Creating a security exception for a self-signed certificate - ssl

I have a Debian box that I would like to talk to a remote server over SSL. The remote server has a self-signed certificate. How can I instruct my local machine to create a permanent security exception for the remote machine?
Note: I need a command line method for this

The method I found for doing this is based on material at http://www.madboa.com/geek/openssl/
Step 1: get the cert
use the get-cert.sh script
#!/bin/sh
#
# usage: retrieve-cert.sh remote.host.name [port]
#
REMHOST=$1
REMPORT=${2:-443}
echo |\
openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
get the certificate file and save it in /usr/lib/ssl/certs with a .pem extension
Step 2: generate a hash for the cert
#!/bin/sh
#
# usage: certlink.sh filename [filename ...]
for CERTFILE in "$@"; do
    # make sure file exists and is a valid cert
    test -f "$CERTFILE" || continue
    HASH=$(openssl x509 -noout -hash -in "$CERTFILE")
    test -n "$HASH" || continue
    # use lowest available iterator for symlink
    for ITER in 0 1 2 3 4 5 6 7 8 9; do
        test -f "${HASH}.${ITER}" && continue
        ln -s "$CERTFILE" "${HASH}.${ITER}"
        test -L "${HASH}.${ITER}" && break
    done
done
run the certlink.sh script on the file you downloaded in step 1 and then you are done.
The location of the cert files may vary with your operating system.
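As an added example (not part of the answer above or of the madboa.com material), this Go program shows what the symlink in the certs directory achieves at the application level: a client trusts exactly one self-signed certificate, for exactly one host, and nothing else. The certificate is generated in memory as constructed test data in place of the PEM that retrieve-cert.sh would fetch; the host name remote.example.com and all function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedPEM builds a throw-away self-signed server certificate for host
// and returns it PEM-encoded, the same shape retrieve-cert.sh prints after its
// sed filter. Constructed test data: a deployment would use the PEM fetched
// from the remote server instead.
func newSelfSignedPEM(host string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // modern verifiers match SANs, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// parsePEMCert decodes the first CERTIFICATE block in pemData. pem.Decode skips
// anything before the BEGIN line, so raw s_client output also works here.
func parsePEMCert(pemData []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// fingerprint returns the SHA-256 fingerprint of the DER certificate, the value
// to compare with the server operator out of band before recording an exception.
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// verifyWithException validates cert for host against a trust store holding
// only the certificates in trusted, instead of the system roots. Passing no
// trusted certificates models a client without the exception.
func verifyWithException(cert *x509.Certificate, host string, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, t := range trusted {
		pool.AddCert(t)
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err
}

func main() {
	pemData, err := newSelfSignedPEM("remote.example.com")
	if err != nil {
		panic(err)
	}
	cert, err := parsePEMCert(pemData)
	if err != nil {
		panic(err)
	}
	fmt.Println("sha256 fingerprint:", fingerprint(cert))
	fmt.Println("without exception:", verifyWithException(cert, "remote.example.com"))
	fmt.Println("with exception:   ", verifyWithException(cert, "remote.example.com", cert))
	fmt.Println("wrong host:       ", verifyWithException(cert, "other.example.com", cert))
}
```

The exception is scoped by both the exact certificate and the host name: the same certificate presented under another name still fails, which is the behaviour you want from a "permanent" exception recorded for one remote machine.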

Can you not just add the remote server and its key to the list of known hosts?

How to renew kubernetes ssl certs

I'm using kubeadm to build a k8s cluster and the default ssl certs will be valid for 1 year.
I plan to use cfssl or openssl to generate new certs with 10 years of use.
Could anyone please help me.
Thanks all
You can generate certs using cfssl or openssl, store them in a directory and specify that directory to kubeadm init; kubeadm will then not generate certs and will use the provided ones.
kubeadm init --cert-dir
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#custom-certificates
Kubeadm also provides a cert renew mechanism for renewing certs for 1 year.
kubeadm alpha certs renew
Since you have a running cluster which signs certs with 1 year of validity, you can change this flag of the kube controller manager (the default duration of signed certs) to sign certs for 10 years.
--experimental-cluster-signing-duration duration Default: 8760h0m0s
Once this is done you can use the guide below to sign certs valid for 10 years.
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#renew-certificates-with-the-kubernetes-certificates-api
To renew Kubernetes certs for 10 years (not recommended).
Check certs expiration
kubeadm alpha certs check-expiration --config="/etc/kubernetes/kubeadm-config.yaml"
Back up the existing Kubernetes certificates
mkdir -p $HOME/fcik8s-old-certs/pki
/bin/cp -p /etc/kubernetes/pki/*.* $HOME/fcik8s-old-certs/pki
Back up the existing configuration files
/bin/cp -p /etc/kubernetes/*.conf $HOME/fcik8s-old-certs
Back up your home configuration
mkdir -p $HOME/fcik8s-old-certs/.kube
/bin/cp -p ~/.kube/config $HOME/fcik8s-old-certs/.kube/.
Add --cluster-signing-duration flag (--experimental-cluster-signing-duration prior to 1.19) for kube-controller-manager
Edit /etc/kubernetes/manifests/kube-controller-manager.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-controller-manager
    tier: control-plane
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
    ...
    - --experimental-cluster-signing-duration=87600h
    ...
...
87600h ~ 10 years
Renew all certs
kubeadm alpha certs renew all --config /etc/kubernetes/kubeadm-config.yaml --use-api
Approve the cert request
kubectl get csr
kubectl certificate approve <cert_request>
Update the kubeconfig file
kubeadm init phase kubeconfig all --config /etc/kubernetes/kubeadm-config.yaml
Overwrite the original admin file with the newly generated admin configuration file
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
Restart components
docker restart $(docker ps | grep etcd | awk '{ print $1 }')
docker restart $(docker ps | grep kube-apiserver | awk '{ print $1 }')
docker restart $(docker ps | grep kube-scheduler | awk '{ print $1 }')
docker restart $(docker ps | grep kube-controller | awk '{ print $1 }')
systemctl daemon-reload && systemctl restart kubelet
Check api-server cert expiration
echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate
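An added check (example code, not from the answer above or from kubeadm) that scripts what the last step does by hand: it parses the notAfter= line that openssl x509 -enddate prints, works out how many days of validity remain, and converts a --cluster-signing-duration value such as 87600h into years so the number can be sanity-checked before the manifest is edited. It is written in Go because Kubernetes itself is; the sample notAfter line and all function names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// openSSLEndDateLayout is the notAfter= format printed by
// "openssl x509 -noout -enddate", e.g. "Jun  3 09:15:42 2025 GMT".
// "_2" accepts the space-padded single-digit day that openssl emits.
const openSSLEndDateLayout = "Jan _2 15:04:05 2006 MST"

// parseEndDate extracts the expiry time from one "notAfter=..." line.
func parseEndDate(line string) (time.Time, error) {
	line = strings.TrimSpace(line)
	if !strings.HasPrefix(line, "notAfter=") {
		return time.Time{}, fmt.Errorf("not an enddate line: %q", line)
	}
	return time.Parse(openSSLEndDateLayout, strings.TrimPrefix(line, "notAfter="))
}

// daysLeft returns the whole days of validity remaining at now; negative
// values mean the certificate has already expired.
func daysLeft(notAfter, now time.Time) int {
	return int(notAfter.Sub(now).Hours() / 24)
}

// needsRenewal reports whether fewer than warnDays of validity remain, the
// condition an alert on the api-server certificate should fire on.
func needsRenewal(notAfter, now time.Time, warnDays int) bool {
	return daysLeft(notAfter, now) < warnDays
}

// signingDurationYears converts a --cluster-signing-duration value such as
// "87600h" into 365-day years, so the value can be checked before the
// kube-controller-manager manifest is edited.
func signingDurationYears(flag string) (float64, error) {
	d, err := time.ParseDuration(flag)
	if err != nil {
		return 0, err
	}
	return d.Hours() / (365 * 24), nil
}

func main() {
	// Constructed sample output of the openssl command above; not from a real cluster.
	sample := "notAfter=Jun  3 09:15:42 2025 GMT"
	notAfter, err := parseEndDate(sample)
	if err != nil {
		panic(err)
	}
	now := time.Date(2025, time.May, 10, 12, 0, 0, 0, time.UTC)
	fmt.Printf("days left: %d, renew now: %v\n", daysLeft(notAfter, now), needsRenewal(notAfter, now, 30))
	years, _ := signingDurationYears("87600h")
	fmt.Printf("87600h = %.1f years\n", years)
}
```

Run it against the real output by piping the openssl line into parseEndDate; the 30-day threshold in main is a common alerting window, not a kubeadm default.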

wkhtmltopdf with ssl certificate

---- Introduction ----
I was getting issues such as 'Warning : SSL Errors' while running the following command :
wkhtmltopdf -B 0 -L 0 -R 0 -T 0 --javascript-delay 1000 --no-stop-slow-scripts --debug-javascript test.html output.pdf
Note that the above test.html runs some javascript over ssl / reverse proxy. Hence the SSL Errors..
---- Command CURL, Testing Phase ----
CURL command to test my certificate (without certificate) :
curl https://prod
Output :
curl: (60) SSL certificate problem: self signed certificate
CURL command to test my certificate (with certificate) :
curl https://prod --cacert cert.crt
Output :
<MY INDEX PAGE>
Takeaway : Now I know the issue I have is to do with my remote machine's certificate being self-signed, I should be able to run my wkhtmltopdf command (assuming I can pass my certificate as an argument).
---- Tool WKHTML, Implementation Phase ----
The current build version I use is 0.12.4 (official release). It does not include ssl certificates support, so from there I have 2 options :
option 1 : I wait until an official version gets released (0.12.5), and have tweeted this : https://twitter.com/DeepCashkette/status/889491206673223681+
option 2 : I use a version that is more recent and potentially unstable (wkhtmltopdf 0.13.0-alpha-7b36694).
I've opted for option 2, and downloaded wkhtmltox-0.13.0-alpha-7b36694_linux-precise-i386.deb and installed xvfb (required for alpha versions of wkhtmlX). Procedure here : wkhtmltopdf: cannot connect to X server
I end up with this script "wkhtmltopdf.sh":
xvfb-run -a -s "-screen 0 640x480x16" wkhtmltopdf --ssl-crt-path cert.crt "$@"
However it still outputs : Unknown long argument --ssl-crt-path, and I cannot proceed to the (pdf) conversion.
Let me know should you need more technical details, Thanks!
First of all, I see no question.
Your test and implementation phases are inconsistent:
curl --cacert is for the server CA certificate
wkhtmltopdf --ssl-crt-path is for a client certificate
wkhtmltopdf ignores self-signed certificates since v0.3, so except for a warning you don't need to pass any parameter in order to make wkhtmltopdf generate a pdf from your host.

How to install Zimbra certification?

I have this error when I want to install a commercial SSL certificate in Zimbra
Your certificate was not installed due to the error : system failure:
exception executing command: zmcertmgr verifycrtkey comm
/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key
/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt with
{RemoteManager: mail.mydomain.com->zimbra@mail.mydomain.com:22}
Use the script below for SSL install in Zimbra.
#!/bin/bash -x
# SSL certificate installation in Zimbra
# with SSL certificate provided by Let's Encrypt (letsencrypt.org)
# Author: Subhash (serverkaka.com)
# Check if running as root
if [ "$(id -u)" != "0" ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi
read -p 'letsencrypt_email [xx@xx.xx]: ' letsencrypt_email
read -p 'mail_server_url [xx.xx.xx]: ' mail_server_url
# Check that all variables have a value
if [ -z "$mail_server_url" ] || [ -z "$letsencrypt_email" ]
then
    echo "Run the script again and insert all values. Do not miss any value."
else
    # Installation start
    # Stop the jetty or nginx service at Zimbra level
    su - zimbra -c 'zmproxyctl stop'
    su - zimbra -c 'zmmailboxdctl stop'
    # Install git and letsencrypt
    cd /opt/
    apt-get install git
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    # Get SSL certificate
    ./letsencrypt-auto certonly --standalone --non-interactive --agree-tos --email "$letsencrypt_email" -d "$mail_server_url" --hsts
    cd "/etc/letsencrypt/live/$mail_server_url"
    # Append a CA certificate to chain.pem (the certificate body is omitted on this page)
    cat <<EOF >>chain.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF
    # Verify commercial certificate
    mkdir /opt/zimbra/ssl/letsencrypt
    cp "/etc/letsencrypt/live/$mail_server_url/"* /opt/zimbra/ssl/letsencrypt/
    chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
    ls -la /opt/zimbra/ssl/letsencrypt/
    su - zimbra -c 'cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem'
    # Deploy the new Let's Encrypt SSL certificate
    cp -a /opt/zimbra/ssl/zimbra "/opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")"
    cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
    chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
    su - zimbra -c 'cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem'
    # Restart Zimbra
    su - zimbra -c 'zmcontrol restart'
    # Set up the automatic https redirect
    cd /opt && touch https-redirect.sh && chown zimbra:zimbra https-redirect.sh && chmod +x https-redirect.sh
    cat <<EOF >>/opt/https-redirect.sh
zmprov ms $mail_server_url zimbraReverseProxyMailMode redirect
EOF
    su - zimbra -c '/opt/https-redirect.sh'
    rm /opt/https-redirect.sh
fi
For more reference check this link: https://github.com/SubhashPatel/Install-Zimbra-mail-server-ubuntu/blob/master/configure-ssl-zimbra.sh
You should try using the CLI to install the SSL certificate for Zimbra. Also you need to verify that you have the same certificate which you downloaded from the certificate authority.
For commercial.crt you need to copy the one certificate downloaded from the authority. For commercial_ca.crt, there must be one CA bundle file, which you will have from the certificate authority.
For the private key, you need to verify it while generating your CSR and also verify it with the hosting. After that restart Zimbra with the command
zmcontrol restart
Finally I found the solution.
You shouldn't fill in the Subject Alternative Name when you want to create the CSR!
That's all.
Every other year I spend hours on renewing the SSL certificates on Zimbra with the help of hopelessly outdated tutorials. A tedious process that I don't do often enough to remember how I did it. I learned the hard way that it is easier to use the admin console than using the CLI and messing around with concatenating the different certificates.
Hereby the steps that I take:
Please note that this is a walkthrough, dedicated to the
GoGetSSL Sectigo PositiveSSL Wildcard certificate, and may not work for other SSL providers.
Zimbra version: 8.8.15
We use the wildcard certificate on several servers, but we generate the CSR always(!) on the zimbra server. So go to admin console > Configure > Certificates, click the domain in the list and then in top right corner, choose install certificate. Choose the generate CSR option (second of the 3 options). Make sure that in the common name field you use the wildcard symbol: e.g.
*.example.com
Also check the checkbox that it concerns a wildcard common name
Fill out the rest of the info according to your situation. At the bottom, there's option to add other names; remove all of them (if any). Go to next page and download the CSR, finish the wizard.
On the GoGetSSL page create the new/renew the SSL certificate with the CSR generated by Zimbra. Finish up the entire process, including the validation, all the way up to the certificate being issued and the files being available for download. Choose to download the 'All files' zip file and extract it on your local system.
browse to: https://www.gogetssl.com/wiki/intermediate-certificates/sectigo-intermediate-root-certificates/
On this page download the file: DV RSA Files > RSA DV Bundle with SHA-1 (TXT file)
go back to admin console > Configure > Certificates, click the domain in the list and then in top right corner, choose install certificate. This time you choose the 3rd option: install commercial signed certificate. First screen of the wizard shows the info you entered earlier for the CSR. The info may show up empty. For me this didn't give me any problems, so I left it. On the next screen: You have to upload 3 certificate files by default, but we need to upload 4, so we need to do Add Intermediate CA for the fourth file.
Choose files as follows:
Certificate: server certificate from the zip file: e.g. _example.com.crt
Root CA: RSA DV Bundle with SHA-1 (TXT file), from the link above
Intermediate CA: USERTrust_RSA_Certification_Authority.crt from zip file
(Added) Intermediate CA: AAA_Certificate_Services.crt
NOTE: I can't remember which Intermediate CA I chose first, so if any problems, try switching the last 2 mentioned files around.
Finish the wizard and test by sending and receiving email.
Then I take the certificates and update other servers with these certificates. (e.g. nginx, apache2, etc). Note: you may need to get the commercial.key file for use on other servers. On linux this file is located in: /opt/zimbra/ssl/zimbra/commercial/
If permission denied, you may use root account or do: sudo su - zimbra
I hope this helps for people struggling with the same certificate and zimbra

How do I get docker cloud (formerly tutum) and haproxy to use SSL?

I just purchased an SSL Certificate. It came with 1 server certificate, 1 intermediate certificate and 1 root certificate.
I have my *.csr file and *.key used to create the certificates.
I am using Tutum with HAProxy and there is a SSL_CERT environment variable. I read the documentation but could not get it to work properly. How do I set this SSL_CERT environment variable?
I am the maintainer of the tutum/haproxy image. To use SSL_CERT, you need a file containing both your public certificate(your.crt) and private key(your.key). You can do as follows:
cp your.key cert.pem
cat your.crt >> cert.pem
Then, you can run:
awk 1 ORS='\\n' ~/cert.pem
Copy the output to SSL_CERT
Done

FreeIPA request certificate with cname

A while ago I was wondering how I could create an SSL certificate for a cname. This came up as we always use generic A records for our virtual machines. Services running on those virtual machines should be accessed by users by their service name over SSL. We use FreeIPA as our Certificate Authority.
Sometimes you search for an answer for ages, and find the answer on multiple websites which are not very clear. I will explain my answer by means of an example to show the differences in requesting a certificate from FreeIPA with a cname and without a cname.
We make an imaginary virtual machine with an A record being abc955-xy.example.com. On this machine we will run postgres. So, for convenience, the cname will be postgresql.example.com. First we create a certificate for abc955-xy.example.com, which is only valid for the fqdn. Second, we create a certificate for the cname, which is also valid for the fqdn.
Certificate without a cname
# Generate a private key
openssl genrsa -out abc955-xy.example.com.key 4096
# Add the host to FreeIPA
ipa host-add abc955-xy.example.com --force
# Create a host principal for the service HTTP
ipa service-add HTTP/abc955-xy.example.com
# Add the host principal to the host
ipa service-add-host HTTP/abc955-xy.example.com --host abc955-xy.example.com
# Request a certificate for the host, using the principal and private key
ipa-getcert request -r -f abc955-xy.example.com.crt -k abc955-xy.example.com.key \
-K HTTP/abc955-xy.example.com -D abc955-xy.example.com
Certificate including a cname
# Generate a private key
openssl genrsa -out postgresql.example.com.key 4096
# Add the host to FreeIPA, using the cname
ipa host-add postgresql.example.com --force
# Create a host principal for the service HTTP
ipa service-add HTTP/abc955-xy.example.com
# Create a principal for the service HTTP with the cname
ipa service-add HTTP/postgresql.example.com --force
# Add the cname principal to the host
ipa service-add-host HTTP/postgresql.example.com --host abc955-xy.example.com
# Request a certificate for the host, using the principal and private key and cname
ipa-getcert request -r -f postgresql.example.com.crt -k postgresql.example.com.key \
-K HTTP/postgresql.example.com -D postgresql.example.com -D abc955-xy.example.com
Other than some naming differences, the main difference between both options is that you add the HTTP-principal with the cname to the host instead of the HTTP-principal with the fqdn.
Note: since browsers such as Chrome and Chromium only accept certificates with a Subject Alternative Name (SAN) as of version 65, you need to add a Subject Alternative Name to certificates without a cname too. This is where the option -D comes from in the ipa-getcert request. For certificates without a cname, you have to supply the fqdn.
# Set variables
DOMAIN=domain.name
CNAME=cname
DEST_MACHINE=dest-machine
# Add the CNAME DNS record
# $CNAME => $DEST_MACHINE
ipa dnsrecord-add "$DOMAIN" "$CNAME" --cname-hostname="$DEST_MACHINE"
# Generate a private key
## in /etc/pki/tls/private
## or another dir (the *selinux fcontext* of that dir should be *cert_t*)
sudo openssl genrsa -out "/etc/pki/tls/private/${CNAME}_${DEST_MACHINE}.key" 4096
# Create the HTTP service for $DEST_MACHINE.$DOMAIN
ipa service-add "HTTP/$DEST_MACHINE.$DOMAIN"
# Add the alias HTTP/$CNAME.$DOMAIN for HTTP/$DEST_MACHINE.$DOMAIN
ipa service-add-principal "HTTP/$DEST_MACHINE.$DOMAIN" "HTTP/$CNAME.$DOMAIN"
# Request a certificate for HTTP/$DEST_MACHINE.$DOMAIN
# with the DNS names:
## $DEST_MACHINE.$DOMAIN
## $CNAME.$DOMAIN
sudo ipa-getcert request -r \
    -f "/etc/pki/tls/private/${CNAME}_${DEST_MACHINE}.crt" \
    -k "/etc/pki/tls/private/${CNAME}_${DEST_MACHINE}.key" \
    -K "HTTP/$DEST_MACHINE.$DOMAIN" \
    -D "$DEST_MACHINE.$DOMAIN" \
    -D "$CNAME.$DOMAIN"
# Show info about certificate requests
sudo ipa-getcert list
# List the content of the certificates dir
ls /etc/pki/tls/private/
# Now just use those certificates with your web services
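As an added example covering both answers above (not part of either post, nor of FreeIPA or certmonger), this Go program builds the kind of certificate signing request that the -D arguments to ipa-getcert describe: one Subject Alternative Name per DNS name, here the cname and the A-record fqdn from the worked example, then parses the request back and checks which hosts it covers. The key is generated as constructed test data and the function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// csrWithSANs builds a PEM-encoded certificate signing request whose Subject
// Alternative Names cover every name in dnsNames, the effect of passing one -D
// per name to ipa-getcert. The first name doubles as the subject CN. The key is
// generated here as constructed test data.
func csrWithSANs(dnsNames ...string) ([]byte, *ecdsa.PrivateKey, error) {
	if len(dnsNames) == 0 {
		return nil, nil, errors.New("at least one DNS name is required")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: dnsNames[0]},
		DNSNames: dnsNames,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// sanNames decodes a PEM CSR, checks its self-signature and returns the DNS
// SANs it asks for: the list to review before a request goes to the CA.
func sanNames(csrPEM []byte) ([]string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("no CERTIFICATE REQUEST block found")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return csr.DNSNames, nil
}

// coversName reports whether host appears in the SAN list. A certificate
// issued from a request that lacks the name is rejected by SAN-only clients
// such as Chrome 65 and later, even when the CN matches.
func coversName(sans []string, host string) bool {
	for _, s := range sans {
		if strings.EqualFold(s, host) {
			return true
		}
	}
	return false
}

func main() {
	// Names from the worked example above: the cname first, the A-record fqdn second.
	csrPEM, _, err := csrWithSANs("postgresql.example.com", "abc955-xy.example.com")
	if err != nil {
		panic(err)
	}
	sans, err := sanNames(csrPEM)
	if err != nil {
		panic(err)
	}
	fmt.Println("SANs requested:", sans)
	fmt.Println("covers fqdn:", coversName(sans, "abc955-xy.example.com"))
	// A request carrying only the cname would not cover the fqdn:
	fmt.Println("cname-only request covers fqdn:", coversName([]string{"postgresql.example.com"}, "abc955-xy.example.com"))
}
```

Reviewing the SAN list of the request before submitting it is the cheap check that catches the case the note above describes: a certificate whose only name lives in the CN.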