I developed a task to simply execute a command on a remote host:
- name: generate ssl
  shell: ./example.sh
  args:
    chdir: /tmp/example-pki-scripts
The example.sh file executes some scripts in order: https://github.com/floragunncom/search-guard-ssl/tree/master/example-pki-scripts
Then, when I deploy this task on a remote host, the following error appears:
fatal: [efk1]: FAILED! => {
    "changed": true,
    "cmd": "./example.sh",
    "delta": "0:00:00.213500",
    "end": "2017-01-20 12:02:10.703895",
    "failed": true,
    "invocation": {
        "module_args": {
            "_raw_params": "./example.sh",
            "_uses_shell": true,
            "chdir": "/tmp/example-pki-scripts",
            "creates": null,
            "executable": null,
            "removes": null,
            "warn": true
        },
        "module_name": "command"
    },
    "rc": 127,
    "start": "2017-01-20 12:02:10.490395",
    "stderr": "Generating a 2048 bit RSA private key\n.+++\n.......+++\nwriting new private key to 'ca/root-ca/private/root-ca.key'\n-----\nUsing configuration from etc/root-ca.conf\nCheck that the request matches the signature\nSignature ok\nCertificate Details:\n Serial Number: 1 (0x1)\n Validity\n Not Before: Jan 20 11:02:10 2017 GMT\n Not After : Jan 20 11:02:10 2027 GMT\n Subject:\n domainComponent = com\n domainComponent = example\n organizationName = Example Com Inc.\n organizationalUnitName = Example Com Inc. Root CA\n commonName = Example Com Inc. Root CA\n X509v3 extensions:\n X509v3 Key Usage: critical\n Certificate Sign, CRL Sign\n X509v3 Basic Constraints: critical\n CA:TRUE\n X509v3 Subject Key Identifier: \n EB:DC:70:FA:90:59:4A:C3:09:E3:73:80:92:E0:EE:70:9A:77:48:62\n X509v3 Authority Key Identifier: \n keyid:EB:DC:70:FA:90:59:4A:C3:09:E3:73:80:92:E0:EE:70:9A:77:48:62\n\nCertificate is to be certified until Jan 20 11:02:10 2027 GMT (3652 days)\n\nWrite out database with 1 new entries\nData Base Updated\nGenerating a 2048 bit RSA private key\n..............................................................................+++\n......................+++\nwriting new private key to 'ca/signing-ca/private/signing-ca.key'\n-----\nUsing configuration from etc/root-ca.conf\nCheck that the request matches the signature\nSignature ok\nCertificate Details:\n Serial Number: 2 (0x2)\n Validity\n Not Before: Jan 20 11:02:10 2017 GMT\n Not After : Jan 20 11:02:10 2027 GMT\n Subject:\n domainComponent = com\n domainComponent = example\n organizationName = Example Com Inc.\n organizationalUnitName = Example Com Inc. Signing CA\n commonName = Example Com Inc. Signing CA\n X509v3 extensions:\n X509v3 Key Usage: critical\n Certificate Sign, CRL Sign\n X509v3 Basic Constraints: critical\n CA:TRUE, pathlen:0\n X509v3 Subject Key Identifier: \n 19:19:0A:28:78:33:A8:04:A9:5F:62:81:CA:3D:9F:8A:1F:97:00:6F\n X509v3 Authority Key Identifier: \n keyid:EB:DC:70:FA:90:59:4A:C3:09:E3:73:80:92:E0:EE:70:9A:77:48:62\n\nCertificate is to be certified until Jan 20 11:02:10 2027 GMT (3652 days)\n\nWrite out database with 1 new entries\nData Base Updated\n./gen_root_ca.sh: line 72: keytool: command not found",
    "stdout": "Root CA generated\nSigning CA generated",
    "stdout_lines": [
        "Root CA generated",
        "Signing CA generated"
    ],
    "warnings": []
}
So as you can see, the problem is "line 72: keytool: command not found", but when I execute the same script example.sh on the machine locally it generates SSL keys with no problem.
The exact line where Ansible gets stuck is:
cat ca/root-ca.pem | keytool \
    -import \
    -v \
    -keystore truststore.jks \
    -storepass $TS_PASS \
    -noprompt -alias root-ca-chain
Use the full path to the keytool executable in your script.
Ansible uses a non-interactive, non-login shell session, and shells do not source the same rc files as for interactive/login sessions, thus the value of PATH differs.
Other solutions include: specifying PATH manually in the environment declaration, or wrapping the command in a call to bash.
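The PATH difference above is also why a script should not assume where keytool lives. The helper below is an added example, not part of this answer or of the search-guard scripts: it resolves a tool to an absolute path (JAVA_HOME first, then the caller's PATH, then an optional extra directory) and fails with a message that includes the PATH and JAVA_HOME it actually saw, which is what you want in the Ansible output instead of a bare "command not found". JAVA_HOME and the extra directory are assumptions; resolve_tool_with_path exists only to show the lookup under a deliberately minimal PATH.

```shell
#!/bin/sh
# Added example, not part of the original answer: resolve keytool to an
# absolute path up front instead of trusting PATH, which is what differs
# between an interactive login shell and the non-login shell Ansible's
# shell module spawns. JAVA_HOME and the extra directory are assumptions.

# Print the absolute path of tool $1, or fail with a diagnostic.
# Order: $JAVA_HOME/bin, then whatever PATH the calling shell has, then an
# optional extra directory $2 (e.g. the JDK's bin dir on this distro).
resolve_tool() {
  tool=$1; extra_dir=${2:-}
  for candidate in \
      "${JAVA_HOME:+$JAVA_HOME/bin/$tool}" \
      "$(command -v "$tool" 2>/dev/null || true)" \
      "${extra_dir:+$extra_dir/$tool}"; do
    if [ -n "$candidate" ] && [ -x "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  # Same exit code the shell gives for "command not found", but with the
  # environment that produced it, so the Ansible output explains itself.
  echo "error: $tool not found (PATH=$PATH, JAVA_HOME=${JAVA_HOME:-unset})" >&2
  return 127
}

# Run the lookup for tool $2 under PATH=$1 (and JAVA_HOME=$3, default unset)
# in a subshell, so the same script can show what happens under the minimal
# PATH a non-login shell receives without changing the caller's environment.
resolve_tool_with_path() {
  ( PATH=$1; export PATH; JAVA_HOME=${3:-}; resolve_tool "$2" )
}
```

In gen_root_ca.sh the call would become KEYTOOL=$(resolve_tool keytool /usr/lib/jvm/default-java/bin) (that directory is an assumption for Debian-style layouts) followed by cat ca/root-ca.pem | "$KEYTOOL" -import ...; on the playbook side, the answer's environment: PATH: ... on the task gives the same effect without editing the upstream script.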
I am trying on an Elasticsearch cluster to set up HTTPS for clients.
It works fine when I generate an SSL certificate from the cluster using certbot via the following command:
certbot certonly --standalone
My Elasticsearch cluster is configured as follows:
# elasticsearch.yml
cluster.initial_master_nodes: 10.132.0.3
cluster.name: elasticsearch
discovery.seed_hosts: 10.132.0.3:9200
network.host: 10.132.0.3
node.name: node-1
xpack.security.http.ssl.certificate: /etc/elasticsearch/ssl/my-subdomain.XXXX.com/fullchain.pem
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/ssl/my-subdomain.XXXX.com/privkey.pem
xpack.security.http.ssl.verification_mode: certificate
xpack.security.transport.ssl.enabled: true
I thus manage to authenticate over HTTPS on my Elasticsearch using my login and password, via the following command:
curl https://my-subdomain.XXXX.com:9200 -u username:password
My problem is that I would now like to do the same operation but by generating the SSL certificate via Terraform using the ACME provider, and more precisely with the resource "acme_certificate".
Here is my Terraform code:
resource "acme_certificate" "elastic" {
  account_key_pem = acme_registration.account_registration.account_key_pem
  common_name     = "${local.subdomain}.${var.domain_name}"

  dns_challenge {
    provider = "ovh"
    config = {
      OVH_ENDPOINT           = var.ovh_endpoint
      OVH_APPLICATION_KEY    = var.ovh_application_key
      OVH_APPLICATION_SECRET = var.ovh_application_secret
      OVH_CONSUMER_KEY       = var.ovh_consumer_key
    }
  }
}
From Terraform resource "acme_certificate" I get the following outputs:
"certificate_pem" which will become my "cert.pem" file (but I am not using it in my Elasticsearch setup)
"issuer_pem"
"private_key_pem" which will become my "privkey.pem" file
I am therefore missing the "fullchain.pem" file that I build by associating the "certificate_pem" and "issuer_pem" as follows (my error may be there):
resource "local_file" "fullchain" {
  content  = "${acme_certificate.elastic.certificate_pem}${acme_certificate.elastic.issuer_pem}"
  filename = "/my/local/path/fullchain.pem"
}
My "fullchain.pem" file looks like this:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
In the same way as with certbot, I inject my certificate into Elasticsearch with Terraform and verify that the Elastic user has the correct rights (with the chmod and chown commands).
The elasticsearch service restarts fine, but when I try to connect it gives me the following error:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
I don't understand what the problem is. I have the impression that the certificate returned by Terraform is not correct, but when I test their validity with certbot, everything seems OK:
openssl x509 -enddate -noout -in cert.pem # notAfter=Nov 16 13:55:54 2021 GMT
openssl x509 -enddate -noout -in fullchain.pem # notAfter=Nov 16 13:55:54 2021 GMT
Thanks for your help!
We have a web service application in which we perform the following procedure to generate certificates:
1. Create a file named openssl.ini in the folder with the following content:
# OpenSSL configuration file.
#----Begin----
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 3650
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = XYZ Corp
countryName_default = US
stateOrProvinceName_default = CA
localityName_default = San Francisco
emailAddress_default = support@xyz.com
organizationalUnitName_default = Business Division
commonName_default = ServerSystem1
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
#----End----
2. Run the following OpenSSL commands to generate the RootCA and Server certificate:
md ServerCert
cd ServerCert
md newcerts private
copy ..\openssl.ini ServerCert
echo 01 > serial
copy /y nul index.txt
openssl genrsa -out private/cakey.pem 1024
openssl req -new -x509 -extensions v3_ca -key private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.ini
openssl x509 -in cacert.pem -out ServerCA.crt
openssl req -new -nodes -out req.pem -extensions v3_req -config ./openssl.ini
openssl ca -out cert.pem -extensions v3_req -config ./openssl.ini -infiles req.pem
move cert.pem tmp.pem
openssl x509 -in tmp.pem -out cert.pem
openssl rsa -in key.pem -inform PEM -out ServerKey.der -outform DER
openssl x509 -in cert.pem -inform PEM -out ServerCert.der -outform DER
At the end of the process, the 3 files that are used later are:
ServerCA.crt -> Used on Windows to trust the webserver application
ServerKey.der -> Key used by the webserver
ServerCert.der -> Certificate used by the webserver application
The web server application requires the DER files to send the certificates. But in the browser, upon running the web-service application, the browser shows a “Not Secure” warning.
Upon clicking on the “Not Secure” warning, the following message is displayed.
However upon clicking on the Certificate and navigating to the tab “certification path”, the message says “This certificate is OK”.
This message is the same for Root Certificate and Server Certificate.
How to change the procedure to generate the certificates or modify the .ini file, so that the web-server application is trusted by the Browser?
Question Update:
To install the certificate in the Windows trust store, I followed these steps:
Typed "mmc" from the command prompt (administrator)
Clicked on "File" -> "Add/Remove snap-in..."
Clicked on "Certificate" -> "Add" -> "Computer Account" -> "Next" -> "Finish"
Clicked on "Certificates" -> "Trusted Root Certification Authorities" -> "Certificates"
Right clicked on "Certificates"
Clicked on "All tasks" -> "import" -> "Next" -> "Browse" -> Selected the CRT file
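Both questions above test the certificate with something that does not do what the client does: openssl x509 -enddate reads one field of one certificate, and the Windows "certification path" tab only walks the chain, while curl additionally builds the chain from what the server sends and a browser additionally checks the signature digest, key size and subjectAltName. The script below is an added example, not part of either post: it splits a PEM bundle, verifies the leaf against the untrusted rest the way curl does, and reports the properties a browser looks at. It needs the openssl CLI. make_test_pki builds a throwaway PKI for the demonstration; the names "good root", "other root" and es.example.test are constructed, and the leaf is given a subjectAltName to show the report for both cases.

```shell
#!/bin/sh
# Added example, not part of either post above: check a certificate bundle the
# way a TLS client does, not just its notAfter date. Needs the openssl CLI.
# make_test_pki builds a throwaway PKI (constructed for the demo).

# Split a PEM bundle into $2/cert-1.pem, cert-2.pem, ... (leaf first, as in
# certbot's fullchain.pem) and print how many certificates it held.
pem_split() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }
  ' "$1"
}

# Verify the first certificate of bundle $1 with the remaining ones offered as
# untrusted intermediates, which is exactly what a server sends. With a root
# file $2 the chain must end at that root only (default store disabled);
# without it the system trust store is used, i.e. the check curl performs.
verify_fullchain() {
  bundle=$1; cafile=${2:-}
  dir=$(mktemp -d)
  n=$(pem_split "$bundle" "$dir")
  set --
  [ -n "$cafile" ] && set -- -CAfile "$cafile" -no-CAfile -no-CApath
  if [ "$n" -ge 2 ]; then
    i=2
    while [ "$i" -le "$n" ]; do
      cat "$dir/cert-$i.pem" >> "$dir/untrusted.pem"; i=$((i + 1))
    done
    set -- "$@" -untrusted "$dir/untrusted.pem"
  fi
  rc=0
  openssl verify "$@" "$dir/cert-1.pem" || rc=$?
  rm -rf "$dir"
  return $rc
}

# Report what the "certification path" tab does not show: signature digest,
# key size and whether a subjectAltName is present. $2 is PEM (default) or DER.
cert_report() {
  text=$(openssl x509 -inform "${2:-PEM}" -in "$1" -noout -text)
  sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -1)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -1)
  if printf '%s\n' "$text" | grep -q 'Subject Alternative Name'; then san=yes; else san=no; fi
  printf 'signature=%s key_bits=%s san=%s\n' "$sig" "$bits" "$san"
}

# Throwaway PKI (constructed): two unrelated self-signed roots, a leaf issued by
# "good root" with a subjectAltName, and fullchain.pem assembled the way
# certbot and the Terraform concat above do it: leaf, then issuer.
make_test_pki() {
  dir=$1; mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  for name in good other; do
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=$name root" -keyout "$dir/$name-root.key" \
      -out "$dir/$name-root.pem" 2>/dev/null
  done
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=es.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:es.example.test\n' > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/good-root.pem" -CAkey "$dir/good-root.key" \
    -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
  cat "$dir/leaf.pem" "$dir/good-root.pem" > "$dir/fullchain.pem"
}
```

Run verify_fullchain fullchain.pem (no root argument) on the file Terraform wrote: if the leaf's issuer is not in the bundle, or the issuer in the bundle is not trusted by the system store, openssl reports the same "unable to get local issuer certificate" that curl shows, and the cert-N.pem files it left let you compare the issuer of cert-1 with the subject of cert-2 by hand. cert_report ServerCert.der DER works on the DER files from the Windows procedure.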
I am trying to set a variable from my while loop to itself. I've looked around a lot and tested various methods but haven't been able to get anything to work.
while read ip port srv ban
do
    rm -f certificate.crt #sterilizing
    echo -e "$ban" | base64 -d | dos2unix | openssl x509 -inform d > certificate.crt
    sleep .5
    cert=$(openssl x509 -in certificate.crt -text -noout)
    echo "$cert"
    $ban = $cert
done < outfiles.txt
Here's what outfiles.txt looks like with a one line snippet.
xxx.xx.xxx.xxx 443 X509 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
I'm trying to decode the cert, which I can do but I'm trying to replace (overwrite) the encoded certificate with the decoded certificate from the file I'm reading from on each line I go though by setting the $ban variable from while read ip port srv ban to the $cert variable.
So when looking at the outfiles.txt you should see
xxx.xx.xxx.xxx 443 Certificate: Data: Version: 3 (0x2) Serial Number: 1372799044 (0x51d34044) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority Validity Not Before: Sep 22 17:14:57 2014 GMT Not After : Sep 23 01:31:53 2024 GMT Subject: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ba:84:b6:72:db:9e:0c:6b:e2:99:e9:30:01:a7: 76:ea:32:b8:95:41:1a:c9:da:61:4e:58:72:cf:fe: f6:82:79:bf:73:61:06:0a:a5:27:d8:b3:5f:d3:45: 4e:1c:72:d6:4e:32:f2:72:8a:0f:f7:83:19:d0:6a: 80:80:00:45:1e:b0:c7:e7:9a:bf:12:57:27:1c:a3: 68:2f:0a:87:bd:6a:6b:0e:5e:65:f3:1c:77:d5:d4: 85:8d:70:21:b4:b3:32:e7:8b:a2:d5:86:39:02:b1: b8:d2:47:ce:e4:c9:49:c4:3b:a7:de:fb:54:7d:57: be:f0:e8:6e:c2:79:b2:3a:0b:55:e2:50:98:16:32: 13:5c:2f:78:56:c1:c2:94:b3:f2:5a:e4:27:9a:9f: 24:d7:c6:ec:d0:9b:25:82:e3:cc:c2:c4:45:c5:8c: 97:7a:06:6b:2a:11:9f:a9:0a:6e:48:3b:6f:db:d4: 11:19:42:f7:8f:07:bf:f5:53:5f:9c:3e:f4:17:2c: e6:69:ac:4e:32:4c:62:77:ea:b7:e8:e5:bb:34:bc: 19:8b:ae:9c:51:e7:b7:7e:b5:53:b1:33:22:e5:6d: cf:70:3c:1a:fa:e2:9b:67:b6:83:f4:8d:a5:af:62: 4c:4d:e0:58:ac:64:34:12:03:f8:b6:8d:94:63:24: a4:71 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE, pathlen:1 Authority Information Access: OCSP - URI:http://ocsp.entrust.net X509v3 CRL Distribution Points: Full Name: URI:http://crl.entrust.net/rootca1.crl X509v3 Certificate Policies: Policy: X509v3 Any Policy CPS: http://www.entrust.net/CPS X509v3 Subject Key Identifier: 6A:72:26:7A:D0:1E:EF:7D:E7:3B:69:51:D4:6C:8D:9F:90:12:66:AB X509v3 Authority Key Identifier: keyid:68:90:E4:67:A4:A6:53:80:C7:86:66:A4:F1:F7:4B:43:FB:84:BD:6D 
Signature Algorithm: sha256WithRSAEncryption 69:33:83:fc:28:7a:6f:7d:ef:9d:55:eb:c5:3e:7a:9d:75:b3: cc:c3:38:36:d9:34:a2:28:68:18:ea:1e:69:d3:bd:e7:d0:77: da:b8:00:83:4e:4a:cf:6f:d1:f1:c1:22:3f:74:e4:f7:98:49: 9e:9b:b6:9e:e1:db:98:77:2d:56:34:b1:a8:3c:d9:fd:c0:cd: c7:bf:05:03:d4:02:c5:f1:e5:c6:da:08:a5:13:c7:62:23:11: d1:61:30:1d:60:84:45:ef:79:a8:c6:26:93:a4:b7:cd:34:b8: 69:c5:13:f6:91:b3:c9:45:73:76:b6:92:f6:76:0a:5b:e1:03: 47:b7:e9:29:4c:91:32:23:37:4a:9c:35:d8:78:fd:1d:1f:e4: 83:89:24:80:ad:b7:f9:cf:e4:5d:a5:d4:71:c4:85:5b:70:1f: db:3f:1c:01:eb:1a:45:26:31:14:cc:65:bf:67:de:ca:cc:33: 65:e5:41:91:d7:37:be:41:1a:96:9d:e6:8a:97:9d:a7:ce:ac: 4e:9a:3d:bd:01:a0:6a:d9:4f:22:00:8b:44:d5:69:62:7b:2e: eb:cc:ba:e7:92:7d:69:67:3d:fc:b8:7c:de:41:87:d0:69:ea: ba:0a:18:7a:1a:95:43:b3:79:71:28:76:6d:a1:fb:57:4a:ec:
4d:c8:0e:10
Replace
$ban = $cert
with
ban=$cert
$ is only used to retrieve the value of a variable, not to set a variable.
Once I obtain the certificate, how do I generate a JKS key store from it?
How do I configure the Play application to use this key store?
Anything else I need to do?
Here is a script to obtain (update) the letsencrypt certificate:
#!/bin/bash
/path/to/your/app/stop # stop the play application; especially if it is running on port 80 otherwise the certificate generation will fail
rm -rf /etc/letsencrypt.bak
mv /etc/letsencrypt /etc/letsencrypt.bak
./letsencrypt-auto certonly --standalone -n -m email@example.com --agree-tos -d example.com -d www.example.com
cd /etc/letsencrypt/live/example.com
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert_and_key.p12 -CAfile chain.pem -caname root -passout pass:your_password
keytool -importkeystore -srcstorepass your_password -destkeystore keyStore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -storepass your_password
/path/to/your/app/start # start the application
You can schedule a cron job to run this script periodically as letsencrypt certificates currently expire after 90 days.
Once you obtain the certificate you need to modify the application start script as follows:
/path/to/your/app/app_name_script -Dhttps.port=443 -Dplay.server.https.keyStore.path=/etc/letsencrypt/live/example.com/keyStore.jks -Dplay.server.https.keyStore.password=your_password -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.rejectClientInitiatedRenegotiation=true # ... more parameters if required
Nearly there. When you run the application you get an A- rating from SSL Labs. The rating downgrade is related to Forward Secrecy. In order to sort out the Forward Secrecy issue (and get a full A rating) you need to specify the order of the cipher suites by implementing a custom SSLEngineProvider:
package controllers

import java.nio.file._
import java.security.KeyStore
import javax.net.ssl._
import play.core.ApplicationProvider
import play.server.api._

class CustomSslEngineProvider(appProvider: ApplicationProvider) extends SSLEngineProvider {

  // Suites to negotiate first: all ECDHE, so the server's preference gives forward secrecy
  val priorityCipherSuites = List(
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA")

  def readPassword(): Array[Char] =
    System.getProperty("play.server.https.keyStore.password").toCharArray

  def readKeyInputStream(): java.io.InputStream = {
    val keyPath = FileSystems.getDefault.getPath(System.getProperty("play.server.https.keyStore.path"))
    Files.newInputStream(keyPath)
  }

  def readKeyManagers(): Array[KeyManager] = {
    val password = readPassword()
    val keyInputStream = readKeyInputStream()
    try {
      val keyStore = KeyStore.getInstance(KeyStore.getDefaultType)
      keyStore.load(keyInputStream, password)
      val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
      kmf.init(keyStore, password)
      kmf.getKeyManagers
    } finally {
      keyInputStream.close()
    }
  }

  def createSSLContext(): SSLContext = {
    val keyManagers = readKeyManagers()
    val sslContext = SSLContext.getInstance("TLS")
    sslContext.init(keyManagers, Array.empty, null)
    sslContext
  }

  override def createSSLEngine(): SSLEngine = {
    val ctx = createSSLContext()
    val sslEngine = ctx.createSSLEngine
    val cipherSuites = sslEngine.getEnabledCipherSuites.toList
    // Priority suites first (only those the JVM actually enables), then the rest in JVM order
    val orderedCipherSuites =
      priorityCipherSuites.filter(cipherSuites.contains) ::: cipherSuites.filterNot(priorityCipherSuites.contains)
    sslEngine.setEnabledCipherSuites(orderedCipherSuites.toArray)
    val params = sslEngine.getSSLParameters
    // Make the server's suite order win over the client's
    params.setUseCipherSuitesOrder(true)
    sslEngine.setSSLParameters(params)
    sslEngine
  }
}
Do not forget to set
play.server.https.engineProvider=controllers.CustomSslEngineProvider
in your application.conf.
Tested with Play 2.5.x
I searched in various forums, in the end I came up with a very fast (and almost automated) solution:
First, as on the letsencrypt website they suggest, run these:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
then run
sudo certbot certonly --standalone -d domain.name.com
(for wildcards it's a bit more complicated, but the remainder of this procedure should be the same)
at this point it should tell you where the keys are, on some directory like /etc/letsencrypt/live/domain.name.com/*.pem (three keys: fullchain, privkey, and a chain)
then run openssl (editing domain name and password)
sudo openssl pkcs12 \
    -export -in /etc/letsencrypt/live/domain.name.com/fullchain.pem \
    -inkey /etc/letsencrypt/live/domain.name.com/privkey.pem \
    -out cert_and_key.p12 \
    -CAfile /etc/letsencrypt/live/domain.name.com/chain.pem \
    -caname root \
    -passout pass:<insert some password here>
then keytool (editing keystore path and password)
sudo keytool \
    -importkeystore \
    -srcstorepass <the password you inserted above> \
    -destkeystore <path/key>.jks \
    -srckeystore cert_and_key.p12 \
    -srcstoretype PKCS12 \
    -storepass <the password you inserted above>
and finally you should find the jks key on the path you wrote above.
In application.conf:
play.server.https.keyStore.path = "<path/key>.jks"
play.server.https.keyStore.type = "JKS"
play.server.https.keyStore.password = "<the password you inserted above>"
Tested with Play 2.6.15, on Ubuntu 16 and 18
I recently had to do this, here's my file:
#!/usr/bin/env bash
sudo killall java #stop the application gracefully
rm -rf /etc/letsencrypt.bak
cp -r /etc/letsencrypt /etc/letsencrypt.bak
certbot renew --standalone
cd /etc/letsencrypt/live/example.com/
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert_and_key.p12 -CAfile chain.pem -caname root -passout pass:your_password
keytool -importkeystore -srcstorepass your_password -destkeystore keyStore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -storepass your_password
After this, you'll need to set the properties when running the app using the same format as the accepted answer:
sudo /path/to/app -Dhttp.port=80 -Dhttps.port=443 -Dplay.server.https.keyStore.path=/etc/letsencrypt/live/api.ali.actor/keyStore.jks -Dplay.server.https.keyStore.password=your_password -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.rejectClientInitiatedRenegotiation=true
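All three answers above pass the keystore password as -passout pass:... and -storepass on the command line, where it is visible to every user on the host through ps and ends up in shell history. The script below is an added example, not part of any of the answers: the same certbot -> PKCS12 -> JKS conversion with the password read from a file (mode 0600), the store files created owner-readable only, and a check of what went into the store. The live directory layout and the password file location are assumptions; the certificate used in the test is a constructed self-signed one.

```shell
#!/bin/sh
# Added example, not part of the answers above: the certbot -> PKCS12 -> JKS
# conversion with the keystore password read from a file instead of being
# passed as "pass:..." / -storepass on the command line. Paths are
# assumptions; the password file is expected to be mode 0600.

# Build a PKCS12 from certbot's fullchain.pem (leaf + intermediates) and
# privkey.pem. "file:" makes openssl read the first line of the file as the
# password. The store holds the private key, so create it owner-readable only.
build_pkcs12() {
  fullchain=$1; key=$2; out=$3; passfile=$4
  ( umask 077
    openssl pkcs12 -export -in "$fullchain" -inkey "$key" -name server \
      -out "$out" -passout "file:$passfile" )
}

# Count the certificates stored in the PKCS12: a server bundle should hold the
# leaf plus every intermediate (2 for a typical Let's Encrypt chain).
pkcs12_cert_count() {
  openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Convert to JKS when keytool is present; return 3 when it is not. Play can
# also load the .p12 directly with play.server.https.keyStore.type = "PKCS12",
# so this step is optional. Older JDKs cannot read the AES/PBKDF2 PKCS12 that
# OpenSSL 3 writes by default; fix that by upgrading the JDK, not by choosing
# a weaker PBE for the store.
pkcs12_to_jks() {
  p12=$1; jks=$2; passfile=$3
  command -v keytool >/dev/null 2>&1 || return 3
  ( umask 077
    keytool -importkeystore -noprompt \
      -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:file "$passfile" \
      -destkeystore "$jks" -deststoretype JKS -deststorepass:file "$passfile" )
}

# Rebuild both stores under a certbot live directory $1; non-zero exit on any
# failure so the cron mail (or certbot hook log) shows it. A missing keytool
# is not a failure: the .p12 alone is usable.
rebuild_stores() {
  live=$1; passfile=$2
  build_pkcs12 "$live/fullchain.pem" "$live/privkey.pem" "$live/cert_and_key.p12" "$passfile" || return 1
  rc=0
  pkcs12_to_jks "$live/cert_and_key.p12" "$live/keyStore.jks" "$passfile" || rc=$?
  case $rc in 0|3) return 0 ;; *) return 1 ;; esac
}
```

Rather than a cron job that runs the whole script unconditionally, certbot renew --deploy-hook /path/to/rebuild.sh runs the rebuild only when a certificate was actually renewed, and --pre-hook / --post-hook can stop and start the Play application around the standalone challenge on port 80 instead of sudo killall java.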
Here is what I have after setting kerberos according to ansible:
http://docs.ansible.com/ansible/intro_windows.html
[libdefaults]
    default_realm = MY.DOMAIN.COM
    …
[realms]
    MY.DOMAIN.COM = {
        default_domain = my.domain.com
        kdc = <domain-controller-server>.my.domain.com
        kpasswd_server = <domain-controller-server>.my.domain.com
    }
    …
[domain_realm]
    .my.domain.com = MY.DOMAIN.COM
    …
I was able to create a kerberos ticket, here is my output:
root@alex-VirtualBox:/etc/ansible# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <user_name>@MY.DOMAIN.COM

Valid starting       Expires              Service principal
04/07/2016 13:58:52  04/07/2016 23:58:52  krbtgt/MY.DOMAIN.COM@MY.DOMAIN.COM
        renew until 04/08/2016 13:58:48
04/07/2016 14:02:20  04/07/2016 23:58:52  HTTP/<windows-target-server>.my.domain.com@MY.DOMAIN.COM
        renew until 04/08/2016 13:58:48
So what I am trying to do is run an Ansible playbook or even a simple command on . But I am getting this error, which I am pretty sure has nothing to do with Ansible:
root@alex-VirtualBox:/etc/ansible# ansible windows -m win_ping --ask-vault-pass
Vault password:
<windows-target-server>.my.domain.com | FAILED! => {
    "failed": true,
    "msg": "kerberos: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)), plaintext: 401 Unauthorized."
}
I even went ahead and created the keytab file:
> ktutil
ktutil: addent -password -p <user_name>@MY.DOMAIN.COM -k 1 -e rc4-hmac
provide password
ktutil: wkt <user_name>.keytab
ktutil: quit
But then I get different error:
root@alex-VirtualBox:/etc/ansible# ansible windows -m win_ping --ask-vault-pass
n2-2wbp-wbsvr01.na.msds.rhi.com | FAILED! => {
    "failed": true,
    "msg": "kerberos: (('An invalid name was supplied', 131072), ('Success', 100001)), plaintext: 401 Unauthorized."
}
Try putting the IP and hostname of your Windows host in the /etc/hosts file and then try: https://github.com/diyan/pywinrm/issues/21#issuecomment-58958732 , https://github.com/diyan/pywinrm/issues/21#issuecomment-59084178
PS:
'Server not found in Kerberos database' - That usually means that the Linux host where you're running kinit is not joined to the domain (i.e., it doesn't have a properly configured computer account in the domain). The existing docs unhelpfully omit that requirement...
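'Server not found in Kerberos database' is the KDC saying that no account holds the service principal the client asked for, and pywinrm builds that principal (HTTP/<host>@<REALM>, the one visible in the klist output above) from the host name in the inventory and the [domain_realm] mapping in krb5.conf. The script below is an added example, not part of the answer: it derives the SPN that will be requested for an inventory host from a krb5.conf and rejects names that cannot produce a usable one (an IP literal yields HTTP/10.0.0.5@REALM, which no computer account has; a short name depends on DNS canonicalization rather than the mapping). The krb5.conf in the test is constructed, as are the host names.

```shell
#!/bin/sh
# Added example, not part of the original answer: compute the HTTP service
# principal that Kerberos will be asked for when Ansible connects to a host,
# using the [domain_realm] mapping of a krb5.conf, and reject inventory names
# that cannot map to a valid SPN. The krb5.conf and host names are constructed.

# Print the realm krb5.conf $1 maps host $2 to. A ".domain" entry matches any
# host under it, a bare name matches exactly; the longest match wins, and
# default_realm from [libdefaults] is the fallback. Matching is case-insensitive.
realm_for_host() {
  conf=$1; host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  awk -v host="$host" '
    $1 ~ /^\[/ { section = $1 }
    section == "[libdefaults]" && $1 == "default_realm" { def = $3 }
    section == "[domain_realm]" && NF >= 3 && $2 == "=" {
      pat = tolower($1)
      exact  = (pat == host)
      suffix = (substr(pat, 1, 1) == "." && substr(host, length(host) - length(pat) + 1) == pat)
      if ((exact || suffix) && length(pat) > length(best)) { best = pat; realm = $3 }
    }
    END { print (realm != "" ? realm : def) }
  ' "$conf"
}

# Print the SPN "HTTP/<host>@<REALM>" for inventory host $2 under krb5.conf $1.
# Fails (exit 1) for an IP literal, a short name, or a host with no realm:
# each of those produces a principal the KDC has no account for, which is
# exactly the "Server not found in Kerberos database" failure.
winrm_spn() {
  conf=$1; host=$2
  [ -n "$host" ] || { echo "error: empty host name" >&2; return 1; }
  case $host in
    *[!0-9.]*) ;;
    *) echo "error: $host is an IP literal; Kerberos needs the host's DNS name" >&2; return 1 ;;
  esac
  case $host in
    *.*) ;;
    *) echo "error: $host is not fully qualified; use the FQDN that matches the SPN" >&2; return 1 ;;
  esac
  realm=$(realm_for_host "$conf" "$host")
  [ -n "$realm" ] || { echo "error: no realm maps $host in $conf" >&2; return 1; }
  printf 'HTTP/%s@%s\n' "$host" "$realm"
}
```

Compare the printed SPN with what klist shows after a successful connection (HTTP/<windows-target-server>.my.domain.com@MY.DOMAIN.COM above): if the inventory uses an alias, an IP or a different DNS suffix, the requested principal is not the one registered for the Windows host, whatever /etc/hosts says.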