Node.js: prevent connections with a revoked certificate - node.js

How do I configure an HTTPS server to prevent connections with a revoked certificate?

Solved: add the crl property (certificate revocation list) to the https options:
crl: fs.readFileSync(path.join('public', "ca-crl.pem"))

Related

Setting a self-signed certificate into the list of Windows certificates does not resolve SEC_E_UNTRUSTED_ROOT

I set http.sslbackend=schannel and imported my self-signed certificate into Windows 10 (Personal | Certificates pane in MMC). Now I'm trying to clone a repository hosted on a server configured with the self-signed certificate.
As far as I understood, as long as the certificate is in Windows (explained above), git should not complain about the certificate. This is not the case. Whenever I try to clone I get:
unable to access https://server.com/project.git : schannel: SEC_E_UNTRUSTED_ROOT (0X80090325) - THE CERTIFICATE CHAIN WAS ISSUED BY AN AUTHORITY THAT IS NOT TRUSTED.
What am I missing here?

TLS handshake fails. HTTPS request to HAProxy to HTTP and then encrypt it again to forward the request to an SSL server

Need help!!! I have an HTTPS request and need to intercept it, read values and forward the same SSL request to the destination. I have all the required crt, key and CA with me. I am aware that HAProxy ACLs do not work at layer 4, but I'm trying to find a workaround to decrypt the message, read it, encrypt it again and forward it. The reason for reading the message is that, using ACLs, I need to read the path difference in various requests and route each request to a different server accordingly. I am trying to intercept the client request to the server; the request is SSL by default and the server is expecting an SSL request.
ssl crt: created a new user with a new crt-key pair and used the server's Certificate Signing Request to authenticate it against the CA on the server
The scenario is that I have an incoming SSL request which I'm capturing in the HAProxy frontend with the server certificate. While forwarding that request to a test web server I am able to see that it has changed from HTTPS to HTTP. Now when I try to re-encrypt it, the original destination is not able to accept the request since it is not SSL. I have tried to add the certs in the backend but it is not useful. Please check my current HAProxy config and please help if possible. I am not an expert in network communication / encryption / HAProxy.
frontend test
    bind IP:6443 ssl crt <location>
    option httplog
    mode http
    default_backend testback

backend testback
    mode http
    balance roundrobin
    option http-check
    server <host> IP:6443 check fall 3 rise 2 ssl verify required ca-file <loc> crt <loc>
To verify that my certificates are valid and connecting:
openssl s_client -connect :6443 -cert myuser.crt -key myuser.key -CAfile ca.crt
Output:
SSL handshake has read 1619 bytes and written 2239 bytes
Verification: OK
So no problem with the certificates, I presume; the problem is while using HAProxy for the connection.
Error:
Unable to connect to the server: x509: certificate specifies an incompatible key usage
HAProxy error:
2021-08-12T14:45:36.930478+02:00 parasilo-27 haproxy[21562]: :34672 [12/Aug/2021:14:45:36.927] server/1: SSL handshake failure
2021-08-12T14:45:37+02:00 localhost haproxy[21562]: :34674 [12/Aug/2021:14:45:37.438] server/1: SSL handshake failure
To sum up what was analyzed in the comments, as asked. Perhaps it will be useful to somebody someday.
HAProxy's config turned out to be correct, but the generated certificates had the wrong extended key usage (X509v3 extension).
Command to list the extended key usage:
openssl x509 -in /path/to/cert.pem -noout -ext extendedKeyUsage
Often, when bought on the internet, it shows X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication. The Original Poster used self-signed, self-generated certificates, and the certificate used on HAProxy's frontend had only TLS Web Client Authentication, whereas the frontend requires TLS Web Server Authentication if this extension is used at all.
That resulted in the error message:
Error: kubectl get po: Unable to connect to the server: x509: certificate specifies an incompatible key usage
As a consequence HAProxy logged SSL handshake failure without any more details, as is its habit.
After adding TLS Web Server Authentication to the certificate in HAProxy's frontend section and TLS Web Client Authentication to the certificate in HAProxy's backend section, the Original Poster reported success.

Validate certificates in Node.js

Is there any way to validate certificates against a CA, similar to the command "openssl verify -CAfile"?
I need to do this to bypass the HTTPS check in Node.js with rejectUnauthorized: true, because with self-signed certificates I have already realized that it is virtually impossible to authenticate the client with SSL.

How to create an SSL certificate chain?

I have a public key certificate and a private key, and I have uploaded both in the AWS CloudFront service.
I have tried to configure CloudFront, selected custom SSL certificate and clicked on the "YES EDIT" button. I received the below error message:
"com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The specified SSL certificate doesn't exist in the IAM certificate store, isn't valid, or doesn't include a valid certificate chain. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: c169e804-ef21-11e4-a864-99c1866d5c97)"
Please give advice on the above error.
You don't "create" it. The certificate chain is made up of one or more additional "intermediate" certificates provided by the certificate authority that issued your certificate.

SSL error when trying to connect to an HTTP server (Apache)

I have an HTTPS client that is using SSL to connect to an Apache server.
When the client tries to connect to the Apache server via HTTPS I get the following error:
SSL Library Error: 336151570 error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate Subject CN in certificate not server name or identical to CA!?
What could be the problem and how do I solve it?
Subject CN in certificate not server name or identical to CA!?
Your certificate does not match the host name you access. Check your site against [SSLLabs](https://www.ssllabs.com/ssltest/analyze.html).
