SSL handshake issues with APNS on IBM worklight 6.1 running on CentOS 6 - apple-push-notifications

We are running into SSL handshake issues with APNS on IBM worklight 6.1 running on CentOS 6.
We do not face any SSL-related issues on Mac, probably because the required p12 cert is already present in the OS keychain.
The error encountered is:
com.notnoop.apns.internal.ApnsFeedbackConnection Failed to retreive invalid devices
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: End user tried to act as a CA
We have placed the generated p12 file in the "apps" directory of Worklight.
We are not sure if this is the right way and whether Worklight will pick it up.
We have verified that the p12 and the corresponding generated .pem file are fine by executing the following command and getting a "CONNECTED" response from Apple's servers:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns-dev-cert.pem -debug -showcerts -CAfile server-ca-cert.pem
This makes me think that Worklight may not be finding the correct p12 cert.
Also, as we've read, Worklight uses the "notnoop" library for APNS communication, and notnoop requires the location of the p12 to be defined.
Where do we specify this path? Is it in some configuration file of worklight?
Thanks!

If you are using IBM JDK 7, this is a known bug, fixed in IBM JDK 7.0.0 SR6. Either try IBM JDK 7 SR6 or later, or replace the jre\lib\security\cacerts file in JDK 7 with the jre\lib\security\cacerts file from JDK 6.
Reference: http://www-01.ibm.com/support/docview.wss?uid=swg1IV43936

Related

Applying SSL certificate in redhat OS

I have .cer and .p7b certificates. I tried to apply them in my SSL config file, but my Apache suddenly crashed, so I restored the previous settings (ca.crt) and Apache returned to active status.
Question 1: Do I need to convert my .cer file to .crt before applying it in my SSL config?
Question 2: How do I convert the file and make it compatible with my server/SSL?
If you need more details, let me know. Thank you!

Self signed certificate in certificate chain issue using Azure CLI on Windows

I have some trouble configuring my Windows machine to work with the az command line tools. I have tested multiple configurations: one on a locally installed system and one in a Windows-based Docker container. I get the same error on both systems.
In case I issue the following command:
az login --tenant my-domain.org
I get the following error:
HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /my-domain.org/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1125)')))
The container has the following az and openssl version:
PS C:\azp> az version
{
"azure-cli": "2.28.0",
"azure-cli-core": "2.28.0",
"azure-cli-telemetry": "1.0.6",
"extensions": {}
}
PS C:\azp> openssl version
OpenSSL 1.1.1k 25 Mar 2021
The local system has the following az and openssl version:
(base) PS C:\01_Dev\dockerdevimage> az version
{
"azure-cli": "2.26.1",
"azure-cli-core": "2.26.1",
"azure-cli-telemetry": "1.0.6",
"extensions": {}
}
(base) PS C:\01_Dev\dockerdevimage> openssl version
OpenSSL 1.1.1c 28 May 2019
I tried to understand why I get the error, so I tested the connection with openssl as follows:
PS C:\azp> openssl s_client -proxy 10.76.209.147:3128 -connect login.microsoftonline.com:443 -showcerts
CONNECTED(00000180)
Can't use SSL_get_servername
depth=2 DC = org, DC = my-domain, CN = PKI, CN = BB-CA-DD <-- edited manually
verify error:num=19:self signed certificate in certificate chain
verify return:1
I have also tested with the same proxy server and a Linux container, and there the az command works as expected:
$ az version
{
"azure-cli": "2.25.0",
"azure-cli-core": "2.25.0",
"azure-cli-telemetry": "1.0.6",
"extensions": {}
}
$ openssl version
OpenSSL 1.1.1f 31 Mar 2020
$ az login --tenant my-domain.org
The default web browser has been opened at https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/authorize. Please continue the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow with `az login --use-device-code`.
You have logged in. Now let us find all the subscriptions to which you have access...
[
{
"cloudName": "AzureCloud",
...
On Linux container the openssl command returns the following output:
$ openssl s_client -proxy 10.76.209.147:3128 -connect login.microsoftonline.com:443 -showcerts
Can't use SSL_get_servername
depth=2 DC = org, DC = my-domain, CN = PKI, CN = BB-CA-DD
verify return:1
I have also imported the certificate with the following command based on this link:
PS C:\azp> Import-Certificate -FilePath .\BB-CA-DD.crt -CertStoreLocation Cert:\LocalMachine\Root\
No changes. I'm not sure how to proceed.
Maybe this issue is related to the following posts and articles:
Can OpenSSL on Windows use the system certificate store?
How to Use OpenSSL with a Windows Certificate Authority to Generate TLS Certificates
Installing TLS / SSL ROOT Certificates to non-standard environments
Edit:
I've moved the solution from here to an Answer block to highlight that the issue for me was resolved. Based on the reactions, I've concluded that it is indeed useful for others too.
Finally I was able to resolve the issue as follows:
I've found the following documentation:
Setting up certificates for Azure CLI on Azure Stack Development Kit
The basic idea is to find the python installation used for Azure CLI and update the related certificate file.
In my case the Azure CLI was installed with python on the following location:
C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe
Running the command that was suggested there returned the following:
PS > & "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe" -c "import certifi; print(certifi.where())"
C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\lib\site-packages\certifi\cacert.pem
Updating the file mentioned above solved the az login issue for me. One of the Python installations provided by my-domain.org contained a properly configured cacert.pem file.
You can use the following method.
Your Azure CLI is looking for the cert at this location (if using Windows):
Default certificate authority bundle
Windows: C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem
Download the certificate of your Azure portal (portal.azure.com), append the certificate to the cacert.pem file above, and try az login again after restarting PowerShell.
Alternatively
If you're using Azure CLI over a proxy server, it may cause the following error: SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",). To address this error, set the environment variable REQUESTS_CA_BUNDLE to the path of certificate authority bundle certificate file in PEM format.
Append the proxy server's certificate to this file or copy the contents to another certificate file, then set REQUESTS_CA_BUNDLE to it. You might also need to set the HTTP_PROXY or HTTPS_PROXY environment variables.
Link to Ms Docs Solution
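The REQUESTS_CA_BUNDLE route above is the one that survives an `az upgrade` (which reinstalls certifi and overwrites its cacert.pem). The bash script below is an added example, not code from the original posts or from Microsoft: it merges the proxy's root CA into a private copy of the CA bundle, skipping the CA when it is already present (matched by SHA-256 fingerprint, so re-running it never duplicates the entry), points REQUESTS_CA_BUNDLE at the copy, and proves with `openssl verify` that the new bundle trusts the CA. Assumptions: the source bundle is whatever `python -c "import certifi; print(certifi.where())"` reports for the CLI's own Python; the proxy CA is the depth=2 certificate that `openssl s_client -showcerts` printed in the question. In `demo()` a throwaway self-signed CA and an empty file stand in for both, so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example, not from the original posts: give the Azure CLI a CA bundle that
# also contains the proxy's root CA, without hand-editing certifi's cacert.pem.
# Assumptions (not stated on the page):
#   - SRC is the bundle the CLI's own python reports via
#       python -c "import certifi; print(certifi.where())"
#   - PROXY_CA is that root in PEM form, e.g. the depth=2 "BB-CA-DD" cert shown by
#     openssl s_client -showcerts, or one exported from the Windows Root store.
#   - In demo(), a throwaway self-signed CA and an empty file stand in for both
#     (constructed inputs so the script runs offline).
set -euo pipefail

# Number of PEM certificate blocks in a bundle.
cert_count() { grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true; }

# True when BUNDLE already contains a certificate with SHA-256 fingerprint WANT.
# Certificates are split out with awk because `openssl x509` only reads the first
# block of a file; matching on fingerprint ignores whitespace/comment differences.
bundle_has_fingerprint() {   # usage: bundle_has_fingerprint BUNDLE WANT
    local bundle="$1" want="$2" tmp f
    tmp=$(mktemp -d)
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on { print > (dir "/" n ".pem") }
        /-----END CERTIFICATE-----/   { on = 0; close(dir "/" n ".pem") }' "$bundle"
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || break
        if [ "$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2)" = "$want" ]; then
            rm -rf "$tmp"; return 0
        fi
    done
    rm -rf "$tmp"; return 1
}

# MERGED = SRC + PROXY_CA, idempotent: a CA already in SRC is not appended twice.
merge_ca_bundle() {   # usage: merge_ca_bundle SRC PROXY_CA MERGED
    local src="$1" ca="$2" out="$3" fp
    fp=$(openssl x509 -in "$ca" -noout -fingerprint -sha256 | cut -d= -f2)
    cp "$src" "$out"
    if bundle_has_fingerprint "$src" "$fp"; then
        echo "already present: $fp"
        return 0
    fi
    { printf '\n# proxy root CA, added %s\n' "$(date -u +%F)"; cat "$ca"; } >> "$out"
    echo "added: $fp"
}

# --- demo with constructed inputs -----------------------------------------------
demo() {
    local work; work=$(mktemp -d)
    : > "$work/cacert.pem"        # stand-in for certifi's bundle (empty, constructed)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/DC=org/DC=my-domain/CN=PKI/CN=BB-CA-DD" \
        -keyout "$work/proxy-ca.key" -out "$work/proxy-ca.pem" 2>/dev/null
    merge_ca_bundle "$work/cacert.pem" "$work/proxy-ca.pem" "$work/merged.pem"    # added
    merge_ca_bundle "$work/merged.pem" "$work/proxy-ca.pem" "$work/merged2.pem"   # already present
    # requests/urllib3 (what `az` is built on) read this instead of certifi's file:
    export REQUESTS_CA_BUNDLE="$work/merged.pem"
    openssl verify -CAfile "$REQUESTS_CA_BUNDLE" "$work/proxy-ca.pem"             # ...proxy-ca.pem: OK
    echo "$work/merged.pem"
}

if command -v openssl >/dev/null; then demo; fi
```

Two things the script makes explicit that the answers above leave implicit: the merged file must be the full public bundle plus the proxy CA, not the proxy CA alone, or every site not behind the proxy stops validating; and importing the CA into the Windows Root store (the Import-Certificate step in the question) does nothing for `az`, because the Python `ssl` module reads the file certifi points at, not the Windows store. On Windows run the same steps in Git Bash or WSL against the CLI2\...\certifi\cacert.pem path shown above and set the variable with `setx REQUESTS_CA_BUNDLE`, or `$env:REQUESTS_CA_BUNDLE` for the current PowerShell session.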
I solved this problem by changing the DNS for IPv4. Maybe it can work for you too. I ran the az upgrade command after the DNS change. When I ran az upgrade while getting this error, it said "check internet connection". After the change it upgraded successfully and the related error was resolved.
I used Google DNS:
8.8.8.8
8.8.4.4
Then I set DNS back to the automatic option. I can continue to use it without any problems, and I can now log in with the az login command.

Installing Certbot to use HTTPS in JBoss EAP 7

Well, my problem starts with the Google Maps API. Working locally everything is fine, but when I published my system on the web (Digital Ocean host) I discovered that the Google Maps API only works over HTTPS.
So, searching the internet, I found https://letsencrypt.org/, a good way to use HTTPS without paying, because I'm just testing, not in production yet.
But I'm using JBoss EAP 7 and I didn't find any tutorial on letsencrypt.org for JBoss, so I found this link: https://knowles.co.za/creating-renewing-a-lets-encrypt-certificate-for-apache-and-wildfly/.
Following the WildFly tutorial I tried to execute this step:
sudo openssl pkcs12 -export -in /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem -inkey /etc/letsencrypt/live/YOURDOMAIN/privkey.pem -out YOURKEYSTORENAME.p12 -name KEYSTOREALIAS
PS: I changed YOURDOMAIN to my domain.
I got the following error:
No such file or directory fullchain.pem
Shouldn't this file be created automatically?

Configuring stunnel and openssl on Windows to support TLS 1.2

I'm having trouble enabling TLS 1.2 connections on a Windows platform (the environment has both Windows 2008 and Windows 10). Currently, my private keys are managed by the Windows certificate store, using the CAPI engineId within stunnel (v 5.41), which uses OpenSSL 1.0.2k-fips. Because of this, stunnel can only negotiate a TLS 1.1 connection (SSLv2 and SSLv3/TLS1 are disabled for obvious reasons).
I’ve tried compiling OpenSSL 1.1.0f and stunnel 5.41, but no luck either cross compiling under CentOS, nor under Windows using either MSYS2/MINGW32 or Cygwin.
I am specifically looking for a way to manage the pfx/p12 (private key) in stunnel without resorting to the Windows certificate store. I found an example on how to configure stunnel to use capi - which worked beautifully, but because openssl 1.0.2 doesn't support ciphers that are used in TLS 1.2, only TLS 1.1 works. I need TLS 1.2.
https://www.stunnel.org/pipermail/stunnel-users/2017-February/005720.html documents why I can't use TLS 1.2 with OpenSSL 1.0.2.
OpenSSL 1.0.2 is what is built into stunnel 5.41. Recompiling didn't work. I'm specifically looking for how to configure stunnel to point at a pkcs12 key.
Solution based on dave_thompson_085's comment:
The solution was to simply put in the location of the p12 file for the cert variable, do not include engineId, do not include key. Don't worry about the password, stunnel will prompt for password.
I kept thinking that I needed to set an engine - as with pkcs11 or capi.
Ie., I was over thinking and completely missed the obvious.
Example of the snippet that worked for me is below. (Everything above was left as default, except sslOptions, which was set to sslOptions=TLS1.2.)
[https-test-services]
client=yes
accept=127.0.0.1:7000
connect=hostname.of.remote.server:8443
verifyChain = yes
CAfile = ca-certs.pem
cert = C:\Location\To\certandkey.p12
checkHost = hostname.of.remote.server
OCSPaia=yes

APNS not working with jdk 1.7

Why is the Apple push notification server (server side) not working with JDK 1.7? I am getting com.notnoop.exceptions.NetworkIOException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown. I have tried the same code with JDK 1.6 and it works perfectly fine. I am using Ubuntu 12.04 and Tomcat 7.
Any help would be appreciated. Thanks.
Java 7 (JDK 1.7) doesn't know about the Entrust Root CA. Import your APNS cert, key, AND the Entrust CA Root certificate into a p12 file. Point the code at that file and it will work.
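Both Java 7 answers on this page (the IBM JDK cacerts fix in the first question and the "put the Entrust root in the p12" fix here) come down to the same thing: the JVM's trust store cannot complete the APNS chain, and `openssl s_client` succeeding with a -CAfile says nothing about what the JVM will load. The bash script below is an added example, not code from the original posts, notnoop or Worklight. It exports cert + key + root CA into one PKCS#12 with `-certfile` (the same `openssl pkcs12 -export` shape the Certbot/WildFly post uses), checks that the file really holds two certificates and the private key before it is handed to notnoop, and includes a `keytool` check for whether a given JDK's cacerts already trusts the root. Assumptions: in real use the client cert/key are your APNS files and the root is the Entrust root PEM; `demo()` generates a throwaway root and a leaf issued by it so the script runs offline (constructed inputs, not Apple's or Entrust's certificates); the export password is `P12_PASS`.

```bash
#!/usr/bin/env bash
# Added example, not from the original posts: build the APNS client identity as a
# PKCS#12 that carries the whole chain (client cert + private key + root CA), which
# is what the answer above asks for, and check the file before pointing notnoop at it.
# Assumptions (not stated on the page):
#   - In real use CLIENT_CERT/CLIENT_KEY are your APNS certificate and key and ROOT_CA
#     is the Entrust root PEM; demo() generates a throwaway root and a leaf issued by it
#     so the script runs offline (constructed inputs, not Apple's or Entrust's certs).
#   - P12_PASS is the export password; notnoop must be given the same one.
set -euo pipefail
P12_PASS="${P12_PASS:-changeit}"

# Export cert + key into a .p12 and append the CA with -certfile, so the JSSE client
# can complete the chain even when the JDK's cacerts does not contain the root.
make_p12() {   # usage: make_p12 CLIENT_CERT CLIENT_KEY ROOT_CA OUT_P12 PASS
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -name apns-client -out "$4" -passout "pass:$5"
}

# Number of certificates inside the .p12 (2 expected: client cert + root CA).
p12_cert_count() {   # usage: p12_cert_count P12 PASS
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c '^-----BEGIN CERTIFICATE-----'
}

# True when the .p12 also contains the private key.
p12_has_key() {   # usage: p12_has_key P12 PASS
    [ "$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
          | grep -c 'PRIVATE KEY-----')" -gt 0 ]
}

# Does a JDK's cacerts already trust a root whose subject matches PATTERN?
# (The first answer's cacerts swap only matters when this says no. "changeit" is the
# stock password of the JDK cacerts file.)
jdk_trusts() {   # usage: jdk_trusts /path/to/jre/lib/security/cacerts Entrust
    [ "$(keytool -list -v -keystore "$1" -storepass changeit 2>/dev/null \
          | grep -ci "^Owner:.*$2")" -gt 0 ]
}

# --- demo with constructed inputs -----------------------------------------------
demo() {
    local work; work=$(mktemp -d)
    # throwaway root (stands in for the Entrust root) and a leaf it issues (stands in
    # for the APNS cert); both constructed here, not real Apple/Entrust material
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Apple Push Services demo" \
        -keyout "$work/client.key" -out "$work/client.csr" 2>/dev/null
    openssl x509 -req -in "$work/client.csr" -CA "$work/root.pem" -CAkey "$work/root.key" \
        -CAcreateserial -days 1 -out "$work/client.pem" 2>/dev/null
    make_p12 "$work/client.pem" "$work/client.key" "$work/root.pem" "$work/apns.p12" "$P12_PASS"
    echo "certificates in p12: $(p12_cert_count "$work/apns.p12" "$P12_PASS")"   # 2
    p12_has_key "$work/apns.p12" "$P12_PASS" && echo "private key present"
    echo "$work/apns.p12"
}

if command -v openssl >/dev/null; then demo; fi
```

Hand the resulting path and password to notnoop's builder (`withCert(path, password)`), not the "apps" directory, which is what the first question was guessing at. One caveat for anyone still on Java 7: OpenSSL 3 encrypts a PKCS#12 with AES/PBES2 and a SHA-256 MAC by default, which Java 7's PKCS12 keystore cannot read; add `-legacy` to the `openssl pkcs12 -export` command to get the old RC2/3DES + SHA-1 encoding that JDK accepts.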
