sudo vault operator unseal
Unseal Key (will be hidden):
Error unsealing: Put "https://127.0.0.1:8200/v1/sys/unseal": http: server gave HTTP response to HTTPS client
The issue was resolved by removing "sudo" usage
Related
I'm building a WebApp with Node- & ExpressJS. Currently I'm trying to connect my app to our company's Keycloak with the keycloak-connect module. I configured it as mentioned in different tutorials and it works (atleast mostly).
When I connect to my WebApp, I receive the keycloak login screen and the login procedure is successful (session created on keycloak). After the login procedure and the redirect I receive an "Access denied" error and in the logs "Could not obtain grant code: unable to get local issuer certificate".
WebApp runs on port 443 with valid certificates
I've googled everything I could and tried following solutions:
-- Disable rejecting unauthorized TLS --
Disabled TLS Rejection for unauthorized certificates with the node envorinment variable:
process.env.NODE_TLS_REJECT_UNAUTHORIZED = 0;
Works but isn't very secure...
Log.
-- Add an extra CA certificate --
Installed dotenv module and set following env variable in .env file:
NODE_EXTRA_CA_CERTS='/etc/pki/tls/cert.pem' (& ca-bundle.crt)
Included it in app.js with "require('dotenv').config();", doesn't work... Also tried to set it as a system environment variable with export.
It stands behind a proxy but I also configured express to trust all proxies with "app.set('trust proxy', true);".
-- Versions --
Node - v16.13.1
Express - ~4.16.1
Keycloak-connect - ^16.1.1
I've seen this problem on many different pages and they're mostly not fully resolved... Would be nice to find a solution for this problem.
Thanks in advance! :)
Yannic
Well I've found a solution and it works perfectly!
This comment on a GitHub issue describes, how to send ca files with the HTTPS server from NodeJS.
You can enter your ca files / bundles in an array:
const trustedCa = [
'/etc/pki/tls/certs/ca-bundle.crt',
'/etc/pki/tls/cert.pem'
];
Then read them with fileSync and set them as the globalAgent.options.ca option for the HTTPS server:
https.globalAgent.options.ca = [];
for (const ca of trustedCa) {
https.globalAgent.options.ca.push(fs.readFileSync(ca));
}
And that's all that needs to be done! Now I can login via Keycloak and it successfully redirects me to my WebApp without any errors.
Hopefully this helps.
Yannic
I have a backend API on port 3000 using an SSL certificate. I have it hooked up to my frontend and whenever it tried to query the API I get 'connection reset'. When I try to curl https://example.com:3000/ping, it returns the expected pong. But when I try to curl the same URL not from within my EC2 ssh, curl returns LibreSSL SSL_connect: SSL_ERROR_SYSCALL. Where is the problem? Is it in the SSL cert or in something I'm not catching?
I have an existing ssl certificate through LetsEncrypt for my domain. On the same server as my site I have an express app running at port :8080. Before adding the SSL to the domain I was able to make requests to http://domainname:8080.com. Now that the domain making the requests is https it obviously can't make those requests. If I instead make requests to https://domainname:8080.com, I get no response and instead get a timeout error.
I have attempted to curl -X -POST on the server manually and it returns (35) gnutls_handshake() failed: The TLS connection was non-properly terminated. If I however run the same command pointing to the non https domain it executes correctly. I also tried installing the https modules for express and pointing it to the same certs I'm using for the domain. For all my effort I cannot get this to work. What am I missing here? I want to make requests to a port on the same server that is serving my app.
Setup a reverse proxy in my nginx site config from the domain to the ip address the express server was running on. This solved all the issues I was having.
I have an API running with express using https. For testing, I've been using tinycert.org for the certificates, which work fine on my machine.
I'm using docker to package up the app, and docker-machine with docker-compose to run it on a digital ocean server.
When I try to connect with Chrome, I get ERR_SSL_VERSION_OR_CIPHER_MISMATCH. When running this with curl, I get a handshake failure: curl: (35) SSL peer handshake failed, the server most likely requires a client certificate to connect.
I tried to debug with Wireshark's SSL dissector, but it hasn't given me much more info: I can see the "Client Hello" and then the next frame is "Handshake Failure (40)".
I considered that maybe node on the docker container has no available ciphers, but it has a huge list, so it can't be that. I'm unsure as to what's going on and how to remedy it.
EDIT
Here's my createServer() block:
let app = express();
let httpsOpts = {
key: fs.readFileSync("./secure/key.pem"),
cert: fs.readFileSync("./secure/cert.pem")
};
let port = 8080;
https.createServer(httpsOpts, app).listen(port);
I've had this problem for a really long time too, there's a weird fix:
Don't convert your certs to .pem; it works fine as .crt and .key files.
Add ca: fs.readFileSync("path to CA bundle file") to the https options.
It looks like your server is only sending the top certificate and the CA bundle file has the intermediate and root certificates which you'll need for non-browser use.
IMPORTANT! Reinstall or update node to the latest version.
You can use sudo apt-get upgrade if you're on Linux (it may take a while).
Re-download your certificate or get a new one.
If you are acting as your own certificate authority it could be not recognizing / trusting the certificate, so try testing your site on ssllabs.com.
If you're using the http2 API try adding allowHTTP1: true to the options.
I am making a request to a remote server using https and request, and getting a new error after updating node and request:
nes.get err: [Error: 140735207432576:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:../deps/openssl/openssl/ssl/s23_clnt.c:741:
I already have the protocol set to SSLv3, so I'm wondering why it appears to be using tlsv1.
https.globalAgent.options.secureProtocol = 'SSLv3_method';
I've also tried adding this to request's options:
secureProtocol: 'SSLv3_method'
This error did not occur with earlier versions of Node.js and request, but now with node v0.10.15 and request 2.26.0, it has surfaced. Any ideas? Thanks!
Update -- narrowed this down to something that changes between request 2.14.0 and 2.16.0. 2.14.0 works and 2.16.0 does not work.
Make sure you are making a secure request to the correct port.
I've received this error when attempting to make a secure request to port 80 instead of port 443.
I would fire up Wireshark to verify that the bits on the wire are what you think they should be.