Im using ubuntu18 desktop and i have added the certificates i need to firefox 73.0:
/usr/share/ca-certificates/mozilla
and also added it to :
/etc/ca-certificates.conf
At the end of the file like :
mozilla/caname.crt
And run :
update-ca-certificate
now, i can see certificates are in firefox certificate list through the browser but does not have any trust box marked, so it doesnt work.
Is there a way from cli to force the trust flag on this certificates, maybe with certutil ?
I know there is a lot of ways to enter certificate to firefox using cli commands but none have worked for me, and now i was able to add the certificates using the commands above, but i need to add the trust.
Found this solution to add certificates to firefox on ubuntu :
https://github.com/mozilla/policy-templates/#proxy
Simply need to add this file to :
/usr/lib/firefox/distribution/
touch policies.json
In policies.json add:
{
"policies": {
"Certificates": {
"ImportEnterpriseRoots": true,
"Install" [
"somecert1.crt",
"usr/local/share/ca-certificates/somecert1.crt"
]
}
}
}
The install part is first the name of the cert and then the path.
And restart firefox. if somthing doesnt work try resetting firefox as if you have set somthing before it can stuck it.
This method works good without certutil
for an upcoming IMAP migration, I need to proxy my users.
I plan to use Nginx for proxying IMAP and POPS traffic and directing them according to a LDAP attribute (mailHost)
But Nginx can't proxy SIEVE.
Dovecot PigeonHole seems to be able to proxy SIEVE protocol.
I try to configure it to avoid LDAP authentication because there's already an authentication on IMAP stores.
That doesn't work for now.
Here's my conf following this doc:
Pasword DB extra fields
Dovecot proxies
/etc/dovecot/dovecot.conf:
protocols sieve
!include conf.d/*.conf
/etc/dovecot/conf.d/90-sieve.conf
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
/etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain login
!include auth-ldap.conf.ext
/etc/dovecot/conf.d/auth-ldap.conf
passdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
}
/etc/dovecot/dovecot-ldap.conf.ext
hosts = xxx.xxx.xxx.xxx
ldap_version = 3
base = ou=myOU, dc=domain, dc=example
pass_attrs = \
=user=%{ldap:user}, \
=password=, \
=proxy=y, \
=host=%{ldap:mailHost}
And here's the error in the log when I try to modify a sieve script using Horde Webmail:
dovecot: managesieve-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, session=
I surely missed a setting somewhere.
For now, I haven't found yet.
Any help will be greatly appreciated
Thanks
OK, I've found the problem
To proxy password to IMAP backends:
/etc/dovecot/dovecot-ldap.conf.ext:
hosts = xxx.xxx.xxx.xxx
ldap_version = 3
base = ou=myOU, dc=domain, dc=example
pass_attrs = \
=user=%{ldap:user}, \
=password=, \
=proxy=y, \
=nopassword=y, \
=host=%{ldap:mailHost}
=port=2000
The doc says:
If you don’t want proxy itself to do authentication, you can configure it to succeed with any given password. You can do this by returning an empty password and nopassword field.
And port 2000 is needed because the IMAP backend still in production is running an old version of timsieved (cyrus sieve implementation)
Then, the backends are waiting for PLAIN authentication.
That's disabled by default in Dovecot, so activate it with:
/etc/dovecot/conf.d/10-auth.conf:
disable_plaintext_auth = no
auth_mechanisms = plain login
!include auth-ldap.conf.ext
This degrades the security, so I will limit access to port 2000 to the dovecot pigeon-hole proxy.
I would like to enable HTTPS in Lighttpd. I have a "key" file (created using openssl), along with the certificate and intermediate certificates generated by the SSL provider but I'm not sure how these files are usedin Lighttpd. It seems like the config file is expecting a file in "pem" format.
For completeness, I will also include the step for generating the keystore and CSR file.
CSR Generation
On the terminal, type (and enter your details).
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
HTTPS Configuration
1) You need to merge your keystore with the certificate returned by the issuer. This can be done in a text editor but I'd recommend doing it on the command line.
cat server.key domain_com.crt > domain.pem
2) To enable HTTPS in Lighttpd, open lighttpd.conf and enter the following
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "[path to domain.pem]"
ssl.ca-file = "[path to CA bundle containing root and intermediate certs]"
}
3) Make sure the server has the relevant permissions to read the certificate files.
4) Restart the Lighttpd service.
I'm trying to use Bower for a web app, but find myself hitting some sort of proxy issues:
D:\>bower search jquery
bower retry Request to https://bower.herokuapp.com/packages/search/jquery failed with ECONNRESET, retrying in 1.2s
bower retry Request to https://bower.herokuapp.com/packages/search/jquery failed with ECONNRESET, retrying in 2.5s
bower retry Request to https://bower.herokuapp.com/packages/search/jquery failed with ECONNRESET, retrying in 6.8s
bower retry Request to https://bower.herokuapp.com/packages/search/jquery failed with ECONNRESET, retrying in 15.1s
bower retry Request to https://bower.herokuapp.com/packages/search/jquery failed with ECONNRESET, retrying in 20.3s
bower ECONNRESET Request to https://bower.herokuapp.com/packages/search/jquery failed: tunneling socket could not be established, cause=Parse Error
Relevant points:
I can browse to https://bower.herokuapp.com/packages/search/jquery and it returns a full json response.
I can use git to clone, both using the git:// protocol and http(s).
I can use NPM directly without these issues
I've tried using Fiddler to determine what's being blocked, but it doesn't detect any calls from the Bower command. I can see calls from NPM commands in Fiddler.
I've searched the Bower issues list, seen similar issues, but they either have no solution or it doesn't seem quite the same as mine.
Any ideas?
Thanks #user3259967
This did the job.
I would like to add that if you are behind a proxy that needs to be authenticated, you can add the username/password to your .bowerrc file.
{
"directory": "library",
"registry": "http://bower.herokuapp.com",
"proxy":"http://<USERNAME>:<PASSWORD>#<PROXY_IP>:<PROXY_PORT>/",
"https-proxy":"http://<USERNAME>:<PASSWORD>#<PROXY_IP>:<PROXY_PORT>/"
}
NOTICE the use of http:// in https-proxy
The solution for me is this config .bowerrc
{
"directory": "vendor",
"registry": "http://bower.herokuapp.com",
"proxy": "http://<user>:<pwd>#proxy.host.br:8080",
"https-proxy": "http://<user>:<pwd>#proxy.host.br:8080",
"strict-ssl": false
}
Using the http protocol in https-proxy plus registry entry with http protocol.
Remember to change 8080 port number to whatever is yours proxy server port.
Are you behind a proxy?
Have you set up environment variables HTTP_PROXY and HTTPS_PROXY?
SET HTTP_PROXY=http://yourproxyserver:yourproxyport
SET HTTPS_PROXY=http://yourproxyserver:yourproxyport
Try changing the registry value in your .bowerrc:
{
"registry": "http://bower.herokuapp.com"
}
I did not have a .bowerrc file to configure my bower settings. I found the settings living in a file called defaults.js. found under "C:\...\bower\node_modules\bower-config\lib\util\defaults.js"
I hope this helps others:
var defaults = {
'cwd': process.cwd(),
'directory': 'bower_components',
'registry': 'http://bower.herokuapp.com',
'shorthand-resolver': 'git://github.com/{{owner}}/{{package}}.git',
'tmp': paths.tmp,
'proxy': '<<http://user:pass#proxy:port>>', // change proxy here or at the top
'https-proxy': '<<http://user:pass#proxy:port>>', // change proxy here or at the top
'timeout': 30000,
'ca': { search: [] },
'strict-ssl': false,
'user-agent': userAgent,
'color': true,
'interactive': null,
'storage': {
packages: path.join(paths.cache, 'packages'),
links: path.join(paths.data, 'links'),
completion: path.join(paths.data, 'completion'),
registry: path.join(paths.cache, 'registry'),
empty: path.join(paths.data, 'empty') // Empty dir, used in GIT_TEMPLATE_DIR among others
}
};
module.exports = defaults;
you can try suggest #thebignet into same issue on GitHub
Set proxy, https-proxy and strict-ssl configuration into .bowerrc File :
{
"proxy" : "http://<host>:<port>",
"https-proxy" : "http://<host>:<port>",
"strict-ssl" : false
}
But you must run Command from terminal:
git config --global url."https://".insteadOf git://
"strict-ssl": false
in .bowerrc did for me
For Win 7.
What worked for me , are below steps as suggested at this link - read #nanowizard answer.
In .bowerrc file, remove any http_proxy / https_proxy settings that
you might have done earlier. This is important.
So final content of this file should look like :-
{
"directory": "app/bower_components"
}
Set environment variables in your pc - http_proxy and https_proxy to your corporate firewall proxy. In case, your corporate proxy requires authentication and if your password contains special characters, convert it to hex form as suggested by this link. As in my case escaping of characters with '\' did not help. Also I had to restart my system.
Note :
http_proxy and https_proxy should contain same proxy address as shown below
http_proxy = http://<user>:<password>#<your company proxy>:<port>
https_proxy= http://<user>:<password>#<your company proxy>:<port> ->Note no 's' in http://...
I am behind corporate firewall and I have to specify domain name too.
None of these answers worked for me. Here is what I did -
Downloaded CNTLM from http://cntlm.sourceforge.net/
Obviously installed it.
Open up cntml.ini and change the following
Domain your_domain_name
Username your_domain_username
Password your_domain_passowrd
PassLM 1AD35398BE6565DDB5C4EF70C0593492 (uncomment this)
PassNT 77B9081511704EE852F94227CF48A793 (uncomment this too)
Proxy http://localhost:8888
Go to services.msc and start the CNTLM Authentication service.
Download Fiddler 4/2 (whatever they call it).
Install this too. This will run in http://localhost:8888
Now whatever program you’re running forward(proxy) it to http://locahost:3128 ( that’s what CNTLM is running.)
In this case specify http.proxy and https.proxy as http://localhost:8888
This will work for other client programs. Just specify proxy as http://localhost:8888
its work for me to change in .bowerrc file
{
"directory": "client/lib",
"registry": "http://bower.herokuapp.com",
"proxy":"http://192.168.1.205:3228",
"https-proxy":"http://192.168.1.205:3228"
}
where client/lib is installation directory where do you want to install
and http://192.168.1.205:3228 is your proxy ip with port. corporate proxy can be different according to oraganization.
In addition to setting the below proxy in .bowerrc:
{
"directory": "app/bower_components",
"proxy":"http://<user>:<password>#proxy.company.com:<proxy-port>",
"https-proxy":"http://<user>:<password>#proxy.company.com:<proxy-port>",
"http-proxy":"http://<user>:<password>#proxy.company.com:<proxy-port>",
"strict-ssl": false,
"registry": "http://bower.herokuapp.com"
}
I am required to run the following commands to fix the issue:
npm cache clean
bower cache clean
bower install
The registry used in the the other answers is now deprecated. Please update it!
{
"proxy":"http://<user>:<password>#proxy.company.com:<proxy-port>",
"https-proxy":"http://<user>:<password>#proxy.company.com:<proxy-port>",
"registry": "https://registry.bower.io"
}
{
"directory": "library",
"registry": "http://bower.herokuapp.com",
"proxy":"http://<USERNAME>:<PASSWORD>#<PROXY_IP>:<PROXY_PORT>/",
"https-proxy":"http://<USERNAME>:<PASSWORD>#<PROXY_IP>:<PROXY_PORT>/"
}
This code worked for me. I am using Win 7 and chrome and also git bash. Here few things need to be cleared. This takes me huge time to find the actual data regarding the user name, password, proxy IP and Port. I will describe it step by step so that every learners can easily grasp the message:
Create a file in the notepad named .bowerrc in the login folder; You can go there by typing at Start>Run>%UserProfile% and press OK.
Type above code in the .bowerrc file with the following changes:
Replace <USERNAME> with your internet connection user ID or login ID
Replace <PASSWORD> with your internet connection password or login password.
Replace <PROXY_IP> and <PROXY_PORT> with the working proxy IP address and its port number.
**Note: There should be no angle brackets.**
Proxy IP should be different than your own IP.
Before using any proxy IP and port you should check it is working by changing your proxy IP and port.
You can go through this link to know the details of proxy settings at description here
From this proxy settings you will get Proxy IP and Port.
Recheck all the input so that all are correct and save and close the file.
Open git bash and change directory to the project file and type command and hit enter, in my case, git bash command:
a#a-PC MINGW32 /d/conFusion
$ bower install
It worked like magic.
In case it helps someone, I had a 'bower blocked by group policy' error.
Solution was to make an exception in CryptoPrevent, a application installed on our company computers to prevent crypto lockers.
For info, in your .bowerrc file you can add a no-proxy attribute. I don't know since when it is supported but it works on bower 1.7.4 and it solve the issue of bower behind a corporate proxy with an internal repository
.bowerrc :
{
"directory": "bower_components",
"proxy": "http://yourProxy:yourPort",
"https-proxy":"http://yourProxy:yourPort",
"no-proxy":"myserver.mydomain.com"
}
Regards
Please make sure there are no special characters in your proxy password. Convert it to hex. It works for me.
I'm trying to do the following request using TCL (OpenACS)
http::register https 443 tls::socket
set url "https://encrypted.google.com"
set token [http::geturl $url -timeout 30000]
set status [http::status $token]
set answer [http::data $token]
http::cleanup $token
http::unregister https
The problem is that when I read the $status variable I get "eof" and the $answer variable becomes empty. I tried enabling tls V.1
http::register https 443 [list tls::socket -tls1 1]
and it works only for the site https://www.galileo.edu, but not for https://encrypted.google.com.
The site what I'm trying to connect is https://graph.facebook.com/me/feed?access_token=...
but it doesn't work.
I used curl to retrieve the contents of the pages in HTTPS and it works, I have installed OpenSSL, so I can't see the problem, there is another way to do HTTPS connections with TCL?.
I can't see if this is a problem of coding (maybe I'm registered wrong the https protocol) or maybe It is a bad configuration of my server. Hope somebody helps!! Thanks!
Hmm, I can't reproduce that. Which patchlevel of Tcl are you using, and which version of the tls package?
I did this:
package require http
package require tls
# This is your code, cut-n-pasted with blank lines removed
http::register https 443 tls::socket
set url "https://encrypted.google.com"
set token [http::geturl $url -timeout 30000]
set status [http::status $token]
set answer [http::data $token]
http::cleanup $token
http::unregister https
puts $status
And it produces “ok” as output, with $status's contents looking likely too (but too long to paste here). This is with Tcl 8.5.2 (I know I need to upgrade), http 2.7 and tls 1.6.