I have nginx for my maven repository with basic authorization.
My build.sbt has:
credentials += Credentials("maven repository", "rep.com", "sbt", "password")
resolvers ++= Seq(
"maven repository" at "http://rep.com:8080/"
)
but, sbt can't found module because sbt doesn't use basic authorization.
My nginx logs looks like:
012/07/22 20:02:21 [error] 3338#0: *14 no user/password was provided for basic authentication, client: 8.32.39.29, server: rep.com, request: "HEAD /some/cool_2.9.1/0.1-SNAPSHOT/cool_2.9.1-0.1-SNAPSHOT.pom HTTP/1.1", host: "rep.com:8080"
I don't wanna to publish artifacts through nginx. Basic auth need only for restricted access to artifacts.
How I can restrict access and working with repository in sbt?
What about adding the following to your ~/.ivy2/.credentials:
realm=maven repository
host=rep.com:8080
user=username
password=password
and then use Credentials(Path.userHome / ".ivy2" / ".credentials")
you need to ensure that your realm is configured correctly: curl http://rep.com:8080 -vv 2>&1 | egrep "realm|host" (I might be mistaken, but 'host' may have to match the host header, i.e. rep.com:8080, not just rep.com).
hth
I had the same problem with an SVN repository which uses basic AUTH.
This post and the one alluded to above got me the answer which I summarise below.
As alluded to above its all about getting the realm correct:
In build.sbt i set my resolver as follows:
resolvers += {
Credentials.add("<realm>", "<svnhost?", "<username>", "<password>")
Resolver.url("name", url("http://<svnhost>/<path>/"))(Resolver.ivyStylePatterns)
}
To find the realm value which is the first param for Credentials.add, i did
curl http://<svn host> -v
and used the Basic Realm value reported in the WWW-Authenticate header:
WWW-Authenticate: Basic realm="<realm>"
Hope this helps.
Don't know if it works, but just try adding the basic auth in the URL:
resolvers ++= Seq(
"maven repository" at "http://username:password#rep.com:8080/"
)
Related
Error in jfrog-cli : The following error was received while trying to encrypt your password
The config command tried to encrypt your Artifactory password using an incorrect URL. Typically, it happens when the user provides JFrog platform URL as Artifactory URL and the opposite.
To fix it, you have 2 options:
Provide Artifactory URL using the --artifactory-url flag:
jfrog config add artifactory-server --artifactory-url="$ARTIFACTORY_URL" --user="$ARTIFACTORY_USER" --password="$ARTIFACTORY_PASSWORD" --interactive=false
Provide the base platform URL using --url flag:
jfrog config add artifactory-server --url="$JFROG_PLATFORM_URL" --user="$ARTIFACTORY_USER" --password="$ARTIFACTORY_PASSWORD" --interactive=false
For more information see JFrog Platform Configuration.
I'm currently trying to configure our WSO2 API Manager 3.2 to use our SSL certificate.
I followed the documentation "Creating a New Keystore" and "Configuring Keystores in API Manager".
I have updated the deployment.toml file:
[server]<br>
hostname = "myserver001.internal.net"
....
[keystore.tls]
file_name = "myKeystore.jks"
type = "JKS"
password = "secretpassword"
alias = "myserver001.internal.net"
key_password = "secretpassword"
[keystore.primary]
file_name = "wso2carbon.jks"
type = "JKS"
password = "wso2carbon"
alias = "wso2carbon"
key_password = "wso2carbon"
The servername is set to myserver001.
The domain name myserver001.internal.net is set in the host file.
After restarting the WSO2 APIM server an exception message is thrown:
SSLException: hostname in certificate didn't match:
<localhost> != <myserver001.internal.net> OR <myserver001.internal.net>
Does anyone knows what I have to change additionally, to come around this error or where I can find additional documentation?
Any help is appreciated
Looks this is due to the missing service_url of TM/Event hub config. So can you add/update the following config?
[apim.throttling]
...
service_url = "https://myserver001.internal.net:9443/services/"
I was in the exact same situation :
Migration from v2.6.0 to v3.2.0
Valid certificate
SSLException: hostname in certificate didn't match
I tried a lot of things, but after a lot of researches, I'd say that there is two possibilities :
It's a bug
It's a documentation problem, and we have to edit more things to make our certificate work
I believe that you changed the Dhttpclient.hostnameVerifier to another value than "AllowAll". See the doc about hostname verification.
It's just a workaround and it's probably not that secure, but you'll have to put back the default value for Dhttpclient.hostnameVerifier to avoid this error :
service wso2am-3.2.0 stop
nano /usr/lib/wso2/wso2am/3.2.0/bin/wso2server.sh
-Dhttpclient.hostnameVerifier=AllowAll \
service wso2am-3.2.0 start
Older Versions of Contao (till 4.3) working like expected with sending emails via sendmail.
After upgrade to Contao 4.9 I got some errors at Providers like 1u1 / ionos or mittwald.
The error in the logs sound like:
"Expected response code 220 but got an empty response"
Sending Mails from CLI of the Server (means if logged in via SSH) working like expected:sendmail test" |
/usr/sbin/sendmail -t -v -f sender#domain.com reciepient#otherOne.com
The solution is to add this to config/config.yml
swiftmailer:
default_mailer: default
mailers:
default:
url: '%env(MAILER_URL)%'
transport: sendmail
command: '/usr/sbin/sendmail -t -i'
After that, clear the Contao-Cache (e.g. via contao-manager.phar) and give it a try.
The reason for that issue is, that by default the swiftMailer use sendmail -bs as command, which means that sendmail run as standalone Service.
Depending at the way your provider configure it's sendmail, this will be the cause of the error.
If you update symfony/swiftmailer-bundle to version 3.5.0, then the default value used for the sendmail command will be read from the PHP configuration. See https://github.com/symfony/swiftmailer-bundle/pull/302
So provided the PHP configuration of your hosting environment contains the correct command in sendmail_path, sending emails should work without any changes.
I'm new in ASP.NET.
Environment:
Ubuntu 18.04
Visual Studio Code
.NET SDK 2.2.105
I'm in trouble with some command running.
I was reading tutorial at
https://learn.microsoft.com/ja-jp/aspnet/core/tutorials/razor-pages/razor-pages-start?view=aspnetcore-2.2&tabs=visual-studio-code
and ran this command:
dotnet dev-certs https --trust
I expect https://localhost should be trusted.
but I found the error message;
$ Specify --help for a list of available options and commands.
It seems that the command "dotnet dev-certs https" has no --trust options.
How to resolve this problem?
On Ubuntu the standard mechanism would be:
dotnet dev-certs https -v to generate a self-signed cert
convert the generated cert in ~/.dotnet/corefx/cryptography/x509stores/my from pfx to pem using openssl pkcs12 -in <certname>.pfx -nokeys -out localhost.crt -nodes
copy localhost.crt to /usr/local/share/ca-certificates
trust the certificate using sudo update-ca-certificates
verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
verify if it's trusted using openssl verify localhost.crt
Unfortunately this does not work:
dotnet dev-certs https generates certificates that are affected by the issue described on https://github.com/openssl/openssl/issues/1418 and https://github.com/dotnet/aspnetcore/issues/7246:
$ openssl verify localhost.crt
CN = localhost
error 20 at 0 depth lookup: unable to get local issuer certificate
error localhost.crt: verification failed
due to that it's impossible to have a dotnet client trust the certificate
Workaround: (tested on Openssl 1.1.1c)
manually generate self-signed cert
trust this cert
force your application to use this cert
In detail:
manually generate self-signed cert:
create localhost.conf file with the following content:
[req]
default_bits = 2048
default_keyfile = localhost.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max = 64
[req_ext]
subjectAltName = #alt_names
[v3_ca]
subjectAltName = #alt_names
basicConstraints = critical, CA:false
keyUsage = keyCertSign, cRLSign, digitalSignature,keyEncipherment
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
generate cert using openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
convert cert to pfx using openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
(optionally) verify cert using openssl verify -CAfile localhost.crt localhost.crt which should yield localhost.crt: OK
as it's not trusted yet using openssl verify localhost.crt should fail with
CN = localhost
error 18 at 0 depth lookup: self signed certificate
error localhost.crt: verification failed
trust this cert:
copy localhost.crt to /usr/local/share/ca-certificates
trust the certificate using sudo update-ca-certificates
verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
verifying the cert without the CAfile option should work now
$ openssl verify localhost.crt
localhost.crt: OK
force your application to use this cert
update your appsettings.json with the following settings:
"Kestrel": {
"Certificates": {
"Default": {
"Path": "localhost.pfx",
"Password": ""
}
}
}
While the answer provided by #chrsvdb is helpful it does not solve all problems. I still had issue with service-to-service communication (HttpClient - PartialChain error) and also you must reconfigure Kestrel to use your own certificate. It is possible to create a self-signed certificate and import it to the .NET SDK. All you need is to specify the 1.3.6.1.4.1.311.84.1.1 extension in the certificate.
After that the cert can be imported into .NET Core SDK and trusted. Trusting in Linux is a bit hard as each application can have it's own certificate store. E.g. Chromium and Edge use nssdb which can be configured with certutil as described John Duffy. Unfortunately the location to the nssdb maybe different when you install application as snap. Then each application has its own database. E.g. for Chromium Snap the path will be $HOME/snap/chromium/current/.pki/nssdb, for Postman Snap the will be $HOME/snap/postman/current/.pki/nssdb and so on.
Therefor I have created a script which generates the cert, trusts it for Postman Snap, Chmromium Snap, current user nssdb and on system level. It also imports the script into the .NET SDK so it will be used by ASP.NET Core without changing the configuration. You can find more informations about the script in my blog post https://blog.wille-zone.de/post/aspnetcore-devcert-for-ubuntu
In adition to crisvdb answer, I've several information to add and is the continuation of the walktrough. I don't comment because is pretty complex comment this, but before this answer take a look to crisvdb answer first and then return to continue.
Take the "in detail" crisdb answer.
You can make your cert in any folder, can be or can't be in the same folder of the app.
Take openssl verify -CAfile localhost.crt localhost.crt as not optional step, mandatory. It will help.
Do not recompile or touch the code meanwhile you are doing this, in order to get first scenario clean.
If you run sudo update-ca-certificates that will answer you in wich folder the certified should be copied.
In some distributions, as Raspbian for Raspberry Pi, CA certificates are located in /etc/ssl/certs as well as /usr/share/ca-certificates/ and in some cases /usr/local/share/certificates.
Do not copy the cert manually to trusted certs, run sudo update-ca-certificates after you copy the cert in the right folder. If it doesn't work (doesn't update or add any certificate) copy it to every folder possible.
If you use a password while making the certificate, you should use it in the appsettings.json
If you get this error:
Interop+Crypto+OpenSslCryptographicException: error:2006D002:BIO
routines:BIO_new_file:system lib
Take in consideration that error means "access denied". It can be because you don't have permissions or related.
7b) Could be also that the file is not found, I use the entire path in the config:
"Path": "/home/user/www/myfolder1/myapp/localhost.pfx",
After that, and if everything works, you could see a 500 error if you are using Apache or Apache2.
If you get the following error in the apache logs of the site:
[ssl:error] [remote ::1:yourport] AH01961: SSL Proxy requested for
yoursite.com:443 but not enabled [Hint: SSLProxyEngine] [proxy:error]
AH00961: HTTPS: failed to enable ssl support for [::1]:yourport
(localhost)
you must set in the VirtualHost the following configuration after SSLEngine On and before your ProxyPass
SSLProxyEngine on
After that, and if everything works, you could see a 500 error if you are using Apache or Apache2.
If you get the following error in the apache logs of the site:
[proxy:error] [client x.x.x.x:port] AH00898: Error during SSL
Handshake with remote server returned by /
[proxy_http:error] [client x.x.x.x:port] AH01097: pass request body failed to [::1]:port
(localhost) from x.x.x.x()
you must set in the VirtualHost the following configuration after SSLProxyEngine on and before your ProxyPass
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
UPDATE
If you are renovating this, and using the same names, take in consideration that you should remove your pem file from etc/ssl/certs
UPDATE 2
If it returns:
Unhandled exception. Interop+Crypto+OpenSslCryptographicException: error:2006D002:BIO routines:BIO_new_file:system lib
Check that your pfx file is on 755 permissions.
If appsettings.json seems to be don't load (on port 5000 by default or SQL or any configuration doesn't load or can't be read), take in consideration that the dotnet must be executed on the same directory where is appsettings.json
Looks like this is a known issue with dotnet global tools and that specific command is only available for MacOS and Windows. See this issue on github: Issue 6066.
It seems like there may be a work around for Linux users based on this SO post: ASP.Net Core application service only listening to Port 5000 on Ubuntu.
For Chrome:
Click "Not Secure" in address bar.
Click Certificate.
Click Details.
Click Export.
Run: certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n {FILE_NAME} -i {FILE_NAME}
Restart Chrome.
It looks like the following could help to trust the dotnet dev certs:
https://blog.wille-zone.de/post/aspnetcore-devcert-for-ubuntu/
Then you will see also in the browser that certificate is OK and valid for the next yeat.
Give it a try...
Good luck!
I am very new to nginx and lua .i have installed Openresty .
below is my code in nginx.conf file .
server{
location /hellolua {
default_type 'text/plain';
content_by_lua ' local name = ngx.var.arg_name or "Anonymous"
ngx.say("Hello, ", name, "!") ';
}
}
When i am running sudo service nginx start i am getting error Starting nginx: nginx: [emerg] unknown directive "content_by_lua" in /etc/nginx/nginx.conf:24
nginx: configuration file /etc/nginx/nginx.conf test failedt
Please let me know what i am missing .
It seems to me, as if you haven't installed the right module? ngx_lua (http://wiki.nginx.org/HttpLuaModule)
You mention OpenResty. Did you configure it with lua? If not, the guide is here(http://wiki.nginx.org/HttpLuaModule#Installation).
Quick resumé:
The ngx_openresty bundle can be used to install Nginx, ngx_lua, either one of the standard Lua 5.1 interpreter or LuaJIT 2.0, as well as a package of powerful companion Nginx modules. The basic installation step is a simple ./configure --with-luajit && make && make install.
You can manually compile ngx_lua into nginx too, the full guide is in the link too.
After comment-discussing - I removed the irrelevant part of the answer.
By default, OpenResty's nginx is installed into the path /usr/local/openresty/nginx/sbin/nginx. Your system's default nginx init configurations need an update to point to the right locations.