Having an application that runs with an insecure certificate results in an error from k6.
time="2017-11-29T14:15:16Z" level=warning msg="Request Failed" error="Put https://xxxxxxx: x509: certificate signed by unknown authority"
You need to add the insecureSkipTLSVerify: true in options or add the --insecure-skip-tls-verify flag.
https://docs.k6.io/docs/options
I was trying to prune some users from my nats server by doing:
nsc push --system-account SYS -u nats://localhost:4222 -P
but I got the following error:
server nats-comm-2 responded with error: delete accounts request by SOME_KEY_VALUE failed - delete must be enabled in server config
The meaning of the error is pretty obvious, when I examine the help documentation for nsc push -P:
Only works with nats-resolver enabled nats-server. Mutually exclusive of account-removal/diff
But I'm not sure how to enable this in my nats server config. How do I allow for account pruning?
I found documentation in the resolver section, here, showing that I could add allow_delete: true to the config, but as the YAML format is in camel-case, I had to modify it to be allowDelete: true instead.
nats:
  auth:
    enabled: true
    resolver:
      type: full
      allowDelete: true
I'm running a version 6 puppet on a utility node and when I try to connect to the puppet master from the puppet agent I get this error.
[root@utility ~]# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=utility.example.com]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=utility.example.com]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=utility.example.com]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=utility.example.com]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=utility.example.com]
Info: Loading facts
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=utility.example.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Also, the certificate on the puppet agent does not show on the puppet master when I run puppet cert list --all
Warning: `puppet cert` is deprecated and will be removed in a future release.
(location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:370:in `run')
Since the agent is not issuing a certificate-signing request, it must already have a signed certificate. But it seems not to be a certificate that the master recognizes, therefore the master will not accept it. Possibly the agent does not accept the master's cert, either.
The master refusing service to an unrecognized agent is exactly what one would expect and want if an unauthorized node attempted to retrieve a catalog. The agent refusing to complete a connection to the master is exactly what one would expect and want if an agent's catalog request were delivered to an imposter posing as the master.
But if an authorized agent is having such a problem requesting a catalog from a genuine master that it should recognize, then you have a trust failure. This might happen, for example, if the agent's original master were replaced with a new one, or if Puppet were removed from the master and then re-installed.
If indeed that master has no cert for the agent in question, then you should be able to resolve the issue by shutting down the agent (if it is running as a daemon), then clearing out its certificates so that it generates a new one on its next run. The Puppet docs describe how this can be done (you should need only step 3, "Clear and regenerate certs for Puppet agents", and only for the affected agent).
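The trust failure described in the answer above can be reproduced and checked with throwaway certificates. This is an added example, not part of the original answer; the CA names `old-master-ca` and `new-master-ca`, the helper functions and all generated files are constructed for the demonstration, and it assumes the `openssl` CLI with its default configuration.

```shell
#!/bin/sh
# Added example: an agent certificate issued by a replaced master's CA
# no longer chains to the new master's CA. All names are constructed.

# chain_ok CA_FILE CERT_FILE -> exit 0 if CERT_FILE verifies against CA_FILE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of CERT_FILE -> prints the issuer DN, to compare with the CA subject.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# make_ca DIR NAME -> self-signed CA key and cert standing in for a master's CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# sign_agent DIR CA_NAME CERTNAME -> agent cert issued by the named CA.
sign_agent() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# demo: the agent was signed by the old master's CA; only that CA accepts it.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" old-master-ca && make_ca "$d" new-master-ca &&
        sign_agent "$d" old-master-ca utility.example.com || return 1
    issuer_of "$d/utility.example.com.pem"
    chain_ok "$d/old-master-ca.pem" "$d/utility.example.com.pem" &&
        echo "old CA: agent cert trusted"
    chain_ok "$d/new-master-ca.pem" "$d/utility.example.com.pem" ||
        echo "new CA: agent cert rejected"
    rm -rf "$d"
}

demo
```

On a real agent, `chain_ok` and `issuer_of` can be pointed at the CA certificate and agent certificate under the agent's ssl directory (by default `/etc/puppetlabs/puppet/ssl/certs/ca.pem` and `certs/<certname>.pem`) to confirm whether the agent's certificate was issued by the CA it currently trusts.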
I'm unable to set up an SSL connection between Filebeat and Elasticsearch.
My knowledge is lacking when it comes to SSL. I'm using X-Pack to generate a certificate using the certutil command. bin/xpack/certutil ca generates a certificate authority under the name elastic-stack-ca.p12.
Then
$ bin/x-pack/certutil cert --ca elastic-stack-ca.p12
Which I believe creates a certificate signed by that CA. This results in the file elastic-certificates.p12. From here I'm clueless.
I tried testing to see if the certificates work by setting up an HTTPS connection to ES.
I put
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /path/to/elastic-certificates.p12
xpack.security.http.ssl.certificate: /path/to/elastic-certificates.p12
xpack.security.http.ssl.certificate_authorities: [ "/path/to/elastic-stack-ca.p12" ]
However, this brings up quite a few errors, one of them being
caught exception while handling client http traffic, closing connection
When I add the https IP and the CA in Kibana it fails to connect with ES.
I would like to know how to successfully set up HTTPS. Also, how can an SSL connection be established between two servers: one containing Filebeat but no X-Pack, and the receiving server with ES on it alongside X-Pack installed?
After adding those SSL settings in your elasticsearch.yml, you also need to add the password to the Elasticsearch keystore and truststore. You should've set a password when you ran the certutil command. You can do that with:
$ echo password | /usr/share/elasticsearch/bin/elasticsearch-keystore add --stdin xpack.security.transport.ssl.keystore.secure_password
$ echo password | /usr/share/elasticsearch/bin/elasticsearch-keystore add --stdin xpack.security.transport.ssl.truststore.secure_password
Make sure you restart Elasticsearch after making these changes.
I'm using the open source chef12 server and I have created a private certificate for chef-server rather than using a self-signed certificate. While using the private certificate I got the error below for "knife ssl check":
WARNING: There are invalid certificates in your trusted_certs_dir.
OpenSSL will not use the following certificates when verifying SSL connections:
c:/Users/test/.chef/trusted_certs/server.test.com.crt: unable to get local issuer certificate
I followed the steps given in "https://docs.chef.io/server_security.html" for a private certificate, adding server.crt and root.crt, and configured the nginx server. But when I tried "knife ssl fetch" it downloaded server.crt and root.crt separately into the trusted_certs folder, and I am getting the same error for "knife ssl check" again.
Please help me configure chef-server with a private cert without this error.
I am developing a website with Symfony2 on a localhost [Wamp] running on Windows. I need to log in to the site with HWIOAuthBundle [facebook, Google], but every time I click on login I get this error message:
SSL certificate problem: unable to get local issuer certificate
How can I avoid this message for the moment?
Download the file http://curl.haxx.se/ca/cacert.pem
and add this to your php.ini
curl.cainfo="path/to/your/cacert.pem"
and restart your server!
(see this answer)
Download the curl CA cert:
http://curl.haxx.se/ca/cacert.pem
export CURL_CA_BUNDLE="cacert.pem"