Develop Reference

Configuring Vagrant CA Certificates

I am experiencing problems executing Vagrant commands behind a corporate proxy server and self-signed CA certificates. I have configured environment variables HTTP_PROXY, HTTPS_PROXY, and HTTP_NO_PROXY variables.
I have a Java key store containing all of the corporate certificates. I have used the -exportcert option of the keytool command with numerous options. I have utilized the openssl command also with numerous options and placed the resulting files in multiple locations within the embedded Ruby directories within the Vagrant installation without any success.
I have read a lot of sites containing information about configuring Ruby and curl but have not had any success in getting Vagrant commands to work. All of the posts I have located focus on Ruby and curl options that I do not understand how to utilize with Vagrant which includes Ruby as an embedded component of Vagrant.
Please provide instructions on how to correctly export certificates from the Java key store and optionally convert them and place the resulting files so that Vagrant will successfully be able to communicate through the corporate proxy to the internet.
Vagrant 1.9.5 on Windows 7
Vagrant installation directory C:\Apps\Vagrant\
C:\WorkArea> vagrant plugin install vagrant.proxyconf
ERROR: SSL verification error at depth 3: self signed certificate in certificate chain (19)
ERROR: Root certificate is not trusted (/C=US/O=xxx xxx/OU=xxx xxx Certification Authority/CN=xxx xxx Root Certification Authority 01 G2)
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)
C:\WorkArea> vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Box 'puppetlabs/ubuntu-16.04-64-puppet' could not be found. Attempting to find and install...
default: Box Provider: virtualbox
default: Box Version: >= 0
The box 'puppetlabs/ubuntu-16.04-64-puppet' could not be found or
could not be accessed in the remote catalog. If this is a private
box on HashiCorp's Atlas, please verify you're logged in via
`vagrant login`. Also, please double-check the name. The expanded
URL and error message are shown below:
URL: ["https://atlas.hashicorp.com/puppetlabs/ubuntu-16.04-64-puppet"]
Error: SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

You don't explain what steps you have taken to try to fix the issue, but it would appear that you are not placing your root certificates in the correct location.
Go to the directory where you installed Vagrant, find the file embedded\cacert.pem, and then append the contents of your corporate certificates to the file. Save it and retry the operation. If you properly exported your root CA certificates then they should be read by Vagrant and allow the connection.
If you are still unable to make it work by combining the files, try running vagrant with SSL_CERT_FILE=/path/to/your/certs.pem in the environment. This will allow you to validate that you have properly exported your corporate certificates.

Let's Encrypt: How to manually test the certbot renewal process?

I have a working setup where Let's Encrypt certificates are generated with certbot. I wonder how you effectively test whether the renewal will work in production.
The certificates last for 90 days. Is there a way to reduce the lifespan to, for instance, 10 minutes, to see if the renewal works? (Using the staging system for that is fine.)
If you have an alternative approach how to make sure that your renewal code works (without having to wait for 90 days), it would also be appreciated.

You use the --dry-run option. E.g.:
$ sudo certbot renew --dry-run
From certbot -h:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
...
--dry-run Test "renew" or "certonly" without saving any certificates
to disk
This ensures that the certbot can validate your domain with your current configuration.
If you really want to save the certificates to disk and see if your system is using the new cert, then you can also use the --force-renewal option. In that case, you should visit your website and check that the active certificate is the new one. If it isn't, you likely need to adjust your cronjob to restart your web server. E.g.:
certbot renew && service apache24 restart

You can use "certbot renew --force-renewal"
https://certbot.eff.org/docs/using.html#configuration-file
--force-renewal, --renew-by-default
If a certificate already exists for the requested
domains, renew it now, regardless of whether it is
near expiry. (Often --keep-until-expiring is more
appropriate). Also implies --expand. (default: False)

BrowserStackLocal with proxy giving Error: Could not connect to www.browserstack.com

BrowserStackLocal gives Error: Could not connect to www.browserstack.com!
I am trying to use Charles Proxy with BrowserStackLocal. I want to use Rewrite feature of Charles Proxy. Both Charles Proxy and BrowserStackLocal are running on same Mac Laptop.
I am getting following error. Has anybody run into this problem?
$ ./BrowserStackLocal myKey -proxyHost 192.168.160.113 -proxyPort 8888 -force -forcelocal
BrowserStackLocal v5.5
*** Error: Could not connect to www.browserstack.com!
Configuration Options:
-v
Provides verbose logging
-f
If you want to test local folder rather internal server
-h
Prints this help
-version
Displays the version
-force
Kill other running Browserstack Local
-only
Restricts Local Testing access to specified local servers and/or folders
-forcelocal
Route all traffic via local machine
-onlyAutomate
Disable Live Testing and Screenshots, just test Automate
-proxyHost HOST
Hostname/IP of proxy, remaining proxy options are ignored if this option is absent
-proxyPort PORT
Port for the proxy, defaults to 3128 when -proxyHost is used
-proxyUser USERNAME
Username for connecting to proxy (Basic Auth Only)
-proxyPass PASSWORD
Password for USERNAME, will be ignored if USERNAME is empty or not specified
-localIdentifier SOME_STRING
If doing simultaneous multiple local testing connections, set this uniquely for different processes
To test an internal server, run:
./BrowserStackLocal <KEY>
Example:
./BrowserStackLocal DsVSdoJPBi2z44sbGFx1
To test HTML files, run:
./BrowserStackLocal -f <KEY> <full path to local folder>
Example:
./BrowserStackLocal -f DsVSdoJPBi2z44sbGFx1 /Applications/MAMP/htdocs/example/
View more configuration options at http://www.browserstack.com/local-testing

Charles Proxy generates its own certificates which is signed by 'Charles Root Certificate'. It seems Charles Proxy is modifying the certificate used by BrowserStackLocal due to which the request to BrowserStack fails and you receive "Could not connect to www.browserstack.com!". More information on SSL-Certificates and Charles is available here.
Can you disable this setting in Charles? This will allow BrowserStackLocal use its original certificate and connect to BrowserStack.

I disabled the SSL proxying in Charles Proxy and turned SOCKS . That solved the problem.

SSL: can't load CA certificate file /etc/pki/tls/certs/ca-bundle.crt

On my local dev machine (osx), I'm using jboss to server web services on 8443. When I hit the urls directly I get the json responses I'm looking for. The architecture we have at work includes a middle layer (apache/php) that does authentication and routing. If things authenticate then it forwards the request to the backend.
When I was working with apache on port 80 and jboss on 8081 (using http). Everything worked fine for me. Now that I'm trying to use 8443, things aren't working.
I recently changed the backend to server through https (8443) instead of http (8081). I can hit the requests on https 8443 directly and get the json response. When I hit apache and it authenticates then tries to redirect to the https 8443 I get the following message from chrome's inspector: "SSL: can't load CA certificate file /etc/pki/tls/certs/ca-bundle.crt".
My vhost is setup to catch *:80 requests. I think I might need to setup vhosts to accept 443 requests or install ca-certificates like talked about in How do I deal with certificates using cURL while trying to access an HTTPS url? . I'm looking to see if anyone knows what the proper direction should be.
When I look on the file system, the file /etc/pki/tls/certs/ca-bundle.crt doesn't exist. When I make the request to the middle layer, I see the request hit /var/log/apache2/access_log and nothing comes up in /var/log/apache2/error_log.
What is needed to resolve this issue? Is it a configuration of vhosts to catch request to 443? Is it to install ca-cert stuff like in the link? A combination of both? Or something else? Please provide enough info on how to solve it, or provide links that provide enough info.

I solved my issue and am doing a post for documentation purposes, in case anyone else has similar issues. There was a couple of issues I had to resolve to fix this.
PHP Install
My /etc/apache2/httpd.conf referenced my default osx php install instead of my home brew install of php. Solution was to edit the httpd.conf and point it to the right install.
#LoadModule php5_module /usr/local/opt/php53/libexec/apache2/libphp5.so
LoadModule php5_module /usr/local/Cellar/php53/5.3.29_4/libexec/apache2/libphp5.so
You can create a similar setup of php using home brew by the following commands:
brew install homebrew/php/php53
brew install homebrew/php/php53-igbinary --build-from-source
brew install homebrew/php/php53-intl
brew install homebrew/php/php53-mcrypt
brew install homebrew/php/php53-memcached
brew install homebrew/php/php53-mongo
brew install homebrew/php/php53-xdebug
Create the CA Cert Bundle File
The system is looking for /etc/pki/tls/certs/ca-bundle.cert which is a standard path on linux, but not on osx. We get around this by generating the file.
I generated the .keystore file using keytool and used jboss for my alias. In order to build the ca bundle file, we need it to be in the pem format, so we need to add the -rfc to our export statement. Below are the commands:
cd /usr/local/jboss-eap-6.4/standalone/configuration
keytool -export -alias jboss -file local-sbx.dev.yourcompany.com.crt -keystore .keystore -rfc
After you have the file, you can cat it out and verify that the file has the BEGIN CERTIFICATE and END CERTIFICATE stuff in it. If so, its in the right format.
Lastly, create the directory structure, move the cert to act like the bundle (which is just a bunch of certs appended to each other) and then restart apache:
mkdir -p /etc/pki/tls/certs/
sudo cp local-sbx.dev.yourcompany.com.crt /etc/pki/tls/certs/ca-bundle.crt
sudo apachectl restart

How to create a secure http server in dart?

I am trying to setup my dart http server to run only with https. So I gather I need to use HttpServer.bindSecure but I'm not clear from the description what needs to be passed in as certificateName and whether requestClientCertificate being true makes it more or less secure, or has no impact on security what so ever. The small sample code at the top of the HttpServer page passes in certificateName: 'localhost_cert' but before that it does something with a database, but doesn't seem to use it in anyway. Can anyone explain in more detail what these values are and what they need to be in order to make them secure?

The requestClientCertificate parameter of bindSecure is used to specify a client certificate. Client certificates are used by servers to identify and authorize clients, which appears not to be the objective of this question. It should be noted that there is a known issue with using client certificates in Dart on IE9 and Windows 7.
The certificateName parameter is used to specify the nickname of a certificate that exists in your certificate database. You specify the certificate nickname using the -n <nickname> option when importing a certificate to your database using certutil.
Use the following steps to:
Install the NSS utility (including certutil),
Create a new certificate database in directory <dir> with a password <password>, and
Import your self-signed or purchased certificate identified by nickname <host> such that it can be used to create an HTTPS server using the following sample code. Though the nickname can be chosen arbitrarily, we use the host name in this example. These steps have been confirmed working in Ubuntu 14.04 and Dart SDK 1.6 through (currently last stable version) 1.8.3.
Install the NSS utility
sudo apt-get install libnss3-tools
cd to the directory that will contain your certificate database
cd <dir>
Create a password file to use with the certificate database:
echo "<password>" > pwdfile
Create the certificate database
certutil -N -d 'sql:./' -f pwdfile
Either:
Generate a self-signed certificate:
certutil -S -s "cn=<host>" -n "self signed for dart" -x -t "C,C,C" -m 1000 -v 120 -d "sql:./" -k rsa -g 2048 -f pwdfile
where <host> is the host ("common name") for which to generate a certificate, for example "localhost"
Or, purchase a certificate by first creating a signing request for a real domain <host>, for example "myhost.com":
certutil -R -s "CN=<host>, O=None, L=San Diego, ST=California, C=US" -a -g 2048 -o <host>.csr -d "sql:./"
Then specify the content of file <host>.csr when prompted for a CSR upon purchasing a certificate from a signing authority.
Copy the purchased certificate to a file named <host>.crt
Import the certificate to the database
certutil -A -n <host> -t "p,p,p" -i <host>.crt -d "sql:./"
If necessary to use an intermediate certificate, it can be imported as such:
certutil -A -n my_intermediate_certificate -t "p,p,p" -i intermediate.crt -d "sql:./"
where "intermediate.crt" is the intermediate certificate file downloaded from the signing authority.
Verify that the certificates exist in the database
certutil -L -n <host> -d "sql:./"
certutil -L -n my_intermediate_certificate -d "sql:./"
To use this certificate and create an HTTPS server, do the following:
// Initialize secure socket to use certificate database (note: replace `<dir>`
// with the absolute path to the certificate database directory, and `<password>`
// with the value chosen above)
SecureSocket.initialize(database: "<dir>", password: "<password>");
// Bind secure HTTP server to specified host and port (typically 443)
HttpServer.bindSecure("<host>", 443, certificateName: "<host>")
.then((HttpServer httpServer) {
// Listen for incoming requests
httpServer.listen((HttpRequest httpRequest) {
// TODO: process request
});
})
.catchError((error) {
// TODO: handle error
});
Update
I don't have enough reputation points to respond to the comments, so here are additional details that may help answer the questions: Client certificates are not used to encrypt client-server communication and are not needed in the common scenario of establishing secure communication between a web browser and a webserver via HTTPS. The steps outlined above show how to create an HTTPS server in Dart using bindSecure.