can't connect to virtual machine linux created by puppet - azure

I'm trying to automate my infrastructure using Puppet with Azure.
I've created my puppet master using the Puppet Enterprise VM from the gallery on Azure. After that, I've generated a certificate by running the following commands:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout cert.pem -out cert.pem
sudo openssl x509 -inform PEM -in cert.pem -outform DER -out cert.cer
Then, I've uploaded my cert file to the Azure Management Portal and finally, I've created a VM with the following command:
puppet azure_vm create --management-certificate /tmp/cert.pem --azure-subscription-id=xxxxxx --image 0b11de9248dd4d87b18621318e037d37__RightImage-Ubuntu-12.04-x64-v13.4 --location 'west us' --vm-name puppetslave --vm-user xxxx --password xxxxx --puppet-master-ip 23.102.xxx.xxx
Finally, I've exported my private key using PuTTYgen and I'm using it to connect to my new Linux VM. Unfortunately, I'm getting the following error:
Server refused our key
And I don't know why. I'm stuck at this point and don't know how to proceed.

Related

Unable to Generate .pfx File For Azure App

We are trying to update an SSL certificate in our Azure Web App. According to the Private Certificate Requirements we now need to use triple DES for the private key. Here are the steps that I'm doing:
Generate the private key on my PC using triple DES:
openssl genrsa -des3 -out privatekey.key 2048
Generate the CSR:
openssl req -new -key privatekey.key -out mycsr.csr
Re-key the certificate on the GoDaddy portal.
Using the new .crt file, generate a PFX:
openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in mycert.crt
Unfortunately, the generated certificate is not accepted by the Azure portal. I'm getting the error message "The password is incorrect, or the certificate is not valid".
Ubuntu 22.04 uses a yescrypt hashing algorithm. Try to generate the pfx on
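OpenSSL 3 (the version Ubuntu 22.04 ships) encrypts PKCS#12 key and certificate bags with AES-256-CBC under PBKDF2 by default, so a plain `openssl pkcs12 -export` no longer produces the triple-DES layout the requirement quoted above asks for. As an added example (not from the post), this shell function selects the legacy algorithms explicitly and then checks what was written; PFX_PASSWORD and KEY_PASSWORD are environment variable names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the post): export a PFX whose key bag, certificate
# bag and MAC use the pre-OpenSSL-3 algorithms (pbeWithSHA1And3-KeyTripleDES-CBC
# and a SHA-1 MAC) regardless of the local OpenSSL defaults. Passwords are read
# from environment variables (PFX_PASSWORD, KEY_PASSWORD: names chosen here)
# instead of the command line, so they do not show up in `ps` output.
# usage: make_legacy_pfx <private-key> <certificate> <out.pfx>
make_legacy_pfx() {
    key=$1 crt=$2 out=$3
    set --
    # The key file itself may be encrypted (e.g. created with `genrsa -des3`).
    [ -n "${KEY_PASSWORD:-}" ] && set -- -passin env:KEY_PASSWORD
    openssl pkcs12 -export -inkey "$key" -in "$crt" -out "$out" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout env:PFX_PASSWORD "$@"
}

# Inspect the result: return 0 only when every encrypted bag is triple DES.
# `openssl pkcs12 -info` reports on stderr, hence the 2>&1.
pfx_uses_3des() {
    info=$(openssl pkcs12 -in "$1" -info -noout -passin env:PFX_PASSWORD 2>&1) || return 1
    printf '%s\n' "$info" | grep -q 'TripleDES' || return 1
    ! printf '%s\n' "$info" | grep -Eq 'AES|RC2'
}

if [ $# -eq 3 ]; then
    make_legacy_pfx "$1" "$2" "$3" && pfx_uses_3des "$3" && echo "wrote $3 (3DES)"
fi
```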

Pushing SocketClutser to Google K8S Engine, the Ingress service not working complaining SSL key is too large

I have created a SocketCluster Node.js app. I followed their official docs to deploy the service to Google K8s Engine. However, the ingress service is not coming up and complains about:
Error:googleapi: Error 400: The SSL key is too large., sslCertificateKeyTooLarge
I tried the following certificates:
4048 key size certificate from Let's Encrypt
2048 key size using a cert created with OpenSSL.
Both of them result in the same error.
Does anyone know how I can resolve this? And where do I get a proper certificate for enabling TLS?
IIRC, only RSA-2048 and ECDSA P256 keys are supported:
openssl genrsa -out PRIVATE_KEY_FILE 2048
openssl ecparam -name prime256v1 -genkey -noout -out PRIVATE_KEY_FILE
I also struggled with this error when using Let's Encrypt certs with a 4096-bit private key on a GKE ingress - even though creating the secret worked fine for [1].
I finally overcame it by editing "/etc/letsencrypt/cli.ini":
rsa-key-size = 2048
then issued a new certificate and key file and put those into the secret.
[1] https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl
On GCP Cloud Shell, with "openssl" and "gcloud", I tried to create a self-managed SSL certificate, first running this command to create "myCert.crt" and "myKey.key":
openssl req -new -newkey rsa:4096 -x509 -days 365 -nodes -out myCert.crt -keyout myKey.key
Then I ran this command to create the self-managed SSL certificate "mycert" using "myCert.crt" and "myKey.key":
gcloud compute ssl-certificates create mycert --certificate=myCert.crt --private-key=myKey.key
But I got a similar error to yours:
ERROR: (gcloud.compute.ssl-certificates.create) Could not fetch resource:
The SSL key is too large.
So I changed "rsa:4096" to "rsa:2048" and ran the first command again:
# "4096" is changed to "2048"
openssl req -new -newkey rsa:2048 -x509 -days 365 -nodes -out myCert.crt -keyout myKey.key
Then I ran the second command again:
gcloud compute ssl-certificates create mycert --certificate=myCert.crt --private-key=myKey.key
Finally, I could create the self-managed SSL certificate "mycert":
Created [https://www.googleapis.com/compute/v1/projects/myproject-923743/global/sslCertificates/mycert].
NAME: mycert
TYPE: SELF_MANAGED
CREATION_TIMESTAMP: 2022-01-22T07:22:26.058-08:00
EXPIRE_TIME: 2023-01-22T07:22:08.000-08:00
MANAGED_STATUS:
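As an added example (not from any of the answers above), the following shell check applies the limit the answers state, RSA-2048 or ECDSA P-256 only, to a key file before it goes into the Ingress secret, so a 4096-bit key is caught locally instead of by the Error 400. The function name is this example's own; it relies only on `openssl pkey`.

```shell
#!/bin/sh
# Added example: pre-flight check for a TLS private key destined for a GKE
# Ingress secret, which (per the answers above) accepts only RSA-2048 and
# ECDSA P-256 keys. Prints the key description; returns 0 if acceptable.
# usage: check_ingress_key <private-key.pem>
check_ingress_key() {
    text=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || {
        echo "unreadable key: $1" >&2; return 1; }
    # OpenSSL 3 prints "Private-Key: (4096 bit, 2 primes)",
    # OpenSSL 1.1 prints "RSA Private-Key: (4096 bit, 2 primes)";
    # EC keys print "Private-Key: (256 bit)" plus an "ASN1 OID:" line.
    bits=$(printf '%s\n' "$text" |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    curve=$(printf '%s\n' "$text" | sed -n 's/^ASN1 OID: *//p')
    if [ -n "$curve" ]; then
        echo "EC $curve"
        [ "$curve" = prime256v1 ]
    else
        echo "RSA $bits"
        [ "$bits" = 2048 ]
    fi
}

if [ $# -eq 1 ]; then
    check_ingress_key "$1" && echo "accepted by GKE Ingress" || echo "rejected: use RSA-2048 or P-256" >&2
fi
```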

Gitlab runner IP Sans issue during registration

I have a VirtualBox VM with a GitLab instance and I'm trying to register gitlab-runner on the same machine; during that I'm getting an issue about IP SANs.
VM: https://bitnami.com/stack/gitlab/virtual-machine
Process
I think verifying the certificate is successful (please correct me).
What I have also done:
added "subjectAltName=IP:192.168.8.6" to /etc/ssl/openssl.cnf
Generated cert and key in /etc/gitlab-runner
Copied these two to /etc/gitlab/trusted-certs/
Trying the solution from below also doesn't help:
Gitlab-CI runner: ignore self-signed certificate
Any ideas how I can debug this further? Any help is appreciated.
From this post
Step 1: edit the SSL configuration on the GitLab server (not the runner)
sudo nano /etc/pki/tls/openssl.cnf
# find line
[ v3_ca ]
subjectAltName=IP:192.168.1.1 <---- Add this line. 192.168.1.1 is your GitLab server IP.
Step 2: re-generate the self-signed certificate on the GitLab server (not the runner)
cd /etc/gitlab/ssl
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/gitlab/ssl/192.168.1.1.key -out /etc/gitlab/ssl/192.168.1.1.crt
sudo openssl dhparam -out /etc/gitlab/ssl/dhparam.pem 2048
sudo gitlab-ctl restart
Step 3: copy the new CA to the GitLab CI runner in /etc/gitlab-runner/certs/
Step 4: register your runner
gitlab-runner register --tls-ca-file="$CERTIFICATE"
This works for me.
For those errors like:
x509: certificate is not valid for any names, but wanted to match gitlab.example.com
x509: certificate relies on legacy Common Name field, use SANs instead
...
I am running a GitLab server 15.7.1 Docker container on my laptop (following the official install guide with docker-compose), and installed a GitLab runner on that laptop host too.
In my case, the self-signed certificate had to be re-requested manually, according to the following steps:
Enter the running GitLab container:
docker compose exec web bash
In the container, copy openssl.cnf to /etc/gitlab/ssl so that I can edit it from the host machine:
cp /opt/gitlab/embedded/ssl/openssl.cnf /etc/gitlab/ssl/
On the host, modify openssl.cnf to add a new line to the v3_ca section:
subjectAltName=DNS:gitlab.example.com
NOTE that a DNS name is needed instead of an IP.
In the container, copy the file back:
cp /etc/gitlab/ssl/openssl.cnf /opt/gitlab/embedded/ssl/
In the container, recreate the x509 req and restart the GitLab services to sign the GitLab server certificate again:
cd /etc/gitlab/ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/gitlab/ssl/gitlab.local.key -out /etc/gitlab/ssl/gitlab.local.crt
openssl dhparam -out /etc/gitlab/ssl/dhparam.pem 2048
gitlab-ctl restart
Now gitlab-runner register should be OK.
gitlab-runner register --tls-ca-file="$CERTIFICATE"
Good luck to anyone.
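Both answers edit the global openssl.cnf to get a SAN into the self-signed certificate. As an added example (not from either answer), this shell snippet does the same with `openssl req -addext` (OpenSSL 1.1.1 or later) and then runs the host name and IP checks a TLS client performs, so a certificate that would still trigger the `x509: certificate is not valid for any names` error is caught before gitlab-ctl restart. Function names are this example's own; gitlab.example.com and 192.168.1.1 are the values used in the answers.

```shell
#!/bin/sh
# Added example: self-signed GitLab server certificate with the SAN baked
# in via `openssl req -addext` (OpenSSL 1.1.1+), plus the checks a TLS
# client applies to it. No edit of the system-wide openssl.cnf is needed.
# usage: make_san_cert <out-prefix> <dns-name> <ip-address>
make_san_cert() {
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2,IP:$3" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Trust the certificate as its own CA and check it for a host name or IP,
# i.e. the match gitlab-runner performs when it reports "certificate is not
# valid for any names" or "relies on legacy Common Name field".
cert_valid_for_host() {  # <cert> <dns-name>
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}
cert_valid_for_ip() {    # <cert> <ip-address>
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# Print the SAN extension for a quick visual check after re-issuing.
show_san() {  # <cert>
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

if [ $# -eq 3 ]; then
    make_san_cert "$1" "$2" "$3" && show_san "$1.crt" &&
        cert_valid_for_host "$1.crt" "$2" && cert_valid_for_ip "$1.crt" "$3" &&
        echo "OK: $1.crt is valid for $2 and $3"
fi
```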

Two Way SSL Authentication in NodeJS

I am trying to integrate with a 3rd party API using two-way SSL authentication. The documentation provided by them is for Java and I am using NodeJS. I am new to this and really grasping at straws here. In the document it is mentioned to generate a self-signed certificate and use the private key of that certificate with the public certificate from them to create a PKCS 12 file and use it to call the API.
Below is the excerpt from the documentation to
Create a self-signed certificate
keytool -genkey -keyalg RSA -alias <aliasName> -keystore selfsigned.jks -validity <days> -keysize 2048
Import JKS to key store
KeyDBs could be any format: PFX, JKS or P12. Listing the certificates from the keystores: go to the bin directory of the Java library; it should have a Private-Cert entry in the list of certificates.
keytool -list -v -keystore <Keystore Name>
If the KeyDB is not present, create a KeyDB using the private key and public certificate provided, through OpenSSL.
Create P12 from key
openssl pkcs12 -export -in mycert.crt -inkey <mykey.key> -out mycert.p12 -name tomcat -CAfile <myCA.crt> -caname root -chain
Create JKS from P12
keytool -v -importkeystore -srckeystore <key.p12> -srcstoretype PKCS12 -destkeystore <key.jks> -deststoretype JKS
To verify: KeyDBs could be any format: PFX, JKS or P12. Listing the certificates from the keystores: go to the bin directory of the Java library; it should have a Private-Cert entry in the list of certificates.
keytool -list -v -keystore <Keystore Name>
I am facing a problem in creating the PKCS 12 file. I created a self-signed certificate using openssl (provided with Git) via the commands mentioned below.
Creating the request and private key:
openssl req -new -newkey rsa:2048 -nodes -keyout privatekey.key -out certificatereq.cer
Creating the certificate using the request and key:
openssl x509 -req -days 365 -in certificatereq.cer -signkey privatekey.key -out selfsigned.crt
Upon creation of the certificate I used it to create the PKCS 12 file as mentioned in the documentation above, via the command below:
openssl pkcs12 -export -in selfsigned.crt -inkey privatekey.key -out outpkcs12file.p12 -name myname -CAfile thirdpartypublic.crt -caname mycaname -chain
but I'm getting the error "Error self signed certificate getting chain". I tried installing the self-signed certificate in my system also and get the same error. If I remove the -chain argument (not sure what it does, but found a few commands without -chain) there is no output in the terminal. The third party's certificate is CA-signed.
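The error in the question comes from `-chain`, which asks OpenSSL to build the issuer chain of the certificate being exported from what `-CAfile` trusts; a self-signed certificate that is not itself in that file cannot be chained and the export aborts, while without `-chain` the silent exit is the success case. As an added example (not from the post), this shell function packages the self-signed client certificate without `-chain`, bundles the third party's certificate via `-certfile` when wanted, and counts what landed in the file; P12_PASSWORD and the function names are this example's own.

```shell
#!/bin/sh
# Added example: package a self-signed client certificate and its key as
# PKCS#12 for mutual TLS. A self-signed leaf has no issuer chain to look up,
# so `-chain` is left out; any extra certificate the client library should
# carry (e.g. the API provider's) is added with -certfile instead.
# The export password comes from P12_PASSWORD (variable name chosen here).
# usage: make_client_p12 <key> <cert> <out.p12> [extra-certs.pem]
make_client_p12() {
    key=$1 crt=$2 out=$3 extra=${4:-}
    set --
    [ -n "$extra" ] && set -- -certfile "$extra"
    openssl pkcs12 -export -inkey "$key" -in "$crt" -out "$out" -name client \
        -passout env:P12_PASSWORD "$@"
}

# Number of certificates stored in the PKCS#12 file (sanity check after export).
p12_cert_count() {  # <file.p12>
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASSWORD 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

if [ $# -ge 3 ]; then
    make_client_p12 "$@" && echo "$3 holds $(p12_cert_count "$3") certificate(s)"
fi
```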

how to generate apns certificate in openshift server

I am trying to use push notifications through my Node.js server deployed on an OpenShift (Red Hat) server. I could not find any documentation/discussion on generating an APNs certificate in OpenShift.
I tried generating a certificate, but I'm getting an error while generating the CSR using this command:
openssl genrsa -out sz.key 2048
Error: unable to write 'random state'
e is 65537 (0x10001)
After some googling, I see one option is to use aerogear. But I want to use my own server to handle the notifications.
Is there any other option to generate a certificate in openshift server?
Thanks developercorey for your help. But I still see the error.
Finally I generated the certificate for my OpenShift server using this script:
openssl x509 -in aps_production.cer -inform DER -out myProdCert.pem
The private key associated with the SSL certificate can be exported from the Keychain Access application on your Mac computer. - mykey.p12
openssl pkcs12 -in mykey.p12 -out myProdKey.pem -nodes -clcerts
openssl s_client -connect gateway.push.apple.com:2195 -cert myProdCert.pem -key myProdKey.pem
Hopefully this will help somebody.
Try this command:
HOME=~/app-root/data/ openssl genrsa -out sz.key 2048
Basically it is trying to write some temp data into your $HOME, but you can't write to that directory, so it won't work, but it does give somewhat of a cryptic error message.
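Both the Azure management certificate at the top of the page (cert.pem, converted to cert.cer) and the APNs pair assembled in the answer above (myProdCert.pem from the DER .cer, myProdKey.pem from the Keychain export) are a certificate and a private key that must belong to each other. As an added example (not from any of the posts), this shell function checks that before the pair is handed to s_client or a push library, comparing public keys rather than an RSA modulus so it also works for EC keys; the function name is this example's own.

```shell
#!/bin/sh
# Added example: confirm that a certificate and a private key belong together
# by comparing the SubjectPublicKeyInfo embedded in the certificate with the
# public key derived from the private key. Works for RSA and EC keys alike,
# and accepts a PEM or DER certificate (third argument, default PEM).
# usage: cert_matches_key <certificate> <private-key.pem> [PEM|DER]
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -inform "${3:-PEM}" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $1" >&2; return 2; }
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || {
        echo "cannot read private key: $2" >&2; return 2; }
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "match: $1 <-> $2"
    else
        echo "MISMATCH: $1 does not carry the public key of $2" >&2
        return 1
    fi
}

if [ $# -ge 2 ]; then
    cert_matches_key "$@"
fi
```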
