WAS Server - Event Viewer error and IIS Log Error - iis

I am trying to start the WAS service and I get this error in Event Viewer:
Windows Process Activation Service (WAS) is stopping because it encountered an error. The data field contains the error number.
So then I checked the error in the iis.log file:
[04/21/2020 11:31:00] [ ***** IIS 10.0 Component Based Setup ***** ]
[04/21/2020 11:31:00] .\inetsrv\iissetup.exe /keygen
[04/21/2020 11:31:00] Created NetFrameworkConfigurationKey key containter
[04/21/2020 11:31:00] Created NetFrameworkConfigurationKey user key
[04/21/2020 11:31:00] Set ACLs on NetFrameworkConfigurationKey
[04/21/2020 11:31:00] Failed to create iisCngConfigurationKey key container (result=0x80090009)
[04/21/2020 11:31:00] < !!FAIL!! > Failed to create the iisCngConfigurationKey key container (result=0x80090009)
[04/21/2020 11:31:00] < !!FAIL!! > Generating IIS CNG Configuration Key Container (result=0x80090009)
[04/21/2020 11:31:00] < !!FAIL!! > Key Generation result=0x80090009
[04/21/2020 11:31:00] [ End of IIS 10.0 Component Based Setup ]
I went to my RSA machine keys folder: C:\Users\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
I understand I am supposed to back up and delete the three old RSA machine keys: (1) NetFrameworkConfigurationKey, (2) iisWasKey, (3) iisConfigurationKey. However, I can only find NetFrameworkConfigurationKey in my RSA folder, which I backed up and then deleted.
This is why you can see in the iis.log error that it already created NetFrameworkConfigurationKey but not iisWasKey nor iisConfigurationKey.
What I see in my RSA folder is only two files: NetFrameworkConfigurationKey (d6d986f09a1ee04e24c949879fdb506c_) and another file that I do not recognise (5402d5bd55de56397226e45a085a4bbc_).
I could not find the iisWasKey file (76944fb33636aeddb9590521c2e8815a_) or the iisConfigurationKey file (6de9cb26d2b98c01ec4e9e8b34824aa2_) in my RSA folder.
Are they somewhere else, or am I supposed to import the rest of the keys?
Thanks

Try the following commands:
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WAS\Parameters /v GenerateKeys /f
net start w3svc
This allowed the keys to be regenerated and the IIS AppPools could then be started.
Source: https://social.technet.microsoft.com/Forums/en-US/103c6224-52ee-41de-aa77-1a7e437e55ce/iis-on-win10-dp-wont-start-after-1903-feature-update#:~:text=%22Failed%20to%20create%20iisCngConfigurationKey%20key%20container%22%20%22Failed%20to,need%20to%20delete%2C%20such%20as%20the%20following%20one.

Related

Log files not being generated by chainlink

I build my v 1.1.1 nodes from source and cannot find the logs when I run the executable - logs in user friendly format are supposed to generate in the $ROOT directory, according to the configuration settings here https://docs.chain.link/chainlink-nodes/v1/configuration#logging but without $ROOT set and with $ROOT set, no logs are appearing.
(They should show in ~/.chainlink - which is autogenned and has the secret in it when chainlink runs)
Not sure why there are no logs?
I also tried this by setting $ROOT to another directory (~/chainlinlops); when I restarted the server there were still no logs (though the secret file was generated there).
In your .env set LOG_TO_DISK=true

Gitlab integration with Hashicorp Vault

I have integrated my self hosted Gitlab with Hashicorp vault. I have followed the steps here https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/ and tried to run the pipeline.
I am receiving the certificate error while running the pipeline.
Error writing data to auth/jwt/login: Put "https://vault.systems:8200/v1/auth/jwt/login": x509: certificate signed by unknown authority
My .gitlab-ci.yml file:
Vault Client:
  image:
    name: vault:latest
    entrypoint:
      - '/usr/bin/env'
      - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
  script:
    - export VAULT_ADDR=https://vault.systems:8200/
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=staging jwt=$CI_JOB_JWT)"
    - export PASSWORD="$(vault kv get -field=password kv/project/staging/db)"
    - echo $PASSWORD
If I use the -tls-skip-verify flag then it works fine.
Do I need to place the self-signed server certificate somewhere on the Vault server or the GitLab server?
Please let me know if anyone has any ideas on this one.
The containers that are managed by the docker/kube executor must be configured to trust the self-signed cert(s). You can edit the config.toml for your runner to mount in the trusted certs/CA roots to GitLab CI job containers
For example, on Linux-based docker executors:
[[runners]]
  name = "docker"
  url = "https://example.com/"
  token = "TOKEN"
  executor = "docker"
  [runners.docker]
    image = "ubuntu:latest"
    # Add path to your ca.crt file in the volumes list
    volumes = ["/cache", "/path/to-ca-cert-dir/ca.crt:/etc/gitlab-runner/certs/ca.crt:ro"]
See the docs for more info.
I was able to solve this by using the variable VAULT_CACERT in my gitlab.yml file:
- export VAULT_CACERT=/etc/gitlab-runner/certs/ca.crt
The certificate path here is the path inside the mounted container, which we specify when the container is started.
Posting this so if anyone is looking for it, this is the solution. :)
Error writing data to auth/jwt/login: Put "https://vault.systems:8200/v1/auth/jwt/login": x509: certificate signed by unknown authority
The error you're receiving is being returned from Vault, so it's Vault that you need to get to accept that certificate. There's a decent note on how to do it in the Deployment Guide. (I used to work for HashiCorp Vault so I knew where to dig it up.)
You can use -tls-skip-verify in your vault command, vault kv get -tls-skip-verify -field=password kv/project/staging/db, or if you have Vault's CA cert you have to export the CA cert path by setting VAULT_CACERT to the right path.
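The following is an added example, not code from any of the answers above: it builds a throwaway private CA and a server certificate for the hostname from the question (vault.systems, all material constructed here), then runs the two checks a TLS client performs, chain-to-trusted-root and hostname match, so you can see what mounting ca.crt and setting VAULT_CACERT supplies and what -tls-skip-verify silently discards.

```shell
#!/bin/sh
# Added example: reproduce "certificate signed by unknown authority" with
# constructed certificates and show what supplying the CA file changes.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Constructed private CA (what the GitLab runner must mount into job containers).
openssl req -x509 $KEYOPTS -subj "/CN=Constructed Internal CA" -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# Constructed server certificate for vault.systems, signed by that CA, with a SAN.
openssl req $KEYOPTS -subj "/CN=vault.systems" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
printf 'subjectAltName=DNS:vault.systems\n' > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.cnf" -out "$WORK/srv.crt" 2>/dev/null
# An unrelated CA stands in for whatever the job container already trusts.
openssl req -x509 $KEYOPTS -subj "/CN=Unrelated CA" -days 1 \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

CA_FILE="$WORK/ca.crt"; SRV_CERT="$WORK/srv.crt"; OTHER_CA="$WORK/other.crt"

# verify_vault_cert CA_FILE CERT_FILE HOSTNAME
# Succeeds only if CERT_FILE chains to CA_FILE and its SAN matches HOSTNAME,
# the same two conditions the vault CLI's TLS client enforces.
verify_vault_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

if verify_vault_cert "$CA_FILE" "$SRV_CERT" vault.systems; then
    echo "trusted: srv.crt chains to ca.crt (this is what VAULT_CACERT points at)"
fi
if ! verify_vault_cert "$OTHER_CA" "$SRV_CERT" vault.systems; then
    echo "rejected: issuer not in the trust store (the x509 error in the question)"
fi
if ! verify_vault_cert "$CA_FILE" "$SRV_CERT" wrong.example; then
    echo "rejected: correct CA but hostname mismatch; -tls-skip-verify hides both failures"
fi
```

The mounted ca.crt from the runner config above is exactly the file to pass as CA_FILE in a real job.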

How to get access to local machine certificate in a windows service running in docker container?

I'm having trouble finding a certificate by thumbprint in a windows service that's running in a docker container. I'm very new to Docker and I appreciate it if someone can point me to the right direction.
Verified the thumbprint being searched is correct.
I've tried to manually install the cert to the container:
Import-PfxCertificate -FilePath C:\cert.pfx -CertStoreLocation Cert:\LocalMachine\Root -Exportable -Password $Secure_String_Pwd
Verified it is installed in the right location.
I've tried to give "Everyone" FullControl access to the private key.
This is the code in the windows service that tries to find the cert. I'm getting 0 in results from certStore.Certificates.Find() function. This is returning one result when run in a VM with the same certificate installed.
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using (var certStore = new X509Store(StoreName.My, StoreLocation.LocalMachine))
{
    certStore.Open(OpenFlags.ReadOnly);
    // validOnly = true also requires a valid, trusted chain, not just a thumbprint match
    var certs = certStore.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true);
    if (certs.Count == 0)
        throw new CryptographicException("Could not find requested certificate.");
}
Dockerfile:
FROM mcr.microsoft.com/dotnet/framework/runtime:4.7.1-windowsservercore-ltsc2016
COPY ["Services", "C:/Services"]
COPY ["Cert.pfx", "C:/"]
COPY ["AddUserToCert.ps1", "C:/"]
RUN sc create NLPEngineService binpath= "c:/Services/Service.exe c:/Services/Service.exe.config" start= auto
Docker Commands:
docker build -t testservice-docker .\
docker run -it testservice-docker cmd

WSO2: My keystore is added to carbon, but does not load at startup

I am trying to make my wso2 server on my VPS secure, so I ordered a certificate as prescribed by my provider Hostnet.nl, then created and added a keystore as described by wso2 on https://www.yenlo.com/blog/setting-up-wso2-with-a-valid-certificate. The last step was to modify carbon.xml, in which I added my keystore:
<KeyStore>
    <!-- Keystore file location-->
    <Location>${carbon.home}/repository/resources/security/MijnWSO2sleutelwinkel.jks</Location>
    <!-- Keystore type (JKS/PKCS12 etc.)-->
    <Type>JKS</Type>
    <!-- Keystore password-->
    <Password>mypassword</Password>
    <!-- Private Key alias-->
    <KeyAlias>mijnWSO2sleutelwinkel</KeyAlias>
    <!-- Private Key password-->
    <KeyPassword>mypassword</KeyPassword>
</KeyStore>
Upon restarting the VPS and WSO2 the keystore did not appear in /carbon in the list of keystores. I was able to add it manually by uploading the keystore file and the SSL_CA file of the intermediary party, Hostnet. Looks fine in Carbon's list of keystores, but after restarting the VPS and WSO2, the keystore does not get loaded. In the startup script of WSO2 I only see wso2carbon getting loaded:
[2018-05-22 15:24:27,106] INFO - ClientConnFactoryBuilder HTTPS Loading Identity Keystore from : repository/resources/security/wso2carbon.jks
[2018-05-22 15:24:27,122] INFO - ClientConnFactoryBuilder HTTPS Loading Trust Keystore from : repository/resources/security/client-truststore.jks
[2018-05-22 15:24:27,128] INFO - ClientConnFactoryBuilder customSSLProfiles configuration is loaded from path: /usr/local/opt/wso2am-2.2.0/repository/resources/security/sslprofiles.xml
[2018-05-22 15:24:27,128] INFO - ClientConnFactoryBuilder HTTPS Loading custom SSL profiles for the HTTPS sender
[2018-05-22 15:24:27,129] INFO - ClientConnFactoryBuilder HTTPS Loading Identity Keystore from : repository/resources/security/wso2carbon.jks
[2018-05-22 15:24:27,130] INFO - ClientConnFactoryBuilder HTTPS Loading Trust Keystore from : repository/resources/security/client-truststore.jks
[2018-05-22 15:24:27,132] INFO - ClientConnFactoryBuilder HTTPS Custom SSL profiles initialized for 1 servers
[2018-05-22 15:24:27,133] INFO - PassThroughHttpSSLSender Pass-through HTTPS Sender started...
And no further mentions of SSL or my own keystore at all.
What am I missing?
I followed the instructions given in the same link -
https://www.yenlo.com/blog/setting-up-wso2-with-a-valid-certificate
I am able to find all of the files to change the .jks except for the last reference -
./security/secret-conf.properties:21:#keystore.identity.location=repository/resources/security/wso2carbon.jks
I am installing the cert on a APIM 2.2 server, is this file deprecated in this new version?

PM2 deployment permissions denied

When I run pm2 deploy development setup I get the following error. Which is strange because this key has no password set.
Enter passphrase for key '/Users/spongebob/.ssh/dev.pub':
Permission denied (publickey,keyboard-interactive).
setup paths failed
Deploy failed
I have created a key pair with no password, and transferred it to my development machine like so:
ssh-copy-id -i ~/.ssh/virtualbox_dev -o "IdentityFile /Users/spongebob/.ssh/dev" -f dev@192.168.0.17
I can log into SSH fine with no password:
ssh -o 'IdentityFile /Users/spongebob/.ssh/dev' 'dev@192.168.0.17'
Last login: Sun May 27 12:39:57 2018 from 192.168.0.11
I have added this key as a deployment key to GitHub as this is a private repo (and also added the virtualbox_dev key just in case). And tested whether it works ...
Hi MyUsername/blue-mask-api! You've successfully authenticated, but GitHub does not provide shell access.
And here is my deployment configuration (I have this in package.json):
"deploy": {
  "development": {
    "key": "/Users/spongebob/.ssh/dev.pub",
    "user": "dev",
    "host": "192.168.0.17",
    "ref": "origin/master",
    "path": "/home/dev/",
    "repo": "git@github.com:MyUsername/blue-mask-api.git",
    "post-deploy": "echo 999999999999",
    "ssh_options": [
      "StrictHostKeyChecking=no",
      "PasswordAuthentication=no"
    ]
  }
}
It's confusing because it's asking for a password and there isn't one set. And when I leave it blank I still get permission denied.
Enter passphrase for key '/Users/spongebob/.ssh/dev.pub':
It appears that you're trying to use the wrong key file. The file with the ".pub" extension is the public key file. The corresponding file without the ".pub" extension is the private key file. When you run an ssh client to connect to a remote server, you have to provide the private key file to the ssh client. The contents of the public key file are stored on the server (github in this case), where it's used by the ssh server software to confirm that this key can be accepted for authentication.
You ought to have a private key file with the same name as the public file, except without the ".pub" extension:
"development": {
  "key": "/Users/spongebob/.ssh/dev",
         ^^^--note no .pub