Develop Reference

Use openvpn client on a docker container

I'm trying to make a docker container which uses OpenVPN to connect to my private internet access VPN and to download some data from a web server, but when i try to connect to PIA i get an error:
2022-12-07 12:08:03 [oslo403] Peer Connection Initiated with [AF_INET]**.***.***.***:1198
2022-12-07 12:08:03 sitnl_send: rtnl: generic error (-101): Network unreachable
2022-12-07 12:08:03 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
2022-12-07 12:08:03 Exiting due to fatal error
I've tried to create a /dev/net/tun device manually:
RUN mkdir -p /dev/net && mknod /dev/net/tun c 10 200 && chmod 600 /dev/net/tun
But then i get this error:
2022-12-07 12:12:35 sitnl_send: rtnl: generic error (-101): Network unreachable
2022-12-07 12:12:35 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
2022-12-07 12:12:35 Exiting due to fatal error
Everything is running as root so that is not the issue.
Here is my complete dockerfile:
FROM alpine
RUN apk update && apk add bash openvpn wget unzip
# This section downloads PIA's configuration and adds login information to it.
RUN mkdir /vpn
RUN echo "********" > /vpn/login.txt
RUN echo "********" >> /vpn/login.txt
RUN wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
RUN unzip openvpn.zip -d /vpn
RUN sed -i "s/auth-user-pass/auth-user-pass \/vpn\/login.txt/" /vpn/*
# Here is my attempted fix for the problem
RUN mkdir -p /dev/net && mknod /dev/net/tun c 10 200 && chmod 600 /dev/net/tun
ENTRYPOINT [ "openvpn", "/vpn/norway.ovpn" ]
I would love some help with this. Really all I want is an example where you use openvpn with docker to for example
curl api.ipify.org

You need to add this argument to the docker command:
--cap-add=NET_ADMIN
Network changes done by OpenVPN require extra permissions provided by the NET_ADMIN capability.

Insert or Update self-signed cert into Docker Container

I am aware, self signed cert should be written in docker file etc:
FROM mcr.microsoft.com/dotnet/aspnet:5.0-buster-slim AS base
WORKDIR /app
COPY <my path>/<cert name>.crt /usr/local/share/ca-certificates/<cert name>.crt
RUN update-ca-certificates
I decided to remove the above mentioned line of codes (line 2 and 3) and intend to install the crt as follows:
In the power shell
docker cp <location of the .crt> <image id>:/usr/local/share/ca-certificates/<filename>.crt
Go to the docker image's CLI and, in /app, run
update-ca-certificates
And then restart the affected container.
I tried to curl the link. I encounter this error:
curl: (77) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
What are steps I've missed? I also have install the .pfx in the trusted root and the container is running in Linux.
Also anyone mind sharing how one updates their crt in docker container when the crt is about to expiry?

Git clone from gitlab fails on linux, while working in Windows git bash

I'm new to Linux, just installed Lubuntu and faced the problem -
when i'm trying to clone my remote work repo from my company's git:
$ sudo git clone https://path/to/repo.git
I keep on receiving error:
Cloning into 'repo'...
fatal: unable to access 'https://path/to/repo.git/': server certificate verification failed. CAfile: none CRLfile: none
I know it's mentioning certificates, but i do not have any. And before, i worked on windows and was able to simply git clone this repo without any certs.

This error means that the git client cannot verify the integrity of the certificate chain or root. The proper way to resolve this issue is to make sure the certificate from the remote repository is valid, and then added to the client system.
Update list of public CA
The first thing I would recommend is to simply update the list of root CA known to the system as show below.
# update CA certificates
sudo apt-get install apt-transport-https ca-certificates -y
sudo update-ca-certificates
This may help if you are dealing with a system that has not been updated for a long time, but of course won’t resolve an issue with private certs.
Fetch certificates, direct connection
The error from the git client will be resolved if you add the certs from the remote git server to the list of locally checked certificates. This can be done by using openssl to pull the certificates from the remote host:
openssl s_client -showcerts -servername git.mycompany.com -connect git.mycompany.com:443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > git-mycompany-com.pem
This will fetch the certificate used by “https://git.mycompany.com”, and copy the contents into a local file named “git-mycompany-com.pem”.
Fetch certificates, web proxy
If this host only has access to the git server via a web proxy like Squid, openssl will only be able to leverage a squid proxy if you are using a version of OpenSSL 1.1.0 and higher. But if you are using an older version of OpenSSL, then you will need to workaround this limitation by using something like socat to bind locally to port 4443, and proxy the traffic through squid and to the final destination.
# install socat
sudo apt-get install socat -y
# listen locally on 4443, send traffic through squid "squidhost"
socat TCP4-LISTEN:4443,reuseaddr,fork PROXY:squidhost:git.mycompany.com:443,proxyport=3128
Then in another console, tell OpenSSL to pull the certificate from the localhost at port 4443.
openssl s_client -showcerts -servername git.mycompany.com -connect 127.0.0.1:4443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > git-mycompany-com.pem
Add certificate to local certificate list
Whether by proxy or direct connection, you now have a list of the remote certificates in a file named “git-mycompany-com.pem”. This file will contain the certificate, its intermediate chain, and root CA certificate.
The next step is to have this considered by the git client when connecting to the git server. This can be done by either adding the certificates to the file mentioned in the original error, in which case the change is made globally for all users OR it can be added to this single users’ git configuration.
** Adding globally **
cat git-mycompany-com.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt
** Adding for single user **
git config --global http."https://git.mycompany.com/".sslCAInfo ~/git-mycompany-com.pem
Which silently adds the following lines to ~/.gitconfig
[http "https://git.mycompany.com/"]
sslCAInfo = /home/user/git-mycompany-com.pem
Avoid workarounds
Avoid workarounds that skip SSL certification validation. Only use them to quickly test that certificates are the root issue, then use the sections above to resolve the issue.
git config --global http.sslverify false
export GIT_SSL_NO_VERIFY=true

I know there is an answer already. Just for those who use a private network, like Zscaler or so, this error can occur if your rootcert needs to be updated. Here a solution on how this update can be achieve if using WSL on a Windows machine:
#!/usr/bin/bash
# I exported the Zscaler certifcate out of Microsoft Cert Manager. It was located under 'Trusted Root Certification > Certificates' as zscaler_cert.cer.
# Though the extension is '.cer' it really is a DER formatted file.
# I then copied that file into Ubuntu running in WSL.
# Convert DER encoded file to CRT.
openssl x509 -inform DER -in zscaler_cert.cer -out zscaler_cert.crt
# Move the CRT file to /usr/local/share/ca-certificates
sudo mv zscaler_cert.crt /usr/local/share/ca-certificates
# Inform Ubuntu of new cert.
sudo update-ca-certificates

Adding a fedora repository and including the gpgkey (dnf)

i have a Linux system where dnf packet manager is installed but no package sources are enabled.
So i created a directory "/etc/yum.repos.d" in this directory i have the files fedora.repo, fedora-updates.repo and fedora-updates-testing.repo.
However whenever i try to do dnf -update -v i get the following error message:
DNF version: 1.1.9 Cannot download 'https://packages.grafana.com/oss/rpm': Cannot download repomd.xml: Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://packages.grafana.com/oss/rpm/repodata/repomd.xml [error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none]. Cannot download 'https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=i386': Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=i386 [SSL certificate problem: unable to get local issuer certificate]. Fehler: Failed to synchronize cache for repo 'updates'
I think the error is due to the non existant gpgkey-files. In the .repo file there is the following line: gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-releasever-$basearch
But this directory doesn't exist in my system.
So my question is, where or how do I get those gpgkey-files?

Cannot run peer because cannot init crypto

I want to run the facbar-samples on windows10,reference the http://hyperledger-fabric.readthedocs.io/en/latest/write_first_app.html but get the error:
$ ./startFabric.sh
orderer.example.com is up-to-date
couchdb is up-to-date
peer0.org1.example.com is up-to-date
cli is up-to-date
2017-07-05 08:17:06.550 UTC [main] main -> ERRO 001 Cannot run peer because
cannot init crypto, missing /etc/hyperledger/fabric/C:/Program
Files/Git/etc/hyperledger/msp/users/Admin#org1.example.com/msp folder
some that I have installed:
$ npm -v
5.0.4
$ node -v
v6.11.0
$ curl -V
curl 7.54.0 (x86_64-w64-mingw32) libcurl/7.54.0 OpenSSL/1.0.2l zlib/1.2.11
libssh2/1.8.0 nghttp2/1.23.1 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2
HTTPS-proxy Metalink
$ docker --version
Docker version 17.06.0-ce, build 02c1d87
$ docker-compose --version
docker-compose version 1.14.0, build c7bdf9e3
$ git --version
git version 2.13.1.windows.2
Please help ,Thanks.

This is a problem with mingw64 which is messing with the filepaths.
The solution is to set the following environment variable before running startFabric.sh :
export MSYS_NO_PATHCONV=1
A fix was just submitted to fabric to do that for you so if you pull the latest version from the master branch it should work. Otherwise, just set that variable and that should solve your problem.
Arnaud

The problem is incorrect path to certificates (look for windows path string between /fabric and /etc)
/etc/hyperledger/fabric/C:/ProgramFiles/Git/etc/hyperledger/msp/users/Admin#org1.example.com/msp
You can try next :
add path to certificate as environment variable to docker compose file at peer section
start network using docker-compose -f "path_to_file"
manually run instructions in startFabric.sh at peer and cli.
then you can successfully run node query.js for testing network work

The double // in the path will fix this. Update in all the places where docker exec command used
for e.g. MSPCONFIGPATH=//etc/hyperledger....
Also certificates have to be generated before you could get your network running

Do this ./byfn.sh -m down first and then run ./byfn.sh generate then ./byfn.sh -m up

This may happen possibly when the network.sh is set to down. So, try bringing it up with the -ca flags and check. Worked for me.

Before you run the fabcar-samples, I think that you have to execute some steps from the "Building Your First Network" chapter. It seems that you haven't got the required certificates to start the network. Also, you should generate the genesis block, the channel configuration transaction and the anchor peers.
You can do it by executing the ./byfn.sh -m generate command. For more information: http://hyperledger-fabric.readthedocs.io/en/latest/build_network.html#generate-network-artifacts

I faced the same using Fabric 2.2's Test-Network. To resolve,
Start docker again
Set FABRIC_CFG_PATH, CORE_PEER_TLS_ENABLED, CORE_PEER_LOCALMSPID, CORE_PEER_TLS_ROOTCERT_FILE, CORE_PEER_ADDRESS and CORE_PEER_MSPCONFIGPATH again
Run your queries from the test-network sub-directory.