Use-STSRole : Credential generation from SAML authentication failed - adfs

The AWS PowerShell SAML code below works without problems on all Windows workstations, but on all Windows servers we get this error:
Use-STSRole : Credential generation from SAML authentication failed.
+ CategoryInfo : InvalidOperation: (Amazon.PowerShe...seSTSRoleCmdlet:UseSTSRoleCmdlet) [Use-STSRole], InvalidOperationException
+ FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.STS.UseSTSRoleCmdlet
PowerShell code:
Clear-AWSCredentials
Set-DefaultAWSRegion eu-west-1
$ADFSendpoint=Set-AWSSamlEndpoint -Endpoint "https://adfs.mycompany.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices" -StoreAs ADFSendpoint
Set-AWSSamlRoleProfile -EndpointName $ADFSendpoint -StoreAllRoles
Set-AWSCredentials -ProfileName "123456789012:role/MyRole"
$RoleArn = "arn:aws:iam::123456789012:role/MyRole"
$CredentialAws = (Use-STSRole -RoleArn $RoleArn -RoleSessionName "MySession").Credentials
$CredentialAws
Get-S3Bucket
This is maddening - they are otherwise identically set up, and the ADFS endpoint still works fine in a browser on the servers, but NOT in PowerShell.
This used to work recently on the servers but I am unable to find out why it stopped working.

The issue is resolved.
Fiddler revealed a certificate problem (see below) and it turned out that there were two versions of the root certificate "Starfield Class 2 Certification Authority" - the version on the workstations expires in 2034 and the version on the servers expires in 2024 - so both should be valid, but still the 2024 version shows a chain with a warning and the 2034 version shows a chain with no warning.
So the AWS PowerShell endpoint sts.amazonaws.com must have had its certificate chain changed recently to cause this symptom.
Optionally, Google for a PowerShell script to save the SSL certificate of a site like sts.amazonaws.com to a file.
-----fiddler output-----
Session #6: The server (sts.amazonaws.com) presented a certificate that did not validate, due to RemoteCertificateChainErrors.
0 - A certificate chain could not be built to a trusted root authority.
1 - The revocation function was unable to check revocation for the certificate.
2 - The revocation function was unable to check revocation because the revocation server was offline.
ISSUER: CN=Amazon, OU=Server CA 1B, O=Amazon, C=US
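The check the answer above did by hand with Fiddler, as an added PowerShell example that is not code from the original post: it fetches the certificate the host presents, builds the chain the way .NET (and therefore the AWS cmdlets) would, prints each chain-status flag and the root the chain ends at, saves the leaf to a .cer file, and lists every copy of the Starfield root in the local trust stores. The host name defaults to sts.amazonaws.com from the Fiddler output; the output path under $env:TEMP and the function-free script layout are assumptions.

```powershell
# Added example (not code from the original post): fetch the TLS certificate a
# host presents, build its chain against the local trust store, print every
# chain-status flag plus the root it ends at, and save the leaf to a .cer file.
# Running this on a workstation and on a server shows which root each side uses.
param(
    [string]$HostName = "sts.amazonaws.com",                  # endpoint named in the Fiddler output
    [int]$Port = 443,
    [string]$OutFile = (Join-Path $env:TEMP "$HostName.cer")  # assumed output location
)

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    # Accept any certificate during the handshake; validation is done explicitly
    # below so the failure reasons can be printed instead of thrown away.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $tcp.Close()
}

# Build the chain with online revocation checking, which is what produced the
# RemoteCertificateChainErrors and revocation messages in the Fiddler output.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $chain.Build($leaf)

"Subject   : $($leaf.Subject)"
"Issuer    : $($leaf.Issuer)"
"Chain OK  : $chainOk"
foreach ($s in $chain.ChainStatus) {
    "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}
"Chain elements (leaf first):"
foreach ($el in $chain.ChainElements) {
    "  {0}  thumbprint={1}  expires={2:yyyy-MM-dd}" -f $el.Certificate.Subject, $el.Certificate.Thumbprint, $el.Certificate.NotAfter
}

# Save the DER-encoded leaf so it can be compared with the copy from another machine.
$der = $leaf.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)
"Saved leaf certificate to $OutFile"

# List every copy of the root named in the answer across the machine and user
# root stores, so two copies with different expiry dates (2024 vs 2034) stand out.
Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like "*Starfield Class 2 Certification Authority*" } |
    Format-Table PSParentPath, Thumbprint, NotAfter -AutoSize
```

Run it as a .ps1 on a working workstation and on a failing server and compare the last chain element and the Starfield listing: a chain that terminates at a different root, or a root store holding two copies of the same CA with different thumbprints, is the situation the answer describes.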


How to force Visual Studio to re-create the SSL certificate for a .NET Core Web Application running Kestrel?

When a web project is created, Visual Studio automatically generates an SSL certificate and prompts you to install it. Everything works fine.
That certificate has now expired and I cannot figure out how to get it to re-generate one and start the process over again. I've tried deleting all existing localhost certificates from the certificate store and deleting secrets.json, but nothing seems to force it to re-start the generation process.
I finally figured it out.
For anyone else who runs into this, the steps to fix it are:
All localhost certificates must be deleted in certificate manager. They can be found in Personal and Trusted Root
The secrets.json file must be deleted. This can be found in \Users\[user]\AppData\Roaming\Microsoft\UserSecrets\
In PowerShell, re-run dotnet dev-certs https --trust to create and install a new one, with the prompt to trust it
It will work after this again.
From Visual Studio 2022 > Tools > NuGet Package Manager > Package Manager Console
When the Package Manager Console appears at the bottom, type the commands below:
PM > dotnet dev-certs https --clean
//Cleaning HTTPS development certificates from the machine. A prompt might get displayed to confirm the removal of some of the certificates.
//HTTPS development certificates successfully removed from the machine.
PM > dotnet dev-certs https -t
//Trusting the HTTPS development certificate was requested. A confirmation prompt will be displayed if the certificate was not previously trusted. Click yes on the prompt to trust the certificate.
//Successfully created and trusted a new HTTPS certificate.
PM > dotnet dev-certs https --check
//A valid certificate was found: C40087E6CA2F2A811F3BF78E3C5FE6BA8FA2XXXX - CN = localhost - Valid from 2023-01-27 23:21:10Z to 2024-01-27 23:21:10Z - IsHttpsDevelopmentCertificate: true - IsExportable: true
//Run the command with both --check and --trust options to ensure that the certificate is not only valid but also trusted.
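The two answers above as one PowerShell script, added here as an example and not code from the original answers: it finds the ASP.NET Core development certificate in the current user's Personal and Trusted Root stores, reports whether it is expired and whether the Personal copy is actually trusted (the two conditions that make the certificate stop working), and only then runs the clean, trust and check commands from the answers. The function name Get-AspNetDevCert is this example's own; the match relies on the custom extension OID 1.3.6.1.4.1.311.84.1.1 that dotnet dev-certs stamps on the certificates it issues.

```powershell
# Added example (not code from the original answers): look for the ASP.NET Core
# HTTPS development certificate in the Personal and Trusted Root stores of the
# current user, report whether it is expired and whether the Personal copy is
# also trusted, and only then run the clean/trust/check commands from the answers.
# dotnet dev-certs marks the certificates it creates with a custom extension
# whose OID is 1.3.6.1.4.1.311.84.1.1; that OID is what is matched on here.
$AspNetHttpsOid = "1.3.6.1.4.1.311.84.1.1"

function Get-AspNetDevCert {
    param([string]$StorePath)
    Get-ChildItem $StorePath | Where-Object {
        $_.Subject -eq "CN=localhost" -and
        @($_.Extensions | Where-Object { $_.Oid.Value -eq $AspNetHttpsOid }).Count -gt 0
    }
}

$personal   = @(Get-AspNetDevCert "Cert:\CurrentUser\My")
$trusted    = @(Get-AspNetDevCert "Cert:\CurrentUser\Root")
$now        = Get-Date
$needsRegen = $false

if ($personal.Count -eq 0) {
    "No ASP.NET Core dev certificate found in Cert:\CurrentUser\My"
    $needsRegen = $true
}
foreach ($cert in $personal) {
    $expired   = $cert.NotAfter -lt $now
    $isTrusted = @($trusted | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0
    "{0}  valid {1:yyyy-MM-dd} to {2:yyyy-MM-dd}  expired={3}  trusted={4}" -f `
        $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter, $expired, $isTrusted
    if ($expired -or -not $isTrusted) { $needsRegen = $true }
}

if ($needsRegen) {
    # Same steps as the answers above: remove the old certificates, then create
    # and trust a new one (Windows shows a prompt to confirm trusting it).
    dotnet dev-certs https --clean
    dotnet dev-certs https --trust
}
# Verify the result the same way the second answer does.
dotnet dev-certs https --check --trust
```

The script deliberately leaves the UserSecrets folder alone; if you also want the secrets.json step from the first answer, delete that file by hand before the clean step.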

Openstack Keystone Authentication failure

I am new to OpenStack. I installed OpenStack using Packstack on my CentOS machine. When I try to log in using the default keystone_admin credentials, it shows a server error.
Here is my keystone.log file. Can somebody help?
2020-05-07 03:13:57.097 2303 WARNING keystone.server.flask.application [req-8c75dc88-73f3-4605-8a6b-3ba515d9fd84 3a3280ddae08412ab1145c193b587161 - - default -] Authorization failed. The request you have made requires authentication. from 192.168.225.30: Unauthorized: The request you have made requires authentication.
2020-05-07 03:13:57.235 2300 WARNING keystone.common.rbac_enforcer.enforcer [req-d1a5e980-617f-48d4-8322-40b0aa068140 3a3280ddae08412ab1145c193b587161 - - default -] Deprecated policy rules found. Use oslopolicy-policy-generator and oslopolicy-policy-upgrade to detect and resolve deprecated policies in your configuration.
Try to find any rc files in your /root folder.
The file name is similar to openrc or adminrc.
$ . openrc
$ openstack token issue   # for example; any openstack command will do
and it will succeed.

How to set up a secure connection between Filebeat and Elasticsearch using SSL

I'm unable to set up an SSL connection between Filebeat and Elasticsearch.
My knowledge is lacking when it comes to SSL. I'm using X-Pack to generate a certificate using the certutil command. bin/xpack/certutil ca generates a certificate authority under the name elastic-stack-ca.p12.
Then
$ bin/x-pack/certutil cert --ca elastic-stack-ca.p12
Which I believe creates a certificate signed by that CA. This results in the file elastic-certificates.p12. From here I'm clueless.
I tried testing whether the certificates work by setting up an HTTPS connection to ES.
I put
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /path/to/elastic-certificates.p12
xpack.security.http.ssl.certificate: /path/to/elastic-certificates.p12
xpack.security.http.ssl.certificate_authorities: [ "/path/to/elastic-stack-ca.p12" ]
However, this brings up quite a few errors one of them being
caught exception while handling client http traffic, closing connection
When I add the https IP and the CA in Kibana it fails to connect with ES.
I would like to know how to successfully set up HTTPS. Also, how can an SSL connection be established between two servers, one containing Filebeat but no X-Pack, and the receiving server with ES on it alongside X-Pack installed?
After adding those SSL settings to your elasticsearch.yml, you also need to add the password to the Elasticsearch keystore and truststore. You should have set a password when you ran the certutil command. You can do that with:
$ echo password | /usr/share/elasticsearch/bin/elasticsearch-keystore add --stdin xpack.security.transport.ssl.keystore.secure_password
$ echo password | /usr/share/elasticsearch/bin/elasticsearch-keystore add --stdin xpack.security.transport.ssl.truststore.secure_password
Make sure you restart Elasticsearch after making these changes.

CFHTTP does not connect over SSL connection?

I have just installed an intermediate & primary SSL certificate on my VPS. Everything is working well, except when I make a cfhttp call:
<cfhttp url="https://advert.establishmindfulness.com/ad-zone-1/?categoryid=1" method="get" result="adzone" />
<cfdump var="#adzone#" />
From https://app.establishmindfulness.com to https://advert.establishmindfulness.com. These two subdomains are on the same server, and I am using a wildcard SSL certificate:
*.establishmindfulness.com
That covers all subdomains.
VPS environment
OS: Windows 2008R2 with IIS7
Application server: Lucee 4.5.2.018 final
Servlet Container: Apache Tomcat/8.0.28
Java: 1.8.0_66 (Oracle Corporation) 64bit
Do I need to install intermediate.crt & primaryssl.crt into my keystore cacerts? Is this the problem?
I tried just installing the certificate.cer that I grabbed from Internet Explorer, but maybe this is the wrong approach?
I still get the error:
Error Detail
Unknown host: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
OK. For anyone who comes across this issue, instead of having to spend several hours pulling your hair out, I managed to get the connection to work:
This is taken from the following link:
https://groups.google.com/forum/#!topic/lucee/BPm8vYdgkPQ
Thank you Dominic Watson
I've just tried this and got it working:
Log in to Lucee server admin and navigate to "SSL Certificates"
Enter your host name "establishmindfulness.com" in the Host field (without the quotes)
Hit "list" button
Hit "install" button
That's it. The cfhttp call started working.

http: TLS handshake error from $ip:$port remote error: bad certificate

I have a k8s cluster on CentOS 7.2 with 1 master and 2 slaves. The cluster works fine as far as serving on port 8080 goes, but when I try to secure the kube-apiserver with certificates, I run into the above error after restarting the kube-apiserver service, and it continuously writes this error to my log file at /var/log/messages.
kube-apiserver is started as:
KUBE_API_ADDRESS="--bind-address=0.0.0.0"
KUBE_API_PORT="--secure-port=6443"
KUBELET_PORT="--kubelet-port=10250"
KUBE_ETCD_SERVERS="--etcd-servers=http://kube-master:2379"
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16"
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
KUBE_ALLOW_PRIV="--allow-privileged=true"
KUBE_API_TLS_CERT_FILE="--tls-cert-file=/home/abc/server.cert"
KUBE_API_TLS_PRIVATE_KEY_FILE="--tls-private-key-file=/home/abc/server.key"
KUBE_API_TOKEN_AUTH_FILE="--token-auth-file=/home/abc/token.csv"
I am accessing the API server using the kubectl command as
kubectl --v=4 --server="https://$ip:6443" --certificate-authority="./ca.crt" --token="abcdTOKEN1234" get nodes
After that I get the following error:
2930 helpers.go:153] Connection error: Get https://$ip:6443/api: x509: certificate signed by unknown authority
2930 helpers.go:96] Unable to connect to the server: x509: certificate signed by unknown authority
I performed the same steps on Ubuntu 14.04 and they work fine. I am not able to figure out what exactly I'm missing. Does anyone know where I am wrong? Thanks in advance.
