Generating a certificate chain in Ansible - ansible

I am trying to generate a chain (self signed + one signed by the self signed) of certificates using Ansible OpenSSL modules.
So far I have the following tasks:
- name: Generate a Self Signed OpenSSL certificate
  become: yes
  block:
    - apt:
        name: python-openssl
        update_cache: yes
    - openssl_privatekey:
        path: /tmp/ansible.com.pem
    - openssl_csr:
        path: /tmp/ansible.com.csr
        privatekey_path: /tmp/ansible.com.pem
        common_name: ansible.com
    - openssl_certificate:
        path: /tmp/ansible.com.crt
        privatekey_path: /tmp/ansible.com.pem
        csr_path: /tmp/ansible.com.csr
        provider: selfsigned
    - openssl_privatekey:
        path: /tmp/child.com.pem
    - openssl_csr:
        path: /tmp/child.com.csr
        privatekey_path: /tmp/child.com.pem
        common_name: child.com
    - openssl_certificate:
        path: /tmp/child.com.crt
        privatekey_path: /tmp/ansible.com.pem
        csr_path: /tmp/child.com.csr
        provider: selfsigned
But the problem is that the child certificate is not valid:
openssl verify -verbose -CAfile /tmp/ansible.com.crt /tmp/child.com.crt
/tmp/child.com.crt: CN = child.com
error 18 at 0 depth lookup:self signed certificate
OK
I am using Ansible 2.6.1

A self-signed certificate is a self-signed certificate regardless of what key you provided for signing (this key is never verified anyway, because "you trust the certificate directly").
If you check the contents of the child.com.crt certificate with openssl x509 -in /tmp/child.com.crt -text -noout command, you'll see:
Certificate:
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=child.com
Subject: CN=child.com
not Issuer: CN=ansible.com (and there is no way to know whose key it is during the signing task, based on the key alone ― a key is just a random number; you'd need to provide the certificate of the signing party somewhere in the task, which you don't).
What you want to achieve will be possible in Ansible 2.7 with a new provider ownca introduced by this commit:
The 'ownca' provider is intended for generating an OpenSSL certificate signed with your own CA (Certificate Authority) certificate (self-signed certificate).
Example:
- name: Generate an OpenSSL certificate signed with your own CA certificate
  openssl_certificate:
    path: /etc/ssl/crt/ansible.com.crt
    csr_path: /etc/ssl/csr/ansible.com.csr
    ownca_path: /etc/ssl/crt/ansible_CA.crt
    ownca_privatekey_path: /etc/ssl/private/ansible_CA.pem
    provider: ownca
For now (up to Ansible 2.6.x) you need to call openssl x509 -req (see examples) with the command module.
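The openssl x509 -req route that the answer points to for Ansible 2.6 is written out below as a stand-alone shell script. This is an added example, not the asker's playbook, Ansible's own code or the linked commit; the "Ansible Demo CA" subject, the file names and the working directory are placeholders chosen for the demo. It creates a CA certificate that carries CA:TRUE and keyCertSign, signs the child CSR with -CA/-CAkey (not -signkey, which would again produce a self-signed certificate with Issuer = Subject), and then runs the same openssl verify check the question used. In a playbook each openssl call would become a command task; from Ansible 2.7 on, the child step is what provider: ownca does for you.

```shell
#!/bin/sh
# Added example: two-level certificate chain with plain openssl commands.
# All names and paths are placeholders for this demo.
set -eu

# Create a self-signed CA and a child certificate signed by it, inside $1.
make_chain() {
    dir=$1

    # CA extensions: a certificate that is allowed to sign other certificates.
    cat >"$dir/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    # Leaf extensions: explicitly not a CA, server authentication only, with a SAN.
    cat >"$dir/leaf.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:child.com
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF

    # 1. CA key and CSR, then self-sign that CSR with its own key (-signkey).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Ansible Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -days 3650 -sha256 -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    # 2. Child key and CSR, signed by the CA with -CA/-CAkey. This is what
    #    makes Issuer = the CA's subject instead of another self-signed cert.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=child.com" \
        -keyout "$dir/child.key" -out "$dir/child.csr" 2>/dev/null
    openssl x509 -req -in "$dir/child.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$dir/leaf.ext" -out "$dir/child.crt" 2>/dev/null
}

# Issuer DN of the child certificate in RFC 2253 form, e.g. "CN=Ansible Demo CA".
child_issuer() {
    openssl x509 -in "$1/child.crt" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# The check from the question; prints "child.crt: OK" when the chain is valid.
verify_child() {
    (cd "$1" && openssl verify -CAfile ca.crt child.crt)
}

# Without the CA in the trust store the child must not verify: it is no
# longer self-signed, so there is nothing to anchor it to. Prints yes/no.
child_verifies_alone() {
    if (cd "$1" && openssl verify -CAfile child.crt child.crt >/dev/null 2>&1); then
        echo yes
    else
        echo no
    fi
}

main() {
    work=$(mktemp -d)
    make_chain "$work"
    echo "child issuer: $(child_issuer "$work")"
    verify_child "$work"
    echo "child verifies without the CA: $(child_verifies_alone "$work")"
    rm -rf "$work"
}

main
```

The -extfile sections matter as much as the signing key: the CA needs CA:TRUE and keyCertSign so that verifiers accept it as an issuer, and the leaf should say CA:FALSE so it cannot be mistaken for one.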

Related

How to correctly setup TLS/SSL on localhost using http-server?

I'm using http-server to serve my local project through HTTPS. To create the key.pem and the cert.pem files, I followed the documentation:
First, you need to make sure that openssl is installed correctly, and
you have key.pem and cert.pem files. You can generate them using this
command:
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
You will be prompted with a few questions after
entering the command. Use 127.0.0.1 as value for "Common name" if you
want to be able to install the certificate in your OS's root
certificate store or browser so that it is trusted.
This generates a cert-key pair and it will be valid for 3650 days
(about 10 years).
Then you need to run the server with -S for enabling SSL and -C for
your certificate file.
http-server -S -C cert.pem
I used the openssl.exe that comes with Git, and installed the generated certificate on Windows (into the "Trusted Root Certification Authorities" store). Here is the output after running the server:
Starting up http-server, serving ./ through https
http-server version: 14.1.1
http-server settings:
CORS: disabled
Cache: 3600 seconds
Connection Timeout: 120 seconds
Directory Listings: visible
AutoIndex: visible
Serve GZIP Files: false
Serve Brotli Files: false
Default File Extension: none
Available on:
https://10.20.30.232:8080
https://192.168.56.1:8080
https://192.168.1.126:8080
https://127.0.0.1:8080
Hit CTRL-C to stop the server
But when I access https://127.0.0.1:8080, I get the following error in Google Chrome:
Your connection is not private
...
NET::ERR_CERT_COMMON_NAME_INVALID
Subject: 127.0.0.1
Issuer: 127.0.0.1
...
This server could not prove that it is 127.0.0.1; its security certificate does not specify Subject Alternative Names.
And, the following is the error message Mozilla Firefox presents:
127.0.0.1:8080 uses an invalid security certificate.
The certificate does not come from a trusted source.
Error code: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
https://127.0.0.1:8080/
The server uses a certificate with a basic constraints extension identifying it
as a certificate authority. For a properly-issued certificate, this should not
be the case.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
So, what am I missing on setting up the HTTPS server to avoid the aforementioned errors?!
Chrome should accept this certificate if you explicitly list 127.0.0.1 as a "Subject Alternative Name" (SAN) of type IP. You can do so by adding -addext "subjectAltName = IP:127.0.0.1" to the openssl command:
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem -addext "subjectAltName = IP:127.0.0.1"
Firefox complains about a very different issue, i.e. that a certificate with a basic constraints extension with CA:TRUE is being used as an end-entity certificate. See also: https://bugzilla.mozilla.org/show_bug.cgi?id=1034124
You could try to generate the certificate without the basic constraints extension.
The shortcut solution would be to leverage existing solutions like https://github.com/FiloSottile/mkcert or https://github.com/davewasmer/devcert.
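Both browser errors in the question trace back to the extensions on the certificate, so here is an added example (not from the question, the answer or the http-server project) that generates the 127.0.0.1 certificate from an explicit openssl config file instead of the stock openssl.cnf. The [leaf] section supplies the IP-type SAN that Chrome wants and sets basicConstraints to CA:FALSE; the CA:TRUE that the stock config's v3_ca section puts on every req -x509 certificate, and that Firefox rejects on an end-entity certificate, is therefore never added. The DNS:localhost entry, the 10-year validity and the file names are choices made for this demo; the script runs from a temporary directory.

```shell
#!/bin/sh
# Added example: a browser-friendly self-signed certificate for 127.0.0.1,
# built from an explicit config so only the extensions listed here are set.
set -eu

# Generate key.pem and cert.pem inside directory $1.
make_localhost_cert() {
    dir=$1
    cat >"$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = leaf
prompt             = no

[ dn ]
CN = 127.0.0.1

[ leaf ]
# End-entity certificate: not a CA (what Firefox checks) ...
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
# ... with an IP-type SAN (what Chrome checks); DNS:localhost is a demo extra.
subjectAltName         = IP:127.0.0.1, DNS:localhost
subjectKeyIdentifier   = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Value line of a named X.509v3 extension in openssl's -text output.
cert_ext_value() {
    openssl x509 -in "$1/cert.pem" -noout -text \
        | grep -A1 "$2" | tail -n1 | sed 's/^ *//'
}

# "IP Address:127.0.0.1, DNS:localhost"
cert_san() {
    cert_ext_value "$1" "Subject Alternative Name"
}

# "CA:FALSE"
cert_basic_constraints() {
    cert_ext_value "$1" "Basic Constraints"
}

main() {
    work=$(mktemp -d)
    make_localhost_cert "$work"
    echo "SAN:               $(cert_san "$work")"
    echo "Basic Constraints: $(cert_basic_constraints "$work")"
    rm -rf "$work"
}

main
```

After generating the pair, the same http-server -S -C cert.pem invocation from the question applies; the certificate still has to be added to the OS or browser trust store, since nothing else vouches for it.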

My self-signed APK got Blocked by Play Protect

I am a home user working on Windows 7 X64. I have a problem with my signed APK.
My app is only for home use and learning. I won't submit to Google Play.
When installed, it shows
Blocked by Play Protect.
Play Protect doesn't recognise this app's developer.
Apps from unknown developers can sometimes be unsafe.
Tools:
keytool.exe v8.0.3019.9
openssl.exe v1.1.1k
zipalign.exe v29.0.3
apksigner.jar v29.0.3
Batch Script:
cls
del /f KEY.JKS
del /f KEY.PEM
del /f KEY.PK8
del /f CERT.PEM
"C:\Program Files\Java\jre1.8.0_301\bin\keytool.exe" -genkeypair -v -alias MYKEY -storepass 123456 -keypass 123456 -keystore KEY.JKS -keyalg RSA -keysize 2048 -validity 9999 -dname "EMAILADDRESS=android#android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US"
openssl.exe req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout KEY.PEM -out CERT.PEM -subj "/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android#android.com" -config openssl.cnf
openssl.exe pkcs8 -topk8 -nocrypt -inform PEM -outform DER -in KEY.PEM -out KEY.PK8
zipalign.exe -f -p 4 myApp.apk myApp_Align.apk
rem java -jar apksigner.jar sign --ks KEY.JKS --ks-pass pass:123456 --out myApp_Signed.apk myApp_Align.apk
java -jar apksigner.jar sign --key KEY.PK8 --cert CERT.PEM --out myApp_Signed.apk myApp_Align.apk
java -jar apksigner.jar verify -v --print-certs myApp_Signed.apk
pause
My key got blocked:
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
Signer #1 certificate DN: EMAILADDRESS=android#android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: 07d51277869be18dfe8618d797ad1c0c8e16b7c067d9d224962af960c0382bfb
Signer #1 certificate SHA-1 digest: 85789690f7f12d0d6f4c7f67adb96429c326049f
Signer #1 certificate MD5 digest: 13b9633388142f4d40295cd45ac65aa9
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: bb280251b6eb2a1dd5e2493a3ac23881e254274318a2247bce84fd067181c441
Signer #1 public key SHA-1 digest: b2be0f31d13ce91162bf7ccf9fa4662e7c47b2d6
Signer #1 public key MD5 digest: 9648bca600a81a383cffd490a8614852
I downloaded some APK from the internet and it doesn't get blocked.
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 certificate DN: EMAILADDRESS=android#android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc
Signer #1 certificate SHA-1 digest: 61ed377e85d386a8dfee6b864bd85b0bfaa5af81
Signer #1 certificate MD5 digest: e89b158e4bcf988ebd09eb83f5378e87
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: ef57b690165cb561b5026922c00d2d6574e8b184fa7d161e076f06e06e6d35db
Signer #1 public key SHA-1 digest: 0c2440c055c753a8f0493b4e602d3ea0096b1023
Signer #1 public key MD5 digest: 452f8cfe026b30a8a3e99a6074e5f285
I downloaded KEY.PK8 and CERT.PEM from the internet and it doesn't get blocked.
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
Signer #1 certificate DN: EMAILADDRESS=lorenz#londatiga.net, CN=Lorensius W. L. T, OU=AndroidDev, O=Londatiga, L=Bandung, ST=Jawa Barat, C=ID
Signer #1 certificate SHA-256 digest: 518ac8bdaf0c767deb31bae1eba826adbef793a68f22784cf3e19c67ba87ecb9
Signer #1 certificate SHA-1 digest: ece521e38c5e9cbea53503eaef1a6ddd204583fa
Signer #1 certificate MD5 digest: eea6f6f40858b8215c48b0465fe479b8
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 1024
Signer #1 public key SHA-256 digest: d8dc2ef9b37fcb543b07678a2d64d3a1dc5122642ee824a61dfbed0bf86d25c4
Signer #1 public key SHA-1 digest: 74bd7b456d9e651fc84446f65041bef1207c408d
Signer #1 public key MD5 digest: 58d291bc49e568eb8fc84dabaf508d08
What's wrong with my steps? I switched to a keystore (KEY.JKS), and it didn't work either.
Unless Google knows your key's fingerprint or the APK itself is signed with a Google key, it gets flagged by Play Protect as "unknown developer". You can "verify" your key by submitting an application signed by that particular key on Google Play.

Invalid SSL cert error when connecting to elasticsearch using DBeaver es driver

I have trouble using SSL keystore or truststore to connect to Elasticsearch client using DBeaver. This is an elastic stack on k8s installation on my local machine. I followed this official tutorial to set up a connection using DBeaver, but I have trouble figuring out how to make cert validation work.
I logged into the elasticsearch pod, downloaded the cert and key at /usr/share/elasticsearch/config/http-certs/tls.crt and /usr/share/elasticsearch/config/http-certs/tls.key. I combined them into a p12 format using this command:
openssl pkcs12 -export -in combined.pem -out cert.p12
elasticsearch.config:
http:
  ssl:
    certificate: /usr/share/elasticsearch/config/http-certs/tls.crt
    certificate_authorities: /usr/share/elasticsearch/config/http-certs/ca.crt
    enabled: true
    key: /usr/share/elasticsearch/config/http-certs/tls.key
transport:
  ssl:
    certificate: /usr/share/elasticsearch/config/node-transport-cert/transport.tls.crt
    certificate_authorities:
      - /usr/share/elasticsearch/config/transport-certs/ca.crt
      - /usr/share/elasticsearch/config/transport-remote-certs/ca.crt
    enabled: "true"
    key: /usr/share/elasticsearch/config/node-transport-cert/transport.tls.key
    verification_mode: certificate
However, I'm getting this invalid cert error:
These are the driver parameters:
What certs do I need in order to pass the cert check? I wish there was an insecure flag to ignore the validation since it runs in localhost.

Self-Signed certificate: openssl 21 (unable to verify the first certificate) [duplicate]

I have two extremely similar self signed certificates, generated via two different methods.
To test them I have:
Added an entry in my hosts file for local.mydomain.com
Set up an nginx server to listen on that domain on port 443 with the certificate under test plus associated private key (I then switch the cert and restart nginx to compare)
Connected to nginx with openssl s_client -connect local.mydomain.com -CAfile /path/to/the/ca/cert.pem
One certificate fails:
CONNECTED(00000003)
depth=0 CN = local.mydomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = local.mydomain.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=local.mydomain.com
i:/CN=local.mydomain.com
---
One certificate succeeds:
CONNECTED(00000003)
depth=0 CN = local.mydomain.com
verify return:1
---
Certificate chain
0 s:/CN = local.mydomain.com
i:/CN = local.mydomain.com
---
I compare the details of the certificates with openssl x509 -in /path/to/the/ca/cert.pem -text -noout
The failing cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
47:dc:02:c7:11:fc:8e:96:45:22:aa:6b:23:79:32:ca
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=local.mydomain.com
Validity
Not Before: Nov 18 11:55:31 2016 GMT
Not After : Nov 18 12:15:31 2017 GMT
Subject: CN=local.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
<stuff>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:local.mydomain.com
X509v3 Subject Key Identifier:
6D:4F:AF:E4:60:23:72:E5:83:27:91:7D:1D:5F:E9:7C:D9:B6:00:2A
Signature Algorithm: sha256WithRSAEncryption
<stuff>
The working cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9b:6b:3d:a3:b9:a3:a4:b4
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=local.mydomain.com
Validity
Not Before: Nov 19 13:27:30 2016 GMT
Not After : Nov 19 13:27:30 2017 GMT
Subject: CN=local.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
<stuff>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
03:E7:DA:AA:2E:CC:23:ED:C5:07:3D:E1:33:86:F5:22:D4:76:EB:CB
X509v3 Authority Key Identifier:
keyid:03:E7:DA:AA:2E:CC:23:ED:C5:07:3D:E1:33:86:F5:22:D4:76:EB:CB
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
57<stuff>
Looking at this the most obvious difference is that the working cert has CA:TRUE under X509v3 Basic Constraints. However, from reading around the web I was under the impression that self signed certs weren't meant to be CAs, in particular this says they normally won't be:
https://security.stackexchange.com/questions/44340/basic-self-signed-certificate-questions
The answer there says that being self-signed there is no CA involved. But maybe openssl requires self signed certs to have that set anyway?
From my own experiments I can confirm what you see. My explanation of the behavior is that a self signed certificate is still a certificate which is signed by the issuer, even if the issuer's certificate is the certificate itself. But only CA certificates can be used to sign certificates, i.e. that's exactly the constraint CA:true allows. This means that a self-signed certificate needs also to be a CA certificate with the constraint CA:true.
RFC5280 says:
So, if your certificate does not have CA:TRUE flag, this certificate may not be used to verify the signature on any certificate, including itself. OpenSSL correctly follows the RFC.
It is incorrect to think that a certificate belongs to one of two types, either "CA certificate" or "end-entity certificate". A certificate with CA:TRUE can be used for authenticating the entity. This is exactly what you do when you authenticate with a self-signed certificate. It can also be a certificate with CA:TRUE, signed by someone else.

Docker for Mac: x509: certificate signed by unknown authority error

I am using the latest Docker on Mac (native) and just try to do this:
docker run -d -p 8888:8888 jupyter/all-spark-notebook
But I got the error below:
Unable to find image 'jupyter/all-spark-notebook:latest' locally
latest: Pulling from jupyter/all-spark-notebook
fdd5d7827f33: Pull complete
a3ed95caeb02: Pull complete
f08e494cf5cc: Pull complete
6548f4aff175: Downloading
d762b5abb43e: Download complete
c841d1ad6a8e: Download complete
78ff99539390: Download complete
99dfa5547e73: Download complete
408ccccf138d: Download complete
0f7e4eccd74d: Download complete
9177afc586c3: Download complete
b474b13b1b14: Download complete
f204d6cd4f55: Downloading
a8a42c20abb9: Download complete
9ac0b73ff157: Downloading
0553d92e0f21: Downloading
dfaa7db17378: Download complete
262fc767b542: Download complete
a21800239eaa: Download complete
afe6294b97d7: Download complete
3d4589d060ea: Download complete
b81971b6c8e4: Download complete
9daebe0247b8: Downloading
ce63d084a226: Downloading
73eb272114bc: Download complete
b2c0c287ae3a: Download complete
f306272598a0: Downloading
04882c9afb9d: Downloading
docker: x509: certificate signed by unknown authority.
See 'docker run --help'.
I am doing this inside the company VPN, so it's behind a firewall / proxy. If I leave the VPN to pull the image and then get back on the VPN to run it, it's fine.
However, I do need to fix this problem because I do work inside the company a lot and cannot disconnect VPN at work. I have tried Google and found many Github issues like this https://github.com/docker/docker/issues/6474 but none solved the problem. I have tried docker run -d -p 8888:8888 jupyter/all-spark-notebook --insecure-registry https://index.docker.io:8888 and it didn't work either.
Below are some outputs based on what people were checking:
openssl s_client -connect index.docker.io:443 output this:
CONNECTED(00000003)
depth=1 /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEpDCCA4ygAwIBAgIDAyF3MA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT
...
YMYqJP5MkuAKzDL5u0b8mD/EHtoPkfWOIsA5i9YrAAoWRVOJHwfFfgSY+EpXpFc4
AZUPmdZGh6q1YNavRoOL/1D5aP/VBBtofj54uMbKOK8q6vxIXSyzaw==
-----END CERTIFICATE-----
subject=/OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 2429 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: F2A7D08F3628FFC3334DBFF7698E05CC5027A61F4F88914E541F466FD6004702
Session-ID-ctx:
Master-Key: 1EF9EB10A666597135CA6D5F14F10C717483C4C3873288281D0156410FE93C232E494A0935AA416EA736AE8CBDFBD925
Key-Arg : None
Start Time: 1462855143
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed
And openssl s_client -showcerts -verify 32 -CApath . -connect index.docker.io:443 output this:
verify depth is 32
CONNECTED(00000003)
depth=1 /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
verify return:1
---
Certificate chain
0 s:/OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
-----BEGIN CERTIFICATE-----
MIIEpDCCA4ygAwIBAgIDAyF3MA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT
...
YMYqJP5MkuAKzDL5u0b8mD/EHtoPkfWOIsA5i9YrAAoWRVOJHwfFfgSY+EpXpFc4
AZUPmdZGh6q1YNavRoOL/1D5aP/VBBtofj54uMbKOK8q6vxIXSyzaw==
-----END CERTIFICATE-----
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
...
ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh
gP8L8mJMcCaY
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 2429 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 04E8384F625F401B53C8ACA4D1F68A4EC300C0039ABE6C4117DE97C721B58DB2
Session-ID-ctx:
Master-Key: F08AD33B9D234A31DB7A9940A1CA6C4EC1FD780871F117780108E7F39909487B647FEBC5643BF1F2ADC5377407968D8C
Key-Arg : None
Start Time: 1462857210
Timeout : 300 (sec)
Verify return code: 27 (certificate not trusted)
---
^C
Could someone help me figure out a solution that doesn't require disconnecting from the VPN to pull the image and reconnecting to run it each time?
