How to set up TLS certificates for a Windows gitlab-runner?

I've been trying to use this documentation as a guide, but I am having no luck setting up a gitlab-runner on Windows. It correctly polls for jobs, but when it tries to pull artifacts, it returns an x509: certificate signed by unknown authority error.
Can anyone step through how to generate the proper certificate and attach it to the Windows gitlab-runner in order to get things to work?
I've tried generating certificates using openssl and setting the --tls-ca-file flag but so far, it hasn't helped.

I finally got this working, using this as a reference.
The basic idea, when you're not hosting your own gitlab server, is to pull the certificate from gitlab.com. From your browser, click on the little lock symbol next to the https://gitlab.com URL and download the certificate. From Safari, it's just dragging the little certificate image over to your Desktop.
Once you have the cert, store it in your Gitlab-Runner folder and reference it with the tls-ca-file parameter in your config.toml.

Related

Two valid certificates equal one invalid certificate

I'm fairly new to the whole certificate shebang and not a versed Linux admin.
In our company, we run a Windows domain, but we also have some CentOS servers for different services.
On one of said servers we have our ticket system, which is browser based. I want to certify it with a certificate, signed by our Windows root CA, but no matter what I do, the certificate is shown as invalid in the browser.
Funnily enough, both certificates in the chain (CA -> server) are shown as valid.
I already did the following:
started the certificate process from scratch
tried different certificate formats (.cer, .pem)
verified server cert with root cert
checked validity with openssl (OK)
checked SSL connection with openssl, no issues
added root cert to Linux server trusted CA store
recreated cert chain (of 2)
restarted Apache over and over
reset browser cache
tried different browser
checked DNS entries
checked if the root CA is trusted in Windows (it is)
manually installed server cert in my browser
Both the server cert and the root cert show up as valid in the browser, with the correct relation.
I'm completely lost here. Is there some key step I forgot that none of the ~30 guides I read mentioned?
Any help is greatly appreciated.
Your question is missing some information:
Did you check the SSL connection from outside the server?
Did you verify the RootCA cert is inside the cert-store of the server (sometimes it is rejected without error messages)?
I would check the reason for rejecting the certificate in the browser (Firefox is usually more informative than Chrome), and look for the error code.
Reasons can be (some of which you have already verified):
Wrong certificate properties (missing the required values in the "usage" attribute)
Wrong domain name
Expired certificate
Certificate could not be verified on the client-side
See this image as an example of an error code:
https://user-images.githubusercontent.com/165314/71407838-14f55a00-2634-11ea-8a30-c119d2eb1eb1.png

Self Signed Certificate

I'm trying to get a cert to work with a dev url on my local machine.
I've generated a self-signed cert using keytool and have it connected with JBoss. In Chrome I can click on the lock with the x in it to view the cert details.
I downloaded the cert, added it to System and set the trust level to Always Trust, as per the directions in Getting Chrome to accept self-signed localhost certificate. Then I loaded the page (even restarted the browser, followed by a system reboot to make sure everything was picked up).
I still see the lock with the red x in Chrome, for my dev URL, 127.0.0.1, and localhost. What am I doing wrong in getting Chrome to trust the site for localhost? That is followed by the real question: do I need to do anything special to get it to work for my dev URL?
My hosts file has the dev url and localhost resolving to 127.0.0.1. When doing real certs I know the domain has to be specified, which is making me wonder if I need to do anything special for the custom dev url.
I finally figured out my issue and am posting the answer for anyone else who runs into the same problem. I also posted the answer in the referenced question.
The question referenced has an answer suggested by bjnord, Google Chrome, Mac OS X and Self-Signed SSL Certificates. This blog did not solve the problem directly; however, there was a comment on the blog that was gold:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain site.crt
You pretty much have to follow the directions in the blog to get the cert, then use the command above to install it properly.
I also found that with the Java keytool, when you are prompted for your first and last name, this acts as the CN, so you enter your URL there instead. After doing this, everything worked fine with the custom dev URL.

Why is Firefox saying that my website is using an "invalid security certificate"?

I have been using a wildcard SSL certificate for several of my company's B2B websites for some time. Recently, we noticed that Google Chrome started displaying a red unlocked lock with HTTPS crossed out for all of these websites. The solution I found was to reissue the certificate from the provider (Network Solutions). So, I did this, and updated the certificate for each of the websites, and the Google Chrome issue went away (HOORAY!). However, when visiting any of these websites in Firefox, it displays a security message stating the website is using an invalid security certificate.
How can I resolve this so that our users are not confused when visiting these websites?
P.S. These websites are running on IIS6.
It looks as if the certificate chain is incomplete and, thus, Firefox (and likely other browsers) cannot verify the site certificate. Normally browsers store intermediate certificates they have seen in the past - that might be a reason why it works in Chrome.
You can test using https://www.ssllabs.com/ssltest/analyze.html.
Depending on the server software (here, for Apache httpd and other servers which read the certificate in PEM/DER format), you can just paste the intermediate certificates together with the certificate into one .pem file (which is used as the certificate file).
The chain (intermediate certificates) is normally provided by your CA. In your case you could also use Chrome to review the certificate and then store/extract all intermediate certificates from the certificate view.
You can get this "certificate is not trusted" error if the server doesn't send a required intermediate certificate.
Firefox automatically stores intermediate certificates that servers send in the Certificate Manager for future usage.
If a server doesn't send a full certificate chain, you won't get an untrusted error when Firefox has stored the missing intermediate certificate from visiting a server in the past that sent it, but you do get an untrusted error if that intermediate certificate isn't stored yet.
You can inspect the certificate chain via a site like this:
http://www.networking4all.com/en/support/tools/site+check/
I followed the linked instructions to import the intermediate certificates.
In IIS, there is an option under Directory Security to "Enable certificate trust list". I enabled it and added the "AddTrust External CA Root" to the CTL certificates list and this appears to have fixed the issue.
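The same chain-building logic lies behind the gitlab-runner question at the top of this page (gitlab-runner is a Go program, and "x509: certificate signed by unknown authority" is the wording of Go's TLS stack), the "two valid certificates" question, and the Firefox-versus-Chrome answers just above. The following Go program is an added example, not code from any of these posts or from GitLab: it builds a throwaway root -> intermediate -> server chain in memory using only the standard library, then verifies the server certificate under each misconfiguration the answers describe. The CA and host names (Example Root CA, gitlab.example.test) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for cn signed by parent/parentKey; when parent is
// nil the certificate is self-signed, i.e. a root CA. Everything is generated in
// memory and thrown away; nothing here touches a real trust store.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Clients match the host against the SAN list, not the CN, so the name
		// the server is reached by has to be listed here.
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Outcome is how a TLS client would report the server certificate.
type Outcome string

const (
	OK               Outcome = "ok"
	UnknownAuthority Outcome = "x509: certificate signed by unknown authority"
	HostnameMismatch Outcome = "x509: hostname mismatch"
	OtherError       Outcome = "other error"
)

// verifyChain plays the TLS client: presented is what the server sent (leaf
// first, then any intermediates); trusted is the client's trust store, which for
// gitlab-runner is the file named by --tls-ca-file.
func verifyChain(presented, trusted []*x509.Certificate, host string) Outcome {
	roots := x509.NewCertPool() // empty pool, not nil: nil would fall back to the system store
	for _, c := range trusted {
		roots.AddCert(c)
	}
	intermediates := x509.NewCertPool()
	for _, c := range presented[1:] {
		intermediates.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: intermediates})
	var ua x509.UnknownAuthorityError
	var hn x509.HostnameError
	switch {
	case err == nil:
		return OK
	case errors.As(err, &ua):
		return UnknownAuthority
	case errors.As(err, &hn):
		return HostnameMismatch
	default:
		return OtherError
	}
}

// Scenarios builds one chain and checks it under each situation from the posts.
func Scenarios() map[string]Outcome {
	root, rootKey := newCert("Example Root CA", true, nil, nil, 1)
	inter, interKey := newCert("Example Intermediate CA", true, root, rootKey, 2)
	leaf, _ := newCert("gitlab.example.test", false, inter, interKey, 3)
	full, leafOnly := []*x509.Certificate{leaf, inter}, []*x509.Certificate{leaf}
	onlyRoot, rootAndInter := []*x509.Certificate{root}, []*x509.Certificate{root, inter}
	return map[string]Outcome{
		"full chain, root trusted":        verifyChain(full, onlyRoot, "gitlab.example.test"),     // the healthy case
		"full chain, nothing trusted":     verifyChain(full, nil, "gitlab.example.test"),          // no CA file at all
		"leaf only, root trusted":         verifyChain(leafOnly, onlyRoot, "gitlab.example.test"), // server omits the intermediate
		"leaf only, intermediate trusted": verifyChain(leafOnly, rootAndInter, "gitlab.example.test"), // client already holds the intermediate
		"full chain, wrong host":          verifyChain(full, onlyRoot, "localhost"),               // right chain, wrong name
	}
}

func main() {
	for name, outcome := range Scenarios() {
		fmt.Printf("%-32s %s\n", name, outcome)
	}
}
```

The third scenario is the IIS6 case from this question: the server sends only its own certificate, so a client that has never seen the intermediate cannot reach a trusted root, while the fourth scenario shows why a browser that has cached that intermediate (as Firefox does) succeeds on the very same server. curl and OpenSSL report the third scenario as "unable to get local issuer certificate", the error seen in the Drush question below. The last scenario is the self-signed dev-URL case: a perfectly trusted chain is still rejected when the name the browser connects to is not in the certificate's SAN list.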

Having trouble authenticating in Drush with SSL

My Drupal site is hosted at Pantheon (getpantheon.com), I'm using Drush on a Windows 7 x64 machine. I was reading this article on commands using Drush + Terminus (a special Drush extension for Pantheon sites):
https://www.getpantheon.com/blog/five-steps-feeling-drush
I want to be able to use both Drush and Terminus to quickly and efficiently manage my Pantheon Drupal sites.
I installed Terminus fine and was able to issue all the drush-related commands and connect to the server. However, when I got to the part about using 'pauth' to authenticate and use the actual Terminus commands, my authentication was successful, but at the point where it's supposed to say 'Success!' :) it says instead:
Dashboard unavailable: SSL certificate problem: unable to get local issuer certificate
Pantheon told me:
This is due to Windows not bundling an Internet-friendly set of Certificate Authority (CA) certs with curl. Check Stack Overflow or the like for a bunch of solutions.
Any suggestions on how to proceed? I'm not familiar with cURL at all, so something basic would be great, thanks.
Still new here...figuring this out. I should have done more research :p I found the answer here:
AWS SSL security error : [curl] 60: SSL certificate prob...: unable to get local issuer certificate
Once I'd downloaded the .pem file and saved it in a directory and referenced it from php.ini I was good to go.

Apple APNs 2048-bit TLS/SSL certificate update

Today I received an email from Apple telling me they are changing something connected with push notifications, and I wanted to ask what to do with the certificate they gave me a link to... My server runs Debian Lenny, and I'm using PHP5 to send push notifications to Apple APNs. Do I have to just, like... add it somewhere, or replace the 'old' one?
Download the entrust_2048_ca.cer file, and install it on the servers that communicate with Apple's notification services. No need to renew your actual push certificates; you also should not have to change anything in your code.
The important thing is that the servers that actually communicate with Apple's notification services have the certificate installed.
If you are lucky, your push server is already in contact with a Certificate Authority root, and this will solve the issue for you automagically. However, if you should lose that connection, your notifications will be out of order unless you have a "local" version of the certificate.
I am looking for the same solution, a quick hint from another forum says "simply download the .cer file and install it" http://www.iphonedevsdk.com/forum/iphone-sdk-development/66878-apns-question-email-apple.html.
We will try it on our Linux server; please see if this works for your situation.
I downloaded and copied the https://www.entrust.net/downloads/binary/entrust_2048_ca.cer file into /etc/ssl on my OpenBSD server. I haven't changed any of my server side code which is actually not using the entrust cert in any way. (I use the certs from Apple's provisioning site.)
On Dec 23rd, my notifications are sent and received with or without the Entrust cert. I am confused about how exactly I am supposed to use the Entrust .cer file.
I think this sentence from the email from Apple tells me I am ok:
If you have been successfully validating the certificate chain in the APNs sandbox environment, you already have the root certificate you need. Simply install the same root certificate on your production push provider servers.
i.e. notifications were and are sent, hence my server already has what it needs.
UPDATE:
What I wrote above seems to be the case. If you use a fairly recent server you likely don't have to do anything at all. The sandbox environment has been using 2048 bits since March 2010. If it has been working, you are set. Full info here:
http://www.24100.net/2010/12/latest-apple-push-notification-certificate-changes-decrypted/
My PHP5 scripts that connect to the Apple Push Server are hosted on a Fedora system. For me, the migration was transparent. I had nothing to do, even though I can't find the Entrust certificate anywhere on my system. Maybe it is available with the PHP5 SSL library.
