I want to search a user using ldapsearch, but the hosting provider gave me a certificate from the CA. I added that certificate in my ldapconf.
Before executing the ldapsearch command I am running openssl as follows
openssl s_client -connect hostname -CAfile /certificate.pem
After connecting via openssl, I execute the following command in another terminal
ldapsearch -h hostname -p portno -D uid=mailid#domain.con, dc=global,dc=example,dc=net
Now I want to know, is there any way to use the certificate while executing the ldapsearch command?
This should be doable by performing:
env LDAPTLS_CACERT=/certificate.pem ldapsearch -h hostname -p portno -D uid=mailid#domain.con, dc=global,dc=example,dc=net
although, I'd use:
env LDAPTLS_CACERT=/certificate.pem ldapsearch -H ldaps://hostname:portno/ -D uid=mailid#domain.con, dc=global,dc=example,dc=net
to ensure that it tries with ldaps, rather than heuristics.
If you're getting errors still, you can add -ZZ which will give better error messages.
An obvious gotcha is using an expired cert, the second most obvious gotcha is not using the same name in the request as you've got in the certificate. You can read the server cert using openssl s_client -connect hostname:portno - there will be a line reading something like:
subject=/C=IE/CN=hostname.domain.local
you have to ensure that the ldapsearch request's hostname matches the hostname as listed in the CN=... item. If it doesn't match then you'll not be able to connect (this is simple cert validation, if there are alternative names then you can try: openssl x509 -text -noout -in /certificate.pem | grep DNS)
A final caveat is that Mac OSX does not respect the LDAPTLS_CACERT environment variable. You have to import the cert into the keychain (I don't know of a workaround for OSX in this case).
Related
I have the job of converting some bash scripts to run on Node in an AWS Lambda. The scripts encode and decode some files. As the files are used externally I have to keep the encryption unchanged.
The files are encrypted with the command
openssl -e -aes-256-cbc -base64 -salt -in $filein -out $fileout -k $key
and decrypted with
openssl -d -aes-256-cbc -base64 -salt -in $filein -out $fileout -k $key
I've tried just wrapping the openssl calls but openssl is no longer installed in the Node Lambda runtime.
I've tried using the node:crypto module and searching stackoverflow but don't really understand enough about encryption and how openssl works to have a chance of writing any code. For example I can't work out how to get the iv to use when decrypting the file.
So is it possible to reproduce these openssl commands with node?
My backup plan is to build a container or Lambda Layer containing SSL and use one of the SSL wrappers but I'd prefer not to do that if I can help it.
I am running a bunch of shell scripts which uses the properties in config.properties file.. it has database connection details, passwords.. etc.,
I just want to encrypt the passwords.. so that when someone looks at the properties file they shouldn't be able to use it.
Also I don't want to change the permissions on the file, I want only the passwords to be encrypted
I know there are few ways.. like using java or using any encryption algorithm but I don't want to use java.
I am running the shell scripts on CentOS.. sample scripts looks like below..
config.properties
DatabaseHostName=test_host
DatabasePort=4898
DatabaseUserName=test_user
# MY DB Password here is visible.. I want to encrypt this
DatabasePassword=password123
script.sh
#sourcing the above properties file here
source ./config.properties
export PGPASSWORD=${DatabasePassword}
psql -h ${DatabaseHostName} -p ${DatabasePort} ${DatabaseUserName} -c "select * from table_name;"
my both files are under the same folder
Here's the problem, whatever encryption you put in the file, you'd need to be able to reverse in the script. So anyone who can see the script can figure out how to decode the passwords.
command encrypt:
echo 'hoge' | openssl rsautl -encrypt -inkey ~/.ssh/id_rsa > pass.rsa
command decrypt:
openssl rsautl -decrypt -inkey /root/.ssh/id_rsa -in pass.rsa
config modify:
DatabasePassword=S03EXE -> DatabasePassword=$(openssl rsautl -decrypt -inkey ~/.ssh/id_rsa -in pass.rsa)
I have the vagrant virtual machine running.
I can ssh into it using ssh vagrant#192.168.0.28 then it ask me the pass phrase for the private key , which I can enter and then it logs me in.
but if I use:
ansible all -m ping
then I get this:
192.168.0.28 | FAILED => FAILED: ssh moor#192.168.0.28:22 : Private key file is encrypted
To connect as a different user, use -u <username>.
How can I enter pass phrase in ansible?
I tried ansible -k but it says authentication failed.
Try using ssh as the transport. Generally, Ansible uses paramiko which is not as friendly for interactive sessions:
ansible all -c ssh -m ping
If that doesn't work, I didn't see anything on running Ansible with an ssh key pass phrase on the documentation or in the code, so you might have to remove it with something like this:
openssl rsa -in private_key_with_pass_phrase -out private_key_without_pass_phrase
i have tried
cd ~/.ssh/
openssl rsa -in id_rsa -out id_rsa_without_pass_phrase
and got error
unable to load Private Key
routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
solution was to run this command:
cd ~/.ssh/
ssh-keygen -p -f id_rsa -m PEM
How can I grab the root SSL certficate, together with any intermediates, to a file from a given url? Ideally through some linux shell compatible commandline, but manually will do if I have to. Update: Interactively, using Chrome, if I examine a certificate I can optionally export it. And there's a way to grab the entire chain, if applicable. So now I'm only looking for a scriptable method.
Background:
mono nuget.exe install ./packages.config -o ./packages
will install project packages on ubuntu, as long as the required certificates are installined in the machine's Trust store. In part, it's done like this:
$ certmgr -ssl https://nugetgallery.blob.core.windows.net
This command, with the -ssl option, grabs the certificate and any intermediates from the specified url, and requires user confirmation. I'm trying to automate server builds, so I'd like to get the certificates added without requiring user confirmation.
I've tried piping the response into the command - i.e.:
$ echo "Yes" | certmgr -ssl https://nugetgallery.blob.core.windows.net
That doesn't work. I've tried to export the certficates to a file, so I can add them to my build project, but mono certmgr hasn't implemented 'put' yet.
Assuming openssl is installed, this commandline:
echo | openssl s_client \
-showcerts \
-connect nugetgallery.blob.core.windows.net:443 2>&1 |
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
produces a file that contains all three certificates involved in this chain.
Thanks to this answer to this question: Using openssl to get the certificate from a server for the solution to get the chain. The following commands will get the saved certificates loaded into the Trust store.
openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b
certmgr -add -c -m Trust ./cert.p7b
I'm trying to create a self-signed certificate for a test web server running Sun Webserver 6.1 using certutil. I am open to using keytool or openssl if someone has better instructions which work with Sun Webserver.
Here are the commands that I use:
certutil -S -P "https-myWebapp-" -d . -n myCA -s "CN=myWebserver.com CA,OU=myCompany,C=US" -x -t "CT,CT,CT" -m 102 -v 301 -5
and I select option 5 - SSL CA and "yes" to the critical extension question. The CA is created successfully. Now that I have created the certificate authority, I try to sign the actual cert with the following command:
certutil -S -P "https-myWebapp-" -d . -n myServer -s "CN=myWebserver.com,C=US" -c myCA -t "u,u,u" -m 102 -v 300 -5
At the certutil prompt, I select option 1 to create a SSL server with critical extensions enabled. This produces the following error:
certutil: could not obtain certificate from file: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
What did I do wrong? I think that I may have a failed SSL certificate, but I get the following when running certutil -L -d . -P "https-myWebapp-"
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
myCA CTu,Cu,Cu
In the second command, I needed to change the -m property to a new serial id number.
That fixed the error message and created the certificate.