I have a Windows Server VM, running Server 2019, on a company network, and it is to be used as a web server with Apache. I have a copy of Apache 2.4 installed on it and it serves HTTP pages just fine, but I am trying to set up SSL for HTTPS connections.
I have been talked through using the MMC to add the Certificates snap-in, then using this to generate a request (this is AKA the key file, I think?), and sent this file to the necessary admin in the business to provide me with a certificate so that users' browsers display a green address bar when visiting the site via HTTPS on the company intranet.
They sent me back the following files:
certnew.cer
certnew.p7b
intermediate.cer
root.cer
I then did a lot of googling and found various guides about how to use these files, and I have come to the following conclusions (please correct if wrong):
Cer files and crt files are the same thing. They can have some kind of different encoding in the contents, but you generally use a .cer file in the same place(s) you could use a .crt file, so if Apache instructions are mentioning one, I can probably use the other and just rename the file extension.
The file I sent off was the private key file that I will need to use in the SSL configuration.
There were some kind of changes between Apache 2.4 and earlier versions, so I should be careful when looking at guides about SSL to ensure they are correct for 2.4 versions.
I need to enable SSL in the main httpd config file and add the details for my certificate files and server into the httpd-ssl.conf file.
The relevant part of that file currently looks like this:
<VirtualHost *:443>
# General setup for the virtual host
DocumentRoot "${SRVROOT}/htdocs"
ServerName <servername>
ServerAdmin <internal email>
ErrorLog "${SRVROOT}/logs/error.log"
TransferLog "${SRVROOT}/logs/access.log"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
SSLCertificateFile "${SRVROOT}/conf/primary.crt"
#SSLCertificateFile "${SRVROOT}/conf/server-dsa.crt"
#SSLCertificateFile "${SRVROOT}/conf/server-ecc.crt"
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "${SRVROOT}/conf/private.key"
#SSLCertificateKeyFile "${SRVROOT}/conf/server-dsa.key"
#SSLCertificateKeyFile "${SRVROOT}/conf/server-ecc.key"
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile "${SRVROOT}/conf/certificate.crt"
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath "${SRVROOT}/conf/root.cer"
SSLCACertificateFile "${SRVROOT}/conf/root.cer"
So I took a copy of the files I had been sent, as well as the key file I sent to them, and renamed them as above so they are referenced in the SSL config file.
When I try to start the Apache service, it fails with a generic error if I enable SSL in the main httpd config file (but still works fine when I comment out the SSL in the main conf file). So I then tried to launch httpd.exe from a command prompt to get a more helpful error, and after running it with no error response, I checked the error logs; the following error lines are shown for my most recent attempt:
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file D:/Apache24/conf/private.key)
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] AH02311: Fatal error initialising mod_ssl, exiting. See D:/Apache24/logs/error.log for more information
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] AH02564: Failed to configure encrypted (?) private key <servername>:443:0, check D:/Apache24/conf/private.key
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSAPrivateKey)
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:04093004:rsa routines:old_rsa_priv_decode:RSA lib
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
AH00016: Configuration Failed
I don't really know what any of that means, but I'm guessing it's telling me there is something wrong with my private key file, but I have no idea how to tell what is wrong or how to fix it. I have checked that the modules for SSL are enabled in the main Apache conf file.
Can anyone provide any guidance?
Thanks.
Meta: this Q is not programming or development and is arguably multiple questions, but this semi-A is much too long for comments. I will delete (or agree to a mod deleting) if needed.
request ... is AKA the key file I think?
Absolutely not, and I think this is most of your problem. The whole security of 'public-key' cryptography, also called 'asymmetric', is based on you not ever sending, giving, or otherwise providing your private key to anyone else.
The 'request' is a CSR and is basically temporary; once the certificate is issued the CSR is no longer needed or used. If you want to be tidy, you could delete it.
users browsers display a green address bar
The green bar was only for Extended Validation (EV) certificates, which from real public CAs cost quite a bit of money. It's possible your company has tweaked all the PCs (or all the relevant ones) to accept an internal or ad-hoc CA as valid for EV, but I don't see why they'd bother, as browsers dropped the green bar several years ago. What you get now is a padlock on the URL/address bar for HTTPS with any valid certificate (regardless of validation class), and for an invalid certificate you get either a warning/error icon modifying or replacing the padlock and/or a complete warning/error page.
Cer files and crt files are the same thing ... I can probably ... just rename the file extension.
Kind of. There are two main encodings used for a (single) certificate in a file and some other places: DER also called binary, and PEM also (and incorrectly) called by Microsoft base64. People variously use both extensions .cer .crt (and sometimes others as well) for both formats. Much software can use both, but httpd can only use PEM -- in a file with any name or extension, even FeeblyGorp.snork if that's what you want.
However, an HTTPS server actually needs (in addition to the privatekey) not just a certificate but a chain consisting of several (almost always at least 2, and usually 3 or 4) certificates. There is more variation in handling such a chain. The simpler way is just to take the certificates and concatenate them. Another way that developed in the past and is still used is a particular type of PKCS7 message which conventionally has the extension .p7b or .p7c (although again most programs can handle any name, in spite of Microsoft persistently trying to make you believe a filename's extension somehow controls the content, which it does not and never did). Apache supports only the plain-sequence in PEM method, not the PKCS7 method.
The file I sent off [the CSR] was the private key file
No. See above.
There was some kind of changes between Apache 2.4 and earlier versions, so I should be carefull when looking at guides about SSL to ensure it's correct for 2.4 versions.
There are changes not just between the 2.2 and 2.4 'families', but between point releases within 2.4. Search the documentation for "version 2.4." to see. If you try to use something that is newer than the version you are running it will almost certainly give an error message, but if you use an older feature it will still work on newer versions with very rare exceptions.
I need to enable SSL in the main http config file and add the details for my certificate files and server into the httpd-ssl.conf file
Not really. httpd reads one config file initially, and if that file contains one or more <Include> directives referring to other files it reads them also; I expect that is what you mean by 'enable SSL in the main config file' -- you're not enabling SSL as such, you're using a file that happens to provide SSL configuration. httpd can handle all the config in one file just fine, but people often find it more convenient to put logical 'pieces' such as different vhosts, or in your case the SSL config, in separate files that can be named to reflect each one's contents. In short, you must add the SSL related config, but you aren't required to put it in a separate file with a specific name.
So, net, your problem is that you need the privatekey in a file usable by httpd, meaning one of a few PEM formats. When you create a certificate request with MMC/cert it stores the privatekey within the Windows certificate store in a hidden location; normally when you get the resulting cert from the CA you load it into the same store with MMC and it is matched up with the hidden privatekey so that Windows-specific programs like IIS can use both of them together. Once you do that it may be possible to export the privatekey with the cert as a PFX/PKCS12 file, which httpd cannot use directly but which can be converted to suitable PEM file(s) using OpenSSL if you have or get that. However, if the key is marked unexportable, you're out of luck.
The usual (and simple) way to get a cert for httpd is OpenSSL: it can create the privatekey in a PEM file and the CSR, and when you get back the cert (and chain) you just combine them with the privatekey you already have.
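As an added example (not part of the answer above, and not Apache's or the questioner's code), here is a Ruby script, using only the standard openssl library, that does the conversion the answer describes: it accepts whatever container the internal CA returned (a DER or PEM .cer, a PKCS#7 .p7b bundle), takes the private key as PEM, DER or a PFX exported from the Windows certificate store, verifies that the key really belongs to the server certificate, orders the chain, and writes out the three PEM blobs that the httpd-ssl.conf in the question references. The CA names, the "web01.corp.example" hostname, the export password and the whole sample PKI are constructed here for illustration; they are not the questioner's real files.

```ruby
require 'openssl'

# mod_ssl reads only PEM: an unencrypted private key (an encrypted one is what
# triggers AH02577 on Windows, where no pass-phrase dialog exists), the server
# cert, and the CA certs in leaf-to-root order. Windows CAs hand back DER .cer
# files and PKCS#7 .p7b bundles, so every input is normalised before use.

# Every certificate in `bytes`: one DER or PEM cert, a PEM bundle, or a DER/PEM
# PKCS#7 (.p7b) bundle. The file extension is deliberately never consulted.
def certs_from(bytes)
  bytes = bytes.b
  if bytes.include?('-----BEGIN CERTIFICATE-----')
    return bytes.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
                .map { |pem| OpenSSL::X509::Certificate.new(pem) }
  end
  [OpenSSL::X509::Certificate.new(bytes)]
rescue OpenSSL::X509::CertificateError
  OpenSSL::PKCS7.new(bytes).certificates || []
end

# The private key as PEM or DER (PKCS#1 or PKCS#8), or inside a PFX/PKCS#12
# exported from the Windows certificate store together with its cert.
def key_from(bytes, pfx_password: nil)
  return OpenSSL::PKCS12.new(bytes, pfx_password).key if pfx_password
  OpenSSL::PKey.read(bytes)
end

# Walk from the server cert up to a self-signed root. The issuer at each step is
# the pool cert that carries the expected name AND verifies the signature; a
# name match alone would accept a cert from an unrelated CA with the same name.
def order_chain(leaf, pool)
  chain = [leaf]
  until chain.last.issuer == chain.last.subject
    cur = chain.last
    issuer = pool.find { |c| c.subject == cur.issuer && cur.verify(c.public_key) }
    raise "no issuer found for #{cur.subject}" unless issuer
    chain << issuer
  end
  chain
end

# The files httpd-ssl.conf above points at, keyed by the names used there.
# Raises if the key matches none of the certs, which is exactly what happens
# when the CSR is mistaken for the key.
def apache_pem_files(key_bytes, cert_blobs, pfx_password: nil)
  key  = key_from(key_bytes, pfx_password: pfx_password)
  pool = cert_blobs.flat_map { |blob| certs_from(blob) }
  leaf = pool.find { |c| c.check_private_key(key) }
  raise 'private key does not match any supplied certificate' unless leaf
  chain = order_chain(leaf, pool)
  {
    'primary.crt'     => leaf.to_pem,                     # SSLCertificateFile
    'private.key'     => key.to_pem,                      # SSLCertificateKeyFile, no pass phrase
    'certificate.crt' => chain[1..-2].map(&:to_pem).join, # SSLCertificateChainFile: intermediates only
    'root.cer'        => chain.last.to_pem                # SSLCACertificateFile
  }
end

# Constructed sample PKI standing in for the files in the question (made up
# here, not the questioner's real CA): root -> issuing CA -> server cert,
# packaged the way a Windows CA returns them.
def issue(cn, signer_cert: nil, signer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**62)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = signer_cert ? signer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(signer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(signer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

def sample_ca_reply
  root,   root_key  = issue('Example Root CA', ca: true)
  inter,  inter_key = issue('Example Issuing CA', signer_cert: root, signer_key: root_key, ca: true)
  server, srv_key   = issue('web01.corp.example', signer_cert: inter, signer_key: inter_key)
  p7b = OpenSSL::PKCS7.sign(inter, inter_key, 'bundle', [root, server])
  pfx = OpenSSL::PKCS12.create('export-pw', 'web01', srv_key, server, [inter, root])
  {
    'certnew.cer'      => server.to_der,  # what the "DER encoded binary X.509" export gives
    'intermediate.cer' => inter.to_pem,   # what the "Base-64 encoded X.509" export gives
    'root.cer'         => root.to_der,
    'certnew.p7b'      => p7b.to_der,     # the whole chain in one PKCS#7 bundle
    'private.key'      => srv_key.to_der,
    'export.pfx'       => pfx.to_der      # key+cert as exported from the Windows store
  }
end
```

Write the four hash values to the paths in httpd-ssl.conf and the config in the question works unchanged. Two points about that config: SSLCertificateChainFile has been deprecated since httpd 2.4.8, so the intermediates can equally be appended to the file named by SSLCertificateFile; and SSLCACertificateFile is only consulted when client certificates are verified, so pointing it at the root is harmless here but is not what makes the server's own chain valid.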
I am trying to send emails using the net/smtp library, but I receive the following error message:
SSL_connect returned=1 errno=0 state=unknown state: unknown protocol (OpenSSL::SSL::SSLError)
The code I am using is an extract from Peter Cooper's Beginning Ruby book, modified to use SSL, as required by Yahoo's servers:
require 'net/smtp'

# headers, then a blank line, then the body
message = %q{From: Private Person <me@privacy.net>
To: myself <username@yahoo.com>
Subject: SMTP e-mail test

This is a test e-mail message.
}

smtp = Net::SMTP.new('smtp.mail.yahoo.com', 587)
smtp.enable_ssl
smtp.start('example.org', 'username@yahoo.com', 'password', :login) do |s|
  s.send_message message, 'me@privacy.net', 'username@yahoo.com'
end
I tested the above code with Ruby 2.3.1 and Ruby 2.5.1 but I keep receiving the same error message.
By using Net::SMTP#enable_ssl (which is an alias of Net::SMTP#enable_tls), you are instructing the Ruby SMTP client to open a TLS tunnel as the very first step after connecting to the server. This requires the server to also support this on the port used.
With Yahoo's SMTP servers, they support this mode on port 465. With many other providers, you will see that they only support opportunistic TLS on port 587.
What happens there is that the client first starts with plaintext SMTP and then negotiates with the server whether it supports upgrading the connection to a TLS tunnel by using the STARTTLS command.
With net/smtp in Ruby, you can use Net::SMTP#enable_starttls instead.
If you are not sure whether the server supports STARTTLS and you want to gracefully fall back to plaintext transfer of your password and the email to the server, you can also use Net::SMTP#enable_starttls_auto.
Thus, with Yahoo, you have two options:
you can use Net::SMTP#enable_tls on port 465
or you can use Net::SMTP#enable_starttls on port 587
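As an added example (not part of the answer above and not Ruby's own code), the script below reproduces the failure and the fix offline. It runs a constructed stand-in for a port-587 submission server on a loopback port (plaintext banner, EHLO reply advertising STARTTLS, no real TLS upgrade), shows that opening with a TLS handshake against it fails inside OpenSSL exactly as in the question, then probes the server the way an SMTP client is supposed to, and finally builds Net::SMTP clients configured for each port. The hostnames smtp.example.test and client.example.test and the server's replies are assumptions made for the example.

```ruby
require 'socket'
require 'openssl'
require 'net/smtp'

# Constructed stand-in for a submission server on port 587: plaintext banner,
# EHLO reply advertising STARTTLS. It never actually upgrades to TLS; it exists
# only so both client behaviours can be observed offline. Returns its port.
def start_fake_submission_server
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      Thread.new(server.accept) do |s|
        begin
          s.write "220 smtp.example.test ESMTP ready\r\n"
          while (line = s.gets)
            case line.b.strip.upcase          # .b: a TLS ClientHello is not valid UTF-8
            when /\AEHLO/
              s.write "250-smtp.example.test\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n"
            when 'QUIT'
              s.write "221 Bye\r\n"
              break
            else
              s.write "500 Unrecognised command\r\n"
            end
          end
        rescue IOError, SystemCallError
          # client went away mid-dialogue, which is what a failed TLS handshake looks like here
        ensure
          s.close
        end
      end
    end
  end
  server.addr[1]
end

# What Net::SMTP#enable_tls does on connect: start a TLS handshake at once.
# Against a plaintext port the server's "220 ..." banner arrives where a TLS
# record was expected, so OpenSSL aborts ("unknown protocol" on older OpenSSL,
# "wrong version number" on newer). Returns the error message, nil on success.
def implicit_tls_error(host, port)
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, OpenSSL::SSL::SSLContext.new)
  ssl.connect
  ssl.sysclose
  nil
rescue OpenSSL::SSL::SSLError => e
  e.message
ensure
  tcp.close if tcp && !tcp.closed?
end

# What an SMTP client must do on 587: talk plaintext first and look for
# STARTTLS in the EHLO reply before upgrading. Returns the advertised extensions.
def ehlo_extensions(host, port)
  TCPSocket.open(host, port) do |s|
    banner = s.gets.to_s
    raise "unexpected greeting #{banner.inspect}" unless banner.start_with?('220')
    s.write "EHLO client.example.test\r\n"
    exts = []
    while (line = s.gets)
      exts << line[4..-1].to_s.strip   # "250-STARTTLS" -> "STARTTLS"
      break if line[3] == ' '          # "250 " (space) closes the multi-line reply
    end
    s.write "QUIT\r\n"
    exts.drop(1)                       # first line is just the server's name
  end
end

# A Net::SMTP client set up for the port's convention: implicit TLS on 465,
# mandatory STARTTLS on 587. enable_starttls_auto is avoided on purpose: it
# silently falls back to plaintext, password included, if STARTTLS is absent.
def smtp_client_for(host, port)
  smtp = Net::SMTP.new(host, port)
  case port
  when 465 then smtp.enable_tls
  when 587 then smtp.enable_starttls
  else raise ArgumentError, "no TLS policy defined for port #{port}"
  end
  smtp
end
```

Both modes verify the server certificate with Ruby's defaults; the only wrong choice is a TLS mode that does not match what the port speaks, and ehlo_extensions is how to find that out when the provider's documentation is unclear.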
The following error occurred on the Exchange Server 2007 and mail is not being disseminated to all recipients.
I tried the get-queue | fl commands and also followed some of the online suggestions made for other users, but nothing worked to fix my issue.
Can someone help me out to fix this issue with my mail server?
I got this error:
NextHopDomain : hub version 15
LastError : 451 4.4.0 Primary target IP address responded with: "235 00000870YIIGUAYJKoZIhvcSAQICAQBuggY/MIIGO6ADAgEFoQMCAQ6iBwMFAAAAAACjggTEYYIE
wDCCBLygAwIBBaEPGw1JTkNPSVMuR09WLklOoigwJqADAgECoR8wHRsHU01UUFNWQxsSTUFJTC5pbmNvaXMuZ292Lmluo4IEeDCCBHSgAwIBEqEDAgFMooIEZgSCBGIjDRqya
dXg4Y1GQAcMZKo9KfI/2l1JPauKHPjVxyi3sP+6PV8wXjzRn36QjnIsLu7OPtzWDRkJBR/VFnJMLT3wTpg0uEe4eAr7kAgJ+mo4vbuFdlYb+ns23tnLO2kyt3dfXgrPF5Ulm4
C6me734JrfOrkT51UCliUMKmlcDAhcPEmDUagjCg9XmLatKNTn41sFZktRjFs8bXexAacl/Wil+gFI5qZbh9nrs922FUoLhmX1U7dS6xiyH2VHaxCAodcbNh14apN/rK0SvjQ
Zi+L2bO2RSF3Rx5LO4zAPfn9LAlNQRwQo8U8NR7J1JACBUwe3t3InTRA0TXyJNCxVGZBM5QjgeJFgBRN6pqa6jZyT7tUgURrG1fHFs4fV77jyxgKjxcrUdc5n7MWT77sfLlb4
Ao5HJukOnWlBVUyoDCDvVarc+8/5VJdWFxnNUkohaVUPnDYMMGiGsadDYy39omsSasFkLShLqE7vBGx3WdsvQQnH2kOTwS4mfbWsuulDUfgHOoBg4AW/fB1oxCUT5E3/siLDd
urZX/LEjSCmwxbtzzLJ9IGhAlMb+WUUhlZiNb2mn3pZAUlQnDip0ZkXi2nYm71FaTnBb1chScpnpBJ+o30C6yPubBnP562F33sgd/CqB9ZbH4nawrG4pPa6yoVDFgB9lVnQ0h
EGlcyNotCTdFMuJrqVF/XFwGKPT+V9uxdNtMNqDkXjLNGE7FshmmhAMbPPVtGdpJaPyAx5RKf1IqZRs2aHwU294AdChan+SsxZkruzB3ahiyIlops5j3Ie64lPJOnQdAmT9LU
WBG4ssEToAILaVfNvgfPx60dh1noK8Ih0plJ0+r7dV7SctqijbRtgyDccKYqrM5z+UjdbTJjzEwq54dljmq2MyEC7lghBcUkzNA0v1gKztXiIDa+vED9Z0u34n5bUghzZCSpF
41BjMt82S6IKzFfZxVZgW68I3kCvslzRFHmnn0V3ICQBkwrwUoz73l9xnWUqvSyg8khALOMcuyXfrDT3H5Mb/Ar62e6VnOb2RAh7Mc28I3JsbZ6oucv80Xpe9uHTkvNcitUUD
4lFKyHPv65t6/19lju4clUXC+fbP94uL1I9g8nQlCBWSmQt+QZeCZ5xcBoCh0qb1CexWVihixZPRxcp7Ut+JCt1RCL1IYNJqA7k33xTT7KyXgV8f0BYuck5PdeDMFYVB77dju
kAlWDpRd2PYOTosswHnF6d1rTQihawC+BOBx2U03jROO57K/xnto/shWxuz4j8kBQHuX+RJfZvOZLtO5AsgmM/34iTe6fitAQ5MVi5R1X7BioxUik9OgXUjRa/ilFvm9JfAe/
TxYclvNckP3ZtnsLyM3vynitaKIzUPhDotnvfJhZb1hVL69KYl77Bh/b6/wKF8vzoytXHgUkwgaBfvGvugD4oyH0yhzRWaazi905+OkbqwH2pb+/JY11PSQgRxaVYMvvgfcfg
sDvfjS0CA44oj/Nz0//fAhYYBW6kggFcMIIBWKADAgESooIBTwSCAUsxZR1eKvSuYI6zhYpUMZJQ5cyo/GmW7Zrq9qcFO3pZjdOI9/gGKp9H5pYsmOcEx6zzCfRw1yBsVz7Mh
BmAITrQ7FslxYzQS/O6TTaJsT2TPL3dfwyOaqM7xv4xtht3GN9vr6KceDhfU7jBC6osgSioL5/HOzTuwpZW7eUg+22PDdLx/1XbTlBcYL9ZVJ73ELgbv/EadMCWwe1VCowKJx
YZjaZTTiIhPa68Nogxu7QnaXGE7CLUD8LeJuoh3fL1VGMfD+5X/azU8Bla2pqMT1OvUfhuDUK9s/3++tzFUNIVuzYlP+IxVFFM6kSrxlV1Raoywasu0PIczzjQ4hRV3xJ1NEI
yCuiXSN4oxJP3kq6a/TzFsxURdBbKK5YuNIRmb3t/mTpgihoGXKJPoDwEPpbB55IUBhhDG9t3y7sPEcpo48M4JVAJxslG5GM+0000002CPuzRqM2PPoahT81xmujDkYbkp2uE
O19dIzolNFXEmmU=." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.
NextHopDomain : Submission
LastError :
I just had this issue and the problem was that the time difference between the 2 hub transport servers was greater than 5 minutes. I synced the time and retried the queue and the mail flowed again.
When I run the following from Windows 7 with Cygwin to connect to a CFEngine version 3.4.2 server:
cf-agent -Bs 217.64.173.210
Challenge response from server 217.64.173.210/217.64.173.210 was incorrect!
I: Made in version 'not specified' of '/var/cfengine/inputs/update.cf' near line 47
!! Authentication dialogue with 217.64.173.210 failed
Challenge response from server 217.64.173.210/217.64.173.210 was incorrect!
I: Made in version 'not specified' of '/var/cfengine/inputs/update.cf' near line
and line 47 of /var/cfengine/inputs/update.cf is:
47 : perms => m("600"),
On Cygwin, in the keys folder:
/var/cfengine/ppkeys
localhost.pub
localhost.priv
root-MD5=b8825ba0a0e7017e34b15766d3b3ac58 (which is also on the CFEngine server side as the shared key)
On the CFEngine server side:
/var/cfengine/ppkeys/
localhost.priv
localhost.pub
root-MD5=b8825ba0a0e7017e34b15766d3b3ac58
With Regards
Sandeep
Did you also get the server to trust the client's key? like so:
cf-key -t root-MD5=b8825ba0a0e7017e34b15766d3b3ac58
(on the server)
Also, try restarting cf-serverd in verbose mode with the -v switch on the server, and watch what error messages you get on that end.
I'm working on a very large puppet deployment, but seem to be hitting a brick wall. My ideal setup is to use Nginx + Passenger to serve puppet. The problem I am having is that Puppet throws errors when running through passenger. If I start puppetmasterd, everything works fine, but serving through Passenger gives the following errors:
Jun 22 07:33:04 $master_hostname puppet-master[15710]: Starting Puppet master version 2.6.8
Jun 22 07:33:04 $master_hostname puppet-master[15720]: No support for http method POST
Jun 22 07:33:04 $master_hostname puppet-master[15720]: Denying access: Forbidden request: $client_hostname($client_ip) access to /report/$client_hostname [save] authenticated at line 0
Jun 22 07:33:04 $master_hostname puppet-master[15720]: Forbidden request: $client_hostname($client_ip) access to /report/$client_hostname [save] authenticated at line 0
Everything seems to point to an auth.conf problem, but my auth.conf file is about as generic as it could get, and like I said, everything works when I serve puppet using Rack directly.
Has anybody ever run into this issue?
Sounds like this:
http://groups.google.com/group/puppet-users/browse_frm/thread/910994e88f21a497/cae809c17a9acd8a?#cae809c17a9acd8a
The concept being that you need to configure NGINX to pass information through to Puppet as it now provides the SSL layers.