My containers are working now, but I cannot access the docker remote API.
The docker settings folder is located at /Users/lala/.boot2docker
I get nothing back from curl http://192.168.59.103:2376/info
.zshrc
export DOCKER_HOST=tcp://192.168.59.103:2376
export DOCKER_CERT_PATH=/Users/lala/.boot2docker/certs/boot2docker-vm
export DOCKER_TLS_VERIFY=1
You need to create a pkcs12 certificate to get curl to talk to docker when it's in secure/TLS mode. My answer is based on this post. I'll assume that you run the pkcs12 creation command (openssl) in the current directory.
openssl pkcs12 -export -inkey $DOCKER_CERT_PATH/key.pem -in $DOCKER_CERT_PATH/cert.pem \
-name b2d-client-side -out b2d-client-side.p12 -password pass:mysecret
curl -k --cert b2d-client-side.p12:mysecret \
https://$(boot2docker ip):2376/info
Related
My requirement is to create an RSA private key file from a certificate file (a file with the .crt extension). OpenSSL is installed on my system and I have also set the environment variable in "PATH". Unfortunately, when I execute the command in CMD it's not working... The response I am getting in CMD is
The command I am executing in CMD
openssl pkcs12 -in myfile.crt -nocerts -out keyFile.key
The response is
pkcs12: Use -help for summary.
I am not familiar with OpenSSL and have not found a correct solution yet. Any help will be appreciated.
Thanks in advance.
I have to connect to a webservice, where a pkcs12 certificate is a must. The idea was to use curl in a bash script (under OS X, to be specific).
I have learnt that one of the few things curl cannot do in communication is handling pkcs12 certificates (.p12). What are my options?
I have read that converting the certificate to PEM format would work (using openssl), however I have no idea how to tell curl that it gets a PEM and should communicate with a webservice requesting PKCS12 certificates.
Converting pkcs12 to pem would be done like this (e.g.). It worked for me, however I haven't successfully used them with curl:
openssl pkcs12 -in mycert.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out file.crt.pem -clcerts -nokeys
Any hints? Or, any alternatives to curl? The solution should be command-line based.
I think you have already resolved this, but I had the same problem. I am answering to share my solution.
If you have a .p12 file your approach is right.
First of all, you have to get the cert and the key separated from the p12 file.
As an example, if you have a mycert.p12 file execute
openssl pkcs12 -in mycert.p12 -out file.key.pem -nocerts -nodes
openssl pkcs12 -in mycert.p12 -out file.crt.pem -clcerts -nokeys
Then you have to make the call to your url. For instance, assume that you want to get the WSDL of a specific web service:
curl -E ./file.crt.pem --key ./file.key.pem https://myservice.com/service?wsdl
If the files file.crt.pem and file.key.pem are in your working folder, "./" is mandatory.
Check if you have a newer curl. Newer versions can handle PKCS12 outright.
Tangentially, quote the password, or individually escape all shell metacharacters.
curl --cert-type P12 --cert cert.p12:'password' https://yoursite.com
bioffe's answer is correct.
He was suggesting to do:
curl --cert-type P12 --cert cert.p12:password https://yoursite.com
For some reason that didn't work for me. I was getting:
curl could not open PKCS12 file
I just ended up exporting the p12 file without a password and ended up just using the following format.
curl --cert-type P12 --cert cert.p12 https://yoursite.com
You can easily check to see if your curl can handle p12. Very likely it does. Just do man curl and scroll down until you find the cert-type. Mine was like this:
--cert-type <type>
(TLS) Tells curl what type the provided client certificate is using. PEM, DER, ENG and P12 are recognized types. If not specified, PEM is assumed.
If this option is used several times, the last one will be used.
(I don't believe Cmd + F works on text not visible in the terminal, so you have to scroll down.)
After running this:
openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys
I get prompted with the option descriptions.
After running this
openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes
I get prompted with "Enter Import Password:". What is this import password? I tried the one I set from the firefox backup and it responded with "Mac verify error: invalid password?". I'm sure that the password is correct because I tested it by importing it again into firefox.
I got the commands from the answer to this question!
I experienced the same thing too. Try to put the password in the command line like this. It works for me:
openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes -password pass:<mypassword>
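Added example, not part of any of the posts above: the two-step PKCS#12 split used in these answers, with the import password read from an environment variable (`-passin env:`) so it stays out of the argument list and needs no shell quoting, followed by a check that the extracted key and certificate belong together. The `P12_PASS` variable name, the file names and the throwaway self-signed certificate are constructed for the example.

```shell
#!/bin/sh
# Added example: constructed names and a throwaway test certificate throughout.
set -eu

# split_p12 <bundle.p12> <out-dir>
# Same two openssl calls as in the answers above, but the password comes from
# the P12_PASS environment variable (assumed name) instead of "pass:..." in argv.
split_p12() {
  (
    umask 077   # the unencrypted key file must not be readable by other users
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
            -out "$2/file.key.pem" &&
    openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys \
            -out "$2/file.crt.pem"
  )
}

# key_matches_cert <key.pem> <cert.pem>: prints "match" or "mismatch".
# Compares the public key derived from the private key with the one in the cert.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || true
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || true
  if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# demo: build a constructed .p12, split it, and report whether the pair matches.
demo() {
  d=$(mktemp -d)
  # Constructed password containing shell metacharacters and a space.
  P12_PASS='my$ecret pass'; export P12_PASS
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=constructed-client" \
          -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/k.pem" -in "$d/c.pem" \
          -name constructed -passout env:P12_PASS -out "$d/mycert.p12"
  split_p12 "$d/mycert.p12" "$d" 2>/dev/null
  key_matches_cert "$d/file.key.pem" "$d/file.crt.pem"
  rm -rf "$d"
}

demo
```

Because of `-nodes`, file.key.pem holds the private key unencrypted; remove it once curl no longer needs it.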
I'm trying to create a certificate request with the command line below, and it returned an error:
./runmqckm -certreq -create -db /var/mqm/qmgrs/QMGR01/ssl/sslreceiver.kdb \
  -pw password123 -label ibmwebspheremqsslreceiver \
  -dn "CN=SSLCLIENT,O=IBMIBM,C=US" -file /var/mqm/sslreceiverreq.arm
The keystore already contains an entry with label
'ibmwebspheremqsslreceiver'.
Choose a different label and try again.
However, there is no such entry as ibmwebspheremqsslreceiver in my current keystore file:
#/usr/mqm/bin $ ./runmqckm -cert -list -db /var/mqm/qmgrs/QMGR01/ssl/sslreceiver.kdb -pw password123
Certificates in database /var/mqm/qmgrs/QMGR01/ssl/sslreceiver.kdb:
ssl_ca
So why did this happen?
The first command creates a certificate request.
The second command lists certificates.
If you want to list certificate requests, use the -certreq -list command instead of the -cert -list command.
Instead of going to Extension Builder > Build Package…, I'd like to build a .safariextz package from the MyExtension.safariextension folder.
I know I can unpack an extension with xar -xf. I suspect the way back involves packing it with xar, but then I'll need to do the code signing thing, which may or may not involve codesign(1).
Here are Omar Ismail's instructions, omitting the need for separate shell scripts. This will all occur in a directory safari/, where we will be signing the directory safari/appname.safariextension/ to become the extension safari/appname.safariextz. The first thing is to sign the extension the official way, with Extension Builder's Build Package.
Set up Xar:
1. Download and unzip/untar
https://github.com/downloads/mackyle/xar/xar-1.6.1.tar.gz
to wherever you want the executable xar-1.6.1 (xar 1.6dev doesn't support the options we need)
2. in xar-1.6.1/
./configure
make
sudo make install
sudo ln -s /full/path/to/xar-1.6.1/src/xar /usr/local/bin/xar161
Set up your certificates:
1. in safari/
mkdir certs/
xar161 -f appname.safariextz --extract-certs certs/
2. open Keychain Access and export your Safari Developer certificate to safari/certs/certs.p12 (use a blank password for certs.p12, and then use your Mac's password to export the cert)
3. in safari/certs/
openssl pkcs12 -in certs.p12 -nodes | openssl x509 -outform der -out cert.der
(same blank password)
openssl pkcs12 -in certs.p12 -nodes | openssl rsa -out key.pem
(same blank password)
openssl dgst -sign key.pem -binary < key.pem | wc -c > size.txt
It's possible that you can get the certificates from certs/cert.p12, and not need the --extract-certs step (and hence not need the extension built the official way), but I don't know openssl well enough, and it's only for the set up that you need that step anyway.
Once everything is set up, to sign the extension:
In safari/
xar161 -czf appname.safariextz --distribution appname.safariextension/
xar161 --sign -f appname.safariextz --digestinfo-to-sign digest.dat --sig-size `cat certs/size.txt` --cert-loc certs/cert.der --cert-loc certs/cert01 --cert-loc certs/cert02
openssl rsautl -sign -inkey certs/key.pem -in digest.dat -out sig.dat
xar161 --inject-sig sig.dat -f appname.safariextz
rm -f sig.dat digest.dat
This was all on a 2006 Snow Leopard MacBook, so it's possible things may be different on a machine that's more up to date.
Looks like there is a way to patch XAR with a signature option. http://code.google.com/p/xar/issues/detail?id=76#c0