please help me on this error
Did as in the bellow link,
[https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/125872/sophos-firewall-integrate-sophos-firewall-with-azure-ad#mcetoc_1etvmh9lj1]
openssl x509 -req -extensions client_server_ssl -extfile azureAD-eku.conf -in azureADldapssl.csr -CA azureADca.pem -CAkey azureADca.key -CAcreateserial -out azureADcert.crt -days 365
(Can't open "azureAD-eku.conf" for reading, No such file or directory
30370000:error:80000002:system library:BIO_new_file:No such file or directory:crypto\bio\bss_file.c:67:calling fopen(azureAD-eku.conf, r)
30370000:error:10000080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:75:)
I need to Integrate Sophos Firewall with Azure AD
I Tried to reproduce the same in my environment to Integrate Sophos Firewall with Azure AD.
Follow the below steps to integrate Sophos Firewall with Azure AD
Download and install Open SSL here
Once install the Open SSL set the path in environment variables.
Path:C:\Program Files\OpenSSL-Win64\bin
Check the Open SSL install status by checking the version, like below.
Now generate a certificate and private key using below cmd.
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
Successfully created Certificate and Key, the cert.pem & key.pem will be saved to the Open SSL Terminal directory.
Ex: C:\Users\your username
You need to configure the firewall to use the Certificate and Key, which you created earlier with Open SSL.
1.Now log in to the Sophos firewall interface.
2. You can navigate to the Certificates option and upload the created cert.pem and key.pem files.
Now configure the firewall to use Azure AD authentication.
Create an application in Azure AD, like below.
Azure Portal > Azure Active Directory > App registrations >Manage > New registration.
Note: Enter the firewall's URL in the "Sign-on URL" field.
You can fetch the Application ID, like below.
Azure AD portal > App registrations > Overview
Now add the Azure AD Authentication on firewall by providing the Application ID and URL of Azure AD instance
You can also refer Sophos Community : Sophos Firewall: Integrate Sophos Firewall with Azure AD
Related
Is anybody using Azure AD B2C and Google Play who has selected the "Let Google manage and protect your app signing (recommended)" option?
I don't know how to follow the Azure portal directions on "Generating a production Signature Hash" in this circumstance. The instructions are to run this command:
keytool -exportcert -alias SIGNATURE_ALIAS -keystore PATH_TO_KEYSTORE | openssl sha1 -binary | openssl base64
I don't have a SIGNATURE_ALIAS or PATH_TO_KEYSTORE in this case.
Here is the solution, which I found here.
Go to the app in the Google Play Console and in the Release section of the menu options you will see:
The main screen will show:
Download the certificate and run this in the directory of the downloaded certificate:
openssl x509 -inform der -in deployment_cert.der -outform der | openssl sha1 -binary | openssl base64
I have created a socketcluster nodejs app. I followed their official docs to deploy the service to Google K8s Engine. However the ingress service is not running up and complains about :
Error:googleapi: Error 400: The SSL key is too large., sslCertificateKeyTooLarge
I tried following certificates:
4048 Key size certificate from Let'sEncrypt
2048 Key size using cert created using Open SSL.
Both of them result the the same error.
Do any one know how do I resolve this? And where do I get proper certificate for enabling TLS?
IIRC, only RSA-2048 and ECDSA P256 keys are supported:
openssl genrsa -out PRIVATE_KEY_FILE 2048
openssl ecparam -name prime256v1 -genkey -noout -out PRIVATE_KEY_FILE
I also struggled due to this error on using Letsencrypt certs with 4096bit private key to a GKE ingress - even creating the secret worked fine for [1].
Finally overcame with editing "/etc/letsencrypt/cli.ini"
rsa-key-size = 2048
issued new certificate, keyfile and put those into secret.
[1] https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl
On Cloud Shell, GCP with "openssl" and "gcloud", I tried to create a self-managed SSL certificate first running this command below to create "myCert.crt" and "myKey.key":
openssl req -new -newkey rsa:4096 -x509 -days 365 -nodes -out myCert.crt -keyout myKey.key
Then, ran this command below to create the self-managed SSL certificate "mycert" using "myCert.crt" and "myKey.key":
gcloud compute ssl-certificates create mycert --certificate=myCert.crt --private-key=myKey.key
But I got a similar error to yours:
ERROR: (gcloud.compute.ssl-certificates.create) Could not fetch
resource:
The SSL key is too large.
So I changed "rsa:4096" to "rsa:2048" then ran the first command again:
// "4096" is changed to "2048"
openssl req -new -newkey rsa:2048 -x509 -days 365 -nodes -out myCert.crt -keyout myKey.key
Then, ran the second command again:
gcloud compute ssl-certificates create mycert --certificate=myCert.crt --private-key=myKey.key
Finally, I could create the self-managed SSL certificate "mycert":
Created
[https://www.googleapis.com/compute/v1/projects/myproject-923743/global/sslCertificates/mycert].
NAME: mycert TYPE: SELF_MANAGED CREATION_TIMESTAMP:
2022-01-22T07:22:26.058-08:00 EXPIRE_TIME:
2023-01-22T07:22:08.000-08:00 MANAGED_STATUS:
In my Azure Linux web app, I'm trying to perform an API call to an external provider, with a certificate. That call fails, while it's working fine when deploying the same code on a Windows app service plan. The equivalent cURL command line is:
curl --cert-type p12 --cert /var/ssl/private/THUMBPRINT.p12 -X POST https://www.example.com
The call fails with the following error:
curl: (58) could not load PKCS12 client certificate, OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
The issue is caused by OpenSSL 1.1.1d, which by defaults requires a security level of 2, and my certificate is signed with SHA1 with RSA encryption:
openssl pkcs12 -in THUMBPRINT.p12 -nodes | openssl x509 -noout -text | grep 'Signature Algorithm'
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
On a normal Linux VM, I could edit /etc/ssl/openssl/cnf to change
CipherString = DEFAULT#SECLEVEL=2
to security level 1, but on an Azure Linux web app, the changes I make to that file are not persisted..
So my question is: how do I change the OpenSSL security level on an Azure web app? Or is there a better way to allow the use of my weak certificate?
Note: I'm not the issuer of the certificate, so I can't regenerate it myself. I'll check with the issuer if they can regenerate it, but in the meantime I'd like to proceed if possible :)
A call with Microsoft support led me to a solution. It's possible to run a script whenever the web app container starts, which means it's possible to edit the openssl.cnf file before the dotnet app in launched.
To do this, navigate to the Configuration blade of your Linux web app, then General settings, then Startup command:
The Startup command is a command that's ran when the container starts. You can do what you want, but it HAS to launch your app, because it's no longer done automatically.
You can SSH to your Linux web app, and edit that custom_startup.sh file:
#!/usr/sh
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
# run the dotnet website
cd /home/site/wwwroot
dotnet APPLICATION_DLL_NAME.dll
The relevant doc can be found here: https://learn.microsoft.com/en-us/azure/app-service/containers/app-service-linux-faq#built-in-images
Note however that the Startup command is not working for Azure Functions (at the time of writing May 19th, 2020). I've opened an issue on Github.
To work around this, I ended up creating custom Docker images:
Dockerfile for a webapp:
FROM mcr.microsoft.com/appsvc/dotnetcore:3.1-latest_20200502.1
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
Dockerfile for an Azure function:
FROM mcr.microsoft.com/azure-functions/dotnet:3.0.13614-appservice
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
I'm trying to automate my infrastructure using puppet with Azure.
I've created my puppet master using puppet enterprise VM from gallery on Azure. After that, I've generated a certificate running the following commands:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout cert.pem -out cert.pem
sudo openssl x509 -inform PEM -in cert.pem -outform DER -out cert.cer
Then, I've uploaded my cert file to Azure Management Portal and finally, I've create a VM with the following command:
puppet azure_vm create --management-certificate /tmp/cert.pem --azure-subscription-id=xxxxxx --image 0b11de9248dd4d87b18621318e037d37__RightImage-Ubuntu-12.04-x64-v13.4 --location 'west us' --vm-name puppetslave --vm-user xxxx --password xxxxx --puppet-master-ip 23.102.xxx.xxx
Finally, I've exported my private key using PuttyGen and I'm using it to connect to my new linux vm. Unfortunately, I'm getting the following error:
server refused out key
And I don't know why. I'm stuck at this point and don't know how to proceed.
I'm using OpenSSL to avoid pay for it. In my server is runing IIS 8 and Windows Server 2012.
I created my certificate this way:
Used IIS to create a certificate request
Used the following command to create a RSA private key
openssl genrsa -des3 -out cakey.pem 2048
After that I used this command to generate a certificate
openssl req -new -key cakey.pem -x509 -days 1825 -extensions v3_ca -out ca.crt
Finally I signed the certificate request using this:
openssl x509 -req -days 365 -in certreq.txt -CA ca.crt -CAkey cakey.pem -CAcreateserial -out iis.cer
But when I navigate to the website I get an "error" telling me that this is an "Untrusted certificate": The security certificate presented by this website was not issued by a trusted certificate authority.
What you get from OpenSSL tool is a self signed certificate. Of course it is not trusted by any browser, as who can say you are worth the trust.
Please buy a certificate if you want to set up a public web site. That's something you must pay, just like the public domain name.
Instead, if you are hosting an internal web site for your company, there are ways to set up your own CA, such as using Microsoft Active Directory Certificate Services.
Updated in 2018: Today there are more options to get free certificates, such as Let's Encrypt. Check them out and make good use of them.
Did you install your CA certificate into your browser before trying to visit the IIS server running the certificate you generated under the CA hierarchy? Here's some information about that step.