How to resolve certificate error in Emacs 25.1 (Windows)? - emacs

I am trying to get packages using Straight.el from my .emacs file. It uses gnutls-cli to fetch them. Since Emacs reported that the connection failed, I ran the command from the command prompt.
The following is the error message I am getting. Thanks in advance.
$ ./gnutls-cli --x509cafile nil -p 443 raw.githubusercontent.com
Resolving 'raw.githubusercontent.com'...
Connecting to '185.199.108.133:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `C=US,ST=California,L=San Francisco,O=GitHub\, Inc.,CN=*.github.io', issuer `C=US,O=DigiCert Inc,CN=DigiCert TLS RSA SHA256 2020 CA1', RSA key 2048 bits, signed using RSA-SHA256, activated `2022-03-18 00:00:00 UTC', expires `2023-03-21 23:59:59 UTC', SHA-1 fingerprint `8f0e792471c5a7d2a7467630c13cb72a13b001b2'
Public Key ID:
340d31153bfb96af64ef26fcc00cc8da0d2071d8
Public key's random art:
+--[ RSA 2048]----+
| .o. +oo. |
| .oE + . |
| . . o + |
| . + o o |
| S o |
| o o = . |
| . . ..X |
| +o+. |
| .*= |
+-----------------+
- Certificate[1] info:
- subject `C=US,O=DigiCert Inc,CN=DigiCert TLS RSA SHA256 2020 CA1', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Global Root CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2021-04-14 00:00:00 UTC', expires `2031-04-13 23:59:59 UTC', SHA-1 fingerprint `1c58a3a8518e8759bf075b76b750d4f2df264fcd'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
Error setting the x509 trust file
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

Related

How was this sample's digital certificate forged?

I found a PE file. When I check its digital certificate, I find that Windows XP can identify the digital cert, but Windows 10 cannot; VirusTotal also shows that this file is not signed.
Is this a fake digital cert?
How was this made to happen?
winxp info: [screenshot]
win10 info: [screenshot]
Windows XP used SHA-1 hashes in the signatures, which are not supported on Windows 10:
Source:
The following table shows which OS's support SHA-1 and SHA-256 code signatures:
+---------------------+-------------------------------+------------------------------+
| Windows OS | SHA-1 | SHA-256 |
+---------------------+-------------------------------+------------------------------+
| XP SP3, Server 2003 | Yes | No (need KB968730, KB938397) |
| Vista, Server 2008 | Yes | No (need KB2763674) |
| 7, Server 2008 R2 | No (if signed after 1/1/2016) | Yes (with latest updates) |
| 8.1, Server 2012 R2 | No (if signed after 1/1/2016) | Yes |
| 10, Server 2016 | No (if signed after 1/1/2016) | Yes |
+---------------------+-------------------------------+------------------------------+

PowerShell modules update fails after replacing code signing certificate

We recently renewed our code signing certificate which I also use for signing PowerShell modules.
The original certificate was from VeriSign which was acquired by DigiCert and they are now the CA. This causes our PowerShell modules update to fail because the old modules and the new modules were signed by different root CAs:
PackageManagement\Install-Package : Authenticode issuer 'CN=XXX, O=XXX, L=XXX, C=XXX' of the new module 'MODULE' with version '1.0.x'
from root certificate authority 'CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US' is not matching with the authenticode issuer 'CN=XXX, O=XXX, L=XXX, C=XXX' of the previously-installed module 'MODULE' with version '1.0.y' from root certificate authority 'CN=VeriSign Class 3
Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US'. If you still
want to install or update, use -SkipPublisherCheck parameter.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\2.2.4\PSModule.psm1:9807 char:50
+ ... talledPackages = PackageManagement\Install-Package #PSBoundParameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Exception
+ FullyQualifiedErrorId : AuthenticodeIssuerMismatch,Validate-ModuleAuthenticodeSignature,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage
Does anyone have any idea how this can be solved?

WinSCP SSH error Unknown command 'ssh-rsa'

Context: I have CSV files I'm outputting from SQL Server through BCP. I'm trying to securely transfer the files to a remote SFTP folder using WinSCP.
Details: When I execute the batch file below through PowerShell, I get the error 'Unknown command 'ssh-rsa'', and the log file shows exit code = 1, which is failure.
Here is what my synchronization file looks like...
option batch abort
option confirm off
open sftp://username:password#sftp.redacted.com -hostkey="ssh-rsa 2048 redacted=ssh-rsa 2048 redacted"
synchronize remote D:\redactedDaily_Reports\redacted_Catalog_New_Item /upload/redacted_catalog
exit
and my batch file...
winscp.com /script=SyncTo_redacted_catalog.txt /log=D:\redacted_Daily_Reports\winscp_log_catalog.txt
pause
Here is a snippet of my PowerShell output and log file...
PowerShell output
. 2019-03-06 23:39:28.379 Access granted
. 2019-03-06 23:39:28.379 Opening session as main channel
. 2019-03-06 23:39:28.447 Opened main channel
. 2019-03-06 23:39:28.583 Started a shell/command
. 2019-03-06 23:39:28.583 --------------------------------------------------------------------------
. 2019-03-06 23:39:28.584 Using SFTP protocol.
. 2019-03-06 23:39:28.584 Doing startup conversation with host.
> 2019-03-06 23:39:28.584 Type: SSH_FXP_INIT, Size: 5, Number: -1
< 2019-03-06 23:39:28.769 Type: SSH_FXP_VERSION, Size: 95, Number: -1
. 2019-03-06 23:39:28.769 SFTP version 3 negotiated.
. 2019-03-06 23:39:28.769 Unknown server extension posix-rename#openssh.com="1"
. 2019-03-06 23:39:28.769 Supports statvfs#openssh.com extension version "2"
. 2019-03-06 23:39:28.769 Unknown server extension fstatvfs#openssh.com="2"
. 2019-03-06 23:39:28.769 We believe the server has signed timestamps bug
. 2019-03-06 23:39:28.769 We will use UTF-8 strings until server sends an invalid UTF-8 string as with SFTP version 3 and older UTF-8 strings are not mandatory
. 2019-03-06 23:39:28.769 Limiting packet size to OpenSSH sftp-server limit of 262148 bytes
. 2019-03-06 23:39:28.769 Getting current directory name.
. 2019-03-06 23:39:28.769 Getting real path for '.'
> 2019-03-06 23:39:28.769 Type: SSH_FXP_REALPATH, Size: 10, Number: 16
< 2019-03-06 23:39:28.837 Type: SSH_FXP_NAME, Size: 23, Number: 16
. 2019-03-06 23:39:28.837 Real path is '/'
. 2019-03-06 23:39:28.837 Startup conversation with host finished.
< 2019-03-06 23:39:28.837 Script: Active session: [1] redacted#sftp.redacted.com
> 2019-03-06 23:39:28.838 Script: ssh-rsa 2048 redacted
< 2019-03-06 23:39:28.838 Script: Unknown command 'ssh-rsa'.
. 2019-03-06 23:39:28.838 Script: Failed
. 2019-03-06 23:39:28.838 Script: Exit code: 1
. 2019-03-06 23:39:28.838 Closing connection.
. 2019-03-06 23:39:28.838 Sending special code: 12
. 2019-03-06 23:39:28.838 Sent EOF message
Questions:
Why am I raising this error & how do I fix it?
Is this error trying to tell me that I'm using an incorrect key-fingerprint -- If so, why is that the case when a) I obtained this key directly from the server when I connected successfully the first time and b) the log file appears to show the initial connection was successful?
Please help. Any tips or recommendations are greatly appreciated; responses will probably reach a decent-sized audience given that WinSCP is a pretty popular utility. I've done my research here, here, here, here, here, here and here and haven't found a suitable solution.
This is nonsense:
-hostkey="ssh-rsa 2048 redacted=ssh-rsa 2048 redacted"
(where have you seen such a strange syntax?)
It should be like:
-hostkey="ssh-rsa 2048 xxxxxxxxxxx...="
Though it does not really explain the error message you are getting – unless there are some special characters (like double quotes) in the redacted part.
In general, the easiest way is to have the WinSCP GUI generate a correct script template for you.
Or, if you want to go a manual way, see:
Where do I get SSH host key fingerprint to authorize the server?
Particularly the section "Automatic host key verification" (though you will want to read the article from the beginning).
I'm aware that you refer to this article yourself. But then I do not understand how you could have arrived at your strange syntax.
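The answer above comes down to feeding WinSCP a correctly formed host key fingerprint. As an added example (not part of the original question or answer, and not WinSCP's own code), the Python below takes a host key line as it appears in a known_hosts file or in ssh-keyscan output, checks that the base64 blob really is a key of the declared type, extracts the RSA modulus size, derives the SHA-256 and MD5 fingerprints, and assembles a -hostkey option in the `ssh-rsa 2048 xxxx...=` shape shown in the answer. The host name and the key material (a 2048-bit value that is not a real RSA modulus) are constructed, and the padded-base64 SHA-256 form for the -hostkey value is an assumption taken from the answer's example; confirm the exact accepted form against the WinSCP article linked above.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint: big-endian two's complement, so a leading 0x00 is added when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Read one SSH string from blob at offset; return (bytes, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated SSH key blob")
    return blob[start:start + length], start + length


def build_rsa_blob(e: int, n: int) -> bytes:
    """Encode an ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n (RFC 4253)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def sample_hostkey_line() -> str:
    # Constructed sample: e = 65537 and a 2048-bit number that is NOT a real RSA modulus,
    # only shaped like one so the parser sees realistic input. The host name is fictitious.
    n = (1 << 2047) | 0x10001
    blob = build_rsa_blob(65537, n)
    return "sftp.example.com ssh-rsa " + base64.b64encode(blob).decode()


def parse_hostkey_line(line: str) -> dict:
    """Parse 'host type base64' (known_hosts / ssh-keyscan) or 'type base64 [comment]' lines
    and return the key type, RSA modulus bits, and the fingerprints WinSCP/OpenSSH display."""
    parts = line.split()
    if len(parts) >= 3 and not parts[0].startswith(("ssh-", "ecdsa-")):
        host, keytype, b64 = parts[0], parts[1], parts[2]
    elif len(parts) >= 2:
        host, keytype, b64 = None, parts[0], parts[1]
    else:
        raise ValueError("not a host key line")
    blob = base64.b64decode(b64, validate=True)
    inner_type, offset = _read_string(blob, 0)
    # The type inside the blob must agree with the declared type; a mismatch means the
    # line was edited or mis-pasted, exactly the kind of error that yields a bogus -hostkey.
    if inner_type.decode("ascii") != keytype:
        raise ValueError(f"declared type {keytype!r} does not match blob type {inner_type!r}")
    bits = None
    if keytype == "ssh-rsa":
        _e_raw, offset = _read_string(blob, offset)
        n_raw, _ = _read_string(blob, offset)
        bits = int.from_bytes(n_raw, "big").bit_length()
    sha = hashlib.sha256(blob).digest()
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "host": host,
        "type": keytype,
        "bits": bits,
        "sha256_openssh": "SHA256:" + base64.b64encode(sha).decode().rstrip("="),
        "sha256_padded": base64.b64encode(sha).decode(),
        "md5": ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),
    }


def is_valid_hostkey_line(line: str) -> bool:
    """True when the line parses and its declared and embedded key types agree."""
    try:
        parse_hostkey_line(line)
        return True
    except ValueError:
        return False


def winscp_hostkey_option(info: dict) -> str:
    """Assumed WinSCP form from the answer above: -hostkey="ssh-rsa 2048 <base64 SHA-256>="."""
    return f'-hostkey="{info["type"]} {info["bits"]} {info["sha256_padded"]}"'


if __name__ == "__main__":
    info = parse_hostkey_line(sample_hostkey_line())
    print(info["host"], info["type"], info["bits"])
    print("OpenSSH form:", info["sha256_openssh"])
    print("MD5 form:    ", info["md5"])
    print("WinSCP form: ", winscp_hostkey_option(info))
```

Run it against a real line with `ssh-keyscan -t rsa sftp.example.com | python3 hostkey.py` after replacing the sample with `sys.stdin.readline()`; the point of computing the fingerprint yourself from a key obtained out-of-band is that the value you pin in the script never depends on whatever the server presents at run time.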

Unable to see Glassfish logs in eclipse console

I am unable to see Glassfish's log in the eclipse console.
I have tried right-clicking on the GlassFish server in Servers -> Glassfish -> View log file but it shows me a file which ends with this:
2018-09-04T18:36:51.945+0100|Severe: The SSL certificate has expired: [
[
Version: V3
Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 135786214035069526348186531221551781468391756233528066061569654028671100866720352830303278016129003918213826297308054231261658522889438712013757624116391437358730449661353175673177742307421061340003741057138887918110217006515773038453829253517076741780039735595086881329494037450587568122088113584549069375417
public exponent: 65537
Validity: [From: Sat Aug 22 17:41:51 BST 1998,
To: Wed Aug 22 17:41:51 BST 2018]
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
SerialNumber: [ 35def4cf]
Certificate Extensions: 7
[1]: ObjectId: 1.2.840.113533.7.65.0 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 0D 30 0B 1B 05 56 33 2E 30 63 03 02 06 C0 ..0...V3.0c....
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O3
0010: 98 90 9F D4 ....
]
]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[CN=CRL1, OU=Equifax Secure Certificate Authority, O=Equifax, C=US]
which does not change at all, whether I stop, restart, or run a webapp on the GF server, etc. If I actually look at the file (...\glassfish5\glassfish\domains\domain1\logs\server.log) I find that the content it is showing is at around line 5400 and there are actually 8600 lines in the server.log file, so there are actually over 3000 more lines in the server.log file beyond the last ones that are shown in eclipse. For example, the timestamp in the log extract is 18:36 but the current time is 21:21 and the current tail of the file is this:
[2018-09-04T21:02:45.234+0100] [glassfish 5.0] [INFO] [AS-WEB-GLUE-00172] [javax.enterprise.web] [tid: _ThreadID=100 _ThreadName=Thread-23] [timeMillis: 1536091365234] [levelValue: 800] [[
Loading application [__admingui] at [/]]]
[2018-09-04T21:02:45.235+0100] [glassfish 5.0] [INFO] [NCLS-CORE-00022] [javax.enterprise.system.core] [tid: _ThreadID=100 _ThreadName=Thread-23] [timeMillis: 1536091365235] [levelValue: 800] [[
Loading application __admingui done in 2,175 ms]]
[2018-09-04T21:14:29.419+0100] [glassfish 5.0] [INFO] [] [] [tid: _ThreadID=30 _ThreadName=Thread-8] [timeMillis: 1536092069419] [levelValue: 800] [[
doGet - name=null]]
Furthermore, the server.log file, when I open it in Notepad++, maddeningly does not refresh when the file is modified. I have to reload it from disk to see changes in the file.
Consequently, the only way it seems that I can actually monitor this log file is by using a tail -f from cygwin.
Does anyone have any ideas how to fix this, in particular how I can see GlassFish's log output, including SOPs, in real time in eclipse? It works fine in NetBeans.
Thanks very much for any help.
EDIT
I have noticed that when I restart the server, in eclipse's console the server.log file is re-read, but always (it seems) only up to the same point: the bit where the severe warning about the SSL certificate expiry appears:
2018-09-04T23:27:33.879+0100|Info: visiting unvisited references
2018-09-04T23:27:34.425+0100|Severe: The SSL certificate has expired: [
[
Version: V3
Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 135786214035069526348186531221551781468391756233528066061569654028671100866720352830303278016129003918213826297308054231261658522889438712013757624116391437358730449661353175673177742307421061340003741057138887918110217006515773038453829253517076741780039735595086881329494037450587568122088113584549069375417
public exponent: 65537
Validity: [From: Sat Aug 22 17:41:51 BST 1998,
To: Wed Aug 22 17:41:51 BST 2018]
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
SerialNumber: [ 35def4cf]
Certificate Extensions: 7
[1]: ObjectId: 1.2.840.113533.7.65.0 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 0D 30 0B 1B 05 56 33 2E 30 63 03 02 06 C0 ..0...V3.0c....
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O3
0010: 98 90 9F D4 ....
]
]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[CN=CRL1, OU=Equifax Secure Certificate Authority, O=Equifax, C=US]
Here, the server.log stops. No further content from the server.log file ever appears in eclipse's console.
What's strange is that, on a fresh GlassFish install, it initially isn't a problem and everything is logged as expected. But after a while, the log will become empty.
I finally found that removing the expired certificates from glassfish returns logging to normal.
What I did:
Figure out the aliases for the expired certificates. Run:
cd domains/<domain>/config
keytool -v -list -keystore cacerts.jks
For example you'll see that the equifax you've mentioned will resolve to the following alias: equifaxsecureca
Remove the certificate from your certs file. Run:
keytool -delete -keystore cacerts.jks -alias equifaxsecureca -storePass changeit
For convenience, the script below is what I currently (28th July) use on GlassFish and Payara.
cd ${GLASSFISH_HOME}/glassfish/domains/domain1/config/ && \
for cert in "equifaxsecureca" "gtecybertrustglobalca" "utnuserfirstclientauthemailca" "deutschetelekomrootca2" "secomvalicertclass1ca" "valicertclass2ca" "entrustsslca" "certplusclass2primaryca" "certplusclass3pprimaryca" "utndatacorpsgcca" "utnuserfirstobjectca" "utnuserfirstobjectca [jdk]" "utnuserfirsthardwareca" "cert_45_deutsche_telekom_root_ca_245" "cert_29_certplus_class_2_primary_ca29" "cert_38_deutsche_telekom_root_ca_238" "utnuserfirsthardwareca [jdk]" "certplusclass3pprimaryca [jdk]" "certplusclass2primaryca [jdk]" "utnuserfirstclientauthemailca [jdk]"; \
do \
keytool -delete -keystore cacerts.jks -alias "$cert" -storePass changeit || echo "cert not present";\
done
keytool can be found in your jdk/bin folder.
The same applies to payara as well.
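The script above hard-codes the aliases it deletes; the first manual step, finding which entries have actually expired, is the part worth automating, since the list of stale roots differs between JDK and GlassFish/Payara releases. The Python below is an added example (not from the answer above and not part of GlassFish, Payara or keytool) that parses `keytool -v -list` output, reports every alias whose first certificate has expired relative to a reference date, and prints the corresponding `keytool -delete` commands for review instead of running them. The sample output embedded in it is constructed: the Equifax entry reuses the alias and validity dates quoted on this page, and the second entry is a fictitious, still-valid CA.

```python
import re
from datetime import datetime

# Constructed sample of `keytool -v -list -keystore cacerts.jks` output with two entries.
# The first mirrors the expired Equifax root discussed above; the second is fictitious.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: equifaxsecureca
Creation date: Jan 15, 2016
Entry type: trustedCertEntry

Owner: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Serial number: 35def4cf
Valid from: Sat Aug 22 17:41:51 BST 1998 until: Wed Aug 22 17:41:51 BST 2018


*******************************************
*******************************************


Alias name: examplerootca
Creation date: Jan 15, 2016
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Org, C=US
Issuer: CN=Example Root CA, O=Example Org, C=US
Serial number: 0123abcd
Valid from: Fri Nov 10 00:00:00 GMT 2006 until: Mon Nov 10 00:00:00 GMT 2031
"""

VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$")


def parse_keytool_date(text: str) -> datetime:
    """Parse keytool's 'Sat Aug 22 17:41:51 BST 1998' form. strptime cannot parse arbitrary
    zone names, so the zone token is dropped and a naive datetime is returned; the offset is
    at most a few hours, which does not matter for an expiry check."""
    parts = text.strip().split()
    if len(parts) != 6:
        raise ValueError(f"unexpected keytool date: {text!r}")
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")


def parse_keytool_list(output: str) -> list:
    """One dict per keystore entry: alias, entry type, and the validity window of the first
    certificate printed for it (for a PrivateKeyEntry that is the end-entity certificate)."""
    entries = []
    current = None
    for line in output.splitlines():
        if line.startswith("Alias name:"):
            current = {"alias": line[len("Alias name:"):].strip(), "type": None,
                       "not_before": None, "not_after": None}
            entries.append(current)
        elif current is None:
            continue  # header lines before the first entry
        elif line.startswith("Entry type:"):
            current["type"] = line[len("Entry type:"):].strip()
        elif current["not_after"] is None:
            m = VALID_RE.match(line)
            if m:
                current["not_before"] = parse_keytool_date(m.group(1))
                current["not_after"] = parse_keytool_date(m.group(2))
    return entries


def find_expired(output: str, now: str) -> list:
    """(alias, not_after) for entries whose certificate expired before `now` (ISO 8601)."""
    reference = datetime.fromisoformat(now)
    return [(e["alias"], e["not_after"]) for e in parse_keytool_list(output)
            if e["not_after"] is not None and e["not_after"] < reference]


def delete_commands(expired, keystore: str = "cacerts.jks") -> list:
    """keytool invocations that would remove the expired aliases; returned, not executed,
    so an operator can review them (the default store password is the one quoted above)."""
    return [f'keytool -delete -keystore {keystore} -alias "{alias}" -storepass changeit'
            for alias, _ in expired]


if __name__ == "__main__":
    expired = find_expired(SAMPLE_KEYTOOL_OUTPUT, "2019-01-01")
    for alias, until in expired:
        print(f"{alias}: expired {until:%Y-%m-%d}")
    print("\n".join(delete_commands(expired)))
```

To run it against a real trust store, replace `SAMPLE_KEYTOOL_OUTPUT` with `sys.stdin.read()` and pipe in `keytool -v -list -keystore cacerts.jks -storepass changeit`; entries are reported, not deleted, so nothing changes until the printed commands are run deliberately.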

no name alias in keystore file (P12)

I received a keystore file fac_sign.p12, with its keystore password, to get production access, but when I view the details of the certificate there is no alias name with which to get the certificate. Below is the result (only the top lines copied) when I run the command
keytool -list -v -keystore usr/local/HIService/Keys/fac_sign.p12 -storetype PKCS12
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name:
Creation date: Jan 15, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=Specialist :7786786786, OU=Specialist, O=Specialist, L=MT HELEN, ST=VIC, C=AU
Issuer: CN=Medicare Australia Organisation Certification Authority, OU=Medicare Australia, O=GOV, C=AU
Serial number: 4abcd
Valid from: Wed Feb 19 12:40:07 EST 2014 until: Tue Feb 19 12:39:59 EST 2019
Certificate fingerprints:
MD5: 4C:B2:A4:6C:5D:B7:71:7A:35:4A:39:33:D7:87:64:93
SHA1: C7:46:01:A3:B9:A6:E4:D3:7E:5D:98:9D:D3:22:B9:7A:B6:D1:79:66
In the Java code, the line below returns NULL because keystoreAlias is "":
(KeyStore.PrivateKeyEntry) keystore.getEntry(keystoreAlias,new KeyStore.PasswordProtection(keystorePassword.toCharArray()));
Please suggest.
I had the same problem because OpenJDK 8/9 has a bug which prevents loading keys with empty aliases. But it's easy to change the alias using keytool.
keytool -changealias -alias "" -destalias "new-alias" -keystore ./keystore.p12
Open with "keystore explorer" (http://keystore-explorer.org/downloads.html), change alias field and save.