I am working on integrating Elasticsearch with GitLab. I have created one Elasticsearch server and enabled HTTPS for it using self-signed certificates. When I tried to integrate it with GitLab, it gave me a 500 error, and below is the log I got.
Faraday::SSL::SSLError SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
From this I think GitLab is unable to verify the certificate of Elasticsearch. Is there a way to disable this verification, or any other way to make sure that my Elasticsearch gets integrated?
Any help would be much appreciated. Thank you.
You need to add the certificate to the trusted path /etc/gitlab/trusted-certs.
Once you have put the .crt, .der or .pem files there, you can validate with the next steps.
Please validate the symlinks: sudo ls -al /opt/gitlab/embedded/ssl/certs
Check the certs:
echo | /opt/gitlab/embedded/bin/openssl s_client -connect HOSTNAME:port
View a certificate’s details in text form using x509. Be sure to replace /path/to/certificate.crt with the certificate’s path:
/opt/gitlab/embedded/bin/openssl x509 -in /path/to/certificate.crt -text -noout
Fetch a certificate from a server and decode it. This combines both of the above commands to fetch the server’s SSL certificate and decode it to text:
echo | /opt/gitlab/embedded/bin/openssl s_client -connect HOSTNAME:port | /opt/gitlab/embedded/bin/openssl x509 -text -noout
Links:
https://docs.gitlab.com/omnibus/settings/ssl/index.html#install-custom-public-certificates
https://docs.gitlab.com/omnibus/settings/ssl/ssl_troubleshooting.html
I have an internal RubyGems registry from which I want to download some gems. The registry is protected and requires a valid TLS client certificate.
I am able to reach the registry in Chrome (I imported the certificate bundle into Chrome), but I am not able to do it with Bundler.
The documentation says ssl_client_cert has to be:
Path to a designated file containing a X.509 client certificate and key in PEM format.
I get the following error when using the certificate provided:
Neither PUB key nor PRIV key: nested asn1 error
How do I assemble my certificate and key?
I finally found out how to assemble the files:
# Concatenate the key and the certificate
openssl rsa -in key.pem > ruby-bundler-cert.pem
openssl x509 -in cert.pem >> ruby-bundler-cert.pem
# Tell bundler to use the file
bundle config ssl_client_cert ~/certs/ruby-bundler-cert.pem
Did you think this was enough? No! You also need to specify this value somewhere else: in your ~/.gemrc file.
:ssl_client_cert: "/full/path/to/the/certs/ruby-bundler-cert.pem"
Hope this will help other people.
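The assembly step from the answer above, carried through as an added shell example (this is not the answer's own code): it builds the combined key-plus-certificate PEM in the same order, then runs the two checks a practitioner wants before pointing Bundler at the file, namely that both halves load from the one file and that the key actually belongs to the certificate. It assumes `openssl` is on PATH; the key, the certificate, the CN `bundler-client` and the file names are throwaway values created here.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes `openssl` on PATH.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Throwaway client key and self-signed certificate standing in for the pair
# issued by the registry's CA (constructed sample, CN is made up).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=bundler-client" \
  -keyout key.pem -out cert.pem 2>/dev/null

# Same order as the answer: key first, then certificate. `openssl rsa` also
# rewrites a PKCS#8 or passphrase-protected key into a plain RSA key, so the
# result holds an unencrypted private key and must not be world-readable.
assemble_client_pem() {
  openssl rsa -in "$1" > "$3" 2>/dev/null
  openssl x509 -in "$2" >> "$3"
  chmod 600 "$3"
}

# Each reader picks the first PEM block of its own type and skips the rest,
# which is why a single file works for ssl_client_cert. Prints "both",
# "no key" or "no cert".
pem_has_key_and_cert() {
  openssl rsa -in "$1" -check -noout >/dev/null 2>&1 || { echo "no key"; return 0; }
  openssl x509 -in "$1" -noout -subject >/dev/null 2>&1 || { echo "no cert"; return 0; }
  echo both
}

# The public key derived from the private key must equal the one embedded in
# the certificate; a mismatched pair loads fine but fails the TLS handshake.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
  c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null || true)
  if [ -n "$k" ] && [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

# The good file, plus two broken variants seen in practice.
assemble_client_pem key.pem cert.pem ruby-bundler-cert.pem
openssl x509 -in cert.pem > cert-only.pem                  # key left out
openssl genrsa -out other.key 2048 2>/dev/null             # some unrelated key
assemble_client_pem other.key cert.pem mismatched.pem      # key is not the cert's

echo "ruby-bundler-cert.pem: $(pem_has_key_and_cert ruby-bundler-cert.pem), key matches cert: $(key_matches_cert ruby-bundler-cert.pem)"
echo "cert-only.pem:         $(pem_has_key_and_cert cert-only.pem)"
echo "mismatched.pem:        $(pem_has_key_and_cert mismatched.pem), key matches cert: $(key_matches_cert mismatched.pem)"
```

The `chmod 600` matters: the answer's `openssl rsa -in key.pem` strips any passphrase, so the combined file is a plaintext credential for the registry.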
I'm using Jython 2.latest and I cannot for the life of me figure out how to securely (i.e. without turning off verification) download an HTTPS link.
All I can seem to find are examples where you turn off validation.
I'm using code like:
import logging
import urllib2

# save_path is set earlier in the script
# urlopen over HTTPS: the handshake fails when the JVM does not trust the
# server certificate
thefile = urllib2.urlopen("https://example.com/index.php")
with open(save_path, 'wb') as output:
    output.write(thefile.read())
logging.info("Successfully downloaded %s", save_path)
But I get a handshake error, totally expected.
So I've exported the SSL cert:
openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >example.pem
So now I have the PEM file. Now what do I do; does anyone know? Am I stuck installing the PEM file into the keystore?
The link here, Problem with Jython urllib2.urlopen for HTTPS pages, says that you can only add it to the Java keystore.
I have a question about using SSL with a self-signed certificate.
I was using the example here: http://people.apache.org/~gmazza/restexamples/https-clientserver-grizzly
The unit test works perfectly. However, if I start the Grizzly server and try to use curl to get the resources, I get errors like:
curl -v https://localhost:8443/api/v1/hello
* Adding handle: conn: 0x7ff69b004400
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7ff69b004400) send_pipe: 1, recv_pipe: 0
* About to connect() to localhost port 8443 (#0)
* Trying ::1...
* Trying fe80::1...
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8443 (#0)
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake
I already added the certificate to the system keychain as always trusted for all categories. Still, no browser can get the resource. Here is the error message I got from Chrome:
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR
Has anyone else encountered the same problem?
ADD:
For curl, I was generating the Java keystore and cert using keytool:
keytool -genkey -keystore ./keystore_server -alias serverKey -dname "CN=localhost, OU=Jersey, O=Sun Microsystem, L=Prague, ST=Czech Republic, C=CZ"
keytool -export -alias serverKey -rfc -keystore ./keystore_server > ./server.cert
openssl x509 -in server.cert -inform PEM -text -out server.pem
I then ran:
curl -E server.pem -v https://localhost:8443/api/v1/hello -u "username:password"
However, I got the same error as before.
For browsers, I have now gotten it to work for Firefox and Chrome. However, I am still having trouble with Safari. I get an error message saying that Safari cannot open the page because Safari cannot establish a secure connection to the server. Does anyone have any idea how I can make Safari happy?
However, if I started grizzly server, and try to use curl to get the resources, I got errors like...
cURL does not use the operating system's keychain. The exception to the rule is if cURL is built against SecureTransport for iOS or OS X. See the curl.1 man page and the -E or --cert option. And even in that case, it's not for trusted anchors.
If you have a particular CA you would like to use to certify the server, then you should specify it with the --cacert option. You can also specify the cacert.pem bundle with this option. See the curl.1 man page.
Chrome ... Error code: ERR_SSL_PROTOCOL_ERROR
This is a different issue. Chrome uses the operating system's keystore. See the Chromium Projects' Root Certificate Policy.
To fix it, you might want to look at Getting Chrome to accept self-signed localhost certificate.
It might be a good idea to post the certificate with your question. Use the following to generate it (assuming it's PEM encoded):
openssl x509 -in <cert> -inform PEM -text -noout
Has anyone else encountered the same problem?
Others have probably experienced the issue, too.
I'm trying to connect to Apple's push notification server using my key and certificate:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert MyApp.pem -key MyApp.pem
I keep getting the following error. Does anyone know what might be wrong?
7495:error:20074002:BIO routines:FILE_CTRL:system lib:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/bio/bss_file.c:358:
unable to load client certificate private key file
You might be entering the wrong pass phrase.
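Two checks behind "unable to load client certificate private key file", as an added shell example (not the answer's code): whether the PEM is passphrase-protected at all, and whether a given passphrase, or no passphrase, actually opens it. The same loader fails when the file holds only a certificate and no key, so that case is covered too. It assumes `openssl` is on PATH; the key, certificate, CN `MyApp` and the passphrase `correct-pass` are throwaway values created here.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes `openssl` on PATH.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Does the PEM carry a passphrase? Legacy RSA PEM keys carry a
# "Proc-Type: 4,ENCRYPTED" header; PKCS#8 keys say "ENCRYPTED PRIVATE KEY".
key_is_encrypted() {
  if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"; then
    echo yes
  else
    echo no
  fi
}

# Can the key be loaded with this passphrase? -noout writes nothing out, so
# this is a pure read test. It also fails, as s_client -key does, when the
# file contains no private key at all.
key_opens_with() {
  if openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# Constructed sample: a plain key with a self-signed cert, a passphrase-
# protected copy of the key, and a combined MyApp.pem like the one in the
# question (key and cert in the same file).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=MyApp" \
  -keyout plain.key -out cert.pem 2>/dev/null
openssl rsa -in plain.key -aes256 -passout pass:correct-pass -out protected.key 2>/dev/null
cat protected.key cert.pem > MyApp.pem

echo "plain.key encrypted:                 $(key_is_encrypted plain.key)"
echo "MyApp.pem encrypted:                 $(key_is_encrypted MyApp.pem)"
echo "MyApp.pem opens with wrong pass:     $(key_opens_with MyApp.pem wrong-pass)"
echo "MyApp.pem opens with correct pass:   $(key_opens_with MyApp.pem correct-pass)"
echo "cert.pem (no key inside) opens:      $(key_opens_with cert.pem correct-pass)"
```

For the command in the question, `-passin pass:...` (or the interactive prompt) must match what `key_opens_with` reports as working, and the file given to `-key` must report something other than "no" for at least one passphrase, otherwise it contains no key.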
For various reasons I have created a simple HTTP server and added SSL support via OpenSSL. I'm using self-signed certificates. IE, Firefox and Chrome happily load content as long as I add the CA to the trusted root CAs.
However, wget (even when using the --no-check-certificate flag) reports:
OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
If I run the OpenSSL client against my server using:
openssl s_client -connect dnvista:82 -debug
I get back:
verify error:num=19:self signed certificate in certificate chain
verify return:0
and then:
5852:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1060:SSL alert number 40
5852:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:
Do wget and the OpenSSL client simply not work with self-signed certificates?
UPDATE:
For anyone who comes along later, adding this code helped with the OpenSSL client and Firefox:
/* Give the server an ephemeral ECDH key so ECDHE cipher suites can be
   negotiated; with none available, a client offering only ECDHE suites gets
   the handshake_failure alert (40). This is the OpenSSL 1.0.x API; 1.1.0 and
   later select curves automatically and deprecate SSL_CTX_set_tmp_ecdh. */
EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
EC_KEY_free(ecdh);
I checked the man page of wget, and --no-check-certificate only seems to affect the server certificate. You need to specify your self-signed certificate as a valid CA certificate locally.
To do this, specify the certificate with --ca-certificate=... in wget and with -CAfile in the s_client case.
You can also install trusted root CA certificates into OpenSSL in one of a number of ways:
Put your CA certificate in /etc/pki/tls/certs or the equivalent directory, then create a link based on the certificate hash. See http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl for details.
Append your CA certificate to /etc/pki/tls/certs/ca-bundle.crt, /etc/pki/tls/cert.pem, or equivalent CA bundle.