When interacting with the HEC endpoint, is a private key expected too?
dr % curl --cert splunkserverdefaultcert-chain.crt https://-splunkhec.:8088/services/collector
curl: (58) unable to set private key file: 'splunkserverdefaultcert-chain.crt' type PEM
splunkserverdefaultcert-chain.crt was downloaded from https://-splunkhec.:8088/services/collector .
Why is the private key needed to interact with the HEC endpoint on Splunk?
I am expecting to be able to interact with only the certificate chain.
I am trying to setup a Kafka cluster with mTLS authentication using certificates signed by GCP's CAS (Certificate Authority Service). I have three Kafka nodes: a master and two workers. Each node has a PEM truststore containing the CA Root certificate from the authority on CAS and a PEM keystore containing a signed certificate from CAS and the private key. I followed this webpage for the setup.
This is the server.properties file for the master node. Other nodes have a similar config except the ssl.keystore.location property.
listeners=INTERNAL://:port,EXTERNAL://:port
advertised.listeners=INTERNAL://:port,EXTERNAL://:port
listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL
inter.broker.listener.name=INTERNAL
ssl.enabled.protocols=TLSv1.2
ssl.endpoint.identification.algorithm=
producer.ssl.endpoint.identification.algorithm=
consumer.ssl.endpoint.identification.algorithm=
ssl.client.auth=required
ssl.truststore.type=PEM
ssl.truststore.location=/path/ca.crt
ssl.keystore.type=PEM
ssl.key.password=<password>
ssl.keystore.location=/path/master.pem
The truststore is the ca.crt (Root CA certificate) file and the keystore has the private key and the signed certificate. There are no intermediate certificates; the certificates in the keystore are directly signed by the root certificate.
When I try to start the server on any of the nodes I am getting the following error. I am not sure why.
ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings.
P.S. I have already tried using the truststore and keystore in JKS and PKCS12 format. I keep getting the same error.
From what you shared, it doesn't seem that you've created valid keystores for the cert and CA.
ssl.truststore.location=/path/ca.crt
...
ssl.keystore.location=/path/master.pem
You're merely pointing to the original files. You need to create two valid Java keystores with the JDK's keytool tool and import the files into each one. Depending on your certificate format you might need to convert them with openssl.
See https://stackoverflow.com/a/11954816/50114 for an example.
You mentioned earlier that you got the same error with JKS keystore and truststore. From the error message, it sounds like the keystore may not contain the whole chain. Can you first try with a JKS truststore containing the root cert and a JKS keystore containing the private key and the whole certificate chain (i.e. including root cert)?
If that run gives the same error, you could enable "javax.net.debug=ssl". If using the Kafka scripts to start the broker, you can first export KAFKA_OPTS=-Djavax.net.debug=ssl. The broker performs extra validation by attempting a handshake using the provided keystore and truststore for the inter-broker listener. It looks like that validation is failing in your case. The extra debug output may help to understand why.
Once you have the broker running with JKS, you can switch to PEM if required.
What does your keystore PEM file look like?
Does it have clear separate sections (with BEGIN and END)? See https://docs.progress.com/en-US/bundle/datadirect-hybrid-data-pipeline-installation-46/page/PEM-file-format.html
Can you try adding the Root CA in the PEM file too, after the signed certificate?
I have a simple server and client that use OpenSSL. The application program is in C++ and uses openssl-1.1.0g source code that I built myself. The simple case where I supply client and server certificates and private keys is working fine. The handshake happens fine and data transfer works great too. Now I have two more requirements:
I need to disable client authentication on the server. The client will have a CA certificate but no private key. The client will do server auth.
I don't know how to tell the OpenSSL API not to ask for a client certificate.
[Update] This is fixed. In the conf file, under the client section, I tried using the keyword VerifyCAFile for the CA certificate and removed the PrivateKey. I got a successful handshake without any code change.
Disable client and server auth. Neither side has a certificate or private keys.
I tried using an anon section in the conf file which doesn't have the certificate or the key specified. I also set the cipher string to aNULL in this section of the conf file. aNULL is the list of all anonymous ciphers according to the page here:
https://www.openssl.org/docs/man1.1.0/apps/ciphers.html
But this doesn't work.
Here is the setup:
Server:
SSL_CTX_new(TLS_server_method()) - create server ctx
CONF_modules_load_file - load conf file
SSL_CTX_config - get section for server
BIO_new_socket((int)socket, BIO_CLOSE) - create socket BIO
SSL_new(ctx) - create ssl
SSL_set_bio - set bio in ssl
SSL_set_accept_state(ssl) - set accept for server
SSL_do_handshake - do handshake
Client:
SSL_CTX_new(TLS_client_method()) - create client ctx
CONF_modules_load_file - load conf file
SSL_CTX_config - get section for client
BIO_new_socket((int)socket, BIO_CLOSE) - create socket BIO
SSL_new(ctx) - create ssl
SSL_set_bio - set bio in ssl
SSL_set_connect_state(ssl) - set connect for client
SSL_do_handshake - do handshake
Conf file:
testApp = test_sect
[test_sect]
# list of configuration modules
ssl_conf = ssl_sect
[ssl_sect]
server = server_section
client = client_section
anon = anon_section
[server_section]
CipherString = DEFAULT
Certificate = <path to server.cer>
PrivateKey = <path to server.key>
[client_section]
CipherString = DEFAULT
Certificate = <path to client.cer>
PrivateKey = <path to client.key>
[anon_section]
CipherString = aNULL
On the server, you want something like:
SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
I thought this was the default, however.
I can't connect to AWS EC2 CentOS. I get:
disconnected no supported authentication methods available (server sent publickey) sent publickey gssapi keys with mic
Inside PuTTY SSH we need to configure the .ppk file. Only then can we access the server through SSH. Make sure you've mapped it correctly, and check again.
Looking at the image in the error message, I think you are entering the wrong user name; try centos, not root.
Hope it helps!
Unfortunately the .pem private key file downloaded from the EC2 console when you create a keypair is not compatible with PuTTY by default! PuTTY expects a converted .ppk file for keypair authentication over SSH. See this answer for a tutorial on how to do this.
This is my first time creating a WCF service. I need to use HTTPS as I will be using MembershipBinding. The steps I have taken up to this point are:
Created a certificate authority using the makecert.exe application - from this I have created a server certificate and a client certificate.
Added the certificate authority to the Trusted Root Certification Authorities within Microsoft Management Console.
Added the client and server certificates to my personal certificates within Microsoft Management Console.
Created a https binding for the service in IIS using the server certificate.
Set the appropriate permissions for the app pool on the server certificate.
Defined the service certificate within the serviceBehaviours node in the web.config.
I am now testing the service using the WCF Test Client but I am getting the message:
Error: Cannot obtain Metadata from https://localhost:444/Service.svc If this is a Windows (R) Communication Foundation service to which you have access, please check that you have enabled metadata publishing at the specified address. For help enabling metadata publishing, please refer to the MSDN documentation at http://go.microsoft.com/fwlink/?LinkId=65455.WS-Metadata Exchange Error URI: https://localhost:444/Service.svc Metadata contains a reference that cannot be resolved: 'https://localhost:444/Service.svc'. Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost:444'. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.HTTP GET Error URI: https://localhost:444/Service.svc There was an error downloading 'https://localhost:444/Service.svc'. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.
The error suggests that there is an issue trusting the certificate but I have trusted the certificate authority used to create it so I don't know how to resolve it. The service worked fine when I was using http.
Thanks in advance.
As your certificate is self-signed, you need to add a hack to your client call:
using (MyWCFServiceClient client = new MyWCFServiceClient())
{
#if DEBUG
    ServicePointManager.ServerCertificateValidationCallback = TrustAllCertificatesCallback;
#endif
    client.MyCall();
}
And the definition for TrustAllCertificatesCallback:
internal static bool TrustAllCertificatesCallback(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
{
    bool isValid = true;
    // TODO logic to check your self-signed certificate
    return isValid;
}
The TrustAllCertificatesCallback callback should be deactivated in your production environment.
Today I tried to ssh to my AWS instance as usual but got a "Permission denied" error, with -v giving me the following:
debug1: Next authentication method: publickey
debug1: Offering RSA public key: localuser@localmachine
debug1: Authentications that can continue: publickey
debug1: Trying private key: serverkey.pem
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
If I try to log in as root@my-ip.com it will authenticate, but show the message: "Please login as the user "ubuntu" rather than the user "root"."
Last time I logged in, I created a new user for a web page within a new group "webapps". I assigned the home directory of this user to be the same as the ubuntu user's since it was convenient. I have also tried to log in as this user with no success.
Also, I tried generating a new pair of keys (locally and uploading the public key, and from the AWS console and saving the private key locally).
I would really appreciate if someone can help me!
Edit:
The command I use normally is ssh -i serverkey.pem ubuntu@my-ip.com. After it failed I generated the SSH key locally, uploaded it to AWS and used ssh ubuntu@my-ip.com with the key stored at ~/.ssh.
You can't change the key after the EC2 instance is created.
Do you have a backup of serverkey.pem? If not, you can't log in to this instance any more. Recreating the EC2 instance with a new key is the only way to go.
debug1: Trying private key: serverkey.pem
debug1: key_parse_private2: missing begin marker
Did you edit your private key file? Can you check that the first line is exactly like this?
-----BEGIN RSA PRIVATE KEY-----
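Three of the threads on this page (the HEC curl error, the Kafka PEM keystore/truststore answer, and the SSH key file check just above) come down to what a PEM file actually contains: curl's --cert and Kafka's ssl.keystore.location need a private key plus the certificate chain, while curl's --cacert and ssl.truststore.location take certificates only. The following added example (not code from any of the posts) parses the BEGIN/END sections of a PEM file and reports which role it can play; the sample PEM bodies are constructed dummy text, not real keys or certificates.

```python
import re

# Constructed sample PEM files (dummy base64 bodies, not real keys or certificates):
# only the BEGIN/END markers matter to this check.
KEYSTORE_PEM = (
    "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKc=\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIDazCCAlOgAwIBAgIUZmFrZS1sZWFm\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIDazCCAlOgAwIBAgIUZmFrZS1yb290\n-----END CERTIFICATE-----\n"
)
# Certificate chain only, with Windows line endings as a downloaded file often has.
CHAIN_ONLY_PEM = "-----BEGIN CERTIFICATE-----\r\nMIIDazCCAlOgAwIBAgIUZmFrZS1yb290\r\n-----END CERTIFICATE-----\r\n"
# Leading dashes lost (e.g. by editing the file): no well-formed section survives.
GARBLED_PEM = "BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n"

# One well-formed PEM section: a base64 body between BEGIN and END lines carrying the same label.
PEM_SECTION = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\n([A-Za-z0-9+/=\n]+?)\n-----END \1-----$", re.M
)


def pem_sections(text):
    """Labels of the well-formed sections in a PEM file, in file order (CRLF tolerated)."""
    return [m.group(1) for m in PEM_SECTION.finditer(text.replace("\r\n", "\n"))]


def classify_pem(text):
    """Say whether a PEM file can serve as a keystore (identity), a truststore, or neither."""
    labels = pem_sections(text)
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    certs = labels.count("CERTIFICATE")
    if keys == 1 and certs >= 1:
        role = "keystore"
        hint = "key + %d cert(s): fits curl --cert / Kafka ssl.keystore.location" % certs
    elif keys == 0 and certs >= 1:
        role = "truststore"
        hint = "certificates only: fits curl --cacert / ssl.truststore.location, no key to offer"
    elif not labels:
        role = "garbled"
        hint = "no well-formed section: every block needs matching -----BEGIN/END X----- lines"
    else:
        role = "other"
        hint = "%d keys and %d certificates: an identity file needs exactly one key" % (keys, certs)
    return {"keys": keys, "certs": certs, "role": role, "hint": hint}


if __name__ == "__main__":
    for name, pem in [("keystore", KEYSTORE_PEM), ("chain", CHAIN_ONLY_PEM), ("garbled", GARBLED_PEM)]:
        print(name, classify_pem(pem))
```

Run it against the real file instead of the constructed samples (open(path).read()) to see whether curl should be given --cert or --cacert, or whether the markers themselves are damaged.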
For anyone stumbling here: I think my problem was assigning the second user's home folder to ubuntu's home folder. Since this is insecure, it messes with the SSH connection. I had to make another instance and recover the info by attaching the old volume to the new server instance.