Kratos - Social sign-in - How to use an OIDC provider having a self-signed signature? - ory

I'm trying to connect my hosted Kratos with an OIDC provider that has a non-trusted certificate.
Is there an elegant way to give Ory Kratos a list of trusted CA certificates?
I'm facing this error when connecting to my app with my custom OIDC provider:
"reason": "Unable to initialize OpenID Connect Provider: Get "https://my-custom-oidc-provider/.well-known/openid-configuration": x509: certificate signed by unknown authority"

Have a look at Where is Golang picking up root CAs from? to see where CAs are loaded from. There you can add it to the appropriate CA source for your setup.
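The error in the question comes from Go's crypto/x509 verifier: a Go HTTP client whose TLS config leaves RootCAs nil trusts exactly the system store, so a certificate from a private CA fails with "certificate signed by unknown authority". The following is an added example (my own code, not Kratos code) that reproduces the failure against a locally started fake provider and then shows the same request succeeding once the CA is appended to the pool. The discovery document, the issuer name "https://my-custom-oidc-provider" and the use of httptest's self-signed certificate as the "private CA" are constructed for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// DiscoveryDoc is a constructed, minimal discovery document (placeholder issuer).
const DiscoveryDoc = `{"issuer":"https://my-custom-oidc-provider"}`

// NewClientWithExtraCAs builds an http.Client that trusts the operating system's
// root CAs plus every CA certificate found in caPEM. A client that leaves
// RootCAs nil gets only the system store, which is why a private CA fails.
func NewClientWithExtraCAs(caPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		// Minimal containers may ship no system store at all; start empty then.
		pool = x509.NewCertPool()
	}
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate could be parsed from the PEM input")
	}
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: tr, Timeout: 10 * time.Second}, nil
}

// IsUnknownAuthority reports whether err is (or wraps) the x509 failure behind
// "certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// StartFakeProvider serves the constructed discovery document over TLS using
// httptest's self-signed certificate and returns that certificate as PEM; it
// plays the role of the private CA from the question.
func StartFakeProvider() (*httptest.Server, []byte) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/.well-known/openid-configuration" {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, DiscoveryDoc)
	}))
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return srv, caPEM
}

// FetchDiscovery GETs the discovery endpoint and returns the response body.
func FetchDiscovery(c *http.Client, baseURL string) (string, error) {
	resp, err := c.Get(baseURL + "/.well-known/openid-configuration")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// RunDemo fetches the discovery document first with a default client (system
// store only) and then with the private CA appended, returning what each saw.
func RunDemo() (untrustedErr error, body string, trustedErr error) {
	srv, caPEM := StartFakeProvider()
	defer srv.Close()

	_, untrustedErr = FetchDiscovery(&http.Client{Timeout: 10 * time.Second}, srv.URL)

	c, err := NewClientWithExtraCAs(caPEM)
	if err != nil {
		return untrustedErr, "", err
	}
	body, trustedErr = FetchDiscovery(c, srv.URL)
	return untrustedErr, body, trustedErr
}

func main() {
	untrustedErr, body, trustedErr := RunDemo()
	fmt.Println("system store only:", untrustedErr)
	fmt.Println("with private CA  :", body, trustedErr)
}
```

The point for a deployed Go binary such as Kratos is that you rarely get to touch the tls.Config; the pool it ends up with is the system store, so the fix is to put the CA where the system store is read from. On Linux, Go's crypto/x509 reads the distribution's CA bundle and also honours the SSL_CERT_FILE and SSL_CERT_DIR environment variables, which is the usual way to add a private CA to a container without rebuilding the image.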

Related

Kibana to EnterpriseSearch TLS issue

THIS IS STILL AN ISSUE, ANY HELP WOULD BE APPRECIATED
I am having an issue setting up TLS through a custom CA between Kibana and Enterprise Search. I have the default X-Pack security set up for the interconnection of my Elasticsearch nodes with both Kibana and Enterprise Search, which was done according to the following docs: minimal security, basic security, SSL/TLS config. I can successfully run Enterprise Search over HTTP; however, my issue arises when I enable SSL/TLS for ent-search.
When I have HTTPS configured for ent-search using this doc, the server is "running"; however, I receive an error after boot and Kibana throws an error when attempting to connect.
ent-search error (not corresponding to Kibana's hit on the ent-search hostname; this error is raised shortly after ent-search is "starting successfully", but isn't fatal):
[2022-06-14T20:37:45.734+00:00][6081][4496][cron-Work::Cron::SendTelemetry][ERROR]: Exception:
Exception while performing Work::Cron::SendTelemetry.perform()!: Faraday::ClientError: PKIX path
building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
Kibana error (directly corresponding to when I ping http://obfuscated-dns:5601/app/enterprise_search/overview):
[2022-06-14T20:43:51.772+00:00][ERROR][plugins.enterpriseSearch] Could not perform access check to
Enterprise Search: FetchError: request to https://obfuscated-dns:3002/api/ent/v2/internal/client_config
failed, reason: unable to get issuer certificate
The steps I took to generate said certificate were: I created a CSR on my server using elasticsearch-certutil csr along with a YAML file which specified the distinguished name, sent the unzipped CSR to my CA (DigiCert), uploaded the signed certificate and intermediate certificate provided by DigiCert to my server, used openssl to generate a keystore using the signed cert and the private key generated alongside the original CSR, then finally converted the keystore to .jks format using keytool.
From my understanding, the path of this keystore is what is needed in the configuration file for Enterprise Search, and the intermediate cert is what is used in the Kibana certificate authority config field (ca.pem). I have also tried to stuff both the signed and intermediate cert in the same .pem, as well as the private key, signed and intermediate cert. Below are the relevant configurations:
kibana.yml
enterpriseSearch.host: https://ofuscated-dns:3002
enterpriseSearch.ssl.verificationMode: certificate
enterpriseSearch.ssl.certificateAuthorities:
- /path/ca.pem
enterprise-search.yml
ent_search.external_url: https://obfuscated-dns:3002
ent_search.listen_host: 0.0.0.0
ent_search.listen_port: 3002
ent_search.ssl.enabled: true
ent_search.ssl.keystore.path: "/path/keystore.jks"
ent_search.ssl.keystore.password: "pass"
ent_search.ssl.keystore.key_password: "pass"
I'm starting to feel like I fundamentally misunderstand something here. A lot of the jargon behind SSL/TLS certificates seems to lack standardization. While we are at it, what is a root cert in relation to what I have listed? Is it the intermediate cert? I see there is a master "root certificate" for the DigiCert CN I certified under; however, I'm unsure where this fits in. The config variable "certificateAuthorities" doesn't document what this .pem file should contain specifically, and when searched for, the concept of a certificate authority is never associated with file contents, but instead is simply abstracted to the entity which provides certification (duh).
To put it succinctly: What does this variable "certificateAuthorities" explicitly entail?
UPDATE 09/28/2022
I have now confirmed that SSL is working when calling Enterprise Search from outside the VM it's running in. I can utilize its endpoint with my Flutter and React app; however, Kibana is still throwing the error mentioned above. I have checked that the root/intermediate CA provided to Kibana's configuration is indeed the certificate linked with the signed cert provided to Enterprise Search, and even confirmed so using SSLPoke. This leaves me with the suspicion that perhaps Java is a bad actor in the mix? I've added the root/intermediate CA to the cacerts keystore in the ssl/java directory of the Linux VM, but still no luck. Any thoughts?
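The post above asks what a "certificate authorities" file actually has to contain and how root, intermediate and signed certificate relate. The answer is easiest to see by building the three-tier chain in memory and verifying the server certificate under the combinations that come up in practice. This is an added example written in Go with its standard crypto/x509 verifier (my own code, not Elastic's or Kibana's); the CA names, the host name "obfuscated-dns" taken from the post and the keys are all constructed on the fly. Java and Node use their own verifiers, but the chain-building rules the four cases illustrate are the same PKIX rules the PKIX and "unable to get issuer certificate" errors in the post refer to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ServerName is the placeholder host name used in the post's configuration.
const ServerName = "obfuscated-dns"

// issue signs template with the parent's key, or self-signs it when parent is
// nil, and returns the parsed certificate together with its new private key.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = template, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newTemplate builds either a CA template or a server-certificate template.
func newTemplate(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{ServerName}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// Chain is the constructed PKI: root CA -> intermediate CA -> server (leaf) cert.
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

// BuildChain issues a fresh root, intermediate and server certificate.
func BuildChain() Chain {
	root, rootKey := issue(newTemplate("Constructed Root CA", true, 1), nil, nil)
	inter, interKey := issue(newTemplate("Constructed Intermediate CA", true, 2), root, rootKey)
	leaf, _ := issue(newTemplate(ServerName, false, 3), inter, interKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// Verify validates the server certificate for ServerName. anchors plays the
// role of the client's CA file (ca.pem); presented plays the role of the extra
// certificates the server sends with its leaf during the TLS handshake.
func Verify(c Chain, anchors, presented []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	inters := x509.NewCertPool()
	for _, p := range presented {
		inters.AddCert(p)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: ServerName, Roots: roots, Intermediates: inters})
	return err
}

// Results reports which of the four relevant combinations validate.
func Results() map[string]bool {
	c := BuildChain()
	certs := func(cs ...*x509.Certificate) []*x509.Certificate { return cs }
	return map[string]bool{
		"anchor=root, server sends intermediate":      Verify(c, certs(c.Root), certs(c.Intermediate)) == nil,
		"anchor=root, server sends leaf only":         Verify(c, certs(c.Root), nil) == nil,
		"anchor=intermediate, server sends leaf only": Verify(c, certs(c.Intermediate), nil) == nil,
		"anchor=none, server sends intermediate":      Verify(c, nil, certs(c.Intermediate)) == nil,
	}
}

func main() {
	for name, ok := range Results() {
		fmt.Printf("%-45s -> valid=%v\n", name, ok)
	}
}
```

Two of the four cases fail, and they are the ones that matter for the post: with the root as anchor but only the leaf sent by the server, the verifier cannot reach the root (the "unable to get issuer certificate" situation), and an intermediate sent by the server is useless if no anchor is configured at all. So the CA file holds the certificate(s) the client is told to trust, normally the root and, harmlessly, the intermediate as well, while the keystore on the server side must contain the leaf plus the intermediate so the server presents them both. Go accepts a non-self-signed intermediate as the sole anchor (the third case); OpenSSL-based stacks only do so when partial-chain verification is enabled, so putting the root in the CA file is the portable choice.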

SSL validation error while calling a REST API with self signed certificate from spring boot

I created an API in Spring Boot which internally calls a REST API which is self-signed.
The error I am getting is:
pkix-path-building-failed-and-unable-to-find-valid-certification-path-to-requested target
Solution I tried:
Since I am using EKS for deploying my application, what I did is:
Create a config map with the self-signed certificate for the REST API.
Added the root CA as a volume mount in the deployment file.
Verified whether the CA cert is added to the Java trust store; I can see the certificate.
But I am still getting the PKIX certification issue.

403 - Forbidden: Access is denied. ASP.NET Core MVC IIS client certificate SSL

I am trying to deploy my application in .NET Core 2.1 with a client certificate in IIS.
To do that in IIS:
authentication configuration is disabled
SSL is required
And I am authenticating with my .pfx on my local machine, and on the server the certificate is installed as .cer in the trusted root.
But all the time I am getting the 403 error: Forbidden.
How can I fix my problem?
If someone has the code or information or a video it will be so helpful for me.
First, check the IIS log for the sub-status code, which is located at %SystemDrive%\inetpub\logs\LogFiles.
If the error is 403.16 Forbidden: Client Certificate Untrusted or Invalid:
It seems that IIS 8.x is not using the Certificate Trust List by default; without this list, client authentication via certificates will fail with the 403.16 error and the certificate is considered untrusted.
To resolve this issue you could try to set the below DWORD registry keys:
SendTrustedIssuerList = 0 (stop sending a list of trusted root certification authorities during the TLS/SSL handshake process)
ClientAuthTrustMode = 2 (set trust mode to Exclusive CA Trust, which requires that a client certificate chain to either an intermediate CA certificate or a root certificate in the caller-specified trusted issuer store)
After making the changes, restart the machine.
Another thing: if you are using the IIS "Require SSL" setting, then set the client certificate option to Accept:

Does OkHttp trust personal CAs?

I am trying to connect to my webserver with Android apps which are using okhttp. The webserver is using an SSL certificate signed by my own personal CA. The CA is added to the phone/tablet, but I get the following error:
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
The server contains the complete certificate chain. Should this work in principle? Does okhttp trust added personal CAs?
The https connection works without problems in the browser and other apps not using okhttp.

AWS ACM Certificate Not Valid

I set up an AWS classic load balancer with an HTTPS listener using an ACM certificate as described in http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html but the browser rejects it.
Errors:
This root certificate is not trusted (ssl_error_bad_cert_domain)
The certificate is not trusted because it is self-signed.
The certificate is only valid for the following names: localhost,
localhost.localdomain, ip-10-0-0-157,
ip-10-0-0-157.us-west-2.compute.internal
(Error code: sec_error_unknown_issuer)
The generated certificate seems pointed to localhost.