Note: My database works because I am able to migrate and query from within the application.
So I've setup my application and database on digital ocean's new "App" feature. And now I am trying to connect to the production database but I'm getting connection timeout error. Below are the details I inputed, but maybe I am missing my SSL cert ? If yes, how do I go about getting this ? Because I believe digital ocean automatically setup the SSL for me..
Database : postgresql
Tool used to connect : TablePlus
UPDATE
My site is SSL'ed
Checked directly on DO, and there's no certificate stored on my account
So after a few days I gave up and swap to using Droplets. I feel Apps Platform is cool for quick prototypes but I don't have much control in what I want can do in it. I don't think I could even run sudo in the console when I tried.
Here are a few other links I ran through that may or may not help others that was in similar situation if you were using a dev database on digital ocean. And also my support tickets solutions that I received.
Links
https://www.digitalocean.com/community/questions/cannot-connect-with-dev-database-due-to-ssl-issue?answer=67513
https://docs.digitalocean.com/products/databases/postgresql/how-to/connect
How to add an SSL certificate (ca-cert) to node.js environment variables in order to connect to Digital Ocean Postgres Managed Database?
DO Support Replied
I understand that you are trying to connect to the database with an
SSL certificate. Firstly, I want to let you know that you have
attached the dev database to your app "mysite" and not the production
database. However, you should be able to add the following env
variable to store the SSL certificate:
KEYS: CA_CERT VALUES: ${mysitedb.CA_CERT}
Once you add the above env variable then you should be able to use the
"CA_CERT" variable to fetch the SSL certificate in your app.
Additionally, you can view the SSL certificate by running the
following command in the console:
echo $CA_CERT
Thanks for getting back to us. This output would be intended. To use
the contents of that cert you would need to save the env variable to a
file or convert it from string using a method within your application.
You can then specify that file in your configuration and use the
certificate in your connection to the database.
An example of how to do this can be found here:
How to add an SSL certificate (ca-cert) to node.js environment variables in order to connect to Digital Ocean Postgres Managed Database?
Let us know if you have any questions.
Thank you for getting back to us!
From the screenshot, I see you are using the incorrect port number
5432. You have to use port number 25060 to connect to the database.
Regarding the SSL certificate, one thing to note here is that the
database is managed by DigitalOcean and it is not possible to generate
clients key (private key) and certificate (public key) via cloud
panel. That is the reason, you will need to generate those on your
local machine or from whichever client you plan to establish a
connection to the database.
Here is an example of how to use SSL on a client like Navicat, you
will need to download or have OpenSSL installed on your operating
system which you will use to generate Client Key File and Client
Certificate File which will be referred to as private and public keys
respectively
You need the below three files to connect
Client Key File
Client Certificate File
CA Certificate File
https://www2.navicat.com/manual/online_manual/en/navicat/linux_manual/SSLSettings.html
As a guide to establishing a connection
Generate Client Key File and Client Certificate File from your client or the local machine
Copy the certificate from app console to any .crt file and pass that file to connect to database.
Here is how to use the OpenSSL to generate the Client Key File and
Client Certificate File:
https://knowledge.digicert.com/solution/SO27347.html
openssl req -x509 -newkey rsa:2048 -keyout client-key.pem -out
client-cert.pem -days 3650 -nodes -subj '/CN=localhost'
For the Client Key File, Client Certificate, and CA Certificate choose
the directory location you saved them and click on "Test" button in
your client to test the connection.
Please let us know if you have any additional questions, and have a
wonderful day!
Related
I locally installed Elasticsearch with X-Pack and Kibana 8.2.2 and made it up and running. I also created a new project with Spring and Java that would connect with Elasticsearch. When running Elasticsearch for the first time it creates a certificate for the http and transport layers.
I want to use a certificate in Spring to login into Elasticsearch. Therefore I added elasticsearch-rest-client. My problem is, which certificate do I need from Elasticsearch to connect to it and be able to create e.g. role-mappings? So that I have superuser rights?
Quoting the documentation:
When Elasticsearch is configured to require client TLS authentication, for example when a PKI realm is configured, the client needs to provide a client certificate during the TLS handshake in order to authenticate. The following is an example of setting up the client for TLS authentication with a certificate and a private key that are stored in a PKCS#12 keystore.
If the client certificate and key are not available in a keystore but rather as PEM encoded files, you cannot use them directly to build an SSLContext. You must rely on external libraries to parse the PEM key into a PrivateKey instance. Alternatively, you can use external tools to build a keystore from your PEM files, as shown in the following example:
openssl pkcs12 -export -in client.crt -inkey private_key.pem -name "client" -out client.p12
How to set up PKI user authentication has a multi-page documentation and you'll be best served by using the one for your specific Elasticsearch version. The current version is available at https://www.elastic.co/guide/en/elasticsearch/reference/current/pki-realm.html but replace the current in the URL with whatever minor version you want to use (like 8.6).
PS: PKI authentication is a platinum licensed feature. But you can of course set it up with the free 30 day trial to see how it works.
I am trying to automate the certificate renewal process. I am able to generate the certificate then import the certificate to the server and now just need to update the SSL certificate to the new certificate imported for a particular application(ex : ABC). No changes in other property like port number or anything else. Just need to point the SSL Certificate to the new one added for a particular application. I tried doing a lot of research but no luck. Please help
I am working in Ec2 instance. I have connected my php files like http://13.57.220.172/phpinsert.php. But it is not secured site. So i want to convert http into https://13.57.220.172.
I have cloudflare ssl. When i try to add ssl certificate. It shows
com.amazonaws.pki.acm.exceptions.external.ValidationException: Provided certificate is not a valid self signed. Please provide either a valid self-signed certificate or certificate chain. Choose Previous button below and fix it.
i have enclose the image with it.
So how can i get the self signed certificate. is there any online tool available.
I think the error message your seeing has to do with this sentence:
If your certificate is signed by a CA, you must include the
certificate chain when you import your certificate.
from https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html.
Since it sounds like you're not yet in "production" mode, I'm guessing you're not particularly attached to your existing certificate, but just want a certificate to be able to do HTTPS on your web server (and don't really care if it's self-signed).
If you want to use AWS Certificate Manager, I think it would be easier to just let them (AWS) issue you a certificate instead of trying to import one from somewhere else. AWS doesn't charge anything for certificates. https://docs.aws.amazon.com/acm/latest/userguide/acm-billing.html
Even if you get the certificate setup in AWS Certificate Manager, that's not going to be installed directly on your EC2 instance, but rather (most likely) on a load balancer in front of your web server, which will add a little complexity to your setup. https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
If all you want to do is use HTTPS on your web server, Let's Encrypt (also free) is probably a simpler option. If you are using AWS Linux 2, there are instructions for getting a certificate here - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html
Well, add to the points which #jefftrotman has already mentioned.
If your expectation is to just secure your IP address using HTTPS you can achieve that using the below approaches:
A SELF SIGNED certificate that you can create using OpenSSL.
You can also get an SSL certificate from a trust signing authority like (GoDaddy or VeriSign) or Let's encrypt.
The only requirement in the second point is that for getting a certificate from a valid signing authority you need to have a domain name like "myphpapp.com" and then use this domain to get the SSL certificate.
The below details are in case you want to use AWS ACM(Amazon Certificate Manager)
If you prefer ACM, you can get the free Public SSL certificate which you can map to the IP address and your web application will be secured.
If your requirement is to add SSL certificates (like PEM files) to a web server like
NGINX or Apache then you first need to create a Private CA using in ACM and then you using this CA you will be able to create Private SSL certificates. After creating those you can export the files and add those files to the configuration file. (try to use Amazon Linux 2) ec2 image for ease.
I'm at the end of my rope on this one. I have a DB server that connects to our web server locally. We are finally setting up SSL on the web server, something that should have happened years ago, but hasn't for I don't know what reason (nothing legitimate, that's for sure. In fixing this gaping security hole, a different problem has emerged: the utl_http requests are failing with an ORA-29024 error, and despite my efforts, I cannot make them succeed.
I have created a wallet with the certificate in it, including the entire chain with the providers. I have used both .cer files and p7b files. I have the set_wallet command set properly, and the entire process works with the self-signed certificates that I created on a test bed system and locally. I simply cannot get them to work with the actual valid certificate.
My Oracle version is 11.2.0.4.180417. Here is my code:
Create the wallet:
mkdir c:\oracle_wallet
orapki wallet create -wallet "c:\oracle_wallet" -pwd xxxxxxxx -auto_login
orapki wallet add -wallet "c:\oracle_wallet" -trusted_cert -cert "c:\certificates\cert.p7b" -pwd xxxxxxx
Make the HTTP call:
begin
UTL_HTTP.set_wallet('file:c:\oracle_wallet', 'xxxxxxx');
...lines that build up the URL variable
results := utl_http.request(url);
...
end
Again, I've tried .p7b files with the full certification path, and Base 64 .cer files, with separate files for each level on the chain, and neither work. The certificate is valid in a browser, when I hit the exact URL that Oracle tries to get in a browser it is perfectly fine with it. Here is the precise error:
Is there any way I can get more detail on the error from Oracle? It's quite vague. Note: I am downloading the certificate from my browser using the exact URL that Oracle is hitting.
I have been working with web services connecting to URLs provided by different clients and so far it has all been done using one-way authentication. Now I'm asked to enable 2-way (mutual) authentication for one of the clients. I did a lot of research and reading but still confused about a lot of things.
I could test successfully on my local machine following instructions from various different articles. But the problem is now to deploy it in production.
Here's what I did for testing: I created a test Web service Host and assigned it a self-signed certificate and created a client to test this. After this I created a client certificate using makecert and verified that this is installed via MMC. I then modified my Host app to only allow clients with certificate and tested from client to see the connection refused due to not providing the client certificate. Then I modified the bindings in the client application to include the certificate name and I was able to connect to the Host successfully. So this completes local hosting.
Now the real problem. The tech team is going to create a certificate in "cert store" on the server. And I need to test again to make sure everything works as expected. We have a few different developers who all want to test on their machines on their local code. Can we all use the same certificate somehow? I don't think we would be allowed to import the certificate but what suggestions could I give them so all of us can use the same certificate?
I'm also confused about issues like difference between windows certificate and IIS certificate. What advantages would the IIS certificate provide?
Thanks for help!
Edit: Could one of the differences between installing on IIS be so that the hosted sites be accessed via SSL connection? This would mean we don't really need to install on IIS if it's just a client certificate. Is this correct?