ORA-29024 Certificate validation failure - oracle

I'm at the end of my rope on this one. I have a DB server that connects to our web server locally. We are finally setting up SSL on the web server, something that should have happened years ago, but hasn't for I don't know what reason (nothing legitimate, that's for sure). In fixing this gaping security hole, a different problem has emerged: the utl_http requests are failing with an ORA-29024 error, and despite my efforts, I cannot make them succeed.
I have created a wallet with the certificate in it, including the entire chain with the providers. I have used both .cer files and p7b files. I have the set_wallet command set properly, and the entire process works with the self-signed certificates that I created on a test bed system and locally. I simply cannot get them to work with the actual valid certificate.
My Oracle version is 11.2.0.4.180417. Here is my code:
Create the wallet:
mkdir c:\oracle_wallet
orapki wallet create -wallet "c:\oracle_wallet" -pwd xxxxxxxx -auto_login
orapki wallet add -wallet "c:\oracle_wallet" -trusted_cert -cert "c:\certificates\cert.p7b" -pwd xxxxxxx
Make the HTTP call:
declare
  url     varchar2(4000);
  results varchar2(2000);  -- utl_http.request returns at most the first 2000 bytes of the response
begin
  UTL_HTTP.set_wallet('file:c:\oracle_wallet', 'xxxxxxx');
  ...lines that build up the URL variable
  results := utl_http.request(url);
  ...
end;
/
Again, I've tried .p7b files with the full certification path, and Base64 .cer files with separate files for each level of the chain, and neither works. The certificate is valid in a browser; when I hit the exact URL that Oracle tries to get, the browser is perfectly fine with it. Here is the precise error:
Is there any way I can get more detail on the error from Oracle? It's quite vague. Note: I am downloading the certificate from my browser using the exact URL that Oracle is hitting.

Related

How can I see what certificates are associated with an oracle wallet?

While troubleshooting an ORA-24263 error ("ORA-24263: Certificate of the remote server does not match the target address"), I came across this "UTL_HTTP and SSL (HTTPS) using Oracle Wallets" article which describes, in part, how to add site certificates to an Oracle wallet.
I understand that Oracle 12+ no longer allows wildcard certificates in the same way; that perhaps the UTL_HTTP.request() call requires the setting of a https_host parameter. Notably, the ORA-24263 error emerged in our environment only once we upgraded to Oracle19c.
I'd like to see the certificates associated with the pre-existing, previously-working, Oracle wallet entry. How can I see what certificates are associated with an oracle wallet?
An Oracle wallet is just a ZIP file with several files (.p12, .pem, .sso, .jks…) that you can look into using Java keytool, among others...

How to setup TLS certificates for a Windows gitlab-runner?

I've been trying to use this documentation as guide but I am having no luck setting up a gitlab-runner on Windows. It correctly polls for jobs but when it tries to pull artifacts, it returns a x509: certificate signed by unknown authority error.
Can anyone step through how to generate the proper certificate and attach it to the Windows gitlab-runner in order to get things to work?
I've tried generating certificates using openssl and setting the --tls-ca-file flag but so far, it hasn't helped.
I got this working finally using this as a reference.
The basic idea, when you're not hosting your own gitlab server, is to pull the certificate from gitlab.com. From your browser, click on the little lock symbol next to the https://gitlab.com URL and download the certificate. From Safari, it's just dragging the little certificate image over to your Desktop.
Once you have the cert, store it in your Gitlab-Runner folder and reference it with the tls-ca-file parameter in your config.toml.

Kibana to EnterpriseSearch TLS issue

THIS IS STILL AN ISSUE, ANY HELP WOULD BE APPRECIATED
I am having an issue setting up TLS through a custom CA between Kibana and Enterprise Search. I have the default x-pack security set up for the interconnection of my Elasticsearch nodes with both Kibana and Enterprise Search, which was done according to the following docs: minimal security, basic security, ssl/tls config. I can successfully run Enterprise Search over http; however, my issue arises when I enable ssl/tls for ent-search.
When I have https configured for ent-search using this doc, the server is "running", however I receive an error after boot and Kibana throws an error when attempting to connect.
ent-search error (not corresponding to Kibana's hit on the ent-search hostname; this error is raised shortly after ent-search is "starting successfully", but isn't fatal)
[2022-06-14T20:37:45.734+00:00][6081][4496][cron-Work::Cron::SendTelemetry][ERROR]: Exception:
Exception while performing Work::Cron::SendTelemetry.perform()!: Faraday::ClientError: PKIX path
building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
Kibana error (directly corresponding to when I ping http://obfuscated-dns:5601/app/enterprise_search/overview)
[2022-06-14T20:43:51.772+00:00][ERROR][plugins.enterpriseSearch] Could not perform access check to
Enterprise Search: FetchError: request to https://obfuscated-dns:3002/api/ent/v2/internal/client_config
failed, reason: unable to get issuer certificate
The steps I took to generate said certificate were: I created a CSR on my server using elasticsearch-certutil csr along with a yml file which specified the distinguished name, I sent the unzipped CSR to my CA (DigiCert), uploaded the signed certificate and intermediate certificate provided by DigiCert to my server, used openssl to generate a keystore using the signed cert and the private key generated alongside the original CSR, then finally converted the keystore to .jks format using keytool.
From my understanding, the path of this keystore is what is needed for the configuration file for enterprise-search and the intermediary cert is what is used in the Kibana certificate authority config field (ca.pem). I have also tried to stuff both the signed and intermediate cert in the same .pem, as well as the private-key, signed and intermediate cert. Below are the relevant configurations:
kibana.yml
enterpriseSearch.host: https://ofuscated-dns:3002
enterpriseSearch.ssl.verificationMode: certificate
enterpriseSearch.ssl.certificateAuthorities:
- /path/ca.pem
enterprise-search.yml
ent_search.external_url: https://obfuscated-dns:3002
ent_search.listen_host: 0.0.0.0
ent_search.listen_port: 3002
ent_search.ssl.enabled: true
ent_search.ssl.keystore.path: "/path/keystore.jks"
ent_search.ssl.keystore.password: "pass"
ent_search.ssl.keystore.key_password: "pass"
I'm starting to feel like I fundamentally misunderstand something here. A lot of the jargon behind SSL/TLS certificates seems to lack standardization. While we are at it, what is a root cert in relation to what I have listed? Is it the intermediate cert? I see there is a master "root certificate" for the Digicert CN I certified under, however I'm unsure where this fits in. The config variable "certificateAuthorities" doesn't document what this .pem file should contain specifically and when searched the concept of a certificate authority is never associated with file contents, but instead is simply abstracted to the entity which provides certification (duh).
To put it succinctly: What does this variable "certificateAuthorities" explicitly entail?
UPDATE 09/28/2022
I have now confirmed that SSL is working when calling enterprise-search from outside the VM it's running in. I can use its endpoint with my Flutter and React apps; however, Kibana is still throwing the error mentioned above. I have checked that the root/intermediate CA provided to Kibana's configuration is indeed the certificate linked with the signed cert provided to Enterprise Search, and even confirmed so using SSLPoke. This leaves me with the suspicion that perhaps Java is a bad actor in the mix? I've added the root/intermediate CA to the cacerts keystore in the ssl/java directory of the Linux VM, but still no luck. Any thoughts?

Two valid certificates equal one invalid certificate

I'm fairly new to the whole certificate shebang and not a versed Linux admin.
In our company, we run a Windows domain, but we also have some CentOS servers for different services.
On one of said servers we have our ticket system, which is browser based. I want to certify it with a certificate, signed by our Windows root CA, but no matter what I do, the certificate is shown as invalid in the browser.
Funny enough, both certificates in the chain (CA -> server) are shown as valid.
I already did the following:
start certificate process from scratch
tried different certificate formats (.cer, .pem)
verified server cert with root cert
checked validity with openssl (OK)
checked SSL connection with openssl, no issues
added root cert to Linux server trusted CA store
recreated cert chain (of 2)
restarted Apache over and over
reset browser cache
tried different browser
checked DNS entries
checked, if root CA is trusted in Windows (it is)
manually installed server cert in my browser
Both the server cert and the root cert show up as valid in the browser, with the correct relation.
I'm completely lost here. Is there some key step I forgot that none of the ~30 guides I read mentioned?
Any help is greatly appreciated
Your question is missing some information:
Did you check the SSL connection from outside the server?
Did you verify the RootCA cert is inside the cert-store of the server (sometimes it is rejected without error messages)?
I would check the reason for rejecting the certificate in the browser (Firefox is usually more informative than Chrome), and look for the error code.
Reasons can be (some of which you have already verified):
Wrong certificate properties (missing the required values in the "usage" attribute)
Wrong domain name
Expired certificate
Certificate could not be verified on the client-side
See this image as an example of an error code:
https://user-images.githubusercontent.com/165314/71407838-14f55a00-2634-11ea-8a30-c119d2eb1eb1.png

Trying to connect to production Pgsql DB but got connection time out (0x0000274C/10060)

Note: My database works because I am able to migrate and query from within the application.
So I've set up my application and database on DigitalOcean's new "App" feature, and now I am trying to connect to the production database but I'm getting a connection timeout error. Below are the details I input, but maybe I am missing my SSL cert? If yes, how do I go about getting this? Because I believe DigitalOcean automatically set up the SSL for me.
Database : postgresql
Tool used to connect : TablePlus
UPDATE
My site is SSL'ed
Checked directly on DO, and there's no certificate stored on my account
So after a few days I gave up and swapped to using Droplets. I feel the App Platform is cool for quick prototypes, but I don't have much control over what I can do in it. I don't think I could even run sudo in the console when I tried.
Here are a few other links I ran through that may or may not help others who were in a similar situation, if you were using a dev database on DigitalOcean, and also the solutions I received from my support tickets.
Links
https://www.digitalocean.com/community/questions/cannot-connect-with-dev-database-due-to-ssl-issue?answer=67513
https://docs.digitalocean.com/products/databases/postgresql/how-to/connect
How to add an SSL certificate (ca-cert) to node.js environment variables in order to connect to Digital Ocean Postgres Managed Database?
DO Support Replied
I understand that you are trying to connect to the database with an SSL certificate. Firstly, I want to let you know that you have attached the dev database to your app "mysite" and not the production database. However, you should be able to add the following env variable to store the SSL certificate:
KEYS: CA_CERT VALUES: ${mysitedb.CA_CERT}
Once you add the above env variable then you should be able to use the "CA_CERT" variable to fetch the SSL certificate in your app.
Additionally, you can view the SSL certificate by running the following command in the console:
echo $CA_CERT
Thanks for getting back to us. This output would be intended. To use the contents of that cert you would need to save the env variable to a file or convert it from string using a method within your application. You can then specify that file in your configuration and use the certificate in your connection to the database.
An example of how to do this can be found here:
How to add an SSL certificate (ca-cert) to node.js environment variables in order to connect to Digital Ocean Postgres Managed Database?
Let us know if you have any questions.
Thank you for getting back to us!
From the screenshot, I see you are using the incorrect port number 5432. You have to use port number 25060 to connect to the database.
Regarding the SSL certificate, one thing to note here is that the database is managed by DigitalOcean and it is not possible to generate a client key (private key) and certificate (public key) via the cloud panel. That is the reason you will need to generate those on your local machine or from whichever client you plan to establish a connection to the database from.
Here is an example of how to use SSL on a client like Navicat. You will need to download or have OpenSSL installed on your operating system, which you will use to generate the Client Key File and Client Certificate File, which will be referred to as private and public keys respectively.
You need the below three files to connect:
Client Key File
Client Certificate File
CA Certificate File
https://www2.navicat.com/manual/online_manual/en/navicat/linux_manual/SSLSettings.html
As a guide to establishing a connection:
Generate Client Key File and Client Certificate File from your client or the local machine
Copy the certificate from the app console to any .crt file and pass that file to connect to the database.
Here is how to use OpenSSL to generate the Client Key File and Client Certificate File:
https://knowledge.digicert.com/solution/SO27347.html
openssl req -x509 -newkey rsa:2048 -keyout client-key.pem -out client-cert.pem -days 3650 -nodes -subj '/CN=localhost'
For the Client Key File, Client Certificate, and CA Certificate, choose the directory location where you saved them and click on the "Test" button in your client to test the connection.
Please let us know if you have any additional questions, and have a wonderful day!