We Keep Coding

How to renew Lets encrypt certificate in ejabberd configured server?

How to renew Lets encrypt certificate in ejabberd configured server? My server is Debian-jessie and I have tried to renew SSL certificates using the below command,
certbot certonly -d mydomainname
But it produced an unexpected error:
Failed authorization procedure. : urn:acme:error:connection ::Timeout
during connect (likely firewall problem). Skipping.
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

Found the proper answer for this:
You need to stop the service ejabberd service before you do the
process,
service ejabberd stop
Then move the expired ssl pem file to somewhere else,
mv /etc/ejabberd/ejabberd.pem /etc/ejabberd/ejabberd.pem.backup
Go to the directory where the cert boot locating,
cd /root
Enter the below command in-order to renew the certificate for the
required domain
certbot certonly --webroot -w /etc/ejabberd -d yourdomain.com --force-renewal --rsa-key-size 4096
Then merge the generated ssl files to the ejabberd configuration file
cat /etc/letsencrypt/live/yourdomain.com/privkey.pem /etc/letsencrypt/live/chat.yourdomain.com/fullchain.pem > ejabberd.pem
Then move the pem file to the ejabberd root path
mv ejabberd.pem /etc/ejabberd
chown ejabberd /etc/ejabberd/ejabberd.pem
Enable ejabberd service
service ejabberd start
service ejabberd status

Gcloud sql proxy startup script runs but gives out an error

Here is my startup script:
#! /bin/sh
sudo apt-get update
sudo apt-get install mysql-client
wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy
chmod +x cloud_sql_proxy
sudo mkdir /cloudsql; sudo chmod 777 /cloudsql
./cloud_sql_proxy -dir=/cloudsql --instances=a:us-east4:b &
Here is the error I get:
Feb 19 22:12:38 instance-group-1-th2f startup-script: INFO startup-
script: 2019/02/19 22:12:38 errors parsing config:
Feb 19 22:12:38 instance-group-1-th2f startup-script: INFO startup-script: #011Get https://www.googleapis.com/sql/v1beta4/projects/a/instances/b?alt=json&prettyPrint=false: dial tcp: lookup www.googleapis.com on [::1]:53: read udp [::1]:52058->[::1]:53: read: connection refused
Feb 19 22:12:38 instance-group-1-th2f startup-script: INFO startup-script: 2019/02/19 22:12:38 Ready for new connections
If I open the instance manually and run the following, it will work:
./cloud_sql_proxy -dir=/cloudsql -instances=a:us-east4:b &
I am guessing that it is an authentication problem, but based on this:
Note: If your Compute Engine instance has either the Full API access
or Cloud SQL API scope, you can skip this step; you do not need to
provide a certificate file when you start the proxy.
It shouldn't have any problems since mine has a Full API access
I have a second gen instance and the Cloud SQL Admin API is enabled.

dial tcp: lookup www.googleapis.com on [::1]:53: read udp [::1]:52058->[::1]:53: read: connection refused
It doesn't look like your issue is authenticated related, but instead you are unable to either lookup or reach www.googleapis.com. Do you have a firewall that might be blocking the outgoing connection?

Can I use openssl s_client to retrieve the CA certificate for MySQL?

Can I use openssl s_client to retrieve the CA certificate for MySQL?
I have access to the remote database server using the following
mysql -u theuser -h thehost --ssl --ssl-cipher=DHE-RSA-AES256-SHA -p thedatabase
Now I want to do to connect to it using JDBC.
I realize that I need to insert the public certificate into my Java key store. However, I cannot figure out how to retrieve the public certificate. I realize it sits on the remote server in /etc/mysql/ca.pem or a similar place. But, I don't have permission to read that file or even ssh into the machine.
I've tried
openssl s_client -cipher DHE-RSA-AES256-SHA -connect thehost:3306
and some variations. I always get errors. For example
CONNECTED(00000003)
30495:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/
Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:

Can I use openssl s_client to retrieve the CA certificate for MySQL?
You probably can't.
A well configured server will send the server certificate and all intermediate certificates required to build a path to the root CA. You have to have the root CA certificate already.
For example:
$ openssl s_client -connect www.cryptopp.com:443 -tls1 -servername www.cryptopp.com
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=COMODO SSL Unified Communications
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
...
The server sent the server's certificate. Its shown above as 0 s:/OU=Domain Control Validated/OU=COMODO SSL Unified Communications. S means its the Subject, while I means its the issuer.
The server sent two intermediate certificates at 1 and 2. However, we need to have the Issuer of certificate 2 locally to build the path for validation. The Issuer of certificate 2 goes by the Common Name "AddTrust External CA Root".
"AddTrust External CA Root" can be downloaded from Comodo's site at [Root] AddTrust External CA Root
It the server sent the root CA, then a bad guy could tamper with the chain and a client would be no wiser. They could swap-in their own CA and use an evil chain.
We can clear the verify error:num=20:unable to get local issuer certificate by fetching the root CA, and then using -CAfile:
$ openssl s_client -connect www.cryptopp.com:443 -tls1 -servername www.cryptopp.com \
-CAfile addtrustexternalcaroot.pem
It will result in a Verify Ok (0).

Yes, OpenSSL version 1.1.1 (released on 11 Sep 2018) now supports fetching the server certificate from a MySQL server.
openssl s_client -starttls mysql -connect thehost:3306
Source: answer by Paul Tobias

How to connect dovecot on 993 port using squirrelmail

I am trying to connect dovecot on 993 port but dovecot shows below error;
dovecot: imap-login: Disconnected (no auth attempts in 60 secs): user=<>, rip=192.***.***.***, lip=192.***.***.***, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<3k6jgTwVLwDAqL+E>
squirrelmail config;
$imap_auth_mech = 'login';
$use_imap_tls = 1;
$imapServerAddress = 'dovecot.server';
$imapPort = 993;
When I try to telnet and openssl on squirrelmail server;
[root#aa ~]# telnet dovecot.server 993
Trying 192.***.***.***...
Connected to dovecot.server.
Escape character is '^]'.
[root#aa ~]# openssl s_client -connect dovecot.server:993
...
...
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
Note: 143 port works fine by the way.

Check your PHP error log for things like this:
PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed ..
PHP Warning: fsockopen(): Failed to enable crypto ..
PHP Warning: fsockopen(): unable to connect to tls://dovecot.server:993 (Unknown error) ..
If that's the case, the openssl library isn't able to verify your server's cert. It's easily fixed by adding the certificate for the connection to your local cert stash. You can find out where that is with <PRE><?php var_dump(openssl_get_cert_locations()); ?> </pre> and looking at the ini_cafile setting.
You can get your server's cert with this command:
openssl x509 -in <(openssl s_client -connect dovecot.server:993 -prexit 2>/dev/null) > /tmp/cacert.pem
Add it to the cert file, and you should be going.
One caveat: the certificate CN MUST match the hostname that you're using to connect to the server! If it's self-signed, make sure it's using dovecot.server as the CN.

Mercurial on windows and ssh configuration with Copssh problem

I've installed the copssh on a windows 2008 server and then I tried to clone a reposity on the server through ssh. But no matter how hard I tried I couldn't fix this error i got. here is the log:
C:\Users\Admin>hg clone ssh://ehsan#rafsanjani.ir
The authenticity of host 'rafsanjani.ir (96.31.90.174)' can't be established.
RSA key fingerprint is 41:a8:41:21:61:1a:67:2c:e8:44:99:6c:63:e7:06:73.
Are you sure you want to continue connecting (yes/no)? yes
ehsan#rafsanjani.ir's password:
remote: Could not create directory '/home/Administrator/.ssh'.
remote: Failed to add the host to the list of known hosts (/home/Administrator/.ssh/known_hosts).
remote: /bin/bash: Permission denied
abort: no suitable response from remote hg!
I tried to login with administrator but i get the same error message. Also i changed the permission of the folder located in C:\Program Files (x86)\ICW\home\administrator so that ehsan has the full access to this folder.
also when I connect to the server with putty and use this command:
cd /home/administrator/.ssh
echo test>test
file test will create! so it seems that I have the permission to this folder!
this is log when i try to clone with administrator account:
C:\Users\Admin>hg clone ssh://administrator#rafsanjani.ir
The authenticity of host 'rafsanjani.ir (96.31.90.174)' can't be established.
RSA key fingerprint is 41:a8:41:21:61:1a:67:2c:e8:44:99:6c:63:e7:06:73.
Are you sure you want to continue connecting (yes/no)? yes
administrator#rafsanjani.ir's password:
remote: Could not create directory '/home/Administrator/.ssh'.
remote: Failed to add the host to the list of known hosts (/home/Administrator/.ssh/known_hosts).
remote: bash: hg: command not found
abort: no suitable response from remote hg!

The latest versions of copssh/cwrsync use cygwin 1.7 and require a HOME environment variable. So just add a HOME=%HOMEDRIVE%%HOMEPATH% variable and it should work right away. It did for me :)