Good day!
I am trying to configure user invitation with email confirmation.
Invited user accept email, but when he push 'confirm account' button he get an error.
First there was a certificate error. but when I added the certificate, another error occurred. As I understand it, the error is quite logical, because the certificate was issued to our hostname. Is there any way to change localhost to our hostname? or are there other ways to solve this problem?
ERROR {org.wso2.carbon.identity.mgt.endpoint.util.client.ApiClient} - Error while performing the request method: POST on the resource: https://localhost:9443/api/identity/user/v1.0/validate-code com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching localhost found.
Editing RecoveryEndpointConfig.properties in repository/deployment/server/webapps/accountrecoveryendpoint/ dont solve this problem
You can configure the hostname by adding the following entry to the <IS_HOME>/repository/conf/deployment.toml config file,
[server]
hostname = "your_host_name"
Since by default IS uses localhost as the internal hostname, you will need to add it as a SAN for the certificate.
Another option is to define the hostname and internal_hostname both in the toml config as below,
[server]
hostname = "your_host_name"
internal_hostname = "your_host_name"
You may refer to the following official documentation to get a detail understanding of changing the hostname
https://is.docs.wso2.com/en/latest/deploy/change-the-hostname/
Related
i have my first custom domain (its through godaddy)
ive hooked it up to cloudflare.
i want to connect to it with traefik.
i have a django webpage that works fine on port 8000, so i switched it over to 80 and no dice. trying to connect to my custom domain just hangs and the port gives me a 404 error.
traefik dashboard looks fine and so do my records on cloudflare (as far as i can tell ive never done this before)
i was hoping someone could help me connect to my django page through my custom domain. is there anything ive done in the evidence provided below that looks wrong?
is there anything else you would need to see?
or any steps ive missed?
i recieve this error from traefik as the docker container starts
traefik2 | time="2023-02-13T14:08:29Z" level=error msg="Unable to obtain ACME certificate for domains \"tgmjack.com\": unable to generate a certificate for the domains [tgmjack.com]: error: one or more domains had a problem:\n[tgmjack.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 2606:4700:3033::ac43:a864: Invalid response from http://tgmjack.com/.well-known/acme-challenge/PnsiuL5AtrJXM9UQNrLvhlGdm1MpJ8ZS6i_atIVWCA4: \"<!doctype html><html lang=\\\"en\\\"><head><meta http-equiv=\\\"content-type\\\" content=\\\"text/html;charset=utf-8\\\" /><meta name=\\\"viewport\\\" c\"\n" providerName=myhttpchallenge.acme ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=frontend#docker rule="Host(`tgmjack.com`)"
according to chatgpt
required file is an ACME challenge file and it should be present at the URL specified in the log message: "http://tgmjack.com/.well-known/acme-challenge/qC1w4L8-pPVgXvXmWm55u6ETasZWK2iCqJUfZNArY5U".
investigating, i belive the following few lines from my cmd line show that the only file on my computer called acme.json is here.
[ec2-user#ip-172-31-19-18 letsencrypt]$ sudo find / -name "acme.json"
/home/ec2-user/thing4/new_ui_51_fix_backend_for_8081/running_prices/TRAEFIK/letsencrypt/acme.json
and also there is no "acme-challenge" anywhere.
so is TRAEFIK/letsencrypt/acme.json the correct file? because the path looks miles away from what it should be? i didnt make it.
#####################################
extra info below
#################################
below is a collection of screenshots each thing ive stated above
do you have any advice or questions?
ps:)
this happens on my local machine and on amazon-linux ec2 containers, i have all my ports open (on the aws end of things)
Some considerations:
GoDaddy's pointing is ignored if you are using Cloudflare for your DNS, so we only look at Cloudflare's.
On CloudFlare you need to remove that random ip you found set as the A record.
You don't need to change your container port from 8000 to 80, you'll have to manage with an "ingress" or otherwise a webserver (nginx for example) a proxypass to localhost:8000.
Traefik,p probabbly, already has an "ingress" used to provisoning the certificate, which is why it returns you an error on ".well-known/acme-challenge". This file is used to identify the actual ownership of a domain and this is needed to generate a valid SSL/TLS certificate.
To do this you need to make sure that when you call your server at localhost:8000/.well-know/acme-challenge it returns the file with the unique key. You certainly find this information on Traefik (https://doc.traefik.io/traefik/https/acme/) this a link to the tutorial.
I recommend you to start checking the correct configuration of CloudFlare targeting by removing anything that is not useful to you.
I hope I have been of some help to you!
<ip> is showing an actual ip address, I just didn't include it in the title.
I believe this ip address is the internal ip of my EC2 instance. I'm using AWS Elastic beanstalk to host.
I see this question has been answered a lot on SO, and the answer is always to add the ip address to the ALLOWED_HOSTS, but in my case I've set ALLOWED_HOSTS=['*'] and I'm still getting the error.
The weird thing is, I'm only getting the error when I try to access the site from my phone. When I access from the desktop browser, it works fine...
Things I've tried:
I've double checked my elastic beanstalk deployment and the changes are definitely deployed.
Ok so this probably won't be the answer for other people but it was for me..
In my case, I was doing an http GET request from my frontend and forgot the extra "/" at the end of the url. My django urls.py defines the url with a slash at the end. My fix was to add the extra "/" when doing the http GET.
On my desktop, this was automatically handled because django would reply with an automatic redirect (302) and my desktop browser would go to the url with / at the end, but my phone was not doing the redirect!
This somehow was throwing the invalid HTTP_HOST header error.
For most people, the fix for an error message like this is to add all of your domains to the list of ALLOWED_HOSTS.
Oh and if you're using elasticbeanstalk like me, don't forget to add the AWS domain name. It should look something like this:
ALLOWED_HOSTS = ['<your-unique-id>.elasticbeanstalk.com',
'example.com', '<your-subdomain>.example.com']
DON'T do ALLOWED_HOSTS = ['*'] in prod!!
The problem I am facing is that after changing the hostname and configuring the reverse proxy as described here and here, as well as following the troubleshooting guide here to resolve the 'the registered callback does not match' I am unable to get any further.
I've followed a number of other examples of how to configure nginx and add the reverseProxy property to the settings.js configs but with no luck.
As you can see below if I go to https://example.com/publisher I continue getting the error 'The registered callback does not match'
Here is what I have the callback regex set to:
regexp=(https://example.com/publisher/services/auth/callback/login|https://example.com/publisher/services/auth/callback/logout)
If I inspect the authorize request query I can see that the redirect_url is being set to 127.0.0.1 and I suspect that is the problem as when I add that url to the service provider regex callback it works, but this is not suitable in a non local environment.
And here is the request query (where I suspect the main issue lies - note redirect_uri):
https://example.com/oauth2/authorize?response_type=code&client_id=1obvNiUMBcJwMa3euoHjrsckuGIa&scope=apim:api_create%20apim:api_delete%20apim:api_import_export%20apim:api_product_import_export%20apim:api_publish%20apim:api_view%20apim:app_import_export%20apim:client_certificates_add%20apim:client_certificates_update%20apim:client_certificates_view%20apim:document_create%20apim:document_manage%20apim:ep_certificates_add%20apim:ep_certificates_update%20apim:ep_certificates_view%20apim:external_services_discover%20apim:mediation_policy_create%20apim:mediation_policy_manage%20apim:mediation_policy_view%20apim:pub_alert_manage%20apim:publisher_settings%20apim:shared_scope_manage%20apim:subscription_block%20apim:subscription_view%20apim:threat_protection_policy_create%20apim:threat_protection_policy_manage%20openid&state=/&redirect_uri=https://127.0.0.1/publisher/services/auth/callback/login
Here is how my deployment.toml is configured (I've replaced my actual domain with example.com):
Note I had to remove the ports to work behind the proxy
And here is my settings.js:
I added the reverseProxy property as suggested in a github issue
And here is my nginx conf:
This is a known limitation. Please find the steps to resolve the issue - https://apim.docs.wso2.com/en/latest/troubleshooting/troubleshooting-invalid-callback-error/#troubleshooting-registered-callback-does-not-match-with-the-provided-url-error
The reason for this error comes down to a missing X-Forwarded-For header, I ended up changing the forwardedHeader in settings.js to Host as that was being passed from my proxy server.
Thanks for the detailed question "user3745065".
I was having the exactly same issue you described in this post, and I guess I nailed the problem down.
Like you mentioned the issue is with the forwardedHeader, that in your case you switched to Host.
But checking the product documentation, the sample they provide is the following:
customUrl: { // Dynamically set the redirect origin according to the forwardedHeader host|proxyPort combination
enabled: true,
forwardedHeader: 'X-Forwarded-Host',
},
It took me a while to noticed that the forwardedHeader is supposed to be 'X-Forwarded-Host' not 'X-Forwarded-For' as it comes as default.
Few other things I needed to tweak that wasn't clear in the documentation for changing the hostname (here), I had to remove the port variable ${mgt.transport.https.port} from devportal.
That's outlined on the installation step 5 also, here. However worth mentioning:
from:
[apim.devportal]
url = "https://{Your Domain}:${mgt.transport.https.port}/devportal"
to
url = "https://{Your Domain}/devportal"
otherwise when the it tries to redirect to the portal (for instance, from the publisher) it construct the url with the port number, and that default port 9443 isn't going to work on your proxy (tested on nginx with the provided settings that is on the documentation here) which is listening and expecting calls on port 443.
Things that I noticed you configured but perhaps it's not necessary:
Set the apim.idp settings
Set the reverseProxy settings
Set the apim.gateway.environment settings (Not related to the callback url issue, this is meant for you to configure the runtime gateway urls)
Last but not the least, Following the "Troubleshooting 'Registered callback does not match with the provided url' error", again you need to remove the port number from the url, otherwise you will have the same issue aforementioned on your proxy.
Just my 2 cents! ;)
I am currently trying to secure our backup server and it's interface as it currently does not have any kind of (extra) security other than a strong password. The backup server is based on CentOS 7.x.
Log file location:
/var/log/backup
Log file names:
backuplog-2019310.log
backuplog-2019309.log
backuplog-2019308.log
backuplog-2019307.log
False logins are logged like:
[2019-11-06T13:13:33+01:00] [Audit] Web login failure for account 'admin': Invalid authentication (Address=200.100.150.50:28534)
[2019-11-06T13:13:34+01:00] [Audit] Web login failure for account 'test': Invalid authentication (Address=120.30.40.20:28534)
[2019-11-06T13:13:35+01:00] [Audit] Web login failure for account 'info': Invalid authentication (Address=85.80.75.70:28534)
[2019-11-06T13:13:35+01:00] [Audit] Web login failure for account 'user': Invalid authentication (Address=25.125.155.190:28534)
In /etc/fail2ban/jail.local:
[backup]
enabled = true
filter = backup
logpath = /var/log/backup/backuplog-*.log
port = 80,443
The use of the asterisk in there is allowed, right?
So far I understand it correctly, I hope.
However I am experiencing issues with creating a correct filter for this custom fail2ban ban rule (= filter).
Example of /etc/fail2ban/filter.d/backup.conf:
[Definition]
failregex = [[]Web login failure for account []] .* Invalid authentication
ignoreregex =
But it's not working. So I am guessing my failregex is incorrect? Maybe someone can advice me the correct failregex to apply to make it work?
I am receiving the following error messages when starting up fail2ban:
ERROR NOK: ("No 'host' group in '[[]Web login failure for account []] .* Invalid authentication'",)
So I am guessing the failregex is incorrect?
//update 1 - STILL ISSUES + ADDITIONAL QUESTION
Fooled around a bit more. This is the updated failregex:
failregex = [][] Web login failure for account .* <HOST>
Now I am not getting the "ERROR NOK" anymore, however it's still not working. This is the fail2ban log:
2019-11-06 14:44:39,111 fail2ban.filter [20978]: WARNING Unable to find a corresponding IP address for authentication: [Errno -2] Name or service not known
2019-11-06 14:44:41,706 fail2ban.filter [20978]: WARNING Unable to find a corresponding IP address for authentication: [Errno -2] Name or service not known
2019-11-06 14:44:42,082 fail2ban.filter [20978]: WARNING Unable to find a corresponding IP address for authentication: [Errno -2] Name or service not known
2019-11-06 14:44:42,623 fail2ban.filter [20978]: WARNING Unable to find a corresponding IP address for authentication: [Errno -2] Name or service not known
So what am I doing wrong here?
Also, coming to think of it, I think using "/var/log/backup/backuplog-*.log" is not that great. Especially when more and more log files are created. Right?
Is there a way to target the current or latest log file e.g. backuplog-2019310.log?
Thanks in advance.
In the meantime I will fool around a bit more.
//update 2 - MAIN ISSUE SOLVED!!
I guess I solved it by using the following failregex:
failregex = Invalid authentication \(Address=<HOST>
Will see if I can make it somewhat better obviously. But it's a great start for me.
So maybe someone can help me with the issue in regards to the log file as mentioned above. For easier reading I will ask it here again:
Also, coming to think of it, I think using
"/var/log/backup/backuplog-*.log" is not that great. Especially when
more and more log files are created. Right?
Is there a way to target the current or latest log file e.g.
backuplog-2019310.log?
Maybe someone has a solution for this?
Thank you in advance.
As for regex, it is always better to use anchored RE's, so either at end:
failregex = Invalid authentication \(Address=<HOST>\)\s*$
or at begin:
failregex = ^\[\] \[Audit\] Web login failure for account '[^']+': Invalid authentication \(Address=<HOST>
And disable usedns for this jail if no hostnames in log are expected (or use <ADDR> instead of <HOST> if f2b >= v.0.10).
As for current (latest) log file, simply create a symlink in postrotate (see https://stackoverflow.com/a/58430149/7161854).
I am trying to get the contents of a page where only https urls work and it does not have a valid certificate.
import requests
session_requests = requests.session()
result = session_requests.get("some https url")
I am getting the following error:
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
However if i use this:
requests.get('https://url.retail.publishedprices.co.il/login', verify=False)
It works, but i need to do the same kind of thing with the requests.session() since i am logging in.
If you look at the SSLLabs report for this site you will find out that there are several things wrong:
The name in the certificate does not match the name given in the URL. If you try to access this site with a browser you get an error message too.
The trust chain is incomplete and thus cannot be validated. Some browsers might try to download the missing intermediate certificate but others will simply fail here too.
Instead of trying to working around this broken setup I recommend to contact the ones who setup the site so that these serious issues gets fixed. After the fixes no workarounds in your script are needed.
Also, I don't consider disabling the validation as an acceptable workaround in this situation. This is a public accessible site which asks for sensitive data (at least username and password). And this site is explicitly enforcing https.