Using elasticsearch 7.9.3 with TLS security. I can connect to it via python, curl and openssl using the ca certificates I generated.
# These work, but this is a fake domain name
openssl s_client -connect node0:9200 -CAfile /etc/elasticsearch/certs/ca.pem
curl --cacert /etc/elasticsearch/certs/ca.crt -u "elastic:$ELASTIC_PASS" 'https://node0.elastic.test.com:9200/_cat/health'
# Node / elasticdump is not happy
$ elasticdump --input=./account_mapping.json --output="https://elastic:$ELASTIC_PASS@node0.elastic.test.com:9200/account" --type=mapping
Thu, 19 Nov 2020 21:28:50 GMT | starting dump
Thu, 19 Nov 2020 21:28:50 GMT | got 1 objects from source file (offset: 0)
Thu, 19 Nov 2020 21:28:50 GMT | Error Emitted => unable to verify the first certificate
Thu, 19 Nov 2020 21:28:50 GMT | Error Emitted => unable to verify the first certificate
Thu, 19 Nov 2020 21:28:50 GMT | Total Writes: 0
Thu, 19 Nov 2020 21:28:50 GMT | dump ended with error (get phase) => Error: unable to verify the first certificate
$ npm config set cafile /etc/elasticsearch/certs/ca.pem
# same result
Thu, 19 Nov 2020 21:28:50 GMT | dump ended with error (get phase) => Error: unable to verify the first certificate
$ elasticdump --input=../account_mapping.json --output="https://elastic:$ELASTIC_PASS@node1.elastic.test.com:9200/account" --type=mapping --output-ca=/etc/elasticsearch/certs/ca.pem
# same result
Other posts suggested running with NODE_TLS_REJECT_UNAUTHORIZED=0, but that did not fix the problem in this case.
It works if you provide tlsAuth AND output-ca flags.
$ elasticdump --input=./account_mapping.json --output="https://elastic:$ELASTIC_PASS@node0.elastic.test.com:9200/account" --type=mapping --tlsAuth --output-ca=/etc/elasticsearch/certs/ca.pem
The first type of error occurs when I run the listener on my Windows 10 using a terminal (powershell). The listener (remixd) starts OK then when I go to connect to the browser session I get the following:
PS C:\Windows\System32> remixd -s D:\zz210201_shared_folder --remix-ide https://remix.ethereum.org
[WARN] You may now only use IDE at https://remix.ethereum.org to connect to that instance
[WARN] Any application that runs on your computer can potentially read from and write to all files in the directory.
[WARN] Symbolic links are not forwarded to Remix IDE
Wed Feb 03 2021 18:29:11 GMT+0700 (Indochina Time) Remixd is listening on 127.0.0.1:65520
setup notifications for D:\zz210201_shared_folder
Error: Error: EPERM: operation not permitted, lstat 'D:\System Volume Information'
When I use the desktop version I get the following errors when trying to make the connection.
Wed Feb 03 2021 18:13:57 GMT+0700 (Indochina Time) Remixd is listening on 127.0.0.1:65520
Wed Feb 03 2021 18:14:14 GMT+0700 (Indochina Time) Connection from origin package://6fd22d6fe5549ad4c4d8fd3ca0b7816b.mod rejected.
Wed Feb 03 2021 18:14:15 GMT+0700 (Indochina Time) Connection from origin package://6fd22d6fe5549ad4c4d8fd3ca0b7816b.mod rejected.
Wed Feb 03 2021 18:14:29 GMT+0700 (Indochina Time) Connection from origin package://6fd22d6fe5549ad4c4d8fd3ca0b7816b.mod rejected.
Wed Feb 03 2021 18:14:30 GMT+0700 (Indochina Time) Connection from origin package://6fd22d6fe5549ad4c4d8fd3ca0b7816b.mod rejected.
Wed Feb 03 2021 18:18:31 GMT+0700 (Indochina Time) Connection from origin https://remix.ethereum.org rejected.
Wed Feb 03 2021 18:18:32 GMT+0700 (Indochina Time) Connection from origin https://remix.ethereum.org rejected.
Not sure how to proceed to get it working. Any clues appreciated.
Fix Remixd EPERM error
npm uninstall -g remixd
npm install -g @remix-project/remixd --force
I'm quite new to OpenWRT and I'm facing some problems here.
I set up the OpenVPN server on Ubuntu using the OpenVPN Access Server web GUI, and correspondingly I got the client profile client.ovpn. I also enabled "Google Authenticator Multi-Factor Authentication". When I configured a client using client.ovpn, it worked perfectly on my phone and my other PC, but it just failed when I tried to start a client on OpenWRT on my router.
According to https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-linux/, I used openvpn --config client.ovpn --auth-user-pass --auth-retry interact to start a connection, and I was prompted for a username and a password, which makes sense, but then I was never prompted for the authenticator code. Actually, when I looked at the response, it did ask me for a code, but I never had a place to enter it. Instead, it asked me to enter the username again, thus dropping into a loop. See below (the fourth line from the bottom):
root@OpenWrt:/etc/openvpn# openvpn --config client_gui.ovpn --auth-retry interact
Mon Mar 9 19:01:18 2020 Unrecognized option or missing or extra parameter(s) in client_gui.ovpn:124: static-challenge (2.4.7)
Mon Mar 9 19:01:18 2020 OpenVPN 2.4.7 mipsel-openwrt-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Mar 9 19:01:18 2020 library versions: mbed TLS 2.16.3, LZO 2.10
Enter Auth Username:london
Enter Auth Password:
Mon Mar 9 19:01:24 2020 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Mon Mar 9 19:01:24 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Mar 9 19:01:24 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Mar 9 19:01:24 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Mar 9 19:01:24 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.8.222:1194
Mon Mar 9 19:01:24 2020 Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Mar 9 19:01:24 2020 UDP link local: (not bound)
Mon Mar 9 19:01:24 2020 UDP link remote: [AF_INET]192.168.8.222:1194
Mon Mar 9 19:01:24 2020 TLS: Initial packet from [AF_INET]192.168.8.222:1194, sid=fb509f08 f4ae8b1f
Mon Mar 9 19:01:24 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Mar 9 19:01:24 2020 VERIFY OK: depth=1, CN=OpenVPN CA
Mon Mar 9 19:01:24 2020 VERIFY OK: nsCertType=SERVER
Mon Mar 9 19:01:24 2020 VERIFY OK: depth=0, CN=OpenVPN Server
Mon Mar 9 19:01:24 2020 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384, 2048 bit key
Mon Mar 9 19:01:24 2020 [OpenVPN Server] Peer Connection Initiated with [AF_INET]192.168.8.222:1194
Mon Mar 9 19:01:25 2020 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Mon Mar 9 19:01:25 2020 AUTH: Received control message: AUTH_FAILED,CRV1:R,E:PG_09HT0rZcjdFd6GnA:bG9uZG9u:Enter Authenticator Code
Mon Mar 9 19:01:25 2020 SIGUSR1[soft,auth-failure] received, process restarting
Mon Mar 9 19:01:25 2020 Restart pause, 5 second(s)
Enter Auth Username:
How can I solve this problem? Is there anything to be modified in client.ovpn? Thank you!
In 18.04, create a file userpass in the same directory as client.ovpn.
userpass should contain 2 lines:
username in the first line
password in the second line
Save the file, open a new terminal, and execute the script.
openvpn --config client.ovpn --auth-user-pass userpass --auth-retry interact
In 16.04
Execute the following code
sudo -s
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt-get update
apt-get dist-upgrade
Create a file userpass in the same directory as client.ovpn.
userpass should contain 2 lines:
username in the first line
password in the second line
Save the file, open a new terminal, and execute the script.
openvpn --config client.ovpn --auth-user-pass userpass --auth-retry interact
I am using the ssh2 node module to connect via ssh to a server. After which I run a command to list print queues and put them into an array; the command is lpstat -o.
When I use putty and ssh into a server and run this command, I get data returned like this:
LABEL008-2287 printeng 1024 Tue 08 Oct 2019 08:30:20 AM CDT
LABEL008-2288 printeng 1024 Tue 08 Oct 2019 08:30:20 AM CDT
LABEL002-2292 printeng 1024 Tue 08 Oct 2019 10:05:11 AM CDT
LABEL002-2293 printeng 1024 Tue 08 Oct 2019 10:05:11 AM CDT
However, when I use nodejs and run the command, the data at times comes inconsistently (cut off) like this:
LABEL008-2287 printeng 1024 Tue Oct 8 08:30:20 2019
LABEL008-2288 printeng 1024 Tue Oct 8 08:30:20 2019
LABEL002-2294 printeng 1024 Tue Oct 8 10:05:12 2019
LABEL002-2298 printeng 1024 Tue Oct 8 10:05:12
2019
LABEL008-2299 printeng 1024 Tue Oct 8 10:05:15 2019
LABEL008-2300 printeng 1024 Tue Oct 8 10:05:17 2019
This is troublesome as I need to split the data by newline '\n' and put it into an array, which I am achieving like so:
}).on('data', function(data) {
const myArray = data.toString().split('\n');
I am not sure if this is an issue or limitation with the node module itself or if I am missing an option or configuration with how the data stream should be handled.
I use the ESB with many different proxies.
One of them is sending the messages to other proxy endpoints. All the proxies are in the ESB.
At the moment those Endpoint Proxies are not secured. I like to use scenario1 as security for them.
But how can I send the message to those Endpoints? That means: How can I add a security header with username and password in my proxy configuration so that I can authenticate, maybe with user "admin" and password "admin"?
As I understand, you need to secure the proxy and forward it to an unsecured back-end service.
For this, you can try the following steps from the WSO2 ESB Management Console. I tried this from WSO2 ESB 4.7.0.
Add a pass through proxy service.
View the proxy from Service Dashboard.
Click on "Security" for the service.
Select "Yes" for "Enable Security?"
Select "UsernameToken" and click Next. This is Scenario 1, as you mentioned. It uses the WS-Security standard with Username Token.
You can select "admin" group here and click on "Finish"
Now the security will be enabled for your service.
The proxy service now needs authentication and you can use "admin" user now. (Or any user you have added).
If you are using a Java client, it might be easier to use Axis2 with Rampart module engaged. There are many examples of this.
See following links.
http://blog.facilelogin.com/2008/11/security-policy-with-rampart.html (This has a simple client)
http://blog.thilinamb.com/2009/08/securing-web-service-with-username.html
I tested this using SoapUI. You can pass username and password from request properties.
Your request will be similar to following.
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "POST /services/SimpleStockQuoteService.SimpleStockQuoteServiceHttpsSoap12Endpoint HTTP/1.1[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "Accept-Encoding: gzip,deflate[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "Content-Type: application/soap+xml;charset=UTF-8;action="urn:getQuote"[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "Content-Length: 1195[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "Host: isurup-ThinkPad-T530:8243[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "Connection: Keep-Alive[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "User-Agent: Apache-HttpClient/4.1.1 (java 1.5)[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "[\r][\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "<soap:Envelope xmlns:ser="http://services.samples" xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsd="http://services.samples/xsd">[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " <soap:Header><wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Timestamp wsu:Id="TS-63"><wsu:Created>2013-08-20T19:45:32Z</wsu:Created><wsu:Expires>2013-08-20T21:08:52Z</wsu:Expires></wsu:Timestamp><wsse:UsernameToken wsu:Id="UsernameToken-62"><wsse:Username>admin</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password><wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">WG8iV7vik8QqZkzlaIabWg==</wsse:Nonce><wsu:Created>2013-08-20T19:45:32.861Z</wsu:Created></wsse:UsernameToken></wsse:Security></soap:Header>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " <soap:Body>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " <ser:getQuote>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " <ser:request>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " <xsd:symbol>WSO2</xsd:symbol>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " </ser:request>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " </ser:getQuote>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> " </soap:Body>[\n]"
Wed Aug 21 01:15:32 IST 2013:DEBUG:>> "</soap:Envelope>"
Update
If the back-end service is also secured, you can refer following blog post.
http://soasecurity.org/2012/11/05/how-to-invoke-secured-backend-service-using-wso2-esb/
In the calling proxy service you can configure a property as follows,
<property name="Authorization"
expression="fn:concat('Basic ', base64Encode('admin:admin'))"
scope="transport"
type="STRING"/>
With this, the basicAuth header will be set in the request to the called proxy service.
Hope this helps.
You can simply use curl to invoke the secured proxy service like below.
curl -k --basic -u admin:admin https://localhost:8243/services/PoxSecurityProxy.POXSecurityProxyHttpsSoap11Endpoint/echoString?in=Chanaka
In your scenario, you need to invoke a secured backend (another proxy service) using a proxy service. To do this you will need to write security policies. Refer to the blog post at [1].
[1] http://soasecurity.org/2012/11/05/how-to-invoke-secured-backend-service-using-wso2-esb/
I tried the method with different parameter
I have password.
Here below password is mypassword
1)
root$ echo mypassword || openvpn client.conf.ovpn
the result was display:
mypassword
2)
root$ openvpn client.warriors.conf.ovpn || echo mypassword
the result was display:
Thu Jun 28 00:00:00 2012 us=757575 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Enter Private Key Password:
(still need to enter the password manually)
I don't want to have to enter the password manually. How can I achieve this?
3)
DUDE
After running the script it exit out with following:
Fri Jun 29 11:56:59 2012 us=707916 cf_max = 0
Fri Jun 29 11:56:59 2012 us=707925 cf_per = 0
Fri Jun 29 11:56:59 2012 us=707934 max_clients = 1024
Fri Jun 29 11:56:59 2012 us=707944 max_routes_per_client = 256
Fri Jun 29 11:56:59 2012 us=707953 auth_user_pass_verify_script = '[UNDEF]'
Fri Jun 29 11:56:59 2012 us=707963 auth_user_pass_verify_script_via_file = DISABLED
Fri Jun 29 11:56:59 2012 us=707973 ssl_flags = 0
Fri Jun 29 11:56:59 2012 us=707982 port_share_host = '[UNDEF]'
Fri Jun 29 11:56:59 2012 us=707992 port_share_port = 0
Fri Jun 29 11:56:59 2012 us=708001 client = ENABLED
Fri Jun 29 11:56:59 2012 us=708010 pull = ENABLED
Fri Jun 29 11:56:59 2012 us=708020 auth_user_pass_file = '[UNDEF]'
Fri Jun 29 11:56:59 2012 us=708032 OpenVPN 2.1.0 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
Fri Jun 29 11:56:59 2012 us=708131 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Enter Private Key Password:
Fri Jun 29 11:56:59 2012 us=726649 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jun 29 11:56:59 2012 us=726805 WARNING: file 'client-team-20110222.key' is group or others accessible
Fri Jun 29 11:56:59 2012 us=727136 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Fri Jun 29 11:56:59 2012 us=875611 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Jun 29 11:56:59 2012 us=876742 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Fri Jun 29 11:56:59 2012 us=876777 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Jun 29 11:56:59 2012 us=876788 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Jun 29 11:56:59 2012 us=876810 Local Options hash (VER=V4): 'd902a8f8'
Fri Jun 29 11:56:59 2012 us=876825 Expected Remote Options hash (VER=V4): '7e078940'
Fri Jun 29 11:56:59 2012 us=877124 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Fri Jun 29 11:56:59 2012 us=877145 Attempting to establish TCP connection with [AF_INET]89.105.130.193:444 [nonblock]
Fri Jun 29 11:57:00 2012 us=877280 TCP connection established with [AF_INET]89.105.130.193:444
Fri Jun 29 11:57:00 2012 us=877337 Socket Buffers: R=[87380->131072] S=[16384->131072]
Fri Jun 29 11:57:00 2012 us=877353 TCPv4_CLIENT link local: [undef]
Fri Jun 29 11:57:00 2012 us=877364 TCPv4_CLIENT link remote: [AF_INET]89.105.130.193:444
Fri Jun 29 11:57:00 2012 us=877568 TLS: Initial packet from [AF_INET]89.105.130.193:444, sid=c5d843bc e9f3e6ab
Fri Jun 29 11:57:04 2012 us=105788 VERIFY OK: depth=1, /C=IE/ST=NA/L=DUB/O=ABC.OpenVPN/OU=server-terminus/CN=terminus/emailAddress=ops@abc.com
Fri Jun 29 11:57:04 2012 us=106189 VERIFY OK: nsCertType=SERVER
Fri Jun 29 11:57:04 2012 us=106202 VERIFY OK: depth=0, /C=IE/ST=NA/O=abc.OpenVPN/OU=server-terminus/CN=terminus/emailAddress=ops@abc.com
root@bond$
It exits in this way; is that normal?
In my openvpn.conf:
...
askpass /etc/openvpn/jdoe.pass <<< new line here
ca /etc/openvpn/jdoe_ca.crt
cert /etc/openvpn/jdoe.crt
key /etc/openvpn/jdoe.key
...
The file /etc/openvpn/jdoe.pass just contains the password.
You can chmod this file to 600.
This method saved my life... ;-)
Ubuntu 12.04.4 LTS
OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 13 2014
How about storing it into a file and using --askpass /your/file? --askpass option was added in OpenVPN version 2.0-beta20, Maverick has version 2.1.0-3ubuntu1.
Try a shell script such as:
#!/usr/bin/expect -f
spawn openvpn client.warriors.conf.ovpn
match_max 100000
expect "*?assword:*"
send -- "mypassword"
send -- "\r"
expect eof
You'll need to chmod +x this; you can also set it as an environment variable so you don't have to type out the directory.
Looks like they got this script to work: https://unix.stackexchange.com/questions/9055/establish-openvpn-tunnel-in-bash-script
I think you just swapped the | and || operators.
| plugs the standard output of the previous command into the standard input of the next command.
|| launches the second command only if the first command fails (exit code != 0).
This command should work:
root$ echo mypassword | openvpn client.conf.ovpn