"certificate signed by unknown authority" after reinstalling LXD - terraform

I'm getting this error after purging lxd and reinstalling:
lxd_network.singlenode: Refreshing state... [id=singlenode]
Error: Unable to create client for remote [localhost]:
Get "https://127.0.0.1:5555/1.0":
x509: certificate signed by unknown authority (possibly because of
"x509: ECDSA verification failure" while trying to verify candidate
authority certificate "root@nimbus")
(Text wrapped for clarity)
This even happens after lxc remote add nimbus 127.0.0.1:5555 --accept-certificate --password=xxxxx.

The answer is: LXD caches the remote's cert in ~/.config/lxc/servercerts, so just remove the relevant file.

Related

How to get Python3 Requests module working for https request

I am trying to use the requests module of Python 3 to make an API call. I am using credentials that work when tried on the same service from its web page, so the credentials are verified.
Code that I am using:
#!/local/usr/bin/python3
import requests

url = "https://some.url.com/fol/something"
# json= sends real JSON (double-quoted keys) and sets Content-Type;
# a Python-dict-looking string with single quotes is not valid JSON.
payload = {"userName": "user-name", "instanceName": "instance-name",
           "password": "user-password", "usersDomain": "DOMAIN"}
headers = {"accept": "application/json", "content-type": "application/json"}
response = requests.post(url, json=payload, headers=headers, verify=False)
print(response)
Problem:
If I remove verify=False from line 7 I get ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749).
With verify=False (as in code above) I get following warning and response code is 401.
InsecureRequestWarning: Unverified HTTPS request is being made to host 'wifitracker.chartercom.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning,
<Response [401]>
What I have tried:
Tried using the same code from different Linux servers with different Python and requests module versions.
Tried ping {host} and nc -vz {host} 443 and both succeed. The API endpoint and the Linux server from which I am trying to connect are both on the same network domain.
Tried adding verify="/etc/ssl/certs/ca-bundle.crt" and verify="/etc/ssl/certs/ca-bundle.trust.crt" as well as verify="/etc/ssl/certs" and verify="/etc/ssl/certs/". None of these options cause any error/warning, but the response code is still 401.
Used the Python module certifi, found the installed certificate authority bundle and used it in verify=, but I get ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749).
Following the suggestion by Steffen I tried openssl s_client -connect some.url.com:443 and the result is (hope it's not too much):
USR--> openssl s_client -connect some.url.com:443
CONNECTED(00000003)
depth=2 C = <My Country Code>, O = <My Organization Name>, OU = <My Organization Name> Internal Trust Network, OU = (c) 2017 <My Organization Name> - For authorized use only, CN = <My Organization Name> Root Certification Authority
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=<My Country Code>/ST=<My State>/L=<My City>/O=<My Organization Name>/CN=some.url.com
i:/DC=com/DC=url/DC=corp/CN=<My Organization Name> Issuing CA1
1 s:/DC=com/DC=url/DC=corp/CN=<My Organization Name> Issuing CA1
i:/C=<My Country Code>/O=<My Organization Name>/OU=<My Organization Name> Internal Trust Network/OU=(c) 2017 <My Organization Name> - For authorized use only/CN=<My Organization Name> Root Certification Authority
2 s:/C=<My Country Code>/O=<My Organization Name>/OU=<My Organization Name> Internal Trust Network/OU=(c) 2017 <My Organization Name> - For authorized use only/CN=<My Organization Name> Root Certification Authority
i:/C=<My Country Code>/O=<My Organization Name>/OU=<My Organization Name> Internal Trust Network/OU=(c) 2017 <My Organization Name> - For authorized use only/CN=<My Organization Name> Root Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
<CHUNK OF TEXT>
-----END CERTIFICATE-----
subject=/C=<My Country Code>/ST=<My State>/L=<My City>/O=<My Organization Name>/CN=some.url.com
issuer=/DC=com/DC=url/DC=corp/CN=<My Organization Name> Issuing CA1
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6834 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is <SOME-ALPHA-NUMERIC-CHARACTERS>
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : <SOME-ALPHA-NUMERIC-CHARACTERS>
Session-ID: <SOME-LONG-ALPHANUMERIC-64-CHARACTERS>
Session-ID-ctx:
Master-Key: <SOME-LONG-ALPHANUMERIC-96-CHARACTERS>
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: <epoch_time>
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
I tried finding options (here on SO and in other resources) and think I have tried those, but obviously I am still missing something.
What else can I try to make a successful API call (status code 200)? Could it be that I need the CA cert from the API provider? (It's a security-related application.)
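The chain in the s_client output above is the poster's leaf, an "Issuing CA1" intermediate, and a self-signed corporate root, and openssl's verify error 19 ("self signed certificate in certificate chain") says only that this root is not in the trust store Python is using; verify=False hides that rather than fixing it, and certifi's bundle cannot help because it carries public roots only. The code below is an added example, not code from the original post, from OpenSSL or from the requests library: it parses the DER structure of each certificate with the standard library alone, renders subject and issuer the way openssl prints them, and identifies the self-signed root, which is the certificate to save as a PEM file and pass to requests as verify=path. It compares names only and does not check signatures, so it tells you which file to trust, not whether to trust it; that decision still needs the fingerprint confirmed with whoever runs the internal CA. The certificates in the test are constructed with the small DER encoder at the end of the block and are not real; all function names here are this example's own.

```python
import base64
import re

# Attribute OIDs rendered the way openssl prints a Name (example's own table).
_ATTR = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
         "2.5.4.10": "O", "2.5.4.11": "OU", "0.9.2342.19200300.100.1.25": "DC"}
_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos=0):
    """Decode one DER tag-length-value starting at pos -> (tag, value, end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(value):
    """Yield the TLVs directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        yield tag, v

def _oid_str(raw):
    arcs, v = [raw[0] // 40, raw[0] % 40], 0
    for c in raw[1:]:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def name_to_str(name):
    """Render an X.501 Name value openssl-style, e.g. /C=US/O=Org/CN=host."""
    parts = []
    for _, rdn in _children(name):                  # RDN = SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            parts.append(f"{_ATTR.get(_oid_str(oid), _oid_str(oid))}={val.decode('utf-8', 'replace')}")
    return "/" + "/".join(parts)

def issuer_and_subject(der):
    """(issuer, subject) Name values of a DER certificate (the [0] version is optional)."""
    _, cert, _ = _tlv(der)
    _, tbs, _ = _tlv(cert)
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return fields[2][1], fields[4][1]               # serial, sigAlg, issuer, validity, subject

def pem_chain(text):
    """DER certificates, in order, from `openssl s_client -showcerts` output or a PEM bundle."""
    return [base64.b64decode("".join(b.split())) for b in _PEM.findall(text)]

def find_root(chain):
    """Index of the self-signed cert (issuer == subject), or None if the server did not
    send its root. That is the certificate to save for requests' verify=path."""
    return next((i for i, d in enumerate(chain) if len(set(issuer_and_subject(d))) == 1), None)

# --- constructed test material: a minimal DER encoder. These are NOT real certificates. ---
def _der(tag, *parts):
    body = b"".join(parts)
    n = len(body)
    ln = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))

def make_name(**attrs):
    """X.501 Name from attributes, e.g. make_name(O="Org", CN="some.url.com")."""
    inv = {v: k for k, v in _ATTR.items()}
    return _der(0x30, *(_der(0x31, _der(0x30, _oid(inv[k]), _der(0x0C, v.encode())))
                        for k, v in attrs.items()))

def make_cert(subject, issuer):
    """Structurally valid, unsigned Certificate carrying the given Names."""
    alg = _der(0x30, _oid("1.2.840.10045.4.3.2"))                    # ecdsa-with-SHA256
    validity = _der(0x30, _der(0x17, b"230101000000Z"), _der(0x17, b"330101000000Z"))
    spki = _der(0x30, _der(0x30, _oid("1.2.840.10045.2.1")), _der(0x03, b"\x00" + b"\x04" * 65))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), alg, issuer, validity, subject, spki)
    return _der(0x30, tbs, alg, _der(0x03, b"\x00" * 71))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
```

Against a live server, capture the chain with openssl s_client -connect some.url.com:443 -showcerts </dev/null > chain.txt (the output quoted above omits -showcerts, which is why only the leaf is printed), then chain = pem_chain(open("chain.txt").read()) and find_root(chain) gives the index to write out with to_pem() into the file you pass as verify=. A return of None means the server did not send its root, which is common for internal PKIs; the root then has to come from the people operating the CA, which is the poster's closing question.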

Error while submitting transactions in Hyperledger Fabric

I am running Hyperledger Fabric with 4 peers of 1 organization, 1 orderer and 1 CA. All 4 peers are on different VMs; the orderer and CA are running on different VMs. Chaincode is up and running on all the VMs. I want to set up a client on a different VM, which can send transaction requests to the network. Using this code, I have changed the address of the VM to my peer0.
I run the following 2 files first:
node enrollAdmin.js
node registerUser.js
I am getting the following error on running the last command:
Store path:/root/gopath/src/github.com/hyperledger/fabric-samples/fabcar/hfc-key-store
Successfully loaded admin from persistence
Failed to register: Error: fabric-ca request register failed with errors [[{"code":20,"message":"Authentication failure"}]]
I checked the logs of the CA container. The container log is as follows:
2019/04/16 17:34:55 [DEBUG] Received request for /api/v1/register
2019/04/16 17:34:55 [DEBUG] Caller is using a x509 certificate
2019/04/16 17:34:55 [DEBUG] Failed to verify token based on new authentication header requirements: %!s(<nil>)
2019/04/16 17:34:55 [INFO] 192.168.1.22:44826 POST /api/v1/register 401 26 "Untrusted certificate: Failed to verify certificate: x509:
certificate signed by unknown authority (possibly because of
"x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com")"
I have copied the same generated crypto material to all the VMs, including the client. How do I resolve this error?
UPDATE: When I place the client code on one of the VMs running peer containers, it works fine. Transactions are executed successfully.
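The LXD error at the top of this page and the Fabric CA log above are the same Go crypto/x509 message, and it says the same thing in both cases: a certificate with the expected name is on hand ("root@nimbus", "ca.org1.example.com"), but the signature being checked was not made with that certificate's key. After purging and reinstalling LXD the server has a new key under the same CN, and the copy the lxc client pinned in ~/.config/lxc/servercerts/<remote>.crt (the file the LXD answer says to delete) no longer matches what the server presents; at the Fabric CA, the admin certificate in the client's hfc-key-store was not issued under the CA certificate the server is actually running with. The SHA-256 fingerprint over the DER encoding tells two same-named certificates apart, and LXD prints exactly that value as certificate_fingerprint in `lxc info` on the server. The code below is an added example, not code from the original posts, from LXD or from Fabric CA; it assumes the cache path named in the LXD answer, the `lxc info` fingerprint as the out-of-band value, and decision rules of its own. The PEM blobs used in the test are constructed wrappers around plain bytes, not real certificates.

```python
import base64
import hashlib
import os
import re

_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem):
    """DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der, colons=False):
    """SHA-256 over the DER encoding. LXD prints plain lowercase hex;
    `openssl x509 -noout -fingerprint -sha256` prints colon-separated uppercase."""
    h = hashlib.sha256(der).hexdigest()
    if colons:
        return ":".join(h[i:i + 2] for i in range(0, 64, 2)).upper()
    return h

def normalize(fp):
    """Accept either formatting (and stray whitespace) when comparing fingerprints."""
    return fp.replace(":", "").strip().lower()

def lxc_cached_cert(remote, home=None):
    """Where the lxc client pins a remote's server certificate on first contact
    (assumed from the LXD answer above: ~/.config/lxc/servercerts/<remote>.crt)."""
    return os.path.join(home or os.path.expanduser("~"), ".config", "lxc", "servercerts", f"{remote}.crt")

def classify(held_pem, served_pem, published_fp=None):
    """What an 'unknown authority' error on a pinned peer means (example's own rules).

    held_pem      the copy the client already trusts: the cached lxc server cert, or the
                  CA cert inside the crypto material copied to the Fabric client VM
    served_pem    what the endpoint presents now (openssl s_client -showcerts, or the
                  ca-cert.pem read on the CA host itself)
    published_fp  a fingerprint obtained out of band, e.g. certificate_fingerprint from
                  `lxc info` run on the server; None if you have no such value
    """
    held = fingerprint(pem_to_der(held_pem))
    served = fingerprint(pem_to_der(served_pem))
    if held == served:
        return "same-cert"                   # the pin is not the problem; look elsewhere
    if published_fp is not None and served == normalize(published_fp):
        return "rekeyed-replace-held-copy"   # server legitimately changed keys: drop the stale copy
    return "unverified-do-not-accept"        # never --accept-certificate a mismatch you cannot confirm

def constructed_pem(label):
    """Constructed PEM wrapper around arbitrary bytes for the offline test only.
    It is NOT a real certificate; hashing does not care about the content."""
    b64 = base64.b64encode(b"constructed:" + label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

Run on the LXD case: held is open(lxc_cached_cert("nimbus")).read(), served is the certificate block from openssl s_client -connect 127.0.0.1:5555 -showcerts </dev/null, and published_fp is the certificate_fingerprint line from `lxc info` on the same host. Only "rekeyed-replace-held-copy" justifies deleting the cached file and re-running lxc remote add with --accept-certificate; the Fabric variant compares the CA cert in the client's crypto material with the one the CA container is actually serving.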

TLS error enrolling with Fabric CA Client

I prepared a multi-organization Fabric CA environment by following this tutorial. The tutorial itself worked with no problem:
Deploying a Hyperledger Composer blockchain business network to Hyperledger Fabric (multiple organizations)
https://hyperledger.github.io/composer/unstable/tutorials/deploy-to-fabric-multi-org.html
In this environment, I'm trying Fabric CA client commands on both ca_peerOrg1 and the host environment. I copied the TLS crt, public key and private key from crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/ and tried the following command, but I got the error "x509: certificate is valid for ca.org1.example.com, not localhost".
linux1@fabric:~$ fabric-ca-client enroll --caname ca-org1 --tls.certfiles ca.crt --tls.client.certfile Admin@org1.example.com-cert.pem --tls.client.keyfile 0dbfd9d156b90331e6bc4a0529e07cb123f7de586935019499623062f182a8fa_sk -u https://admin:adminpw@localhost:7054
2017/12/19 16:34:35 [INFO] User provided config file: /home/linux1/fabric-ca/clients/admin/fabric-ca-client-config.yaml
2017/12/19 16:34:35 [INFO] generating key: &{A:ecdsa S:256}
2017/12/19 16:34:35 [INFO] encoded CSR
2017/12/19 16:34:35 [INFO] TLS Enabled
Error: POST failure [Post https://localhost:7054/enroll: x509: certificate is valid for ca.org1.example.com, not localhost]; not sending
POST https://localhost:7054/enroll
Authorization: Basic YWRtaW46YWRtaW5wdw==
{"hosts":["fabric"],"certificate_request":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBOzCB4wIBADBdMQswCQYDVQQGEwJVUzEXMBUGA1UECBMOTm9ydGggQ2Fyb2xp\nbmExFDASBgNVBAoTC0h5cGVybGVkZ2VyMQ8wDQYDVQQLEwZGYWJyaWMxDjAMBgNV\nBAMTBWFkbWluMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEI8Y4aR/YxeyMXIQ3\nHGydrTLaoI+6tZ57ho1uv6gNonbFfftE7lrdsIbL8d8QLimztDjtqkg6rk612nso\nD66M9aAkMCIGCSqGSIb3DQEJDjEVMBMwEQYDVR0RBAowCIIGZmFicmljMAoGCCqG\nSM49BAMCA0cAMEQCIH9u2w9xO43Ba5rJ1SCKgtEFfokj1DKhg2cHjnbu8ucEAiBn\nwZKjjSbQage+ElofYbgagWpuCFz0t57Zwycz22M00w==\n-----END CERTIFICATE REQUEST-----\n","profile":"","crl_override":"","label":"","CAName":"ca-org1"}
linux1@fabric:~$
How can I avoid this error? Looking at the tutorial, I realized that the Composer connection profile has configuration like "hostnameOverride": "ca.org1.example.com". I guess I need to do the same kind of thing for fabric-ca-client.
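The error above is the TLS client's hostname check, not a trust failure: the host part of the URL given to -u (localhost) is compared with the names the CA's TLS certificate carries, and it carries only ca.org1.example.com. The code below is an added example, not fabric-ca-client or Go crypto/x509 code; it implements the matching rules Go applies (RFC 6125 style) so the failure mode is visible offline: exact, case-insensitive dNSName comparison; a wildcard only as the entire left-most label, covering exactly one label; an IP literal must appear as an iPAddress SAN and never matches a dNSName; the Common Name is not consulted at all in current Go. The failure messages are modelled on Go's wording and the SAN lists in the test are constructed. What the check implies is that the connection has to be made to a name the certificate carries, with that name resolved locally (hosts file or DNS) to the CA's address; lowering verification is not a fix.

```python
import ipaddress

def dns_name_matches(pattern, host):
    """One dNSName SAN entry against a hostname (constructed rules, RFC 6125 style)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False                        # only a whole left-most label may be a wildcard
    suffix = pattern[2:]
    if "." not in host or "." not in suffix:
        return False                        # wildcard must leave at least two fixed labels
    return host.split(".", 1)[1] == suffix  # covers exactly one label

def verify_hostname(host, dns_sans=(), ip_sans=()):
    """(ok, message): the decision a TLS client makes for the URL host against the
    certificate's SANs. Messages follow the shape of Go's x509.HostnameError."""
    host = host.strip("[]")                 # bracketed IPv6 literal as written in a URL
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(s) == ip for s in ip_sans):
            return True, ""
        if not ip_sans:
            return False, f"x509: cannot validate certificate for {host} because it doesn't contain any IP SANs"
        return False, f"x509: certificate is valid for {', '.join(ip_sans)}, not {host}"
    if any(dns_name_matches(p, host) for p in dns_sans):
        return True, ""
    if not dns_sans:
        return False, f"x509: certificate is not valid for any names, but wanted to match {host}"
    return False, f"x509: certificate is valid for {', '.join(dns_sans)}, not {host}"
```

With the CA certificate's single SAN, verify_hostname("localhost", ["ca.org1.example.com"]) reproduces the message in the log, and verify_hostname("ca.org1.example.com", ["ca.org1.example.com"]) passes; pointing ca.org1.example.com at the CA in /etc/hosts and using that name in -u is therefore what satisfies the check, unless the certificate is re-issued with localhost or the IP as an additional SAN.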

Opensource Puppet Master Setup Issue causing unable to get local issuer certificate for /CN=puppet

I have had to give up using PE to set up my puppet master :( and have been thrown into the cold cruel open-source Puppet world.
I have been trying to set up an open-source puppet master on a RHEL7 system. I am planning to do this a couple of times, so I wrote a very simple shell script. Here's the script:
#!/bin/sh
pc_rpm_name='puppetlabs-release-pc1'
pc_yum_repo_url="https://yum.puppetlabs.com/${pc_rpm_name}-el-7.noarch.rpm"
# set up puppet collection yum repo
rpm -Uvh $pc_yum_repo_url
yum -y install puppetserver
systemctl start puppetserver
/opt/puppetlabs/bin/puppet module install puppetlabs-puppetdb --version 5.1.2
I have a puppet master puppet class I wrote it is very simple:
class my_puppetmaster {
  class { 'puppetdb':
    listen_address => $::fqdn,
  }
  include puppetdb::master::config
}
I want to use hiera for my node classification so I have done this:
# pwd
/etc/puppetlabs/code/environments/production/manifests
# cat site.pp
hiera_include('classes')
I have also created this file:
# pwd
/etc/puppetlabs/code/environments/production/hieradata/nodes
# cat puppet_master.yaml
classes:
- my_puppetmaster
And here is my hiera.yaml file:
# pwd
/etc/puppetlabs/puppet
# head hiera.yaml
---
:backends:
- yaml
:hierarchy:
- "nodes/%{::trusted.certname}"
- "nodes/%{::role}"
...
I haven't gotten around to setting up a custom fact yet. I figured I could test things out at this point by rebooting the system to give everything a good shake-out and then running puppet agent -t to see what happens. When I run puppet agent -t on the puppet master I get this output:
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppet]
I guess I left something out of my set up script. So ... what did I miss?
Thanks
Red
I forgot to update my puppet.conf. I had "server = puppet"; I needed to change that to "server = fqdn of my puppet master".

How do I make Puppet serve the proper certificate?

I'm trying to connect my puppetmaster and my puppet client. I've been having trouble with the certificates. I was originally trying to use the puppetmaster's IP address (because we don't have DNS set up), but now I think I'll have to edit the hosts file when I set up a new machine to map puppet to its IP.
So once I do that, I'm still having issues. Some background: on the master, I had tried to get rid of the server certificate a few times and recreate a new one. I think that's causing the problem because the log is saying it was revoked. devtest is the puppet agent.
This is what happens when I try to test the agent.
[root@devtest puppet]# puppet agent --test --server puppet
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/pluginfacts: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Could not retrieve fact='ipaddress', resolution='<anonymous>': Could not execute 'host devtest': command not found
Could not retrieve fact='ipaddress', resolution='<anonymous>': Could not execute 'host devtest': command not found
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
If I'm understanding the first error properly, it's saying the certificate presented by the master server for servername.mydomain.com has been revoked. (I've edited the log to remove the actual server name and domain).
So I want to have puppetmaster serve up a new certificate. I go onto it, and stop the Apache service (so it doesn't hold the certificate in memory).
I then delete the ssl folder, and try to regenerate the puppet certificate:
[ZachDev@mon puppet]$ sudo puppet master --verbose --no-daemonize
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): 17:F7:19:23:E6:99:BD:DD:3D:E6:F1:DD:35:8A:A6:81:8D:96:7D:15:63:EC:51:21:65:96:D1:24:FA:97:1B:07
Notice: Signed certificate request for ca
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for 10.128.119.155
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for 10.128.119.155
Info: Certificate Request fingerprint (SHA256): BE:C8:B9:FF:1F:7A:49:1F:4F:97:E4:37:A3:9E:12:19:6F:41:3B:DB:DE:CB:AA:03:D8:02:94:D1:68:49:13:9C
Notice: 10.128.119.155 has a waiting certificate request
Notice: Signed certificate request for 10.128.119.155
Notice: Removing file Puppet::SSL::CertificateRequest 10.128.119.155 at '/etc/puppet/ssl/ca/requests/10.128.119.155.pem'
Notice: Removing file Puppet::SSL::CertificateRequest 10.128.119.155 at '/etc/puppet/ssl/certificate_requests/10.128.119.155.pem'
Notice: Starting Puppet master version 3.6.2
^CNotice: Caught INT; calling stop
That worked. Now I restart Apache, and get an error. systemctl status httpd.service doesn't say anything useful, but /var/log/httpd/puppet-server-example.com_ssl_error.log does:
[Fri Aug 01 18:48:49.383002 2014] [ssl:warn] [pid 25661] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Aug 01 18:48:49.383028 2014] [ssl:warn] [pid 25661] AH01909: RSA certificate configured for servername.mydomain.com:8140 does NOT include an ID which matches the server name
[Fri Aug 01 18:48:49.383044 2014] [ssl:emerg] [pid 25661] AH02238: Unable to configure RSA server private key
[Fri Aug 01 18:48:49.383071 2014] [ssl:emerg] [pid 25661] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
At this point, I'm just guessing at what the config file settings should be. I assume some config files need to be changed -- either the Apache config or the Puppet config, but at this point I'm not sure what the right certificates are. I have certificates in /var/lib/puppet/ssl and in /etc/puppet/ssl.
There are multiple issues with your setup. You are indeed right that you need to:
- pick an FQDN for the master and make sure the agents can resolve it, either via their respective hosts files or through dnsmasq;
- tell the master to use that name as its SSL CN.
First, make sure the master uses the correct name. Add this to /etc/puppet/puppet.conf on the master:
[master]
certname=server.mydomain.com
Restart the master. It should sign a new certificate for itself (note how it considered 10.128.119.155 to be its name and used that as the CN - this is not sensible).
Next, make sure Apache uses this certificate instead of the CA certificate.
SSLCertificateFile /var/lib/puppet/ssl/certs/server.mydomain.com.pem
(You can make sure /var/lib/puppet/ssl is the correct path using puppet master --configprint ssldir).
Your master should now have a valid certificate to present. If an agent reaches it through its FQDN, the SSL handshake should succeed.
