How to consume secured REST API in WSO2 EI - rest

Trying to consume a secured REST API using WSO2 EI, which has three certificates ('abc.key', 'xyz.pem' and 'ryz.crt').
Using the keytool command I am able to import the ryz.crt and xyz.pem certificates, but not able to install the abc.key certificate. I guess that is why I receive the below error when I hit the service:
ERROR {org.apache.synapse.transport.passthru.TargetHandler} - I/O error: General SSLEngine problem {org.apache.synapse.transport.passthru.TargetHandler}
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:237)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:271)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:410)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:255)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:293)
... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501)
... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 23 more
Can somebody help me with how to import the abc.key certificate into WSO2 EI, or am I missing anything?
When I tried importing it using keytool, it gave the message below:
///security>keytool -import -alias abc -file "/home/security/abc.key" -keystore client-truststore.jks -storepass wso2carbon
keytool error: java.lang.Exception: Input not an X.509 certificate
With curl I am able to access the REST service; I need to do the same thing with WSO2.
Sample:
curl -i -N -X POST \
https://xxxx/xxxx-xx-xxxx \
--key ../abc.key \
--cacert ../xyz.pem \
--cert ../ryz.crt \
--header 'Authorization: Bearer xxxxxxxxxxxxxxx' \
-H 'Content-Type: xxx/xxxx' \
-d '{
"some body
}'
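Added example, not from the original post or from WSO2: the file keytool rejects is a private key, not a certificate, so it has to be paired with its certificate in a PKCS#12 container (the client keystore that plays the role of curl's --key/--cert), while the CA certificate (curl's --cacert) is what goes into the truststore. The script assumes OpenSSL is installed, uses keytool only if it is on PATH, and generates throwaway self-signed material in place of the real abc.key / ryz.crt / xyz.pem files.

```shell
#!/bin/sh
# Added example (not from the original post or WSO2). Assumes OpenSSL is
# installed; keytool is used only if it is on PATH. The abc.key / ryz.crt /
# xyz.pem names mirror the question, but the files are generated here as
# throwaway self-signed material so the script runs stand-alone.
set -eu

# Constructed stand-ins: a client key + cert (curl's --key/--cert) and a
# separate "CA" cert (curl's --cacert).
make_demo_material() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-client" \
        -keyout "$dir/abc.key" -out "$dir/ryz.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/xyz.pem" >/dev/null 2>&1
}

# keytool -import accepts only X.509 certificates, hence the
# "Input not an X.509 certificate" error for abc.key. A private key must be
# bundled with its certificate into a PKCS#12 container first; that container
# is the client keystore used for mutual TLS.
build_client_keystore() {
    dir="$1"; pass="$2"
    openssl pkcs12 -export -inkey "$dir/abc.key" -in "$dir/ryz.crt" \
        -name client -out "$dir/client-keystore.p12" -passout "pass:$pass"
    # Optional JKS copy for components that insist on that store type.
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -srckeystore "$dir/client-keystore.p12" \
            -srcstoretype PKCS12 -srcstorepass "$pass" \
            -destkeystore "$dir/client-keystore.jks" -deststoretype JKS \
            -deststorepass "$pass" -noprompt >/dev/null 2>&1 \
            || echo "JKS conversion failed; use the .p12 directly" >&2
    fi
}

# The CA certificate is the one thing that belongs in the truststore, and it
# is imported with plain keytool -import, exactly as the question already does
# for xyz.pem. Returns 0 when the PKCS#12 holds one key and one certificate.
verify_keystore() {
    dir="$1"; pass="$2"
    dump=$(openssl pkcs12 -in "$dir/client-keystore.p12" -passin "pass:$pass" \
        -nodes 2>/dev/null)
    keys=$(printf '%s\n' "$dump" | grep -c 'BEGIN PRIVATE KEY')
    certs=$(printf '%s\n' "$dump" | grep -c 'BEGIN CERTIFICATE')
    [ "$keys" -eq 1 ] && [ "$certs" -eq 1 ]
}
```

The resulting client-keystore.p12 (or .jks) is what the HTTPS transport's keystore setting should point at; the truststore keeps only the CA certificate.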

Related

Keycloak: All API response with 404

I followed this tutorial to set up Keycloak and create a user, but the response for the step "Generating Access Tokens With Keycloak's API" is 404. I'm using Keycloak version 18.0.0.
In the Keycloak logs I found this error:
2022-06-12 23:59:57,177 DEBUG [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-3) Error response 404: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: http://localhost:8080/auth/realms/test/protocol/openid-connect/token
From Keycloak 17+ there are changes in the resource and token URIs. Try removing auth from your request URL.
If you are using Keycloak version < 17:
curl -k -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=your-client" -d "username=some-user" -d "password=hardpassword" -d "grant_type=password" -X POST http://localhost:8080/auth/realms/yourrealm/protocol/openid-connect/token
If you are using Keycloak version > 17:
curl -k -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=your-client" -d "username=some-user" -d "password=hardpassword" -d "grant_type=password" -X POST http://localhost:8080/realms/yourrealm/protocol/openid-connect/token
You set these in Headers instead of Body.
Move the keys and values to Body.
You can verify the Token URL by clicking the "OpenID Endpoint Configuration" link.
It will show the Token URL.

Issues using Keystore with play application

I have a Java application developed in the Play framework. I know that we can use a keystore to serve data through HTTPS for the Play application.
I obtained a Let's Encrypt certificate using certbot for my domain. Then I made a pkcs12 file using the openssl command and a keystore using keytool.
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert_and_key.p12 -CAfile cert.pem -caname root -passout pass:somepassword
keytool -importkeystore -srckeystore cert_and_key.p12 -srcstoretype pkcs12 -destkeystore keyStore.jks -deststoretype jks -storepass somepassword
I then pointed my Play app to the keystore as follows in the application.conf file:
play.server.https.keyStore.path = “/etc/letsencrypt/live/test.onlinemanpower.com/keyStore.jks”
play.server.https.keyStore.type = “JKS”
play.server.https.keyStore.password = “somepassword”
When I run the application it runs without a hitch. But when I open the application where it needs to validate through HTTPS I get the following error:
[error] p.c.s.NettyServer - cannot load SSL context
java.lang.reflect.InvocationTargetException: null
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at play.core.server.ssl.ServerSSLEngine$.createScalaSSLEngineProvider(ServerSSLEngine.scala:96)
at play.core.server.ssl.ServerSSLEngine$.createSSLEngineProvider(ServerSSLEngine.scala:32)
at play.core.server.NettyServer.liftedTree1$1(NettyServer.scala:91)
at play.core.server.NettyServer.play$core$server$NettyServer$$sslEngineProvider$lzycompute(NettyServer.scala:90)
at play.core.server.NettyServer.play$core$server$NettyServer$$sslEngineProvider(NettyServer.scala:89)
at play.core.server.NettyServer$$anonfun$channelSink$1.apply(NettyServer.scala:158)
Caused by: java.lang.Exception: Unable to find HTTPS keystore at “/etc/letsencrypt/live/test.onlinemanpower.com/keyStore.jks”
at play.core.server.ssl.DefaultSSLEngineProvider.createSSLContext(DefaultSSLEngineProvider.scala:56)
at play.core.server.ssl.DefaultSSLEngineProvider.(DefaultSSLEngineProvider.scala:24)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at play.core.server.ssl.ServerSSLEngine$.createScalaSSLEngineProvider(ServerSSLEngine.scala:96)
at play.core.server.ssl.ServerSSLEngine$.createSSLEngineProvider(ServerSSLEngine.scala:32)
at play.core.server.NettyServer.liftedTree1$1(NettyServer.scala:91)
at play.core.server.NettyServer.play$core$server$NettyServer$$sslEngineProvider$lzycompute(NettyServer.scala:90)
The keystore file exists at the said location. I have tried giving it permission 777 just to check and it still does not work.
Any idea what I am missing here?
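An added check, not from the original post: the error message reproduces the keystore path together with the same curly quotes that appear in the application.conf snippet, which means Play looked for a file whose name literally begins with the “ character. HOCON only recognises straight double quotes as quoting, so the script below finds and replaces curly quotes; it assumes POSIX sh, grep and sed, and the sample config is constructed here with a placeholder domain.

```shell
#!/bin/sh
# Added check, not from the original post. Assumes POSIX sh, grep and sed.
# HOCON quotes strings with straight double quotes only; the curly quotes
# U+201C / U+201D seen in the post become part of an unquoted value, so the
# keystore path Play tried to open literally starts with the “ character.
set -eu

LQ=$(printf '\342\200\234')   # U+201C (“) as UTF-8 bytes
RQ=$(printf '\342\200\235')   # U+201D (”) as UTF-8 bytes

# Print each line of a config file that contains a curly quote, with its
# line number; exit status 0 if any were found, 1 if the file is clean.
find_smart_quotes() {
    LC_ALL=C grep -n -e "$LQ" -e "$RQ" "$1"
}

# Write a copy of the file with curly quotes replaced by straight ones.
fix_smart_quotes() {
    LC_ALL=C sed -e "s/$LQ/\"/g" -e "s/$RQ/\"/g" "$1" > "$2"
}

# Constructed sample reproducing the three lines from the post (placeholder
# domain, not the poster's).
write_sample_conf() {
    cat > "$1" <<EOF
play.server.https.keyStore.path = ${LQ}/etc/letsencrypt/live/example.test/keyStore.jks${RQ}
play.server.https.keyStore.type = ${LQ}JKS${RQ}
play.server.https.keyStore.password = ${LQ}somepassword${RQ}
EOF
}
```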

Self signed SSL certificate generated by New-SelfSignedCertificateEx isn't trusted in Ubuntu

I used the tool at this link to generate a self-signed certificate for a Windows web server.
The command to generate the cert is like the following:
New-SelfSignedCertificateEx -Subject "CN=192.168.56.111" -SAN "192.168.56.111" -IsCA $true -EKU "Server Authentication", "Client Authentication" -KeyLength 2048 -KeySpec "Signature" -KeyUsage "DigitalSignature" -FriendlyName "192.168.56.111" -NotAfter $([datetime]::now.AddYears(5)) -StoreLocation "LocalMachine" -Exportable
After installing the certificate in IIS and adding the certificate to the trusted root CA store on a Windows 10 client, I was able to browse the website with no certificate errors.
However, when I try to do the same on an Ubuntu 18.04 client by installing the cert into the CA certs store and testing using cURL, it doesn't work.
Install cert to Ubuntu ca-certificates:
openssl s_client -connect 192.168.56.111:443 -showcerts > out.txt
#then use vim to edit out.txt and save the cert to 192.168.56.111.crt
sudo cp 192.168.56.111.crt /usr/local/share/ca-certificates
sudo update-ca-certificates
Test the connection using cURL:
curl https://192.168.56.111
And got the error message:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
When adding the cert to the Chrome Certificates store, Chrome shows NET::ERR_CERT_INVALID.
So my question is, why does it work on the Windows client but not on Ubuntu 18.04? I can't see any error indicating what's wrong with the certificate on Ubuntu, so I'm stuck at the moment.
Your openssl command is not correct:
jonathan.muller#jonathan-muller-C02ZC4EPLVDQ$ openssl s_client -connect drylm.org:443 -showcerts
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = blog.drylm.org
verify return:1
---
Certificate chain
0 s:/CN=blog.drylm.org
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFUzCCBDugAwIBAgISA0xYp5ZHU+NGF1EW/RcUuV0fMA0GCSqGSIb3DQEBCwUA
...
You have a lot of noise in the output.
Here is how to extract the certificate:
echo | openssl s_client -connect 192.168.56.111:443 2>/dev/null | openssl x509 > 192.168.56.111.pem
and you can copy this pem file to the truststore.
Edit:
I just did the exercise by creating a self-signed certificate on this website;
in my shell:
john#kona$ curl https://test.drylm.org
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
then
john#kona$ echo | openssl s_client -connect test.drylm.org:443 2>/dev/null | openssl x509 > test.drylm.org.crt
sudo cp test.drylm.org.crt /usr/local/share/ca-certificates/
john#kona$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Adding debian:test.drylm.org.pem
done.
done.
and finally:
john#kona$ curl https://test.drylm.org
Path : ~
No more error message with curl.

How do I connect to MongoDB with SSL in Scala?

I'm trying to set up an SSL connection to a MongoDB instance I have running in a container on my machine and keep running into:
nioEventLoopGroup-2-4, fatal error: 46: General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I created a self-signed .pem for mongo with:
openssl req -x509 -newkey rsa:4096 -keyout mongo.key -out mongo.crt -days 365 -nodes
cat mongo.key mongo.crt > mongo.pem
Moved those into a folder, mounted it as a bind volume in my container and added
--sslMode requireSSL --sslPEMKeyFile /etc/boundfolder/mongo.pem
to the mongo startup. I can connect to this with the mongo client.
I am setting up my mongo client in Scala like so:
val hostConf = ClusterSettings.builder().hosts(List(new ServerAddress(hostName)).asJava).build()
val clientSettings = MongoClientSettings.builder()
  .streamFactoryFactory(NettyStreamFactoryFactory())
  .clusterSettings(hostConf)
val withTLS = clientSettings.sslSettings(
  SslSettings.builder()
    .enabled(true)
    .invalidHostNameAllowed(true)
    .build())
MongoClient(withTLS.build())
Lastly, I created a keystore with:
keytool -importcert -trustcacerts -file mongo.crt -keystore mongo.keystore
and am starting the application with the following parameters:
-Djavax.net.ssl.keyStore=/path/to/mongo.keystore -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.debug=SSL
I'm pretty sure the issue is either what, or how, I'm adding the self signed cert to the keystore. Thanks for any help you can give.

EJBCA adminweb Authorization denied

I am currently testing with EJBCA but am having a problem accessing the administration page.
EJBCA-4.0.13 is running on CentOS 6.2, with apache-ant-1.8.4, jboss-5.1.0-GA, mysql and mysql-connector-java. Installation is OK, no error occurred in the jboss server log, and I can access the EJBCA public web page with the URL https://:8443/ejbca. But I cannot access the administration page (https://:8443/ejbca/adminweb); I get this information:
Authorization Denied
Cause: Your certificate is revoked or cannot be located in the database.
Any idea will be appreciated!
This is done in the LocalCertificateStoreSessionBean.authenticate method. This could mean that you have not properly generated the SuperAdmin certificate, or that it is revoked, timed out, or issued by another CA than EJBCA's AdminCA.
Check your superadmin.p12 with:
openssl pkcs12 -nokeys -in ./superadmin.p12 -out superadmin.pem
openssl x509 -in ./superadmin.pem -text