Where does "ipsec import" store the certificate file?

I'm now setting up a libreswan server and client.
Basically, I'm trying to follow the procedure described here:
https://kifarunix.com/setup-ipsec-vpn-server-with-libreswan-on-centos-8/
I created a client certificate, aaa.bbb.p12, on the server machine using the pk12util command,
copied it to the client machine and imported it using ipsec import aaa.bbb.p12.
ipsec import aaa.bbb.p12 was successful.
But I don't know where this file is stored when the ipsec import command is executed.
Is there any way I can browse this certificate file using a certain command?

I found something, but it's not perfect.
I copied aaa.bbb.p12 and used the ipsec command like below:
# ipsec import ./aaa.bbb.p12 --nssdir /etc/ipsec.d/certsdb
Then I can see the certificate using the command below:
# certutil -L -d sql:/etc/ipsec.d/certsdb
But I still have one more problem.
If I import one more certificate file, such as aaa.ccc.p12, it is imported, but it does not display the certificate's name.
Even though I imported both aaa.bbb.p12 and aaa.ccc.p12, the command below shows only aaa.bbb, twice:
# certutil -L -d sql:/etc/ipsec.d/certsdb
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
aaa.bbb                                                      u,u,u
aaa.bbb                                                      u,u,u

Related

curl "Failed to import cert file client.crt" in Command Prompt and PowerShell; works fine in Git Bash

I am using Windows.
When I run the following curl command through Git Bash it works fine:
curl --cacert ca.crt --key client.key --cert client.crt "https://myurl"
However, if I try to run the same command in Command Prompt or PowerShell, I get this error:
curl: (58) schannel: Failed to import cert file client.crt, last error is 0x80092002
What do I need to do to get the command working in Command Prompt or PowerShell?
The Windows version of curl.exe is not configured to work with OpenSSL, but Git's is.
So, to make sure that whenever I typed 'curl' into a command prompt it was using Git's version of curl, I added the path to Git's curl (C:\Program Files\Git\mingw64\bin) to the system environment variables and moved it right to the top, so it finds Git's curl before it finds Windows's curl.
After that, restarting the command prompt resolved the issue.
You are providing your client certificate in the wrong format. curl requires the certificate in the PEM format (source):
-E/--cert <certificate[:password]>
(SSL) Tells curl to use the specified certificate file when getting a file with
HTTPS or FTPS. The certificate must be in PEM format. If the optional password
isn't specified, it will be queried for on the terminal. Note that this option
assumes a "certificate" file that is the private key and the private
certificate concatenated! See --cert and --key to specify them independently.
If curl is built against the NSS SSL library then this option can tell curl the
nickname of the certificate to use within the NSS database defined by the
environment variable SSL_DIR (or by default /etc/pki/nssdb). If the NSS PEM
PKCS#11 module (libnsspem.so) is available then PEM files may be loaded. If you
want to use a file from the current directory, please precede it with "./"
prefix, in order to avoid confusion with a nickname.
If this option is used several times, the last one will be used.
Your certificate might be in the DER format or contain a whole certificate chain instead of your single client certificate.
In the curl manpage, it is described that on Windows it uses the schannel provider by default (which itself uses the Windows store). I am on the same errand now :-) trying to find a way to pass the certs from the command line and from local files.
Perhaps try importing the certs into the Windows store.
On our Windows 2019 server we have two curl.exe.
By default, version 7.83.1 was summoned.
The issue was solved by using version 7.54.1 and adding the full path to access it.
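The second answer above names two ways a file handed to --cert can be the "wrong format": it is DER rather than PEM, or it is a whole chain rather than the single client certificate. The following is an added example (not code from the thread or from curl) that inspects such a file and normalises it to one PEM CERTIFICATE block, the form curl's --cert option documents. SAMPLE_DER is a constructed ASN.1 SEQUENCE used only to exercise the DER branch; it is not a real certificate.

```python
import base64
import re

# Constructed sample: a tiny DER-encoded ASN.1 SEQUENCE, NOT a real certificate.
# It only exercises the DER branch; a real X.509 certificate also starts with 0x30.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07])

# One PEM block: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap raw DER bytes in a PEM block with the conventional 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def inspect_cert_file(data: bytes) -> dict:
    """Describe what a file handed to `curl --cert` actually contains.

    Reports the container format, how many CERTIFICATE blocks are present and
    whether a private key block travels in the same file (curl accepts a
    concatenated cert+key file, or the key separately via --key).
    """
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        labels = [lbl.decode("ascii") for lbl, _ in blocks]
        return {
            "format": "PEM",
            "certificates": labels.count("CERTIFICATE"),
            "has_private_key": any(lbl.endswith("PRIVATE KEY") for lbl in labels),
            "labels": labels,
        }
    if data[:1] == b"\x30":
        # DER always starts with the SEQUENCE tag 0x30; --cert wants PEM, so this
        # is the "wrong format" case the answer describes.
        return {"format": "DER", "certificates": 1, "has_private_key": False, "labels": []}
    return {"format": "unknown", "certificates": 0, "has_private_key": False, "labels": []}


def to_single_pem_cert(data: bytes) -> str:
    """Produce a PEM file holding exactly one CERTIFICATE block (the first, i.e. the leaf).

    Handles both failure modes named in the answer: a DER file (re-encoded as
    PEM) and a full chain (trimmed to the first block, the client certificate).
    """
    info = inspect_cert_file(data)
    if info["format"] == "DER":
        return der_to_pem(data)
    if info["format"] == "PEM":
        for label, body in PEM_BLOCK.findall(data):
            if label == b"CERTIFICATE":
                # Re-encode the decoded DER so line endings and wrapping are canonical.
                der = base64.b64decode(b"".join(body.split()))
                return der_to_pem(der)
        raise ValueError("PEM file contains no CERTIFICATE block")
    raise ValueError("file is neither PEM nor DER")


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    chain = pem + pem  # constructed "chain" of two identical blocks
    print(inspect_cert_file(SAMPLE_DER))
    print(inspect_cert_file(chain.encode()))
    print(to_single_pem_cert(chain.encode()), end="")
```

Run it against the real client.crt by reading the file as bytes; a result of "DER" or a certificate count above 1 explains the schannel import failure without touching any other curl build.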

Copy Files over SSH failed: "Error: Cannot parse privateKey: Unsupported key format."

I'm trying to copy files over SSH. I'm using the same SSH service connection, and it's just fine with other SSH tasks, but copying files seems to run into trouble. Here's what it looks like when I monitor for user logins:
sshd[32240]: Accepted publickey for azurePPL1 from 13.69.175.211 port 1984 ssh2: ECDSA SHA256:0...
and this seems to be fine, but it's not?
Here's the error Azure Pipelines is throwing:
Error: Failed to connect to remote machine. Verify the SSH service connection details. Error: Cannot parse privateKey: Unsupported key format.
Now, I would have suspected my SSH service connection configuration, but since other SSH tasks work, I'm not sure what it could be.
Any help is appreciated.
Using the same SSH Service Connection and it's just fine with other
SSH tasks but copying files seems to run into trouble
Since everything works for other SSH tasks using the same SSH service connection and only Copy Files over SSH has failed, it means there's no error in your SSH key pair or connection. In fact, the issue is related to the parser used in the Copy Files over SSH task.
See the function in the script of the copy file task, which is open source on GitHub: function run in CopyFileOverSSH.ts, and the definition of class SshHelper: sshhelper.ts. In fact, the Copy Files over SSH task uses the ssh2 npm package for the SSH connection and verification, and the error message you are facing is coming from there. The copy file task itself does not do any key parsing.
About key parsing, see this source function: keyParser.js. Go to line 1447 and you will see that it is the error message you received in the Azure DevOps task.
As far as I know, task v0.148 is using ssh2 library v0.8, but the ssh2 library has now been updated to v0.8.5.
So to solve this issue, please regenerate the key pair with the command ssh-keygen -t rsa -m PEM, to force ssh-keygen to export in PEM format. Then the key can work in the copy file task.
It's now clear that the Azure task is using an old version of ssh2
where Ed25519 keys are not supported, which results in this issue, so I'll just have to use RSA for now.
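Before re-generating keys for a pipeline it is useful to know what container format a private key is actually in: ssh-keygen writes Ed25519 keys only in its own openssh-key-v1 container, while ssh-keygen -t rsa -m PEM writes the classic PKCS#1 "RSA PRIVATE KEY" block the answer above recommends. The example below is added here and is not code from the thread, from ssh2 or from the Azure task; it reads the PEM label and, for the openssh-key-v1 container, parses the unencrypted header far enough to name the algorithm. The assumption it encodes, labelled in the code, is the answer's own recommendation: only the PKCS#1 RSA form is treated as not needing regeneration. build_sample_openssh_key() produces a constructed, unusable sample (dummy public value, dummy private section) so the parser can be exercised offline.

```python
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _pack_string(b: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string at `off`; return (value, new_offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _pem_body(text: str, label: str) -> bytes:
    m = re.search(rf"-----BEGIN {label}-----(.*?)-----END {label}-----", text, re.DOTALL)
    if m is None:
        raise ValueError(f"no {label} block")
    return base64.b64decode("".join(m.group(1).split()))


def classify_private_key(text: str) -> dict:
    """Report the container format and (where readable) the algorithm of an SSH private key.

    `needs_regeneration` is True for anything other than the PKCS#1 "RSA PRIVATE KEY"
    container that `ssh-keygen -t rsa -m PEM` writes, which is the form the answer
    recommends for the Copy Files over SSH task. ASSUMPTION: that recommendation is
    used as the rule here; this code makes no claim about which other forms a given
    ssh2 release parses.
    """
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        blob = _pem_body(text, "OPENSSH PRIVATE KEY")
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("OPENSSH PRIVATE KEY block without openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)      # "none" when unencrypted
        kdf, off = _read_string(blob, off)         # "none" or "bcrypt"
        _kdfopts, off = _read_string(blob, off)
        (nkeys,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        pub, off = _read_string(blob, off)         # public key blob, never encrypted
        algorithm, _ = _read_string(pub, 0)        # its first field is the key type name
        return {
            "container": "openssh-v1",
            "algorithm": algorithm.decode("ascii"),
            "encrypted": cipher != b"none",
            "kdf": kdf.decode("ascii"),
            "keys": nkeys,
            "needs_regeneration": True,
        }
    if "-----BEGIN RSA PRIVATE KEY-----" in text:
        return {"container": "pem-pkcs1", "algorithm": "ssh-rsa", "needs_regeneration": False}
    if "-----BEGIN EC PRIVATE KEY-----" in text:
        return {"container": "pem-sec1", "algorithm": "ecdsa", "needs_regeneration": True}
    if "-----BEGIN PRIVATE KEY-----" in text or "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:
        return {"container": "pem-pkcs8", "algorithm": "unknown", "needs_regeneration": True}
    return {"container": "unknown", "algorithm": "unknown", "needs_regeneration": True}


def build_sample_openssh_key(algorithm: bytes = b"ssh-ed25519") -> str:
    """CONSTRUCTED sample in the openssh-key-v1 container (NOT a usable key).

    Only the header and the public-key section follow ssh-keygen's layout; the
    private section is a dummy, so nothing here can be used to log in anywhere.
    """
    pub = _pack_string(algorithm) + _pack_string(b"\x00" * 32)   # dummy 32-byte public value
    private_section = b"\x00" * 16                                 # dummy
    blob = (
        OPENSSH_MAGIC
        + _pack_string(b"none")       # ciphername
        + _pack_string(b"none")       # kdfname
        + _pack_string(b"")           # kdfoptions
        + struct.pack(">I", 1)        # number of keys
        + _pack_string(pub)
        + _pack_string(private_section)
    )
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# CONSTRUCTED: header-only stand-in for what `ssh-keygen -t rsa -m PEM` produces.
SAMPLE_PEM_RSA = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"


if __name__ == "__main__":
    print(classify_private_key(build_sample_openssh_key()))
    print(classify_private_key(SAMPLE_PEM_RSA))
```

Pointing classify_private_key at the key pasted into the service connection shows at a glance whether the pipeline was handed an openssh-v1 Ed25519 key (the case in this thread) or the PEM RSA key the answer asks for.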

Add PFX to strong name CSP on VSTS

I have created a VSTO Add-in project which is signed using a password-protected PFX certificate and added the project to VSTS.
Now, while building, I get a "failed to import certificate" error. To fix that I need to import the PFX certificate, so, as suggested on different SO posts and by Microsoft support, I am trying to import the certificate using the sn tool as follows.
I created a .cmd (bat) file which has the following commands:
C:
cd C:\Program Files (x86)\Microsoft SDKs\Windows\v8.0A\bin\NETFX 4.0 Tools\
sn -i "%1\Sixmod5PFX\Sixmod5Certificate.pfx" VS_KEY_BD774ABB8BB29878
and added a Run batch script task to the build definition before the MSBuild step,
but, as we know, when we run this command on a local machine it prompts for a password which the user can enter.
The same thing happens on VSTS and fails, as it doesn't get the password.
Is there any way to solve this?
You need to set up a private build agent (e.g. Deploy an agent on Windows), then install the PFX certificate manually on that agent machine (i.e. run the command on the local machine and specify the password in the prompt window).

Problems using TeamCity command line to perform SSH remote login

I was wondering if anyone has tried using TeamCity's command line builder to perform SSH remote login.
Right now, I would like to automate some testing on a QNX Neutrino OS which is currently unsupported by TeamCity. As a workaround, I set up an SSH server on the target QNX machine so I could ssh and sftp the executables in.
Firstly, the sources are compiled on Windows XP using QNX's compiler (based on g++), followed by sftp-ing the executables into QNX Neutrino.
Next, using ssh, script the login to remotely start the test apps and send the results back to the remote agent for publishing.
The batch script I created works well standalone; however, after hooking it up on the remote agent, it fails to log in via ssh and hangs indefinitely at the following command:
ssh -l "./.sh"
Notes:
I have added the remote agent's RSA public key to the QNX .ssh/authorized_keys file; automatic login is working.
Is there a need to add the TeamCity server's RSA public key too?
Does anyone have any idea on this problem?
I had a few weird problems with key-based SSH logins on QNX related to file permissions for the keys in .ssh and permissions of parent folders (/home/username and /root).
Add
LogLevel DEBUG3
to /etc/openssh/sshd_config, make sure syslog is configured and is logging sshd output, restart sshd and try again; it will most likely complain about something.
Also, ssh -l "./.sh" makes no sense: -l is used to specify the user name, so something is off there.
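The permission problems the answer describes are what sshd's default StrictModes check enforces: the login user's home directory, ~/.ssh and authorized_keys must be owned by that user and must not be group- or world-writable, and a private key should be readable by its owner only. The following is an added example (not code from the thread, TeamCity or OpenSSH) that audits a home directory against those rules and applies the conventional modes; demo() builds a constructed home directory with the typical mistakes in a temporary directory, so it is safe to run and does not touch the real account. The file layout and names it creates are assumptions for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Modes sshd's default StrictModes check rejects: group/other write on the home
# directory, ~/.ssh and authorized_keys. Private keys should be owner-only.
OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
OTHER_ANY = stat.S_IRWXG | stat.S_IRWXO


def _private_keys(ssh_dir: Path):
    """Private key files by the usual id_* naming, excluding the .pub halves."""
    return [p for p in ssh_dir.glob("id_*") if p.suffix != ".pub" and p.is_file()]


def check_ssh_permissions(home: Path) -> list:
    """Return human-readable findings; an empty list means StrictModes should be satisfied."""
    findings = []
    ssh_dir = home / ".ssh"
    me = os.getuid() if hasattr(os, "getuid") else None
    for p in (home, ssh_dir, ssh_dir / "authorized_keys"):
        if not p.exists():
            findings.append(f"{p}: missing")
            continue
        st = p.stat()
        mode = stat.S_IMODE(st.st_mode)
        if me is not None and st.st_uid != me:
            findings.append(f"{p}: owned by uid {st.st_uid}, not the login user")
        if mode & OTHER_WRITE:
            findings.append(f"{p}: mode {mode:04o} is group/world-writable")
    for key in _private_keys(ssh_dir):
        mode = stat.S_IMODE(key.stat().st_mode)
        if mode & OTHER_ANY:
            findings.append(f"{key}: private key mode {mode:04o} is accessible to others")
    return findings


def fix_ssh_permissions(home: Path) -> None:
    """Apply the conventional modes: home without group/other write, .ssh 0700, files 0600."""
    ssh_dir = home / ".ssh"
    os.chmod(home, stat.S_IMODE(home.stat().st_mode) & ~OTHER_WRITE)
    if ssh_dir.is_dir():
        os.chmod(ssh_dir, 0o700)
        authorized = ssh_dir / "authorized_keys"
        if authorized.exists():
            os.chmod(authorized, 0o600)
        for key in _private_keys(ssh_dir):
            os.chmod(key, 0o600)


def demo() -> tuple:
    """Build a CONSTRUCTED home directory with typical mistakes, check, fix, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "qnxuser"
        ssh_dir = home / ".ssh"
        ssh_dir.mkdir(parents=True)
        (ssh_dir / "authorized_keys").write_text("ssh-rsa AAAAB3...constructed... agent@teamcity\n")
        (ssh_dir / "id_rsa").write_text("constructed placeholder, not a key\n")
        os.chmod(home, 0o755)                          # acceptable
        os.chmod(ssh_dir, 0o777)                       # world-writable .ssh: rejected
        os.chmod(ssh_dir / "authorized_keys", 0o664)   # group-writable: rejected
        os.chmod(ssh_dir / "id_rsa", 0o644)            # private key readable by others
        before = check_ssh_permissions(home)
        fix_ssh_permissions(home)
        after = check_ssh_permissions(home)
        return len(before), len(after)


if __name__ == "__main__":
    print("findings before/after fix:", demo())
```

On the QNX target, running check_ssh_permissions(Path("/home/username")) as that user lists the same complaints that LogLevel DEBUG3 would surface in the sshd log, without needing a restart first.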

Silently import a Certificate into a specific Certificate Store

I am attempting to import a certificate into the Current User -> Personal store using the command line: "importpfx -f [certificate name.p12] -p [password] -t USER -s Personal".
It works, but for reasons I don't understand there are now two Personal stores under Current User, and the imported certificate is in the new Personal store.
When I try to connect to the website of [a well-known money transfer service], it fails. However, if I manually import the certificate using MMC into the original Personal store, it works.
My question is: how can I force IMPORTPFX to import the certificate into the original Personal store, and how can I delete the new Personal store?
Context:
I need to do a silent import of certificates on 3000+ remote point-of-sale Windows XP devices, so it needs to be a silent install via PsExec (Sysinternals).
Thank you. Pieter.
“Personal” is just the friendly name of the certificate store, which is internally identified as My. You need to use
importpfx -f [certificate name.p12] -p [password] -t USER -s My