How to set up a secure connection between Filebeat and Elasticsearch using SSL - kibana

I'm unable to set up an SSL connection between Filebeat and Elasticsearch.
My knowledge is lacking when it comes to SSL. I'm using X-Pack to generate a certificate using the certutil command. bin/x-pack/certutil ca generates a certificate authority under the name elastic-stack-ca.p12.
Then
$ bin/x-pack/certutil cert --ca elastic-stack-ca.p12
Which I believe creates a certificate signed by that CA. This results in the file elastic-certificates.p12. From here I'm clueless.
I tried testing to see if the certificates work by setting up an HTTPS connection to ES.
I put
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /path/to/elastic-certificates.p12
xpack.security.http.ssl.certificate: /path/to/elastic-certificates.p12
xpack.security.http.ssl.certificate_authorities: [ "/path/to/elastic-stack-ca.p12" ]
However, this brings up quite a few errors, one of them being
caught exception while handling client http traffic, closing connection
When I add the https IP and the CA in Kibana, it fails to connect to ES.
I would like to know how to successfully set up HTTPS. Also, how can an SSL connection be established between two servers: one containing Filebeat but no X-Pack, and the receiving server with ES on it alongside X-Pack installed?

After adding those SSL settings in your elasticsearch.yml, you also need to add the password to the Elasticsearch keystore and truststore. You should've set a password when you ran the certutil command. You can do that with:
$ echo password | /usr/share/elasticsearch/bin/elasticsearch-keystore add --stdin xpack.security.transport.ssl.keystore.secure_password
$ echo password | /usr/share/elasticsearch/bin/elasticsearch-keystore add --stdin xpack.security.transport.ssl.truststore.secure_password
Make sure you restart Elasticsearch after making these changes.
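A way to check the result from the client side, as an added example that is not code from the thread or from Elastic: the script below connects to the Elasticsearch HTTPS port with the same verification a Filebeat output with ssl.certificate_authorities and verification_mode: full performs, and turns the usual handshake failures into a concrete hint. It assumes the certutil CA is available as a PEM file (certutil ca --pem emits one; a .p12 can also be exported with openssl pkcs12 -nokeys), and the host, port, paths and hint wording are this example's assumptions. One fact the hints rely on: a PKCS#12 bundle such as elastic-certificates.p12 belongs in xpack.security.http.ssl.keystore.path (with its password in the Elasticsearch keystore), not in the PEM-only key/certificate settings.

```python
"""Connect to Elasticsearch over HTTPS the way Filebeat's output.elasticsearch
does (CA pinned, hostname checked) and explain the common failures.
Added example, not code from the thread; host, port, paths and the hint
wording are assumptions."""
import http.client
import socket
import ssl


def make_context(ca_pem_path):
    # Assumption: the certutil CA is available as PEM (certutil ca --pem, or
    # exported from the .p12 with openssl pkcs12 -nokeys).
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    ctx.check_hostname = True            # Filebeat ssl.verification_mode: full
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def diagnose(exc):
    """Map a connection/handshake exception to the misconfiguration it usually means."""
    text = str(exc)
    low = text.lower()
    if isinstance(exc, ssl.SSLCertVerificationError):
        if "hostname" in low:
            return ("hostname mismatch: the server certificate does not list the name you "
                    "connect with; add it with certutil --dns/--ip or connect by a listed name")
        return ("CA verify failed: the CA given to the client is not the one that signed "
                "the Elasticsearch certificate (check the CA file and that it is the certutil CA)")
    if isinstance(exc, ssl.SSLError):
        if "wrong_version_number" in low or "wrong version number" in low:
            return ("plaintext answer on the HTTPS port: xpack.security.http.ssl.enabled is "
                    "not in effect (setting missing or Elasticsearch not restarted)")
        if "eof" in low:
            return ("server closed the handshake: read the Elasticsearch log for the matching "
                    "exception; a .p12 belongs in xpack.security.http.ssl.keystore.path with its "
                    "password in elasticsearch-keystore, not in the PEM-only key/certificate settings")
        return "TLS failure: " + text
    if isinstance(exc, (ConnectionRefusedError, ConnectionResetError, socket.timeout, OSError)):
        return "no TLS session at all (%s): wrong host/port, firewall, or node down" % exc.__class__.__name__
    return "unexpected error: %r" % (exc,)


def probe(host, port, ca_pem_path, timeout=5.0):
    """Return (ok, detail): True with the HTTP status, or False with a diagnosis."""
    try:
        conn = http.client.HTTPSConnection(host, port, context=make_context(ca_pem_path), timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        return True, "HTTP %d from https://%s:%d (%s)" % (resp.status, host, port, conn.sock.version())
    except Exception as exc:  # classify every failure instead of hiding it
        return False, diagnose(exc)


if __name__ == "__main__":
    # Placeholder host, port and CA path; replace with your own.
    ok, detail = probe("es-node.example.internal", 9200, "/etc/filebeat/certs/ca.crt")
    print("OK" if ok else "FAILED", detail)
```

A 401 from Elasticsearch still counts as success here: with security enabled the node asks for credentials, but the handshake and CA check have already passed, which is the part the question is stuck on.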

Related

Maxscale: maxctrl error when admin_ssl parameters are set in maxscale.cnf

System:
Maxscale 2.5.9
Ubuntu 20.04
In order to access the Web AdminGUI, my maxscale.cnf file looks like this:
[maxscale]
threads=auto
admin_host=0.0.0.0
admin_secure_gui=1
admin_auth=1
admin_enabled=1
admin_gui=1
admin_ssl_key=/etc/ssl/certs/maxscale-key.pem
admin_ssl_cert=/etc/ssl/certs/maxscale-cert.pem
admin_ssl_ca_cert=/etc/ssl/certs/ca-certificates.crt
[...all other configuration..]
With this configuration I can access the Web-AdminGUI on port 8989 from the internal ip address (not 127.0.0.1) by browser.
The SSL key/certs are self-signed.
BUT
When using the command line like:
maxctrl list servers
I get the following error:
Error: Error: socket hang up
When I remove or comment out the lines with the admin_ssl_XXX parameters and restart MaxScale, the command line works again, but of course the Web-AdminGUI does not.
I tried various ways of creating the SSL certificates (including the one listed on the mariadb.com website:
https://mariadb.com/docs/security/encryption/in-transit/create-self-signed-certificates-keys-openssl/#create-self-signed-certificates-keys-openssl);
the issue remains.
No errors in the maxscale.log whatsoever.
What is the best way to debug this issue?
Or do you have by any chance the right answer at hand?
YOUR help is greatly appreciated!
BR. Martin
You should use maxctrl --secure to encrypt the connections used by it.
Since you are using self-signed certificates, you have to also specify the CA certificate with --tls-ca-cert=/etc/ssl/certs/ca-certificates.crt if it's not installed in the system certificate store.
In addition, you probably need to use --tls-verify-server-cert=false to disable any warnings about self-signed certificates.

Linux server returning old SSL certs via curl

When I try to retrieve the most up-to-date SSL cert info from a URL on my CentOS 7 machine, I keep getting some sort of old cached result.
example curl:
curl --insecure -v https://www.google.com 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
I know for a fact, and even Chrome knows, that my expiry is in the future, but the curl request always returns the old cert, which has expired.
Is there some sort of cache on the machine itself?
The issue looks to be around bad configurations of Microsoft IIS servers, and potentially any ISAs sitting in front of them.
Unless you fully remove and reboot the server that you've updated a new SSL cert onto, there will still be instances of that server sending out the previous (expired) SSL cert, so you will never see the latest one.

SQLMap: Can't establish SSL Connection: Need Solution

I am trying to use SQLMap with https, but when I try
"C:\Python27\sqlmap>sqlmap.py -u https://localhost:8774/App/console/index.jsp --force-ssl" it returns
"Can't establish SSL Connection".
So is there any way that I can pass an SSL certificate to SQLMap?
Environment Details:
OS: Windows 10
Python: 2.7
SQLMap: 1.4.2.42
Refer to attached image for more details.
Remove https:// from the 'u' parameter; just put:
-u localhost:8774/App/console/index.jsp
A simple solution for that is to set up a proxy listener like Burp Suite, browse over to the site with the bad SSL certificate and Trust it.
After that, you can include the following option in your SQLMap command:
--proxy="http://PROXY-IP:PROXY-PORT"
where the proxy IP is generally 127.0.0.1 and the proxy port 8080.

Let's Encrypt checks the previous certificate and throws an error

I set up my own landing page on my server with Nginx on top of it. I followed the Digital Ocean 'How to' to get an SSL certificate for it.
Now I have finished setting up a WordPress for my wife. Everything works well on plain HTTP, but if I try to redo the process with Let's Encrypt: sudo certbot --nginx -d pamelajoa.com -d www.pamelajoa.com certbot tries to challenge the server but finds out that there is already a certificate for my own website:
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: pamelajoa.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
XXX.YYY.acme.invalid
from [2001:41d0:8:6d9b::1]:443. Received 2 certificate(s), first
certificate had names "gfelot.xyz, www.gfelot.xyz"
Domain: www.pamelajoa.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
XXX.YYY.acme.invalid
from [2001:41d0:8:6d9b::1]:443. Received 2 certificate(s), first
certificate had names "gfelot.xyz, www.gfelot.xyz"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Once again, my own website works on HTTPS and the WP works on HTTP, so I don't think it's coming from my Nginx conf.
Any idea?
Found a solution that worked for me, using this option in your command:
--preferred-challenges http-01
Or you may try this one:
--preferred-challenges http
Full command here:
sudo certbot --nginx --preferred-challenges http-01 -d www.kaokeb.com
Full post for this solution in this thread:
https://community.letsencrypt.org/t/expired-certification/60185/23
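Both the curl question above (one backend still serving an expired certificate) and this certbot failure (the server answering an SNI name with a certificate issued for other names) come down to the same check: connect to every address the name resolves to, send the SNI name you care about, and look at the names and expiry of the certificate that actually comes back. The script below does that; it is an added example, not code from either thread, and it assumes the openssl command-line tool is installed (OpenSSL 1.1.1 or later for the x509 -ext option). SAMPLE_X509_TEXT is constructed output in the shape openssl x509 prints, carrying the names from the certbot error above, and the host in the usage is a placeholder.

```python
"""Probe each address behind a name with SNI and report the certificate served.
Added example for the curl/IIS and certbot tls-sni-01 questions; shells out to
the openssl CLI (assumed installed, >= 1.1.1 for -ext). Host names are placeholders."""
import socket
import ssl
import subprocess
import time

# Constructed sample in the shape of `openssl x509 -noout -subject -enddate -ext subjectAltName`.
SAMPLE_X509_TEXT = """subject=CN = gfelot.xyz
notAfter=Mar 10 12:00:00 2025 GMT
X509v3 Subject Alternative Name:
    DNS:gfelot.xyz, DNS:www.gfelot.xyz
"""


def resolve_all(host, port=443):
    """Every A/AAAA address behind the name; a stale certificate often lives on just one."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def fetch_cert_text(address, sni_name, port=443, timeout=10):
    """Handshake against one address with SNI set to sni_name; return the leaf cert summary."""
    target = "[%s]:%d" % (address, port) if ":" in address else "%s:%d" % (address, port)
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", target, "-servername", sni_name],
        input=b"", capture_output=True, timeout=timeout, check=False)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-enddate", "-ext", "subjectAltName"],
        input=s_client.stdout, capture_output=True, timeout=timeout, check=False)
    return x509.stdout.decode("utf-8", "replace")


def parse_cert_text(text):
    """Pull notAfter and the DNS SANs out of openssl x509 output."""
    not_after, names = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("notAfter="):
            not_after = line[len("notAfter="):]
        elif "DNS:" in line:
            names.extend(p.strip()[len("DNS:"):] for p in line.split(",") if p.strip().startswith("DNS:"))
    return {"not_after": not_after, "dns_names": names}


def name_covered(name, dns_names):
    """Exact match or a single-label wildcard in the leftmost position, as browsers accept."""
    name = name.lower().rstrip(".")
    for san in dns_names:
        san = san.lower().rstrip(".")
        if san == name:
            return True
        if san.startswith("*.") and "." in name and name.split(".", 1)[1] == san[2:]:
            return True
    return False


def assess(parsed, expected_name, now=None):
    """Return the list of problems with the certificate that was actually served."""
    now = time.time() if now is None else now
    if parsed["not_after"] is None:
        return ["no certificate returned"]
    problems = []
    if ssl.cert_time_to_seconds(parsed["not_after"]) <= now:
        problems.append("expired on " + parsed["not_after"])
    if not name_covered(expected_name, parsed["dns_names"]):
        problems.append("certificate names %s do not cover %s" % (parsed["dns_names"], expected_name))
    return problems


def check_host(host, port=443):
    """Probe every address for host; map address -> list of problems (empty means fine)."""
    return {addr: assess(parse_cert_text(fetch_cert_text(addr, host, port)), host)
            for addr in resolve_all(host, port)}


if __name__ == "__main__":
    for addr, problems in check_host("www.example.com").items():   # placeholder host
        print(addr, "OK" if not problems else "; ".join(problems))
```

Run against the names in the certbot error, the report for pamelajoa.com would show the gfelot.xyz certificate and a "do not cover" problem for each address, which is the server's default certificate being returned for an SNI name it has nothing for; run against a name whose backends disagree, it shows the expiry per address instead of whichever one curl happened to hit.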

AWS scp: Host key verification failed

We are using CentOS 7. If I try the below way with the pem file included, scp works, but when the pem file is removed it's not working. The code was working earlier without the pem file. After we moved to a different web server, we are having Host key verification failed issues.
scp -i /home/centos/sshkeys/test.pem root@77.79.77.72:/usr/local//2016/Aug/31/ggea98c0-6f0f-11e6-86d9-2573a2e556aa.wav /var/www/html/tmp/ggea98c0-6f0f-11e6-86d9-2573a2e556aa.wav
Maybe your key was registered in ~/.ssh/config, or it was your default key in ~/.ssh? Check on the old server?
Edited:
For example this is what I put in ~/.ssh/config
Host myserver
Hostname 52.100.100.100
User ubuntu
IdentityFile ~/dev/application/server-key.pem
It allows me to connect simply with ssh myserver. Maybe it was something like this that you had on your server.