How to enable HTTPS for VS Code Live Server extension? - https

I have installed OpenSSL and created a certificate and private key. I used the configuration from this page (shown below) but when I use live server extension from VS Code, it says "Connection not secured" and "Certificate is Invalid".
liveServer.settings.https: To enable https protocol.
Properties :
"liveServer.settings.https": {
"enable": false, //set it true to enable the feature.
"cert": "C:\\https\\server.cert", //full path
"key": "C:\\https\\server.key", //full path
"passphrase": "12345"
},

Related

FireFox ADMX Extension Management via GPO not working

Trying to block all but allow specific plugins. I have the okta one and the web password filler working, but not the logon assist. I've tried putting in (secret-server-logon-assist-ff57#thycotic.com), and {secret-server-logon-assist-ff57#thycotic.com}, and also without any extras. These codes come from just the numeric URL (ie https://addons.mozilla.org/firefox/downloads/file/1747490) which says "Secret Server Login Assist (secret-server-logon-assist-ff57#thycotic.com) is blocked by your system administrator. Extension not on OAI allowed list". Am I misreading this message, or missing something on this specific one?
I posted this on support.mozilla.org, but haven't gotten any replies yet...
{
"*": {
"blocked_install_message" : "Extension not on OAI allowed list",
"installation_mode": "blocked"
},
"dd1e31d5-3623-45cb-b1ad-64074d36b360#thycotic.com": {
"installation_mode": "allowed",
"install_url": "https://addons.mozilla.org/firefox/downloads/file/3906662/secret_server_web_password_filler-3.2-fx.xpi"
},
"secret-server-logon-assist-ff57#thycotic.com": {
"installation_mode": "allowed",
"install_url": "https://addons.mozilla.org/firefox/downloads/file/1747490/secret_server_login_assist-2.1.1-an+fx.xpi"
},
"plugin#okta.com": {
"installation_mode": "allowed",
"install_url": "https://addons.mozilla.org/firefox/downloads/file/3901586/okta_browser_plugin-6.8.0-an+fx.xpi"
}
}
snip

Websocket connection failing from Firefox extension

I have a Firefox extension which connects to a websocket server and sends a message. I packaged it with web-ext build, renamed the .zip to a .xpi. Last month I installed it in Firefox after setting xpinstall.signatures.required to false in about:config. I added the SSL key to the Firefox certificate manager. It worked for a month. Yesterday there was probably a Firefox update and now the extension is blocked because it is not signed. After some research, I found that the regular Firefox has not allowed unsigned extensions for a long time. It makes me wonder what version I had until yesterday; I am working on a Ubuntu 20.04 system I set up 2 months ago.
When the extension is loaded manually with about:debugging, the extension works as it did before (websocket creation is successful and a message is sent).
I read online that Firefox Developer edition allows unsigned extensions. But after following the exact same steps, I cannot get the extension to work with a .xpi or by temporarily loading the extension. It is the same error in both circumstances:
Firefox can’t establish a connection to the server at wss://localhost:9501/.
The extension has a manifest and a background script
manifest.json:
{
"description": "weblogging app",
"manifest_version": 2,
"name": "weblogger",
"version": "1.0",
"browser_specific_settings": {
"gecko": {
"id": "browser_logger#example.org",
"strict_min_version": "50.0"
}
},
"background": {
"scripts": ["background.js"]
},
"permissions": []
}
background.js:
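// Endpoint of the local logging server; wss:// keeps the socket TLS-protected.
const websocketArguments = 'wss://localhost:9501';
// Plain boolean: `new Boolean(false)` produces an object, which is always truthy,
// so any `if (connected)` check would never take the false branch.
let connected = false;
// The single socket shared by the handlers below; assigned in createWebsocket().
let webSocket;
createWebsocket();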
/**
 * Generic error logger (not attached to any handler in this script).
 * @param {unknown} error - value to report; interpolated into the message
 */
function onError(error) {
  const message = `Error: ${error}`;
  console.log(message);
}
/**
 * Opens the socket to `websocketArguments`, wires the error/open handlers,
 * and stores it in the shared `webSocket` variable.
 */
function createWebsocket() {
  const socket = new WebSocket(websocketArguments);
  socket.onerror = onWebSocketError;
  socket.onopen = onWebSocketOpen;
  webSocket = socket;
}
/**
 * Logs the error event raised by the socket.
 * @param {Event} event - the WebSocket error event
 */
function onWebSocketError(event) {
  console.log("WebSocket error observed:", event);
}
/**
 * Open handler: logs the socket's ready state, sends the greeting and marks
 * the shared `connected` flag.
 * @param {Event} event - the WebSocket open event (not used)
 */
function onWebSocketOpen(event) {
  const { readyState } = webSocket;
  console.log("WebSocket open: ", readyState);
  webSocket.send("hello there");
  connected = true;
}
Whatever the reason I could not get the extension to work when unsigned, it was just easier to get it signed.
https://addons.mozilla.org/en-CA/developers/

Traefik acme timeouts

I'm trying to get Traefik working properly in AKS. Overall it works fine, however I cannot get the ACME certs to work. Below I have attached my traefik.toml configuration, in which I can't find anything odd.
The 3 domains that are mentioned are dummies in this use case but actually exist and respond as well.
# traefik.toml
logLevel = "info"
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
compress = true
[entryPoints.https]
address = ":443"
compress = true
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "/ssl/tls.crt"
KeyFile = "/ssl/tls.key"
[entryPoints.traefik]
address = ":8080"
[ping]
entryPoint = "http"
[kubernetes]
[traefikLog]
format = "json"
[acme]
KeyType = "RSA4096"
email = "pimjansen#domain.com"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = true
acmeLogging = true
[acme.httpChallenge]
entryPoint = "http"
[[acme.domains]]
main = "traefik.domain.com"
[[acme.domains]]
main = "elasticsearch.domain.com"
[[acme.domains]]
main = "kibana.domain.com"
[api]
entryPoint = "traefik"
dashboard = true
The actual error I am receiving is this:
{"level":"error","msg":"Unable to obtain ACME certificate for domains \"traefik.hardstyletop40.com\" : unable to generate a certificate for the domains [traefik.domain.com]: acme: Error -\u003e One or more domains had a problem:\n[traefik.domain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://traefik.hardstyletop40.com/.well-known/acme-challenge/mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY: Error getting validation data, url: \n","time":"2019-09-11T14:47:13Z"}
With details about the challenge:
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://traefik.domain.com/.well-known/acme-challenge/mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY: Error getting validation data",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/293838266/LPH2sA",
"token": "mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY",
"validationRecord": [
{
"url": "http://traefik.domain.com/.well-known/acme-challenge/mYkyJzIM-6Y2UIknhXpCkUUTZWjzsAeMuqx7eDCZloY",
"hostname": "traefik.hardstyletop40.com",
"port": "80",
"addressesResolved": [
"13.79.159.165"
],
"addressUsed": "13.79.159.165"
}
]
},
Thanks in advance
How letsencrypt works is by putting a file in the .well-known directory on your specified webserver.
You're saying they're dummy, so you might be doing them locally? In any case, if the autogenerated file isn't found on the webserver, it can't be verified that the certificate is requested from the "owning" domain.
How the flow works heavily simplified:
letsencrypt -> generate file name: abc133......
letsencrypt -> find webroot of provided domain in webserver config
letsencrypt -> copy file to .well-known in webroot of given domain
letsencrypt -> send a webrequest with filename and domain name to letsencrypt.org
letsencrypt.org -> try to request the file from the given domain looked up via dns
letsencrypt.org -> successfully requested file and verified, output certificate
letsencrypt -> read certificate and copy to certificates folder, make a few symlinks
letsencrypt -> modify webserver configs if needed
Now if you're working with dummy domains and not on the live server, the above process will fail on step 3, which will cause step 5 to fail, which will result in an error which you are getting.
An alternative is that you set a DNS record key to verify, if you can't run the command on the webserver to generate the certificate.
sudo certbot -d your.dummy.com --manual --preferred-challenges dns certonly
This will give you a code that you will need to put in a TXT record on your domain's DNS server.
When you have done that, you confirm in the letsencrypt app that you've set the record and continue.
In short, if you cannot run the command on the webserver to generate the certificates, or cannot modify the DNS records, you cannot obtain a certificate via letsencrypt.

FTP-Sync for Visual Studio Code with implicit FTP TLS/SSL

I'm trying to mimic my working WinSCP FTP site on Visual Studio Code with the FTP-Sync package and I can't get this done for some reason.
Our server requires implicit FTP so my working site is ftps://ftpwebsite.user:990 and it prompts for my user and pass which works.
This package tries to connect for a minute and then closes with no luck.
Config file:
{
"protocol": "ftps",
"host": "ftpweb.user",
"port": 990,
"user": "ftpweb.user|user123",
"pass": "**********",
"remote": "/",
"secure": false,
"uploadOnSave": true,
"passive": true,
"debug": true,
"privateKeyPath": null,
"passphrase": null,
"agent": null,
"watch":[],
"watchTimeout": 500,
"allow": [],
"ignore": [
"\\.vscode",
"\\.git",
"\\.DS_Store"
],
"generatedFiles": {
"extensionsToInclude": [
""
],
"path": ""
}
}
It seems that the ftp-sync uses Node.js node-ftp module.
And it seems that for it to use implicit TLS/SSL, you need to set secure to implicit:
secure - mixed - Set to true for both control and data connection encryption, 'control' for control connection encryption only, or 'implicit' for implicitly encrypted control connection (this mode is deprecated in modern times, but usually uses port 990) Default: false
See also How to connect to a implicit FTPS server with nodeJS?
Though are you sure that you need to use the implicit mode? As even mentioned in the above documentation, the implicit mode is obsolete.

Javascript get request from https server to localhost:port with self signed SSL

I have two servers configured and running on my Debian server. One main server and one Elasticsearch (search engine) server.
The main server is running on a https node server with a NGINX proxy and a purchased SSL certificate. The Elasticsearch server is running on a http server. I've added a new NGINX proxy server to redirect https://localhost:9999 to http://localhost:9200 with a self-signed SSL certificate. There's also a configured authentication on the Elasticsearch server with a username and a password.
Everything seems to be properly configured since I can get a successful response from the server when I'm doing a curl from the server's terminal towards https://localhost:9999 with the -k option to bypass the verification of the self-signed certificate; without it, it does not work.
I cannot do a cross-domain request from my https main server to my http localhost server. Therefore I need to configure https on my localhost server.
Without the -k option:
curl: (60) SSL certificate problem: self signed certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
With the -k option:
{
"name" : "server-name",
"cluster_name" : "name",
"cluster_uuid" : "uuid",
"version" : {
"number" : "x.x.x",
"build_hash" : "abc123",
"build_date" : "Timestamp",
"build_snapshot" : false,
"lucene_version" : "x.x.x"
},
"tagline" : "You Know, for Search"
}
Which is a successful Elasticsearch server response.
So the full curl request looks something like curl -k https://localhost:9999/ --user username:password.
So, the actual question:
I would like to be able to do a simple jQuery AJAX request towards this server. I'm trying with the following request $.get('https://username:password#localhost:9999/') but I'm getting ERR_CONNECTION_REFUSED.
My guess is that the AJAX request does not bypass the self-signed certificate verification and therefore it refuses to connect.
Is there any simple way to solve this with request headers or something like that? Or do i need to purchase a CA-certificate to make this work with AJAX?
You are right, the problem is the self-signed certificate. If you try the same request but as http it will work.
Here is a workaround to make ElasticSearch work with https:
You need to implement your own Http Connector:
var HttpConnector = require('elasticsearch/src/lib/connectors/http');
var inherits = require('util').inherits;
var qs = require('querystring');
var fs = require('fs');
/**
 * HttpConnector subclass whose request params pin trust to a local CA file.
 * @param {object} host - connection target, forwarded to HttpConnector
 * @param {object} config - client configuration, forwarded unchanged
 */
function CustomHttpConnector(host, config) {
  Reflect.apply(HttpConnector, this, [host, config]);
}
// util.inherits: make CustomHttpConnector.prototype delegate to HttpConnector.prototype.
inherits(CustomHttpConnector, HttpConnector);
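// The CA bundle is read lazily and kept for the life of the process so the
// connector does not hit the filesystem on every request. The path is resolved
// against process.cwd(), not this file's directory — NOTE(review): consider
// path.resolve(__dirname, ...) if the working directory can vary.
let cachedCaCertificate;
function loadCaCertificate() {
  if (cachedCaCertificate === undefined) {
    cachedCaCertificate = fs.readFileSync('publicCertificate.crt', 'utf8');
  }
  return cachedCaCertificate;
}

// This function is copied and modified from elasticsearch-js/src/lib/connectors/http.js
/**
 * Builds the options object handed to the HTTPS request for one call.
 *
 * Mirrors HttpConnector#makeReqParams, adding `ca` so the self-signed server
 * certificate is trusted explicitly while `rejectUnauthorized` stays true —
 * verification is pinned to that CA, not disabled.
 * @param {object} [params] - per-request overrides: method, path, headers, query
 * @returns {object} request options (method, protocol, auth, hostname, port, path, headers, agent, rejectUnauthorized, ca)
 * @throws if the CA file cannot be read
 */
CustomHttpConnector.prototype.makeReqParams = function (params) {
  const opts = params || {};
  const host = this.host;
  const reqParams = {
    method: opts.method || 'GET',
    protocol: `${host.protocol}:`,
    auth: host.auth,
    hostname: host.host,
    port: host.port,
    path: (host.path || '') + (opts.path || ''),
    headers: host.getHeaders(opts.headers),
    agent: this.agent,
    rejectUnauthorized: true,
    ca: loadCaCertificate(),
  };
  // An empty path is not a valid request target.
  if (!reqParams.path) {
    reqParams.path = '/';
  }
  const query = host.getQuery(opts.query);
  if (query) {
    reqParams.path = `${reqParams.path}?${qs.stringify(query)}`;
  }
  return reqParams;
};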
// CommonJS export; consumers pass this as `connectionClass` to the client.
module.exports = CustomHttpConnector;
Then register it like so:
var elasticsearch = require('elasticsearch');
var CustomHttpConnector = require('./customHttpConnector');
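/**
 * Wraps an elasticsearch client that talks HTTPS through CustomHttpConnector.
 * Call with `new`; the configured client is exposed as `this.client`.
 */
function Elasticsearch() {
  this.client = new elasticsearch.Client({
    host: {
      host: 'my.server.com',
      port: '443',
      protocol: 'https',
      // NOTE(review): credentials are embedded in source; load them from
      // configuration or the environment in a real deployment.
      auth: 'user:passwd',
    },
    keepAlive: true,
    // Fixed key: the client option is `apiVersion`; the misspelt key was silently ignored.
    apiVersion: "1.3",
    // Route every request through the connector that pins the self-signed CA.
    connectionClass: CustomHttpConnector,
  });
}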
https://gist.github.com/fractalf/d08de3b59c32197ccd65
If you want to make simple AJAX calls without using ES, the only thing you can do is prompt the user to visit the page and accept the certificate themselves when the request is denied.
Also see: https://stackoverflow.com/a/4566055/5758328
