Getting the public key of a secure website - https

Other than using a browser, how can I get the public key of a website which uses the https protocol?
Are there other ways? Like from the terminal.
Update - I want all the ways so that I can choose what fits best for me.

openssl s_client -connect example.com:443
The certificate is between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Is this OpenSSL command what you are looking for?
openssl s_client -connect ${REMHOST}:${REMPORT}
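Pulling the key itself, rather than the whole certificate, out of that s_client output, as an added example (not from either answer). It assumes OpenSSL 1.1.1 or later; server_pubkey is defined for a live host but the demonstration runs offline against a throwaway self-signed certificate generated on the spot, and it also derives the SPKI SHA-256 pin that public-key pinning uses.

```shell
#!/bin/sh
# Added example: extract a server's public key (not just its certificate)
# and compute the SPKI SHA-256 pin from it.
set -eu

# Fetch the leaf certificate's public key from a live host (defined here,
# not called below, so the demo runs offline). -servername sends SNI so a
# multi-tenant host returns the certificate for this name.
server_pubkey() {                     # usage: server_pubkey host [port]
    echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509 -pubkey -noout
}

# Public key (PEM SubjectPublicKeyInfo) from a certificate file
cert_pubkey() {                       # usage: cert_pubkey cert.pem
    openssl x509 -in "$1" -pubkey -noout
}

# Public key derived from a private key, to confirm the pair matches
key_pubkey() {                        # usage: key_pubkey key.pem
    openssl pkey -in "$1" -pubout
}

# base64(SHA-256(DER SPKI)): the value used for public-key pinning
spki_pin() {                          # usage: spki_pin cert.pem
    cert_pubkey "$1" \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64
}

# Constructed input: a throwaway self-signed certificate, so the demo is offline
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo.example' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null

cert_pubkey "$WORK/cert.pem"          # prints -----BEGIN PUBLIC KEY----- ...
echo "pin-sha256=\"$(spki_pin "$WORK/cert.pem")\""
```

For a real host, `server_pubkey example.com` replaces the file-based step; compare its output against `key_pubkey` on the server's key to confirm the certificate you fetched belongs to the key you deployed.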

Related

Elasticsearch integration with GitLab

I am working on integrating Elasticsearch with GitLab. So, I have created one Elasticsearch server and enabled HTTPS for it using self-signed certificates. When I tried to integrate it with GitLab it gives me a 500 error, and below is the log I got.
Faraday::SSL::SSLError SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
From this I think GitLab is unable to verify the certificate of Elasticsearch. Is there a way to disable this verification, or any other way to make sure that my Elasticsearch gets integrated?
Any help would be much appreciated, thank you.
You need to add it into the trusted path /etc/gitlab/trusted-certs.
Once you have put the crt, der or pem files there, you can validate with the next steps.
Please validate the symlinks: sudo ls -al /opt/gitlab/embedded/ssl/certs
Check certs:
echo | /opt/gitlab/embedded/bin/openssl s_client -connect HOSTNAME:port
View a certificate’s details in text form using x509. Be sure to replace /path/to/certificate.crt with the certificate’s path:
/opt/gitlab/embedded/bin/openssl x509 -in /path/to/certificate.crt -text -noout
Fetch a certificate from a server and decode it. This combines both of the above commands to fetch the server’s SSL certificate and decode it to text:
echo | /opt/gitlab/embedded/bin/openssl s_client -connect HOSTNAME:port | /opt/gitlab/embedded/bin/openssl x509 -text -noout
Links:
https://docs.gitlab.com/omnibus/settings/ssl/index.html#install-custom-public-certificates
https://docs.gitlab.com/omnibus/settings/ssl/ssl_troubleshooting.html

Google Cloud SSL certificate "The SSL certificate could not be parsed"

I need help with configuring an SSL certificate on Google Cloud. I've already obtained my SSL certificate (crt file & private key), and I've followed the link trying to create an "SSL certificate resource".
I've tried everything but the command below just doesn't work:
gcloud compute ssl-certificates create cert --certificate /opt/bitnami/etc/smartmeetingroom_tk.crt --private-key /opt/bitnami/etc/serv.key
The error message I got is:
Could anyone tell me what is wrong with my command (or file)?
Thanks a million!!
Update:
Below is the screenshot of the error message when I add "--verbosity debug":
I obtained the SSL certificate from this website.
BTW the crt & private key are already PEM encoded, because they are all readable using a text editor and:
The start & end of the crt file look like:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
The start & end of the private key file look like:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
Do you have read permissions for those files?
As suggested, add the verbosity flag for more details.
If you are trying to create an SSL certificate for an HTTPS load balancer, I'd suggest using Google's managed certificate.
As described here, you can try your command with the equals sign as follows:
gcloud compute ssl-certificates create cert --certificate=/opt/bitnami/etc/smartmeetingroom_tk.crt --private-key=/opt/bitnami/etc/serv.key
Consider:
A managed SslCertificate is provisioned and renewed for you. A self-managed certificate is created by passing the certificate obtained from Certificate Authority through --certificate and --private-key flags.
The certificate must be in PEM format. The certificate chain must be no greater than 5 certs long. The chain must include at least one intermediate cert.
The private key must be in PEM format and must use RSA or ECDSA encryption.
If the certificate is PEM formatted, check the following as established in the official documentation:
You can validate your certificate using the following OpenSSL command, replacing CERTIFICATE_FILE with the path to your certificate file:
openssl x509 -in CERTIFICATE_FILE -text -noout
If OpenSSL is unable to parse your certificate:
Contact your CA for help.
Create a new private key and certificate.
I recently got this problem and the issue was due to the certificate holding a passphrase. So you need to remove that to fix this for GCP.
https://cloud.google.com/load-balancing/docs/ssl-certificates/troubleshooting
Run the below via PowerShell to generate a new file without the private key passphrase:
openssl rsa -in sample.pem -out samplewopk.pem
This fixed the issue.
If the key happens to be encrypted using ecparam -name prime256v1 (that was my case), you should add "EC" to both
-----BEGIN PRIVATE KEY-----
your_key_content_here
-----END PRIVATE KEY-----
so your key file will look like:
-----BEGIN EC PRIVATE KEY-----
your_key_content_here
-----END EC PRIVATE KEY-----
After this change it worked for me.
This might be helpful to someone else even four years after the original question was asked (it'll save me plenty of time).
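A pre-flight script to run before gcloud compute ssl-certificates create, added here as example code (not from the answers): it checks the failure modes the answers above cover, a certificate OpenSSL cannot parse, a passphrase-protected key, and a key that does not belong to the certificate, plus the chain length limit of 5. Sample files are generated on the spot; openssl pkey is used for the passphrase removal because it handles RSA and EC keys alike.

```shell
#!/bin/sh
# Added example: pre-flight checks for a PEM certificate + private key before
# uploading them as a self-managed SSL certificate resource.
set -eu

cert_parses() {        # the check the docs suggest: can OpenSSL read the cert?
    openssl x509 -in "$1" -noout 2>/dev/null
}
chain_length() {       # number of certificates in the file (docs allow at most 5)
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}
key_is_encrypted() {   # 0 if the key needs a passphrase (gcloud cannot use it)
    grep -q 'ENCRYPTED' "$1" || ! openssl pkey -in "$1" -noout -passin pass: 2>/dev/null
}
strip_passphrase() {   # usage: strip_passphrase in.key out.key passphrase
    openssl pkey -in "$1" -out "$2" -passin "pass:$3"   # RSA and EC keys alike
}
key_matches_cert() {   # public key in the cert must equal the one derived from the key
    [ "$(openssl x509 -in "$1" -pubkey -noout)" = \
      "$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null)" ]
}
preflight() {          # usage: preflight cert.pem key.pem ; prints "ok" when ready
    cert_parses "$1" || { echo "certificate does not parse"; return 1; }
    [ "$(chain_length "$1")" -le 5 ] || { echo "chain longer than 5 certs"; return 1; }
    key_is_encrypted "$2" && { echo "key is passphrase-protected"; return 1; }
    key_matches_cert "$1" "$2" || { echo "key does not belong to certificate"; return 1; }
    echo "ok"
}

# Constructed input: a self-signed cert, its key, an encrypted copy of the key,
# and an unrelated key
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo.example' \
    -keyout "$WORK/serv.key" -out "$WORK/cert.crt" 2>/dev/null
openssl pkey -in "$WORK/serv.key" -aes-256-cbc -passout pass:secret -out "$WORK/serv_enc.key"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null

preflight "$WORK/cert.crt" "$WORK/serv.key"               # ok
preflight "$WORK/cert.crt" "$WORK/serv_enc.key" || true   # key is passphrase-protected
strip_passphrase "$WORK/serv_enc.key" "$WORK/serv_plain.key" secret
preflight "$WORK/cert.crt" "$WORK/serv_plain.key"         # ok
```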

How can one download an https file with Jython 2.x without ignoring ssl validation?

I'm using Jython 2.latest and I cannot for the life of me figure out how to securely (i.e. without turning off verification) download an HTTPS link.
All I can seem to find are examples where you turn off validation.
I'm using code like:
import logging
import urllib2

thefile = urllib2.urlopen("https://example.com/index.php")
with open(save_path, 'wb') as output:
    output.write(thefile.read())
logging.info("Successfully downloaded %s", save_path)
But I get a handshake error, totally expected.
So I've generated the ssl cert:
openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >example.pem
So now I have the PEM file. Now what do I do, does anyone know? Am I stuck installing the PEM file into the keystore?
Link here: Problem with Jython urllib2.urlopen for HTTPS pages says that you can only add it to the Java keystore.

What certificate usage flags are required for Firefox to offer the certificate as a client identifier?

I'm trying to use SSL client certificates with Firefox (34.0.5 on Mac is my test platform, but I want them to work on other Mozilla programs & systems).
I've set up a 2-level CA: top/root/self-signed certificate -> CA certificate
Then I create key/request/certificate/PKCS12 and install into Firefox.
When I navigate to a web server that requests client identification, Firefox asks me to pick a certificate, but it doesn't offer my new certificate. Instead, my only choice is a user certificate I got from a different provider.
I think the problem is the Key Usage or Extended Key Usage settings in my client certificate -- I suspect that Firefox thinks my certificate isn't suitable for client authentication, so it doesn't offer it.
Does anybody know how Firefox picks suitable certificates for client identification purposes?
(The certificates import into the database OK and the parent certificates are trusted, so I think it's the user certificate flags. However, it might be the one-level-up CA certificate not being authorized to sign client certificates? Below are the Key Usages I'm trying [of course, I've tried a bunch of different combinations, but this is one set that doesn't work])
root#machine:/dir# openssl x509 -text -in tls/certs/TOP-LEVEL.crt
Certificate:
Data:
Version: 3 (0x2)
[...]
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:2
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
[...]
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
root#machine:/dir# openssl x509 -text -in tls/certs/MID-LEVEL.crt
Certificate:
Data:
Version: 3 (0x2)
[...]
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage:
Certificate Sign, CRL Sign
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
root#machine:/dir# openssl x509 -text -in user.crt
Certificate:
Data:
Version: 3 (0x2)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
My premise was (probably) incorrect. It turns out that when an SSL server requests a client-side certificate, it sends a list of all the CAs that it will accept, and the client should send a certificate signed by one of those (if it has one). I didn't have my new CA certificate in the right place, so it wasn't sent to Firefox as an acceptable CA, so Firefox didn't offer my new certificate as a choice of what to send.
I tracked it down with a combination of openssl s_client (which can be convinced to print a lot of useful information) and strace on openssl verify (you can see what certificate files it tries to open and where).
As usual, certificate problems require careful organization of files, paths and configurations.

How to talk to IMAP server in Shell via OpenSSL

I want to send IMAP commands via the Mac OS X Terminal to a server and get a response. I can connect to the server using this line:
openssl s_client -connect imap.gmail.com:993
And I can successfully login:
? LOGIN m.client2 passwordhere
But all other commands do not work; there is no response from the server. I tried for instance this:
? LIST "" "*"
? SELECT INBOX
Found the error with the help of a friend:
openssl s_client -connect imap.gmail.com:993 -crlf
-crlf is critical
Try this, it should work for you (replace the first line by your
openssl s_client -connect imap.gmail.com:993 -crlf
command (mandatory -crlf) & type only the blue part):
First things first, is IMAP activated on your Gmail account?
If you are able to login successfully, that means SSL is working fine.
What's the return code that you get for the command
a1 LOGIN m.client2 passwordhere
Have you tried the command
a1 capability
Try other alternative commands since not all IMAP servers implement all the IMAP commands.
I have faced this issue while I was creating data migration tools for different vendors like Gmail, Rediffmail, Yahoo...
A few more options to consider: you may be connecting to a server offering STARTTLS (esp. for IMAP on port 143), in which case you can tell openssl to proceed in negotiating this; you need to specify which protocol you're using (choose from pop3, imap, smtp, ftp). The -crlf option has been mentioned by others, and I also find the -showcerts option useful if I'm debugging an SSL/TLS configuration. So for example you might end up with:
openssl s_client -showcerts -connect target.server.name.here:143 -starttls imap
More options are in the relevant man page if you've got that available:
man s_client
