Check certificate revocation status in Spring-WS - certificate
I implemented a spring-ws application with validation of incoming requests by the Signature action. It works correctly, but I would like to enable revocation status verification of the certificate by a CRL file. However, the incoming request always ends with the error java.security.cert.CertPathValidatorException: Could not determine revocation status, caused by sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
What I noticed is that the CRL could not be verified by the sun.security.provider.certpath.DistributionPointFetcher#verifyCRL method, because the DistributionPoint of the CRL does not have the value true for the indirect_crl attribute, and then it tried to find another key that might be able to sign CRLs vouching for the given cert.
What does it mean?
Implementation of the web service

import java.util.Properties;
import org.apache.wss4j.common.crypto.Merlin;
import org.springframework.context.annotation.Bean;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;
import org.springframework.ws.soap.security.wss4j2.callback.KeyStoreCallbackHandler;
import org.springframework.ws.soap.security.wss4j2.support.CryptoFactoryBean;

// Fragment of a @Configuration class; wsSecurityProperties, crlLocation,
// keyStoreLocation and trustStoreLocation are fields injected elsewhere.

@Bean
public KeyStoreCallbackHandler securityCallbackHandler() {
    KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler();
    callbackHandler.setPrivateKeyPassword(wsSecurityProperties.privateKeyPassword());
    return callbackHandler;
}

@Bean
public Wss4jSecurityInterceptor securityInterceptor() throws Exception {
    Wss4jSecurityInterceptor securityInterceptor = new Wss4jSecurityInterceptor();
    securityInterceptor.setValidationActions("Signature");
    Merlin crypto = (Merlin) getCryptoFactoryBean().getObject();
    securityInterceptor.setValidationSignatureCrypto(crypto);
    securityInterceptor.setValidationCallbackHandler(securityCallbackHandler());
    // turn on CRL-based revocation checking of the signing certificate
    securityInterceptor.setEnableRevocation(true);
    return securityInterceptor;
}

@Bean
public Properties cryptoProperties() {
    var prop = new Properties();
    // CRL file
    prop.setProperty("org.apache.ws.security.crypto.merlin.x509crl.file", crlLocation);
    // keystore contains public certificate
    prop.setProperty("org.apache.ws.security.crypto.merlin.file", keyStoreLocation);
    prop.setProperty("org.apache.ws.security.crypto.merlin.keystore.password", "changeit");
    // trustStore contains rootCA and intermediate
    prop.setProperty("org.apache.ws.security.crypto.merlin.truststore.file", trustStoreLocation);
    prop.setProperty("org.apache.ws.security.crypto.merlin.truststore.password", "changeit");
    prop.setProperty("org.apache.wss4j.crypto.provider", Merlin.class.getName());
    return prop;
}

@Bean
public CryptoFactoryBean getCryptoFactoryBean() {
    CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean();
    cryptoFactoryBean.setConfiguration(cryptoProperties());
    return cryptoFactoryBean;
}
What I tried so far is to check the revocation status manually, but the result is the same.

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;
import static org.junit.jupiter.api.Assertions.assertTrue; // JUnit 5 assumed; adjust to your JUnit version

// locationRootCa, locationIntermediate, locationUserCertificate and locationCRL
// are file paths defined elsewhere.
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
// load RootCA
X509Certificate cerRootCa;
try (InputStream in = new FileInputStream(locationRootCa)) {
    cerRootCa = (X509Certificate) certificateFactory.generateCertificate(in);
}
// load Intermediate
X509Certificate cerCaCCS1;
try (InputStream in = new FileInputStream(locationIntermediate)) {
    cerCaCCS1 = (X509Certificate) certificateFactory.generateCertificate(in);
}
// load user certificate
X509Certificate cerUser;
try (InputStream in = new FileInputStream(locationUserCertificate)) {
    cerUser = (X509Certificate) certificateFactory.generateCertificate(in);
}
// load CRL file into a collection-backed CertStore
CertStore store = null;
try (InputStream in = new FileInputStream(locationCRL)) {
    Set<CRL> certSet = new HashSet<>();
    X509CRL crl = (X509CRL) certificateFactory.generateCRL(in);
    certSet.add(crl);
    store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certSet));
    assertTrue(crl.isRevoked(cerUser)); // it is revoked, which is correct
}
Set<TrustAnchor> hashSet = new HashSet<>();
hashSet.add(new TrustAnchor(cerCaCCS1, null));
hashSet.add(new TrustAnchor(cerRootCa, null));
var pkixParams = new PKIXBuilderParameters(hashSet, new X509CertSelector());
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();
rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS, PKIXRevocationChecker.Option.NO_FALLBACK));
pkixParams.addCertPathChecker(rc);
pkixParams.addCertStore(store);
// the default revocation checker is disabled because an explicit one was added above
pkixParams.setRevocationEnabled(false);
var certPath = certificateFactory.generateCertPath(Arrays.asList(cerUser, cerCaCCS1));
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
validator.validate(certPath, pkixParams); // ERROR: could not determine revocation status

Debug output with -Djava.security.debug=certpath:
certpath: PKIXCertPathValidator.engineValidate()...
certpath: X509CertSelector.match(SN: 731c01746a4b6813
Issuer: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA
Subject: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA)
certpath: X509CertSelector.match returning: true
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA
certpath: Constraints: DSA keySize < 1024
certpath: Constraints set to keySize: keySize < 1024
certpath: Constraints: EC keySize < 224
certpath: Constraints set to keySize: keySize < 224
certpath: Constraints: MD2
certpath: Constraints: MD5
certpath: Constraints: RSA keySize < 1024
certpath: Constraints set to keySize: keySize < 1024
certpath: Constraints: SHA1 jdkCA & usage TLSServer
certpath: Constraints set to jdkCA.
certpath: Constraints usage length is 1
certpath: Constraints: SHA1 usage SignedJAR & denyAfter 2019-01-01
certpath: Constraints usage length is 1
certpath: Constraints set to denyAfter
certpath: DenyAfterConstraint read in as: year 2019, month = 1, day = 1
certpath: DenyAfterConstraint date set to: Tue Jan 01 01:00:00 CET 2019
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 - Subject: C=SK, ST=Poprad, L=Poprad, O=XXX, OU=Common Components System, CN=CA CCS 1
certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19}
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: Constraints.permits(): SHA256withRSA, [
Variant: generic
Anchor: [
Trusted CA cert: [
[
Version: V3
Subject: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA
Signature Algorithm: SHA512withRSA, OID = 1.2.840.113549.1.1.13
Key: Sun RSA public key, 4096 bits
params: null
modulus: ???
public exponent: 65537
Validity: [From: Mon Nov 27 17:34:03 CET 2017,
To: Thu Nov 25 17:34:03 CET 2027]
Issuer: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA
SerialNumber: [ 731c0174 6a4b6813]
Certificate Extensions: 5
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4F 6E AE 18 71 95 DE 3F A0 1D F5 AA 24 E7 99 11 On..q..?....$...
0010: CE BC DA B6 ....
]
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
[3]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.50887.1.2]
[] ]
]
[4]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
[5]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4F 6E AE 18 71 95 DE 3F A0 1D F5 AA 24 E7 99 11 On..q..?....$...
0010: CE BC DA B6 ....
]
]
]
Algorithm: [SHA512withRSA]
Signature:
???
]
Cert Issuer: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA
Cert Subject: C=SK, ST=Poprad, L=Poprad, O=XXX, OU=Common Components System, CN=CA CCS 1
Key: RSA
Date: Fri Nov 04 17:16:56 CET 2022
]
certpath: KeySizeConstraints.permits(): RSA
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage...
certpath: KeyChecker.verifyCAKeyUsage() CA key usage verified.
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1, maxPathLength = 2
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null, newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOT
certpath: PolicyChecker.processPolicies() policiesCritical = false
certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true
certpath: PolicyChecker.processPolicies() processing policy: 1.3.6.1.4.1.50887.1.2
certpath: PolicyChecker.processParents(): matchAny = false
certpath: PolicyChecker.processParents(): matchAny = true
certpath: PolicyChecker.processParents() found parent:
anyPolicy ROOT
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = anyPolicy ROOT
1.3.6.1.4.1.50887.1.2 CRIT: false EP: 1.3.6.1.4.1.50887.1.2 (1)
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking validity:Fri Nov 04 17:16:56 CET 2022...
certpath: validity verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA; subject: C=SK, ST=Poprad, L=Poprad, O=XXX, OU=Common Components System, CN=CA CCS 1; serial#: 4850766695757291669
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
certpath: RevocationChecker.check: checking cert
SN: 4351629b fce8a095
Subject: C=SK, ST=Poprad, L=Poprad, O=XXX, OU=Common Components System, CN=CA CCS 1
Issuer: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA
certpath: RevocationChecker.checkCRLs() ---checking revocation status ...
certpath: RevocationChecker.checkCRLs() possible crls.size() = 1
certpath: RevocationChecker.verifyPossibleCRLs: Checking CRLDPs for C=SK, ST=Poprad, L=Poprad, O=XXX, OU=Common Components System, CN=CA CCS 1
certpath: DistributionPointFetcher.verifyCRL: checking revocation status for
SN: 4351629b fce8a095
Subject: C=SK, ST=Poprad, L=Poprad, O=XXX, OU=Common Components System, CN=CA CCS 1
Issuer: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA
certpath: RevocationChecker.checkCRLs() approved crls.size() = 0
certpath: RevocationChecker.verifyWithSeparateSigningKey() ---checking revocation status...
certpath: RevocationChecker.buildToNewKey() starting work
certpath: RevocationChecker.buildToNewKey() about to try build ...
certpath: SunCertPathBuilder.engineBuild([
[
Trust Anchors: [[
Trusted CA cert: [
[
Version: V3
Subject: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA
Signature Algorithm: SHA512withRSA, OID = 1.2.840.113549.1.1.13
Key: Sun RSA public key, 4096 bits
params: null
modulus: ???
public exponent: 65537
Validity: [From: Mon Nov 27 17:34:03 CET 2017,
To: Thu Nov 25 17:34:03 CET 2027]
Issuer: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA
SerialNumber: [ 731c0174 6a4b6813]
Certificate Extensions: 5
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
???
]
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen: no limit
]
[3]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.50887.1.2]
[] ]
]
[4]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
[5]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
???
]
]
]
Algorithm: [SHA512withRSA]
Signature:
???
]
]
Initial Policy OIDs: any
Validity Date: Fri Nov 04 17:16:56 CET 2022
Signature Provider: null
Default Revocation Enabled: false
Explicit Policy Required: false
Policy Mapping Inhibited: false
Any Policy Inhibited: false
Policy Qualifiers Rejected: true
Target Cert Constraints: RejectKeySelector: [
X509CertSelector: [
Subject: C=SK,ST=Poprad,L=Poprad,O=XXX,CN=Root CA
matchAllSubjectAltNames flag: true
Key Usage: KeyUsage [
Crl_Sign
]
][Sun RSA public key, 4096 bits
params: null
modulus: ???
public exponent: 65537]]
Certification Path Checkers: [[]]
CertStores: [[java.security.cert.CertStore#5bdc6be6, java.security.cert.CertStore#5595b4b3]]
] Maximum Path Length: 5
]
)
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA, State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4351629bfce8a095
Issuer: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA
Subject: C=SK, ST=Poprad, L=Poprad, O=XXX, OU=Common Components System, CN=CA CCS 1)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 1553cecfabe305c9
Issuer: C=SK, ST=Poprad, L=Poprad, O=XXX, OU=Common Components System, CN=CA CCS 1
Subject: C=SK, ST=Slovakia, L=Poprad, O=OTest, OU=Test, CN=CNTest, CN=UIDTest)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA
certpath: X509CertSelector.match(SN: 731c01746a4b6813
Issuer: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA
Subject: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: X509CertSelector.match(SN: 4351629bfce8a095
Issuer: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA
Subject: C=SK, ST=Poprad, L=Poprad, O=XXX, OU=Common Components System, CN=CA CCS 1)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 1553cecfabe305c9
Issuer: C=SK, ST=Poprad, L=Poprad, O=XXX, OU=Common Components System, CN=CA CCS 1
Subject: C=SK, ST=Slovakia, L=Poprad, O=OTest, OU=Test, CN=CNTest, CN=UIDTest)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.engineBuild: 2nd pass; try building again searching all certstores
certpath: SunCertPathBuilder.buildForward()...
certpath: SunCertPathBuilder.depthFirstSearchForward(C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA, State [
issuerDN of last cert: null
traversedCACerts: 0
init: true
keyParamsNeeded: false
subjectNamesTraversed:
[]]
)
certpath: ForwardBuilder.getMatchingCerts()...
certpath: ForwardBuilder.getMatchingEECerts()...
certpath: X509CertSelector.match(SN: 4351629bfce8a095
Issuer: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA
Subject: C=SK, ST=Poprad, L=Poprad, O=XXX, OU=Common Components System, CN=CA CCS 1)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 1553cecfabe305c9
Issuer: C=SK, ST=Poprad, L=Poprad, O=XXX, OU=Common Components System, CN=CA CCS 1
Subject: C=SK, ST=Slovakia, L=Poprad, O=OTest, OU=Test, CN=CNTest, CN=UIDTest)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts()...
certpath: ForwardBuilder.getMatchingCACerts(): the target is a CA
certpath: X509CertSelector.match(SN: 731c01746a4b6813
Issuer: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA
Subject: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA)
certpath: X509CertSelector.match returning: true
certpath: RejectKeySelector.match: bad key
certpath: X509CertSelector.match(SN: 4351629bfce8a095
Issuer: C=SK, ST=Poprad, L=Poprad, O=XXX, CN=Root CA
Subject: C=SK, ST=Poprad, L=Poprad, O=XXX, OU=Common Components System, CN=CA CCS 1)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 1553cecfabe305c9
Issuer: C=SK, ST=Poprad, L=Poprad, O=XXX, OU=Common Components System, CN=CA CCS 1
Subject: C=SK, ST=Slovakia, L=Poprad, O=OTest, OU=Test, CN=CNTest, CN=UIDTest)
certpath: X509CertSelector.match: subject DNs don't match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
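The log above shows where the check fails: the validator walks the path from the Root CA trust anchor, and the first certificate it checks for revocation (cert1) is the intermediate CA CCS 1, not the user certificate. For that certificate it finds one possible CRL but approves none (approved crls.size() = 0), so it falls back to looking for a separate CRL-signing key issued by the Root CA (verifyWithSeparateSigningKey / buildToNewKey), which is the indirect-CRL search described in the question; that search finds nothing, hence "unable to find valid certification path to requested target". In other words, a CRL signed by the intermediate can vouch for the user certificate but says nothing about the intermediate itself; with NO_FALLBACK set, every certificate below the trust anchor needs a CRL from its own issuer. The following diagnostic is an added example, not code from the question or from Spring-WS/WSS4J: it reports, per certificate in the path, whether a CRL from that certificate's issuer is present and correctly signed, and then runs the same PKIX validation with the Root CA as the only trust anchor. The class name CrlCoverageCheck and all file paths are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;

/** Added diagnostic (not from the original post); file names below are placeholders. */
public class CrlCoverageCheck {

    static X509Certificate loadCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    static X509CRL loadCrl(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509CRL) cf.generateCRL(in);
        }
    }

    /**
     * For every certificate in the path, looks for a CRL whose issuer equals the
     * certificate's issuer and whose signature verifies under that issuer's key.
     * PKIX needs such a CRL for each path element below the trust anchor; the
     * trust anchor itself is never revocation-checked.
     */
    static Map<X500Principal, Boolean> crlCoverage(List<X509Certificate> path,
                                                   Map<X500Principal, PublicKey> issuerKeys,
                                                   Collection<X509CRL> crls) {
        Map<X500Principal, Boolean> coverage = new LinkedHashMap<>();
        for (X509Certificate cert : path) {
            X500Principal issuer = cert.getIssuerX500Principal();
            PublicKey key = issuerKeys.get(issuer);
            boolean covered = false;
            for (X509CRL crl : crls) {
                if (key == null || !crl.getIssuerX500Principal().equals(issuer)) continue;
                try {
                    crl.verify(key);      // signature must chain to the certificate's issuer
                    covered = true;
                    break;
                } catch (Exception e) {   // wrong key or tampered CRL: keep looking
                }
            }
            coverage.put(cert.getSubjectX500Principal(), covered);
        }
        return coverage;
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root = loadCert(cf, "root-ca.pem");                 // placeholder path
        X509Certificate intermediate = loadCert(cf, "intermediate-ca.pem"); // placeholder path
        X509Certificate user = loadCert(cf, "user.pem");                    // placeholder path
        List<X509CRL> crls = new ArrayList<>();
        crls.add(loadCrl(cf, "intermediate-issued.crl")); // signed by the intermediate, covers end-entity certs
        crls.add(loadCrl(cf, "root-issued.crl"));         // signed by the root, covers the intermediate

        Map<X500Principal, PublicKey> issuerKeys = new HashMap<>();
        issuerKeys.put(root.getSubjectX500Principal(), root.getPublicKey());
        issuerKeys.put(intermediate.getSubjectX500Principal(), intermediate.getPublicKey());

        List<X509Certificate> path = Arrays.asList(user, intermediate);
        crlCoverage(path, issuerKeys, crls).forEach((subject, ok) ->
                System.out.println((ok ? "CRL present for " : "NO CRL for ") + subject.getName()));

        // Full PKIX validation: the root is the only trust anchor, so both the user
        // certificate and the intermediate are revocation-checked against the CertStore.
        PKIXParameters params = new PKIXParameters(Set.of(new TrustAnchor(root, null)));
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) validator.getRevocationChecker();
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS,
                                 PKIXRevocationChecker.Option.NO_FALLBACK));
        params.setRevocationEnabled(false); // the explicit checker replaces the default one
        params.addCertPathChecker(rc);
        try {
            validator.validate(cf.generateCertPath(path), params);
            System.out.println("path valid, nothing revoked");
        } catch (CertPathValidatorException e) {
            // getReason() is REVOKED for a listed certificate and
            // UNDETERMINED_REVOCATION_STATUS when no usable CRL was found;
            // getIndex() is the position in the path (0 = user certificate).
            System.out.println("rejected: " + e.getReason() + " at index " + e.getIndex()
                    + ": " + e.getMessage());
        }
    }
}
```

If only a CRL issued by the intermediate is available (the situation the log shows), the coverage report will print "NO CRL for" the intermediate, and the PKIX run ends with UNDETERMINED_REVOCATION_STATUS at index 1 rather than REVOKED at index 0. The two ways to get a decisive answer are to obtain the Root CA's CRL so that the intermediate is covered too, or to validate the path [user] with the intermediate as the sole trust anchor, which by design checks only the user certificate's status; listing both root and intermediate as anchors, as the question's code does, does not help, because the validator still chains the intermediate up to the root and checks it.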
The Modified setting is here, vrrp_script chk_haproxy { # Requires keepalived-1.1.13 script "/usr/bin/pkill -0 haproxy" # cheaper than pidof interval 2 # check every 2 seconds weight 2 # add 2 points of priority if OK } vrrp_instance real { interface ens10 # changed it from eth0 state MASTER virtual_router_id 51 priority 101 # 101 on primary, 100 on secondary unicast_src_ip 192.168.0.3 unicast_peer { 192.168.0.2 } authentication { auth_type PASS auth_pass password } virtual_ipaddress { 11.23.10.19/32 dev eth0 label eth0:1 } track_script { chk_haproxy } notify "/etc/keepalived/master.sh" #notify_backup "/etc/keepalived/master.sh" #notify_fault "/etc/keepalived/master.sh" }
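As an added example, not the poster's script and not part of the original post, here is a POSIX sh notify script for the same vrrp_instance that decides what to do from the target-state argument keepalived passes to a notify script ($1 = "GROUP" or "INSTANCE", $2 = instance name, $3 = MASTER/BACKUP/FAULT, per keepalived.conf(5)) instead of from the hostname, so the floating IP is pulled only by the node that actually became MASTER. It also keeps the API token in a root-only file rather than in the script, and wraps the retry loop in a function. The token path /etc/keepalived/hetzner.token, the MY_SERVER_ID and FLOATING_IP_ID placeholders, and the ASSIGN_CMD default (any command taking a floating IP id and a server id, such as the assign-ip script above) are assumptions of this example.

```shell
#!/bin/sh
# Example keepalived notify script (constructed for illustration, not the poster's code).
# keepalived calls it as: master.sh INSTANCE <name> <MASTER|BACKUP|FAULT> [<priority>]
TOKEN_FILE="${TOKEN_FILE:-/etc/keepalived/hetzner.token}"   # assumed path; must be mode 0600, owned by root
MY_SERVER_ID="${MY_SERVER_ID:-<this_server_id>}"            # placeholder: Hetzner server id of THIS node
FLOATING_IP_ID="${FLOATING_IP_ID:-<floating_ip_id>}"        # placeholder: the floating IP to move
ASSIGN_CMD="${ASSIGN_CMD:-/usr/local/bin/assign-ip}"        # assumed: <cmd> <floating_ip_id> <server_id>

log() {
    if command -v logger >/dev/null 2>&1; then logger -t keepalived-notify "$*"; else echo "$*" >&2; fi
}

# decide_action TYPE NAME STATE -> prints "assign" when this node became MASTER, else "noop".
# On BACKUP/FAULT/STOP we do nothing: the node that wins the election pulls the IP itself.
decide_action() {
    case "$3" in
        MASTER) echo assign ;;
        *)      echo noop ;;
    esac
}

# load_token FILE -> prints the token; refuses files readable by group or others.
load_token() {
    f="$1"
    [ -f "$f" ] || { echo "token file $f missing" >&2; return 1; }
    perms=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU stat, then BSD stat
    case "$perms" in
        600|0600|400|0400) ;;
        *) echo "token file $f has mode $perms, expected 0600" >&2; return 1 ;;
    esac
    tr -d '\n' < "$f"
}

# retry_assign CMD FLOATING_IP_ID SERVER_ID [TRIES] [DELAY] -> 0 once CMD succeeds, 1 after TRIES failures.
retry_assign() {
    cmd="$1"; fip="$2"; srv="$3"; tries="${4:-10}"; delay="${5:-3}"
    attempt=0
    while [ "$attempt" -lt "$tries" ]; do
        if "$cmd" "$fip" "$srv"; then return 0; fi
        attempt=$((attempt + 1))
        sleep "$delay"
    done
    return 1
}

main() {
    action=$(decide_action "$1" "$2" "$3")
    log "instance=$2 state=$3 action=$action"
    [ "$action" = assign ] || return 0
    API_TOKEN=$(load_token "$TOKEN_FILE") || return 1
    export API_TOKEN                       # assign-ip reads the token from the environment
    retry_assign "$ASSIGN_CMD" "$FLOATING_IP_ID" "$MY_SERVER_ID"
}

# Only act when keepalived supplies the three notify arguments.
if [ "$#" -ge 3 ]; then main "$@"; fi
```

Install it as /etc/keepalived/master.sh, create the token file with chmod 0600 and root ownership, and keep notify "/etc/keepalived/master.sh" in the vrrp_instance block with no extra parameters on that line, since keepalived appends its own. With keepalived's enable_script_security option set, the script path must also not be writable by non-root users or keepalived will refuse to run it.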