.
You should have imported it into your server's trust store, not its keystore.
You have to import the cert into your certs file, which in the JDK is the cacerts file. After doing that you have to verify the cert is present in the file, and you will have to do that on every client.
The thing about the trust store is that you create your own JKS file.