When I want to request a certificate in Active Directory Certificate Services, I have this problem:
I am trying to setup a Kafka cluster with mTLS authentication using certificates signed by GCP's CAS (Certificate Authority Service). I have three Kafka nodes: a master and two workers. Each node has a PEM truststore containing the CA Root certificate from the authority on CAS and a PEM keystore containing a signed certificate from CAS and the private key. I followed this webpage for the setup.
This is the server.properties file for the master node. Other nodes have a similar config except the ssl.keystore.location property.
listeners=INTERNAL://:port,EXTERNAL://:port
advertised.listeners=INTERNAL://:port,EXTERNAL://:port
listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL
inter.broker.listener.name=INTERNAL
ssl.enabled.protocols=TLSv1.2
ssl.endpoint.identification.algorithm=
producer.ssl.endpoint.identification.algorithm=
consumer.ssl.endpoint.identification.algorithm=
ssl.client.auth=required
ssl.truststore.type=PEM
ssl.truststore.location=/path/ca.crt
ssl.keystore.type=PEM
ssl.key.password=<password>
ssl.keystore.location=/path/master.pem
The truststore is the ca.crt (Root CA certificate) file and the keystore has the private key and the signed certificate. There are no intermediate certificates, the certificates in the keystore are directly signed by the root certificate.
When I try to start the server on any of the nodes I get the following error. I am not sure why.
ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings.
P.S. I have already tried using the truststore and keystore in JKS and PKCS12 format. I keep getting the same error.
From what you shared, it doesn't seem that you've created valid keystores for the cert and CA.
ssl.truststore.location=/path/ca.crt
...
ssl.keystore.location=/path/master.pem
You're merely pointing to the original files. You need to create two valid java keystores with a JDK's keytool tool and import the files into each one. Depending on your certificate format you might need to convert them with openssl.
See https://stackoverflow.com/a/11954816/50114 for an example.
You mentioned earlier that you got the same error with JKS keystore and truststore. From the error message, it sounds like the keystore may not contain the whole chain. Can you first try with a JKS truststore containing the root cert and a JKS keystore containing the private key and the whole certificate chain (i.e. including root cert)?
If that run gives the same error, you could enable "javax.net.debug=ssl". If using Kafka scripts to start the broker, you can first export KAFKA_OPTS=javax.net.debug=ssl. The broker performs extra validation by attempting a handshake using the provided keystore and truststore for the inter-broker listener. It looks like that validation is failing in your case. The extra debug may help to understand why.
Once you have the broker running with JKS, you can switch to PEM if required.
What does your keystore PEM file look like?
Does it have clear separate sections (with BEGIN and END)? See https://docs.progress.com/en-US/bundle/datadirect-hybrid-data-pipeline-installation-46/page/PEM-file-format.html
Can you try adding the Root CA in the PEM file too, after the signed certificate?
I have a Comodo PositiveSSL certificate. I put it on my server and started my server using this:
python manage.py runserver_plus --cert-file /my/cert --key-file /my/key 0.0.0.0:443
but it is not trusted in browsers yet. shows this:
I passed the files that have the same name as my domain to runserver_plus. I think maybe I used the wrong files.
Now I want to know what my problem is.
What you have is not a certificate signed by a Comodo certificate authority (CA). It seems to be self-signed given that the issuer and subject appear to be the same.
Two solutions:
Accept this certificate in the web browser settings.
Or don't use a self-signed certificate. I doubt however that you can find a CA that will issue you a certificate for localhost.
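As an added example, not taken from either of the two threads above, the following POSIX shell script builds a throwaway PKI with openssl and runs the checks those threads talk about: that the PEM keystore has separate BEGIN/END sections (key, leaf, root), that the leaf chains to the CA in the truststore while a foreign CA reproduces a missing trust anchor, and the Django answer's self-signed test (issuer equals subject). All file names and subjects are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original posts. Builds a throwaway PKI with
# openssl and runs the trust checks discussed above. All names are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

make_demo_pki() {
  # Self-signed root: this is what goes into the truststore (ca.crt).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Broker key and CSR, signed directly by the root (no intermediates).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=master" \
    -keyout "$WORK/master.key" -out "$WORK/master.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/master.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/master.crt" 2>/dev/null
  # PEM keystore laid out as the comments suggest: key, leaf, then the root.
  cat "$WORK/master.key" "$WORK/master.crt" "$WORK/ca.crt" > "$WORK/master.pem"
  # An unrelated root, to show what a missing trust anchor looks like.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

# Number of "-----BEGIN ...-----" sections in a PEM file; key + leaf + root = 3.
pem_sections() {
  grep -c -- '-----BEGIN ' "$1"
}

# Succeeds when the certificate in $1 chains to a root in the truststore $2.
# Failure here is the shell equivalent of "Trust anchor for certification path not found".
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Issuer equal to subject means self-signed (the Django answer's diagnosis).
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=/subject=/')
  [ "$subj" = "$iss" ]
}

# Stand-alone run: build the PKI and report each check.
if [ "${DEMO_RUN:-1}" = 1 ]; then
  make_demo_pki
  echo "sections in master.pem: $(pem_sections "$WORK/master.pem")"
  chain_ok "$WORK/master.crt" "$WORK/ca.crt" && echo "master.crt chains to ca.crt"
  chain_ok "$WORK/master.crt" "$WORK/other.crt" || echo "master.crt does NOT chain to other.crt"
  is_self_signed "$WORK/ca.crt" && echo "ca.crt is self-signed (issuer == subject)"
fi
```

Run it against your real files by pointing chain_ok at your leaf certificate and ca.crt instead of the demo files.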
I am trying to test a REST API in Postman, but every time I try to POST I get the following error:
Error: self signed certificate in certificate chain.
I have tried with the SSL certificate verification on and off, but neither method works. Postman is also updated to the latest version, v7.3.6.
Tbh I don't know what to try anymore and would really appreciate any tip.
Go to Postman Settings > General > turn OFF SSL certificate verification
"make ssl certificate verification on and make it still work"
If you're under organization environment, you can:
Export your organization self-signed certificate as Base-64 encoded X.509 (.CER) format flat file. It could be done from Chrome.
Go back to Postman: Settings -> Certificates -> CA Certificates, switch on and select the file you just exported.
Adding CA certificates doesn't work for me. My certs are not self-signed but got the same error. Adding client certificates solved my problem. Quoted docs from Postman here: To send requests to an API that uses mutual TLS authentication, add your client certificate to Postman.
I used mkcert and here's how I managed to get rid of the error:
On the Site Information Icon, click where it's written Connection Not Secure
On the Connection Info dialog, click on More Information
On Page Info, click on View Certificate
On the Certificate tab, scroll down till where you'll see 2 links for the PEM files, and download the PEM (Chain) file
On Postman, go to Settings -> Certificates -> CA Certificates (make sure the toggle button is ON), and specify (click on Select File) the location of your PEM Chain file.
There you are !!!
This is my first time creating a WCF service. I need to use HTTPS as I will be using MembershipBinding. The steps I have taken up to this point are:
Created a certificate authority using the makecert.exe application - from this I have created a server certificate and a client certificate.
Added the certificate authority to the Trusted Root Certification Authorities within Microsoft Management Console.
Added the client and server certificates to my personal certificates within Microsoft Management Console.
Created a https binding for the service in IIS using the server certificate.
Set the appropriate permissions for the app pool on the server certificate.
Defined the service certificate within the serviceBehaviours node in the web.config.
I am now testing the service using the WCF Test Client but I am getting the message:
Error: Cannot obtain Metadata from https://localhost:444/Service.svc If this is a Windows (R) Communication Foundation service to which you have access, please check that you have enabled metadata publishing at the specified address. For help enabling metadata publishing, please refer to the MSDN documentation at http://go.microsoft.com/fwlink/?LinkId=65455.WS-Metadata Exchange Error URI: https://localhost:444/Service.svc Metadata contains a reference that cannot be resolved: 'https://localhost:444/Service.svc'. Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost:444'. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.HTTP GET Error URI: https://localhost:444/Service.svc There was an error downloading 'https://localhost:444/Service.svc'. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.
The error suggests that there is an issue trusting the certificate but I have trusted the certificate authority used to create it so I don't know how to resolve it. The service worked fine when I was using http.
Thanks in advance.
As your certificate is self-signed, you need to add a hack to your client call:
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

using (MyWCFServiceClient client = new MyWCFServiceClient())
{
#if DEBUG
    // Debug builds only: replace the default chain validation with the callback below
    ServicePointManager.ServerCertificateValidationCallback = TrustAllCertificatesCallback;
#endif
    client.MyCall();
}
And the definition for TrustAllCertificatesCallback:
internal static bool TrustAllCertificatesCallback(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
{
    // As written this accepts every server certificate, whatever 'errors' reports
    bool isValid = true;
    // TODO logic to check your self-signed certificate
    return isValid;
}
The TrustAllCertificatesCallback callback should be deactivated in your production environment.
I have one .cer file which is a self-signed public certificate. I have added it to a truststore, configured it in an HTTPS connector, and referenced it in the WSC component. But while trying to run the code, I am getting a "no trusted certificate found" error. Do I need to configure a keystore or anything else?
Self-signed certs can be used by the <tls:context> component. After configuration you're able to use it for HTTP and other supported components.
<tls:context name="customContext">
<tls:trust-store path="/etc/mule/tls/.." password="yourPass"/>
<tls:key-store path="/etc/mule/tls/.." keyPassword="yourKeyPass" password="yourPass"/>
</tls:context>
More can be found at https://docs.mulesoft.com/mule-runtime/4.2/tls-configuration