We Keep Coding

Handshake error to mysql via ssl

tldr: I get the following error with a client/server setup with ssl:
Specifically: ssl configuration error: UseCertificateChainFile: SSL errors: PEM routines:PEM_read_bio:no start line SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
The details:
I am hosting something similar to a mysql server on ec2 (specifically mongosqld)
I need to connect to it via ssl, so I create certs using openssl on the machine using this set of instructions provided by mysql: https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-files-using-openssl.html
I run the server with the following command
mongosqld --schema=schema.drdl \
--addr=0.0.0.0:3307 \
--auth \
--sslMode=allowSSL \
--sslCAFile=ca.pem \
--sslPEMKeyFile=server-key.pem
And on my machine, I attach to the server like so:
mysql --protocol tcp \
--host my.host.on.amazon.com --port 3307 \
--enable-cleartext-plugin \
--ssl-cert mongosqlcerts/client-cert.pem
--ssl-key mongosqlcerts/client-key.pem
--ssl-ca mongosqlcerts/ca.pem
On the client side I get the following error:
SSL connection error: error:00000001:lib(0):func(0):reason(1)
On the server logs, a bit more helpful:
mongosqld starting: version=v2.3.1 pid=11461 host=ip-xx-xx-xx-xx
I CONTROL [initandlisten] git version: fa3535342a4c5abe36e3cc28a2ecf72864dfc6fe
I CONTROL [initandlisten] OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
I CONTROL [initandlisten] options: {schema: {path: "schema.drdl"}, net: {bindIp: [0.0.0.0], ssl: {mode: "allowSSL", PEMKeyFile: "server-key.pem", CAFile: "ca.pem"}}, security: {enabled: true}}
I NETWORK [initandlisten] waiting for connections at [::]:3307
I NETWORK [initandlisten] waiting for connections at /tmp/mysql.sock
I NETWORK [conn1] connection accepted from 108.20.XXX.XXX:63353 #1 (1 connection now open)
E NETWORK [conn1] handshake error: ERROR 1043 (08S01): recv handshake response error: ERROR 1043 (08S01): ssl configuration error: UseCertificateChainFile: SSL errors: PEM routines:PEM_read_bio:no start line
SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
2017-12-01T22:24:50.394+0000 I NETWORK [conn1] end connection 108.20.XXX.XXX:63353 (0 connections now open)
Specifically: ssl configuration error: UseCertificateChainFile: SSL errors: PEM routines:PEM_read_bio:no start line
SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
Can anyone help me parse that error.
Thanks friends!

I got it!
so for the sslPEMKeyFile argument in mongosqld as stated in the docs you need to
Specifies the .pem file containing both the TLS/SSL certificate and key for MySQL clients. Specify the file name of the .pem file using relative or absolute paths.
So when I used openssl to create ca, server-cert and key files, I needed to create a new file that combined the private-key and the server-cert
so I created a new file called combined.pem with the following text in it:
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
and started the server with that and it worked!!!

Tortoise HG mercurial 502 BadGateway

few days ago we have started to see this error when we tried to hg push.
when running hg push --debug --traceback -v ive got this output:
pushing to https://<server>/repository
using https://<server>/repository
sending capabilities command
using auth.mrsdev.* for authentication
<server> certificate matched fingerprint <fingerprint>
using auth.mrsdev.* for authentication
http auth: user trannann, password ***********
using auth.mrsdev.* for authentication
<server> certificate matched fingerprint <fingerprint>
query 1; heads
sending batch command
using auth.mrsdev.* for authentication
searching for changes
all remote heads known locally
preparing listkeys for "phases"
sending listkeys command
using auth.mrsdev.* for authentication
received listkey for "phases": 15 bytes
checking for updated bookmarks
preparing listkeys for "bookmarks"
sending listkeys command
using auth.mrsdev.* for authentication
received listkey for "bookmarks": 0 bytes
sending branchmap command
using auth.mrsdev.* for authentication
<server> certificate matched fingerprint <fingerprint>
sending branchmap command
using auth.mrsdev.* for authentication
preparing listkeys for "bookmarks"
sending listkeys command
using auth.mrsdev.* for authentication
received listkey for "bookmarks": 0 bytes
8 changesets found
list of changesets:
e34d64fb754056d112d2da58cf0675e6c9e02842
8aab72238ada787283715b6bfc0415d7fbae3709
e3583d6b2fb359db2cfb430cde7b55f38992c640
ec49b6a57c2ed999d752a4a6556bf64304bbd36f
06cef21425beb141e9f168d968124e91e8b0d364
fde87053c99bdaa171df76e7d51203e4f166c65e
59702ada4e4fba01fd166747eb043032771f7da6
3e4f6b3323d2724c2b1af6820121bcaa0c081d24
sending unbundle command
sending 21543 bytes
using auth.mrsdev.* for authentication
<server> certificate matched fingerprint <fingerprint>
**HTTP Error: 502 (Bad Gateway)**
[command returned code 255 Wed May 03 14:53:55 2017]
Questions:
1) what is happening?
2) where can I find error logs on server? Googled a while but can not find the location of logs or where is the path set.

how openshift ldap auth provider trust self-signed certificate without a rootca signed

I'm trying to config openshift with my internal ldaps server as an IDP.
But the thing is my internal ldaps is self-signed without any root ca signed.
In master-config.yaml, I tried to config the self-signed certificate as ca attribute, but it always complain:
login.go:162] Error authenticating "xifeng" with provider "customer_own_ldap": LDAP Result Code 200 "": x509: certificate signed by unknown authority.
I understand the ca attribute in master-config.yaml might expect a ca-bundle certificate. but my case here its a self-signed cert.
Please advise how I can solve this issue ?

curl -cacert works fine, find below:
curl -v --cacert xf_ldaps_ca.crt ldaps://bogon:1636
About to connect() to bogon port 1636 (#0)
Trying 172.16.50.169...
Connected to bogon (172.16.50.169) port 1636 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: xf_ldaps_ca.crt
CApath: none
NSS: client certificate not found (nickname not specified)
SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Server certificate:
subject: CN=bogon,O=OpenDJ RSA Self-Signed Certificate
start date: Dec 23 12:11:19 2016 GMT
expire date: Dec 18 12:11:19 2036 GMT
common name: bogon
issuer: CN=bogon,O=OpenDJ RSA Self-Signed Certificate
LDAP local: ldaps://bogon:1636/
DN:
objectClass: top
objectClass: ds-root-dse
Connection #0 to host bogon left intact
openssl x509 -in xf_ldaps_ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1440710020 (0x55df7d84)
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=OpenDJ RSA Self-Signed Certificate, CN=bogon
Validity
Not Before: Dec 23 12:11:19 2016 GMT
Not After : Dec 18 12:11:19 2036 GMT
Subject: O=OpenDJ RSA Self-Signed Certificate, CN=bogon
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9e:a4:46:41:d2:9d:32:ae:e3:60:f9:13:ac:40:
--------------
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
8c:c4:34:2b:af:dd:ec:bc:f0:68:6a:95:53:02:74:d9:9f:5e:
----------------
E1223 20:58:37.810976 12227 login.go:162] Error authenticating "xftest" with provider "xf_ldaps_test": LDAP Result Code 200 "": x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "bogon")

Problems with system:admin login after changing to HTPasswd Identity Provider in Openshift Origin

Wanting to switch to HTPasswd Identity provider i have updated the master-config.yaml to look like this
identityProviders:
- name: my_htpasswd_provider
challenge: true
login: true
provider:
apiVersion: v1
kind: HTPasswdPasswordIdentityProvider
file: /path/to/users.htpasswd
Im using the oc cluster:
oc cluster up --host-data-dir=/opt/openshift_data --host-config-dir=/opt/openshift_conf --use-existing-config
, but when i try to log in with the system:admin user this happens.
oc login -u system:admin
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y
Login failed (401 Unauthorized)
You must obtain an API token by visiting https://:8443/oauth/token/request

I got this error, when I changed the authentication provider of my Openshift cluster, and I had already logged in as admin user with the old authentication provider settings.
I had to add mappingMethod: add option to my configuration, so It could map the existing user.
identityProviders:
- challenge: true
login: true
mappingMethod: add
name: my_htpasswd_provider
provider:
apiVersion: v1
kind: HTPasswdPasswordIdentityProvider
file: /var/openshift/users.htpasswd
This is Openshift documentation url:
https://docs.openshift.com/enterprise/3.2/install_config/configuring_authentication.html#mapping-identities-to-users
Hope this helps

Mercurial on windows and ssh configuration with Copssh problem

I've installed the copssh on a windows 2008 server and then I tried to clone a reposity on the server through ssh. But no matter how hard I tried I couldn't fix this error i got. here is the log:
C:\Users\Admin>hg clone ssh://ehsan#rafsanjani.ir
The authenticity of host 'rafsanjani.ir (96.31.90.174)' can't be established.
RSA key fingerprint is 41:a8:41:21:61:1a:67:2c:e8:44:99:6c:63:e7:06:73.
Are you sure you want to continue connecting (yes/no)? yes
ehsan#rafsanjani.ir's password:
remote: Could not create directory '/home/Administrator/.ssh'.
remote: Failed to add the host to the list of known hosts (/home/Administrator/.ssh/known_hosts).
remote: /bin/bash: Permission denied
abort: no suitable response from remote hg!
I tried to login with administrator but i get the same error message. Also i changed the permission of the folder located in C:\Program Files (x86)\ICW\home\administrator so that ehsan has the full access to this folder.
also when I connect to the server with putty and use this command:
cd /home/administrator/.ssh
echo test>test
file test will create! so it seems that I have the permission to this folder!
this is log when i try to clone with administrator account:
C:\Users\Admin>hg clone ssh://administrator#rafsanjani.ir
The authenticity of host 'rafsanjani.ir (96.31.90.174)' can't be established.
RSA key fingerprint is 41:a8:41:21:61:1a:67:2c:e8:44:99:6c:63:e7:06:73.
Are you sure you want to continue connecting (yes/no)? yes
administrator#rafsanjani.ir's password:
remote: Could not create directory '/home/Administrator/.ssh'.
remote: Failed to add the host to the list of known hosts (/home/Administrator/.ssh/known_hosts).
remote: bash: hg: command not found
abort: no suitable response from remote hg!

The latest versions of copssh/cwrsync use cygwin 1.7 and require a HOME environment variable. So just add a HOME=%HOMEDRIVE%%HOMEPATH% variable and it should work right away. It did for me :)