Background
I'm trying to run Mongo locally the same way production will run it, with full SSL verification enabled. Mongo is complaining about the certs being self-signed, but I'm specifying a ca.crt file that I think should be treated as a root cert to validate against. If that's reasonable, then I think either my Mongo config or the cert generation is not correct.
SSL keys/certs/pem
To create the ssl stuff I'm running the following
#!/bin/sh
# Generate self signed root CA cert
# (this one attribute is the whole subject DN; the CA, server and client below all get the same one)
openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/emailAddress=dev@gmail.com"
# Generate server cert to be signed (same subject as the CA)
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "/emailAddress=dev@gmail.com"
# Sign the server cert (no -days given, so OpenSSL's default validity of 30 days applies)
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# Create server PEM file (private key followed by certificate)
cat server.key server.crt > server.pem
# Generate client cert to be signed (same subject again)
openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj "/emailAddress=dev@gmail.com"
# Sign the client cert (reuses the serial file created above)
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt
# Create client PEM file
cat client.key client.crt > client.pem
Mongo DB config
The Mongo config I'm then running with (inside Docker) is the following (where /data/mongo is the directory the files above were generated into).
net:
  port: 27017
  ssl:
    mode: requireSSL
    CAFile: /data/mongo/ca.crt
    PEMKeyFile: /data/mongo/server.pem
    allowInvalidHostnames: true
setParameter:
  enableLocalhostAuthBypass: true
and running via
mongod --config config/location
Connecting to mongo
I then try to connect to the server using the mongo command line as follows.
mongo --ssl --sslPEMKeyFile /data/mongo/client.pem --sslCAFile /data/mongo/ca.crt
And get the following output
MongoDB shell version: 3.2.14
connecting to: test
2017-07-19T20:12:31.456+0000 I NETWORK [initandlisten] connection accepted from 127.0.0.1:60516 #1 (1 connection now open)
2017-07-19T20:12:31.461+0000 E NETWORK [conn1] SSL peer certificate validation failed: self signed certificate
2017-07-19T20:12:31.461+0000 I NETWORK [conn1] end connection 127.0.0.1:60516 (0 connections now open)
2017-07-19T20:12:31.461+0000 E NETWORK [thread1] SSL peer certificate validation failed: self signed certificate
2017-07-19T20:12:31.461+0000 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate :
connect@src/mongo/shell/mongo.js:229:14
@(connect):1:6
exception: connect failed
Got it! Basically it needed more data in the subject line, or the CN needed to be ROOTCA for the CA. Anyone who could comment on why would be appreciated.
#!/bin/sh
prefix="/C=CN/ST=GD/L=city/O=company"
# Generate self signed root CA cert (-days added: the default validity is only 30 days)
openssl req -nodes -x509 -newkey rsa:2048 -days 365 -keyout ca.key -out ca.crt -subj "${prefix}/CN=ROOTCA"
# Generate server cert to be signed (its CN differs from the CA's, so subject and issuer are no longer the same DN)
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj "${prefix}/CN=127.0.0.1"
# Sign the server cert
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# Create server PEM file (private key followed by certificate, the layout PEMKeyFile expects)
cat server.key server.crt > server.pem
# Generate client cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj "${prefix}/CN=127.0.0.1"
# Sign the client cert (reuses the serial file created above)
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out client.crt
# Create client PEM file
cat client.key client.crt > client.pem
Some related resources if anyone is having similar troubles
Answer was found/taken from
https://www.mongodb.com/blog/post/secure-mongodb-with-x-509-authentication
https://raw.githubusercontent.com/tjworks/mongoscripts/master/x509/setup-x509.sh
A Stack Exchange ticket almost identical to mine can also be found at
https://dba.stackexchange.com/questions/151251/mongodb-error-self-signed-certificate-in-certificate-chain?newreg=20bca440682842c085a8764dd7c91e96
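Why the second script verifies and the first does not, as an added check that is not part of the original question or answer and needs only openssl, no mongod. With the one-attribute subject, ca.crt and server.crt carry the same DN, so the issuer of server.crt equals its own subject. OpenSSL flags a certificate as self-signed when its subject and issuer DNs match and no authority key identifier in it points at a different key, and a self-signed leaf is accepted only if that exact certificate is in the trust store; ca.crt is a different certificate, so verification stops with X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, the "self signed certificate" seen in the log above. The 2017-era `openssl x509 -req` wrote no key identifiers unless an -extfile asked for them, so the DN comparison decided everything. Newer OpenSSL releases add subject and authority key identifiers to the signed certificate by default, which breaks the tie, so identical subjects can verify there; the block reports which case it is running under. Giving the CA and the leaf different subjects works on every version; CN=ROOTCA is one way to make them differ, not a required value. The directory layout is an assumption of this example; the subjects are the page's own, reused in a temporary directory.

```shell
#!/bin/sh
# Added example (not part of the original question or answer): reproduce the
# verification result of both scripts with "openssl verify" alone, no mongod.
#
# Rule being exercised: OpenSSL flags a certificate as self-signed when its
# subject DN equals its issuer DN and no authority key identifier in it points
# at another key; a self-signed leaf is then only accepted if that exact
# certificate sits in the trust store. The first script gives CA and server the
# same single-attribute subject, so its server.crt is flagged self-signed and
# ca.crt (a different certificate) cannot vouch for it: error 18,
# X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, "self signed certificate".
set -e
WORK=$(mktemp -d)   # scratch directory (assumed layout); nothing touches /data/mongo

# gen_pair DIR CA_SUBJ LEAF_SUBJ : self-signed CA plus one leaf it signs, the same
# commands as the posted scripts (-days added, the default validity is 30 days)
gen_pair() {
  mkdir -p "$1"
  openssl req -nodes -x509 -newkey rsa:2048 -days 365 -subj "$2" \
      -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -nodes -newkey rsa:2048 -subj "$3" \
      -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$1/server.csr" -CA "$1/ca.crt" \
      -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.crt" 2>/dev/null
}

# dn CRT subject|issuer : that DN without the "subject=" / "issuer=" prefix
# (OpenSSL 1.0 prints "subject= /CN=x", 1.1 and 3 print "subject=CN = x")
dn() {
  openssl x509 -in "$1" -noout "-$2" | sed "s/^$2= *//"
}

# self_issued CRT : true when the subject DN equals the issuer DN
self_issued() {
  [ "$(dn "$1" subject)" = "$(dn "$1" issuer)" ]
}

# has_akid CRT : true when the certificate carries an authorityKeyIdentifier.
# "openssl x509 -req" in OpenSSL 1.0/1.1 adds none unless an -extfile asks for
# it; newer releases add one by default, and with it the DN tie no longer makes
# the leaf look self-signed.
has_akid() {
  openssl x509 -in "$1" -noout -text | grep -q "Authority Key Identifier"
}

# verify_against CAFILE CRT : "OK" or a short name for the verify error, keyed
# on the stable error number (OpenSSL 3 spells it "self-signed certificate",
# 1.x "self signed certificate", and 1.0 even prints "OK" after error 18)
verify_against() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case $out in
    *"error 18 at"*) echo "self signed certificate" ;;               # leaf flagged self-signed
    *"error 20 at"*) echo "unable to get local issuer certificate" ;; # CAFILE is not the issuer
    *"error "*)      echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
    *)               echo "OK" ;;
  esac
}

# report LABEL CAFILE CRT : one line per case
report() {
  if self_issued "$3"; then si=yes; else si=no; fi
  if has_akid "$3"; then ak=yes; else ak=no; fi
  echo "$1: subject==issuer: $si, AKID: $ak, verify: $(verify_against "$2" "$3")"
}

# Case 1: the failing script's subjects, identical for CA and server.
gen_pair "$WORK/same" "/emailAddress=dev@gmail.com" "/emailAddress=dev@gmail.com"
# Case 2: the working script's subjects.
prefix="/C=CN/ST=GD/L=city/O=company"
gen_pair "$WORK/distinct" "${prefix}/CN=ROOTCA" "${prefix}/CN=127.0.0.1"

report "same DN      " "$WORK/same/ca.crt"     "$WORK/same/server.crt"
report "distinct DN  " "$WORK/distinct/ca.crt" "$WORK/distinct/server.crt"
# Case 3: a good certificate checked against the wrong CA file gives a different
# error (20), which is how a client reports a trust file holding the wrong cert.
report "wrong CA file" "$WORK/same/ca.crt"     "$WORK/distinct/server.crt"
```

mongod performs the same X509_verify_cert call on the peer certificate, so whatever `verify_against` prints for a given ca.crt/server.crt pair is what the server log will say; the third case shows the error to expect when the CAFile points at the wrong certificate rather than at a leaf with a duplicated DN.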
Related
For testing purposes, I need a revoked PEM certificate.
So I created a certificate:
Generate CSR & KEY: openssl req -new -newkey rsa:4096 -nodes -keyout test.key -out test.csr
Generate PEM and self-sign with KEY: openssl x509 -req -sha256 -days 365 -in test.csr -signkey test.key -out test.pem
When I try to revoke with openssl -revoke I get an error: variable lookup failed
How can I revoke this certificate?
I am using Kong 10.x with datastore postgresql 9.6.
I want to establish an SSL connection between Kong and its datastore PostgreSQL.
But I get the following errors:
Postgresql Error:
LOG: could not accept SSL connection: tlsv1 alert unknown ca
Error from kong:
/usr/local/share/lua/5.1/kong/cmd/migrations.lua:34: [postgres error] could not retrieve current migrations: [postgres error] connection refused
Below are my Kong and Postgresql Configurations:
Kong:
# Kong configuration file
# DATASTORE
database = postgres
pg_host = 10.0.1.191
pg_port = 5432
pg_user = kong
pg_password = kong
pg_database = kong
pg_ssl = on
pg_ssl_verify = on
# DEVELOPMENT & MISCELLANEOUS
lua_ssl_trusted_certificate = /opt/postgres_ssl/postgresql.crt # Absolute path to the certificate
Postgresql:
pg_hba.conf:
hostssl all all 10.0.1.191/32 md5 clientcert=1
postgresql.conf:
listen_addresses = '10.0.1.191'
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'root.crt'
Certificate Generation Procedure:
# Server key: generated encrypted, then the passphrase is stripped so postgres can load it
# (1024-bit RSA is below today's usual 2048-bit floor; kept as posted)
openssl genrsa -passout pass:mypass -des3 -out server.key 1024
openssl rsa -passin pass:mypass -in server.key -out server.key
chmod 400 server.key
# Self-signed server certificate; a copy of it serves as the root (ssl_ca_file)
openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj '/C=IN/ST=Maharastra/L=Mumbai/O=Development/CN=10.0.1.191'
cp server.crt root.crt
# Client (Kong) key: the passphrase given to genrsa must be the one passed to "rsa -passin"
# (the posted commands used pass:iotadmin on one line and pass:mypass on the next, which fails)
openssl genrsa -passout pass:mypass -des3 -out postgresql.key 1024
openssl rsa -in postgresql.key -out postgresql.key -passin pass:mypass
openssl req -new -key postgresql.key -out postgresql.csr -subj '/C=IN/ST=Maharastra/L=Mumbai/O=Development/CN=kong'
# Client certificate signed by the server/root key; -days belongs here, not on the CSR,
# otherwise the signed certificate gets the 30-day default
openssl x509 -req -days 3650 -in postgresql.csr -CA root.crt -CAkey server.key -out postgresql.crt -CAcreateserial
The error message says that Kong doesn't trust the CA which signed the certificate of the database. This isn't much of a surprise, because it only knows the latter, but not the certificate of the CA.
Try using the root certificate for your lua_ssl_trusted_certificate config entry and it should work:
lua_ssl_trusted_certificate = /path/to/your/root.crt
I have been trying this for the past week. I don't know where I am going wrong. I want to set up an MDM server that doesn't have a static IP. I have a DNS-resolvable name for the server. I have the identity.key and identity.csr for which I created the MDM vendor certificate. I wrote the following .bat file to generate the other certificates
echo 1. Creating Certificate Authority (CA)
echo For 'Common Name' enter something like 'MDM Test CA'
openssl req -new -x509 -extensions v3_ca -keyout cakey.key -out cacert.crt -days 365
echo 2. Creating the Web Server private key and certificate request
echo For 'Common Name' enter your server's DNS name
openssl genrsa 2048 > server.key
openssl req -new -key server.key -out server.csr
echo 3. Signing the server key with the CA. You'll need the CA passphrase from step 1.
openssl x509 -req -days 365 -in server.csr -CA cacert.crt -CAkey cakey.key -CAcreateserial -out server.crt -extfile .\server.cnf -extensions ssl_server
echo 4. Signing the identity key with the CA. You'll need the CA passphrase from step 1.
echo Give it a passphrase. You'll need to include that in the IPCU profile.
openssl x509 -req -days 365 -in identity.csr -CA cacert.crt -CAkey cakey.key -CAcreateserial -out identity.crt
openssl pkcs12 -export -out identity.p12 -inkey identity.key -in identity.crt -certfile cacert.crt
I used the identity.p12 file and created an encoded plist file, for which the push notification certificate is created. I also created an MDM profile in IPCU with the identity.p12 file. When I try to install the MDM profile, the mobile console says "Certificate in the server is invalid", the server says SSL handshake failed, and the server hangs.
What might be the issue?
In server.cnf -> subjectAltName I gave a DNS entry with the DNS-resolvable name and removed the IP. Now it is working fine.
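An added example, not from the original posts, of the server.cnf that the -extfile .\server.cnf -extensions ssl_server step above reads, written the way the answer describes: the server's DNS name in subjectAltName and no IP entry. It then runs OpenSSL's own name matching (the `-checkhost` and `-checkip` options of `openssl x509`, which call the same X509_check_host routine libssl uses) against the result. RFC 6125 has a client match the name it connected with against the subjectAltName entries and consult the Common Name only when the certificate has none, so the name the device uses to reach the server has to be in the SAN. The [ssl_server] contents, mdm.example.com and 10.0.1.5 are assumptions of this example; the certificate is self-signed with -signkey so that no CA is needed, and the -CA/-CAkey form from the posts drops in unchanged.

```shell
#!/bin/sh
# Added example (not from the original posts): a server.cnf whose ssl_server
# section puts the server's DNS name, and only that, in subjectAltName, plus
# OpenSSL's own checks of what the resulting certificate matches.
# mdm.example.com and 10.0.1.5 are placeholders assumed by this example.
set -e
WORK_SAN=$(mktemp -d)   # scratch directory (assumed layout)

# write_ext_cnf FILE HOST : hypothetical server.cnf. Only the [ssl_server]
# section is read by "openssl x509 -req -extfile server.cnf -extensions ssl_server".
write_ext_cnf() {
  cat > "$1" <<EOF
[ ssl_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
}

# issue_server_cert DIR HOST : key and CSR, then a certificate carrying the SAN.
# Self-signed here with -signkey so the example needs no CA; with the posts' CA,
# replace -signkey with "-CA cacert.crt -CAkey cakey.key -CAcreateserial".
issue_server_cert() {
  mkdir -p "$1"
  write_ext_cnf "$1/server.cnf" "$2"
  openssl req -nodes -newkey rsa:2048 -subj "/O=MDM Test/CN=$2" \
      -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$1/server.csr" -signkey "$1/server.key" \
      -extfile "$1/server.cnf" -extensions ssl_server -out "$1/server.crt" 2>/dev/null
}

# san_of CRT : the subjectAltName entries as printed by -text, e.g. "DNS:host"
san_of() {
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# host_matches CRT NAME : true when OpenSSL's hostname check accepts NAME for CRT
# ("Hostname NAME does match certificate" versus "does NOT match")
host_matches() {
  openssl x509 -in "$1" -checkhost "$2" | grep -q "^Hostname .* does match"
}

# ip_matches CRT IP : the same for a literal address, which needs an IP: SAN entry
ip_matches() {
  openssl x509 -in "$1" -checkip "$2" | grep -q "^IP .* does match"
}

issue_server_cert "$WORK_SAN" mdm.example.com
echo "SAN: $(san_of "$WORK_SAN/server.crt")"
host_matches "$WORK_SAN/server.crt" mdm.example.com   && echo "mdm.example.com: accepted"
host_matches "$WORK_SAN/server.crt" other.example.com || echo "other.example.com: rejected"
ip_matches   "$WORK_SAN/server.crt" 10.0.1.5          || echo "10.0.1.5: rejected, no IP entry in SAN"
```

If the device must also reach the server by address, add it as a second entry (`subjectAltName = DNS:mdm.example.com, IP:10.0.1.5`); a name that is not listed fails the check whatever the Common Name says, which is the behaviour the fix above relies on.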
I want to create an MDM server to manage my iOS devices. I have enrolled in the iOS Enterprise Developer program and executed the following OpenSSL commands
"1. Creating Certificate Authority (CA)"
openssl req -new -x509 -extensions v3_ca -keyout cakey.key -out cacert.crt -days 365
"2. Creating the Web Server private key and certificate request"
openssl genrsa 2048 > server.key
openssl req -new -key server.key -out server.csr
"3. Signing the server key with the CA. You'll need the CA passphrase from step 1."
openssl x509 -req -days 365 -in server.csr -CA cacert.crt -CAkey cakey.key -CAcreateserial -out server.crt -extfile ./server.cnf -extensions ssl_server
"4. Creating the device Identity key and certificate request"
openssl genrsa 2048 > identity.key
openssl req -new -key identity.key -out identity.csr
"5. Signing the identity key with the CA. You'll need the CA passphrase from step 1."
openssl x509 -req -days 365 -in identity.csr -CA cacert.crt -CAkey cakey.key -CAcreateserial -out identity.crt
openssl pkcs12 -export -out identity.p12 -inkey identity.key -in identity.crt -certfile cacert.crt
"6. Generating keys and certs for plist generation"
openssl req -inform pem -outform der -in identity.csr -out customer.der
I uploaded the generated identity.csr and got an MDM certificate.
With customer.der, AppleWWDRCA.cer, AppleIncRootCertificate.cer, MDM.cer (obtained from iOS Enterprise Developer) and Identity.p12 I wrote Java code to generate the encoded plist file. I used this file and got APNSPushCert. It worked fine.
Now the problem is that the IP address of the computer got changed and I don't want to create the new MDM Vendor certificate.
As I understand the only place I mention the IP is server.cnf. I changed the IP in server.cnf and executed all the commands except 4. I placed the identity.key and identity.csr in the same folder before executing. Now every thing works fine but when I upload the encoded plist file for getting APNSPushCert site says Certificate Signature Verification failed.
I really don't understand what went wrong.
This is something to do with the SSL certificate you are using. It always validates the common name on the device side. You have to use either your domain name or the IP address of your server in the common name of the SSL certificate. Make sure it doesn't change. If it changes, binding it to a DNS name will work.
I tried copying the same .der file (customer.der) too and recompiled the program again. Now it is working fine. Also, I used the DNS-resolvable name as the URI. Now all of these are working fine.
My Configuration Profile with MDM payload is not getting installed using IPCU. I have a P12 file; does the P12 file have any relationship with the check-in server? And how do I deploy an MDM check-in server to solve the problem?
Yes, the identity.p12 should be related to your server. Your server link must start with "https".
If you are using self-signed SSL then, while generating the self-signed SSL certificate on the server side, generate the identity.p12 certificate; this certificate you need to use in the identity section of IPCU, and use the same password as well.
These few lines you can use to generate the identity.p12:
# Creating the device identity key and certificate request
openssl genrsa 2048 > identity.key
openssl req -new -key identity.key -out identity.csr
# Signing the identity key with the CA.
# Give it a passphrase. You'll need to include that in the IPCU profile.
openssl x509 -req -days 365 -in identity.csr -CA cacert.crt -CAkey cakey.key -CAcreateserial -out identity.crt
openssl pkcs12 -export -out identity.p12 -inkey identity.key -in identity.crt -certfile cacert.crt
To deploy the server,go through the MDM_Protocol PDF, which contains sample server details.