openssl: invalid type in 'policy' configuration - ssl

I want to have a self-signed SSL certificate for my local development server. I was following the guide on https://help.ubuntu.com/community/OpenSSL, and at the last step, where you sign the certificate by issuing the following command:
openssl ca -in tempreq.pem -out server_crt.pem
I get the following output (the error is on the last line):
Using configuration from /home/user_name/.ssl/caconfig.cnf
Enter pass phrase for /home/user_name/.ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'localhost'
stateOrProvinceName :PRINTABLE:'AA'
countryName :PRINTABLE:'ET'
emailAddress :IA5STRING:'user@example.com'
organizationName :PRINTABLE:'Example Inc'
organizationalUnitName:PRINTABLE:'Development'
localhost:invalid type in 'policy' configuration
What can I do to solve it? Just to serve as background, I don't have a domain name for my server, so I just used localhost as the commonName. Is that the problem?
Thanks for your help.

Copy the policy section from /etc/ssl/openssl.cnf to your configuration file.
Rebuild all the files from the beginning.
The policy section looks like the following:
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
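To see what the three policy values actually do when openssl ca compares the CSR subject with the CA subject, here is an added example that is not code from the question, the answer or the OpenSSL project. It models the policy check with the [ policy_match ] section quoted above: "match" requires the request value to equal the CA's, "supplied" only requires the attribute to be present (so a commonName of localhost is accepted), "optional" accepts either, and any other value is the condition behind "invalid type in 'policy' configuration". The CA subject and request subject are constructed sample values (the request mirrors the DN printed in the question), and the messages are modelled on the ones openssl ca prints, except that every problem is collected instead of stopping at the first.

```python
"""Model of the 'policy' check that ``openssl ca`` applies to a CSR subject.

Added example, not code from the original question, answer or OpenSSL.
"""

# the [ policy_match ] section from the answer above
POLICY_MATCH = {
    "countryName": "match",
    "stateOrProvinceName": "match",
    "organizationName": "match",
    "organizationalUnitName": "optional",
    "commonName": "supplied",
    "emailAddress": "optional",
}

# constructed sample subjects
CA_SUBJECT = {
    "countryName": "ET",
    "stateOrProvinceName": "AA",
    "organizationName": "Example Inc",
    "commonName": "Example Dev CA",
}
REQUEST_SUBJECT = {
    "commonName": "localhost",
    "stateOrProvinceName": "AA",
    "countryName": "ET",
    "emailAddress": "user@example.com",
    "organizationName": "Example Inc",
    "organizationalUnitName": "Development",
}


def apply_policy(policy, ca_subject, req_subject):
    """Apply an ``openssl ca`` style policy to a request subject.

    Returns (problems, issued_subject, dropped):
      problems       -- list of strings; empty means the request would be signed
      issued_subject -- the subject the certificate would carry, in policy order
      dropped        -- request attributes the policy does not list (openssl ca
                        silently omits these from the issued certificate)
    Raises ValueError for a policy value other than match/supplied/optional,
    which is the condition behind "invalid type in 'policy' configuration".
    """
    problems = []
    issued = {}
    for attr, ptype in policy.items():
        req_val = req_subject.get(attr)
        if ptype == "optional":
            if req_val is not None:
                issued[attr] = req_val
        elif ptype == "supplied":
            if req_val is None:
                problems.append(f"The {attr} field needed to be supplied and was missing")
            else:
                issued[attr] = req_val
        elif ptype == "match":
            ca_val = ca_subject.get(attr)
            if req_val is None:
                problems.append(f"The mandatory {attr} field was missing")
            elif ca_val is None:
                problems.append(f"The {attr} field does not exist in the CA certificate, "
                                "the 'policy' is misconfigured")
            elif req_val != ca_val:
                problems.append(f"The {attr} field is different between CA certificate "
                                f"({ca_val}) and the request ({req_val})")
            else:
                issued[attr] = ca_val   # openssl ca copies the CA's own entry here
        else:
            raise ValueError(f"invalid type in 'policy' configuration: {attr} = {ptype!r}")
    dropped = sorted(set(req_subject) - set(policy))
    return problems, issued, dropped


if __name__ == "__main__":
    problems, issued, dropped = apply_policy(POLICY_MATCH, CA_SUBJECT, REQUEST_SUBJECT)
    print("problems:", problems or "none")
    print("issued subject:", issued)
    print("dropped attributes:", dropped)
```

Changing the request's countryName to a value the CA does not carry, or leaving out commonName, produces the corresponding problem; an attribute the policy never lists (localityName, say) is dropped rather than rejected, which is what the "you must list all acceptable 'object' types" comment in the stock config is warning about.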

Related

Understanding certificate revocation configuration (crl.cnf/openssl.cnf) file

I have a crl.cnf as below:
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = _CA_dir_
database = _index_fname_ # database index file.
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
In the above file, what do the CA_dir, index_fname and ca_default variables refer to, or how do I find what values those variables hold? It would be really helpful if someone could help me understand this. Thanks in advance!

tls unsigned certificate when using terraform

The microstack.openstack project recently enabled/required tls authentication as outlined here. I am working on deploying an openstack cluster to microstack using a terraform example here. As a result of the change, I receive an unknown signed cert error when trying to create an openstack network client data source.
data "openstack_networking_network_v2" "terraform" {
    name = "${var.pool}"
}
The error I get when calling terraform plan:
Error: Error creating OpenStack networking client: Post "https://XXX.XXX.XXX.132:5000/v3/auth/tokens": OpenStack connection error, retries exhausted. Aborting. Last error was: x509: certificate signed by unknown authority
with data.openstack_networking_network_v2.terraform,
on datasources.tf line 1, in data "openstack_networking_network_v2" "terraform":
1: data "openstack_networking_network_v2" "terraform" {
Is there a way to ignore the certificate error, so that I can successfully use terraform to create the openstack cluster? I have tried updating the generate-self-signed parameter, but I haven't seen any change in behavior:
sudo snap set microstack config.tls.generate-self-signed=false
I think the insecure provider parameter is what you are looking for:
(Optional) Trust self-signed SSL certificates. If omitted, the OS_INSECURE environment variable is used.
Try:
provider "openstack" {
    insecure = true
}
Disclaimer: I haven't tried that.
The problem was that I did not source the admin-openrc.sh file that I had downloaded from the horizon web page:
$ source admin-openrc.sh
I faced the same problem; if it could help, here is my contribution:
sudo snap get microstack config.tls
Key Value
config.tls.cacert-path /var/snap/microstack/common/etc/ssl/certs/cacert.pem
config.tls.cert-path /var/snap/microstack/common/etc/ssl/certs/cert.pem
config.tls.compute {...}
config.tls.generate-self-signed true
config.tls.key-path /var/snap/microstack/common/etc/ssl/private/key.pem
In the terraform directory, do:
cat /var/snap/microstack/common/etc/ssl/certs/cacert.pem : copy/paste -> cacert.pem
cat /var/snap/microstack/common/etc/ssl/certs/cert.pem : copy/paste -> cert.pem
cat /var/snap/microstack/common/etc/ssl/private/key.pem : copy/paste -> key.pem
And create a file main.tf in your terraform directory:
provider "openstack" {
    user_name   = "admin"
    tenant_name = "admin"
    password    = "pass" (get with sudo snap get microstack config.credentials.keystone-password)
    auth_url    = "https://host_ip:5000/v3"
    #insecure   = true (uncomment & comment cacert_file + key line)
    cacert_file = "/terraform_dir/cacert.pem"
    #cert       = "/terraform_dir/cert.pem" (if needed)
    key         = "/terraform_dir/private.pem"
    region      = "microstack" (or regionOne)
}
To finish: terraform plan/apply

java.security.cert.CertificateException: No subject alternative DNS name matching xxx found

I'm using Spring WebClient to invoke a web service over SSL, but I'm getting java.security.cert.CertificateException: No subject alternative DNS name matching lizzad.int.octa.com found.
As far as I can see, this means that the certificate does not have the name lizzad.int.octa.com. This makes some sense because I have the service invocation working if I invoke another URL.
But I was told to change the URL and was assured that the certificate should be the same. Nevertheless it is not working, and the client asked me if I could bypass something in order to make this work in the test environment.
After researching a bit I found some code I thought could be helpful to configure WebClient.
TcpClient tcpClient = TcpClient.create().secure(sslContextSpec -> {
    // configure ssl
    SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
    sslContextBuilder
        .trustManager(InsecureTrustManagerFactory.INSTANCE);
    sslContextSpec.sslContext(sslContextBuilder)
        .defaultConfiguration(SslProvider.DefaultConfigurationType.NONE)
        .handshakeTimeoutMillis(30)
        .closeNotifyFlushTimeoutMillis(12000)
        .closeNotifyReadTimeoutMillis(12000)
        .handlerConfigurator(
            (handler) -> {
                SSLEngine engine = handler.engine();
                engine.setNeedClientAuth(true);
                SSLParameters params = new SSLParameters();
                List<SNIMatcher> matchers = new LinkedList<>();
                SNIMatcher matcher = new SNIMatcher(0) {
                    @Override
                    public boolean matches(SNIServerName serverName) {
                        return true;
                    }
                };
                matchers.add(matcher);
                params.setSNIMatchers(matchers);
                engine.setSSLParameters(params);
            }
        );
});
HttpClient httpClient = HttpClient.from(tcpClient);
return WebClient.builder()
    .defaultHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
    .defaultHeader(HttpHeaders.ACCEPT, MediaType.APPLICATION_OCTET_STREAM_VALUE)
    .clientConnector(new ReactorClientHttpConnector(httpClient)).build();
But it seems that the Matcher is not what will make the hostname be ignored.
On the other hand I also found here [https://stackoverflow.com/questions/43371418/java-security-cert-certificateexception-no-subject-alternative-dns-name-matchin][1]
new javax.net.ssl.HostnameVerifier() {
    public boolean verify(String hostname, javax.net.ssl.SSLSession sslSession) {
        return true;
    }
});
that if I was not using WebClient I could set a HostnameVerifier and return true in order to bypass the hostname verification.
Do you know if it is possible and how can I define a HostnameVerifier like this in my WebClient Configuration to prevent
java.security.cert.CertificateException: No subject alternative DNS name matching lizzad.int.octa.com
Thanks
I think this cannot be configured/ignored from the client side. You are trying to call the server on lizzad.int.octa.com and it is actually reaching it however the server is saying that it won't continue to talk with the client because lizzad.int.octa.com is not present within the SAN field of the server certificate.
This stackoverflow question/answer is similar to yours: Certificate for <localhost> doesn't match any of the subject alternative names
I would advise recreating the server certificate if possible. You just need to add lizzad.int.octa.com as a DNS entry in the SAN field. See below for an example with keytool:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -dname "CN=server,OU=some-organisation-unit,O=some-organisation,C=US" -ext "SAN:c=DNS:lizzad.int.octa.com,IP:127.0.0.1" -validity 3650 -keystore identity.jks -storepass secret -keypass secret -deststoretype pkcs12
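The check that produces the exception in the question, as an added example that is not code from the question, the answer or the Java runtime. A TLS client compares the host it connected to against the certificate's subjectAltName entries: dNSName entries for a host name (case-insensitive, trailing dot ignored, a "*" allowed only as the entire leftmost label and matching exactly one label), iPAddress entries for a literal IP. Java's checker consults the CommonName only when the certificate has no DNS SAN entries at all, which is why the fix in the answer is to reissue the certificate with the host in the SAN rather than anything on the client. The SAN lists below are constructed to mirror the keytool command in the answer.

```python
"""Server-name check behind "No subject alternative DNS name matching ... found".

Added example, not code from the question, the answer or Java.
"""
import ipaddress

# constructed: the SAN that the keytool command above would produce
SAN_FROM_ANSWER = [("DNS", "lizzad.int.octa.com"), ("IP", "127.0.0.1")]


def _dns_match(pattern, host):
    """Match one dNSName SAN entry (possibly '*.example') against a host name."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # the wildcard must be the whole leftmost label, at least two labels must
    # follow it, and it covers exactly one label (never a dot)
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(host, san_entries):
    """Return the SAN entry ('DNS:x' or 'IP:x') that covers host, or None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # a literal IP is only ever matched against iPAddress entries
        for kind, value in san_entries:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return f"IP:{value}"
        return None
    for kind, value in san_entries:
        if kind == "DNS" and _dns_match(value, host):
            return f"DNS:{value}"
    return None


def diagnose(host, san_entries):
    """Empty string when host is covered, else a message in the style of the Java error."""
    if match_hostname(host, san_entries):
        return ""
    try:
        ipaddress.ip_address(host)
        return f"No subject alternative names matching IP address {host} found"
    except ValueError:
        return f"No subject alternative DNS name matching {host} found"


if __name__ == "__main__":
    for host in ("lizzad.int.octa.com", "other.int.octa.com", "127.0.0.1", "10.0.0.1"):
        print(f"{host:>22}: {diagnose(host, SAN_FROM_ANSWER) or 'ok'}")
```

Because "*.int.octa.com" covers lizzad.int.octa.com but not a.lizzad.int.octa.com or int.octa.com, a wildcard certificate is not a substitute for listing every host name actually in use.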

What error currently exists in the ssl.cnf file or code that is leading to the following output in zsh?

Recently I was working on a project that utilized the Alexa AVS Sample App (the one written in java, and currently in maintenance mode: https://github.com/alexa/alexa-avs-sample-app/wiki/Mac#4---generating-self-signed-certificates) and when I was attempting to follow the given instruction:
Edit the ssl.cnf configuration file with your favorite text editor. Replace any placeholder values that start with YOUR_.
Note: countryName must be two characters (e.g. US). If it is not two characters, certificate creation will fail. Additionally, if you will be accessing your device from any IP or DNS entry besides localhost (127.0.0.1 or 10.0.2.2), you must add the additional IP or DNS entries to [alt_names]. One situation where you will need to add entries to [alt_names] is if you are going to authenticate using an Android or iOS companion app from a device instead of from the Android or iOS emulators on the same machine as the Node.js server and sample app.
I edited the file as said, and I'm not sure if I did it correctly, but here goes:
[req]
distinguished_name = req_distinguished_name
prompt = no
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = 10.0.2.2
[req_distinguished_name]
commonName = $ENV::COMMON_NAME # CN= Random
countryName = YOUR_COUNTRY_NAME # C= US
stateOrProvinceName = YOUR_STATE_OR_PROVINCE # ST= CA
localityName = YOUR_CITY # L= San Francisco
organizationName = YOUR_ORGANIZATION # O= VEor
organizationalUnitName = YOUR_ORGANIZATIONAL_UNIT # OU= VE
I also did previously replace the YOUR_ORGANIZATION and etc. with the country codes and etc. themselves, like the following:
[req]
distinguished_name = req_distinguished_name
prompt = no
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = 10.0.2.2
[req_distinguished_name]
commonName = $ENV::COMMON_NAME # CN= Random
countryName = US # C=
stateOrProvinceName = CA # ST=
localityName = San Francisco # L=
organizationName = VEor # O=
organizationalUnitName = VE
Yet, I still get this output:
❯ ./generate.sh
Generating RSA private key, 4096 bit long modulus
...........................++
.........................................................................................................................................................................................................................................++
e is 65537 (0x10001)
error on line 14 of ssl.cnf
140736175395720:error:0E065068:configuration file routines:STR_COPY:variable has no value:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/conf/conf_def.c:573:line 14
Generating RSA private key, 2048 bit long modulus
...........+++
........+++
e is 65537 (0x10001)
error on line 14 of ssl.cnf
140736175395720:error:0E065068:configuration file routines:STR_COPY:variable has no value:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/conf/conf_def.c:573:line 14
certs/client/client.csr: No such file or directory
Error opening input file certs/client/client.crt
certs/client/client.crt: No such file or directory
Generating RSA private key, 2048 bit long modulus
......................................................................................................................................+++
....+++
e is 65537 (0x10001)
error on line 14 of ssl.cnf
140736175395720:error:0E065068:configuration file routines:STR_COPY:variable has no value:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/conf/conf_def.c:573:line 14
certs/server/node.csr: No such file or directory
Generating RSA private key, 2048 bit long modulus
....+++
...................................+++
e is 65537 (0x10001)
error on line 14 of ssl.cnf
140736175395720:error:0E065068:configuration file routines:STR_COPY:variable has no value:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/conf/conf_def.c:573:line 14
error on line 14 of config file 'ssl.cnf'
Error opening input file certs/server/jetty.crt
certs/server/jetty.crt: No such file or directory
cp: certs/ca/ca.crt: No such file or directory
Error opening Certificate certs/ca/ca.crt
140736175395720:error:02001002:system library:fopen:No such file or directory:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/bio/bss_file.c:255:fopen('certs/ca/ca.crt', 'r')
140736175395720:error:20074002:BIO routines:FILE_CTRL:system lib:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/bio/bss_file.c:257:
unable to load certificate
cp: certs/ca/ca.der: No such file or directory
What should I do differently to ensure it works?
Please modify your openssl directory in generate.sh:
->/usr/local/opt/openssl/bin/openssl
https://github.com/alexa/alexa-avs-sample-app/issues/1004
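The "STR_COPY:variable has no value" line in the output above is what OpenSSL's (and LibreSSL's) config reader reports when a $var or $ENV::var reference in the file cannot be resolved; it expands every reference while loading, even in sections the command never uses. As an added example that is not code from the question, the answer, the sample app or OpenSSL, here is a scanner that reproduces that lookup order (the named section, the process environment for ENV, then the unnamed default section at the top of the file) and reports the line of each dead reference. The SAMPLE config is constructed for the demo; it reuses the $ENV::COMMON_NAME line from the question.

```python
"""Find ``$var`` / ``$ENV::var`` references in an OpenSSL config that have no value.

Added example, not code from the question, the answer or OpenSSL.
"""
import os
import re

# $name, ${name}, $(name), and section-qualified forms such as $ENV::NAME;
# a backslash-escaped '$' is not a reference
REF_RE = re.compile(
    r"(?<!\\)\$(?:\{([^}]*)\}|\(([^)]*)\)|([A-Za-z0-9_]+(?:::[A-Za-z0-9_]+)?))"
)

# constructed sample: one reference resolved through the default section,
# one that depends on the environment
SAMPLE = """\
dir = ./demoCA
[ ca ]
database = $dir/index.txt
[req]
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
commonName = $ENV::COMMON_NAME # CN= Random
countryName = US # C=
"""


def _strip_comment(line):
    """Drop a trailing '# ...' comment unless the '#' is quoted or escaped."""
    out, quote, i = [], None, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            out.append(line[i:i + 2])
            i += 2
            continue
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            break
        out.append(ch)
        i += 1
    return "".join(out)


def parse_cnf(text):
    """Parse into {section: {name: (raw_value, line_number)}}; entries before
    the first [section] header belong to 'default', as in OpenSSL."""
    sections = {"default": {}}
    current = "default"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            name, value = [part.strip() for part in line.split("=", 1)]
            sections[current][name] = (value, lineno)
    return sections


def _resolves(sections, environ, ref_section, ref_name):
    if ref_name in sections.get(ref_section, {}):
        return True
    if ref_section == "ENV" and ref_name in environ:
        return True
    return ref_name in sections["default"]


def unresolved_references(text, environ=None):
    """Return [(line_number, message)] for every reference that has no value."""
    environ = os.environ if environ is None else environ
    sections = parse_cnf(text)
    problems = []
    for section, entries in sections.items():
        for name, (value, lineno) in entries.items():
            for m in REF_RE.finditer(value):
                ref = next(g for g in m.groups() if g is not None)
                ref_section, _, ref_name = ref.rpartition("::")
                ref_section = ref_section or section   # unqualified: current section first
                if not _resolves(sections, environ, ref_section, ref_name):
                    problems.append((lineno, f"{section}.{name} refers to ${ref} which has no value"))
    return sorted(problems)


if __name__ == "__main__":
    for lineno, msg in unresolved_references(SAMPLE, environ={}):
        print(f"line {lineno}: {msg}")
    print("with COMMON_NAME set:", unresolved_references(SAMPLE, environ={"COMMON_NAME": "localhost"}))
```

Run against a real file with `unresolved_references(open("ssl.cnf").read())`; the line number it reports is the same one the "error on line N" message points at, and an empty result with the script's environment means the failure lies elsewhere (such as the openssl binary the script runs, as the answer above suggests).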

Python 'requests' [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

I have a problem verifying an HTTPS endpoint when providing a specific certificate path to the 'verify' option; setting 'verify' to True DOES work, however:
import requests

def run_tests():
    url = "https://www.google.com"
    certfilename = "google.crt"
    generate_cert_file(certfilename)
    response = requests.get(url, verify=False)
    print("URL:%s, Verify=False. Result: %s" % (url, response.status_code))
    response = requests.get(url, verify=True)
    print("URL:%s, Verify=True. Result: %s" % (url, response.status_code))
    response = requests.get(url, verify=certfilename)
    print("URL:%s, Verify=%s. Result: %s" % (url, certfilename, response.status_code))

def generate_cert_file(filename):
    # the PEM body is written out verbatim to the file named in run_tests()
    cert_text = '''\
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----\
'''
    with open(filename, "w") as output:
        output.write(cert_text)

if __name__ == '__main__':
    run_tests()
Am I doing something wrong here ? (I embedded the cert inline to make the code easier to run without having to provide a separate cert file)
I fetched 'requests' from the git repository; the newest version tag in the history is V2.7.0, and the latest commit is "46ff1a9a543cc4d33541aa64c94f50f0a698736e".
EDIT: I actually had the wrong certificate here (thanks Steffen Ullrich for pointing this out) : but I have now confirmed I have the correct cert/endpoint: and I get the same error.
I retrieved the cert like this:
openssl s_client -connect www.google.com:443
And just copied the cert details into the python program.
The issue is actually happening for my own in-house systems as well - using self-signed certs (which is my real use-case).
Alternatively : where does the 'verify=True' option actually look for trusted certs/CAs ? (On Java it would be 'cacerts' - not sure what the equivalent here is for Python/requests ?).
I'm on a Windows platform here.
You are using the certificate which is only valid for www.google.co.uk, but access www.google.com. Thus the certificate can not match at all. And I'm not sure if using the host certificate instead of an issuer certificate (i.e. root CA or intermediate CA) will work at all.
Can you try this:
from requests import Session, Request

s = Session()
req = Request('POST', 'https://www.google.com')
prepped = s.prepare_request(req)
resp = s.send(prepped, verify=False, cert=CERT_PATH)  # CERT_PATH is not defined in the answer
if resp.status_code == 200:
    ...
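To answer the question of where verify=True looks and what each form of the argument changes, here is an added example that is not code from the question, the answers or the requests project. It builds the equivalent ssl.SSLContext with the standard library only, so it runs without requests installed. Two points it makes concrete: verify=False switches off both chain validation and the host-name check, and a path passed as verify= becomes the only trust anchor, so that file must hold the issuing CA (root or intermediate), not the server's own leaf certificate as in the question. requests' cert= argument, used in the last answer, names a client certificate for mutual TLS and does not change which CAs the server's chain is validated against. The path in the demo at the bottom is a constructed placeholder.

```python
"""How a requests-style ``verify=`` value maps onto TLS verification settings.

Added example, not code from the question, the answers or requests.
"""
import os
import ssl


def default_bundle_path():
    """Where verify=True looks for trust roots: certifi's bundle if installed
    (requests depends on it), else OpenSSL's compiled-in default locations."""
    try:
        import certifi  # optional package, not part of the standard library
        return certifi.where()
    except ImportError:
        paths = ssl.get_default_verify_paths()
        return paths.cafile or paths.capath or paths.openssl_cafile


def trust_settings(verify):
    """Return the verification settings implied by verify= (False, True, or a path).

    'trust_source' is the only place the server chain can be anchored, so a
    path argument must contain the issuing CA, not the server's leaf cert.
    """
    if verify is False:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE     # chain is not validated at all
        source = None
    elif verify is True:
        source = default_bundle_path()
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check
        if source and os.path.isfile(source):
            ctx.load_verify_locations(cafile=source)
        elif source and os.path.isdir(source):
            ctx.load_verify_locations(capath=source)
        else:
            ctx.load_default_certs()
    elif isinstance(verify, str):
        if not os.path.exists(verify):
            return {"error": f"no such bundle: {verify}"}
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        if os.path.isdir(verify):
            ctx.load_verify_locations(capath=verify)   # hashed-name directory
        else:
            ctx.load_verify_locations(cafile=verify)   # PEM bundle of CA certs
        source = verify
    else:
        raise TypeError("verify must be a bool or a path")
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "trust_source": source,
    }


if __name__ == "__main__":
    for value in (False, True, "/path/to/placeholder-ca-bundle.pem"):
        print(repr(value), "->", trust_settings(value))
```

If the bundle file exists but holds only the server's leaf certificate, load_verify_locations succeeds and the failure shows up later as CERTIFICATE_VERIFY_FAILED during the handshake, which matches the symptom in the question; exporting the issuer certificate with `openssl s_client -showcerts` and saving the CA entry from the chain is the usual remedy for in-house CAs.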