LetsEncrypt lego script not working (Bitnami AWS Lightsail) - lets-encrypt

tl;dr: I used to use certbot to install a new certificate from LetsEncrypt, but that involved manually updating TXT records. So I tried to switch to lego to do it. But when I use lego to install a new certificate, it doesn't actually install a new certificate (old one still shows in browser).
Longer version:
I'm on an AWS Lightsail instance running Bitnami. I'm a little familiar with Linux, but I wouldn't consider myself "handy" with it.
In the past, I used to do the following to renew my certificates:
DOMAIN=mydomain.com
WILDCARD=*.$DOMAIN
sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly
(Install TXT records)
sudo /opt/bitnami/ctlscript.sh restart apache
However, this is a bit annoying to have to do, and LetsEncrypt helpfully provides the lego library to do this automatically. So based off the documentation I could find, I did the following:
$ sudo /opt/bitnami/ctlscript.sh stop
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
/opt/bitnami/php/scripts/ctl.sh : php-fpm stopped
/opt/bitnami/mysql/scripts/ctl.sh : mysql stopped
$ sudo /opt/bitnami/letsencrypt/lego --tls --email="myemail@domain.com" --domains="mydomain.com" --domains="www.mydomain.com" --path="/opt/bitnami/letsencrypt" run
2020/02/28 16:58:57 [INFO] [mydomain.com, www.mydomain.com] acme: Obtaining bundled SAN certificate
2020/02/28 16:58:57 [INFO] [mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3062019938
2020/02/28 16:58:57 [INFO] [www.mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3062019945
2020/02/28 16:58:57 [INFO] [mydomain.com] acme: use tls-alpn-01 solver
2020/02/28 16:58:57 [INFO] [www.mydomain.com] acme: use tls-alpn-01 solver
2020/02/28 16:58:57 [INFO] [mydomain.com] acme: Trying to solve TLS-ALPN-01
2020/02/28 16:58:58 http: TLS handshake error from 74.108.143.17:49475: remote error: tls: illegal parameter
2020/02/28 16:58:58 http: TLS handshake error from 94.6.194.131:59130: remote error: tls: bad certificate
2020/02/28 16:58:58 http: TLS handshake error from 74.108.143.17:49476: remote error: tls: illegal parameter
2020/02/28 16:58:58 http: TLS handshake error from 94.6.194.131:59131: remote error: tls: bad certificate
2020/02/28 16:59:00 http: TLS handshake error from 81.187.9.124:49274: remote error: tls: bad certificate
2020/02/28 16:59:01 http: TLS handshake error from 74.108.143.17:49477: remote error: tls: illegal parameter
2020/02/28 16:59:01 http: TLS handshake error from 94.6.194.131:59136: remote error: tls: bad certificate
2020/02/28 16:59:03 [INFO] [mydomain.com] The server validated our request
2020/02/28 16:59:03 [INFO] [www.mydomain.com] acme: Trying to solve TLS-ALPN-01
2020/02/28 16:59:05 http: TLS handshake error from 94.6.194.131:59137: remote error: tls: bad certificate
2020/02/28 16:59:05 http: TLS handshake error from 74.108.143.17:49478: remote error: tls: illegal parameter
2020/02/28 16:59:06 http: TLS handshake error from 86.163.23.242:53113: remote error: tls: bad certificate
2020/02/28 16:59:08 http: TLS handshake error from 94.6.194.131:59138: remote error: tls: bad certificate
2020/02/28 16:59:08 http: TLS handshake error from 74.108.143.17:49479: remote error: tls: illegal parameter
2020/02/28 16:59:09 [INFO] [www.mydomain.com] The server validated our request
2020/02/28 16:59:09 [INFO] [mydomain.com, www.mydomain.com] acme: Validations succeeded; requesting certificates
2020/02/28 16:59:10 [INFO] [mydomain.com] Server responded with a certificate.
$ sudo /opt/bitnami/letsencrypt/lego --tls --email="myemail@domain.com" --domains="unmodchat.com" --domains="www.mydomain.com" --path="/opt/bitnami/letsencrypt" renew --days 90
2020/02/28 16:59:13 [INFO] [mydomain.com] acme: Trying renewal with 2158 hours remaining
2020/02/28 16:59:13 [INFO] [mydomain.com, www.mydomain.com] acme: Obtaining bundled SAN certificate
2020/02/28 16:59:14 [INFO] [mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3062019938
2020/02/28 16:59:14 [INFO] [www.mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3062019945
2020/02/28 16:59:14 [INFO] [mydomain.com] acme: authorization already valid; skipping challenge
2020/02/28 16:59:14 [INFO] [www.mydomain.com] acme: authorization already valid; skipping challenge
2020/02/28 16:59:14 [INFO] [mydomain.com, www.mydomain.com] acme: Validations succeeded; requesting certificates
2020/02/28 16:59:14 [INFO] [mydomain.com] Server responded with a certificate.
$ sudo /opt/bitnami/ctlscript.sh start
/opt/bitnami/mysql/scripts/ctl.sh : mysql started at port 3306
/opt/bitnami/php/scripts/ctl.sh : php-fpm started
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
After doing that, and restarting my browser, when I look at the certificate details it lists the same expiration date as before (March 20th, less than a month from now).
What am I doing wrong? I have a feeling that lego might be installing the certificates to the wrong place, but I'm not quite sure how to find where the "right" place is, nor how to tell lego to put them there.

Solution thanks to Jota Martos from Bitnami. The documentation I found wasn't complete, and skipped step 3 from this documentation: https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#step-3-configure-the-web-server-to-use-the-let-s-encrypt-certificate
After completing those mv commands, and using the lego command again, all is working as it should be now. Thanks Jota!
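The symptom in the question (lego reports "Server responded with a certificate" while the browser still shows the old expiry) is quickest to confirm from the command line by comparing the fingerprint of the certificate the server actually presents on port 443 with the fingerprint of the file lego wrote. The script below is an added example for this thread, not lego or Bitnami code. It assumes lego's default layout under the --path used in the question (/opt/bitnami/letsencrypt/certificates/<domain>.crt, where the .crt holds the leaf certificate followed by the chain) and uses only the Python standard library; the sample PEM constants are constructed so the helpers can be exercised offline and are not real certificates.

```python
"""Compare the leaf certificate a TLS server presents with the one lego wrote to disk.

Added example for this thread (not lego/Bitnami code). Assumed paths:
  /opt/bitnami/letsencrypt/certificates/<domain>.crt   (lego's default under --path)
"""
import hashlib
import re
import ssl
import sys

# Matches one certificate in a PEM bundle; lego's .crt is leaf first, then the chain.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed samples: valid PEM framing around arbitrary base64 so the helpers can be
# tested offline. They are NOT real X.509 certificates.
SAMPLE_PEM_A = "-----BEGIN CERTIFICATE-----\nQ29uc3RydWN0ZWQgc2FtcGxlIEE=\n-----END CERTIFICATE-----\n"
SAMPLE_PEM_B = "-----BEGIN CERTIFICATE-----\nQ29uc3RydWN0ZWQgc2FtcGxlIEI=\n-----END CERTIFICATE-----\n"


def first_pem_block(text):
    """Return the first certificate of a PEM bundle (the leaf, for lego output)."""
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no PEM certificate block found")
    return m.group(0)


def sha256_fingerprint(pem):
    """SHA-256 over the DER bytes, formatted like `openssl x509 -fingerprint -sha256`."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_served_cert(host, port=443):
    """PEM of the leaf the server presents for this SNI name. No chain validation is
    done, so an expired or wrong certificate is still retrievable for inspection."""
    return ssl.get_server_certificate((host, port))


def compare(served_pem, disk_pem):
    """True when the server is presenting exactly the leaf certificate found on disk."""
    return sha256_fingerprint(served_pem) == sha256_fingerprint(first_pem_block(disk_pem))


def main(argv):
    domain = argv[1]
    path = argv[2] if len(argv) > 2 else f"/opt/bitnami/letsencrypt/certificates/{domain}.crt"
    with open(path) as f:
        disk = f.read()
    served = fetch_served_cert(domain)
    print("on disk :", sha256_fingerprint(first_pem_block(disk)))
    print("served  :", sha256_fingerprint(served))
    if compare(served, disk):
        print("OK: the web server is serving the certificate lego obtained")
        return 0
    print("MISMATCH: the web server is still loading a different certificate file")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_served_cert.py mydomain.com` after `ctlscript.sh start`. If the two fingerprints differ, Apache is still loading its old certificate and key files, which is exactly what step 3 of the linked Bitnami guide (moving the old files aside and pointing the web server at the lego output) fixes. The fingerprint is used as the comparison key rather than the expiry date because the standard library cannot read notAfter from an unverified handshake; `openssl x509 -in <file> -noout -enddate` prints the expiry of the file if you want to see it.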

Related

Cannot get wildcard certificate with traefik v2 and godaddy

I'm trying to set up a wildcard certificate mechanism with traefik v2.2 and GoDaddy. What I want to do is generate a valid certificate for the URL pattern *.example.org. Here is my docker-compose:
version: '3.7'
services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    restart: always
    env_file:
      - .provider.env
      # .provider.env contains `GODADDY_API_KEY` and `GODADDY_API_SECRET`
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./tls-certificates:/tls-certificates
    ports:
      # http
      - 8080:80
      # https
      - 443:443
    command:
      - --api.dashboard=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=proxy
      - --entrypoints.webinsecure.address=:80
      - --entrypoints.websecure.address=:443
      # --certificatesresolvers.<name> Certificates resolvers configuration
      # ACME V2 supports wildcard certificates.
      # Wildcard certificates can only be generated through a DNS-01 challenge.
      - --certificatesresolvers.wildcard-godaddy.acme.tlschallenge=true
      - --certificatesResolvers.wildcard-godaddy.acme.dnsChallenge.provider=godaddy
      - --certificatesResolvers.wildcard-godaddy.acme.dnsChallenge.delayBeforeCheck=0
      # Email address used for registration.
      - --certificatesresolvers.wildcard-godaddy.acme.email=foo@example.org
      # Certificates storage
      - --certificatesresolvers.wildcard-godaddy.acme.storage=/tls-certificates/acme.json
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=webinsecure"
      - "traefik.http.routers.traefik.rule=Host(`traefik.example.org`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${DASHBOARD_USERNAME}:${DASHBOARD_PASSWORD}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.example.org`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=wildcard-godaddy"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=example.org"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.example.org"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  proxy:
    external: true
In my DNS I have an A record * pointing to my IP address.
However, when I start the compose I get the following error:
traefik | time="2020-04-15T16:40:50Z" level=debug msg="No default certificate, generating one"
traefik | time="2020-04-15T16:40:51Z" level=debug msg="Looking for provided certificate(s) to validate [\"example.org\" \"*.example.org\"]..." providerName=wildcard-godaddy.acme
traefik | time="2020-04-15T16:40:51Z" level=debug msg="Domains [\"example.org\" \"*.example.org\"] need ACME certificates generation for domains \"example.org,*.example.org\"." providerName=wildcard-godaddy.acme
traefik | time="2020-04-15T16:40:51Z" level=debug msg="Loading ACME certificates [example.org *.example.org]..." providerName=wildcard-godaddy.acme
traefik | time="2020-04-15T16:40:51Z" level=debug msg="Building ACME client..." providerName=wildcard-godaddy.acme
traefik | time="2020-04-15T16:40:51Z" level=debug msg="https://acme-v02.api.letsencrypt.org/directory" providerName=wildcard-godaddy.acme
traefik | time="2020-04-15T16:40:51Z" level=debug msg="Using DNS Challenge provider: godaddy" providerName=wildcard-godaddy.acme
traefik | time="2020-04-15T16:40:51Z" level=debug msg="Using TLS Challenge provider." providerName=wildcard-godaddy.acme
traefik | time="2020-04-15T16:40:51Z" level=debug msg="legolog: [INFO] [example.org, *.example.org] acme: Obtaining bundled SAN certificate"
traefik | time="2020-04-15T16:40:52Z" level=debug msg="legolog: [INFO] [*.example.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id1"
traefik | time="2020-04-15T16:40:52Z" level=debug msg="legolog: [INFO] [example.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id2"
traefik | time="2020-04-15T16:40:52Z" level=debug msg="legolog: [INFO] [*.example.org] acme: use dns-01 solver"
traefik | time="2020-04-15T16:40:52Z" level=debug msg="legolog: [INFO] [example.org] acme: use tls-alpn-01 solver"
traefik | time="2020-04-15T16:40:52Z" level=debug msg="TLS Challenge Present temp certificate for example.org" providerName=acme
traefik | time="2020-04-15T16:40:52Z" level=debug msg="legolog: [INFO] [example.org] acme: Trying to solve TLS-ALPN-01"
traefik | time="2020-04-15T16:40:58Z" level=debug msg="TLS Challenge CleanUp temp certificate for example.org" providerName=acme
traefik | time="2020-04-15T16:40:58Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Preparing to solve DNS-01"
traefik | time="2020-04-15T16:40:58Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Trying to solve DNS-01"
traefik | time="2020-04-15T16:40:58Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Checking DNS record propagation using [127.0.0.11:53]"
traefik | time="2020-04-15T16:40:58Z" level=debug msg="legolog: [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]"
traefik | time="2020-04-15T16:40:58Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:00Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:02Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:04Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:06Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:08Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:10Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:12Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:14Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Waiting for DNS record propagation."
traefik | time="2020-04-15T16:41:21Z" level=debug msg="legolog: [INFO] [*.example.org] acme: Cleaning DNS-01 challenge"
traefik | time="2020-04-15T16:41:22Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id1"
traefik | time="2020-04-15T16:41:22Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id1"
traefik | time="2020-04-15T16:41:22Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id2"
traefik | time="2020-04-15T16:41:22Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/id2"
traefik | time="2020-04-15T16:41:22Z" level=error msg="Unable to obtain ACME certificate for domains \"example.org,*.example.org\" : unable to generate a certificate for the domains [example.org *.example.org]: acme: Error -> One or more domains had a problem:\n[*.example.org] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: During secondary validation: Incorrect TXT record \"null\" found at _acme-challenge.example.org, url: \n[example.org] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url: \n" providerName=wildcard-godaddy.acme
I do not understand whether I'm misconfiguring something or if there's a problem on the Let's Encrypt/GoDaddy side.
Edit:
On port 80 I have another nginx instance up & running
Turned out it was a bug (fixed in v.2.2.1). See here: https://github.com/go-acme/lego/issues/1113
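In the log above, lego's own propagation check only consults the resolver inside the container (127.0.0.11:53), while Let's Encrypt's secondary validation saw a TXT value of "null" at _acme-challenge.example.org. Asking several resolvers yourself what they return for that record, before the challenge is submitted, separates a provider-side problem like the one reported here from a propagation or split-horizon DNS problem. The script below is an added example written for this thread, not Traefik or lego code; it speaks raw DNS over UDP using only the Python standard library. The resolver list, the domain and the expected token are placeholders you replace with your own, and `build_txt_response` constructs a resolver reply so the parser can be exercised offline.

```python
"""Pre-flight check for a DNS-01 challenge: what TXT value do resolvers currently
return for _acme-challenge.<domain>?  Added example for this thread (stdlib only),
not Traefik/lego code. Resolver addresses and tokens below are assumptions."""
import socket
import struct

TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name):
    """'example.org' -> b'\\x07example\\x03org\\x00' (uncompressed wire format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_txt_query(name, txid=0x1234):
    """Standard recursive (RD=1) query for the TXT RRset of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def decode_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_txt_answers(msg):
    """Return the TXT strings in the answer section (character-strings of each RR joined)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode != 0:
        raise RuntimeError(f"DNS error rcode={rcode}")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    values = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_TXT:
            pos, parts = 0, []
            while pos < len(rdata):  # TXT rdata is a sequence of <len><bytes> strings
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
            values.append("".join(parts))
    return values


def query_txt(name, resolver, port=53, timeout=3.0):
    """Send the query over UDP and return the TXT values the resolver answered with."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name), (resolver, port))
        data, _ = s.recvfrom(4096)
    return parse_txt_answers(data)


def challenge_record_visible(txt_values, expected_token):
    """True only if the exact expected challenge value is among the TXT strings."""
    return expected_token in txt_values


def build_txt_response(name, values, txid=0x1234, ttl=300):
    """Constructed resolver reply (QR=1, RD/RA set) used for offline testing."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(values), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    answers = b""
    for v in values:
        rdata = bytes([len(v)]) + v.encode("ascii")
        answers += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answers


if __name__ == "__main__":
    import sys
    domain, token = sys.argv[1], sys.argv[2]  # token: the value your ACME client published
    # Assumed resolvers: Docker's embedded DNS as seen from a container, plus two public ones.
    for resolver in ("127.0.0.11", "8.8.8.8", "1.1.1.1"):
        try:
            vals = query_txt(f"_acme-challenge.{domain}", resolver)
        except (OSError, RuntimeError) as e:
            vals = [f"<error: {e}>"]
        print(resolver, "->", vals, "OK" if challenge_record_visible(vals, token) else "NOT VISIBLE")
```

A record that is visible from the container's resolver but answers "null" or nothing from a public resolver points at the DNS provider or its API rather than at the ACME client's timing, which is why `delayBeforeCheck=0` makes no difference in that situation.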

Mac OSX Catalina + tunnelblick SSL/TLS handshake failed

I have installed a brand new desktop iMac running Catalina version 10.15.4, and since yesterday I have had problems authenticating to OpenVPN using Tunnelblick. I am currently using Tunnelblick 3.8.2 (build 5480).
Below you can check the error logs from it.
*Tunnelblick: macOS 10.15.4 (19E266); Tunnelblick 3.8.2 (build 5480); Admin user
git commit 6155bb774cf9652ef0231b712d7784ee03d3c85e
Configuration vpngate_vpn244287220.opengw.net_udp_1673
"Sanitized" condensed configuration file for /Library/Application Support/Tunnelblick/Shared/vpngate_vpn244287220.opengw.net_udp_1673.tblk:
dev tun
proto udp
remote vpn244287220.opengw.net 1673
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
<ca>
[Security-related line(s) omitted]
</ca>
<cert>
[Security-related line(s) omitted]
</cert>
<key>
[Security-related line(s) omitted]
</key>
================================================================================
Files in vpngate_vpn244287220.opengw.net_udp_1673.tblk:
Contents/Resources/config.ovpn
================================================================================
Configuration preferences:
-routeAllTrafficThroughVpn = 1
-openvpnVersion = -
-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
-loggingLevel = 3
-lastConnectionSucceeded = 0
================================================================================
Wildcard preferences:
-notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
================================================================================
Program preferences:
buildExpirationTimestamp = 1587379876
launchAtNextLogin = 1
tunnelblickVersionHistory = (
"3.8.2 (build 5480)",
"3.8.1 (build 5400)"
)
lastLaunchTime = 606821074.439207
lastLanguageAtLaunchWasRTL = 0
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = vpngate_118.241.144.186_udp_1195
keyboardShortcutIndex = 1
updateCheckAutomatically = 1
NSWindow Frame ConnectingWindow = 1085 937 389 187 0 0 2560 1417
NSWindow Frame SUUpdateAlert = 970 783 620 392 0 0 2560 1417
detailsWindowFrameVersion = 5400
detailsWindowFrame = {{1267, 756}, {920, 468}}
detailsWindowLeftFrame = {{0, 0}, {167, 350}}
detailsWindowViewIndex = 0
detailsWindowConfigurationsTabIdentifier = log
leftNavSelectedDisplayName = vpngate_vpn244287220.opengw.net_udp_1673
AdvancedWindowTabIdentifier = connectingAndDisconnecting
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
haveDealtWithAfterDisconnect = 1
SUEnableAutomaticChecks = 1
SUScheduledCheckInterval = 86400
SULastCheckTime = 2020-03-25 09:24:34 +0000
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 16
WebKitStandardFont = Times
buildExpirationTimestamp = 1587379876
================================================================================
Tunnelblick Log:
2020-03-25 09:26:50.201403 *Tunnelblick: macOS 10.15.4 (19E266); Tunnelblick 3.8.2 (build 5480)
2020-03-25 09:26:50.512597 *Tunnelblick: Attempting connection with vpngate_vpn244287220.opengw.net_udp_1673; Set nameserver = 769; monitoring connection
2020-03-25 09:26:50.513215 *Tunnelblick: openvpnstart start vpngate_vpn244287220.opengw.net_udp_1673.tblk 58118 769 0 3 0 1098544 -ptADGNWradsgnw 2.5_git_32723d2-openssl-1.1.1e
2020-03-25 09:26:50.531516 *Tunnelblick: openvpnstart starting OpenVPN
2020-03-25 09:26:50.794089 OpenVPN 2.5_git_32723d2 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 22 2020
2020-03-25 09:26:50.794152 library versions: OpenSSL 1.1.1e 17 Mar 2020, LZO 2.10
2020-03-25 09:26:50.795069 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:58118
2020-03-25 09:26:50.795116 Need hold release from management interface, waiting...
2020-03-25 09:26:51.136934 *Tunnelblick: openvpnstart log:
OpenVPN started successfully.
Command used to start OpenVPN (one argument per displayed line):
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.5_git_32723d2-openssl-1.1.1e/openvpn
--daemon
--log /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Svpngate_vpn244287220.opengw.net_udp_1673.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1098544.58118.openvpn.log
--cd /Library/Application Support/Tunnelblick/Shared/vpngate_vpn244287220.opengw.net_udp_1673.tblk/Contents/Resources
--machine-readable-output
--setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5480 3.8.2 (build 5480)"
--verb 3
--config /Library/Application Support/Tunnelblick/Shared/vpngate_vpn244287220.opengw.net_udp_1673.tblk/Contents/Resources/config.ovpn
--setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Shared/vpngate_vpn244287220.opengw.net_udp_1673.tblk/Contents/Resources
--verb 3
--cd /Library/Application Support/Tunnelblick/Shared/vpngate_vpn244287220.opengw.net_udp_1673.tblk/Contents/Resources
--management 127.0.0.1 58118 /Library/Application Support/Tunnelblick/lnkadcnbabkakmcajkcbbhagnilekdiadephbbio.mip
--management-query-passwords
--management-hold
--redirect-gateway def1
--script-security 2
--route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
--down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2020-03-25 09:26:51.145350 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:58118
2020-03-25 09:26:51.214147 MANAGEMENT: CMD 'pid'
2020-03-25 09:26:51.214221 MANAGEMENT: CMD 'auth-retry interact'
2020-03-25 09:26:51.214269 MANAGEMENT: CMD 'state on'
2020-03-25 09:26:51.214311 MANAGEMENT: CMD 'state'
2020-03-25 09:26:51.214356 MANAGEMENT: CMD 'bytecount 1'
2020-03-25 09:26:51.215097 *Tunnelblick: Established communication with OpenVPN
2020-03-25 09:26:51.231465 *Tunnelblick: >INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info
2020-03-25 09:26:51.234302 MANAGEMENT: CMD 'hold release'
2020-03-25 09:26:51.234590 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2020-03-25 09:26:51.234626 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-03-25 09:26:51.239204 MANAGEMENT: >STATE:1585128411,RESOLVE,,,,,,
2020-03-25 09:26:51.528796 TCP/UDP: Preserving recently used remote address: [AF_INET]121.155.129.51:1673
2020-03-25 09:26:51.528866 Socket Buffers: R=[786896->786896] S=[9216->9216]
2020-03-25 09:26:51.528884 UDP link local: (not bound)
2020-03-25 09:26:51.528899 UDP link remote: [AF_INET]121.155.129.51:1673
2020-03-25 09:26:51.528956 MANAGEMENT: >STATE:1585128411,WAIT,,,,,,
2020-03-25 09:26:51.834207 MANAGEMENT: >STATE:1585128411,AUTH,,,,,,
2020-03-25 09:26:51.834286 TLS: Initial packet from [AF_INET]121.155.129.51:1673, sid=5882099d 9d031a26
2020-03-25 09:26:52.177465 VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
2020-03-25 09:26:52.177567 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-03-25 09:26:52.177582 TLS_ERROR: BIO read tls_read_plaintext error
2020-03-25 09:26:52.177593 TLS Error: TLS object -> incoming plaintext read error
2020-03-25 09:26:52.177603 TLS Error: TLS handshake failed
2020-03-25 09:26:52.178015 SIGUSR1[soft,tls-error] received, process restarting
2020-03-25 09:26:52.218256 MANAGEMENT: >STATE:1585128412,RECONNECTING,tls-error,,,,,
2020-03-25 09:26:52.225982 MANAGEMENT: CMD 'hold release'
2020-03-25 09:26:52.226119 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2020-03-25 09:26:52.226143 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-03-25 09:26:52.226301 MANAGEMENT: >STATE:1585128412,RESOLVE,,,,,,
2020-03-25 09:26:52.227535 TCP/UDP: Preserving recently used remote address: [AF_INET]121.155.129.51:1673
2020-03-25 09:26:52.227590 Socket Buffers: R=[786896->786896] S=[9216->9216]
2020-03-25 09:26:52.227607 UDP link local: (not bound)
2020-03-25 09:26:52.227622 UDP link remote: [AF_INET]121.155.129.51:1673
2020-03-25 09:26:52.227643 MANAGEMENT: >STATE:1585128412,WAIT,,,,,,
2020-03-25 09:26:52.227956 MANAGEMENT: CMD 'hold release'
2020-03-25 09:26:52.608861 MANAGEMENT: >STATE:1585128412,AUTH,,,,,,
2020-03-25 09:26:52.608945 TLS: Initial packet from [AF_INET]121.155.129.51:1673, sid=24e59327 4db6ce3c
2020-03-25 09:26:53.017553 VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
2020-03-25 09:26:53.017616 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-03-25 09:26:53.017631 TLS_ERROR: BIO read tls_read_plaintext error
2020-03-25 09:26:53.017642 TLS Error: TLS object -> incoming plaintext read error
2020-03-25 09:26:53.017652 TLS Error: TLS handshake failed
2020-03-25 09:26:53.017813 SIGUSR1[soft,tls-error] received, process restarting
2020-03-25 09:26:53.017836 MANAGEMENT: >STATE:1585128413,RECONNECTING,tls-error,,,,,
2020-03-25 09:26:53.026246 MANAGEMENT: CMD 'hold release'
2020-03-25 09:26:53.058693 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2020-03-25 09:26:53.058774 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-03-25 09:26:53.058959 MANAGEMENT: >STATE:1585128413,RESOLVE,,,,,,
2020-03-25 09:26:53.059957 TCP/UDP: Preserving recently used remote address: [AF_INET]121.155.129.51:1673
2020-03-25 09:26:53.060007 Socket Buffers: R=[786896->786896] S=[9216->9216]
2020-03-25 09:26:53.060023 UDP link local: (not bound)
2020-03-25 09:26:53.060037 UDP link remote: [AF_INET]121.155.129.51:1673
2020-03-25 09:26:53.060058 MANAGEMENT: >STATE:1585128413,WAIT,,,,,,
2020-03-25 09:26:53.060373 MANAGEMENT: CMD 'hold release'
2020-03-25 09:26:53.512826 MANAGEMENT: >STATE:1585128413,AUTH,,,,,,
2020-03-25 09:26:53.512940 TLS: Initial packet from [AF_INET]121.155.129.51:1673, sid=e66bd815 2a66696d
2020-03-25 09:26:53.836081 VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
2020-03-25 09:26:53.836141 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-03-25 09:26:53.836154 TLS_ERROR: BIO read tls_read_plaintext error
2020-03-25 09:26:53.836165 TLS Error: TLS object -> incoming plaintext read error
2020-03-25 09:26:53.836174 TLS Error: TLS handshake failed
2020-03-25 09:26:53.836333 SIGUSR1[soft,tls-error] received, process restarting
2020-03-25 09:26:53.836363 MANAGEMENT: >STATE:1585128413,RECONNECTING,tls-error,,,,,
2020-03-25 09:26:53.838259 MANAGEMENT: CMD 'hold release'
2020-03-25 09:26:53.838325 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2020-03-25 09:26:53.838340 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-03-25 09:26:53.838419 MANAGEMENT: >STATE:1585128413,RESOLVE,,,,,,
2020-03-25 09:26:53.839406 TCP/UDP: Preserving recently used remote address: [AF_INET]121.155.129.51:1673
2020-03-25 09:26:53.839450 Socket Buffers: R=[786896->786896] S=[9216->9216]
2020-03-25 09:26:53.839465 UDP link local: (not bound)
2020-03-25 09:26:53.839480 UDP link remote: [AF_INET]121.155.129.51:1673
2020-03-25 09:26:53.839499 MANAGEMENT: >STATE:1585128413,WAIT,,,,,,
2020-03-25 09:26:53.839702 MANAGEMENT: CMD 'hold release'
2020-03-25 09:26:54.140756 MANAGEMENT: >STATE:1585128414,AUTH,,,,,,
2020-03-25 09:26:54.140859 TLS: Initial packet from [AF_INET]121.155.129.51:1673, sid=ce43006a 5a2277a1
2020-03-25 09:26:54.446583 VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
2020-03-25 09:26:54.446650 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-03-25 09:26:54.446674 TLS_ERROR: BIO read tls_read_plaintext error
2020-03-25 09:26:54.446685 TLS Error: TLS object -> incoming plaintext read error
2020-03-25 09:26:54.446695 TLS Error: TLS handshake failed
2020-03-25 09:26:54.446864 SIGUSR1[soft,tls-error] received, process restarting
2020-03-25 09:26:54.446905 MANAGEMENT: >STATE:1585128414,RECONNECTING,tls-error,,,,,
2020-03-25 09:26:54.457512 MANAGEMENT: CMD 'hold release'
2020-03-25 09:26:54.487380 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
The app seems to go into some sort of loop, never authenticating.

Java 8 cryptography issue

I have developed a biometric authentication system on java8u144 and an Active Directory password reset using LDAPS on java8u191. When I tried to combine them...
First, biometric encryption popped an error for invalid key size. I updated to JCE Unlimited. Then biometric started working, but the LDAPS connection issues remain: SSL handshake, PKIX path building failed.
I am not able to fix it.
Please help me out.
I am running out of time.
I am getting the following exception:
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
http-nio-8084-exec-2, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
http-nio-8084-exec-2, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 2E .......
http-nio-8084-exec-2, called closeSocket()
http-nio-8084-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
On java8u144 without JCE the code was working, but biometric needed unlimited strength. I tried java8u144, java8u162, java8u191.
Currently using java8u162.
The above exception is coming only after the JCE upgrade.
Kindly guide how to get the certificate chain for this.
NOTE: LDP.exe is working on the client successfully.
& OpenSSL: unable to verify first certificate

Why I can't forward port 8500 on host machine with consul image?

I am trying to run the Consul image on Mac, forwarding port 8500 for simple tests.
My command to run the image is:
docker run -it -p 8500:8500 consul agent -server -bootstrap 0.0.0.0
I do not use --net=host since it does not work on Mac, so I try to forward 8500.
When I try to telnet from my Mac the connection gets immediately closed:
user$ telnet localhost 8500
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
Or when I try to add a new value I get:
consul kv put foo bar
Error! Failed writing data: Put http://127.0.0.1:8500/v1/kv/foo: dial tcp 127.0.0.1:8500: getsockopt: connection refused
What did I miss?
I have just tried what you have posted and it seems that port 8500 is open:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f4ac8a5233e2 consul "docker-entrypoint..." 2 minutes ago Up 2 minutes 8300-8302/tcp, 8301-8302/udp, 8600/tcp, 8600/udp, 0.0.0.0:8500->8500/tcp sharp_knuth
And I get this:
Trying 0.0.0.0...
Connected to dev-consul
Escape character is '^]'.
Connection closed by foreign host.
However, it is running as you can see from the logs:
==> Starting Consul agent...
==> Consul agent running!
Version: 'v0.9.3'
Node ID: '27998add-58f9-e424-84a0-038db228629f'
Node name: '68bfdf141e7f'
Datacenter: 'dc1' (Segment: '<all>')
Server: true (Bootstrap: false)
Client Addr: 0.0.0.0 (HTTP: 8500, HTTPS: -1, DNS: 8600)
Cluster Addr: 127.0.0.1 (LAN: 8301, WAN: 8302)
Encrypt: Gossip: false, TLS-Outgoing: false, TLS-Incoming: false
==> Log data will now stream in as it occurs:
2017/10/02 20:26:27 [DEBUG] Using random ID "27998add-58f9-e424-84a0-038db228629f" as node ID
2017/10/02 20:26:27 [INFO] raft: Initial configuration (index=1): [{Suffrage:Voter ID:127.0.0.1:8300 Address:127.0.0.1:8300}]
2017/10/02 20:26:27 [INFO] raft: Node at 127.0.0.1:8300 [Follower] entering Follower state (Leader: "")
2017/10/02 20:26:27 [INFO] serf: EventMemberJoin: 68bfdf141e7f.dc1 127.0.0.1
2017/10/02 20:26:27 [INFO] serf: EventMemberJoin: 68bfdf141e7f 127.0.0.1
2017/10/02 20:26:27 [INFO] consul: Adding LAN server 68bfdf141e7f (Addr: tcp/127.0.0.1:8300) (DC: dc1)
2017/10/02 20:26:27 [INFO] consul: Handled member-join event for server "68bfdf141e7f.dc1" in area "wan"
2017/10/02 20:26:27 [INFO] agent: Started DNS server 0.0.0.0:8600 (udp)
2017/10/02 20:26:27 [INFO] agent: Started DNS server 0.0.0.0:8600 (tcp)
2017/10/02 20:26:27 [INFO] agent: Started HTTP server on [::]:8500
2017/10/02 20:26:27 [WARN] raft: Heartbeat timeout from "" reached, starting election
2017/10/02 20:26:27 [INFO] raft: Node at 127.0.0.1:8300 [Candidate] entering Candidate state in term 2
2017/10/02 20:26:27 [DEBUG] raft: Votes needed: 1
2017/10/02 20:26:27 [DEBUG] raft: Vote granted from 127.0.0.1:8300 in term 2. Tally: 1
2017/10/02 20:26:27 [INFO] raft: Election won. Tally: 1
2017/10/02 20:26:27 [INFO] raft: Node at 127.0.0.1:8300 [Leader] entering Leader state
2017/10/02 20:26:27 [INFO] consul: cluster leadership acquired
2017/10/02 20:26:27 [DEBUG] consul: Skipping self join check for "68bfdf141e7f" since the cluster is too small
2017/10/02 20:26:27 [INFO] consul: member '68bfdf141e7f' joined, marking health alive
2017/10/02 20:26:27 [INFO] consul: New leader elected: 68bfdf141e7f
2017/10/02 20:26:28 [INFO] agent: Synced node info
2017/10/02 20:27:27 [DEBUG] consul: Skipping self join check for "68bfdf141e7f" since the cluster is too small
2017/10/02 20:27:34 [DEBUG] agent: Node info in sync

error for public stream in Twitter 4j in IBM WAS 6.1

I'm getting the below error for the public stream using Twitter4J in IBM WAS 6.1. Can you please suggest on this issue.
INFO: com.ibm.jsse2.util.h: No trusted certificate found
com.ibm.jsse2.util.h: No trusted certificate found
Relevant discussions can be found on the Internet at:
http://www.google.co.jp/search?q=944a924a or
http://www.google.co.jp/search?q=24fd66eb
TwitterException{exceptionCode=[944a924a-24fd66eb 944a924a-24fd66c1 944a924a-24fd66c1], statusCode=-1, message=null, code=-1, retryAfter=-1, rateLimitStatus=null, version=3.0.3}
at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:192)
at twitter4j.internal.http.HttpClientWrapper.request(HttpClientWrapper.java:61)
at twitter4j.internal.http.HttpClientWrapper.post(HttpClientWrapper.java:98)
at twitter4j.TwitterStreamImpl.getFilterStream(TwitterStreamImpl.java:304)
at twitter4j.TwitterStreamImpl$7.getStream(TwitterStreamImpl.java:292)
at twitter4j.TwitterStreamImpl$TwitterStreamConsumer.run(TwitterStreamImpl.java:462)
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found
at com.ibm.jsse2.n.a(n.java:28)
at com.ibm.jsse2.jc.a(jc.java:235)
at com.ibm.jsse2.db.a(db.java:268)
at com.ibm.jsse2.db.a(db.java:272)
at com.ibm.jsse2.eb.a(eb.java:56)
at com.ibm.jsse2.eb.a(eb.java:122)
at com.ibm.jsse2.db.m(db.java:351)
at com.ibm.jsse2.db.a(db.java:173)
at com.ibm.jsse2.jc.a(jc.java:535)
at com.ibm.jsse2.jc.g(jc.java:203)
at com.ibm.jsse2.jc.a(jc.java:97)
at com.ibm.jsse2.jc.startHandshake(jc.java:44)
at com.ibm.net.ssl.www2.protocol.https.b.afterConnect(b.java:38)
at com.ibm.net.ssl.www2.protocol.https.c.connect(c.java:34)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:866)
at com.ibm.net.ssl.www2.protocol.https.a.getOutputStream(a.java:38)
at twitter4j.internal.http.HttpClientImpl.request(HttpClientImpl.java:150)
... 5 more
Caused by: com.ibm.jsse2.util.h: No trusted certificate found
at com.ibm.jsse2.util.g.a(g.java:24)
at com.ibm.jsse2.util.g.b(g.java:54)
at com.ibm.jsse2.util.e.a(e.java:9)
at com.ibm.jsse2.yb.checkServerTrusted(yb.java:4)
at com.ibm.jsse2.hb.checkServerTrusted(hb.java:9)
at com.ibm.jsse2.eb.a(eb.java:193)
... 17 more
Jul 3, 2013 10:14:56 AM twitter4j.internal.logging.CommonsLoggingLogger info
INFO: Waiting for 500 milliseconds
Jul 3, 2013 10:14:56 AM twitter4j.internal.logging.CommonsLoggingLogger info
INFO: Establishing connection.
The issue is now resolved by adding the SSL certificate to the JVM. This page really helped me to understand the SSL connection concept in Java.
