Proper way to transfer SSL certificates to my PC from GC new SSL certificate? - mysql-workbench

Google Cloud SQL supplies SSL certificates. I copied them individually into MS Word and used them as the "path" destination in the queries of MySQL Workbench. The connection fails. I have the proper names: server-ca.pem, cbossl-key.pem and cbossl-cert.pem. In Google's "Access Control", where the new SSL is turned on, I used the name "cbossl-cert.pem". This is the same name given to the copy of the SSL file in Word on my PC. Kindly help me identify my error in using SSL. Is the document suffix .doc not an acceptable format for the path designation? If so, what should I do?

MS Word .doc format is not a valid format for SSL certificates and keys. MySQL clients expect these files as they are (plain text with no formatting at all). My advice is:
1. Create a new client key and certificate in the "SSL Certificates" section of the instance's "Access Control" tab in the Developers Console.
2. Download the client key ("Download client-key.pem"), the client certificate ("Download client-cert.pem") and the server certificate ("Download server-cert.pem") and save them as they are into known locations.
3. Click on the "Restart and Close" button.
4. Configure your MySQL Workbench to use the files you downloaded in step 2.
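As an added check (example code written for this page, not Google's or MySQL's), the script below inspects the bytes of the three files the answer tells you to download and reports whether each one is really PEM text or has been saved as a Word container (legacy .doc is an OLE2 file, .docx is a ZIP file) or with a UTF-8 byte-order mark that many clients reject. All sample inputs are constructed placeholders, not real key material.

```python
import base64
import binascii
import re

def _pem(label: str, payload: bytes) -> bytes:
    """Wrap constructed payload bytes in a PEM envelope with the given label."""
    return (b"-----BEGIN " + label.encode() + b"-----\n"
            + base64.encodebytes(payload)
            + b"-----END " + label.encode() + b"-----\n")

# Constructed samples: what a file saved "as is" looks like, versus the magic bytes
# of a legacy .doc (OLE2 container) and a .docx (ZIP container).
CERT_SAMPLE = _pem("CERTIFICATE", b"constructed placeholder, not real DER")
KEY_SAMPLE = _pem("PRIVATE KEY", b"constructed placeholder, not a real key")
OLE2_DOC_SAMPLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
DOCX_SAMPLE = b"PK\x03\x04" + b"\x00" * 28

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def classify(data: bytes) -> str:
    """Describe what a file that is supposed to be PEM actually contains."""
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole2-document"        # legacy Word/Excel container, never valid PEM
    if data.startswith(b"PK\x03\x04"):
        return "zip-container"        # .docx and friends are ZIP archives
    if data.startswith(b"\xef\xbb\xbf"):
        return "pem-with-utf8-bom"    # "Save as text" from Word/Notepad often adds this
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return "not-pem"
    labels = []
    for label, body in blocks:
        try:
            base64.b64decode(b"".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            return "pem-corrupt-base64"
        labels.append(label.decode())
    return "pem:" + ",".join(labels)

# File names as offered by the Cloud SQL download buttons in the answer above.
EXPECTED = {
    "server-ca.pem": {"CERTIFICATE"},
    "client-cert.pem": {"CERTIFICATE"},
    "client-key.pem": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}

def check_bundle(files: dict) -> list:
    """files maps each expected file name to its bytes; returns a list of problems (empty = OK)."""
    problems = []
    for name, wanted in EXPECTED.items():
        if name not in files:
            problems.append(f"{name}: missing")
            continue
        kind = classify(files[name])
        if not kind.startswith("pem:"):
            problems.append(f"{name}: {kind}")
        elif not set(kind[4:].split(",")) & wanted:
            problems.append(f"{name}: contains {kind[4:]}, expected one of {sorted(wanted)}")
    return problems

if __name__ == "__main__":
    # Replace the constructed bytes with open(path, "rb").read() for your real downloads.
    print(check_bundle({"server-ca.pem": OLE2_DOC_SAMPLE, "client-cert.pem": CERT_SAMPLE}))
```

A clean bundle returns an empty list; a file that went through Word is reported by container type, and a swapped certificate/key pair is reported by its PEM label.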

Related

FMS 16 can't get a green lock

Good afternoon everyone,
Question about uploading a file in FMS 16 but getting an orange security lock.
I already installed FileMaker Server 16 and installed the SSL certificate and domain from Go Daddy.
Then I tried uploading an existing file in FileMaker Pro Advanced 16; after choosing localhost and typing the admin console credentials I'm getting the orange security lock and can't upload the file. (Attached image)
I read in another thread to reinstall FMS and it should change it to a green lock, but even after a fresh reinstall, it hasn't changed to green.
I can verify the certificate is good. Am I missing something?
I already purchased the SSL certificate and domain from Go Daddy, yet in WebDirect I'm getting the error "Certificate is not valid".
Thanks in advance for any advice.
It looks like you have entered an IP address instead of a domain name. That might be the reason for the orange lock. SSL verifies the domain name, not the IP address.
The file upload error says the encryption password is incorrect. You have enabled encryption at rest. Enter the correct encryption password. Once the file is uploaded, go to the admin console and open the file. Enter the encryption password and save it. Hope it fixes the issue.

How to confirm a new remote host key in Visual Studio Code Remote - SSH extension?

The exact error is "Could not establish connection to "[server_name]": Remote host key has changed, port forwarding is disabled."
I recently "rolled back" a production environment's update by launching a new instance from a backup. This gives me a new server host key, as expected. Every other SSH connection tool I've used (WinSCP, FileZilla, Text Wrangler, Putty, Terminal, DBeaver, etc.) has a notification of the change and lets you confirm the key yourself and verify it is valid (or not).
I cannot find that option in VS Code remote dev tools. It prompts to simply close or retry (same error, obviously). The "More actions" option doesn't give me anything but configuration file options, settings that I believe don't allow me to update the host key, and the documentation, which to the best of my knowledge doesn't explain how to update the host key either.
I assume I'm missing something simple somewhere... any help is appreciated.
It was something simple. Found while trying to review the question.
"A supported OpenSSH compatible SSH client must also be installed." as listed in the system requirements of the documentation (linked in the question). The key simply needs to be updated in said OpenSSH client before attempting the connection in Visual Studio again.
In this exact case it was as simple as going to [local_path]/.ssh/known_hosts and removing the old entry for the IP address and then attempting the connection again, which now allows the verification of the new key.
# remove the hostname's key
ssh-keygen -R "hostname"
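The manual known_hosts edit from the answer, as an added example that is not from VS Code's documentation or the poster: the script below does what ssh-keygen -R does for a given name, including entries OpenSSH stores hashed when HashKnownHosts is on (where the host name is not visible and has to be recomputed with the line's own salt), so you can see exactly which lines cover a host before dropping them. The salt and key strings are constructed placeholders.

```python
import base64
import hashlib
import hmac

def hash_host(hostname: str, salt: bytes) -> str:
    """Build the hashed host field OpenSSH writes with HashKnownHosts=yes:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()

def host_field_matches(hostfield: str, hostname: str) -> bool:
    """True if a known_hosts host field covers hostname: a hashed field is recomputed with
    its own salt; a plain field may be a comma-separated list such as "host,10.0.0.5"."""
    if hostfield.startswith("|1|"):
        _, _, salt_b64, _ = hostfield.split("|", 3)
        return hmac.compare_digest(hash_host(hostname, base64.b64decode(salt_b64)), hostfield)
    return hostname in hostfield.split(",")

def remove_host(content: str, hostname: str):
    """Return (new_content, removed_lines). Drops every key line whose host field covers
    hostname, as `ssh-keygen -R hostname` does; comments and blank lines are kept."""
    kept, removed = [], []
    for line in content.splitlines():
        fields = line.split()
        if not fields or line.lstrip().startswith("#"):
            kept.append(line)
            continue
        # Lines may start with a marker (@cert-authority, @revoked); the host field follows it.
        hostfield = fields[1] if fields[0].startswith("@") and len(fields) > 1 else fields[0]
        (removed if host_field_matches(hostfield, hostname) else kept).append(line)
    return "\n".join(kept) + "\n", removed

# Constructed sample file: the key material is a placeholder, not a real public key.
SALT = bytes(range(20))
FAKE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey00000000"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "old-prod.example.com,203.0.113.10 " + FAKE_KEY,           # plain entry, two names
    hash_host("old-prod.example.com", SALT) + " " + FAKE_KEY,  # same host, hashed form
    "other.example.com " + FAKE_KEY,                           # unrelated host, must survive
]) + "\n"

if __name__ == "__main__":
    new_content, gone = remove_host(SAMPLE_KNOWN_HOSTS, "old-prod.example.com")
    print("removed %d line(s); remaining:\n%s" % (len(gone), new_content))
```

To apply it to a real file, read ~/.ssh/known_hosts, write back the returned content, and on the next connection compare the fingerprint the client shows against one obtained from the server's console or provisioning record rather than accepting it blindly; the whole point of the prompt is that a changed key is indistinguishable from an interposed host until you check.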

Supply Let's Encrypt certificate chain to the client on IIS

To the people that close vote this post: it doesn't help if you don't comment why. We're all trying to learn here.
I want to have wildcard certificates for 2 domains of mine using Let's Encrypt. Here's what I did:
In Chrome it all works. In Firefox I get the error below:
So I tested here: https://www.ssllabs.com/ssltest/analyze.html?d=gamegorilla.net
I also checked this other post.
There's talk on making sure that "the server supplies a certificate chain to the client, only the domain certificate". I found validating the certificate chain here.
I then took these steps found here:
Open the Certificates Microsoft Management Console (MMC) snap-in.
On the File menu, click Add/Remove Snap-in.
In the Add or Remove Snap-ins dialog box, click the Certificates snap-in in the Available snap-ins list, click Add, and
then click OK.
In the Certificates snap-in dialog box, click Computer account, and then click Next.
In the Select computer dialog box, click Finish.
I already see "Let's Encrypt Authority X3" in the Intermediate Certification Authorities. So that should already be handling things correctly I'd presume.
How can I ensure the Let's Encrypt certificate chain is supplied to the client so it works in Firefox too?
UPDATE 1
Based on #rfkortekaas' suggestion I used "all binding identifiers" instead of supplying the search pattern. When Win-acme asked Please pick the main host, which will be presented as the subject of the certificate, I selected gamegorilla.net. After this gamegorilla.net now works in Firefox, however, on www.karo-elektrogroothandel.nl I now get an insecure certificate.
UPDATE 2
Alright, that seems to fix it. I do see that bindings for smtp/mail (e.g. smtp.gamegorilla.net) are now also added to IIS automatically:
Should I leave those or delete those mail+smtp records here?
Also, the certificate is now [Manual]; does that mean I need to renew manually (which would be weird since nowhere during the certificate creation steps did I see an option for auto-renewal)?
The issue is that you only generate the certificate for www.gamegorilla.net and not gamegorilla.net. If you select all binding identifiers instead of supplying the search pattern, I think it should work.
To also get certificates for other names that are not hosted by IIS you cannot use the import from IIS function. You need to supply them all, starting with the common name.
After starting wacs select M for a new request and select option 2 for manual input. After that enter the comma-separated list with the common name first: gamegorilla.net,www.gamegorilla.net,smtp.gamegorilla.net,karo-elektrogroothandel.nl,www.karo-elektrogroothandel.nl,smtp.karo-elektrogroothandel.nl (without any spaces). Or when you want to generate a wildcard certificate you can use: gamegorilla.net,*.gamegorilla.net,karo-elektrogroothandel.nl,*.karo-elektrogroothandel.nl.
Please be aware that for generating wildcard certificates you need to be able to use the DNS-01 challenge. The HTTP-01 challenge doesn't support wildcard certificates.
For the certificate renewal you should run wacs --renew from time to time (for example via a scheduled task).

PostgreSQL connection require a valid client certificate

I am trying to connect via SSL to a PostgreSQL using FireDac in Delphi. I have followed the instructions at the following site:
https://www.howtoforge.com/postgresql-ssl-certificates
I have created all the certificates. Configured postgresql.conf as specified so it points to the required files. Copied the specified files to the client machine and installed the root.crt certificate.
Via FireDAC's connection params I have specified the following:
Params.values['SSL_ca']:=sslCertsPath+'root.crt';
Params.values['SSL_cert']:=sslCertsPath+'postgresql.crt';
Params.values['SSL_key']:=sslCertsPath+'postgresql.key';
I am getting a connection error re invalid client certificate. I am not sure which certificate it is referring to and why it is invalid. Am I specifying the correct client certificates by way of the connection's params? If so, any suggestions as to why I may be getting the error please?
OpenSSL verify against the root.crt and postgresql.crt confirms the certificate is ok.
After over 3 weeks of frustration trying to set up PostgreSQL with SSL using FireDAC, I have finally figured out what the problem is and what the solution is.
For anyone wishing to connect using FireDAC, the howtoforge guide (see link in original post) works fine.
However, do not use the FireDAC parameters in my original post. PostgreSQL does not use them. You need to use the PGAdvanced parameter.
But even after figuring this out, I still could not get it to work for weeks until after testing I got an error message which finally made it clear what I was doing wrong. On Windows PostgreSQL strips out path delimiters unless you escape them (this is not mentioned in the PostgreSQL or FireDAC help files as far as I can see).
Below is an example of the correct way to connect using FireDAC parameters for SSL:
Params.values['PGAdvanced']:='sslmode=verify-ca sslrootcert=C:\\ProgramData\\MWC\\Viewer\\Certs\\root.crt sslcert=C:\\ProgramData\\MWC\\Viewer\\Certs\\postgresql.crt sslkey=C:\\ProgramData\\MWC\\Viewer\\Certs\\postgresql.key';
If you don't wish to use a root certificate set sslmode to require.
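Why the doubled backslashes are needed, as an added example that is not from FireDAC or the poster: the PGAdvanced string is handed to libpq as a connection string, and libpq reads it as key=value pairs in which a backslash escapes the next character, inside and outside single quotes. An unescaped Windows path therefore has its separators eaten. The Python below builds and parses such strings following libpq's quoting rules (backslash and single quote get a backslash prefix; values with spaces are wrapped in single quotes); the paths are the ones from the answer.

```python
def quote_value(value: str) -> str:
    """Escape one value for a libpq key=value connection string."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    if value == "" or any(c.isspace() for c in value):
        return "'" + escaped + "'"   # empty values and values with spaces must be quoted
    return escaped

def build_conninfo(params: dict) -> str:
    """Join parameters into the string format PGAdvanced / libpq expects."""
    return " ".join(f"{k}={quote_value(v)}" for k, v in params.items())

def parse_conninfo(conninfo: str) -> dict:
    """Decode a conninfo string the way libpq does: whitespace-separated key=value pairs;
    a backslash escapes the next character both inside and outside single quotes."""
    out, i, n = {}, 0, len(conninfo)
    while i < n:
        while i < n and conninfo[i].isspace():
            i += 1
        if i >= n:
            break
        eq = conninfo.find("=", i)
        if eq < 0:
            raise ValueError("missing '=' after %r" % conninfo[i:])
        key = conninfo[i:eq].strip()
        i = eq + 1
        while i < n and conninfo[i].isspace():
            i += 1
        buf = []
        if i < n and conninfo[i] == "'":
            i += 1
            while i < n and conninfo[i] != "'":
                if conninfo[i] == "\\":
                    i += 1             # escaped character: take the next one literally
                if i < n:
                    buf.append(conninfo[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted value for %s" % key)
            i += 1                     # skip the closing quote
        else:
            while i < n and not conninfo[i].isspace():
                if conninfo[i] == "\\":
                    i += 1             # this is what strips a lone path separator
                    if i >= n:
                        break
                buf.append(conninfo[i])
                i += 1
        out[key] = "".join(buf)
    return out

# Paths from the answer above; sslmode=require would skip the root certificate check.
CERT_DIR = r"C:\ProgramData\MWC\Viewer\Certs"
PARAMS = {
    "sslmode": "verify-ca",
    "sslrootcert": CERT_DIR + r"\root.crt",
    "sslcert": CERT_DIR + r"\postgresql.crt",
    "sslkey": CERT_DIR + r"\postgresql.key",
}

if __name__ == "__main__":
    conninfo = build_conninfo(PARAMS)
    print(conninfo)                         # doubled backslashes, as in the answer
    print(parse_conninfo(conninfo))         # round-trips to the original paths
    print(parse_conninfo(r"sslrootcert=C:\ProgramData\root.crt"))   # what libpq sees unescaped
```

Running it shows the unescaped path collapsing to C:ProgramDataroot.crt, which is the file-not-found condition the poster spent weeks on; building the string with quote_value avoids hand-doubling every separator.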

XPI signing linux no gui

I'm trying to sign an XPI on Linux (no GUI) using the NSS cert DB (cert8.db and key3.db) I copied from another server of mine, on which I can sign XPIs just fine.
On the new box I can sign with a brand new test certificate OK, but when I try to use the old cert DB, it complains with:
signtool: PROBLEM signing data (Unknown issuer)
Certutil lists the cert I'm trying to use with a * and the CA is present in there as well.
Is this cert db transferable between computers like this? Or are there any other files I have to setup?
TIA
Mike
I'm not sure if this is what you need, but here it is: http://www.mercille.org/snippets/xpiSigning.php
If the certificate chain has an intermediate CA, that also needs to be there.
NSS is rather picky when it comes to the chain and also needs the certs to have been marked as trusted.