microk8s untrusted dashboard - how to verify certificate - macos

I am trying out microk8s following this
I am getting a certificate error when browsing the dashboard (multipass ls - ip address)
I guess I need to copy and verify the Kubernetes certificate from the multipass host (macos) on the macOS keychain?

Related

how to add a trusted CA for local Consul docker container

So I have a consul running as a docker container and I am able to access it using chrome at localhost:8500 after exposing the ports, as expected. But due to a company setting there is a security CA being added that chrome trusts, since it is added to the macOS keychain, but consul does not seem to trust it when I try to use a golang library to connect to consul:
x509: “Menlo Security Intermediate CA” certificate is not trusted"
I get a certificate is not trusted error. I am able to export the CA to a RootCA.cer file from the keychain but how do I configure consul image to trust this CA file?
https://iotech.force.com/edgexpert/s/article/secure-consul-tls
I see articles like this
ca_file is used to check the authenticity of the client and server connections
cert_file is provided to clients and server to verify the agent's authenticity
key_file is used with the certificate to verify the agent's authenticity
but for me, the .cer export file will be used as cert_file?
how should I do it in docker compose?
consul:
  image: dockerproxy.comp.com/consul:latest
  ports:
    - "9500:9500"

https call failed from python using FastAPI

Ran the following commands.
PS C:\Users\anups\Desktop\Cloud_AntiScalant> mkcert -install
Created a new local CA 💥
The local CA is now installed in the system trust store! ⚡️
PS C:\Users\anups\Desktop\Cloud_AntiScalant> mkcert localhost
Created a new certificate valid for the following names 📜
 - "localhost"
The certificate is at "./localhost.pem" and the key at "./localhost-key.pem" ✅
It will expire on 5 October 2024 🗓
Started the uvicorn server with the following command.
cls;uvicorn main:app --reload --host 127.0.0.1 --port=8000 --ssl-certfile="C:\Users\anups\Desktop\Cloud_AntiScalant\localhost.pem" --ssl-keyfile="C:\Users\anups\Desktop\Cloud_AntiScalant\localhost-key.pem"
I am able to open the browser with https://127.0.0.1:8000 but it still shows that it's unsecure, and the certificate status says OK.
I am running the client app with the following code:
import requests

url = 'https://127.0.0.1:8000/'
r = requests.get(url)
I get the following error:
requests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=8000): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))
I checked the certmgr.msc and I see the mkcert installed.
Can someone please help me?
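Added example, not part of the original question: `requests` verifies servers against its bundled certifi CA list rather than the Windows trust store that `mkcert -install` updates, so the client has to be pointed at mkcert's `rootCA.pem`, and the host in the URL has to be one of the names in the certificate. The function names are hypothetical and the default folders are assumed to be mkcert's usual CAROOT locations; `mkcert -CAROOT` prints the real one.

```python
import os
import sys
from pathlib import Path
from urllib.parse import urlsplit


def mkcert_caroot() -> Path:
    """Folder holding mkcert's rootCA.pem; `mkcert -CAROOT` prints the same path."""
    if os.environ.get("CAROOT"):  # explicit override honoured by mkcert
        return Path(os.environ["CAROOT"])
    if sys.platform == "win32":
        return Path(os.environ["LOCALAPPDATA"]) / "mkcert"
    if sys.platform == "darwin":
        return Path.home() / "Library" / "Application Support" / "mkcert"
    data_home = os.environ.get("XDG_DATA_HOME") or Path.home() / ".local" / "share"
    return Path(data_home) / "mkcert"


def client_tls_settings(url, cert_names, caroot=None):
    """Return (verify_path, problems) for requests.get(url, verify=verify_path).

    cert_names: the names mkcert printed when it issued the server certificate.
    """
    problems = []
    ca_file = Path(caroot or mkcert_caroot()) / "rootCA.pem"
    if not ca_file.is_file():
        problems.append(f"CA file not found: {ca_file}")
    host = urlsplit(url).hostname or ""
    # Exact comparison only; wildcard names are not handled here.
    if host.lower() not in {n.lower() for n in cert_names}:
        problems.append(f"{host!r} is not one of the certificate names {sorted(cert_names)}")
    return str(ca_file), problems


def fetch(url, cert_names):
    """GET url, verifying the server against the mkcert root instead of certifi."""
    import requests  # third-party; imported late so the checks above need only stdlib
    verify, problems = client_tls_settings(url, cert_names)
    if problems:
        raise RuntimeError("; ".join(problems))
    return requests.get(url, verify=verify, timeout=10)


if __name__ == "__main__":
    # Values from the question: certificate issued for "localhost", client uses 127.0.0.1.
    print(client_tls_settings("https://127.0.0.1:8000/", ["localhost"]))
    print(client_tls_settings("https://localhost:8000/", ["localhost"]))
```

With the values from the question the first call reports a name mismatch: the certificate covers only "localhost", so the client should use https://localhost:8000/ or the certificate should be reissued with `mkcert localhost 127.0.0.1`.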

kubectl giving error: Unable to connect to the server: x509: certificate signed by unknown authority

docker desktop on mac is getting error:
Unable to connect to the server: x509: certificate signed by unknown authority
The following answers didn't help much:
My system details:
Operating system: macOS Big Sur Version 11.6
Docker desktop version: v20.10.12
Kubernetes version: v1.22.5
When I do:
kubectl get pods
I get the below error:
Unable to connect to the server: x509: certificate signed by unknown authority
Posting the answer from comments
As appeared after additional questions and answers, there was a previous installation of rancher cluster which left its traces: certificate and context in ~/.kube/config.
The solution in this case for local development/testing is to delete the ~/.kube folder with configs entirely and init the cluster from scratch.
If you are using a corporate laptop, and everything you do goes through a proxy, you will get this message. Hence, when docker desktop tries to connect to the server defined in ~/.kube/config, it will try to go through the proxy and you will need the cert issued by the company. Long story short, you are getting blocked by the company... To fix, you can add the no proxy props, adding whatever value server: internal.docker defined in ~/.kube/config. Meaning, if I am connecting to docker cluster which runs locally in my laptop, do not direct my traffic through proxy.
When doing docker info, after setting no proxy, you should see something like this.
docker info | grep -i proxy
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal,localhost,127.0.0.1,.local,.us.example.com,.examplecorp.com,.examplevcn.com,kubernetes.docker.internal
hubproxy.docker.internal:5000

How do I renew my Let's Encrypt TLS certificate on AWS Lightsail Wordpress instance?

I setup a wordpress instance on AWS Lightsail and enabled HTTPS using bncert-tool as per this guide. Today I received an urgent email from Let's Encrypt asking to renew my TLS certificate(s) that were issued from Let's Encrypt using the TLS-ALPN-01 validation method.
How do I renew the certificate?
SSH into your lightsail instance and run the following commands:
sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start
In the preceding commands, replace EMAIL-ADDRESS and DOMAIN with the correct values.
You can use any of your working email addresses. Or, you can use the same email address that you used when you installed the certificate. You can retrieve the email you used when installing the certificate by running the following command:
sudo ls /opt/bitnami/letsencrypt/accounts/acm*
You can confirm the domain name by running the following command:
sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt list
For more info, please refer to this documentation
Now by default Bitnami bncert-tool renews the certificate automatically each month.
Source: generate-install-lets-encrypt-ssl
Run the following command:
sudo /opt/bitnami/bncert-tool
If you encounter Account [EMAIL ADDRESS] is not registered. Use 'run' to register a new account.
Use this command to register a new account and create a new certificate:
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/opt/bitnami/letsencrypt" run
Source: letsencrypt community

WHM https with port 8443 throwing warning

I have installed Mirth connect and it is running on https://example.com:8443 but it is throwing an https warning. If I run https://example.com it doesn't show any warning because the ssl certificate is installed. The issue is with the port. Please help me out with this problem.
Thanks.
Mirth Connect generates a new self-signed certificate on first startup. You can replace this with your own cert, it's the "mirthconnect" alias in the keystore.jks file. Follow the Changing The Server Certificate section in the user guide.
