Using the code below to zip a directory (works) and transfer it to the EC2 host using SSH.
data "archive_file" "scripts" {
  type        = "zip"
  source_dir  = "${path.module}/files/app"
  output_path = "${path.module}/files/app.zip"
}

resource "null_resource" "upload" {
  provisioner "file" {
    source = data.archive_file.scripts.output_path
    # output_path carries the local module path; keep only the file name on the
    # remote side, otherwise the copy targets a directory that does not exist there.
    destination = "/home/${var.ec2_user}/${basename(data.archive_file.scripts.output_path)}"

    connection {
      type        = "ssh"
      user        = var.ec2_user
      private_key = file("C:/Users/myuser/.ssh/id_rsa.ppk")
      host        = var.hostname
    }
  }
}
However I get the following error:
Error: Failed to read ssh private key: no key found
How do I use a local ssh key to transfer the zip to the remote host?
The files are small; should I be using a provisioner at all?
Thanks
Error: Failed to read ssh private key: no key found
That error means that no private key was found in the file specified.
In the following line of your example, you are specifying a private key in PuTTY format.
private_key = file("C:/Users/myuser/.ssh/id_rsa.ppk")
Terraform expects private keys to be RSA or ECDSA PEM files. Your SSH server might only support RSA. Newer SSH servers usually support both RSA and ECDSA.
If you created your private key with OpenSSH, then the private key filename defaults to id_rsa. If that file exists, change your Terraform to:
private_key = file("C:/Users/myuser/.ssh/id_rsa")
I'm using HashiCorp Vault as a secrets store and installed it via the apt repository on Ubuntu 20.04.
After that, I added the root key to access the UI and I'm able to add or delete secrets using UI.
Whenever I'm trying to add or get a secret using the command line, I get the following error:
jarvis#saki:~$ vault kv get secret/vault
Get "https://127.0.0.1:8200/v1/sys/internal/ui/mounts/secret/vault": http: server gave HTTP response to HTTPS client
My Vault config looks like this:
# Full configuration options can be found at https://www.vaultproject.io/docs/configuration
ui = true

#mlock = true
#disable_mlock = true

storage "file" {
  path = "/opt/vault/data"
}

#storage "consul" {
#  address = "127.0.0.1:8500"
#  path    = "vault"
#}

# HTTP listener
#listener "tcp" {
#  address     = "127.0.0.1:8200"
#  tls_disable = 1
#}

# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}

# Example AWS KMS auto unseal
#seal "awskms" {
#  region     = "us-east-1"
#  kms_key_id = "REPLACE-ME"
#}

# Example HSM auto unseal
#seal "pkcs11" {
#  lib            = "/usr/vault/lib/libCryptoki2_64.so"
#  slot           = "0"
#  pin            = "AAAA-BBBB-CCCC-DDDD"
#  key_label      = "vault-hsm-key"
#  hmac_key_label = "vault-hsm-hmac-key"
#}
I fixed the problem. Though the exception can be common to more than one similar problem, I fixed it by exporting the root token generated after running this command:
vault server -dev
The output is like this
...
You may need to set the following environment variable:
$ export VAULT_ADDR='http://127.0.0.1:8200'
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Unseal Key: 1+yv+v5mz+aSCK67X6slL3ECxb4UDL8ujWZU/ONBpn0=
Root Token: s.XmpNPoi9sRhYtdKHaQhkHP6x
Development mode should NOT be used in production installations!
...
Then just export these variables by running the following commands:
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN="s.XmpNPoi9sRhYtdKHaQhkHP6x"
Note: Replace "s.XmpNPoi9sRhYtdKHaQhkHP6x" with your token received as output from the above command.
Then run the following command to check the status:
vault status
Again, the error message can be similar for many different problems.
In PowerShell on Windows 10, I was able to set it this way:
$Env:VAULT_ADDR='http://127.0.0.1:8200'
Then
vault status
returned correctly. This was on Vault 1.7.3 in dev mode.
You can echo VAULT_ADDR by specifying it on the command line and pressing Enter - same as the set line above but omitting the = sign and everything after it:
$Env:VAULT_ADDR
Output of vault status:
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.7.3
Storage Type    inmem
Cluster Name    vault-cluster-80649ba2
Cluster ID      2a35e304-0836-2896-e927-66722e7ca488
HA Enabled      false
Try using a new terminal window. This worked for me.
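The error in this thread is a scheme mismatch: the config posted above defines a TLS listener, while the CLI's VAULT_ADDR was the plain http://127.0.0.1:8200 that the dev-mode instructions hand out. The following is an added example, not part of any answer above and not Vault's own code: it reads the active (uncommented) listener blocks from a Vault config and reports whether a given VAULT_ADDR uses the scheme and port that listener actually speaks. The inputs are the config posted in the question and a constructed equivalent of what vault server -dev listens on; only the small HCL subset used by listener blocks is parsed.

```python
import re
from urllib.parse import urlsplit

# Added example (not from the original post or from Vault). It keeps only the
# listener blocks that are not commented out and checks a VAULT_ADDR against
# them. "http: server gave HTTP response to HTTPS client" and its mirror image
# (a TLS handshake failure against a tls_disable listener) are this mismatch.
# Parsed subset of HCL: listener "tcp" { key = value } with '#'/'//' comments.

LISTENER_RE = re.compile(r'listener\s+"tcp"\s*\{(.*?)\}', re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$', re.M)

def strip_comments(text):
    """Drop '#' / '//' line comments so a commented-out listener is ignored."""
    return "\n".join(re.split(r"(?:^|\s)(?:#|//)", line, maxsplit=1)[0]
                     for line in text.splitlines())

def parse_listeners(config_text):
    """One {key: value} dict per active tcp listener, in file order."""
    return [dict(KV_RE.findall(body))
            for body in LISTENER_RE.findall(strip_comments(config_text))]

def listener_scheme(settings):
    """tls_disable = 1 / true means plain HTTP; TLS is Vault's default."""
    return "http" if str(settings.get("tls_disable", "0")).lower() in ("1", "true") else "https"

def check_vault_addr(config_text, vault_addr):
    """Return (ok, message) for a VAULT_ADDR value against the configured listeners."""
    url = urlsplit(vault_addr)
    port = url.port or (443 if url.scheme == "https" else 80)
    listeners = parse_listeners(config_text)
    if not listeners:
        return False, "no active tcp listener in config"
    for l in listeners:
        address = l.get("address", "127.0.0.1:8200")      # Vault's default listener address
        host, sep, lport = address.rpartition(":")
        if int(lport if sep else "8200") != port:
            continue
        scheme = listener_scheme(l)
        if scheme == url.scheme:
            return True, f"{vault_addr} matches listener {address} ({scheme})"
        fix = f"{scheme}://{url.hostname}:{port}"
        return False, f"listener {address} speaks {scheme}, client uses {url.scheme}; set VAULT_ADDR={fix}"
    return False, f"no listener on port {port}"

# Config as posted in the question above (the commented-out HTTP listener included).
PAGE_CONFIG = """
ui = true
storage "file" {
  path = "/opt/vault/data"
}
# HTTP listener
#listener "tcp" {
#  address = "127.0.0.1:8200"
#  tls_disable = 1
#}
# HTTPS listener
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file = "/opt/vault/tls/tls.key"
}
"""

# Constructed: what `vault server -dev` listens on (it has no config file of its own).
DEV_CONFIG = """
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 1
}
"""

if __name__ == "__main__":
    for cfg, addr in ((PAGE_CONFIG, "http://127.0.0.1:8200"),
                      (PAGE_CONFIG, "https://127.0.0.1:8200"),
                      (DEV_CONFIG, "http://127.0.0.1:8200")):
        print(check_vault_addr(cfg, addr))
```

For the posted config the CLI needs VAULT_ADDR=https://127.0.0.1:8200 together with VAULT_CACERT pointing at the CA that issued /opt/vault/tls/tls.crt (or at the certificate itself if it is self-signed); the http:// address in the accepted answer is right only for vault server -dev, whose listener has TLS disabled.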
makecert
and press Enter, then this error occurs.
I tried the solutions provided but they did not work for me.
e.g.: set OPENSSL_CONF=c:/OpenSSL_Win64/bin/openssl.cnf
WARNING: can't open config file: ./bin/openssl.cnf
Unable to load config info from ./bin/openssl.cnf
WARNING: can't open config file: ./bin/openssl.cnf
Error opening Private Key privkey.pem
5344:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:398:fopen('privkey.pem','rb')
5344:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:400:
unable to load Private Key
WARNING: can't open config file: ./bin/openssl.cnf
Loading 'screen' into random state - done
server.csr: No such file or directory
Could Not Find C:\xampp\apache\.rnd
Could Not Find C:\xampp\apache\privkey.pem
Could Not Find C:\xampp\apache\server.csr
The system cannot find the file specified.
The system cannot find the file specified.
-----
The certificate was created.
The certificate was provided.
Explaining your problem
This error occurs mainly on Windows computers when you are using the OpenSSL package or the Windows installer!
The reason is that OpenSSL failed to locate the openssl.cnf file!
Step-by-Step instructions
I would recommend that you do the following (Windows only):
Open your command prompt as Administrator (a few OpenSSL commands open in a random state, thus when OpenSSL tries to write to your disk it fails).
Try this easy and fast method: open the Run dialog box, type cmd and press Enter.
Now before you run any OpenSSL command type the following:
set OPENSSL_CONF=c:\[PATH TO YOUR OPENSSL DIRECTORY]\bin\openssl.cfg
A sample path is: C:\OpenSSL-Win32\bin\openssl.cfg. For Windows (x64-bit) use C:\OpenSSL-Win64\bin\openssl.cfg!
After you have done this you are good to go with your OpenSSL work. Try openssl version and the error is gone.
Remember that every time you open a command prompt you have to run the above command unless you set it as an environment variable.
Solve your problem
Your problem could be:
You set the environment variable to the folder OpenSSL_Win64. It should perhaps be OpenSSL-Win64!
You perhaps forgot to run the command prompt as an Administrator!
You set the environment variable to the file openssl.cnf but it must be openssl.cfg!
Helpful sites
Read also:
WARNING: can’t open config file: /usr/local/ssl/openssl.cnf on Windows 7 (another detailed instructions for your problem)
How To Add/Edit Environment Variables in Windows 7 (helpful if you want set the environment variables forever on your Windows!)
Manually creating an openssl.cnf file in the correct location can solve the problem.
Here is a file template (edit as needed):
#
# OpenSSL configuration file.
#

# Establish working directory.
dir = .

[ ca ]
default_ca = CA_default

[ CA_default ]
serial        = $dir/serial
database      = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate   = $dir/cacert.pem
private_key   = $dir/private/cakey.pem
default_days  = 365
default_md    = sha256          # md5-signed certificates are rejected by current clients
preserve      = no
email_in_dn   = no
nameopt       = default_ca
certopt       = default_ca
policy        = policy_match

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
default_bits       = 2048       # Size of keys (1024-bit RSA is no longer acceptable)
default_keyfile    = key.pem    # name of generated keys
default_md         = sha256     # message digest algorithm
string_mask        = nombstr    # permitted characters
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
# Variable name             Prompt string
#-------------------------  ----------------------------------
0.organizationName     = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress           = Email Address
emailAddress_max       = 40
localityName           = Locality Name (city, district)
stateOrProvinceName    = State or Province Name (full name)
countryName            = Country Name (2 letter code)
countryName_min        = 2
countryName_max        = 2
commonName             = Common Name (hostname, IP, or your name)
commonName_max         = 64

# Default values for the above, for consistency and less typing.
# Variable name                Value
#------------------------      ------------------------------
0.organizationName_default  = My Company
localityName_default        = My Town
stateOrProvinceName_default = State or Province
countryName_default         = US

[ v3_ca ]
basicConstraints       = CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints     = CA:FALSE
subjectKeyIdentifier = hash
When you install OpenSSL-Win64, it is located in C:\Program Files\OpenSSL-Win64, so you need to set this path with a console command:
set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg
I'm trying to install an applet into a J3A040 JCOP card.
As the install method I have the following:
protected MainApplet() {
    try {
        // CREATE RSA KEYS AND PAIR
        m_keyPair = new KeyPair(KeyPair.ALG_RSA_CRT, KeyBuilder.LENGTH_RSA_2048);
        // STARTS ON-CARD KEY GENERATION PROCESS
        m_keyPair.genKeyPair();
        // OBTAIN KEY REFERENCES
        m_publicKey = (RSAPublicKey) m_keyPair.getPublic();
        m_privateKey = (RSAPrivateKey) m_keyPair.getPrivate();
    } catch (CryptoException c) {
        // this line will give you the reason for the problem
        short reason = c.getReason();
        ISOException.throwIt(reason); // for checking
    }
    register();
}
The installation always fails with the following error:
pro.javacard.gp.GPException: Install for Install and make selectable failed SW: 6A80
at pro.javacard.gp.GlobalPlatform.check(GlobalPlatform.java:1092)
at pro.javacard.gp.GlobalPlatform.installAndMakeSelectable(GlobalPlatform.java:798)
at pro.javacard.gp.GPTool.main(GPTool.java:478)
However, if I remove the keypair generation, everything works fine.
I have read the card specification and it states:
RSA and RSA CRT (1280 up to 2048 bits keys) for en-/decryption and signature generation and verification. RSA CRT key generation (1280 up to 2048 bits keys) in a secured environment.
I guess it shouldn't be a problem.
Any guesses?
The problem is caused by an invalid cast: you asked for an RSA KeyPair with the private key in the Chinese Remainder Theorem format (ALG_RSA_CRT).
That is why the getPrivate() method does not return an RSAPrivateKey instance, but an RSAPrivateCrtKey instance. Casting to RSAPrivateKey causes the 6A80 status word.
So you should either use the standard algorithm:
    m_keyPair = new KeyPair(KeyPair.ALG_RSA, KeyBuilder.LENGTH_RSA_2048);
or use the correct cast (the m_privateKey field must then be declared as RSAPrivateCrtKey):
    m_publicKey = (RSAPublicKey) m_keyPair.getPublic();
    m_privateKey = (RSAPrivateCrtKey) m_keyPair.getPrivate();
I'm using Xamarin.mac. I need to get the fully qualified domain name of the local computer. On Windows this code works:
public string GetFQDN()
{
    string domainName = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
    string hostName = Dns.GetHostName();
    string fqdn = "";
    if (!hostName.Contains(domainName))
        fqdn = hostName + "." + domainName;
    else
        fqdn = hostName;
    return fqdn;
}
On a mac this code causes this error: System.NotSupportedException: This platform is not supported.
So, what is the equivalent in Xamarin.mac? Or just in Mono?
Just getting the computer name would be a good start.
To do this, you can pretty much do the same as you'd do in C on a UNIX system, which is to retrieve the hostname with gethostname() and then use a DNS lookup to find the canonical network name for the host. Luckily, System.Net has ready-made calls for this. The following code should work on both OS X and Linux (in fact, on Linux it is more or less what hostname --fqdn does):
using System;
using System.Net;

class Program {
    static void Main() {
        // Step 1: Get the host name
        var hostname = Dns.GetHostName();
        // Step 2: Perform a DNS lookup.
        // Note that the lookup is not guaranteed to succeed, especially
        // if the system is misconfigured. On the other hand, if that
        // happens, you probably can't connect to the host by name, anyway.
        var hostinfo = Dns.GetHostEntry(hostname);
        // Step 3: Retrieve the canonical name.
        var fqdn = hostinfo.HostName;
        Console.WriteLine("FQDN: {0}", fqdn);
    }
}
Note that with a misconfigured DNS, the DNS lookup may fail, or you may get the rather useless "localhost.localdomain".
If you wish to emulate your original approach, you can use the following code to retrieve the domain name:
    // needs "using System.Text;" for StringBuilder and a reference to the Mono.Posix assembly
    var domainname = new StringBuilder(256);
    Mono.Unix.Native.Syscall.getdomainname(domainname, (ulong) domainname.Capacity - 1);
You will need to add the Mono.Posix assembly to your build for this.
I've a private key made with OpenSSL and encrypted with RSA like this:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQILJ8rNTk54VICAggA
MBQGCCqGSIb3DQMHBAiXuThuf12hMwSCBMhrm8H2j7yzLBOIvSWbLoyUmIn7e9zA
6PLDzj1dos+h+wAkPN0IgJlkdoBBXlnF7tzGdoctOYOKiu/p+HLzMnvHaDfNSFwz
5zx4yyZsKtf90gT6IVuJy7TMiLK3gk4gdZJc820OeRr1FjdRV3iVpTXbVfpwG/B3
IbV0PX3ZaHeR1m8vWI0/XQB7ZL7lLT+3MO66X/PAMTPA9joFMxuPFasIb2uXSqe/
CJNOyY4iW89uYHFiOe53e4ggUdT/rupoR4OSNKKEH5f1y+FIuH1xNvlmi14hJn+k
KOOi89vVIcvh4abCM+jhYwpPOGB8Sz2bAXsYocgZPvKtKakHlis7RcSsd5Usx9Nt
tgQ=
-----END ENCRYPTED PRIVATE KEY-----
And I've stored it into a user.key file.
Actually I'm implementing a CMS encrypt and decrypt project in Objective-C. Now I'm trying to decrypt my encrypted container file using certificates, private key, and so on...
I'm a little bit confused which method from OpenSSL I should choose to load the aforementioned key into an EVP_PKEY object.
It offers me the following formats:
FORMAT_ASN1
FORMAT_PEM
FORMAT_PKCS12
FORMAT_MSBLOB
FORMAT_PVK
I know that it's not PEM or PKCS12. I would guess ASN1 or PVK but I really don't know and I haven't found any further information on this in the OpenSSL documentation.
Can anyone tell me please which format the aforementioned key has?
EDIT:
To make my question a bit more specific: I have the aforementioned key loaded into a BIO. I can read this BIO with BIO_read(keybio, ...) successfully and it contains the key (in ASCII). Now I want to get an EVP_PKEY from this BIO.
I've tried...
EVP_PKEY *key = PEM_read_bio_PrivateKey(keybio, NULL, 0, NULL);
... but this doesn't work. When I call this it asks me to enter the passphrase in the console and when I do this, the key is NULL. :-/
The key is a PKCS#8 EncryptedPrivateKeyInfo wrapped in a PEM-container.
You can do something like this to get it into an EVP_PKEY-object:
#include <string.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>   /* PKCS8_decrypt */
#include <openssl/x509.h>     /* X509_SIG, EVP_PKCS82PKEY */

/* Load a PEM "ENCRYPTED PRIVATE KEY" (PKCS#8 EncryptedPrivateKeyInfo) from a BIO.
   Returns a new EVP_PKEY, or NULL with the OpenSSL error queue printed to stderr. */
EVP_PKEY *load_encrypted_pkcs8(BIO *in, const char *password)
{
    BIO *bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
    X509_SIG *p8 = NULL;
    PKCS8_PRIV_KEY_INFO *p8inf = NULL;
    EVP_PKEY *pkey = NULL;

    /* This must be called once before decrypting on OpenSSL < 1.1.0, otherwise
       the PBE ciphers are not registered; newer releases initialise themselves. */
    OpenSSL_add_all_algorithms();

    p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL);
    if (p8 == NULL) {
        BIO_printf(bio_err, "Error decoding key\n");
        ERR_print_errors(bio_err);
        goto done;
    }
    p8inf = PKCS8_decrypt(p8, password, (int)strlen(password));
    if (p8inf == NULL) {
        BIO_printf(bio_err, "Error decrypting key (wrong passphrase?)\n");
        ERR_print_errors(bio_err);
        goto done;
    }
    pkey = EVP_PKCS82PKEY(p8inf);
    if (pkey == NULL) {
        BIO_printf(bio_err, "Error converting key\n");
        ERR_print_errors(bio_err);
    }
done:
    PKCS8_PRIV_KEY_INFO_free(p8inf);   /* both *_free accept NULL */
    X509_SIG_free(p8);
    BIO_free(bio_err);
    return pkey;
}
That (extended) PEM format is used by OpenSSL for PKCS#8 encoded private keys.
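Two questions on this page come down to "what kind of key file is this?": the Terraform thread at the top, where the file was a PuTTY .ppk rather than anything PEM, and the question just above, where it is a PKCS#8 EncryptedPrivateKeyInfo. The following is an added example, not code from either post and not from Terraform or OpenSSL: it classifies a key file from its header and, for an ENCRYPTED PRIVATE KEY block, decodes the PBES2 parameters with a minimal DER walker. Its input is the key quoted in the question above (that copy is cut off, which the parser tolerates) plus two constructed samples; the kind names it returns are this example's own.

```python
import base64
import re

# Added example, not code from either original post. A PuTTY .ppk is not PEM at
# all; an ENCRYPTED PRIVATE KEY block is a PKCS#8 EncryptedPrivateKeyInfo whose
# DER header names the KDF, iteration count, salt, cipher and IV. Standard
# library only; nothing is decrypted, only the header is read.

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
OIDS = {"1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.5.12": "PBKDF2",
        "1.2.840.113549.3.7": "des-ede3-cbc", "2.16.840.1.101.3.4.1.42": "aes-256-cbc"}

def der_tlv(buf, pos):
    """Decode one DER tag and length at buf[pos]; return (tag, value_start, length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, length
def der_oid(value):
    """Dotted-decimal OID from its content octets (base 128, high bit = continue)."""
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))
def algorithm_identifier(buf, pos):
    """SEQUENCE { algorithm OID, parameters ANY } -> (dotted OID, parameters start, SEQUENCE end)."""
    tag, p, ln = der_tlv(buf, pos)
    assert tag == 0x30, "expected SEQUENCE"
    tag, q, oid_len = der_tlv(buf, p)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return der_oid(buf[q:q + oid_len]), q + oid_len, p + ln
def describe_pkcs8_encrypted(der):
    """Header of EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm, encryptedData }; truncation-tolerant."""
    info = {"available": len(der)}
    _, p, ln = der_tlv(der, 0)
    info["declared_total"] = p + ln
    oid, params, alg_end = algorithm_identifier(der, p)
    info["scheme"] = OIDS.get(oid, oid)
    if oid == "1.2.840.113549.1.5.13":        # PBES2-params ::= SEQUENCE { kdf, encryptionScheme }
        _, q, _ = der_tlv(der, params)
        kdf_oid, kdf_params, kdf_end = algorithm_identifier(der, q)
        info["kdf"] = OIDS.get(kdf_oid, kdf_oid)
        if kdf_oid == "1.2.840.113549.1.5.12":  # PBKDF2-params ::= SEQUENCE { salt, iterationCount, ... }
            _, r, _ = der_tlv(der, kdf_params)
            _, s, sl = der_tlv(der, r)
            info["salt"] = der[s:s + sl].hex()
            _, t, tl = der_tlv(der, s + sl)
            info["iterations"] = int.from_bytes(der[t:t + tl], "big")
        enc_oid, enc_params, _ = algorithm_identifier(der, kdf_end)
        info["cipher"] = OIDS.get(enc_oid, enc_oid)
        tag, u, ul = der_tlv(der, enc_params)
        if tag == 0x04:                        # CBC modes carry the IV as an OCTET STRING parameter
            info["iv"] = der[u:u + ul].hex()
    _, v, vl = der_tlv(der, alg_end)           # encryptedData OCTET STRING
    info["ciphertext_declared"] = vl
    info["ciphertext_present"] = max(0, min(vl, len(der) - v))
    return info
def pbes2_advice(info):
    """Flag the weak defaults older OpenSSL releases wrote: 3DES-CBC and 2048 PBKDF2 iterations."""
    issues = []
    if info.get("cipher", "").startswith("des-ede3"):
        issues.append("cipher is 3DES-CBC; re-wrap with: openssl pkcs8 -topk8 -v2 aes-256-cbc")
    if info.get("iterations", 0) < 100000:
        issues.append(f"only {info.get('iterations')} PBKDF2 iterations; add -iter 100000 (or more)")
    return issues
def identify_key_file(text):
    """Classify a private-key file; returns (kind, detail)."""
    head = text.lstrip()
    if head.startswith("PuTTY-User-Key-File-"):   # .ppk is PuTTY's own format, not PEM
        return "putty-ppk", {"version": int(head.split(":", 1)[0].rsplit("-", 1)[1])}
    m = PEM_RE.search(text)
    if not m:
        return "unknown", {}
    label, lines = m.group(1), [l.strip() for l in m.group(2).splitlines()]
    # traditional PEM puts "Proc-Type:"/"DEK-Info:" header lines before the base64 body
    der = base64.b64decode("".join(l for l in lines if l and ":" not in l))
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted", describe_pkcs8_encrypted(der)
    if label in ("PRIVATE KEY", "OPENSSH PRIVATE KEY"):
        return ("pkcs8-plain" if label == "PRIVATE KEY" else "openssh-native"), {"bytes": len(der)}
    if label.endswith(" PRIVATE KEY"):              # RSA/EC/DSA traditional OpenSSL form
        encrypted = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
        return "pem-traditional", {"type": label.split()[0], "encrypted": encrypted}
    return "pem-other", {"label": label}

# The key exactly as quoted in the question above (the page's copy is cut off).
PAGE_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQILJ8rNTk54VICAggA
MBQGCCqGSIb3DQMHBAiXuThuf12hMwSCBMhrm8H2j7yzLBOIvSWbLoyUmIn7e9zA
6PLDzj1dos+h+wAkPN0IgJlkdoBBXlnF7tzGdoctOYOKiu/p+HLzMnvHaDfNSFwz
5zx4yyZsKtf90gT6IVuJy7TMiLK3gk4gdZJc820OeRr1FjdRV3iVpTXbVfpwG/B3
IbV0PX3ZaHeR1m8vWI0/XQB7ZL7lLT+3MO66X/PAMTPA9joFMxuPFasIb2uXSqe/
CJNOyY4iW89uYHFiOe53e4ggUdT/rupoR4OSNKKEH5f1y+FIuH1xNvlmi14hJn+k
KOOi89vVIcvh4abCM+jhYwpPOGB8Sz2bAXsYocgZPvKtKakHlis7RcSsd5Usx9Nt
tgQ=
-----END ENCRYPTED PRIVATE KEY-----"""
# Constructed samples: a PuTTY v2 header, and an encrypted traditional RSA key with a stub body.
PPK_SAMPLE = "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\nComment: rsa-key\n"
RSA_SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```

Run on the key above, identify_key_file reports PBES2 with PBKDF2 (2048 iterations, 8-byte salt) and des-ede3-cbc, which is what older OpenSSL releases wrote by default for openssl pkcs8 -topk8; pbes2_advice flags both, and openssl pkcs8 -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA256 -iter 100000 produces a stronger wrapping. It also makes the .ppk point from the first thread concrete: a file beginning with PuTTY-User-Key-File- contains no PEM armor at all, which is why Terraform reported "no key found".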