Can't start local Intershop environment because of an invalid certificate in Google Chrome - google-chrome

I got a certification error when I start my local environment in Google Chrome. The certificate is not valid. How can I fix this?

Don't forget to restart the httpd after replacing the server.key and server.crt.

As a temporary solution I created a new server certificate with:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
The files server.key and server.crt must be copied to server/local/httpd/conf

Related

What is the correct way to generate a selfsigned cert for *.localhost ('wildcard')

I can't for the life of me get chrome to work with a wildcard cert ("*.localhost")
Here is what I'm doing to generate said cert.
First I gen my ca
openssl genrsa -out priv/cert/ca.key 2048
openssl req -new -x509 -nodes -subj "/C=US/O=_Development \
CA/CN=Development certificates" -key priv/cert/ca.key -sha256 \
-days 3650 -out priv/cert/ca.crt
Then I gen my localhost
openssl genrsa -out priv/cert/localhost.key 2048
openssl req -new -subj "/C=US/O=Local Development/CN=*.localhost" -key \
priv/cert/localhost.key -out priv/cert/localhost.csr
Then I make my ext file
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[req]
req_extensions = req_ext
[req_distinguished_name]
commonName_default = localhost
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.localhost
DNS.2 = foo.localhost
DNS.3 = localhost
Then I sign.
openssl x509 -req \
-in priv/cert/localhost.csr \
-extfile priv/cert/localhost.ext \
-CA priv/cert/ca.crt \
-CAkey priv/cert/ca.key \
-CAcreateserial \
-out priv/cert/localhost.crt \
-days 365 \
-sha256
After trusting my crt and navigating locally to, say, localhost or foo.localhost I get all green, but if I go to, say, bar.localhost the wildcard does not work and I get a NET::ERR_CERT_COMMON_NAME_INVALID in Chrome.
What am I missing here? I've addressed the Subject Alternative Name, I've ruled out that SAN via foo works. Common name does not even matter anymore from what I read. I'm at a loss.
TL;DR: Browsers will not accept *.localhost in a certificate.
In *.localhost the localhost suffix is treated as a top level domain (TLD) and wildcards directly below a TLD are not allowed. The idea behind this is basically that no single organization actually owns a TLD like com and thus allowing a certificate for *.com would be pretty dangerous. Therefore *.localhost will not be accepted, while *.foo.localhost will.
For more on this see Wildcard *.localhost SSL with Nginx and Chrome and Can a wildcard SSL certificate be issued for a second level domain?.
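The matching rule from the answer above, as an added example that is not part of the original answer: a wildcard is honoured only as the whole left-most label, stands for exactly one label, and is rejected directly below a TLD. The function names are hypothetical, and treating only the last label as the TLD is a simplifying assumption (browsers consult the public suffix list).

```shell
# san_matches PATTERN HOST: succeed if one dNSName entry covers HOST.
# Assumption: only the last label counts as the TLD; browsers use the
# public suffix list for this decision.
san_matches() {
  pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $pat in
    \*.*)
      suffix=${pat#\*.}
      case $suffix in
        *\**) return 1 ;;   # only one wildcard, in the left-most label
        *.*) ;;             # suffix has two or more labels (foo.localhost)
        *) return 1 ;;      # "*.localhost": wildcard directly below a TLD
      esac
      label=${host%".$suffix"}
      [ "$label" != "$host" ] || return 1   # host does not end in .suffix
      case $label in
        ''|*.*) return 1 ;; # the wildcard stands for exactly one label
      esac
      return 0 ;;
    *\**) return 1 ;;       # a wildcard anywhere else is not honoured
    *) [ "$pat" = "$host" ] ;;
  esac
}

# cert_covers HOST SAN...: succeed if any SAN entry covers HOST.
cert_covers() {
  name=$1; shift
  for san in "$@"; do
    if san_matches "$san" "$name"; then return 0; fi
  done
  return 1
}

# The alt_names from the question, checked against the hosts it mentions.
for h in localhost foo.localhost bar.localhost; do
  if cert_covers "$h" '*.localhost' foo.localhost localhost
  then echo "$h: covered"
  else echo "$h: not covered (NET::ERR_CERT_COMMON_NAME_INVALID)"
  fi
done
```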

Unable to connect to MariaDB via SSL on Google Apps Script

I'm having difficulties connecting Google Apps Script to my MariaDB instance.
This is the GAS I am using for this example:
https://gist.github.com/HappymanOkajima/8740727662e9ba0e0ffd52006484c47f
The MariaDB instance is from the original dockerhub image: mariadb:10.4
I have successfully configured MariaDB to run with SSL (verified with Metabase, and shows 'havessl'='YES')
For context, the following commands were used to generate ssl keys:
Generate key for CA-cert
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 > ./ca-key.pem
Generate CA-cert
openssl req -new -x509 -nodes -days 36500 -key ./ca-key.pem -out ./ca-cert.pem -subj "/C=US/ST=NY/L=NTC/O=company/CN=company"
Create SQL server key
openssl req -newkey rsa:4096 -nodes -keyout ./server-key.pem -out ./server-req.pem -subj "/C=US/ST=NY/L=NTC/O=company/CN=sql.server.com"
Create SQL server cert
openssl x509 -req -in ./kn-req.pem -days 36500 -CA ./ca-cert.pem -CAkey ./ca-key.pem -CAcreateserial -out ./server-cert.pem
Convert server key to RSA (mariadb only reads this)
openssl rsa -in ./server-key.pem -out ./server-key-rsa.pem
SQL server is configured with ca-cert.pem, server-cert.pem and server-key-rsa.pem
Create Client Key (for Supermetrics)
openssl req -newkey rsa:4096 -nodes -keyout ./client-key.pem -out ./client-req.pem -subj "/C=US/ST=NY/L=NTC/O=company/CN=supermetrics"
Create client cert
openssl x509 -req -in ./client-req.pem -days 36500 -CA ./ca-cert.pem -CAkey ./ca-key.pem -CAcreateserial -out ./client-cert.pem
Create RSA version, for Supermetrics
openssl rsa -in ./client-key.pem -out ./client-key-rsa.pem
I then used cat to print these files: ca-cert.pem, client-cert.pem, client-key.pem
And copy-pasted the strings into the Google Apps Script, appending \n\ to the end of each line.
This is the error that shows:
Exception: Failed to establish a database connection. Check connection string, username and password.
I have also verified that if I removed ?useSSL=true, the connection is completed successfully
What am I missing here? I have scoured every google dev forum posting and stackoverflow questions on this, and they all seem to say that this is the correct solution. Is anyone able to replicate this to verify?

client certificate authentication not working with chrome and apache2 server

I am attempting to use client certificates to limit secure access to an apache2 web server. However, after installation, Google Chrome returns an ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED error.
First I set up the CA for the Web Server by creating a CA key and an X509 PEM file:
openssl genrsa -out CA.key 2048
openssl req -x509 -new -nodes -key CA.key -days 7300 -out CA.pem
I already have an existing certificate for the web site set in apache2 for https communication allocated by a trusted third party. The following is the apache2 conf setting for this website where I have included SSLCACertificateFile for the certificate generated above, the SSLOptions, SSLVerifyClient and SSLVerifyDepth directives:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName site.aname.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/site
<Directory /var/www/html/site>
Options FollowSymLinks
AllowOverride All
Require all granted
SSLOptions +StdEnvVars
SSLVerifyClient require
SSLVerifyDepth 1
</Directory>
LogLevel debug
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCACertificateFile /etc/apache2/ssl/site/CA.pem
SSLCertificateFile /etc/apache2/ssl/site/fullchain.pem
SSLCertificateKeyFile /etc/apache2/ssl/site/privkey.pem
Include /etc/apache2/ssl/site/options-ssl-apache.conf
</VirtualHost>
</IfModule>
This completes the web server configuration. I test without a client certificate and get the expected error.
I then generate a client certificate and sign with the CA and then package in pkcs12 with private key with the following:
GENERATE:
openssl genrsa -out user.key 2028
openssl req -new -key user.key -out user.csr
SIGN WITH:
openssl x509 -sha256 -req -in user.csr -out user.crt -CA CA.pem -CAkey CA.key -CAcreateserial -days 1095
CREATE PKCS12:
openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt
The resultant user.pfx is then installed on the user machines running chrome.
When attempting to connect, chrome asks for the key which is selected with the result being the error ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED.
Version of Chrome running under Windows 10 is: Version 74.0.3729.169 (Official Build) (64-bit)
Update:
I can connect successfully with curl from another linux server using:
curl --cert user.crt --key user.key --pass password https://site.aname.com/
however, the same from windows 10 command line results in:
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80090027) - The parameter is incorrect
Solved by ensuring that the signed user certificate was a "version 3" X.509 certificate and specifying both Key Usage and Enhanced Key Usage attributes within the v3 extension. This was achieved by modifying the openssl.conf file for the X509 sign request or if you use the openssl CA command.
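One way to apply that fix to the question's signing step, as an added example that is not from the original post: the user certificate is signed with an extension file so that it carries Key Usage and Extended Key Usage, then checked. The subject names, the file names ca.cnf and client.ext, and the chosen extension values (digitalSignature, keyEncipherment, clientAuth) are assumptions; the post does not say which values were used.

```shell
# Added example: the question's CA and user certificate, with the user
# certificate signed through a v3 extension file. Names and values are assumed.

issue_client_cert() {   # $1 = existing empty working directory
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Client CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  cat > "$d/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
  openssl genrsa -out "$d/CA.key" 2048 2>/dev/null || return 1
  openssl req -x509 -new -nodes -key "$d/CA.key" -days 7300 \
    -config "$d/ca.cnf" -out "$d/CA.pem" || return 1
  openssl genrsa -out "$d/user.key" 2048 2>/dev/null || return 1
  openssl req -new -key "$d/user.key" -config "$d/ca.cnf" \
    -subj "/CN=example-user" -out "$d/user.csr" || return 1
  # -extfile adds Key Usage and Extended Key Usage to the signed certificate
  openssl x509 -sha256 -req -in "$d/user.csr" -out "$d/user.crt" \
    -CA "$d/CA.pem" -CAkey "$d/CA.key" -CAcreateserial -days 1095 \
    -extfile "$d/client.ext" 2>/dev/null
}

check_client_cert() {   # $1 = directory holding CA.pem and user.crt
  text=$(openssl x509 -in "$1/user.crt" -noout -text) || return 1
  for want in 'Version: 3' 'Digital Signature' 'TLS Web Client Authentication'
  do
    printf '%s\n' "$text" | grep -q "$want" || return 1
  done
  openssl verify -purpose sslclient -CAfile "$1/CA.pem" "$1/user.crt" >/dev/null
}

work=$(mktemp -d)
issue_client_cert "$work" && check_client_cert "$work" && echo "user.crt: v3 with KU and EKU"
rm -rf "$work"
```

The PKCS12 packaging step from the question is unchanged and runs on the resulting user.key and user.crt.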

MySql ssl connection with self signed certificate

Hey I want to connect to mySql db using ssl secure connection. I did the following:
Create self signed certificates (resource: https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-files-using-openssl.html):
#server
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
#client
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
#signing
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
Created the my.cnf file in C:\Program Files\MySQL\MySQL Server X.Y (since it didn't exist) and added these lines (resource: https://dev.mysql.com/doc/connector-net/en/connector-net-tutorials-ssl.html)
ssl-ca=c:/certs/ca.pem
ssl-cert=c:/certs/server-cert.pem
ssl-key=c:/certs/server-key.pem
Then connected to mysql using root and created the sslclient user :
CREATE USER 'sslclient'@'localhost';
Now when I'm trying to connect to mySql db using ssl :
mysql -h localhost -u sslclient -p --ssl=1 --ssl-cert=client-cert.pem --ssl-key=client-key.pem --ssl-ca=ca.cert
I get the following exception:
SSL connection error: SSL is required but the server doesn't support it
I tried it also as the root user and also tried to change the ssl settings through MySQL Workbench > right click on my connection > edit connection > connection > ssl and filled the relevant fields.
EDIT : I found out that the .cnf can be the .ini file (located at C:\ProgramData\MySQL\MySQL Server X.Y), so I added the ssl-x lines to it, but now I'm getting this error :
SSL connection error: ASN: bad other signature confirmation

Setting up MySQL SSL connections

My task is to make all local and remote connections to MySQL encrypted and all clients must be verified by client SSL certificates.
But I can't even connect to MySQL from shell and always getting 'Access denied for user ssluser@localhost...'
Platform:
Amazon EC2 micro with Amazon Linux AMI (all updates installed)
MySQL 5.7.7
I have created the self-signed certificate in accordance with this instruction
# Create CA certificate
# -----------
# CN = localdomain.com
$ openssl genrsa 2048 > ca-key.pem
$ openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
# -----------
# CN = cn1.localdomain.com
$ openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
$ openssl rsa -in server-key.pem -out server-key.pem
$ openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
# Create client certificate, remove passphrase, and sign it
# client-cert.pem = public key, client-key.pem = private key
# -----------
# CN = cn2.localdomain.com
$ openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
$ openssl rsa -in client-key.pem -out client-key.pem
$ openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
I have created the MySQL DB user for testing
CREATE USER 'ssl-user'@'%' identified by '123';
GRANT USAGE ON *.* TO 'ssluser'@'%' identified by '123' REQUIRE X509;
FLUSH PRIVILEGES;
Edited my.cnf
[mysqld]
ssl-ca=/etc/pki/mysql_ssl/ca.pem
ssl-cert=/etc/pki/mysql_ssl/server-cert.pem
ssl-key=/etc/pki/mysql_ssl/server-key.pem
[client]
ssl-cert=/etc/pki/mysql_ssl/client-cert.pem
ssl-key=/etc/pki/mysql_ssl/client-key.pem
and restarted mysqld...
Then I am trying to connect from shell
mysql -ussluser -p123123123 --ssl-cert=/etc/pki/mysql_ssl/client-cert.pem --ssl-key=/etc/pki/mysql_ssl/client-key.pem
And always get 'Access denied for ssluser@localhost (using password: YES)'.
I also tried to use our purchased WildCard Comodo Certificates to only encrypt the connection (but not verify the client) with no success.
I am a bit confused because I know a lot of people actually do MySQL SSL, but I still can't get it working.
Any help would be much appreciated.
Problem is solved.
I switched back to MySQL 5.6
Re-created CA, server and client certificates with this detailed instruction
Added to my.cnf the client SSL section
[client]
ssl-ca=/etc/pki/mysql_ssl/ca-cert.pem
ssl-cert=/etc/pki/mysql_ssl/client-cert.pem
ssl-key=/etc/pki/mysql_ssl/client-key.pem
Created new mysql user
CREATE USER 'x509test'@'%' IDENTIFIED BY 'MyPassword1';
GRANT USAGE ON *.* TO 'x509test'@'%' REQUIRE X509;
FLUSH PRIVILEGES;
And finally I am able to connect
$ mysql --user=x509test --password --ssl-ca=/etc/pki/mysql_ssl/ca-cert.pem --ssl-cert=/etc/pki/mysql_ssl/client-cert.pem --ssl-key=/etc/pki/mysql_ssl/client-key.pem