SSL certificate sometimes stops working - security

Sometimes, mostly at nighttime, our SSL certificates just stop working.
The error accompanying this fault is:
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.
To solve this at the moment, we just change the SSL binding of the faulting website to a different site, save it and switch it back. That way, the certificate is picked up again and works (magic).
The question is: How can we prevent this from happening? Every time this happens (now twice in the last 6 months), the sites are down.

An article I found resolved the issue: https://techcommunity.microsoft.com/t5/iis-support-blog/error-hresult-0x80070520-when-adding-ssl-binding-in-iis/ba-p/377281
FYI, we have checked all three options.
If this error should come up again, I will post it here.

I too have had this problem. My server service was working fine for hours if in use, but if left for 45 minutes without a call, it would get this error. So there was some sort of timeout or other expiry occurring. I wrote a utility to monitor my service, and of course that kept it alive. So I adjusted times, and found the period that let it fail. I re-examined all the web references I'd used, and on re-reading the article at paulstovell.com found that it mentioned the PersistKeySet property. Changing my code which prepares the certificate to include this, so it is now like:
X509Certificate2 cert = new X509Certificate2(file, password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);
has fixed the problem, and the certificate no longer expires or times out with the 0x8009030d error. And of course this makes sense, as the error is about there being no key, and persisting it is what is required.
http://paulstovell.com/blog/x509certificate2

By editing the permissions on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys I have resolved the same issue. Thanks.

Related

How to Add certificate verification in python 3 on Ubuntu

I am trying to use hash-buster and am making requests from my server to the databases of hash-buster, and each time I get this error:
Hash function : MD5
/usr/lib/python3/dist-packages/urllib3/connectionpool.py:849: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning
I am new to Python 3 and also to Ubuntu (19.04). Please help me with adding a certificate to my server; actually I need a step-by-step guide to install and activate it (or whatever).
I found my certifications on my server: (etc/ssl/certs/ca-certificates.crt). Is it possible to use my own certifications?
I hope my question is clear; please feel free to ask me questions to make it clearer.
I am trying to use hash-buster....
I'm assuming that you mean this project.
... Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. ...
The code contains the following line, which probably is the reason for this warning:
response = requests.get('https://www.nitrxgen.net/md5db/' + hashvalue, verify=False).text
So it is explicitly disabling certificate validation here with verify=False. Given that there are other HTTPS requests in the code and this one is the only one with certificate validation disabled, it is likely to work around a problem with the site.
And, the SSLLabs report for www.nitrxgen.net shows that the site is not properly configured:
This server's certificate chain is incomplete. Grade capped to B.
This incomplete certificate chain causes requests to fail. To work around the broken site one needs to either import the missing chain certificate in the trust store or have it explicitly trusted by the code.
Since there are many similar questions already I don't want to repeat all the details. See for example Python requests SSL error - certificate verify failed, Python Requests getting SSLerror, SSL error with Python requests despite up-to-date dependencies for more.

Correct way to handle "Unable to Get Local Issuer Certificate" in an electron app

A node/electron app gets deployed on the end user's machine. It tries to make an HTTPS request to a server. Depending on the user's network setup, this may work fine, or Node may throw the error "Unable to Get Local Issuer Certificate". As far as I understand, this happens when the client is behind a proxy with SSL interception or something similar.
I know SO and github are full of questions like this. But the only generic "solution" I could find is breaking SSL entirely either at process level:
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0
or at request level:
rejectUnauthorized: "false"
There's also the option to somehow specify the correct certificate when making the HTTP request. But it seems to almost require custom setup for every user and I haven't found any examples of doing it in a generic way.
1. Why is this issue specific to Node apps, while every other app on the computer works fine?
2. Can it be fixed in a general and cross-platform way?

Token is Invalid or Invalid state token provided

So I'm running into a problem I suspect I shouldn't be having and, having tried several things, I'm seemingly at an impasse.
I am trying to integrate LinkedIn login with Stormpath, and while it seems the accounts get created and technically the user is logged in, the application does return one of two errors:
"Token is invalid" or "Invalid state token provided."
I checked my id and secret several times and the authorized callback urls etc but I'm not sure where else to actually check, some help would be appreciated.
To try further I did in fact clone https://github.com/stormpath/stormpath-express-react-example and run it, and everything else works fine, but again LinkedIn login on this app doesn't work, so I suspect it's not my code (maybe; after years of coding I'm never really comfortable saying it's not my code, but there you have it).
I have attached the screenshot of things in case my now very tired eyes are missing something. Can someone point me to my mistake please?
For reference, Omar and I looked through this problem and realized that his server was not running ntp, and the clock was running fast.
This meant that the signed token request generated by Stormpath's Express integration was sent to Stormpath's REST API with a different valid time interval than expected, and thus failed validation.
We fixed it by installing ntp and syncing the server's time.

authentication-flows email URL's do not work after web server reset

I have been playing around with authentication-flows and noticed that when I restart the web server the URLs no longer work; they are all invalid. I walked through debugging but I am still a bit lost as to exactly why, though I have a lot of good reasons why it should happen (and I am sure you do also).
I want to make a service which will be distributed to multiple containers, and when a request comes in any of them could serve it. As the solution stands right now, it looks like I will have to make modifications to make this possible.
What exactly is making the URL invalid? And what changes could I make to make my proposed solution possible?
Thank you in advance.
In response to Ohard's comment:
1. Why the URL is invalid
Let me tell you how I get the error. I deploy the war and submit forgot password. I receive the email to reset my password, then stop the war. When that happens my reset password page extracts the enc. I then stop and redeploy the war. After I send a REST request with the enc and a new password to the /rest/setNewPassword mapping, I receive:
09 Jan 2016 03:50:48,799 [http-nio-8082-exec-1] ERROR
web.rest.UserActionRestController - Failed to decrypt URL content
aX8uaOWkqAUQN2xOzlPAOHJjPZaxBwho7.yoMeUtMnJA
in ohadr\crypto\service\CryptoService.java there is an exception on line 261:
throw new CryptoException("Failed to decrypt URL content " +
based64EncryptedContent, e);
which I then use a break point to find:
java aes javax.crypto.BadPaddingException: Given final block not
properly padded
I am sure if you try to reproduce this issue, you will find the same results...
Note: when I do this without the re-deploy everything works great!
2. How to make auth-flows work as SaaS
There are three use cases I want this service to fulfil:
Currently, if I host a service and it goes down without a fail-over, people who have URLs will be unable to use their links when it comes back up. I want them to be able to use the links regardless.
(untested -- but will be soon) Similar to the second, if I host this service on multiple docker containers I believe that it will not be able to receive a link that did not originally come from its container, therefore containers could not share unsorted loads. It should be able to read any of the enc's and process it.
EDIT:
1. Why the URL is invalid
An even easier way to test this is just to submit a forgotten password, get the email and then stop the war. Redeploy it, then click the link. I got this stack trace:
https://drive.google.com/file/d/0Bwa-JXbjFUDueXVMWWJibjY2Zm8/view?usp=sharing
Don't worry about csrf it is not enabled.
1. Why the URL is invalid
As it looks, the ICryptoUtil instance is re-created after you redeploy the war.
CryptoService.java line 38:
return ContextLoader.getCurrentWebApplicationContext().getBean(ICryptoUtil.class);
I suggest for you to do a small test. Encrypt a string twice, now and after the redeploy and compare the results.
If you get 2 different results then your crypto is not capable of decrypting an encrypted string of another crypto instance.
#EdiZ is right.
To be more accurate, every time your web-app loads, Spring loads all the beans. Among them are Crypto's library beans, such as CryptoUtil and CryptoProvider, and if you look carefully you will notice on DefaultCryptoProvider.loadMasterKeys() that a new key is generated.
I believe that explains the behavior you see.
Currently, If I host a service and it goes down without a fail-over, people who have URL's will be unable to use their links when it comes back up. I want them to be able to use the links regardless
It seems to be a duplication of your first question; I think that the first issue will have to be resolved in order to make it work as you wish. If the server reboots, all the links become invalid - the users will have to click again on "forget password" (for example) and get a new link - it is for you to decide how big this deal is.
If I host this service and I do have a failover I assume the failover will not be able to read URL that is not from it originally. It should be able to read any of the enc's and process it.
I assume that you have to develop some more persistence, so the server can decrypt URLs that were not generated by it...
Hope that helps.

curl exception 60: Certificate Security api exception

Fatal error: Uncaught CurlException: 60: Peer certificate cannot be authenticated with known CA certificates thrown in /home/ldr/public_html/src/base_facebook.php on line 886
See: http://ldr.x10.bz/examples/with_js_sdk.php
I've been getting this error for 2 days now and can't find any information on where it has come from? Why is the certificate known and is there a way for it to be unknown again?
It had been working for months previously, so not sure if the API has just updated but I've deleted everything and just uploaded the PHP SDK 3.1.1 but still no luck :(
I've read about disabling the peer verification but sounds like a bad idea (plus I know it works with it enabled). Probably accidentally unchecked a box somewhere- any ideas on how to restore it back to normal would be very appreciated :)
Thanks!
Certificates are verified against a truststore somewhere on your system. This truststore should be updated once in a while; e.g. Firefox and Windows do this when updating the software. The error is a bit unclear; it actually means your curl client gets a certificate for which it does not have a trusted (root) certificate.
You may want to visit that site with your favorite up to date browser and save the root certificate somewhere, then create a CA store with that single certificate in it. Of course it will fail if that one gets replaced or if the server chooses another certificate authority.
Possibly updating curl or the OpenSSL library may do the trick, try that first :).
