While troubleshooting an ORA-24263 error ("ORA-24263: Certificate of the remote server does not match the target address"), I came across this "UTL_HTTP and SSL (HTTPS) using Oracle Wallets" article which describes, in part, how to add site certificates to an Oracle wallet.
I understand that Oracle 12+ no longer allows wildcard certificates in the same way; that perhaps the UTL_HTTP.request() call requires the setting of a https_host parameter. Notably, the ORA-24263 error emerged in our environment only once we upgraded to Oracle19c.
I'd like to see the certificates associated with the pre-existing, previously-working, Oracle wallet entry. How can I see what certificates are associated with an oracle wallet?
A ORACLE wallet is just a ZIP file with several files: .p12, .pem, .sso, .jks… that you can look in using java keytool among others...
Related
I'm having an issue making a proxy database connection to an ORACLE database using ODP.net. I need my program to attempt the proxy connection but then prompt me for my certificate and authenticate me with that.
I have a Perl script that does this and it only requires me to specify the name of the TNS entry and the user I want proxying in for me.
I also have my SQL Developer doing the same thing, pointing to the same TNS entry.
But when I try to attempt the same approach with ODP.NET it just gives me the ORA-12154 error, "TNS: Could not resolve the connect identifier specified."
From my limited knowledge of Oracle I ASSUME that the error means that it couldn't find that TNS entry. And I've verified that the entry DOES exist in my tnsnames.ora file and proved I could proxy to it via my Perl script and SQL Developer. Even put a breakpoint in my VB code to ensure I was specify the correct TNS Entry.
I've even stripped down the connection string to JUST the datasource to see what error I get. So I'm not sure if I have the connection string wrong or if it needs to be in a different format. But I DO know that the solution HAS to allow me to specify the TNS alias and the connection HAS to prompt me for my certificate. No password.
So I guess I'm trying to find out what the appropriate connection string would look like to do this and why .NET can't seem to figure out what this TNS alias is.
I've tried setting the USER ID attribute to the account I want proxying for me, set the PROXY USER ID attribute the same way as well as also tried "/", set the DATA SOURCE attribute to the TNS alias.
This program will be deployed to four different environments that have the same TNS alias in them but point to different servers. So I really need to be able to specify the TNS alias.
Note: My database works because I am able to migrate and query from within the application.
So I've setup my application and database on digital ocean's new "App" feature. And now I am trying to connect to the production database but I'm getting connection timeout error. Below are the details I inputed, but maybe I am missing my SSL cert ? If yes, how do I go about getting this ? Because I believe digital ocean automatically setup the SSL for me..
Database : postgresql
Tool used to connect : TablePlus
UPDATE
My site is SSL'ed
Checked directly on DO, and there's no certificate stored on my account
So after a few days I gave up and swap to using Droplets. I feel Apps Platform is cool for quick prototypes but I don't have much control in what I want can do in it. I don't think I could even run sudo in the console when I tried.
Here are a few other links I ran through that may or may not help others that was in similar situation if you were using a dev database on digital ocean. And also my support tickets solutions that I received.
Links
https://www.digitalocean.com/community/questions/cannot-connect-with-dev-database-due-to-ssl-issue?answer=67513
https://docs.digitalocean.com/products/databases/postgresql/how-to/connect
How to add an SSL certificate (ca-cert) to node.js environment variables in order to connect to Digital Ocean Postgres Managed Database?
DO Support Replied
I understand that you are trying to connect to the database with an
SSL certificate. Firstly, I want to let you know that you have
attached the dev database to your app "mysite" and not the production
database. However, you should be able to add the following env
variable to store the SSL certificate:
KEYS: CA_CERT VALUES: ${mysitedb.CA_CERT}
Once you add the above env variable then you should be able to use the
"CA_CERT" variable to fetch the SSL certificate in your app.
Additionally, you can view the SSL certificate by running the
following command in the console:
echo $CA_CERT
Thanks for getting back to us. This output would be intended. To use
the contents of that cert you would need to save the env variable to a
file or convert it from string using a method within your application.
You can then specify that file in your configuration and use the
certificate in your connection to the database.
An example of how to do this can be found here:
How to add an SSL certificate (ca-cert) to node.js environment variables in order to connect to Digital Ocean Postgres Managed Database?
Let us know if you have any questions.
Thank you for getting back to us!
From the screenshot, I see you are using the incorrect port number
5432. You have to use port number 25060 to connect to the database.
Regarding the SSL certificate, one thing to note here is that the
database is managed by DigitalOcean and it is not possible to generate
clients key (private key) and certificate (public key) via cloud
panel. That is the reason, you will need to generate those on your
local machine or from whichever client you plan to establish a
connection to the database.
Here is an example of how to use SSL on a client like Navicat, you
will need to download or have OpenSSL installed on your operating
system which you will use to generate Client Key File and Client
Certificate File which will be referred to as private and public keys
respectively
You need the below three files to connect
Client Key File
Client Certificate File
CA Certificate File
https://www2.navicat.com/manual/online_manual/en/navicat/linux_manual/SSLSettings.html
As a guide to establishing a connection
Generate Client Key File and Client Certificate File from your client or the local machine
Copy the certificate from app console to any .crt file and pass that file to connect to database.
Here is how to use the OpenSSL to generate the Client Key File and
Client Certificate File:
https://knowledge.digicert.com/solution/SO27347.html
openssl req -x509 -newkey rsa:2048 -keyout client-key.pem -out
client-cert.pem -days 3650 -nodes -subj '/CN=localhost'
For the Client Key File, Client Certificate, and CA Certificate choose
the directory location you saved them and click on "Test" button in
your client to test the connection.
Please let us know if you have any additional questions, and have a
wonderful day!
I have been managing Let's Encrypt's SSL certificates for a domain.
Now I am moving to Amazon API gateway. I will be using the AWS Certificate Manager to generate HTTPS certificates for the root domain and a bunch of subdomains.
If I make the transfer, what happens to my current HTTPS certificate which is associated with my domain. If browsers suddenly start seeing a new HTTPS certificate for a domain, for which they had been getting a different HTTPS certificate until now, would this be a problem?
Also, once I make the shift, what do I do with my current (manually managed) Let's Encrypt certificate? Is there a way to permanently void it?
Szabolcs Dombi says
You can have multiple valid certificates for the same domain at the
same time. Moving from one certificate issuer to another should not
cause a problem.
Toby Osbourn says
SSL certificates don’t last forever, most of them need to be renewed
on a yearly cycle and occasionally you will want to change the type of
the SSL certificate mid-cycle.
Since you are replacing certificates, I suggest you to back up the ones you have.
Once you have backed up the old certificates, just overwrite the .crt and .key files with your new ones. Then, reload your web server so it knows to look at these new certificates, and you should be good to go.
If it's within your interest to know more about how to Generate SSL certificate using Amazon Certificate Manager (ACM), I suggest Barguzar, A. (July 2018). Building Serverless Python Web Services with Zappa. where one can read a good step by step guide. See an excerpt of it below:
ACM is a service that manages and creates SSL/TSL certificates for
AWS-based services and applications. An ACM certificate works with
multiple domain names and subdomains. You can also use ACM to create a
wildcard SSL.
ACM is strictly linked with AWS Certificate Manager Private
Certificate Authority (ACM PCA). ACM PCA is responsible for validating
the domain authority and issuing the certificate.
You can have multiple valid certificates for the same domain at the same time. Moving from one certificate issuer to another should not cause a problem.
This also means that if you create a new certificate the old one still can be used unless it already expired.
I'm at the end of my rope on this one. I have a DB server that connects to our web server locally. We are finally setting up SSL on the web server, something that should have happened years ago, but hasn't for I don't know what reason (nothing legitimate, that's for sure. In fixing this gaping security hole, a different problem has emerged: the utl_http requests are failing with an ORA-29024 error, and despite my efforts, I cannot make them succeed.
I have created a wallet with the certificate in it, including the entire chain with the providers. I have used both .cer files and p7b files. I have the set_wallet command set properly, and the entire process works with the self-signed certificates that I created on a test bed system and locally. I simply cannot get them to work with the actual valid certificate.
My Oracle version is 11.2.0.4.180417. Here is my code:
Create the wallet:
mkdir c:\oracle_wallet
orapki wallet create -wallet "c:\oracle_wallet" -pwd xxxxxxxx -auto_login
orapki wallet add -wallet "c:\oracle_wallet" -trusted_cert -cert "c:\certificates\cert.p7b" -pwd xxxxxxx
Make the HTTP call:
begin
UTL_HTTP.set_wallet('file:c:\oracle_wallet', 'xxxxxxx');
...lines that build up the URL variable
results := utl_http.request(url);
...
end
Again, I've tried .p7b files with the full certification path, and Base 64 .cer files, with separate files for each level on the chain, and neither work. The certificate is valid in a browser, when I hit the exact URL that Oracle tries to get in a browser it is perfectly fine with it. Here is the precise error:
Is there any way I can get more detail on the error from Oracle? It's quite vague. Note: I am downloading the certificate from my browser using the exact URL that Oracle is hitting.
I am running windows server 2003 standard and have installed the ssl cert as per Godaddy's instructions. Let me know what information you need from me. Attempting to access the website securely outside of our network the page does not load. Thanks in advance!
Although it would help if you provided more information (like what error the clients are getting), I’m going to guess that you are missing the intermediate certificates that GoDaddy uses. These need to be installed on the server where the SSL certificate is installed.
Follow the procedure here.