Why is the certificate rejected despite being installed?

When accessing a URL in my LAN using the web browser, I get a certificate error message:
In Firefox:
Warning: Potential Security Risk Ahead
In Internet Explorer:
This site is not secure
I download the certificate and import it using Windows PowerShell as admin:
> certutil -addstore -enterprise -f "Root" .\certificate.pem
Root "Trusted Root Certification Authorities"
Signature matches Public Key
Certificate "Certificate" added to store.
CertUtil: -addstore command completed successfully.
The issue isn't solved.
If I ping the IP address, I get a response. However, if I telnet to the IP:port using PuTTY, I get a pop-up window with the following error message:
Remote side unexpectedly closed network connection
How can I get my computer to accept the certificate?

Related

How to fix EF Core migration "The certificate chain was issued by an authority that is not trusted"

Connection String:
Data Source=<server>,<port>;Initial Catalog=<database>;User Id=<username>;Password=<password>?;MultipleActiveResultSets=true;Encrypt=True;TrustServerCertificate=false;Integrated Security=false;Trusted_Connection=true;Connection Timeout=30;
My connection string contains:
TrustServerCertificate=false
and I get this error:
A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)
When I have a connection string with this:
TrustServerCertificate=true
I get:
Login failed for user '<username>'. // <-- real username removed
The EF Core 7.0 breaking changes address this: https://learn.microsoft.com/en-us/ef/core/what-is-new/ef-core-7.0/breaking-changes
There are three ways to proceed:
1. Install a valid certificate on the server. Note that this is an involved process and requires obtaining a certificate and ensuring it is signed by an authority trusted by the client.
2. If the server has a certificate, but it is not trusted by the client, then TrustServerCertificate=True allows bypassing the normal trust mechanisms.
3. Explicitly add Encrypt=False to the connection string.
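The three options above differ only in two connection-string keys, so a small linter makes the choice visible. The following is an added example, not code from the question, the answer or the EF Core documentation. It parses SqlClient's key=value; syntax, classifies a string as one of the three options, and reports when two synonymous keys carry different values (the question's own string does this with Integrated Security=false and Trusted_Connection=true, which SqlClient treats as the same setting). The synonym table and the assumption that Encrypt defaults to true follow Microsoft.Data.SqlClient 4.0 and later, which EF Core 7 depends on; the sample strings are constructed.

```python
"""Lint a Microsoft.Data.SqlClient / EF Core connection string for its TLS settings.

Added example (not code from the question or answer above). It parses the
"key=value;" syntax SqlClient uses, reports which of the three options from the
answer a string has taken, and flags conflicting synonym keys. The strings
passed to it in the demo are constructed samples.
"""

# Keys SqlClient treats as synonyms, mapped to one canonical name.
SYNONYMS = {
    "encrypt": "encrypt",
    "trustservercertificate": "trustservercertificate",
    "trust server certificate": "trustservercertificate",
    "integrated security": "integrated security",
    "trusted_connection": "integrated security",
    "user id": "user id",
    "uid": "user id",
    "user": "user id",
}
TRUE_WORDS = {"true", "yes", "sspi"}  # "sspi" is only meaningful for Integrated Security


def parse_connection_string(conn):
    """Return (settings, pairs): settings maps canonical key -> last value seen
    (the builder's last-wins rule); pairs keeps every raw (canonical, key, value)."""
    settings, pairs = {}, []
    for part in conn.split(";"):
        if "=" not in part:
            continue  # empty segment or trailing ';'
        key, value = part.split("=", 1)
        key = key.strip().lower()
        value = value.strip().strip("'\"")
        canon = SYNONYMS.get(key, key)
        pairs.append((canon, key, value))
        settings[canon] = value
    return settings, pairs


def as_bool(value, default):
    return default if value is None else value.strip().lower() in TRUE_WORDS


def assess_tls(conn, encrypt_default=True):
    """Classify the transport security a connection string requests.

    encrypt_default=True mirrors Microsoft.Data.SqlClient 4.0+ (the EF Core 7
    behaviour): Encrypt is on unless the string turns it off. Pass False to see
    how the same string behaved under the older default."""
    settings, _ = parse_connection_string(conn)
    encrypt = as_bool(settings.get("encrypt"), encrypt_default)
    trust = as_bool(settings.get("trustservercertificate"), False)
    if not encrypt:
        return "unencrypted"            # option 3: client does not request TLS
    if trust:
        return "encrypted-unverified"   # option 2: TLS, but any server cert accepted
    return "encrypted-verified"         # option 1: TLS with chain validation


def lint(conn, encrypt_default=True):
    """Return a list of findings a reviewer would want to see for the string."""
    findings = []
    verdict = assess_tls(conn, encrypt_default)
    if verdict == "unencrypted":
        findings.append("Encrypt=False: login and data are sent without TLS "
                        "unless the server forces encryption")
    elif verdict == "encrypted-unverified":
        findings.append("TrustServerCertificate=True: the server certificate is not "
                        "validated, so any certificate presented to the client is accepted")
    settings, pairs = parse_connection_string(conn)
    first = {}
    for canon, raw, value in pairs:
        if canon in first and first[canon][1].lower() != value.lower():
            findings.append(f"'{first[canon][0]}' and '{raw}' are synonyms with different "
                            f"values ({first[canon][1]} vs {value}); the last one wins")
        first.setdefault(canon, (raw, value))
    if as_bool(settings.get("integrated security"), False) and "user id" in settings:
        findings.append("Integrated Security is on, so User Id/Password are ignored "
                        "and the process's Windows account is used to log in")
    return findings


if __name__ == "__main__":
    # Constructed sample in the shape of the question's connection string.
    sample = ("Data Source=srv,1433;Initial Catalog=db;User Id=app;Password=secret;"
              "Encrypt=True;TrustServerCertificate=false;"
              "Integrated Security=false;Trusted_Connection=true;")
    print(assess_tls(sample))
    for finding in lint(sample):
        print("-", finding)
```

Running it on the sample yields the verdict encrypted-verified (option 1) plus two findings: the Integrated Security / Trusted_Connection conflict, and that User Id/Password are ignored once the last value (true) wins.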
I received the same error when trying a "Scaffold" command in the NuGet Console. The version of Microsoft.EntityFrameworkCore.Tools and Microsoft.EntityFrameworkCore.SqlServer was 7.0.0.
Then I downgraded these two packages to version 6.0.9 and everything works fine.

git update version error: curl: (60) SSL certificate problem: self signed certificate in certificate chain

I am trying to update the Git version on an Azure DevOps agent server with the command git update-git-for-windows, but I get an error:
PS C:\Program Files\Git> git update-git-for-windows
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
PS C:\Program Files\Git> git update-git-for-windows
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I have a RootCA.crt in the config:
[user]
name = tfsbuild
email = tfsbuild@XXX
[http]
sslCAInfo = C:/Users/tfsbuild/RootCA.crt
EDIT:
The solution is to add a CURL_CA_BUNDLE user environment variable pointing to the special certificate.

Dumping mongodb error: error dialing cluster0-shard-00-00.fklgt.mongodb.net:27017: SSL errors: SSL routines:ssl3_get_server_certificate:certificate

I usually dump my mongodb database using this command and it works perfectly:
mongodump --uri mongodb+srv://name:password@cluster0.fklgt.mongodb.net/database_name --archive="dump-copy-name" --forceTableScan
However, I have been trying to dump different databases and it just keeps logging this:
2021-06-21T18:43:39.206+0100 error dialing cluster0-shard-00-00.fklgt.mongodb.net:27017: SSL errors: SSL routines:ssl3_get_server_certificate:certificate verify failed
Any idea what's going on?
The mongodump tool does not implicitly trust your system certificate store. You will need to pass it the root CA certificate so that it can validate the cluster's certificate.
To find out which certificate is the root, use openssl:
openssl s_client -connect cluster0-shard-00-00.fklgt.mongodb.net:27017
The output should include a certificate chain section like:
---
Certificate chain
0 s:/C=US/ST=New York/L=New York/O=MongoDB, Inc./CN=*.mongodb.com
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
(this is an example, test with your cluster to get the real certificates)
The highest numbered certificate in the chain should be the root. Once you have that, google for the CN part (in my example that was "DigiCert SHA2 Secure Server CA"), and you should find a link to download the certificate.
The root should be one of the two listed here: https://docs.atlas.mongodb.com/reference/faq/security/#hard-coded-certificate-authority
Once you have the root certificate in .pem format, use the command line option --sslCAFile=<filename> to pass it to mongodump.
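To turn the s_client output into a decision without reading it by eye, here is an added example that is not part of the answer above. It parses the Certificate chain section, checks that each certificate is issued by the next one up, and names the root: the last certificate itself if it is self-signed, otherwise the issuer of the last certificate, which is the one you then have to obtain from the CA for --sslCAFile. SAMPLE_OUTPUT is a constructed excerpt shaped like the answer's; the parser also accepts the "C = US, CN = ..." subject style that newer OpenSSL versions print.

```python
"""Parse the "Certificate chain" section printed by `openssl s_client` and name
the root CA a client such as mongodump needs in --sslCAFile.

Added example, not code from the original answer. SAMPLE_OUTPUT is a
constructed excerpt in the shape the answer shows; run the real command against
your own cluster to get its actual chain.
"""
import re

SAMPLE_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=New York/L=New York/O=MongoDB, Inc./CN=*.mongodb.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(base64 omitted in this constructed sample)
-----END CERTIFICATE-----
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject>"
ISSUER_RE = re.compile(r"^\s*i:(.*)$")          # "   i:<issuer>"
# Matches CN in both the old "/C=US/CN=x" and the new "C = US, CN = x" DN styles.
CN_RE = re.compile(r"(?:^|/|,\s*)CN\s*=\s*([^/,]+)")


def parse_chain(text):
    """Return the chain as a list of {'index', 'subject', 'issuer'} dicts."""
    chain, current, in_section = [], None, False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
            continue
        if not in_section:
            continue
        if line.strip() == "---":
            if chain:
                break              # end of the chain section
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "subject": m.group(2).strip(), "issuer": None}
            chain.append(current)
            continue
        m = ISSUER_RE.match(line)
        if m and current is not None:
            current["issuer"] = m.group(1).strip()
    return chain


def common_name(dn):
    m = CN_RE.search(dn)
    return m.group(1).strip() if m else dn


def chain_is_linked(chain):
    """True if each certificate's issuer is the subject of the next one up."""
    return all(lo["issuer"] == hi["subject"] for lo, hi in zip(chain, chain[1:]))


def find_root(chain):
    """Return (root_cn, served_by_server).

    If the last certificate is self-signed the server sent the root itself;
    otherwise only its issuer name is known and the root certificate must be
    fetched from the CA (for Atlas, the hard-coded CAs in the answer's link)."""
    if not chain:
        raise ValueError("no certificate chain found in output")
    if not chain_is_linked(chain):
        raise ValueError("certificate chain is not contiguous; check the server's configuration")
    last = chain[-1]
    if last["subject"] == last["issuer"]:
        return common_name(last["subject"]), True
    return common_name(last["issuer"]), False


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_OUTPUT)
    for c in chain:
        print(f"{c['index']}: {common_name(c['subject'])}  <-  {common_name(c['issuer'])}")
    root, served = find_root(chain)
    print("root CA:", root, "(sent by server)" if served else "(obtain from the CA)")
```

On the sample, the server sends only the leaf and the intermediate, so the script reports DigiCert Global Root CA as the root to obtain; that name is what you match against the certificates in the Atlas FAQ linked above.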

psql Client Certificate Chain

I'm trying to set up a PostgreSQL db server with ssl. Or more specifically, I've successfully set up the server and ssl is working... as long as there are no intermediate certificates. It's not working if there is an intermediate cert.
Background / Setup:
I have a root CA.cert.
I used the CA to sign an intermediate.csr and create an intermediate.cert.
I used the intermediate.cert to sign a postgres.csr and create a postgres.cert.
The CA.cert, postgres.key and postgres.cert have been installed on the server.
The CA.cert has been set as a trusted certificate.
postgresql.conf has been modified to point to the above files.
I used the intermediate.cert to sign a client_0.csr and create a client_0.cert.
I used the CA.cert to sign a client_1.csr and create a client_1.cert.
I create a client chain.cert: cat client_0.cert intermediate.cert > chain.cert
Proper extensions have been used, both client certs have their common name set to the (username) of the db being connected to.
Fun, aka The Problem.
psql "sslmode=require hostname=(host) db=(db) sslcert=client_1.cert sslkey=client_1.key" -U (username): Great success!
psql "sslmode=require hostname=(host) db=(db) sslcert=client_0.cert sslkey=client_0.key" -U (username): alert unknown ca. This is expected, client_0.cert is not signed by CA.cert.
psql "sslmode=require hostname=(host) db=(db) sslcert=chain.cert sslkey=client_0.key" -U (username): alert unknown ca. Uh oh.
Confusion
Documentation for connecting to a postgresql instance with ssl enabled and intermediate certificates present:
In some cases, the client certificate might be signed by an
"intermediate" certificate authority, rather than one that is directly
trusted by the server. To use such a certificate, append the
certificate of the signing authority to the postgresql.crt file, then
its parent authority's certificate, and so on up to a certificate
authority, "root" or "intermediate", that is trusted by the server,
i.e. signed by a certificate in the server's root.crt file.
https://www.postgresql.org/docs/9.6/static/libpq-ssl.html
I have also tried cat-ing the full chain (client, intermediate, CA > chain); nothing doing.
Question
What have I done wrong here?
Thank you,

puppet master not signing certificate

I am using puppet with cobbler and I am having a problem with certificate signing. I have configured it so that cobbler will revoke the puppet client certificate when a puppet-managed machine is reinstalled. The revoking part runs just fine and puppetmaster listed the new client certificate, but puppetmaster failed to sign it, so the puppet client failed to run.
This is the output when I listed all the certificates on puppet master:
# puppet cert list -a
+ "spacewalk" (SHA256) E3:63:F1:9A:10:1E:AD:20:72:DA:17:0E:0F:EB:F5:2B:9E:7E:26:80:8D:58:2E:28:A2:2D:68:01:F7:BD:A8:B3 (alt names: "DNS:puppet", "DNS:puppet.playground.local", "DNS:spacewalk")
- "p1.playground.local" (SHA256) CD:AD:3E:04:04:C0:84:88:A0:67:F7:56:57:F1:67:82:43:31:CE:37:71:10:01:AD:15:DE:5A:0E:2E:7C:63:DE (unable to get local issuer certificate)
This is the error when I ran puppet agent -t on puppet client:
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
This is the error when I try to get the master to sign the certificate:
# puppet cert sign p1.playground.local
Error: Could not find certificate request for p1.playground.local
This is the error after running puppet agent -t, upon revoking the certificate:
# puppet agent -t
info: Creating a new SSL key for p1.playground.local
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for p1.playground.local
info: Certificate Request fingerprint (md5): 65:F0:6D:8D:66:89:57:13:11:A6:DD:02:DF:DC:C1:7B
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: Could not intern from s: nested asn1 error
Exiting; failed to retrieve certificate and waitforcert is disabled
I removed the /var/lib/puppet/ssl directory on the client, re-ran puppet agent -t and got the same error as above.
Finally I tried removing the /var/lib/puppet/ssl directory on both master and client and regenerating the certificates, and all is good. I can just remove the ssl directory every time before I start the auto installation, but it would be great if I didn't have to do it manually.
Any help is appreciated.
Thanks.