Converting from cert8.db to PEM - ssl-certificate

I have a cert8.db in the /home/hari/Desktop/certs directory. Now I want to convert this into PEM. I tried to do this by first trying to export the cert8.db in pkcs12 to pem using pk12util
pk12util -o cert.pem -n cert8.db -d /home/hari/Desktop/certs
However this throws an error
pk12util: function failed: security library: bad database.
I have no idea what's going wrong here. Please help me out with it. Also any suggestions on alternative ways of doing this would also be greatly appreciated. Thanks a lot in advance.

You probably have figured it out by now, that the file belongs to Mozilla Firefox 4.x - security database. On Windows 7 Pro this is stored on the system root for some odd reason, that causes my security software to go nuts...
Then again, you might not have Firefox installed in your env.

Related

<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)>

I did a manual installation of Python 3.7.5 on Debian 8. When I run the script I get this error:
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)>
I saw several questions here on Stack Overflow, mostly regarding macOS. In my case this error is on Linux.
I had the same issue. Here is what I found helped my problem.
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
Please see here for the original answer from markroxor. Hope it will help your problem as well.
I had
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)>
With python3 3.9.2-3, and other python related packages with the same, or similar, version. On Debian GNU/Linux 11 (Bullseye).
At first, using the suggested
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
managed to solve the problem. Though I do not know if, and which, downsides, or other side effects, this solution has.
Afterwards, I noticed the /etc/ssl/certs/ folder is empty. Installing the ca-certificates package fills in this folder, which seems to be another solution, in which those 2 python ssl lines are not required. You can see here the detailed list of files the ca-certificates package installed. This article, from 2015, with a last comment from 2017, discusses the location of ca-certificates in various OSs/distributions. I think the ca-certificates package is rather basic, and is usually installed as part of the initial installation of the machine. I do not know how it was missing from that particular machine.
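An added example, not part of any answer in this thread: a diagnostic for the situation described above, where /etc/ssl/certs/ turned out to be empty. It checks whether the CA file and CA directory that Python's ssl module points at contain anything, and shows which settings the `ssl._create_unverified_context` workaround switches off; the function names are illustrative.

```python
import os
import ssl


def ca_source_report(cafile, capath):
    """Check whether a CA bundle file and a CA directory hold any data."""
    cafile_usable = bool(
        cafile and os.path.isfile(cafile) and os.path.getsize(cafile) > 0
    )
    capath_entries = 0
    if capath and os.path.isdir(capath):
        capath_entries = sum(
            1 for name in os.listdir(capath) if not name.startswith(".")
        )
    return {"cafile_usable": cafile_usable, "capath_entries": capath_entries}


def diagnose(cafile, capath):
    """Return 'empty-trust-store' when neither CA source has content."""
    report = ca_source_report(cafile, capath)
    if not report["cafile_usable"] and report["capath_entries"] == 0:
        return "empty-trust-store"
    return "ok"


def context_settings(ctx):
    """Summarise the two settings that decide whether a peer is verified."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname}


def compare_contexts():
    """Settings of the default context vs. the unverified workaround."""
    verified = ssl.create_default_context()
    unverified = ssl._create_unverified_context()
    return context_settings(verified), context_settings(unverified)


if __name__ == "__main__":
    # OpenSSL's compiled-in default locations for the CA file and directory.
    paths = ssl.get_default_verify_paths()
    print("cafile:", paths.openssl_cafile)
    print("capath:", paths.openssl_capath)
    print("status:", diagnose(paths.openssl_cafile, paths.openssl_capath))
    for label, settings in zip(("default", "unverified"), compare_contexts()):
        print(label, settings)
```

A status of `empty-trust-store` corresponds to the missing ca-certificates case; the unverified context reports `CERT_NONE` with hostname checking off, meaning any certificate from any host is accepted.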
What worked for my MacOs:
Open the finder
Find the version of Python that you are using
Open its folder
Click on the "Install Certificates.command". It will open a terminal and install the certificate.
In my case (Dell computer), the SSL problem was caused by Dell software itself, as reported here. In that case, according to this answer to another question in the SE network, you can solve the problem by running the following command:
sudo cp /usr/lib/x86_64-linux-gnu/libcrypto.so.3 /opt/dell/dcc/libcrypto.so.3
And then, run this:
sudo update-ca-certificates --fresh
It worked for me on a Dell Latitude 7310, LinuxMint21. November 2022.
THIS IS NOT A SOLUTION:
I have encountered that several times. Note, however, that I'm using Windows, but I would assume that generally the resolving methods should be the same in principle for Mac/Linux.
What I used to do is to force it to not verify the certificate by using the below:
conda config --set ssl_verify false
Note that this is not a solution to the issue; it's just a way to make the code run temporarily, or, if you're trying to download a library, it should do the trick until you download it. Note that what is suggested here is not usually recommended; if you do it, then after running your code or downloading your library, remember to turn it back on using the below:
conda config --set ssl_verify true
If this happened after you installed a python version manually, inside the python app folder, double click on the "Install Certificates.command" file and it should fix it.

Setting up SSHv1 on a server

I know SSHv1 is super insecure, however I need to set it up on a server for some testing. Trying to find an older version of openSSH was a hard task in itself, but now trying to set it up is impossible.
I'm trying to use openSSH 2.1.1 and openSSL 1.0.1.
From what I can tell, openSSL installs fine, however I run into issues with openSSH.
My configure (./configure --prefix=/usr --sysconfdir=/etc) works fine, however I run into issues when I try to make.
The error I'm getting is: authfd.c:354:41: error: dereferencing pointer to incomplete type ‘RSA {aka struct rsa_st}’ buffer_put_int(&buffer, BN_num_bits(key->n));
I've tried looking around, and have even started looking in some of the openSSL files, I think everything is coded correctly.
My guess is that these errors have something to do with trying to compile old versions of ssl and ssh with an up to date version of gcc
Has anyone managed to set up a server to use SSHv1, or at least have any ideas on how to solve this dereferencing error?
From the error you see, it looks like you are using OpenSSL 1.1.0, which made RSA structures opaque and is therefore not compatible. Things to resolve:
Download older OpenSSL (1.0.2 should do that) and build this one
Configure with --with-ssh1 switch to enable SSH1 support

Unable to solve this error: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112) -- any ideas on what to try?

This error arose while I was trying to deploy to AWS. It turns out this is an issue on my machine that others are not experiencing.
jkazil#jlk:~/Projects/code/geoq-chef-repo [git master] $ vagrant up --provider=aws
Bringing machine 'default' up with 'aws' provider...
[default] Box 'ubuntu_aws' was not found. Fetching box from specified URL for
the provider 'aws'. Note that if the URL does not have
a box for this provider, you should interrupt Vagrant now and add
the box yourself. Otherwise Vagrant will attempt to download the
full box prior to discovering this error.
Downloading or copying the box...
An error occurred while executing multiple actions in parallel.
Any errors that occurred are shown below.
An error occurred while executing the action on the 'default'
machine. Please handle this error then try again:
An error occurred while downloading the remote file. The error
message, if any, is reproduced below. Please fix this error and try
again.
error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
jlk:~/Projects/code/geoq-chef-repo [git master] $
I found a couple of things on the internets that said I should look at my version of openssl. At first, it was 0.9.8, but I had 1.0.1f in homebrew. So I found this: Update OpenSSL on OS X with Homebrew and followed it. And I was able to update OpenSSL.
jkazil#jlk:~/Projects/code/geoq-chef-repo [git master] $ openssl version
OpenSSL 1.0.1f 6 Jan 2014
jlk:~/Projects/code/geoq-chef-repo [git master] $
But that didn't fix the issue. Just to clarify, this is not an AWS issue, but a me issue. Here is me trying to pull a machine down locally. I am using the insecure flag to try to push it through, but it didn't work with or without.
jkazil#jlk:~/Projects/code/geoq-chef-repo [git master] $ vagrant box add dummy https://github.com/mitchellh/vagrant-aws/raw/master/dummy.box --insecure
Downloading or copying the box...
An error occurred while downloading the remote file. The error
message, if any, is reproduced below. Please fix this error and try
again.
error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
jlk:~/Projects/code/geoq-chef-repo [git master] $
Lastly, I wanted to share my PATH, just in case someone had that question.
jlk:~/Projects/code/geoq-chef-repo [git master] $ echo $PATH
/usr/local/Cellar/ruby/2.0.0-p247/bin:/Users/jkazil/bin:/usr/local/bin:/usr/local/sbin:/usr/local/mysql/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
jlk:~/Projects/code/geoq-chef-repo [git master] $
Any suggestions?
This is going to be a sad answer, but the resolution to this was to update to 10.9. Then the problem went away. I know that this is not the answer that people want to hear, but I thought I would try after banging my head against the wall for a while.
Thank you everyone for your help!
P.S. VAGRANT_LOG=info was also a help in getting set up.
I found a couple of things on the internets that said I should look at my version
of openssl. At first, it was 0.9.8, but I had 1.0.1f in homebrew. So I found this:
OpenSSL Version MacOSX Homebrew and followed it. And I was able to update OpenSSL.
Mac OS X will do as much as it can to load 0.9.8 in /usr/lib:
$ find /usr/ -iname libssl*
/usr//lib/libssl.0.9.7.dylib
/usr//lib/libssl.0.9.8.dylib
/usr//lib/libssl.dylib
You will need to ensure you are loading the expected version of OpenSSL. If you can get it under gdb, issue info shared and see what version of OpenSSL actually loaded.
A few things about OS X and its linker: (1) it ignores rpaths; (2) it ignores requests like -Bstatic; (3) more generally, it always links to the shared object if available (even on iOS where the only thing you are supposed to use is an archive); (4) LD_PRELOAD is not honored.
You might have some luck with using DYLD_LIBRARY_PATH.
If you can't get OS X to use 1.0.1f, then you will have to re-build the components in question. But instead of specifying -L/usr/local/ssl -lssl -lcrypto, you will need to omit the flags and specify the full archive like /usr/local/ssl/lib/libssl.a (without the -l).
Don't buy into the claims you don't have to do these things on OS X (claims like "use -L and -lssl because that's what you're supposed to use"). I suffered them for years on Apple's gear, and I know for certain it does not work (and the people making the claims apparently don't use OS X). OS X is a real bastard at times.
One cause for this error could be an old version of OpenSSL trying to connect to a server which uses HTTPS with SNI:
http://sourceforge.net/p/curl/bugs/1037/?limit=10&page=1#aa7f
Try setting the log level higher (e.g. VAGRANT_LOG=debug vagrant up – see the Vagrant debugging guide) to see the URL in question and test it by hand using curl to confirm the failure.

SignTool internal error when trying to repackage an APPX package?

I'm analyzing existing Windows Store applications and modifying them to make sure my company's obfuscator works with them.
I've run into a bit of a problem doing that though. I can grab an APPX package from the store easily enough (requires Fiddler to get the URL). I can then just use any unzip program to extract the appx to a folder. I can then take the assemblies in the APPX and modify the IL a bit. I then remake and sign the package:
makeappx pack /d "mypackage" /p "mypackage.appx"
signtool sign /fd sha256 /f temporarykey.pfx mypackage.appx
I then get an error with signtool though:
SignTool Error: An unexpected internal error has occured
Error information: "Error: SignerSign() failed." (-2147024885/0x800700b)
And then of course get an error when trying to install it with the standard powerscript file created by Visual Studio for installing/sideloading any APPX package.
Found package: C:\....mypackage.appx
Error: The package is not digitally signed or its signature is corrupted
I've used this exact process for packages generated from Visual Studio. Are temporary keys tied to a particular package or something? What am I missing? Is this a bug in signtool?
Apparently, you can't just take any temporary key and sign the APPX with it. In particular, the certificate subject lines must match (the "publisher name"). I do not know of a better way of determining what the subject line must actually be. First, try to use signtool and sign the APPX file with any temporary key. Now go to Event Viewer. Then to Applications and Services and then Microsoft and then Windows and then AppxPackaging and finally Microsoft-Windows-AppxPackages/Operational. There should be an error event that just happened from that build. Check it. It should say something like
Error 0x800700B: The app manifest publisher name (CN=random-hex-number) must match the subject name of the signing certificate (CN=MyWrongName)
So, now make sure to hang on to that random-hex-number. That needs to be the subject line of the certificate and is the cause of the error. To generate a working certificate:
makecert.exe mycert.cer -r -n "CN=random-hex-number" -$ individual -sv private.pkv -pe -cy end
pvk2pfx -pvk private.pkv -spc mycert.cer -pfx mytemporarykey.pfx
Now finally, you should have a temporary key that will work with signtool!
Hopefully this answer serves other people well.
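An added example, not the answerer's code: the publisher name that the Event Viewer message reports is the Publisher attribute of the Identity element in the package's AppxManifest.xml, so it can be read from the APPX (a ZIP container) before signing. The sample package, its publisher value, the function names and the exact string comparison used here are constructed for illustration; the certificate subject is passed in as a string.

```python
import io
import zipfile
import xml.etree.ElementTree as ET


def manifest_publisher(appx):
    """Return Identity/@Publisher from AppxManifest.xml inside an APPX."""
    with zipfile.ZipFile(appx) as pkg:
        root = ET.fromstring(pkg.read("AppxManifest.xml"))
    for elem in root.iter():
        # Compare the local name only, so any manifest namespace is accepted.
        if elem.tag.rsplit("}", 1)[-1] == "Identity":
            return elem.get("Publisher")
    raise ValueError("AppxManifest.xml has no Identity element")


def subject_matches(appx, cert_subject):
    """Compare the manifest publisher with a signing certificate subject."""
    publisher = manifest_publisher(appx)
    return publisher == cert_subject, publisher


def build_sample_appx(publisher):
    """Constructed, minimal stand-in for an APPX: a ZIP holding one manifest."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">'
        f'<Identity Name="Sample.App" Publisher="{publisher}" Version="1.0.0.0"/>'
        "</Package>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("AppxManifest.xml", manifest)
    return buf


if __name__ == "__main__":
    sample = build_sample_appx("CN=0123ABCD-CONSTRUCTED")
    ok, publisher = subject_matches(sample, "CN=MyWrongName")
    print("manifest publisher:", publisher)
    print("certificate subject matches:", ok)
```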

Problems running paster shell example.ini in Ubuntu while trying to install reddit

When I try to run paster shell example.ini, I run into:
connection failure: TLEngine(postgres://reddit/password#127.0.0.1/reddit)
followed by a laundry list of traceback.
At the end, I get:
FATAL: password authentication failed for user "reddit"
Would anyone be able to help me resolve this issue? Any help is much appreciated. Thanks!
The Reddit Setup Guide seems to be out of date or something. I had the exact same problem as you on two different machines.
Here's how I overcame it:
$ sudo su - postgres
$ psql reddit
reddit=# CREATE USER reddit WITH PASSWORD 'password';
I looked in the example.ini file and reddit/password was the default username/password for the DB. At this point, if you re-run your command (paster shell example.ini), it should complete successfully.
Fair warning, there are more problems with this setup after you get past this point, but I haven't yet conquered those myself.
Best of luck, friend!