First of all let me to say my knowledge of ssl and criptography protocols is very limited. Please be patient if I say something blatantly wrong :-) . Feel free to correct me!
I'm building a custom web server to be deployed inside an isolated local network; this is how I run my service (Python code):
ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
ssl_context.load_cert_chain(certfile='mykey.crt', keyfile='mykey.key')
... client connects to https port 443 ...
ssl_sock = ssl_context.wrap_socket(sock, server_side=True)
This is how I generated mykey.crt and mykey.key files:
$ openssl genrsa -des3 -out mykey.orig.key 2048
$ openssl rsa -in mykey.orig.key -out mykey.key
$ openssl req -new -key mykey.key -out mykey.csr
$ openssl x509 -req -days 3650 -in mykey.csr -signkey mykey.key -out mykey.crt
So far so good, my webserver works very well. But I have go past the "not secure" warning that Firefox rightfully shove in my face.
I'd like to install my self-signed certificate in the few clients that are going access my web server in order to permanently avoid the warning.
I followed every single certificate installation guide I was able to find but I absolutely cannot get Firefox (and Chrome) accept my certificate. And I get no error message whatsoever from the browsers.
I think I'm missing something in the certificate generation commands.
Somebody could help me?
Thanks a lot!
self-signed certificate can uses only for tests. You have to get the certificate from an 'Accredited certification authority'
2) check please : self-signed certificate need to has next data:
URL, address,
name,
email
3) you should use a certificate signed by a CA
Related
I created both client and server certificates:
# client
openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out ssl/client.crt -keyout ssl/client.key
# server
openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out ssl/server.crt -keyout ssl/server
Then with python I have the following:
import requests
response = requests.get(
"https://localhost:8080/",
verify="ssl/server.crt",
cert=("ssl/client.crt", "ssl/client.key")
)
I also have a gunicorn server running with the server self signed certificate.
The code snippet is throwing me the following error:
requests.exceptions.SSLError: HTTPSConnectionPool(host='localhost', port=8080): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:2633)')))
It is a self signed certificate so I am not sure what CA is it expecting.
tlsv1 alert unknown ca
The server is sending a TLS alert back since it cannot validate your client certificate - the certificate authority (ca) which signed the certificate is unknown to the server. You either need to disable client certificate validation in your server or (better) make the server trust your client certificate.
It is a self signed certificate so I am not sure what CA is it expecting.
A self-signed certificate is signed by itself, i.e. the CA is the certificate itself.
It looks like the server isn't able to validate your client certificate. If you're just using a pair of self-signed certificates for the client and server, then the server needs to also use the client's certificate as its CA, since it will attempt to validate it was signed by the CA - which in this case is the client.
I recently wrote a blog on deploying mTLS with self-signed certificates which might help you as it contains more details, specifically with how to configure the client and server. Check it out here: https://otterize.com/blog/so-you-want-to-deploy-mtls
I tried to run my Flask Application on localhost and as well as on my local network's IP address and it ran very well (without SSL).
However, when I tried to run the application with SSL then the web browsers didn't load the page and gives the error:
Your connection is not private : NET::ERR_CERT_INVALID
Methods I have tried but failed:
1. Using Self-signed .pem certificate (Subject Type=CA)
With generated certificate .pem, cert key, and configuring my flask app use it.
openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
app.run(
host='192.168.1.127', port="8282", debug=True,
ssl_context=('cert.pem', 'key.pem'),
)
2. Using Self-signed .crt certificate
With generated certificate .crt, cert key, and configuring my flask app use it.
$ openssl genrsa -des3 -out server.key 1024
$ openssl req -new -key server.key -out server.csr
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
app.run(
host='192.168.1.127', port="8282", debug=True,
ssl_context=('server.crt', 'server.key')
)
3. Run Flask with ssl_context='adhoc'
```
app.run(
host='192.168.1.127', port="8282", debug=True,
ssl_context='adhoc'
)
```
I am trying to build a system where multiple raspberry pi are located at different rooms of the house but they are connected to the same home network.
There is the main computer on the same network which acts as a Controller and to implement the system successfully I need to make requests from the controller system to all the Raspberry PI over HTTPS.
Its working.
The message connection not private is misleading, what is actually happening is that the connection is encrypted with a certificate that is not in your chain of trust. Even if it was, I doubt the browser would accept a certificate for an IP address.
In any case, your connection is indeed encrypted.
You don't shoe the additional details. But you can try to add the generated certificate to your system's chain of trust.
I am trying to secure a dask distributed system using TLS but the scheduler throws "TypeError: TLS expects a 'ssl_context' argument of type ssl.SSLContext (perhaps check your TLS configuration?) Instead got None" when I run dask-ssh over some local to the network machines.
This is for a dask distributed system that is created using dask-ssh to initialize it. All of the computers in the hostfile.txt are local to the network and file server. I use the same 2 files created with the openssl tool for all machines. Using default TCP there are no issues. I think I am either making the TLS certificates incorrectly, or assigning them in the Dask config incorrectly. I have done a fair amount of googling of this error and I have no idea what could be the issue
Here is how I am generating the certificates:
openssl req -newkey rsa:4096 -nodes -sha256 -x509 -days 3650 -nodes -out /MyFakeDirectory/certs/myca.pem -keyout /MyFakeDirectory/private/mykey.pem
Leaving every asked question after that blank.
Here are all the relevant assignments I have inside of my dask config located at: .config/dask/distributed:
default-scheme: tls
.
.
.
require-encryption: True
tls:
ca-file: /MyFakeDirectory/Certs/certs/myca.pem
scheduler:
key: /MyFakeDirectory/Certs/private/mykey.pem
cert: /MyFakeDirectory/Certs/certs/myca.pem
worker:
key: /MyFakeDirectory/Certs/private/mykey.pem
cert: /MyFakeDirectory/Certs/certs/myca.pem
client:
key: /MyFakeDirectory/Certs/private/mykey.pem
cert: /MyFakeDirectory/Certs/certs/myca.pem
ciphers:
ECDHE-ECDSA-AES128-GCM-SHA256
I've followed this link to build a simple file server with SSL.
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl
httpd = HTTPServer(('localhost', 4443), BaseHTTPRequestHandler)
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
httpd.socket = ssl.wrap_socket (httpd.socket, keyfile="key.pem", certfile='cert.pem', server_side=True)
httpd.serve_forever()
I have created a certificate successfully, key.pem and cert.pem file paths are cool and I can start the server using python server.py. I am asked for a password, enter it, then it freezes for a bit and then it seems to run.
However, when I enter some URL such as https://localhost:4443/index.html I get 500 Unsupported method GET. Error code explanation: HTTPStatus.NOT_IMPLEMENTED - Server does not support this operation. Do I need to do something more to make my server serve the current directory? Until now I have just used python -m http.server 8000 (SimpleHTTPServer when on Mac.) I am using Python 3.
This is an will stay local so don't worry about the PEM files and the server script being exposed through it (if it worked!). I am also okay with the certificate being untrusted and instructed Chrome to visit the page anyway. I just need it to allow me to access camera without having to deploy my app somewhere with a legit cert.
From the docs:
class http.server.BaseHTTPRequestHandler(request, client_address, server)
This class is used to handle the HTTP requests that arrive at the server. By itself, it cannot respond to any actual HTTP requests; it must be subclassed to handle each request method (e.g. GET or POST).
Try using SimpleHTTPRequestHandler instead, eg,
httpd = socketserver.TCPServer(('localhost', 4443), SimpleHTTPRequestHandler)
I have set up a web2py environment on a linux server using the 'one step production deployment' descriped in the web2py document.
Now I can go to my website by typing my domain name into a web browser, except now it is untrusted by the browser.
Then I got a ssl certificate that I want to add to my server.
So my question is how to add ssl certificate after using the one step deployment?
I searched online, but most tutorial is to setup every thing from scratch.
If you look into the one-step-production-deployment script, you can see that it generated a self-signed cert:
echo "creating a self signed certificate"
echo "=================================="
openssl genrsa 1024 > /etc/apache2/ssl/self_signed.key
chmod 400 /etc/apache2/ssl/self_signed.key
openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/apache2/ssl/self_signed.key > /etc/apache2/ssl/self_signed.cert
openssl x509 -noout -fingerprint -text < /etc/apache2/ssl/self_signed.cert > /etc/apache2/ssl/self_signed.info
And let Apache use it:
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/self_signed.cert
SSLCertificateKeyFile /etc/apache2/ssl/self_signed.key
# ...
So I think what you need to do is changing the path above to your new cert.