I am trying to get my Ghost Blog (https://ghost.org/) running in a Azure Docker Container.
In the Ghost documentation they describe how to configure the SSL connection for a MySQL database. In Azure I have a flexible MySQL server and I have downloaded the PEM certificate file. I have exported it to a text file, according to the Ghost Container (documentation)
https://ghost.org/docs/config/#configuration-options
In the documentation they tell me to use this command for the export to text:
(you can get the single line string with awk '{printf "%s\n", $0}' DigiCertGlobalRootCA.pem)
My Ghost Docker configuration looks like this now:
database__connection__ssl__ca: -----BEGIN CERTIFICATE-----\nMIIDrzCCApegAwI ... etc ... d4=\n-----END CERTIFICATE-----\n
But every time when I try to start the container now I get the following error
m Ghost server started in 3.906s
2023-02-19T11:09:07.296559486Z [2023-02-19 11:09:07] [31mERROR[39m self signed certificate in certificate chain
2023-02-19T11:09:07.296630486Z [31m
2023-02-19T11:09:07.296638786Z [31mself signed certificate in certificate chain[39m
2023-02-19T11:09:07.296645186Z
2023-02-19T11:09:07.296650786Z [33m"Unknown database error"[39m
Is there anyone else how has this problem?
I am trying to create the Azure VM and use the VM application to silently install the application. Link to the procedure is at https://learn.microsoft.com/en-us/azure/virtual-machines/vm-applications-how-to.
Application fails to install the driver with the error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
It looks like the driver can't be installed since some root CA is missing. And it can't be installed automatically since the user running silent install has no proper rights.
I tried to just create VM and then run silent install from the command prompt, and that works just fine.
Has anyone had problems like that and how was it solved?
I tried to reproduce same in my environment I got the error like below.
This error says root certificate, which is not trusted by the trust provider, as silently install is running sometimes root certificate is not installed automatically it may cause error on application installation.
To resolve this issue, try to download Microsoft Root Certificate
Click Start ->Run , type mmc , and then click OK
Click File -> Add/Remove snap in like below:
Click on certificate -> Add :
Select -> computer name and finish it.
In console1 MMC you can see certificate -> Expand Trusted Root Certification Authorities , like below:
Once the Trusted Root Certification Authorities as imported I can able to install the application successfully
I am trying to install a self-hosted build agent on my azure server and I am unable to install it due to below error,
However, I am able to install it on my other server without any error. I am not sure what am I missing on the server where I am getting the above error.
I had tried using the --sslskipcertvalidation as well but no success. I also created a self signed SSL cert as well by referring the below URL but still the issue exist.
https://thycotic.force.com/support/s/article/Installing-a-Self-Signed-SSL-HTTPS-Certificate
I was given a .NET Core project to run in a Linux Docker container to do the build, everything seems to be okay on the docker configuration side, but when I run this command: dotnet publish -c Release -o out, I get the SSL authentication error below.
The SSL connection could not be established, see inner exception. Authentication failed because the remote party has closed the transport stream.
I did my research and apparently it seemed that I was missing:
the environment variables Kestrel for ASPNET (as per https://github.com/aspnet/AspNetCore.Docs/issues/6199), which I add to my docker-compose, but I don't think it is the issue.
a Developer .pfx certificate, so I updated my docker-compose with the Kestrel Path to the certs file as seen below.
version: '3'
services:
netcore:
container_name: test_alerting_comp
tty: true
stdin_open: true
image: alerting_netcore
environment:
- http_proxy=http://someproxy:8080
- https_proxy=http://someproxy:8080
- ASPNETCORE_ENVIRONMENT=Development
- ASPNETCORE_URLS=https://+;http://+
- ASPNETCORE_HTTPS_PORT=443
- ASPNETCORE_Kestrel__Certificates__Default__Password="ABC"
- ASPNETCORE_Kestrel__Certificates__Default__Path=/root/.dotnet/corefx/cryptography/x509stores/my
ports:
- "8080:80"
- "443:443"
build: .
#context: .
security_opt:
- seccomp:unconfined
volumes:
- "c:/FakePath/git/my_project/src:/app"
- "c:/TEMP/nuget:/root"
networks:
- net
networks:
net:
I re-run the docker container and executed dotnet publish -c Release -o out with the same results.
From my host I can do this to my local NuGet:
A) wget https://nuget.local.com/api/v2 without issues,
B) but from the container I can't.
C) However from the container I can do this to official NuGet wget https://api.nuget.org/v3/index.json, so definetely my proxy is working okay.
Debugging SSL issue:
The given .pfx certificate is a self-signed one, and it is working okay from Windows OS (at least I was told that).
strace shows me from where the certs are being pulled from as below
root#9b98d5447904:/app# strace wget https://nuget.local.com/api/v2 |& grep certs open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 3
I exported the .pfx as follows:
openssl pkcs12 -in ADPRootCertificate.pfx -out my_adp_dev.crt then moved it to /usr/local/share/ca-certificates/, removed the private part, just left in the file public part (-----BEGIN CERTIFICATE----- -----END CERTIFICATE----- ) executed update-ca-certificates and I could see 1 added, double checked in file /etc/ssl/certs/ca-certificates.crt and the new cert was in there.
Executed this again wget https://nuget.local.com/api/v2 and failed.
I used OpenSSL to get more info and as you can see it is not working, the cert has a weird CN, because they used a wildcard for the subject and to me this is wrong, but they state that .pfx is working in Windows OS.
root#ce21098e9643:/usr/local/share/ca-certificates# openssl s_client -connect nuget.local.com:443 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=0 CN = *.local.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.local.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=\x00*\x00l\x00o\x00c\x00a\x00l\x00.\x00c\x00o\x00m
i:/C=ES/ST=SomeCity/L=SomeCity/OU=DEV/O=ASD/CN=Development CA
---
Server certificate
-----BEGIN CERTIFICATE-----
XXXXXXXXXXX
XXXXXXXXXXX
-----END CERTIFICATE-----
subject=s:/CN=\x00*\x00l\x00o\x00c\x00a\x00l\x00.\x00c\x00o\x00m
issuer=i:/C=ES/ST=SomeCity/L=SomeCity/OU=DEV/O=ASD/CN=Development CA
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1284 bytes and written 358 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 95410000753146AAE1D313E8538972244C7B79A60DAF3AA14206417490E703F3
Session-ID-ctx:
Master-Key: B09214XXXXXXX0007D126D24D306BB763673EC52XXXXXXB153D310B22C341200EF013BC991XXXXXXX888C08A954265623
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1558993408
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: yes
---
I don't know what issue I'm facing, but it appears to be that:
A) the self-signed .pfx was wrongly configured, and now that it is being used in Linux it doesn't work as it should.
B) I need some more config in the container, which I'm not aware of.
What else should I do?
I'm thinking on probaly create other cert to use from Linux hosts.
Is it feasible to create another self-signed cert with OpenSSL for IIS ver 8 and import it to IIS?.
Any ideas are welcome, cheers.
ANSWERING TO MYSELF
It was not a Linux container issue, it is a certificate issue in the web server (IIS), because we are using self-signed certificates and in this way the cert will be always an invalid certificate. Self-signed certs works okay on Windows OS side, doesn't matter the invalid error. Of course self-signed certs are just for a test environment or so.
From Linux OS when you are trying to pull packages from NuGet you will get the error below, because:
1) The cert is indeed invalid, and
2) because apparently there is not an option to ignore an invalid certificate from Linux side.
The SSL connection could not be established, see inner exception.
The remote certificate is invalid according to the validation procedure.
The solution is you are working in a corporate environment, is to request to System Administrator a proper signed certificate, for that you generate a CSR from your web server, in my case IIS, then pass it to them, so they will send you back a .cer file to install in that web server.
The other option that I was trying to do but I couldn't due to the limitations of my corporate environment, is to create a fake CA (with OpenSSL), then you sign the CSR's yourself to have some valid certificates for your Dev or test environment.
Apologizes for answering this myself, but I believe it is worth to share my findings.
Hope it helps.
I had a similar problem. Docker build would not restore my nugets.
Unable to load the service index for source https://api.nuget.org/v3/index.json.
The SSL connection could not be established, see inner exception.
Authentication failed because the remote party has closed the transport stream.
(On a Mac running Catalina)
I turned off Fiddler and then it all worked again.
I have a webdav server on my linux machine with SSL authentication. I can mount this webdav at localhost, at remote linux machine and also at remote MacOS machine. It ask to accept the certificate and it mount.
Now I am trying to mount at windows 10. First, windows does not show any certificate to be accept. I transfer the certificate created on some remote linux machine like this: echo -n | openssl s_client -connect 145.117.144.230:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/irods/ssl/145.117.144.230.crt and installed at the windows 10. I have installed at local machine for all users. The Certificate store I have used was "Trusted Root Certification Authorities". I also have used "Intermediate Certification Authorities". All that I use shows that the certificated was imported successfully. So I try to map the network drive https://ugp-repmed.fedora20.ebiocloud.amc.nl with credentials user/pass and show this message:
The mapped network drive could not be created because the following error has occurred: Mutual Authentication failed. The server's password is out of date at the domain controller.
If I try to connect through the browser I can accept the certificate and I can access, but read-only. I need to map the network drive and this error is stucking me. Does anybody know how to solve? Thanks
Is the authenticaton to the WebDAV server BASIC or DIGEST? With Windows 10 I believe the redirector only support DIGEST unless you modify the registry.
Try setting a DWORD BasicAuthLevel in HKLM\SYSTEM\CurrentControlSet\Services\WebClient\Parameters to "1"
Values are 0 (default) - 2
0 - Basic authentication disabled
1 - Basic authentication enabled for Secure Sockets Layer (SSL) shares only
2 or greater - Basic authentication enabled for SSL shares and for non-SSL shares