Install Android Studio with proxy

For the sdkmanager use the following extra options:

sdkmanager --list --verbose --no_https --proxy=http --proxy_host=<proxy_host> --proxy_port=<proxy_port>

How To Read RSA, X509, PKCS12 Certificates with OpenSSL?

Read RSA Private Key

RSA is a popular algorithm used to create asymmetric key pairs, made up of a public key and a private key. We can use the rsa verb to read an RSA private key and check its consistency with the following command.

openssl rsa -in myprivate.pem -check

Read X509 Certificate

Another common case is reading an X509 certificate and printing it to the terminal. We will use the x509 verb with the following command.

openssl x509 -in mycert.pem -text -noout

Print Certificate Purpose

X509 certificates also hold information about the purpose of the certificate. This is useful for learning what a certificate was created for before using it. We can print the certificate purpose with the -purpose option like below.

openssl x509 -in mycert.pem -text -noout -purpose

Read Web Sites HTTPS TLS/SSL Certificates

We can read and print a website's HTTPS certificate with the s_client verb, which is explained in this tutorial. We can print the SSL/TLS X509 certificate with the following command.

openssl s_client -showcerts -connect poftut.com:443

Read PKCS12 File

We can also read and print PKCS12 files, which can be used to store keys and related information. We will use the pkcs12 verb like below.

openssl pkcs12 -info -in keystore.p12

Read Certificate Signing Request

Certificate signing requests (CSRs) are used to ask a certificate authority to sign our certificate. After creating a Certificate Signing Request, we should check the CSR with the following command, which shows all the information provided by the CSR.

openssl req -text -noout -verify -in myrequest.csr

How to trust self-signed certificate in cURL command line?

Problem:

I’ve created a self-signed certificate for foo.localhost using a Let’s Encrypt recommendation using this Makefile:

include ../.env

configuration = csr.cnf
certificate = self-signed.crt
key = self-signed.key

.PHONY: all
all: $(certificate)

$(certificate): $(configuration)
	openssl req -x509 -out $@ -keyout $(key) -newkey rsa:2048 -nodes -sha256 -subj '/CN=$(HOSTNAME)' -extensions EXT -config $(configuration)

$(configuration):
	printf "[dn]\nCN=$(HOSTNAME)\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:$(HOSTNAME)\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth" > $@

.PHONY: clean
clean:
	$(RM) $(configuration)

I’ve then assigned that to a web server. I’ve verified that the server returns the relevant certificate:

$ openssl s_client -showcerts -connect foo.localhost:8443 < /dev/null
CONNECTED(00000003)
depth=0 CN = foo.localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = foo.localhost
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=foo.localhost
   i:/CN=foo.localhost
-----BEGIN CERTIFICATE-----
[…]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=foo.localhost
issuer=/CN=foo.localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1330 bytes and written 269 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: […]
    Session-ID-ctx: 
    Master-Key: […]
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    […]

    Start Time: 1529622990
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---
DONE

How do I make cURL trust it without modifying anything in /etc? --cacert does not work, presumably because there is no CA:

$ curl --cacert tls/foo.localhost.crt 'https://foo.localhost:8443/'
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

The goal is to enable HTTPS during development:

  • I can’t have a completely production-like certificate without a lot of work to enable DNS verification in all development environments. Therefore I have to use a self-signed certificate.
  • I still obviously want to make my development environment as similar as possible to production, so I can’t simply ignore any and all certificate issues. curl -k is like catch (Exception e) {} in this case – nothing at all like a browser talking to a web server.

In other words, when running curl [something] https://project.local/api/foo I want to be confident that

  1. if TLS is configured properly except for having a self-signed certificate the command will succeed and
  2. if I have any issues with my TLS configuration except for having a self-signed certificate the command will fail.

Using HTTP or --insecure fails the second criterion.

Solution:

Following these steps should solve your issue:

  1. Download and save the self-signed certificate: echo quit | openssl s_client -showcerts -servername "${API_HOST}" -connect "${API_HOST}":443 > cacert.pem
  2. Tell the curl client about it: curl --cacert cacert.pem --location --silent https://${API_HOST}

Also one could use wget and ignore certificates with: wget --no-check-certificate https://${API_HOST}
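
Step 1 above stores the whole s_client transcript and trusts whatever certificate the server returned on that connection. The following added example (not part of the original answer) keeps only the leaf certificate block and refuses to return it unless its SHA-256 fingerprint matches one obtained separately, for instance from the certificate file the Makefile generated; the function names and the sample transcript are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_blocks(transcript):
    """DER bytes of every certificate block found in s_client output."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(transcript)]

def to_pem(der):
    """Re-encode DER as a clean PEM block with 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")

def sha256_fp(der):
    """Colon-separated upper-case SHA-256 of the DER bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pin_leaf(transcript, expected_fp):
    """Return the leaf certificate as PEM, but only if it is the expected one."""
    ders = pem_blocks(transcript)
    if not ders:
        raise ValueError("no certificate block in transcript")
    leaf = ders[0]  # s_client -showcerts prints the server certificate first
    if sha256_fp(leaf) != expected_fp.strip().upper():
        raise ValueError("leaf fingerprint differs from the expected one")
    return to_pem(leaf)

# Constructed sample: placeholder bytes stand in for a real DER certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_TRANSCRIPT = (
    "CONNECTED(00000003)\n"
    "depth=0 CN = foo.localhost\n"
    "Certificate chain\n"
    " 0 s:/CN=foo.localhost\n"
    "   i:/CN=foo.localhost\n"
    + to_pem(SAMPLE_DER) +
    "---\nVerify return code: 21 (unable to verify the first certificate)\n"
)

if __name__ == "__main__":
    # In real use, expected_fp comes from the certificate file you generated.
    print(pin_leaf(SAMPLE_TRANSCRIPT, sha256_fp(SAMPLE_DER)), end="")
```

The returned PEM text is what would be written to cacert.pem and passed to curl --cacert.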

Perl: Retrieving Query Parameters and Headers

Next, let’s play with those methods that retrieve input parameters from query string including request content, and request headers. Here is a simple example Perl CGI script: CGI-pm-Request-Info.pl:

#!c:/local/perl/bin/perl.exe
#- CGI-pm-Request-Info.pl
#- Copyright (c) 2014 HerongYang.com, All Rights Reserved.
   
   use CGI;
   $query = CGI->new();

   $text = "";
   
#- Getting the request method
   $text .= "Request method = ".$query->request_method()."\n";

#- Getting input data from the query string and from the data content
   $text .= "Names and values from param():\n";
   @names = $query->param();
   foreach $name (@names) {
      $text .= "   $name = ".$query->param($name)."\n";
   }
   
#- Getting request headers
   $text .= "Names and values from http():\n";
   @names = $query->http();
   foreach $name (@names) {
      $text .= "   $name = ".$query->http($name)."\n";
   }
   
#- Printing the page; the text echoes request data, so HTML-escape it first
   print $query->header();
   print $query->start_html(-title=>'CGI-pm-Request-Info.pl');
   print $query->pre($query->escapeHTML($text));
   print $query->end_html();

Copy CGI-pm-Request-Info.pl to C:\local\apache\htdocs and browse to: http://localhost/CGI-pm-Request-Info.pl?name=joe&age=21&student

You should see the following result in the browser. The result looks good.

Request method = GET
Names and values from param():
   name = joe
   age = 21
   student = 
Names and values from http():
   HTTP_ACCEPT_ENCODING = gzip, deflate
   HTTP_CONNECTION = keep-alive
   HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q...
   HTTP_HOST = localhost
   HTTP_DNT = 1
   HTTP_ACCEPT_LANGUAGE = en-US,en;q=0.5
   HTTP_USER_AGENT = Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/2...

Error : getaddrinfo ENOTFOUND registry.npmjs.org registry.npmjs.org:443

Things to try:

  1. make sure you have internet connection: ping 8.8.8.8
  2. make sure you have DNS resolver working: ping www.google.com
  3. make sure you can access registry.npmjs.org: ping registry.npmjs.org
  4. make sure you can connect via https.

Try in your browser: https://registry.npmjs.org/

Make sure you are trying to connect to:

  • registry.npmjs.org

and not to:

  • "registry.npmjs.org registry.npmjs.org:443"

 

If there is no error, try to clear the cache:

npm cache clean --force then try npm install

If you still get an error:

npm config set registry https://registry.npmjs.org/ then try npm install -g @angular/cli

Make https the Default when Page Loading

I am running a web site from an Ubuntu 16 (LTS) server running on AWS EC2. I have set the following input rules for my security group on AWS:

Type    Protocol    Port Range    Source
HTTP    TCP            80        0.0.0.0/0
SSH     TCP            22        72.81.131.89/32
HTTPS   TCP            443       0.0.0.0/0 

On my Ubuntu server, I have set up SSL as described here. I have also edited /etc/apache2/ports.conf to be the following.

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80
Listen 8080

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    NameVirtualHost *:443
    Listen 443
</IfModule>

<IfModule ssl_module>
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

I do not have a file, /etc/apache2/sites-enabled/000-default.conf.

I have created a file, /etc/apache2/httpd.conf, with the following content

<VirtualHost _default_:443>
ServerName example.com:443
SSLEngine on
SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
SSLCertificateFile /etc/apache2/ssl/example.com.cert
ServerAdmin MYWEBGUY@localhost
DocumentRoot /var/www/html
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/errorSSL.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/accessSSL.log combined

</VirtualHost>

I have gone to /etc/apache2/ssl and entered

sudo openssl req -new -x509 -nodes -out example.com.crt -keyout example.com.key

That procedure worked without errors.

When I enter

sudo a2enmod ssl

I get

Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled

When I open my browser and enter

https://example.com

my web page opens with the green lock saying the site is secure. However, when I just enter

example.com

I get a regular http connection and a message saying the connection to the site is not secure.

How can I make https the default when the user just enters

example.com

Solution:

You need to force a redirect to the SSL site when a user hits the not-SSL site.
I will add a section like this:

<VirtualHost *:80>
   ServerName www.example.com
   Redirect / https://www.example.com/
</VirtualHost>

or better use a Rewrite rule to redirect all the requests to the SSL site:

RewriteEngine On
# This will enable the Rewrite capabilities

RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Look at the Apache wiki for further info.

ansible: Failed to validate the SSL certificate

If you get the following error:

“msg”: “Failed to validate the SSL certificate for rpm.nodesource.com:443. Make sure your managed systems have a valid CA certificate installed. If the website serving the url uses SNI you need python >= 2.7.9 on your managed machine (the python executable used (/usr/bin/python) is version: 2.6.6 (r266:84292, Aug 18 2016, 15:13:37) [GCC 4.4.7 20120313 (Red Hat 4.4.7-17)]) or you can install the `urllib3`, `pyOpenSSL`, `ndg-httpsclient`, and `pyasn1` python modules to perform SNI verification in python >= 2.6. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: [Errno 1] _ssl.c:492: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure.”

This is because the managed node does not have python >= 2.7.10. You can resolve it by executing:

sudo yum install pyOpenSSL -y
sudo pip install urllib3 ndg-httpsclient pyasn1