My Spring Boot project works fine on https / ssl, when serving locally, using a p12 cert, but fails when uploading to AWS Elastic Beanstalk.
The following is the application.properties configuration:
security.require-ssl=true
server.use-forward-headers=true
server.port=8443
server.ssl.key-store: classpath:keystore.p12
server.ssl.key-store-password: jonathan
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat
The WebSecurityConfigurerAdapter subclass, configure(HttpSecurity http) method, contains the following line, to enable HTTPS / SSL:
http.requiresChannel().antMatchers("/**").requiresSecure();
Attached is classic load configurer configuration, inside AWS elastic beanstalk console:
Here is the SSL Certificate issued with the grasshapper.net domain, under AWS Certificate Manager:
I also have settings for under .ebextensions, the file with path is, src/main/resources/.ebextensions/.config (not sure if even needed):
option_settings:
aws:elb:listener:8443:
SSLCertificateId: [keeping private]
ListenerProtocol: HTTPS
InstancePort: 80
InstanceProtocol: HTTP
aws:elb:listener:80:
ListenerEnabled: false
Note (SSLCertifcateId): the ID is taken from the ARN, my AWS Certifcate manager SSL Certificate (if you expand the SSL Certificate you will see the ARN).
Does the proxy have a trusted IP address?
By default, IP addresses in 10/8, 192.168/16, 169.254/16 and 127/8 are
trusted. You can customize the valve’s configuration by adding an
entry to application.properties, as shown in the following example:
server.tomcat.internal-proxies=192\.168\.\d{1,3}\.\d{1,3}
Reference: https://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/html/howto-embedded-web-servers.html#howto-customize-tomcat-behind-a-proxy-server
Related
how to add a trusted CA for local Consul docker container?
So I have a consul running as a docker container and I am able to access it using chrome at localhost:8500 after exposing the ports, as expected. But due to company setting there is a security CA being added that chrome trusts, since it is added to MacOS keychain, but consul does not seems to trust when I try to use golang library to connect to consul
x509: “Menlo Security Intermediate CA” certificate is not trusted"
I get a certificate is not trusted error. I am able to export the CA to a RootCA.cer file from the keychain but how do I configure consul image to trust this CA file?
https://iotech.force.com/edgexpert/s/article/secure-consul-tls
I see articles like this
ca_file is used to check the authenticity of the client and server connections
cert_file is provided to clients and server to verify the agent's authenticity
key_file is used with the certificate to verify the agent's authenticity
but for me, the .cer export file will be used as cert_file?
how should I do it in docker compose?
consul:
image: dockerproxy.comp.com/consul:latest
ports:
- "9500:9500"
I am trying to set up a spring boot application to talk to my Vault server over TLS. I want to use mutual certificate authentication. I could set up the Vault server with TLS and I am able to use the CLI to login to it using client certificates. However, the spring boot application is unable to present its client certificate to the Vault server - each time I run my app, the Vault server prints:
http: TLS handshake error from 127.0.0.1:33288: tls: client didn't provide a certificate
The client (my spring boot app) prints:
org.springframework.vault.authentication.VaultLoginException:
Cannot login using org.springframework.web.client.ResourceAccessException:
I/O error on POST request for "https://localhost:8200/v1/auth/cert/login":
Received fatal alert: bad_certificate;
nested exception is javax.net.ssl.SSLHandshakeException:
Received fatal alert: bad_certificate
... (a stack trace for VaultLoginException)
Here is my bootstrap.yml:
spring:
application.name: vault-demo
cloud.vault:
host: localhost
port: 8200
scheme: https
uri: https://localhost:8200
connection-timeout: 5000
read-timeout: 15000
config.order: -10
authentication: CERT
ssl:
trust-store: classpath:keystore.jks
trust-store-password: changeit
key-store: classpath:client-cert.jks
key-store-password: changeit
cert-auth-path: cert
I can't find any documentation around the various properties that needs to be configured under spring.cloud.vault.*.
My client-cert.jks store has the client certificate and key. Enabling SSL verbose logs, I can see this:
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
which indicates that the client found the server's certificate in its trust store, but it's not sending the client's certificate to the server.
Further, if I use curl to send a login request, it is successful:
curl -k --request POST \
--cert work/ca/certs/client.cert.pem \
--key work/ca/private/client.decrypted.key.pem \
--data #payload.json \
https://localhost:8200/v1/auth/cert/login
# gives me back a JSON with newly issued token.
I also tried using a config class and passed the javax.net.ssl.keyStore and related properties as JAVA_OPTS, but there is absolutely no difference - vault keeps on saying that the client didn't send a certificate:
#Configuration
public class AppConfig extends AbstractVaultConfiguration {
#Value("${vault.uri}")
URI vaultUri;
#Override
public VaultEndpoint vaultEndpoint() {
return VaultEndpoint.from(vaultUri);
}
#Override
public ClientAuthentication clientAuthentication() {
try {
RestTemplate restTemplate = new RestTemplate();
HttpClientBuilder httpClientBuilder = HttpClients.custom()
.setSSLContext(SSLContext.getDefault())
.useSystemProperties();
restTemplate.setRequestFactory(
new HttpComponentsClientHttpRequestFactory(
httpClientBuilder.build()));
return new ClientCertificateAuthentication(restTemplate);
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
}
}
Anyone can point out what I am missing / have done wrongly?
The issue was that my Vault configuration did not specify the tls_client_ca_file property correctly. Set it to the root CA certificate and everything worked. There was no need to add an AppConfig class either.
First, thanks to all who may or may not try to help me.
My Problem: I'm trying to create an ssl certificate with Let's Encrypt. Already installed everything mentioned in the documentation. I decided to use certbot / since it seemed to be the easiest way for me to fulfill my needs.
We have freed both ports 80 and 443 and every request that comes to one of these ports are redirected to my Ubuntu 18.04 machine's internal IP address.
There are no configurations on this machine, so nothing listens on port 80 or 443, as you can see on my netstat command:
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 895/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1211/sshd
tcp6 0 0 :::22 :::* LISTEN 1211/sshd
After creating the certificate I'll run a spring boot application, which should use the certificate.
As far as I understood from the documentation, it isn't required to have running applications listening on these ports. It ought be possible to create the certificate by using the standalone parameter. So I guess certbot creates a small application listening to one of these ports on it's own to verify that I'm the one, who I claim to be. Right?
placeholder.example.com is as you will assume a placeholder. I think it's obvious why I'm not publishing my domainname, when having port 80 & 443 opened.
root#urlaub:/# certbot certonly --standalone --preferred-challenges http -d placeholder.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for placeholder.example.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. placeholder.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://placeholder.example.com/.well-known/acme-challenge/jCJ4waxV0aYPxjqDI3OcBXXPReNSrse1kd6piK9Dwdo: Connection refused
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: placeholder.example.com
Type: connection
Detail: Fetching
http://placeholder.example.com/.well-known/acme-challenge/jCJ4waxV0aYPxjqDI3OcBXXPReNSrse1kd6piK9Dwdo:
Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
EDIT: I've had tried this a lot of times, without success. Now there are 13 .pem files in /etc/letsencrypt/keys
Can I convert them to .p12 file to use it in an spring boot application?
It was an issue with the redirection to my server machine. So the above used command works properly and I was able to create a certificate. If anyone wants to use it: go for it.
My intent was to use it in a spring boot application and needed a pkcs12 file. I was able to convert the .pem files created by certbot to a .p12 file by using following command:
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname tomcat
In your application.properties you've to put following:
server.port: PORTNUMBER
server.ssl.key-store:/etc/letsencrypt/live/<YOURDOMAIN>/keystore.p12
server.ssl.key-store-password: <PASSWORD YOU WERE PROMPTED WHEN CREATING THE CERTIFICATE>
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat
With Let's Encrypt if you use HTTP validation, you will need a server serving requests on port 80 (HTTP) for placeholder.mydomain.com so that the Let's Encrypt server can download the file .well-known/acme-challenge/jCJ4waxV0aYPxjqDI3OcBXXPReNSrse1kd6piK9Dwdo. This is how Let's Encrypt validates that you have control over the domain. Note: That filename is generated dynamically and will be different each time you attempt validation.
Another option that I use is to use DNS validation and then create the special record in my DNS server. You can then create the certificates on your desktop for any service that requires SSL for that domain name.
I have installed Mirth connect and it is running on https://example.com:8443 but it throwing https warning. If I run https://example.com it doesn't show any warning because ssl certificate is instaled. The issue is with the port. Please help me out from this problem.
Thanks.
Mirth Connect generates a new self-signed certificate on first startup. You can replace this with your own cert, it's the "mirthconnect" alias in the keystore.jks file. Follow the Changing The Server Certificate section in the user guide.
I am trying to add password authentication in my elasticsearch cluster using readonlyrest plugin. I installed the plugin successfully now i am trying to configure my configuration file(.yml file) but there In case 0 they are using a keystore see below
http.type: ssl_netty4
readonlyrest:
enable: true
ssl:
enable: true
keystore_file: "/elasticsearch/plugins/readonlyrest/keystore.jks"
keystore_pass: readonlyrest
key_pass: readonlyrest
Can anyone please tell me from where i can generate this keystore and also where is the username and password authentication parameters set in this plugin.
You can use Letsencrypt to generate a valid SSL certificate for free.
Use Letsencrypt's own tool called certbot
A Letsencrypt certificate works just fine in ReadonlyREST, but first you have to convert it into a JKS keystore.
Obtaining a JKS keystore from Letsencrypt certs is a common procedure: you would do the same if you want to use Letsencrypt with Tomcat. A very common, googleable use case.
PS: I will progressively release some detailed documentation in the following weeks on the official website.