Secure rethinkdb http admin interface with let's encrypt certificate - rethinkdb

I want to secure the rethinkdb http admin interface with a certificate created by let's encrypt. Therefore I added
http-tls-key=/path/privkey.pem
http-tls-cert=/path/cert.pem
to my instance1.conf. If I restart the instance, it only says
rethinkdb: instance1: Waiting for instance to stop (pid 13693) .... Stopped.
rethinkdb: instance1: Starting instance. (logging to `/var/lib/rethinkdb/instance1/data/log_file')
but it doesn't start and the log file remains empty. I'm starting the instance via the init.d script. The key files are readable by the rethinkdb user. I think maybe the fullchain.pem is missing, but I don't see an option for specifying it for the http admin; there are only options for the driver and the cluster: https://rethinkdb.com/docs/config-file/
Can someone help me? Thanks in advance!

Are both your cert and key okay?
Because if you're copying from /etc/letsencrypt/live/example.com/* directly, it seems everything is just a symlink.
So you need to read the actual file:
readlink -f /etc/letsencrypt/live/example.com/*
then just copy them to your rethinkdb_cert directory:
mkdir $PATH_WD/rethinkdb_cert
cp /etc/letsencrypt/archive/example.com/* $PATH_WD/rethinkdb_cert/.
or just declare directly where those certificate files live:
http-tls-key=$PATH_WD/rethinkdb_cert/privkey.pem
http-tls-cert=$PATH_WD/rethinkdb_cert/cert.pem
Make sure you know what the actual files are,
and that they have the right permissions too:
ls -la
chown -R rethinkdb:rethinkdb $PATH_WD/rethinkdb_cert
chmod 644 $PATH_WD/rethinkdb_cert/*
chmod 600 $PATH_WD/rethinkdb_cert/privkey.pem
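The steps in the answer above, put together as a script. This is an added example written for this page, not code from the answer or from the RethinkDB project: it copies the real files behind the live/ symlinks, applies the suggested owner and modes, and then checks two things worth knowing before restarting the instance: that privkey.pem is not readable by group or other, and that privkey.pem actually belongs to cert.pem (it compares the public key inside the certificate with the one derived from the private key). The service account name "rethinkdb", the two-argument command line and the destination directory are assumptions.

```shell
#!/bin/sh
# Added example for this page, not code from the original answer.
# Stages the Let's Encrypt files for RethinkDB's http-tls-* options and checks
# them before the instance is restarted. Assumed: the service account is
# "rethinkdb"; live dir and destination dir are given as the two arguments.
set -eu

# Octal mode of a file; GNU stat first, BSD stat as a fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 when group and other have no permission bits at all (0600, 0400, 0700).
is_owner_only() {
    case "$(file_mode "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# 0 when the public key inside the certificate equals the public half of the
# private key. Works for RSA and EC keys and needs no chain file.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# stage_certs LIVE_DIR DEST_DIR OWNER
# Copies the real files behind the live/ symlinks (readlink -f resolves them
# into archive/) and applies the modes from the answer. chown is attempted
# only when running as root and the account exists.
stage_certs() {
    live=$1; dest=$2; owner=$3
    mkdir -p "$dest"
    for name in privkey.pem cert.pem fullchain.pem; do
        src=$(readlink -f "$live/$name")
        cp "$src" "$dest/$name"
    done
    chmod 644 "$dest/cert.pem" "$dest/fullchain.pem"
    chmod 600 "$dest/privkey.pem"
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown "$owner:$owner" "$dest" "$dest"/*.pem
    fi
}

# Command-line entry point: sh stage-certs.sh LIVE_DIR DEST_DIR
if [ "$#" -eq 2 ]; then
    stage_certs "$1" "$2" rethinkdb
    is_owner_only "$2/privkey.pem" \
        || { echo "privkey.pem is readable by group or other" >&2; exit 1; }
    cert_matches_key "$2/cert.pem" "$2/privkey.pem" \
        || { echo "cert.pem does not belong to privkey.pem" >&2; exit 1; }
    echo "http-tls-key=$2/privkey.pem"
    echo "http-tls-cert=$2/cert.pem"
fi
```

Run it as root, for example `sh stage-certs.sh /etc/letsencrypt/live/example.com /etc/rethinkdb/instance1_cert` (both paths assumed), and paste the two printed lines into instance1.conf. Because Let's Encrypt certificates are renewed every 60 to 90 days, the copied files go stale; re-running the script from a certbot deploy hook keeps them current. If the instance still refuses to start with an empty log, run it in the foreground as the service user, e.g. `sudo -u rethinkdb rethinkdb --config-file /etc/rethinkdb/instances.d/instance1.conf` (path assumed), which prints the TLS error the init script swallows. The config reference lists no chain option for the http interface; if browsers report an incomplete chain, try pointing http-tls-cert at fullchain.pem, which begins with the same leaf certificate.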

Related

Why does ec2 asks for password when i use an identity file?

I use the following command and i got the code from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
ssh -i my-key-pair.pem ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com
I'm not sure if it's because I lost the .pem file and recreated it or what is going on here, but no matter if I use the user ubuntu, root, or ec2-user the terminal asks me for a password.
Your local private key must be shrouded as it should be. It can be disabled with key management tools if you really want, but not advised.
Double-check the file permissions on your key file. Do:
chmod 400 my-key-pair.pem
and try again.
It is also likely that the key file is just the wrong one.
You have to terminate the instance and copy it with a new ssh key. If a key is lost then access to the server is also lost.

SSH and agent for Ubuntu file transfer automation

I had a script which is used to create dumps of a database and transfer the files from an Ubuntu server to a Linux machine. I use scp for the file transfer; it prompts for a password every time, and I need to automate it. I had the RSA public key of the Linux machine in the Ubuntu machine's authorized_keys; when I scp it says Permission denied (publickey,gssapi-keyex,gssapi-with-mic). I checked the permissions and everything like PasswordAuthentication off etc., no luck.
Can I write the password in my script and use it regardless of security, as I will give it 700 permissions and no one can access it except me, the root user?
This is my script:
export DB_DUMP_DIR=/home/database_dump
export DB_NAME=database_name_$(date '+%Y_%m_%d').sql
mysqldump -u root mysql > ${DB_DUMP_DIR}/${DB_NAME}
if [ $? -eq 0 ];then
scp -i /root/.ssh/id_rsa ${DB_DUMP_DIR}/${DB_NAME} root@192.0.0.0:
else
echo "Error generating database dump"
fi
The first things that come to mind are
Is the server set to allow key authentication? (that's PubkeyAuthentication yes in sshd_config)
Is the server allowing RSA keys? (this might look like RSAAuthentication no in your sshd_config)
Is root's ~/.ssh directory set to 700? (or tighter)
Is root's ~/.ssh/authorized_keys set to 600? (or tighter)
Is the remote machine allowing you to log in as root? (the PermitRootLogin no option in sshd_config)
Is it really the right key you're sending here? Did you try with a different key you created just to test this?
Lastly, it is never, ever a good idea to write the password down in a script. Just don't do it. Fix the problem you have with key authentication here instead.
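The checklist above can be run rather than walked through by hand. The script below is an added example for this page, not code from the answer or from the original script: it reads the effective value of a directive from sshd_config the way sshd does (the first uncommented occurrence wins; scanning stops at the first Match block, which it does not evaluate), and checks the modes of ~/.ssh and authorized_keys for the login user. The same owner_only check is the right test for the client key that the chmod 400 advice elsewhere on this page concerns. The config path, home directory and user name are passed as arguments and are assumptions.

```shell
#!/bin/sh
# Added example for this page, not code from the original answer.
# Runs the checklist above against a given sshd_config and home directory.
# Assumed: paths and the login user are passed as arguments; Match blocks are
# not evaluated, so a directive inside one is reported with the global value.
set -eu

# sshd_directive CONFIG NAME -> prints the effective value, or nothing if unset.
# sshd uses the first occurrence; scanning stops at the first Match block.
# Accepts "Name value" and "Name = value", any case.
sshd_directive() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        key = line
        sub(/[ \t=].*$/, "", key)
        key = tolower(key)
        if (key == "match") exit
        if (key == want) {
            val = line
            sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
            print val
            exit
        }
    }' "$1"
}

# 0 when group and other have no permission bits (mode 700 / 600 / 400).
# Also the right check for the client-side key file (the chmod 400 advice).
owner_only() {
    case "$(ls -ld "$1")" in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# ssh_login_check CONFIG HOME USER -> one line per problem found; returns 0
# only when key login for USER should work as far as these checks go.
ssh_login_check() {
    cfg=$1; home=$2; user=$3; problems=0
    pubkey=$(sshd_directive "$cfg" PubkeyAuthentication)
    if [ "${pubkey:-yes}" = "no" ]; then
        echo "PubkeyAuthentication no: key login is disabled"; problems=$((problems + 1))
    fi
    prl=$(sshd_directive "$cfg" PermitRootLogin)
    if [ "$user" = root ] && [ "${prl:-prohibit-password}" = "no" ]; then
        echo "PermitRootLogin no: root cannot log in at all"; problems=$((problems + 1))
    fi
    if [ ! -d "$home/.ssh" ]; then
        echo "$home/.ssh is missing"; problems=$((problems + 1))
    else
        owner_only "$home/.ssh" \
            || { echo "$home/.ssh should be mode 700"; problems=$((problems + 1)); }
        if [ ! -f "$home/.ssh/authorized_keys" ]; then
            echo "$home/.ssh/authorized_keys is missing"; problems=$((problems + 1))
        else
            owner_only "$home/.ssh/authorized_keys" \
                || { echo "$home/.ssh/authorized_keys should be mode 600"; problems=$((problems + 1)); }
        fi
    fi
    [ "$problems" -eq 0 ]
}

# Server-side use: sh ssh-check.sh /etc/ssh/sshd_config /root root
if [ "$#" -eq 3 ]; then
    ssh_login_check "$1" "$2" "$3" && echo "no problems found"
fi
```

Run it on the receiving host as root against the account the script logs in as. Anything it reports is a reason for the Permission denied, but a clean run is not a guarantee: the remaining causes are the wrong key on the client side and ownership of ~/.ssh by a user other than the login user, which sshd also rejects; `ssh -v` on the client shows which key was offered and whether the server accepted it.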

Transferring a file to an amazon ec2 instance using scp always gives me permission denied (publickey,gssapi-with-mic)

I am trying to transfer a file to an ec2 instance. I followed the Amazon's documentation, this is what my command looked like:
scp -i [the key's location] Documents/[the file's location] ec2-user@[public dns]:[home/[destination]]
where I replaced all the variables with the proper things, I am sure it's the correct key and it has permission 400. When I call the command, it tells me the RSA key fingerprint, asks me if I want to continue connecting. I type yes and it replies with
Permission denied (publickey,gssapi-with-mic)
lost connection
I have looked at many of the other similar questions on stack overflow and can't find a correct way to do it.
Also ssh traffic is enabled on port 22.
The example amazon provided is correct. It sounds like a folder permissions issue. If you created the folder you are trying to copy to with another user or another user created it, chances are you don't have permissions to copy to it or edit it.
If you have sudo abilities, you can try opening access for yourself. Though not recommended to be left this way, you could try this command:
sudo chmod 777 /folderlocation
That gives complete read/write/executable permissions to anyone (hence why you shouldn't leave it at 777) but it will give you the chance to test your scp command to rule out permissions.
Afterwards, if you aren't familiar with permissions, I suggest you read up on it. This is an example: http://www.tuxfiles.org/linuxhelp/filepermissions.html It is generally suggested you lock down the folder as much as possible depending on the type of information held within.
If that was not the cause some other things you might want to check:
are you in the directory of your key when executing the 'scp -i keyname' command?
do you have permissions to use the folder you are transferring from?
Best of luck.
The problem may be the user name. I copied a file to my Amazon instance and first tried to use the command:
scp -r -i ../.ssh/Amazon_server_key_pair.pem ./empty.test ec2-user@ec2-xx-yy-zz-tt.compute-1.amazonaws.com:~
and got the error: Permission denied (publickey).
I then realized that my instance is an Ubuntu environment and the user is then "ubuntu"; the correct command that worked for me is then:
scp -r -i ../.ssh/Amazon_server_key_pair.pem ./empty.test ubuntu@ec2-xx-yy-zz-tt.us-west-2.compute.amazonaws.com:~
The file "empty.test" is a text file containing the text "testing ...". Replace the address of your virtual server with the correct address to your instance's Public DNS. I have replaced the ip to my instance with xx.yy.zz.tt.
I have to use ubuntu@ instead of ec2-user@ because when I ssh I was seeing ubuntu@ in my terminal; try changing to the name you see at your terminal.
Also you have to set permission for pem file in your computer
chmod 400 /path/my-key-pair.pem
The below code will copy file from your computer to Ec2 instance.
scp -i ~/location_of_your_ec2_key_pair.pem ~/location_of_transfer_file/sample.txt ubuntu@ec2_your_ec2_instance.compute.amazonaws.com:~/folder_to_which_it_needs_to_be_copied
The below code will copy a file from the EC2 instance to your computer:
scp -i ~/location_of_your_ec2_key_pair.pem ubuntu@ec2_your_ec2_instance.compute.amazonaws.com:~/location_of_transfer_file/sample.txt ~/folder_to_which_it_needs_to_be_copied
I was facing the same problem. Hope this will work for you.
scp -rp -i yourfile.pem ~/local_directory username@instance_url:directory
Permission should also be correct to make this work.
It might be that one uses the wrong username. Happened to me; it was the same error message -> Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
lost connection

How do I connect to my ec2 instance using Cyberduck with privileges?

I try to log in using the ec2-user but for some reason the login fails:
Using the username ubuntu I am able to log in just fine; however, I don't have any privileges and I can't sudo su for the privileges to write to my files. I tried using the Cyberduck terminal and send command options, but sudo su doesn't work with them. Cyberduck just spins.
I don't think the ec2-user account works on recent Ubuntu AMIs, which may explain the failed login.
You can approach this in a few ways. The first is to create a new user account specifically for FTP and give it permissions only to the necessary folders. First create the user, then create a public/private key pair for non-interactive login. This will allow you to operate your FTP client like normal.
My preferred solution is to upload the files to the ubuntu home directory and then run a script as root that moves the files to the correct location. You won't have to modify the system configuration this way, but you will have to do the file transfer in two steps.
Create a staging folder in /home/ubuntu and copy the files there. Create a /home/ubuntu/copy.sh script on the server like this:
#!/bin/bash
# This only works non-interactively if sudo doesn't prompt for a password.
# ("sudo su" on its own line would open a shell and wait; the cp would then
# run after it, as the ubuntu user, so run the cp itself under sudo.)
sudo cp -r /home/ubuntu/stage/* /var/www/html/
Then from your dev machine, call the script:
$ ssh -i ~/path/to/key.pem ubuntu@ec2.hostname.com /home/ubuntu/copy.sh
If you want to get really fancy, you could set up a git repository and use a post-receive hook to handle this all for you when you push. No need for an FTP client at all.

EC2 non root user login

Is there a way to log into an EC2 ubuntu ami or a way to set up an ubuntu ami so that non-root users can log in? I tried creating a user and logging in with the associated password. I also tried using the private key, copied the authorized-keys file into the .ssh directory of the non-root user's home directory and tried to log in to the box with that user account id. Neither method worked.
Thanks in advance.
So, this works, but the missing high-order bit of information here has to do with setting the right permissions on the authorized_keys file in the home directory for the user. So, I copied /root/.ssh/authorized_keys to /home/user, then did this:
cp -r /root/.ssh /home/user
chown -R user /home/user/.ssh
This allowed me to use the keypair.pem file to log in.
Make sure you are sending your AWS keypair as the identity file, i.e.
ssh -i ~/.ssh/keypair.pem user@ec2-174-129-xxx-xx.compute-1.amazonaws.com
Also check that SSH is enabled in your security group
Assuming you would like to have users log in with a password so they need not supply a key every time, all you must do is turn on the ability to SSH in with a password. This option is turned off by default in all Linux AMIs.
vi, nano, pico, etc. into the following file with root privileges:
sudo vi /etc/ssh/sshd_config
Change the following setting to yes:
PasswordAuthentication = yes
Finally you must restart SSH (since you are SSHed onto a remote machine, a simple reboot is fine).
That's it! Of course, you must still add users with the adduser command and give them passwords with the passwd command for them to be able to log in to your AMI. Check out this link for more info on the OpenSSH SSH client configuration files.
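The edit described in the answer above, done in a way that survives the two mistakes people make with it: adding a second `PasswordAuthentication yes` below an existing `PasswordAuthentication no` (sshd uses the first occurrence, so the new line is ignored) and appending it after a `Match` block (where it applies only to that block). This is an added example for this page, not code from the answer: set_sshd_directive rewrites the first active or commented-out occurrence, drops later global duplicates and otherwise inserts the line before the first Match block; apply_sshd_config lets sshd parse the result before reloading, so a typo cannot lock you out of the session you are editing from. The config path is passed in; the reload commands assume a stock OpenSSH service name on systemd or SysV.

```shell
#!/bin/sh
# Added example for this page, not code from the original answer.
# Sets one sshd_config directive without leaving a second, contradicting copy
# behind, then validates the file before sshd is reloaded. Assumed: a stock
# OpenSSH layout; the config path is passed in rather than hard-coded.
set -eu

# set_sshd_directive CONFIG NAME VALUE
# Replaces the first "NAME ..." line, active or commented out (#NAME ...),
# with "NAME VALUE"; later global duplicates are dropped. If the directive
# is absent it is inserted before the first Match block, or appended, so it
# never lands inside a Match block where it would apply only conditionally.
set_sshd_directive() {
    cfg=$1; name=$2; value=$3
    scratch=$(mktemp)
    awk -v name="$name" -v value="$value" '
    BEGIN { want = tolower(name); done = 0; in_match = 0 }
    {
        raw = $0
        sub(/^[ \t]+/, "", raw)
        rawkey = raw                       # first word of the real line
        sub(/[ \t=].*$/, "", rawkey)
        if (tolower(rawkey) == "match") {  # an uncommented Match starts a block
            if (!done) { print name " " value; done = 1 }
            in_match = 1
        }
        line = raw
        sub(/^#[ \t]*/, "", line)          # also match "#Name value" lines
        key = line
        sub(/[ \t=].*$/, "", key)
        key = tolower(key)
        if (!in_match && key == want) {
            if (!done) { print name " " value; done = 1 }
            next                           # drop duplicates
        }
        print
    }
    END { if (!done) print name " " value }
    ' "$cfg" > "$scratch"
    cat "$scratch" > "$cfg"     # write in place, keeping owner and mode
    rm -f "$scratch"
}

# apply_sshd_config CONFIG
# Lets sshd parse the file first: a bad file would otherwise stop the daemon
# and lock you out of the machine you are editing over SSH.
apply_sshd_config() {
    cfg=$1
    sshd -t -f "$cfg" || { echo "not reloading: $cfg has errors" >&2; return 1; }
    if command -v systemctl >/dev/null 2>&1; then
        systemctl reload ssh 2>/dev/null || systemctl reload sshd
    else
        service ssh reload 2>/dev/null || service sshd reload
    fi
}

# On the server, as root (sshd usually lives in /usr/sbin):
#   set_sshd_directive /etc/ssh/sshd_config PasswordAuthentication yes
#   apply_sshd_config /etc/ssh/sshd_config
```

Two caveats before turning this on. Password logins expose the host to online guessing, which is why the AMIs ship key-only; if you enable them, keep PermitRootLogin at prohibit-password and give the new users strong passwords. And on recent Ubuntu releases /etc/ssh/sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`; a file dropped there (cloud-init installs one that sets PasswordAuthentication no) is read first and therefore wins over anything in the main file, so edit or remove that file instead.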
