I am trying to set a variable from my while loop to itself. I've looked around a lot and tested various methods but haven't been able to get anything to work.
while read ip port srv ban
do
rm -f certificate.crt #sterilizing
echo -e "$ban" | base64 -d | dos2unix | openssl x509 -inform d > certificate.crt
sleep .5
cert=$(openssl x509 -in certificate.crt -text -noout)
echo "$cert"
$ban = $cert
done < outfiles.txt
Here's what outfiles.txt looks like with a one line snippet.
xxx.xx.xxx.xxx 443 X509 MIIE/zCCA+egAwIBAgIEUdNARDANBgkqhkiG9w0BAQsFADCBsDELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMWKGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsGA1UEAxMkRW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTE0MDkyMjE3MTQ1N1oXDTI0MDkyMzAxMzE1M1owgb4xCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAwOSBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMjAwBgNVBAMTKUVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuoS2ctueDGvimekwAad26jK4lUEaydphTlhyz/72gnm/c2EGCqUn2LNf00VOHHLWTjLycooP94MZ0GqAgABFHrDH55q/ElcnHKNoLwqHvWprDl5l8xx31dSFjXAhtLMy54ui1YY5ArG40kfO5MlJxDun3vtUfVe+8OhuwnmyOgtV4lCYFjITXC94VsHClLPyWuQnmp8k18bs0JslguPMwsRFxYyXegZrKhGfqQpuSDtv29QRGUL3jwe/9VNfnD70FyzmaaxOMkxid+q36OW7NLwZi66cUee3frVTsTMi5W3PcDwa+uKbZ7aD9I2lr2JMTeBYrGQ0EgP4to2UYySkcQIDAQABo4IBDzCCAQswDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmVudHJ1c3QubmV0L3Jvb3RjYTEuY3JsMDsGA1UdIAQ0MDIwMAYEVR0gADAoMCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L0NQUzAdBgNVHQ4EFgQUanImetAe733nO2lR1GyNn5ASZqswHwYDVR0jBBgwFoAUaJDkZ6SmU4DHhmak8fdLQ/uEvW0wDQYJKoZIhvcNAQELBQADggEBAGkzg/woem99751V68U+ep11s8zDODbZNKIoaBjqHmnTvefQd9q4AINOSs9v0fHBIj905PeYSZ6btp7h25h3LVY0sag82f3Azce/BQPUAsXx5cbaCKUTx2IjEdFhMB1ghEXveajGJpOkt800uGnFE/aRs8lFc3a2kvZ2ClvhA0e36SlMkTIjN0qcNdh4/R0f5IOJJICtt/nP5F2l1HHEhVtwH9s/HAHrGkUmMRTMZb9n3srMM2XlQZHXN75BGpad5oqXnafOrE6aPb0BoGrZTyIAi0TVaWJ7LuvMuueSfWlnPfy4fN5Bh9Bp6roKGHoalUOzeXEodm2h+1dK7E3IDhA=
I'm trying to decode the cert, which I can do but I'm trying to replace (overwrite) the encoded certificate with the decoded certificate from the file I'm reading from on each line I go though by setting the $ban variable from while read ip port srv ban to the $cert variable.
So when looking at the outfiles.txt you should se
xxx.xx.xxx.xxx 443 Certificate: Data: Version: 3 (0x2) Serial Number: 1372799044 (0x51d34044) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority Validity Not Before: Sep 22 17:14:57 2014 GMT Not After : Sep 23 01:31:53 2024 GMT Subject: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ba:84:b6:72:db:9e:0c:6b:e2:99:e9:30:01:a7: 76:ea:32:b8:95:41:1a:c9:da:61:4e:58:72:cf:fe: f6:82:79:bf:73:61:06:0a:a5:27:d8:b3:5f:d3:45: 4e:1c:72:d6:4e:32:f2:72:8a:0f:f7:83:19:d0:6a: 80:80:00:45:1e:b0:c7:e7:9a:bf:12:57:27:1c:a3: 68:2f:0a:87:bd:6a:6b:0e:5e:65:f3:1c:77:d5:d4: 85:8d:70:21:b4:b3:32:e7:8b:a2:d5:86:39:02:b1: b8:d2:47:ce:e4:c9:49:c4:3b:a7:de:fb:54:7d:57: be:f0:e8:6e:c2:79:b2:3a:0b:55:e2:50:98:16:32: 13:5c:2f:78:56:c1:c2:94:b3:f2:5a:e4:27:9a:9f: 24:d7:c6:ec:d0:9b:25:82:e3:cc:c2:c4:45:c5:8c: 97:7a:06:6b:2a:11:9f:a9:0a:6e:48:3b:6f:db:d4: 11:19:42:f7:8f:07:bf:f5:53:5f:9c:3e:f4:17:2c: e6:69:ac:4e:32:4c:62:77:ea:b7:e8:e5:bb:34:bc: 19:8b:ae:9c:51:e7:b7:7e:b5:53:b1:33:22:e5:6d: cf:70:3c:1a:fa:e2:9b:67:b6:83:f4:8d:a5:af:62: 4c:4d:e0:58:ac:64:34:12:03:f8:b6:8d:94:63:24: a4:71 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE, pathlen:1 Authority Information Access: OCSP - URI:http://ocsp.entrust.net X509v3 CRL Distribution Points: Full Name: URI:http://crl.entrust.net/rootca1.crl X509v3 Certificate Policies: Policy: X509v3 Any Policy CPS: http://www.entrust.net/CPS X509v3 Subject Key Identifier: 6A:72:26:7A:D0:1E:EF:7D:E7:3B:69:51:D4:6C:8D:9F:90:12:66:AB X509v3 Authority Key Identifier: keyid:68:90:E4:67:A4:A6:53:80:C7:86:66:A4:F1:F7:4B:43:FB:84:BD:6D Signature Algorithm: sha256WithRSAEncryption 69:33:83:fc:28:7a:6f:7d:ef:9d:55:eb:c5:3e:7a:9d:75:b3: cc:c3:38:36:d9:34:a2:28:68:18:ea:1e:69:d3:bd:e7:d0:77: da:b8:00:83:4e:4a:cf:6f:d1:f1:c1:22:3f:74:e4:f7:98:49: 9e:9b:b6:9e:e1:db:98:77:2d:56:34:b1:a8:3c:d9:fd:c0:cd: c7:bf:05:03:d4:02:c5:f1:e5:c6:da:08:a5:13:c7:62:23:11: d1:61:30:1d:60:84:45:ef:79:a8:c6:26:93:a4:b7:cd:34:b8: 69:c5:13:f6:91:b3:c9:45:73:76:b6:92:f6:76:0a:5b:e1:03: 47:b7:e9:29:4c:91:32:23:37:4a:9c:35:d8:78:fd:1d:1f:e4: 83:89:24:80:ad:b7:f9:cf:e4:5d:a5:d4:71:c4:85:5b:70:1f: db:3f:1c:01:eb:1a:45:26:31:14:cc:65:bf:67:de:ca:cc:33: 65:e5:41:91:d7:37:be:41:1a:96:9d:e6:8a:97:9d:a7:ce:ac: 4e:9a:3d:bd:01:a0:6a:d9:4f:22:00:8b:44:d5:69:62:7b:2e: eb:cc:ba:e7:92:7d:69:67:3d:fc:b8:7c:de:41:87:d0:69:ea: ba:0a:18:7a:1a:95:43:b3:79:71:28:76:6d:a1:fb:57:4a:ec:
4d:c8:0e:10
Replace
$ban = $cert
with
ban=$cert
$ is only used to retrieve the value of a variable, not to set a variable.
Related
How to send an email with attachment using openssl s_client command as:
openssl s_client -crlf -quiet -starttls smtp -connect $SMTPHostName:587
using bash script
You can pipe smtp commands into the openssl s_client with
$ openssl s_client -crlf -quiet -starttls smtp -connect smtp.xs4all.nl:587 <<< QUIT
Result:
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = smtp.xs4all.nl
verify return:1
250 8BITMIME
221 2.0.0 Bye
Available commands can be shown with 'help'.
The sequence of commands is usually something like this:
helo mail.example.com
data
To: dummy#dummy.nl
From: dummy#example.com
Date: Fri, 15 dec 2021 14:00:00 -0200
Message-ID: <xxxx.xxxx.xx#mail.example.com>
This is a test
.
NB. There may be an authentication needed.
To add an attachment something like the following needs to be added to the email.
Content-Type: image/png;
name="bullet.png"
Content-Transfer-Encoding: x-uuencode
begin 664 bullet.png
MB5!...
<snipped>
'
end
The file bullet.png was encoded with uuencode to ascii and added to the message. You can use other MIME formats.
Commands can vary from mailserver to mailserver depending on what for mailextensions and RFC's they support
I am trying on an Elasticsearch cluster to set up HTTPS for clients.
It works fine when I generate an SSL certificate from the cluster using certbot via the following command:
certbot certonly --standalone
My Elasticsearch cluster is configured as follows:
# elasticsearch.yml
cluster.initial_master_nodes: 10.132.0.3
cluster.name: elasticsearch
discovery.seed_hosts: 10.132.0.3:9200
network.host: 10.132.0.3
node.name: node-1
xpack.security.http.ssl.certificate: /etc/elasticsearch/ssl/my-subdomain.XXXX.com/fullchain.pem
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/ssl/my-subdomain.XXXX.com/privkey.pem
xpack.security.http.ssl.verification_mode: certificate
xpack.security.transport.ssl.enabled: true
I thus manage to authenticate in HTTPS on my elasticsearch using my login and password, via the following command:
curl https://my-subdomain.XXXX.com:9200 -u username:password
My problem is that I would now like to do the same operation but by generating the SSL certificate via Terraform using the ACME provider
and more precisely with the resource "acme_certificate".
Here is my Terraform code:
resource "acme_certificate" "elastic" {
account_key_pem = acme_registration.account_registration.account_key_pem
common_name = "${local.subdomain}.${var.domain_name}"
dns_challenge {
provider = "ovh"
config = {
OVH_ENDPOINT = var.ovh_endpoint
OVH_APPLICATION_KEY = var.ovh_application_key
OVH_APPLICATION_SECRET = var.ovh_application_secret
OVH_CONSUMER_KEY = var.ovh_consumer_key
}
}
}
From Terraform resource "acme_certificate" I get the following outputs:
"certificate_pem" which will become my "cert.pem" file (but I am not using it in my Elasticsearch setup)
"issuer_pem"
"private_key_pem" which will become my "privkey.pem" file
I am therefore missing the "fullchain.pem" file that I build by associating the "certificate_pem" and "issuer_pem" as follows (my error may be there):
resource "local_file" "fullchain" {
content = "${acme_certificate.elastic.certificate_pem}${acme_certificate.elastic.issuer_pem}"
filename = "/my/local/path/fullchain.pem"
}
My "fullchain.pem" file looks like this:
-----BEGIN CERTIFICATE-----
MIIFQjCCBCqgAwIBAgISBBxb+NtLDbApYlOYScK3+iXjMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA4MjAxMzAzNDFaFw0yMTExMTgxMzAzNDBaMCkxJzAlBgNVBAMT
HmRhdGEtZWxhc3RpYy11YXQuMzYwbWVkaWNzLmNvbTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMObjLj+EncIyg0NlJn2BM9KYtUhCWSPCK37T7EcPieF
Z1BcoIU0qKzIvwOLScv98GXd3FHf6tJCJ/uS9x+WhxDzR+94d4LShgl+vQ5rZmc6
GrIL7W/+pLUfGi81vMtDVRm/xG5NpKK2LjqJEPyZlQh6ydmYY1usyKNQXBTUOzlp
GWtYUgR9c6CBkr041moohaNpL+URGdA60Ul/UvxaZDzRBlLGnR+CyT4/Wh/4Hj8E
cw2EWqjxpQZ9jZLd/OHPq1+5mosqSVZ6qgVfM0d8l3db1DUlLFmYFrqH+8Gm+8cm
ev9Ho9Tg8mUye4AbFfN3h+zo94kflEZjBN5CmZmTZ1sCAwEAAaOCAlkwggJVMA4G
A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD
VR0TAQH/BAIwADAdBgNVHQ4EFgQUuIHdFbQhRupc20jIB/NxFjzKxc0wHwYDVR0j
BBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsG
AQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6
Ly9yMy5pLmxlbmNyLm9yZy8wKQYDVR0RBCIwIIIeZGF0YS1lbGFzdGljLXVhdC4z
NjBtZWRpY3MuY29tMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEB
MCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYK
KwYBBAHWeQIEAgSB9QSB8gDwAHYARJRlLrDuzq/EQAfYqP4owNrmgr7YyzG1P9Mz
lrW2gagAAAF7Y9/g0QAABAMARzBFAiEA3lbnbzdKvfS0XXt6xm0tlr/nxzWMK5hN
HUTCTmsIvr8CICHDYguCoKQbu4BJr8b8w6f61QvTMAyVrRCWlik8SYZ2AHYA9lyU
L9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAF7Y9/grAAABAMARzBFAiEA
s0PVaOjanRy8ykpzhz6oja9lf1IBuLtOv07DJTWfQOoCIGft0IELso34PTZw8YnW
QkaNgEwijGjHiBe5ZM8UTHJXMA0GCSqGSIb3DQEBCwUAA4IBAQC3oKR21gY7xWc9
wTE8kAB9/ZHdF5/QuHCCR1aFMmmVwomdUs0ekKqc/fW/kPkAA3csePOosm6RjVfr
63MrPnRIDUHykeCTOeMNfvqHp6ePetBW0guaIOIWSbCJiavXSZBvpR8ctOQ/3JrZ
1/f5E/COL2ly6pYjqYg6M8wQEvC6z9qbq0uQ0eKcfbxtsWprvVUZNVasP3UnhNnD
hHaHRC4ZJOHIN+xC4v//x8soOcSY6okG/35XQq9JwH6Aie2RAhYeL9Ld26Fsz+Pk
uITGCclEL5bhLf+EtTN1hHMS4sfYwZ86zbgN6iOQOOTxGkotkF2Ct/jl8+WhGQdL
1vQ+n1Pb
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
In the same way as with cerbot, I inject my certificate into Elasticsearch with Terraform and verify that the Elastic user has the correct rights (with the chmod and chown commands)
The elasticsearch service restarts fine, but when I try to connect it gives me the following error:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
I don't understand what the problem is, I have the impression that the certificate returned by Terraform is not correct. But when I test their validity with cerbot, everything seems OK:
openssl x509 -enddate -noout -in cert.pem # notAfter=Nov 16 13:55:54 2021 GMT
openssl x509 -enddate -noout -in fullchain.pem # notAfter=Nov 16 13:55:54 2021 GMT
Thanks for your help !
We have a web service application in which we perform the following procedure to generate certificates:
1.Create a file named openssl.ini in the folder with the following content:
# OpenSSL configuration file.
#----Begin----
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 3650
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = XYZ Corp
countryName_default = US
stateOrProvinceName_default = CA
localityName_default = San Francisco
emailAddress_default = support#xyz.com
organizationalUnitName_default = Business Division
commonName_default = ServerSystem1
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
#----End----
2.Run the following Openssl commands to generate the RootCA and Server certificate
md ServerCert
cd ServerCert
md newcerts private
copy ..\openssl.ini ServerCert
echo 01 > serial
copy /y nul index.txt
openssl genrsa -out private/cakey.pem 1024
openssl req -new -x509 -extensions v3_ca -key private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.ini
openssl x509 -in cacert.pem -out ServerCA.crt
openssl req -new -nodes -out req.pem -extensions v3_req -config ./openssl.ini
openssl ca -out cert.pem -extensions v3_req -config ./openssl.ini -infiles req.pem
move cert.pem tmp.pem
openssl x509 -in tmp.pem -out cert.pem
openssl rsa -in key.pem -inform PEM -out ServerKey.der -outform DER
openssl x509 -in cert.pem -inform PEM -out ServerCert.der -outform DER
At the end of the process, the 3 files that are used later are:
ServerCA.crt -> Used on Windows to trust the webserver application
ServerKey.der -> Key used by the webserver
ServerCert.der -> Certificate used by the webserver application
The web server application requires the DER files to send the certificates. But in the browser, upon running the web-service application, the browser shows “Not Secure” warning.
Upon clicking on the “Not Secure” warning, the following message is displayed.
However upon clicking on the Certificate and navigating to the tab “certification path”, the message says “This certificate is OK”.
This message is the same for Root Certificate and Server Certificate.
How to change the procedure to generate the certificates or modify the .ini file, so that the web-server application is trusted by the Browser?
Question Update:
To install the certificate in the Windows Trust store, i followed the following steps:
Typed "mmc" from command prompt(administrator)
Clicked on "File" -> "Add/Remove snap-in..."
Clicked on "Certificate" -> "Add" -> "Computer Account" -> "Next" -> "Finish"
Clicked on "Certificates" -> "Trusted Root Certification Authorities" -> "Certificates"
Right clicked on "Certificates"
Clicked on "All tasks" -> "import" -> "Next" -> "Browse" -> Selected the CRT file
I developed a task to simply execute a command on remote host:
- name: generate ssl
shell: ./example.sh
args:
chdir: /tmp/example-pki-scripts
The example.sh file execute some scripts in order: https://github.com/floragunncom/search-guard-ssl/tree/master/example-pki-scripts
then when I deploy this task on a remote host the following error appears:
fatal: [efk1]: FAILED! => {
"changed": true,
"cmd": "./example.sh",
"delta": "0:00:00.213500",
"end": "2017-01-20 12:02:10.703895",
"failed": true,
"invocation": {
"module_args": {
"_raw_params": "./example.sh",
"_uses_shell": true,
"chdir": "/tmp/example-pki-scripts",
"creates": null,
"executable": null,
"removes": null,
"warn": true
},
"module_name": "command"
},
"rc": 127,
"start": "2017-01-20 12:02:10.490395",
"stderr": "Generating a 2048 bit RSA private key\n.+++\n.......+++\nwriting new private key to 'ca/root-ca/private/root-ca.key'\n-----\nUsing configuration from etc/root-ca.conf\nCheck that the request matches the signature\nSignature ok\nCertificate Details:\n Serial Number: 1 (0x1)\n Validity\n Not Before: Jan 20 11:02:10 2017 GMT\n Not After : Jan 20 11:02:10 2027 GMT\n Subject:\n domainComponent = com\n domainComponent = example\n organizationName = Example Com Inc.\n organizationalUnitName = Example Com Inc. Root CA\n commonName = Example Com Inc. Root CA\n X509v3 extensions:\n X509v3 Key Usage: critical\n Certificate Sign, CRL Sign\n X509v3 Basic Constraints: critical\n CA:TRUE\n X509v3 Subject Key Identifier: \n EB:DC:70:FA:90:59:4A:C3:09:E3:73:80:92:E0:EE:70:9A:77:48:62\n X509v3 Authority Key Identifier: \n keyid:EB:DC:70:FA:90:59:4A:C3:09:E3:73:80:92:E0:EE:70:9A:77:48:62\n\nCertificate is to be certified until Jan 20 11:02:10 2027 GMT (3652 days)\n\nWrite out database with 1 new entries\nData Base Updated\nGenerating a 2048 bit RSA private key\n..............................................................................+++\n......................+++\nwriting new private key to 'ca/signing-ca/private/signing-ca.key'\n-----\nUsing configuration from etc/root-ca.conf\nCheck that the request matches the signature\nSignature ok\nCertificate Details:\n Serial Number: 2 (0x2)\n Validity\n Not Before: Jan 20 11:02:10 2017 GMT\n Not After : Jan 20 11:02:10 2027 GMT\n Subject:\n domainComponent = com\n domainComponent = example\n organizationName = Example Com Inc.\n organizationalUnitName = Example Com Inc. Signing CA\n commonName = Example Com Inc. Signing CA\n X509v3 extensions:\n X509v3 Key Usage: critical\n Certificate Sign, CRL Sign\n X509v3 Basic Constraints: critical\n CA:TRUE, pathlen:0\n X509v3 Subject Key Identifier: \n 19:19:0A:28:78:33:A8:04:A9:5F:62:81:CA:3D:9F:8A:1F:97:00:6F\n X509v3 Authority Key Identifier: \n keyid:EB:DC:70:FA:90:59:4A:C3:09:E3:73:80:92:E0:EE:70:9A:77:48:62\n\nCertificate is to be certified until Jan 20 11:02:10 2027 GMT (3652 days)\n\nWrite out database with 1 new entries\nData Base Updated\n./gen_root_ca.sh: line 72: keytool: command not found",
"stdout": "Root CA generated\nSigning CA generated",
"stdout_lines": [
"Root CA generated",
"Signing CA generated"
],
"warnings": []
}
so as you cam see the problem is line 72: keytool: command not found, but when I execute the same script example.sh on the machine locally it generates ssl keys with no problem.
The exact line where ansible stucks is:
cat ca/root-ca.pem | keytool \
-import \
-v \
-keystore truststore.jks \
-storepass $TS_PASS \
-noprompt -alias root-ca-chain
Use full path to the keytool executable in your script.
Ansible uses non-interactive, non-login shell session and shells do not source the same rc files as for interactive/login sessions thus the value of PATH differs.
Other solutions include: specifying PATH manually in the environment delaraction, or wrapping the command in a call to bash.
I'm trying to generate RSA keypairs in Ruby, mostly using the examples from this blog post. Here is my slightly modified code:
def generate_keypair(passphrase)
rsa_key = OpenSSL::PKey::RSA.new(2048)
cipher = OpenSSL::Cipher::Cipher.new('aes-256-cbc')
private_key = rsa_key.to_pem(cipher, passphrase)
public_key = rsa_key.public_key.to_pem
return private_key, public_key
end
This successfully generates a private key and a public key, and I can write those out to files on the filesystem.
irb(main):002:0> private_key1, public_key1 = generate_keypair('test')
[...output of keys...]
irb(main):003:0> File.open("key.pem","w") {|f| f.write(private_key1) }
=> 1766
irb(main):004:0> File.open("pubkey.pem","w") {|f| f.write(public_key1) }
=> 426
However, OpenSSL complains when I try to use this public key:
$ openssl rsautl -encrypt -inkey pubkey.pem -pubin -in text.txt -out text.ssl
unable to load Public Key
If I use the openssl tool to extract the public key from the private key then everything works:
$ openssl rsa -in key.pem -pubout -out pubkey2.pem
Enter pass phrase for key.pem:
writing RSA key
$ openssl rsautl -encrypt -inkey pubkey2.pem -pubin -in text.txt -out text.ssl
$ openssl rsautl -decrypt -inkey key.pem -in text.ssl
Enter pass phrase for key.pem:
this is a
file that
needs to be
encrypted
The public key that the Ruby OpenSSL library produced is different from the public key that the openssl cli tool extracted from the private key:
$ cat pubkey.pem
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAzgNcsEL7yGBoLBYBXFYrDL6oLP8ZbW9+VwdoXyNG6Qt/NEhEx4Ww
5yOxtXAbqeUwyvbTUxRrJ02dQcb4FGcSMDgz2QHIZyCuDJkgC9Wj7KI1Q7g0GV+7
DcZvLcwPZOhLXqUzlcZXjDWM1PZ+az734qEribgyI+87LB8TujG8v5iOvdzT/Je4
JAllToZVGC3RddfTc6ww37gB39B++FYNzPg+nrIEU45KgEWPo2eJxBpX29lACh6q
EEBCQr9xyLxOC2eomYIl3dG2dV7nGGH7Pur2HjppgJphBvNkwxIWUa/pD6hAnOQ4
MkDDFGwWv7eJLb4UZuZjafTbqokHved3bwIDAQAB
-----END RSA PUBLIC KEY-----
$ cat pubkey2.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzgNcsEL7yGBoLBYBXFYr
DL6oLP8ZbW9+VwdoXyNG6Qt/NEhEx4Ww5yOxtXAbqeUwyvbTUxRrJ02dQcb4FGcS
MDgz2QHIZyCuDJkgC9Wj7KI1Q7g0GV+7DcZvLcwPZOhLXqUzlcZXjDWM1PZ+az73
4qEribgyI+87LB8TujG8v5iOvdzT/Je4JAllToZVGC3RddfTc6ww37gB39B++FYN
zPg+nrIEU45KgEWPo2eJxBpX29lACh6qEEBCQr9xyLxOC2eomYIl3dG2dV7nGGH7
Pur2HjppgJphBvNkwxIWUa/pD6hAnOQ4MkDDFGwWv7eJLb4UZuZjafTbqokHved3
bwIDAQAB
-----END PUBLIC KEY-----
I'm not quite sure what is going on here, but it seems as if the Ruby OpenSSL library is producing an invalid public key pem file. Am I doing something wrong?
It seems that OSSL doesn't support that format. What "openssl rsa" generates is an RSA_PUBKEY structure: a PUBKEY record which is ASN.1-"tagged" (with an OID) to indicate that it's an RSA key. What Ruby generates is a "raw" RSA key (where the bytes don't indicate that it is RSA; so you have to declare that in the PEM header).
OSSL should use an API function like PEM_write_bio_RSA_PUBKEY (or the generic PEM_write_bio_PUBKEY), instead of/in addition to PEM_write_bio_RSAPublicKey.