SSL Certificate configuration for WSO2 API 3.2 - wso2-api-manager

I'm currently trying to configure our WSO2 API Manager 3.2 to use our SSL certificate.
I followed the documentation "Creating a New Keystore" and "Configuring Keystores in API Manager".
I have updated the deployment.toml file:
[server]<br>
hostname = "myserver001.internal.net"
....
[keystore.tls]
file_name = "myKeystore.jks"
type = "JKS"
password = "secretpassword"
alias = "myserver001.internal.net"
key_password = "secretpassword"
[keystore.primary]
file_name = "wso2carbon.jks"
type = "JKS"
password = "wso2carbon"
alias = "wso2carbon"
key_password = "wso2carbon"
The servername is set to myserver001.
The domain name myserver001.internal.net is set in the host file.
After restarting the WSO2 APIM server an exception message is thrown:
SSLException: hostname in certificate didn't match:
<localhost> != <myserver001.internal.net> OR <myserver001.internal.net>
Does anyone knows what I have to change additionally, to come around this error or where I can find additional documentation?
Any help is appreciated

Looks this is due to the missing service_url of TM/Event hub config. So can you add/update the following config?
[apim.throttling]
...
service_url = "https://myserver001.internal.net:9443/services/"

I was in the exact same situation :
Migration from v2.6.0 to v3.2.0
Valid certificate
SSLException: hostname in certificate didn't match
I tried a lot of things, but after a lot of researches, I'd say that there is two possibilities :
It's a bug
It's a documentation problem, and we have to edit more things to make our certificate work
I believe that you changed the Dhttpclient.hostnameVerifier to another value than "AllowAll". See the doc about hostname verification.
It's just a workaround and it's probably not that secure, but you'll have to put back the default value for Dhttpclient.hostnameVerifier to avoid this error :
service wso2am-3.2.0 stop
nano /usr/lib/wso2/wso2am/3.2.0/bin/wso2server.sh
-Dhttpclient.hostnameVerifier=AllowAll \
service wso2am-3.2.0 start

Related

Configure grafana-loki output plugin

i'm trying to use the grafana-loki output plugin in fluent-bit but it seems impossible to configure with tls.
i had a working configuration running with the loki plugin like this :
[OUTPUT]
Name loki
Match *
Host my-collector-url-for-loki
Port 443
Http_User m-user
Http_Passwd some-token-value
Labels job=fluentbit
auto_kubernetes_labels on
Tls On
Tls.verify On
but the problem with this output plugin was that the logs are not showing correctly on grafana, i think a filter or parser needs to be configured for it or maybe the plugin is just meant for loki not grafana/loki, i just don't know and i got tired of trying to figure out why. So i switched to the grafana-loki plugin and the logs looked perfect on grafana but i only had it working without authentication.
this is my setup with grafana-loki output plugin
[Output]
Name grafana-loki
Match *
Url https://url-to-my-logs-collector
TenantID ""
BatchWait 1
BatchSize 1048576
Labels {job="test-fluent-bit"}
RemoveKeys kubernetes,stream
AutoKubernetesLabels false
LabelMapPath /fluent-bit/etc/labelmap.json
LineFormat json
LogLevel warn
# everything prior to this line is working successfully
# trying to set authentication here "this part doesn't work"
Tls On
Tls.verify On
Http_User m-user
Http_Passwd some-token-value
Problem with this setup, i always get a 403 forbidden http status. I'm having trouble figuring out how to set authentication on this plugin. Does anyone have a working configuration for this type of setup?
Authentication worked for me using this plugin using like below:
[Output]
Name grafana-loki
Match *
Url https://${user_loki}:${pass_loki}#lurl-to-my-logs-collector
BatchWait 1s
BatchSize 102400
TenantID ""
(...)
TLS, http.user and http.passwd options are not support, as far as I could understand, by this plugin.

cert manager is failing with Waiting for dns-01 challenge propagation: Could not determine authoritative nameservers

I have created cert-manager on aks-engine using below command
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager.yaml
my certificate spec
issuer spec
Im using nginx as ingress, I could see txt record in the azure dns zone created my azuredns service principle, but not sure what is the issue on nameservers
I ran into the same error... I suspect that it's because I'm using a mix of private and public Azure DNS entries and the record needs to get added to the public entry so letsencrypt can see it, however, cert-manager performs a check that the TXT record is visible before asking letsencrypt to perform the validation... I assume that the default DNS records cert-manager looks at is the private one, and because there's no TXT record there, it gets stuck on this error.
The way around it, as described on cert-manager.io is to override the default DNS using extraArgs (I'm doing this with terraform and helm):
resource "helm_release" "cert_manager" {
name = "cert-manager"
repository = "https://charts.jetstack.io"
chart = "cert-manager"
set {
name = "installCRDs"
value = "true"
}
set {
name = "extraArgs"
value = "{--dns01-recursive-nameservers-only,--dns01-recursive-nameservers=8.8.8.8:53\\,1.1.1.1:53}"
}
}
The issue for me, was that I was missing some annotations in the ingress:
cert-manager.io/cluster-issuer: hydrantid
kubernetes.io/tls-acme: 'true'
In my case I am using hydrantid as the issuer, but most people use letsencrypt I guess.
I had similar error when my certificate was stuck in pending and below is how i resolved it
kubectl get challenges
urChallengeName
then run the following
kubectl patch challenge/urChallengeName -p '{"metadata":{"finalizers":[]}}' --type=merge
and when u do get challenges again it should be gone

How can I skip ssl certificate verification on HTTPS connection using the OpenEdge.Net Libraries?

I am trying to to do a POST to an API endpoint using Openedge.
I have installed the ssl certificate of the place i am requesting from but the https request fails, telling me it can't find the ssl certificate of that place (in my /usr/dlc/certs).
"_errors": [
{
"_errorMsg": "ERROR condition: Secure Socket Layer (SSL) failure. error code -54: unable to get local issuer certificate: for 85cf5865.0 in /usr/dlc/certs (9318) (7211)",
"_errorNum": 9318
}
]
So, i have resorted to doing an insecure request, like curl does it with the --insecure or wget does it with "no-check-certificate"
I am using the OpenEdge.Net Libraries on OpenEdge 11.6
creds = new Credentials('https://xxxx.com', 'usersname', 'password').
oPayload = NEW JsonObject().
oRequestBody = new String('CustomerReference=xxx&NoOfParcelsToAdd=2').
oRequest = RequestBuilder:Post('https://xxxxx.com/endpoint', oRequestBody)// Add credentials to the request
:UsingBasicAuthentication(creds)
:ContentType('application/x-www-form-urlencoded')
:AcceptJson() :Request.
oResponse = ClientBuilder:Build():Client:Execute(oRequest).
I want to know, for this OpenEdge.Net Libraries is there a tag that i can put in order to skip the checking of the certificate?
I don't know of any option to skip verification but I do know that a common source of that error is that your certificate authority is not in $DLC/certs. The default list of certificate authorities is fairly narrow.
USING OpenEdge.Net.HTTP.IHttpClientLibrary.
USING OpenEdge.Net.HTTP.Lib.ClientLibraryBuilder.
DEFINE VARIABLE oLib AS IHttpClientLibrary NO-UNDO.
oLib = ClientLibraryBuilder:Build()
:sslVerifyHost(NO)
:Library.
oHttpClient = ClientBuilder:Build()
:UsingLibrary(oLib)
:Client.

failed to launch Openstack instance: 'authentication required' when trying to create port

I'm trying to deploy Openstack Icehouse on Ubuntu Server 14.04 by following the official document. But after Keystone\Nova\Neutron\Glance were deployed, when I tried to launch a CirrOS instance by
nova boot -nic ... -image ... -flavor ...
, it failed.
The log in Nova client shows that:
The Neutron client(Yes, it's neutron. I guess there are interactions between them in booting) tried to connect with Neutron server to create a port on tenant's network.
But Neutron client set up the token-getting request using {username:neutron, password:REDACTED} to Keystone server and used that token to request for creating port to Neutron server.
Finally, the Neutron Server decided that that's an authentication problem.
I'm sure that I requested to create instance using tenant 'demo''s info($OS_TENANT_NAME, $OS_USERNAME, $OS_PASSWORD, $OS_AUTH_URL were properly set with 'demo''s value) by
source demoopenrc.sh
with demo's credential in that file.
Is that something wrong in the Neutron client's configuration or booting process? I paste a part of the neutron.conf here:
the Keystone setting
[keystone_authtoken]
auth_uri = http://controller:5000
auth_host = controller
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = neutron
admin_password = neutronpass
signing_dir = $state_path/keystone-signing
Since the Neutron client used 'neutron' user's credential for token getting, is there something wrong in this part?
The problem has been solved after nearly a month. For anyone still interested in this problem, please visit here

Why is the netsh http add sslcert throwing error from Powershell ps1 file?

I am trying to add an sslcert using netsh http from within a powershell ps1 file, but it keeps throwing errors:
$guid = [guid]::NewGuid()
netsh http add sslcert ipport=0.0.0.0:443 certhash=5758B8D8248AA8B4E91DAA46F069CC1C39ABA718 appid={$guid}
'JABnAHUAaQBkAA' is not a valid argument for this command.
The syntax supplied for this command is not valid. Check help for the correct syntax.
Usage: add sslcert [ipport=]<IP Address:port>
[certhash=]<string>
[appid=]<GUID>
[[certstorename=]<string>
[verifyclientcertrevocation=]enable|disable
[verifyrevocationwithcachedclientcertonly=]enable|disable
[usagecheck=]enable|disable
[revocationfreshnesstime=]<u-int>
[urlretrievaltimeout=]<u-int>
[sslctlidentifier=]<string>
[sslctlstorename=]<string>
[dsmapperusage=]enable|disable
[clientcertnegotiation=]enable|disable]
Parameters:
Tag Value
ipport - IP address and port for the binding.
certhash - The SHA hash of the certificate. This hash
is 20 bytes long and specified as a hex
string.
appid - GUID to identify the owning application.
certstorename - Store name for the certificate. Defaults
to MY. Certificate must be stored in the
local machine context.
verifyclientcertrevocation - Turns on/off verification of revocation
of client certificates.
verifyrevocationwithcachedclientcertonly - Turns on/off usage of
only cached client
certificate for revocation checking.
usagecheck - Turns on/off usage check. Default is enabled.
revocationfreshnesstime - Time interval to check for an updated
certificate revocation list (CRL). If this
value is 0, then the new CRL is updated
only if the previous one expires. (in
seconds)
urlretrievaltimeout - Timeout on attempt to retrieve certificate
revocation list for the remote URL.
(in milliseconds)
sslctlidentifier - List the certificate issuers that can
be trusted. This list can be a subset of
the certificate issuers that are trusted
by the machine.
sslctlstorename - Store name under LOCAL_MACHINE where
SslCtlIdentifier is stored.
dsmapperusage - Turns on/off DS mappers. Default is
disabled.
clientcertnegotiation - Turns on/off negotiation of certificate.
Default is disabled.
Remarks: adds a new SSL server certificate binding and corresponding client
certificate policies for an IP address and port.
Examples:
add sslcert ipport=1.1.1.1:443 certhash=0102030405060708090A0B0C0D0E0F1011121314 appid={00112233-4455-6677-8899
-AABBCCDDEEFF}
I might be wrong, but I believe it has something to do how I go about specifying the appid GUID in my powershell script file. Could someone please help me solve the error?
It's a problem with the way Powershell parses cmd commands.
This will execute the command successfully:
$guid = [guid]::NewGuid()
$Command = "http add sslcert ipport=0.0.0.0:443 certhash=5758B8D8248AA8B4E91DAA46F069CC1C39ABA718 appid={$guid}"
$Command | netsh
The reason for the error is that the curly braces have to be escaped each with a backtick (`).
The following command will work from the PowerShell commandline:
This will work from the PowerShell commadline:
$AppId = [Guid]::NewGuid().Guid
$Hash = "209966E2BEDA57E3DB74FD4B1E7266F43EB7B56D"
netsh http add sslcert ipport=0.0.0.0:8000 certhash=$Hash appid=`{$Guid`}
The important details are to escape each { } with a backtick (`).
If netsh raises an error 87 try appending certstorename my
There is no need to use variables. Its just for sake of convenience.
Below code will work, & here is used for invoke program with parameters, and "appid={$guid}" make it pass string value.
& netsh http add sslcert ipport=0.0.0.0:443 certhash=5758B8D8248AA8B4E91DAA46F069CC1C39ABA718 "appid={$guid}"

Resources