Having trouble authenticating in Drush with SSL - windows

My Drupal site is hosted at Pantheon (getpantheon.com), I'm using Drush on a Windows 7 x64 machine. I was reading this article on commands using Drush + Terminus (a special Drush extension for Pantheon sites):
https://www.getpantheon.com/blog/five-steps-feeling-drush
I want to be able to use both Drush and Terminus to quickly and efficiently manage my Pantheon Drupal sites.
I installed Terminus fine and was able to issue all the drush-related commands and connect to the server. However, when I got to the part about using 'pauth' to authenticate and use the actual Terminus commands, my authentication was successful, but then at the part where it's supposed to say 'Success!' :) it says instead:
Dashboard unavailable: SSL certificate problem: unable to get local issuer certificate
Pantheon told me:
This is due to Windows not bundling an Internet-friendly set of Certificate Authority (CA) certs with curl. Check Stack Overflow or the like for a bunch of solutions
Any suggestions on how to proceed? I'm not familiar with cURL at all, so something basic would be great, thanks.

Still new here...figuring this out. I should have done more research :p I found the answer here:
AWS SSL security error : [curl] 60: SSL certificate prob...: unable to get local issuer certificate
Once I'd downloaded the .pem file and saved it in a directory and referenced it from php.ini I was good to go.
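A preflight check for the fix described above, added here as an example and not taken from the original posts: it reads php.ini text, looks for the CA bundle directives, and confirms the referenced file exists and contains PEM certificate blocks. It assumes the bundle is referenced through PHP's `curl.cainfo` or `openssl.cafile` directives; the function names are hypothetical, and the check is structural only (it does not validate signatures or expiry).

```python
import base64
import re
from pathlib import Path

# php.ini directives that point PHP's curl extension and OpenSSL streams at a CA bundle.
CA_DIRECTIVES = ("curl.cainfo", "openssl.cafile")
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_ca_directives(ini_text):
    """Return {directive: path} for uncommented CA directives in php.ini text."""
    found = {}
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or commented-out directive
        key, sep, value = line.partition("=")
        if sep and key.strip() in CA_DIRECTIVES:
            found[key.strip()] = value.split(";")[0].strip().strip("\"'")
    return found


def count_pem_certs(path):
    """Count PEM blocks whose body is valid base64 of a DER SEQUENCE."""
    text = Path(path).read_text(encoding="ascii", errors="replace")
    count = 0
    for body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # corrupted block, e.g. a truncated download
        if der[:1] == b"\x30":  # every X.509 certificate starts with SEQUENCE
            count += 1
    return count


def check_php_ca_config(ini_text):
    """Return one (directive, path, status) finding per CA directive."""
    directives = read_ca_directives(ini_text)
    findings = []
    for name in CA_DIRECTIVES:
        path = directives.get(name)
        if not path:
            findings.append((name, None, "not set"))
        elif not Path(path).is_file():
            findings.append((name, path, "file missing"))
        else:
            n = count_pem_certs(path)
            findings.append((name, path, f"{n} certificate block(s)"))
    return findings
```

Run it against the php.ini that the command-line PHP actually loads, since the CLI and the web server can use different ini files.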

Related

How to setup TLS certificates for a Windows gitlab-runner?

I've been trying to use this documentation as a guide but I am having no luck setting up a gitlab-runner on Windows. It correctly polls for jobs but when it tries to pull artifacts, it returns an x509: certificate signed by unknown authority error.
Can anyone step through how to generate the proper certificate and attach it to the Windows gitlab-runner in order to get things to work?
I've tried generating certificates using openssl and setting the --tls-ca-file flag but so far, it hasn't helped.
I got this working finally using this as a reference.
The basic idea, when you're not hosting your own gitlab server, is to pull the certificate from gitlab.com. From your browser, click on the little lock symbol next to the https://gitlab.com URL and download the certificate. From Safari, it's just dragging the little certificate image over to your Desktop.
Once you have the cert, store it in your Gitlab-Runner folder and reference it with the tls-ca-file parameter in your config.toml.

How to create an SSL certificate for a website being hosted in an IIS 7?

I'm trying to create an SSL certificate for an "old" website being hosted in an IIS 7 server. The website currently uses http, but I would like to start using https. I'm trying to find the best and easiest way to do this, but I'm getting confused about what to do and how to do it.
I have tried reference articles like this https://www.digicert.com/kb/csr-ssl-installation/iis-7.htm#ssl_certificate_install and some other youtube videos, but
I cannot even get the application DigiCert to open on the windows machine (to buy a certificate)
It seems I have to buy the certificate for ~ $200 ??
Are there any (free ?) or other methods to make my current http site use https. I know certbot does this for me on nginx servers, but how to accomplish this on a windows server?
Thanks
You can generate a self-signed certificate from https://www.selfsignedcertificate.com/.
You can also request a trusted certificate for free from Certbot.
Or you can purchase it from a trusted CA, e.g. Sectigo.
Easiest way is using certbot from Let's Encrypt. You can choose Windows there as system. Also see https://community.letsencrypt.org/t/how-to-generate-a-ssl-certificate-for-iis-7-0-or-7-5/29467.

Self Signed Certificate

I'm trying to get a cert to work with a dev url on my local machine.
I've generated a self signed cert using keytool and have it connected with jboss. In chrome I can click on the lock with the x in it to view the cert details.
I downloaded the cert, added it to System and set the trust level to Always Trust, as per directions in Getting Chrome to accept self-signed localhost certificate. Then I loaded the page (even restarted browser, followed by system reboot to make sure everything was picked up).
I still see the lock with red x in chrome, for my dev url, 127.0.0.1, and localhost. What am I doing wrong to get chrome to trust the site for the local host, which is followed by the real question, which is do I need to do anything special to get it to work for my dev url?
My hosts file has the dev url and localhost resolving to 127.0.0.1. When doing real certs I know the domain has to be specified, which is making me wonder if I need to do anything special for the custom dev url.
I finally figured out my issue and am posting the answer for anyone else who runs into the same problem. I also posted the answer in the referenced question.
The question referenced has an answer suggested by bjnord, Google Chrome, Mac OS X and Self-Signed SSL Certificates. This blog did not solve the problem directly, however there was a comment to the blog that was gold:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain site.crt
You pretty much have to follow the directions in the blog to get the cert, then use the command above to install it properly.
I also found that for the java keytool that when you are prompted for your first and last name, this acts like the CN, so you enter your url there instead. After doing this, everything worked fine with the custom dev url.
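An added example, not part of the original answer, showing the name check a browser applies to the certificate once the trust step has succeeded. Chrome 58 and later match only the subjectAltName extension and ignore the CN, so the example goes beyond the CN case in the post and also covers IP literals such as 127.0.0.1; `dev.example.test` and the function names are assumptions, and the sample certificates are constructed dictionaries.

```python
import ipaddress

# Constructed sample data in the dict layout of ssl.SSLSocket.getpeercert();
# dev.example.test is a placeholder for the custom dev URL.
CN_ONLY = {"subject": ((("commonName", "dev.example.test"),),)}
WITH_SAN = {
    "subject": ((("commonName", "dev.example.test"),),),
    "subjectAltName": (("DNS", "dev.example.test"), ("DNS", "localhost"),
                       ("IP Address", "127.0.0.1")),
}


def dns_match(pattern, host):
    """Compare label by label; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Simplification: refuse wildcards directly under a top-level label.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def san_covers(cert, target):
    """True if target (hostname or IP literal) appears in subjectAltName.

    The subject CN is deliberately ignored, matching Chrome 58 and later.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # not an IP literal, treat as a DNS name
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            # IP literals match only iPAddress entries, never DNS entries.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_match(value, target):
            return True
    return False


def coverage(cert, targets=("dev.example.test", "localhost", "127.0.0.1")):
    """Map each name the developer browses to whether the cert covers it."""
    return {t: san_covers(cert, t) for t in targets}
```

With keytool, the SAN entries are supplied at generation time through the `-ext SAN=dns:...,ip:...` option rather than through the name prompt.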

SSL Certificate only works within Local Network

I am running windows server 2003 standard and have installed the ssl cert as per Godaddy's instructions. Let me know what information you need from me. Attempting to access the website securely outside of our network the page does not load. Thanks in advance!
Although it would help if you provided more information (like what error the clients are getting), I’m going to guess that you are missing the intermediate certificates that GoDaddy uses. These need to be installed on the server where the SSL certificate is installed.
Follow the procedure here.

Google Chrome doesn't trust mitmproxy's certificates

I'm running mitmdump (from mitmproxy) on my Macbook Pro, and I'm connecting to the proxy through my Windows desktop PC.
However, Chrome (running on the PC) refuses to connect to so many sites because of the invalid certificates which mitmproxy provides.
Chrome throws the error: ERR::NET_CERT_AUTHORITY_INVALID
Here's what mitmdump shows:
But why? What's wrong with mitmproxy's certificates, why can't it just send back google's as if nothing happened?
I'd like to know how I can fix this and make (force) my desktop PC to connect to any website through my Macbook's mitmproxy.
Answering this question for people who may find this important now. To get the proxy working, you have to add the certificate as trusted in your browser.
For windows follow this: https://www.nullalo.com/en/chrome-how-to-install-self-signed-ssl-certificates/2/
For linux follow this: https://dev.to/suntong/using-squid-to-proxy-ssl-sites-nj3
For Mac-os follow this: https://www.andrewconnell.com/blog/updated-creating-and-trusting-self-signed-certs-on-macos-and-chrome/#add-certificate-to-trusted-root-authority
There are some additional details in the above links; tldr; import the certificate in your chrome://settings url and add the certificate as trusted. That shall do.
This will make your browser trust your self-signed certificate (mitm auto generated certificates too).
The default certificates of mitmproxy are in the ~/.mitmproxy/ directory.
Per the Getting Started page of the docs you add the CA by going to http://mitm.it while mitmproxy is running and selecting the operating system that you are using. This should solve your problem and will allow https sites to work with mitmproxy.
This is the expected behavior.
mitmproxy performs a Man-In-The-Middle attack on https connections by providing on-the-fly generated fake certificates to the client while it keeps communicating with the server over a fully encrypted connection using the real certificates.
This way the communication between client and proxy can be decrypted. But the client has to actively approve using those fake certificates.
If that wasn't the case then SSL would be broken - which it isn't.
The whole story is very well explained here:
http://docs.mitmproxy.org/en/stable/howmitmproxy.html
