I want to configure letsencrypt ca signed certificate for my exist-db app and I have used the below two guides but could not succeed.
https://www.cirt.gov.bd/a-step-by-step-guide-to-securing-a-tomcat-server-with-letsencrypt-ssl-certificate/
How to configure SSL in Jetty with CA signed certificate properly?
Can anyone help me to dig out the issue?
It might be easier to run your existdb instance behind a nginx proxy and let nginx handle SSL connections with letsencrypt certs.
More on existdb deployment scenarios here:
https://e-editiones.org/wp-content/uploads/2020/08/Common-eXist-db-TEI-Publisher-Deployment-Scenarios.pdf
Related
I'm now researching the Hashistack and trying to deploy pet microservice-based project on it. I deployed Nomad and Consul clusters with Ansible roles on bare metal nodes:
https://github.com/ansible-community/ansible-consul.git (v2.5.4)
https://github.com/ansible-community/ansible-nomad.git (v1.9.6)
Servers of Nomad and Consul are placed on the same nodes.
I do not use Vault. I created separate private CA, generated TLS certificates and private keys for these services and configured Nomad and Consul servers and clients to use them.
My goal is to setup production ready Hashistack cluster. So that I want to setup full TLS for both services.
I successfully connected to both UIs via HTTP, but when I try HTTPS, I get the SSL_ERROR_BAD_CERT_ALERT error.
I'll appreciate if you suggest the best practices to operate the Hashistack in production, and what steps are required for it.
Thank you!
I'm a bit late to respond, but came across the same error. Figured I'd leave my solution in case future readers find it helpful...
For me, the issue came down to the verify_https_client flag in my Nomad tls config block. Since Nomad is configured for mutual TLS, all clients (including web browsers) need to provide a client certificate signed by the same CA used by Nomad in order to connect. You'll need to generate/sign that certificate, and look up how to configure your browser to automatically provide it when needed.
For production use, that's the safest route. For a dev environment, you can just set that verify_https_client config to false in your Nomad config.
Here's a link to the Nomad docs for this flag: https://www.nomadproject.io/docs/configuration/tls#verify_https_client
You need first, generate a client certificate for your web brower.
Then convert it to PKCS12 format.
openssl pkcs12 -export -inkey ./nomad-cli.key -in ./nomad-cli.pem -out ./nomad-cli.p12
Let's say your are using Chrome,
Go to chrome://settings/certificates?search=certificate and import the converted certificate nomad-cli.p12.
I've found answer for same case.
When nomad cluster deployed with mTLS need deploy cli keys to each server nodes or at least on the node to which you are configuring the connection.
cli keys generated by instruction https://learn.hashicorp.com/tutorials/nomad/security-enable-tls#nomad-ca-key-pem
and nginx configured by instruction https://learn.hashicorp.com/tutorials/nomad/reverse-proxy-ui?in=nomad/manage-clusters
however this manual does not contain a description of configuring mTLS.
You need add following parameters in location /.
location / {
....
proxy_pass https://127.0.0.1:4646;
proxy_ssl_certificate /etc/nomad.d/cli.pem;
proxy_ssl_certificate_key /etc/nomad.d/cli-key.pem;
proxy_ssl_verify off;
....
}
In this case nginx can connect encrypted connection with nomad http port with TLS.
Also don't forget enable http basic auth at least.
We are trying to enable tls to the Consul so that our Rest service(which is using self-signed certificate) will be able to register to Consul in Https mode, For enabling TLS I am following Consul documentation as well as below links
https://www.digitalocean.com/community/tutorials/how-to-secure-consul-with-tls-encryption-on-ubuntu-14-04
http://russellsimpkins.blogspot.in/2015/10/consul-adding-tls-using-self-signed.html
Note: I am using centos 7.2
now my service try to register to the consul but in Consul dashboard its down and on the console I am getting below error:
x509: certificate signed by unknown authority
we found the solution. we have to add the CA cert to TLS trust store instead JVM trust store for centos it is "/etc/pki/tls/certs/ca-bundle.crt"
just by appending CA certificate to this file solved our issue
I am working to setup my application to watch calendar events through Google's Calendar API. In doing so I must setup a "Push" endpoint on my server that has a valid SSL certificate (not self-signed).
My production environment is running on Heroku so setting up an SSL cert was easy using Expidited SSL. I have two CNames setup in GoDaddy, one for my production application and one for my development environment tunneled through ngrok. I'm using the paid ngrok feature of white labeled domain tunneling (dev.mydomain.com).
Host Points To
www saga-1234.herokussl.com
dev ngrok.com
The problem is that my ssl certificate is recognized when you hit the production application (www.mydomain.com), but it uses ngrok's certificate when you visit the development application (dev.mydomain.com).
How can I setup my ngrok tunnel to use my ssl certificate?
Ngrok's white labeled domain does not support HTTPS if you are using your own domain. Simply because it serves it's own certificate, where you need to serve your domain's. That's why you are getting certificate mismatch issue.
Here's what you could do to watch calendar events on your dev machine:
Point ngrok.mydomain.com to another server, let's say a new EC2
micro instance
Point wildcard CNAME to ngrok.mydomain.com
Compile ngrok server and client to use your certificate (rather than
ngrok.com)
Run the ngroku-server on EC2 instance
On your dev machine config the client to use ngrok.mydomain.com instead of ngroku.com
Run ngrok -subdomain=dev 80
Your local dev machine's 80 port should be accessible via https://dev.mydomain.com
This is really cool and is very helpful when debugging Google's webhooks, which require valid HTTPS and a verified root domain name.
Another interesting trick is to use CloudFlare's universal SSL to have a valid https://dev-machine.mydomain.com pointing to your dev machine without purchasing a certificate. The steps are exactly the same except that you need to issue your own certificate for ngrok client-server communications and use CloudFlare's Flex SSL for dev-machine.yourdomain.com.
ngrok has a new feature that tunnels and terminates SSL. Thus you can use your own domain and HTTPS. No need to open ports in your router or PC. They call it TLS Tunneling. The following is a link to a GitHub repos that describes how to do it.
How to use your own domain to access your home PC over the internet. Use HTTPS without raising SSL errors.
I need to install VeriSign SSL certs on a Heroku app.
The requirements for using these certs are:
Dedicated IP address.
A CSR generated on the web server with the domain name.
Is it possible to achieve the above, either directly through the Heroku platform or via custom addons.
You should follow the Heroku SSL Endpoint Guide. Don't worry about the IP address, it comes courtesy of the Heroku SSL endpoint. I also don't think you need to create the certificate signing request on the server, once the certificate is created, you can use it where you want.
I am planning to add a SSL certificate to my app on Heroku. For that, I am planning to buy a wildcard ssl certificate. A requirement for that certificate is that I need to have a "dedicated IP address".
Afaik, I don't think I have a dedicated IP address as I am hosting my code with Heroku and I don't think I can be guaranteed an IP address of that machine.
Am I missing anything? Should I be looking at another kind of SSL certificate?
Thanks!
If your domain name is registered and pointing to Heroku as Heroku's documentation advises, then you should be able to get an SSL certificate for that domain name. Your SSL certificate authority should not require you to enter in an IP address. I can only speculate that it might say you need a "dedicated IP address" in order to discourage people from trying to get an SSL certificate for their residential cable modem, etc.