I cannot seem to configure Dropwizard to use ssl.
I've created a key
openssl genrsa -des3 -out server.key 1024
and a certificate
openssl req -new -key server.key -days 365 -out server.crt -x509
and imported it into a keystore
keytool -import -file server.crt -keystore keystore.jks
From there, I've placed the keystore.jks file into /src/main/resources, alongside the config.yaml file for dropwizard.
Then I tried configuring ssl for dropwizard according to the manual:
http:
ssl:
keyStore: ./keystore.jks
keyStorePassword: ********
However, when I navigate to the login page, it only works without https: and gives Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error when using https.
Are there other steps that I'm missing?
I posted on the mailing list and Codahale was quick to respond. I hadn't set nonblocking+ssl connectors in my configuration yaml file under the http: section. Putting in
connectorType: nonblocking+ssl
fixed everything. Thanks dropwizard wizard!
Related
I am developing a REST server that runs with Jersey on Glassfish, and I want to make it run on HTTPS on localhost.
I have found many tutorials for generating a CA cert, others for generating .cer / .crt / .key / .csr / ... files, others for generating a jks keystore.
But they do not answer my (very basic) question: how to generate a self signed certificate and use it in my app that runs on Glassfish, on localhost? From scratch to the integration for a real usage, without any prerequiresite having a crt, a jks or any other file.
(For information I use Linux)
Thanks
EDIT: I have finally created a certificate with the following commands
openssl req -x509 -out localhost.crt -keyout localhost.key \
-newkey rsa:2048 -nodes -sha256 \
-subj '/CN=localhost' -extensions EXT -config <( \
printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
openssl pkcs12 -export -name localhostServerCert -in localhost.crt -inkey localhost.key -out localhostP12Keystore.p12
keytool -importkeystore -destkeystore localhostKeystore.jks -srckeystore localhostP12Keystore.p12 -srcstoretype pkcs12 -alias localhostServerCert
copy localhostKeystore.jks into /glassfish/domains/domain1/config
keytool -importkeystore -srckeystore localhostKeystore.jks -destkeystore keystore.jks
And I have modified http-listener-2 in the admin console with certificate nickname localhostServerCert, but I got an error page on https://localhost:8181 (ERR_CONNECTION_REFUSED)
EDIT 2 : I think there should be a problem with the certificate, since openssl s_client -showcerts -connect localhost:8181 returns no peer certificate available, No client certificate CA names sent
COMMON GOALS
It can be useful to run with SSL locally, and I like to start with real world URLs. This can also help you to think ahead to your production deployment design, which often involves a Private PKI these days, based on a self issued Root CA.
Web and API domains can sometimes be related these days, eg if an API issues secure cookies for the web origin. So for localhost development I first define URLs such as these:
https://api.mycompany.com
https://web.mycompany.com
DEVELOPER SETUP
Then add entries such as this to my hosts file:
127.0.0.1 localhost web.mycompany.com api.mycompany.com
:1 localhost
Then, in terms of certificates, I produce these deployable files:
Certificate
Filename
Usage
Root CA
mycompany.ca.pem
The root certificate authority that is trusted by the Java runtime
Wildcard Certificate
mycompany.ssl.p12
A password protected PKCS12 file deployed with the API
My Development Certificates Repository has an example of how to issue the certs using openssl, including a bash script you can use for your own domains. Essentially this is a Private PKI for a development computer.
CONFIGURING TRUST
You then just need to trust the Root CA in the Java runtime used by Glassfish. Personally I tend to avoid JKS files where possible, since they are specific to Java, whereas PKCS12 files are a more portable concept:
sudo "$JAVA_HOME/bin/keytool" -import -alias mycompanyroot -cacerts -file ~/Desktop/mycompany.ca.pem -storepass changeit -noprompt
FURTHER DEVELOPER SETUP INFO
These resources on a portable way to manage SSL development certs are provided below, which completes the architecture work:
My Developer SSL Blog Post
My Java API uses the above certs and loads the wildcard certificate via this code, where a P12 file is used as a keystore:
System.setProperty(
"server.ssl.key-store",
configuration.getApi().getSslCertificateFileName());
System.setProperty(
"server.ssl.key-store-password",
configuration.getApi().getSslCertificatePassword());
GLASSFISH
If Glassfish based setups mean the API itself does not load the PKCS12 file, then there may be a specific task to import the PKCS12 file. Many systems provide a GUI or API option for loading a PKCS12 file into a keystore. This may result in a command like this being run, which you can do manually if needed:
keytool -importkeystore -srckeystore mycompany.ssl.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks -v
I'm using ActiveMQ Artemis 2.17.0 replication with self-signed certificates. After trying to update to 2.18.0 I realized that something wrong with my certificates (see this thread). There is no SSL connections between brokers and clients.
Here is how I generated my certificates:
openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 -days 365 -out brokerRoot.pem -subj "/C=US/ST=Maryland/L=Aberdeen/O=TestCompany/OU=IT/CN=test/emailAddress=test#gmail.com" -passin pass: passphrase
openssl pkcs12 -inkey private.key -in brokerRoot.pem -export -out broker_ks.p12 -password pass:keyStorePassword
keytool -import -alias broker -keystore client_ts.p12 -file brokerRoot.pem -deststoretype pkcs12 -storepass trustStorePassword -noprompt
and I'm using same client_ts.p12 and broker_ks.p12 on clients and on brokers. So the hostnames should match but it doesn't work anyway.
The ActiveMQ Artemis upgrade instructions for 2.18.0 references says:
...core clients will now expect the CN or Subject Alternative Name values of the broker's SSL certificate to match the hostname in the client's URL.
When you use the openssl command to create private.key you specify CN=test. This means your hostname must be test and your client should also use test in its URL.
Since it's not working my guess is that your hostname is not test. Therefore you need to change your SSL cert on the broker to use the proper CN value which matches the hostname of the broker and then use that in the client's URL.
I have _client-cert.pem and client-key.pem and ca.pem files which I am trying to add to my grails project.
I used following commands :
Convert client keys/certificate files to PKCS#12 before creating a keystore
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem \
-name “mysqlclient” -passout pass:mypassword -out client-keystore.p12
Create a Java Keystore using the client-keystore.p12 file
keytool -importkeystore -srckeystore client-keystore.p12 -srcstoretype pkcs12 \
-srcstorepass mypassword -destkeystore keystore -deststoretype JKS -deststorepass mypassword
Then Modified my application.yml file with that path :
enabled: true
key-store: /..../proxreg
key-store-password:kjsfghsfjlhgl
keyStoreType: pkcs12
keyAlias: tomcat
I was wondering if I am missing any step or what am I doing wrong. I am getting access denied error but when I try to connect thro mysql wokbench it works
You can generate a self-signed certificate using the openssl command-line utility.
We can use openssl's req command to create a self-signed certificate:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Above will prompt you to supply metadata about the certificate, such as Country, Organization, etc. Moreover, it will ask you to provide a PEM pass phrase. Enter a random password and keep it safe; we will need in the next step.
Now you have you self-signed certificate. Unfortunately Grails (and Spring Boot) doesn’t support the PEM format directly. Instead, we need to use the PKCS12 format for our keys. Fortunately, there is another openssl command to make the conversion:
openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.p12 -name tomcat -caname root
Update grails-app/conf/application.yml with the following lines:
server:
port: 8443
ssl:
keyStore: /certificates/keystore.p12
keyStorePassword: secret
# keyAlias: tomcat
Above all worked fine with me. for more information please refer this and this
Hope this will help you.
I have a Jenkins instance from which I need to call other services/endpoints which reside behind a load balancer. This load balancer requires and does SSL client certificate validation.
Is it possible to make Jenkins use an SSL client certificate for the calls it makes towards those endpoints residing behind that load balancer?
Something like below:
Jenkins call ---present_SSL_client_cert---> LB(verify client cert) ---> endpoint
Thank you in advance!
To get Jenkins to use a client cert for other endpoints start Jenkins with
JAVA_OPTS="-Djavax.net.ssl.keyStorePassword=changeme -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=/cert/jenkins.p12"
I used a normal client cert:
openssl req -nodes -newkey rsa:4096 -days 365 -keyout cert/jenkins.key -out cert/jenkins.csr -subj "/C=DE/ST=somewhere/L=inCity/O=someOrg/OU=someBla/CN=jenkins"
signed it:
openssl x509 -req -days 365 -in ../jenkins/cert/jenkins.csr -CA ca/ca.crt -CAkey ca/ca.key -out ../jenkins/cert/jenkins.crt -passin env:CA_KEY
and converted it to PKCS12:
openssl pkcs12 -nodes -export -in cert/jenkins.crt -inkey cert/jenkins.key -out cert/jenkins.p12 -certfile ../nginx/ca/ca.crt -passout pass:changeme
It was important use a non empty keyStorePassword, otherwise Jenkins threw an Exception java.security.UnrecoverableKeyException: Get Key failed: null
Furthermore I added the server cert to the Java keystore:
keytool -import -alias server.domain.de -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -file /root/server.crt -noprompt -storepass changeit
I've tested this setup with jenkins:lts docker container and keycloak, both behind an nginx reverse proxy using client cert auth.
Using env-variables like JENKINS_HTTPS_KEYSTORE which one can sometime see for configuring Jenkins to use https itself did NOT work for client auth. I did not investigate further, but I assume the plugin OpenId Connect Authentication Plugin which I used did not honor this variable and uses basic java functionality.
We are try to set up the shield SSL in local machine.
Elasticsearch version : 2.2.1
Kibana version : 4.4.1
Shield version : Latest version
We generated self signed crt, key, pem file as below:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
openssl req -out CSR.csr -key privateKey.key -new
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key
openssl x509 -in certificate.crt -out certificate.pem
keytool -importcert -keystore node01.jks -file certificate.pem -alias my_ca
keytool -certreq -alias node01 -keystore node01.jks -file CSR.csr -keyalg rsa -ext san=dns:XXX.com,ip:XXXX.xxxx.xxx
keytool -importcert -keystore node01.jks -file Certificate-signed.crt -alias node01
openssl x509 -in Certificate-signed.crt -out node01-signed-noheaders.crt
and added in shield configuration.
Shield configuration:
shield.http.ssl: true
shield.transport.ssl: true
shield.ssl.keystore.key_password: XXXXX
shield.ssl.keystore.password: XXXX
shield.ssl.keystore.path: /es/config/shield/node01.jks
network.host: XX.XX.XX.XX
Kibana configuration:
elasticsearch.url: "https://XXXXX:9200"
elasticsearch.username: "username"
elasticsearch.password: "password"
elasticsearch.ssl.cert: /XXX/XXX/XXX/elasticsearchtls.crt
elasticsearch.ssl.key: /XXX/XXX/XXX/elasticsearchtls.key
elasticsearch.ssl.ca: /XXX/XXX/XXX/elasticsearch.pem
elasticsearch.ssl.verify: true
So when run the kibana the below error is displayed in elasticsearch log:
log [12:24:25.512] [error][elasticsearch] Request error, retrying -- self signed certificate
log [12:24:25.622] [warning][elasticsearch] Unable to revive connection: https://XXXX:9200/
log [12:24:25.624] [warning][elasticsearch] No living connections
log [12:24:25.627] [error][status][plugin:elasticsearch] Status changed from yellow to red - Unable to connect to Elasticsearch at https://XXXXXX:9200.
After that when I change the elasticsearch.ssl.verify: false Kibana is working fine, but showing some error in elasticsearch log:
ElasticsearchSecurityException[missing authentication token for REST request [/_mget?timeout=0&ignore_unavailable=true&preference=1461307913497]]
In elastic client also the same issue is coming. When we use rejectUnauthorized: true then client is not connecting to elasticsearch.
My questions are:
is the self signed certificate working in Elasticsearch, Kibana or not?
do we have to buy a commercial CA certificate?
are we missing anything?
You are using unnecessary steps when generating and importing the key. Also the certificate you are generating is not signed by the CA and hence it will never be trusted
Unless you have a large deployment I would just use a selfsigned certificate, rather than a certificate signed by a selfsigned CA.
1) Generate a selfsigned certificate with SAN extensions as indicated here How can I generate a self-signed certificate with SubjectAltName using OpenSSL?
2) Merge the key and certificate in a PKCS12 container and import it to the a java keystore as explained here importing an existing x509 certificate and private key in Java keystore to use in ssl