Error: Failed to import identity. Error: privateKey not specified or not a string - hyperledger-composer

I created my network with an admin card which I requested before, but when I want to import this card into the card store, the import fails with the error:
Failed to import identity. Error: privateKey not specified or not a string
My operations are:
1. Create the PeerAdmin card:
composer card create -p ./santai/byfn-network-test.json -u PeerAdmin -c ./santai/Admin#santai.chembeango.com-cert.pem -k ./santai/689f471246b0e180384660285aff48dcc5e12b9fd6bed4e5a47cce7ce367310f_sk -r PeerAdmin -r ChannelAdmin -f PeerAdmin#chembeango-network-test.card
2. Import the PeerAdmin card into the card store:
composer card import -f PeerAdmin#chembeango-network-test.card --card PeerAdmin#chembeango-network-test
3. Identity request:
composer identity request -c PeerAdmin#chembeango-network-test -u test -s t789456 -d test
4. Start the network:
composer network start -c PeerAdmin#chembeango-network-test -n chembeango-test-network -V 0.0.1 -o endorsementPolicyFile=./endorsement-policy.json -A test -C test/test-pub.pem
5. Import the admin card:
composer card import -f test#chembeango-test-network.card
I checked my private key PEM; it is:
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgGPwysYDw6+TLcgiv
QOHt7vhm3j5A9muqwmIKutoxdhGhRANCAASDNP95hp3tpLda5qGD2LTSfpjD4x4t
mqYlov5eIQhG1Nq7BXdn0fJYtpPB5T5odaoheUU0xDcC4BXAmqb9LYif
-----END PRIVATE KEY-----
I renamed my card to a zip file and unzipped it; the structure is:
extracting: connection.json
extracting: metadata.json
creating: credentials/
extracting: credentials/certificate
I didn't find the priv key, is this the problem?

You are correct, the card that is automatically created for you does not contain the private key!
You need to delete that automatically generated card and create a new one yourself containing the certificate and key. So you will need 2 commands similar to these - I'm suggesting using 'test2' so there is no confusion:
composer card create -p ./santai/byfn-network-test.json -u test -c test/test-pub.pem -k test/test-priv.pem -f test2.card -n chembeango-test-network
composer card import -f test2.card -c test2#chembeango
(The automatically generated cards work OK in single org environments if you specify the username and secret on the composer network start command, but if you request the identity first and then use the certificate on the start command the resulting card does not contain the private key)

I solved this problem.
My operations are:
added the test priv pem to the credentials folder,
renamed it to PrivateKey.
I zipped these files into a zip file,
renamed this zip file to card,
and imported the card into the card store. It works!
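
Both answers above come down to whether the card archive carries a key next to the certificate. The following check is an added example, not code from the posts or from Composer: it opens a card as a zip file and reports what identity material it holds. The key entry name and the `metadata.json` field names (`userName`, `enrollmentSecret`) are assumptions, and the sample cards are constructed with placeholder PEM bodies.

```python
import io
import json
import zipfile

# Assumed entry names: "credentials/certificate" is in the unzip listing above;
# the key entry is matched case-insensitively since the post calls it "PrivateKey".
CERT_ENTRY = "credentials/certificate"
KEY_ENTRY = "credentials/privatekey"


def inspect_card(card_bytes):
    """Report which identity material a .card (zip) archive carries."""
    with zipfile.ZipFile(io.BytesIO(card_bytes)) as zf:
        names = {n.lower(): n for n in zf.namelist() if not n.endswith("/")}
        meta = json.loads(zf.read(names["metadata.json"]))
        key_pem = zf.read(names[KEY_ENTRY]) if KEY_ENTRY in names else b""
    report = {
        "user": meta.get("userName"),
        "has_certificate": CERT_ENTRY in names,
        "has_private_key": b"PRIVATE KEY-----" in key_pem,
        "has_secret": bool(meta.get("enrollmentSecret")),
    }
    # A card needs a certificate/key pair or an enrollment secret to be usable.
    have_pair = report["has_certificate"] and report["has_private_key"]
    report["usable"] = have_pair or report["has_secret"]
    return report


def build_card(entries):
    """Build an in-memory card from {entry name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: placeholder PEM bodies, not real credentials.
META = json.dumps({"userName": "test", "businessNetwork": "chembeango-test-network"}).encode()
CERT = b"-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
KEY = b"-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"
BASE = {"connection.json": b"{}", "metadata.json": META, CERT_ENTRY: CERT}

generated_card = build_card(BASE)  # as in the question: certificate only
fixed_card = build_card({**BASE, "credentials/PrivateKey": KEY})  # after the fix

if __name__ == "__main__":
    print(inspect_card(generated_card))
    print(inspect_card(fixed_card))
```

A card that reports `has_private_key` holds signing material for that identity, so it should be stored and transferred like any other private key file.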

Related

OpenSSL on Windows is not loading from CA Store

I have a leaf cert, intermediate cert, and a root cert.
client.crt contains all three, by way of cat leaf.crt intermediate.crt root.crt > client.crt
$ # Fails
$ openssl.exe verify client.crt
C = US, ...
error 20 at 0 depth lookup: unable to get local issuer certificate
error client.crt: verification failed
$ # Passes, as expected, since it has the whole chain
$ openssl.exe verify -CAfile client.crt client.crt
client.crt: OK
$ # Add intermediate and root to stores
$ certutil.exe -addstore -f "ROOT" .\root.crt
CertUtil: -addstore command completed successfully.
$ certutil.exe -addstore -f "CA" .\intermediate.crt
CertUtil: -addstore command completed successfully.
$ # Both client.crt and leaf.crt fail to verify
$ openssl.exe verify client.crt
C = US, ...
error 20 at 0 depth lookup: unable to get local issuer certificate
error client.crt: verification failed
$ openssl.exe verify leaf.crt
C = US, ...
error 20 at 0 depth lookup: unable to get local issuer certificate
error leaf.crt: verification failed
It appears as if openssl.exe is not picking up the certs I install. I've also gone through and installed these through the Windows certificate manager to no avail.
How do I get openssl to pick up this CA chain?

Automatically answer to bash script openvpn command

I need to respond to 3 questions in a script:
yes
password*
password*
I don't want to use a separate script just for this command.
This is the output when I use this command:
printf "yes\password*\npassword*\n" | docker-compose run --rm openvpn ovpn_revokeclient "ovpn-"$1 remove
Please confirm you wish to revoke the certificate with the following subject:
subject=
commonName = ovpn-toto5
Type the word 'yes' to continue, or any other input to abort.
Continue with revocation: Using configuration from /etc/openvpn/pki/easy-rsa-9.IlcpnJ/tmp.PKMKIm
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Revoking Certificate 6D9F08EFEB4D6A925969D8829F20A4C0.
Data Base Updated
IMPORTANT!!!
Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.
Generating the Certificate Revocation List :
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Using configuration from /etc/openvpn/pki/easy-rsa-47.nEJLBc/tmp.OeLpeI
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
User interface error
139677322186056:error:2807106B:UI routines:UI_process:processing error:crypto/ui/ui_lib.c:545:while reading strings
unable to load CA private key
139677322186056:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:583:
139677322186056:error:0906A065:PEM routines:PEM_do_header:bad decrypt:crypto/pem/pem_lib.c:461:
Easy-RSA error:
CRL Generation failed.
ERROR: 1
I tried with echo too, but got the same problem.
I just don't understand how I can pass those values.
Thanks for the help!
SEXPECT:
/usr/bin/sexpect spawn docker-compose run --rm openvpn easyrsa build-client-full "ovpn-toto" nopass
out=$(sexpect expect_out)
if [[ $out == "Enter pass phrase for /etc/openvpn/pki/private/ca.key:" ]]; then
sexpect send -enter "mypassword*"
continue
fi

Not able to extract the certificate for elasticsearch cluster transport layer hosted on AKS

I have an Elasticsearch cluster running on Azure AKS. I want to connect to a different ES cluster running on a separate AKS, for which I need to export the certificate from one cluster and add it to the other cluster. I am following the official documentation from here.
However, I am not able to export the certificate and get an error on executing the following command:
kubectl get secret europecluster-es-transport-certs-public -o go-template='{{index .data "ca.crt"}}'
Error I am getting is:
error: error parsing template {{index .data ca.crt}}, template: output:1: function "ca" not defined
I am a novice in the Elastic and Kubernetes space, and am not able to find a solution for this on the internet.

If you are okay with manually extracting the ca.crt value and decoding it, then you can try the following:
Extract the ca.crt value without quotes [copy to clipboard]
kubectl get secret europecluster-es-transport-certs-public -o json | grep ca.crt
Perform a base64 decode and redirect it to a file
echo -n <paste clipboard content> | base64 -d -w 0 > remote.ca.crt
The above procedure performs the same operation as the go template does in your command.
Example:
kubectl get secret default-token-h8w57 -o json | grep -i ca.crt

Makecert: a certificate basic constraints extension has not been observed

I'm trying to create a self-signed certificate with makecert. Here is what I do:
makecert -n "CN=TuyenTk CA, C=VN, ST=Hanoi, L=Hoan Kiem" -cy authority -h 1 -a sha1 -sv "D:\TuyenTk CA.pvk" -r "D:\TuyenTk CA.cer"
makecert -n "CN=TuyenTk" -ic "D:\TuyenTk CA.cer" -iv "D:\TuyenTk CA.pvk" -eku "1.3.6.1.5.5.7.3.3" -cy end -a sha1 -h 0 -sky exchange -pe "D:\TuyenTk.cer"
pvk2pfx -pvk "D:\TuyenTk CA.pvk" -spc "D:\TuyenTk CA.cer" -pfx "D:\TuyenTk.pfx" -pi "myPassWord"
The first line makes the self-signed cert (CA cert), the second line uses the CA cert to sign another cert, and the last generates the pfx file to sign the exe file.
Though all 3 commands above report success, when I double-click TuyenTk CA.cer and TuyenTk.cer, the Details tab in Windows says that the basic constraints is critical. So when I use the TuyenTk.pfx file to sign my exe file, in the Digital Signatures tab, the certificate is not valid: a certificate basic constraints extension has not been observed
I viewed the cert's details before installing it, and after installing it in the trusted root or personal location of the cert store, I still see the error.
How can I fix this problem? Thanks!

To create your self-signed root CA certificate, try these options:
makecert -r -pe -m 1200 -len 2048 -n "CN=TuyenTk CA, C=VN, ST=Hanoi, L=Hoan Kiem" -ss CA -sr CurrentUser -a sha1 -sky signature -cy authority -sv "D:\TuyenTk_CA.pvk" "D:\TuyenTk_CA.cer"
I left off "-h 1" to give you unlimited signing depth in the basic constraints; some SSL packages don't like unlimited path lengths, so you can either have layers of keys or put in "-h 5" or whatever value you feel will serve your needs. Switches I added:
-pe Make private key exportable
-m 1200 Make CA key valid for 100 years (1200 months)
-ss CA This key goes into the CA certificate store
-sr CurrentUser Certificate store location
-sky signature Key type (use for signing)
I also added an underscore (instead of a blank) in the name; may not be necessary, but my certificate files do not have spaces (these utilities can be odd sometimes).
When you import the CA certificate, make sure you do so into the "Trusted Root Certification Authorities\Local Computer" physical store location. For instance, use this from an Admin cmd prompt:
certutil -addstore -v root "D:\TuyenTk_CA.cer"
These steps worked for me on XP and work today on Windows 7. Hope this helps!
drac

Magento Turpentine authentication error

I have installed a module called Turpentine in my Magento (1.9.1) store to cache pages with Varnish, but I have some issues with it.
After the installation I opened the file /etc/varnish/secret and copied the secret key, then went back to the backend and pasted this key. However, on saving, the system shows me the following message:
Failed to apply the VCL to 127.0.0.1:6082: Got unexpected response code from Varnish: 107 ftfavpxpdqciyfzwuwtddrefouwffsdl Authentication required.
Reading the module documentation (https://github.com/nexcess/magento-turpentine/wiki/Configuration), I saw that the key contains a line break, and it is suggested to put a /n at the end of the key in the backend.
When I try to put /n after the key in the backend, the system displays the following message:
Failed to apply the VCL to 127.0.0.1:6082: Varnish data to write over length limit by 122 characters
Varnish esi_syntax param is not set correctly, please see these instructions to fix this warning.
The key was:
b6736327-be5e-4b52-a05a-875ea9271424
and looked like this:
b6736327-be5e-4b52-a05a-875ea9271424\n

Try this.
Edit the Varnish defaults file:
sudo nano /etc/default/varnish
Set this for "DAEMON_OPTS":
DAEMON_OPTS="
-p cli_buffer=16384 \
-a :80 \
-T localhost:6082 \
-f /etc/varnish/default.vcl \
-S /etc/varnish/secret \
-s malloc,256m"
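
Why a trailing line break in the secret matters for the 107 response quoted in the question, as an added example that is not part of the original posts or of the module: the Varnish management CLI expects a SHA-256 digest computed over the challenge and the exact bytes of the `-S` secret file. The handling of a literal `\n` in the backend field (`configured_secret`) is an assumption about the module, and the secret file content with a trailing newline is constructed from the key quoted above.

```python
import hashlib
import hmac
import re


def auth_response(challenge, secret):
    """Varnish CLI authenticator: SHA-256 over challenge, newline,
    secret file contents, challenge, newline, as lowercase hex."""
    ch = challenge.encode("ascii") + b"\n"
    return hashlib.sha256(ch + secret + ch).hexdigest()


def parse_challenge(message):
    """Pull the challenge out of a flattened 107 response like the one quoted above."""
    m = re.search(r"\b107\s+([a-z]{32})\b", message)
    return m.group(1) if m else None


def server_accepts(challenge, secret_file_bytes, client_response):
    """Server side: recompute from the raw bytes of the -S file and compare."""
    expected = auth_response(challenge, secret_file_bytes)
    return hmac.compare_digest(expected, client_response)


def configured_secret(field_value):
    """Assumed backend behaviour: a literal backslash-n becomes a newline byte."""
    return field_value.replace("\\n", "\n").encode("ascii")


# Message and key as quoted in the question; the trailing newline in the file
# content is the case the module documentation describes (constructed here).
MESSAGE = ("Failed to apply the VCL to 127.0.0.1:6082: Got unexpected response code "
           "from Varnish: 107 ftfavpxpdqciyfzwuwtddrefouwffsdl Authentication required.")
SECRET_FILE = b"b6736327-be5e-4b52-a05a-875ea9271424\n"


def try_login(field_value):
    """Return True if the secret as entered in the backend would authenticate."""
    challenge = parse_challenge(MESSAGE)
    response = auth_response(challenge, configured_secret(field_value))
    return server_accepts(challenge, SECRET_FILE, response)


if __name__ == "__main__":
    print(try_login("b6736327-be5e-4b52-a05a-875ea9271424"))     # newline missing
    print(try_login("b6736327-be5e-4b52-a05a-875ea9271424\\n"))  # newline restored
```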
