On my local dev machine (osx), I'm using jboss to server web services on 8443. When I hit the urls directly I get the json responses I'm looking for. The architecture we have at work includes a middle layer (apache/php) that does authentication and routing. If things authenticate then it forwards the request to the backend.
When I was working with apache on port 80 and jboss on 8081 (using http). Everything worked fine for me. Now that I'm trying to use 8443, things aren't working.
I recently changed the backend to server through https (8443) instead of http (8081). I can hit the requests on https 8443 directly and get the json response. When I hit apache and it authenticates then tries to redirect to the https 8443 I get the following message from chrome's inspector: "SSL: can't load CA certificate file /etc/pki/tls/certs/ca-bundle.crt".
My vhost is setup to catch *:80 requests. I think I might need to setup vhosts to accept 443 requests or install ca-certificates like talked about in How do I deal with certificates using cURL while trying to access an HTTPS url? . I'm looking to see if anyone knows what the proper direction should be.
When I look on the file system, the file /etc/pki/tls/certs/ca-bundle.crt doesn't exist. When I make the request to the middle layer, I see the request hit /var/log/apache2/access_log and nothing comes up in /var/log/apache2/error_log.
What is needed to resolve this issue? Is it a configuration of vhosts to catch request to 443? Is it to install ca-cert stuff like in the link? A combination of both? Or something else? Please provide enough info on how to solve it, or provide links that provide enough info.
I solved my issue and am doing a post for documentation purposes, in case anyone else has similar issues. There was a couple of issues I had to resolve to fix this.
PHP Install
My /etc/apache2/httpd.conf referenced my default osx php install instead of my home brew install of php. Solution was to edit the httpd.conf and point it to the right install.
#LoadModule php5_module /usr/local/opt/php53/libexec/apache2/libphp5.so
LoadModule php5_module /usr/local/Cellar/php53/5.3.29_4/libexec/apache2/libphp5.so
You can create a similar setup of php using home brew by the following commands:
brew install homebrew/php/php53
brew install homebrew/php/php53-igbinary --build-from-source
brew install homebrew/php/php53-intl
brew install homebrew/php/php53-mcrypt
brew install homebrew/php/php53-memcached
brew install homebrew/php/php53-mongo
brew install homebrew/php/php53-xdebug
Create the CA Cert Bundle File
The system is looking for /etc/pki/tls/certs/ca-bundle.cert which is a standard path on linux, but not on osx. We get around this by generating the file.
I generated the .keystore file using keytool and used jboss for my alias. In order to build the ca bundle file, we need it to be in the pem format, so we need to add the -rfc to our export statement. Below are the commands:
cd /usr/local/jboss-eap-6.4/standalone/configuration
keytool -export -alias jboss -file local-sbx.dev.yourcompany.com.crt -keystore .keystore -rfc
After you have the file, you can cat it out and verify that the file has the BEGIN CERTIFICATE and END CERTIFICATE stuff in it. If so, its in the right format.
Lastly, create the directory structure, move the cert to act like the bundle (which is just a bunch of certs appended to each other) and then restart apache:
mkdir -p /etc/pki/tls/certs/
sudo cp local-sbx.dev.yourcompany.com.crt /etc/pki/tls/certs/ca-bundle.crt
sudo apachectl restart
Related
We have a superset docker containers which is using keycloak as identity broker. All this setup is working fine on http. Further, we have installed ssl certificate on keycloak and same is also working fine. Our superset and keycloak integration code changes look exactly like its mentioned in the answer here.
Now, when we changed auth uris from http to https in superset/docker/pythonpath_dev/client_secret.json, we are getting below error after the login flow is redirected from keycloak to superset.
Forbidden
'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)'
We also tried installing root certificates on superset by mounting them on /usr/local/share/ca-certificates and then executing update-ca-certificates in the container, but still there was no help. Any idea how this can be resolved?
Thanks #sventorben for the tip. Indeed it was python which was not able to read my ca files. Since I am new to this, I would detail out all the steps followed. However, some of these steps might be redundant.
After I received my root as well intermediary CA files, I first converted them to PEM format as they were in DER format using openssl.
openssl x509 -inform DER -in myintermediary.cer -out myintermediary.crt
openssl x509 -inform DER -in myroot.cer -out myroot.crt
Then, I mounted these files to my superset container at path /usr/local/share/ca-certificates/
Then, I logged into my container and executed update-ca-certificates command and verified that 2 new pem files got added at /etc/ss/certs/ path i.e. myroot.pem and intermediary.pem.
Then, I added these CA files to python certifi inside my container. To find out the path of cacert.pem, I executed below commands into python terminal.
import certifi
certifi.where()
exit()
Here, second command gave me the path of cacert.pem which was like /usr/local/lib/python3.7/site-pacakges/certifi/cacert.pem.
After this, i appended my ca files at the end of cacert.pem
cat /etc/ssl/certs/myroot.pem /etc/ssl/certs/intermediary.pem >> /usr/local/lib/python3.7/site-pacakges/certifi/cacert.pem
In the end i logged out of my container and restarted it.
docker-compose stop
docker-compose up -d
Note:
I feel step 3 is redundant as python does not read CA files from there. However, i still did it and I am in no mood of reverting and test it out again.
Also, this was my temporary fix as executing the commands inside the container is not useful as they are ephermal.
Update:
Below are the steps followed for production deployment.
Convert root certificates in PEM format using openssl.
Concat both PEM files into a new PEM file which will be installed as bundle. Lets say, the new PEM file is mycacert.pem and same is mounted at /app/docker/.
Create one sh file called start.sh and write 2 commands as below.
cat /app/docker/mycacert.pem >> /usr/local/lib/python3.7/site-pacakges/certifi/cacert.pem
gunicorn --bind 0.0.0.0:8088 --access-logfile - --error-logfile - --workers 5 --worker-class gthread --threads 4 --timeout 200 --limit-request-line 4094 --limit-request-field_size 8190 'superset.app:create_app()'
Modify docker-compose.yml and change command as below.
command: ["/app/docker/start.sh"]
Restart superset container.
docker-compose stop
docker-compose up -d
My domain is: https://www.neasy.de
I ran this command:
git clone https://github.com/certbot/certbot
cd certbot
./certbot-auto certonly -a standalone -d neasy.de -d www.neasy.de
cd /etc/letsencrypt/live/neasy.de
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version): linux
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.31.0
4 month ago i first used letsencrypt and I was success to use it. I learned I have to generate certificate
with and without www. prefix and it is important. My company has changed the domain name from neasy.app to neasy.de and for that I deleted my old certificate and generate new one for neasy.de
Now i am in a new trouble that if i write in my browser neasy.de it does not work even if i write www.neasy.de it does not work. But for at least once time if I write https://neasy.de or https://www.neasy.de it works, and for the next time i dont need to write https:// prefix.
This issue really seems weird to me any help will be appreciated. If you already tried writting https://neasy.de then you can open firefox browser private window
Since you're using Ubuntu please follow this guide:
https://certbot.eff.org/lets-encrypt/ubuntuxenial-apache.html (jus make sure to choose your ubuntu release from the dropdown).
this will guide you through the whole process without manual work.
Just make sure to run all apt-related commands.
Was there a route for the old domain neasy.app which was redirecting the http traffic to https ? It looks like you forgot to update that route with the new domain name.
Usually when you enter any new website in the address bar of browser it by default uses http protocol. On the server site you have to do a 301 redirect from http to https.
I have already tried a lots of options available for this problem on stackoverflow, unfortunately nothing is working for me so far.
It started with composer installation. My env details are listed below:
OS: Windows 7
PHP V 7.1.10, XAMPP version
I am running MINGW64, (which was installed with git v2.1.5)
curl --version
curl 7.56.1 (x86_64-w64-mingw32) libcurl/7.56.1 OpenSSL/1.0.2l (WinSSL) zlib/1.2.11 libidn2/2.0.4 libssh2/1.8.0 nghttp2/1.26.0
Release-Date: 2017-10-23
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2 HTTPS-proxy MultiSSL Metalink
Now here it seems CURL with OpenSSL is installed correctly.
When I was doing composer require or install it was reported me an error as follows:
I searched and figured out that its the local certificate problem so I downloaded the certificate/bundle from https://curl.haxx.se/docs/caextract.html, placed the certificate under C:\xampp\php\extras\ssl\ and changed the PHP.ini
curl.cainfo="C:\xampp\apache\bin\curl-ca-bundle.crt"
openssl.cafile="C:\xampp\php\extras\ssl\curl-ca-bundle.crt"
this never worked. Then I placed my certificates under C:\Windows\System32\curl-ca-bundle.crt, changed the ini still it didn't work.
Then I downloaded cacert.pem from
https://gist.github.com/VersatilityWerks/5719158/download
and repeated steps to make it work with pem file.
However I am afraid still no success here.
Can anyone help me whats wrong going on here? Any help in this direction is much
appreciated.
This is for Windows users, using curl-7.57.0-win64-mingw or similar version.
I have already shared this on another thread, but I think Windows users might stumble upon this question and my answer might help. So, sharing the step-by-step process.
This error basically means, curl is failing to verify the certificate of the target URI. If you trust the issuer of the certificate (CA), you can add that to the list of trusted certificates (e.g. It's a local IIS certificate, and you trust it for your development purposes).
For that, browse the URI (e.g. on Chrome) and follow the steps
Right click on the HTTPS secure padlock 🔒 icon on address bar
Click on certificate, it'll open a window with the certificate details
Go to 'Certification Path' tab
Click the ROOT certificate
Click View Certificate, it'll open another certificate window
Go to Details tab
Click Copy to File... button, it'll open the export wizard
Click Next
Select 'Base-64 encoded X.509 (.CER)'
Click Next
Give a friendly name that you can remember e.g. 'MyDomainX.cer' (browse to desired directory) and save
Click Next
Click Finish, it'll save the certificate file
So what did we do?
We basically saved the root certificate for the desired site (that we actually trust) as a local file. What do we do next?
Add that certificate to the list of trusted certificates
Now open this .cer file and copy the contents (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----)
Now go to the directory where curl.exe is saved e.g. C:\SomeFolder\curl-7.57.0-win64-mingw\bin
Open the curl-ca-bundle.crt file with a text editor (right click and open with...)
Append the copied certificate text to the end of the file. Save
What did we do now?
We added the certificate (content) to curl's main certificate bundle. So now curl will recognize this certificate and allow the domain.
Now your command should execute fine on curl.
Just posting this here for posterity as I spent the last 2 hours on this.
NOTE: only tested on windows.
Make sure you have the curl version with ssl included ( the latest exe installer has it)
Download the cacert.pem from http://curl.haxx.se/docs/caextract.html
Rename cacert.pem to curl-ca-bundle.crt
Move the cacert.pem file to the curl.exe directory.
Fixed.
My eventual workaround for the issue below was to convince our IT guys not to man-in-the-middle the dockerhub registry. I was not able to get anything else to work, alas.
I am running into a problem with my initial attempt to get Docker running on my Mac at work, which is running 10.8.5. It appears that my company's certificate-rewriting proxy seems to be getting in the way of fetching images:
orflongpmacx8:docker pohl_longsine$ docker run hello-world
Unable to find image 'hello-world:latest' locally
Pulling repository hello-world
FATA[0001] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "bcauth")
(Indeed, when I log onto the guest wireless – which does not have the meddlesome proxy – I can get past this step. However, I need to figure out how to make this work through the proxy since using the guest wireless is untenable as a long-term solution.)
My issue, on the surface, appears to be very much like the one answered in this question. However, the accepted answer in that question does not work for me, since the root_unix.go file they discuss does not get invoked on a Mac. (From browsing around, I would guess that root_cgo_darwin.go and/or root_darwin.go would be involved instead.)
That doesn't really tell me how, operationally, I need to do the equivalent work of installing some sort of trusted certificate. I managed to get my hands on a *.cer file that I believe to be the one that I need, but I'm at a loss as to what to do with it.
I'm hoping that someone can point me in the right direction.
Edit: I thought that maybe I needed to to something akin to what this page suggests, to add the certificate. Alas, my attempt at following those instructions failed in the following way:
orflongpmacx8:docker pohl_longsine$ sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "~/Desktop/Certs/redacted.cer"
Password:
***Error reading file ~/Desktop/Certs/redacted.cer***
Error reading file ~/Desktop/Certs/redacted.cer
Edit 2: I may have come one step closer to solving this. I should have known better to use a path with a tilde inside quotation marks. If I use an absolute path instead, I can successfully run the above command to add certs.
Alas, this did not alleviate the ultimate symptom:
FATA[0001] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "bcauth")
According to the boot2docker README
Insecure Registry
As of Docker version 1.3.1, if your registry doesn't support HTTPS, you must add it as an insecure registry.
$ boot2docker init
$ boot2docker up
$ boot2docker ssh
$ echo 'EXTRA_ARGS="--insecure-registry <YOUR INSECURE HOST>"' | sudo tee -a /var/lib/boot2docker/profile
$ sudo /etc/init.d/docker restart
then you should be able to do a docker push/pull.
The source of http://golang.org/src/crypto/x509/root_darwin.go shows that the command:
cmd := exec.Command("/usr/bin/security", "find-certificate", "-a", "-p", "/System/Library/Keychains/SystemRootCertificates.keychain")
is used to find the certificate.
Try adding the .cer file into the OSX certificate key-chain.
If you use the docker-machine
edit $USER/.docker/machine/machines/default/config.json
"EngineOptions": {
"InsecureRegistry": [
"XXX.XXX.virtual"
],
}
when i made https enabled in secure url and front end secure url usage to yes in magento the checkout page becomes not found. Should i need to do anything more? where i have to place my ssl certificates.
please help me in this
You need to configure your web server (presumably apache?) and point it to your ssl certificate. You also need to make sure that mod_ssl is enabled. The config files will be in /etc/apache2 or /etc/httpd depending on the OS. You should find the ssl.conf file and set the location of the certificate there. To enable mod_ssl you can issue the following command in the command line:
a2enmod ssl