I would like to enable HTTPS in Lighttpd. I have a "key" file (created using openssl), along with the certificate and intermediate certificates generated by the SSL provider but I'm not sure how these files are usedin Lighttpd. It seems like the config file is expecting a file in "pem" format.
For completeness, I will also include the step for generating the keystore and CSR file.
CSR Generation
On the terminal, type (and enter your details).
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
HTTPS Configuration
1) You need to merge your keystore with the certificate returned by the issuer. This can be done in a text editor but I'd recommend doing it on the command line.
cat server.key domain_com.crt > domain.pem
2) To enable HTTPS in Lighttpd, open lighttpd.conf and enter the following
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "[path to domain.pem]"
ssl.ca-file = "[path to CA bundle containing root and intermediate certs]"
}
3) Make sure the server has the relevant permissions to read the certificate files.
4) Restart the Lighttpd service.
Related
Context
I have a keystore (keystore.jks) that is protected by a password.
I can get jmeter to use keys from that store by providing
-Djavax.net.ssl.keyStore
-Djavax.net.ssl.keyStorePassword
with the appropriate values as long as the keys themselves are not password protected.
However, my particular keystore contains multiple keys that each require a password to retrieve them.
How I access the key in plain old Java:
String keyStorePath = "/keystore.jks";
char[] keyStorePassword = "keyStorePassword".toCharArray();
String keyAlias = "keyAlias";
char[] keyPassword= "keyPassword".toCharArray();
KeyStore keyStore = KeyStore.getInstance("JKS");
try (InputStream is = this.getClass().getResourceAsStream(keyStorePath )) {
keyStore.load(is, keyStorePassword);
}
PrivateKey privateKey = (PrivateKey) keyStore.getKey(keyAlias, keyPassword);
X509Certificate certificate = (X509Certificate) keyStore.getCertificate(keyAlias);
How would I retrieve and use such keys in JMeter?
That is the question.
JMeter's Keystore Configuration does not allow you to specify a key's password.
After looking around I concluded that this is currently (JMeter 5.0) not possible.
Get jmeter to use certificates from a key store by providing these properties at startup:
-Djavax.net.ssl.keyStore
-Djavax.net.ssl.keyStorePassword
The certificates inside the store should have the same password as the store, then they are picked up without problems when you use a Keystore Configuration specifying (a variable that holds) the certificate alias.
Convert key and value(.crt) file into single file and use it in Jmeter
Steps
Open command prompt
Go to the directory where key and values are placed
Run below commands
openssl pkcs12 -export -out jmeterkeystore.p12 -inkey your.private.key -in your.certificate
above command create a .p12 type file
4. Convert .p12 file to jks type, use below command
keytool -importkeystore -srckeystore jmeterkeystore.p12 -srcstoretype pkcs12 -
destkeystore MY_KEYSTORE.jks -deststoretype jks -deststorepass changeit
In jmeter bin folder, open system.properties file and set following properties
javax.net.ssl.keyStoreType=jks
javax.net.ssl.keyStore=C:/Dev/cer/<JKSfilname.jks>
javax.net.ssl.keyStorePassword=
Done you can now run your script
I would like to add HTTPS to my local domain, however we can't do this on localhost.
My website goes fine when I run with this Caddyfile
localhost:2020 {
bind {$ADDRESS}
proxy / http://192.168.100.82:9000 {
transparent
}
}
But I would like to name this website or at least enable HTTPS on it. According to Caddy, you can't do this on localhost, but what if I have a domain name ?
I have tried using my own local address with this Caddyfile
192.168.100.26 {
bind {$ADDRESS}
proxy / http://192.168.100.82:9000 {
transparent
}
}
All works fine but I still don't have HTTPS...
And when I try to add a random domain name for example
www.mycaddytest.com {
bind {$ADDRESS}
proxy / http://192.168.100.82:9000 {
transparent
}
}
I got the following error
Activating privacy features...2016/08/18 11:53:26 [www.mycaddytest.com] failed to get certificate: acme: Error 400 - urn:acme:error:connection - DNS problem: NXDOMAIN looking up A for www.mycaddytest.com
Error Detail:
Validation for www.mycaddytest.com:80
Resolved to:
Used:
I know this error is dues to an unexisting domain name, but is there a way to deal with ?
Just getting HTTPS on localhost or ip address will be enough
Since Caddy 0.9 we can use the tls self_signed attribute.
Use this Caddyfile
localhost:2020 {
bind {$ADDRESS}
proxy / 192.168.100.82:9000
tls self_signed
}
And try https://localhost:2020
For caddy version 2.4.5, the accepted answer did not work me. What worked is shown below:
localhost:443 {
reverse_proxy 127.0.0.1:8080
tls internal
}
I know that answer is already accepted. But I had the same problem with Caddy v0.10.14 and it's a solution that helped me (but with real SSL certificate instead of self_signed):
Firstly, certificate & key pair must be in this directories: /etc/pki/tls/certs/ for certificate and /etc/pki/tls/private/ for key. So go to one of this directory with cd command
Then, create our own, self-signed certificate for HTTP2.0 testing with a single command, however. Just execute on your commandline to generate a SSL certificate + key pair:
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout cert.key -out cert.crt
After that, move files to correct directories (see the first point)
Next, use this Caddyfile and try https://localhost:2020:
localhost:2020 {
bind {$ADDRESS}
root /var/www
gzip
tls your.address#example.com
tls /etc/pki/tls/certs/cert.crt /etc/pki/tls/private/cert.key
}
Also if you are running caddy in a docker container, you may need to import and trust the Root certificate.
docker ps
docker cp container_id:/config/caddy/pki/authorities/local/root.crt ~/Desktop
then the caddyfile, for laravel sail for example, could look something like this:
yourlocaldomain.dev{
tls internal
reverse_proxy laravel.test
}
more may be here https://gilbitron.me/blog/enabling-https-ssl-for-laravel-sail-using-caddy/
How do I create a new keystore file with wsadmin tool in websphere.
I tried this command
AdminTask.createKeyStore('-keyStoreName <someName>
-keyStoreType PKCS12
-keyStoreLocation <some file location.p12>
-keyStorePassword <pwd>
-keyStorePasswordVerify <pwd>'
)
but looks like it just loads the keystore in the given location. but i want to create a new keystore and store it in the given location.
What command should I use for that?
Thanks.
What do you mean it 'loads keystore'?
I've used the following command:
AdminTask.createKeyStore('[-keyStoreName testKS -keyStoreType PKCS12
-keyStoreLocation c:/testKeyFile.p12 -keyStorePassword testpwd
-keyStorePasswordVerify testpwd -keyStoreIsFileBased true
-keyStoreInitAtStartup true -keyStoreReadOnly false]')
and I see keystore correctly created in the file system, and also visible via admin console.
Remember to call AdminConfig.save() afterwards to save changes.
See details here KeyStoreCommands command group for the AdminTask object
A lot of what I've seen around SO and blog posts is that
By default, Net::HTTP does not verify peer SSL certificates
To force Net::HTTP to verify peer, you need to to it too and supply a CA cert file containing trusted authorities
However, I've found that this is not completely necessary. On my Mac, I have the following code
http = Net::HTTP.new('www.google.com', 443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.start do
http.request_get('/') do |response|
puts response.body
end
end
This works. But what is Ruby using to verify the peer with? When I look at the output of http.ca_path and http.ca_file they are both blank.
I'm running this code in Ruby 1.9.3p374. Perhaps when Ruby was compiled on my Mac, it pulled in some default location of CA cert chains from openssl or something?
It looks like if no verify callback is set then OpenSSL library default callback is used. See line 217 in the openssl module verify callback wrapper (the ok argument is the result of the default callback).
On OS X, Apple has apparently customized the default callback in their OpenSSL library to hook in to the OS X Keychain facility. The root CA of Google's certificate is Equifax Secure Certificate Authority. If you change the trust setting in Keychain (e.g. using the Keychain Access utility) for this CA then your ruby test behaves accordingly.
I believe the answer to your question is that when peer certificate verification is required but not configured, the ruby shipped with OS X verifies using Keychain.
node 0.2.6 way:
var credentials = crypto.createCredentials({ "key": SSLKey, "cert": SSLCert, "ca": Ca, "password": SSLKeyPass })
var client = http.createClient(apiPort, host, true, credentials)
node 0.4 way:
var options = {
host: apiHost,
port: apiPort,
method: 'GET',
path: uri,
headers: {host: host},
key:SSLKey,
cert:SSLCert,
ca:Ca,
password:SSLKeyPass
}
var request = https.request(options, function (response) {
As you can see there is a password needed, I don't know where the password is supposed to go in node 0.4.
Where does SSLKeyPass go on node 0.4?
So even in the node 0.2.6 source code, the crypto.js module is not looking for a password property in the object you pass to createCredentials. Here's the createCredentials source from node 0.2.6. In version 0.4.8 there is still no mention of the word password in the crypto.js module. Did your 0.2.6 code really work?
As a general comment, use openssl to decrypt your private key, keep that secured on disk, and have your node code read that file. This seems to be the most commonly used option. The other options being A) have to manually type the passphrase to decrypt your private key whenever you launch your node server (pretty much nobody does this) or B) keep your cleartext passphrase on disk, which is not any different that just keeping the cleartext private key on disk, so AFAIK this is also a very uncommon solution to the problem of private key security.
You can decrypt your private key with the openssl command line like this:
openssl rsa -in your_encrypted_private.ekey -out your_private.key
openssl will prompt your for the passphrase interactively.
For the record, you can provide a passphrase when creating a Credentials object in Node.js. This section of Node.js documentation on the crypto module states that the passphrase option can be provided, for either the private key or PFX file. You do not have to keep your private key in clear text on disk somewhere for Node.