Hi guys,

For anyone interested, here is the solution for adding a certificate to work with LDAPS, when you are the client of LDAP:
keytool -import -storepass changeit -noprompt -alias xxx -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64/jre/lib/security/cacerts -trustcacerts -file xxx

Certificate was added to keystore

Then you do c_rehash like it is described here:
https://www.happyassassin.net/2015/01/14/trusting-additional-cas-in-fedora-rhel-centos-dont-append-to-etcpkitlscertsca-bundle-crt-or-etcpkitlscert-pem/

Thanks a lot Arvind for all the help.

On Thursday, October 25, 2018 at 10:51:53 AM UTC+2, Nikos Skalis wrote:
>
> I would like to complement the diagnostics, as I installed jrunscript:
>
> In addition to the below information:
>
> # jrunscript -e 'print(javax.net.ssl.SSLSocketFactory.getDefault().createSocket("xxx40", 636).startHandshake())'
>
> undefined
>
> # openssl s_client -connect xxx40:636 | openssl x509 -noout -text | grep Subject:
>
> depth=1 C = AT, ST = Vienna, O = UPC, CN = cio.net, emailAddress = [email protected]
> verify error:num=19:self signed certificate in certificate chain
> Subject: O=xxx, CN=xxxl40
>
>
>> Hi,
>>
>> This is how I import the certificate when there is no private key:
>>
>> # keytool -importcert -file uim.ip-spotlight.pem -keystore keystore -alias xxx40
>> Enter keystore password:
>> Owner: [email protected], CN=cio.net, O=UPC, ST=Vienna, C=AT
>> Issuer: [email protected], CN=cio.net, O=UPC, ST=Vienna, C=AT
>> Serial number: c7f48113270982ef
>> Valid from: Tue Sep 29 21:12:58 CEST 2009 until: Fri Sep 27 21:12:58 CEST 2019
>> Certificate fingerprints:
>> MD5: D5:40:58:CF:C2:F7:88:CF:61:78:3E:18:A9:88:2C:79
>> SHA1: 8D:01:09:F0:4A:4F:2C:FA:AB:12:FC:6E:00:23:4B:87:B0:8C:B2:7D
>> SHA256: 2E:40:60:D3:1C:82:AB:70:80:DF:BE:92:AC:20:58:FF:39:E3:70:B1:B3:FD:E8:C8:E3:A3:E8:0D:E7:2A:F5:18
>> Signature algorithm name: SHA1withRSA
>> Subject Public Key Algorithm: 1024-bit RSA key
>> Version: 3
>>
>> Extensions:
>>
>> #1: ObjectId: 2.5.29.35 Criticality=false
>> AuthorityKeyIdentifier [
>> KeyIdentifier [
>> 0000: 30 32 4D A0 5B 3D 0B 34 19 2C AA F2 DA 2D EF D4 02M.[=.4.,...-..
>> 0010: 2B 27 AE F8 +'..
>> ]
>> [[email protected], CN=cio.net, O=UPC, ST=Vienna, C=AT]
>> SerialNumber: [ c7f48113 270982ef]
>> ]
>>
>> #2: ObjectId: 2.5.29.19 Criticality=false
>> BasicConstraints:[
>> CA:true
>> PathLen:2147483647
>> ]
>>
>> #3: ObjectId: 2.5.29.14 Criticality=false
>> SubjectKeyIdentifier [
>> KeyIdentifier [
>> 0000: 30 32 4D A0 5B 3D 0B 34 19 2C AA F2 DA 2D EF D4 02M.[=.4.,...-..
>> 0010: 2B 27 AE F8 +'..
>> ]
>> ]
>>
>> Trust this certificate? [no]: yes
>> Certificate was added to keystore
>>
>> Warning:
>> The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12".
>>
>> Then it says:
>>
>> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>
>> The troubleshooting step above gives:
>>
>> # openssl s_client -connect xxx40:636 | sed -n '/Certificate chain/,/^---/p'
>> depth=1 C = AT, ST = Vienna, O = UPC, CN = cio.net, emailAddress = [email protected]
>> verify error:num=19:self signed certificate in certificate chain
>> Certificate chain
>>  0 s:/O=UPC/CN=xxx40
>>    i:/C=AT/ST=Vienna/O=UPC/CN=cio.net/[email protected]
>>  1 s:/C=AT/ST=Vienna/O=UPC/CN=cio.net/[email protected]
>>    i:/C=AT/ST=Vienna/O=UPC/CN=cio.net/[email protected]
>> ---
>>
>> PS. I still cannot find out how to call `jrunscript` from the JDK.
>>
>> Could you please advise what, if anything, I am doing wrong?
>>
>>
>> On Wednesday, October 24, 2018 at 11:01:53 PM UTC+2, Nikos Skalis wrote:
>>>
>>> Hi Arvind,
>>>
>>> Thank you very much for the advice.
>>>
>>> JAVA_HOME is not set.
>>> And I am not able to see (after a lot of googling) how I can install "jrunscript" or run it.
>>>
>>> Since the issue seems to be confusing, I did a clean install of GoCD.
>>>
>>> go]# keytool -list -v -keystore keystore -storepass serverKeystorepa55w0rd
>>>
>>> Keystore type: jks
>>> Keystore provider: SUN
>>>
>>> Your keystore contains 1 entry
>>>
>>> Alias name: cruise
>>> Creation date: Oct 24, 2018
>>> Entry type: PrivateKeyEntry
>>> Certificate chain length: 1
>>> Certificate[1]:
>>> Owner: OU=Cruise server webserver certificate, CN=nl-ams02c-ispctl02.aorta.net
>>> Issuer: OU=Cruise server webserver certificate, CN=nl-ams02c-ispctl02.aorta.net
>>> Serial number: 5ea8c241be3
>>> Valid from: Thu Jan 01 01:00:00 CET 1970 until: Tue Oct 24 19:29:50 CEST 2028
>>> Certificate fingerprints:
>>> MD5: 38:EE:4A:E3:5D:91:24:A7:44:0F:01:E2:34:C7:18:93
>>> SHA1: 10:9B:AA:43:D8:11:42:49:C2:84:32:70:FB:6D:1D:0E:1F:26:D8:6A
>>> SHA256: 51:D8:E3:6C:C3:17:39:A8:FE:AB:0E:FB:C0:13:31:1D:04:2F:51:F8:AC:84:80:4B:C8:AC:35:96:8E:40:AE:B4
>>> Signature algorithm name: SHA512withRSA
>>> Subject Public Key Algorithm: 2048-bit RSA key
>>> Version: 1
>>>
>>> *******************************************
>>> *******************************************
>>>
>>> Warning:
>>> The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12".
>>>
>>> What is different in my case compared to what is described in
>>> https://docs.gocd.org/current/installation/ssl_tls/custom_server_certificate.html
>>> is that the CA cert is used to make sure the (LDAP) server is presenting the right cert before I send my credentials to it.
>>> All we need to do is to import the CA cert into the keystore:
>>>
>>> keytool -importkeystore -srckeystore uim.ip-spotlight.pem -srcstoretype PKCS12 -destkeystore keystore -srcalias 1 -destalias cruise -deststorepass serverKeystorepa55w0rd -destkeypass serverKeystorepa55w0rd
>>>
>>> Importing keystore uim.ip-spotlight.pem to keystore...
>>>
>>> Enter source keystore password:
>>>
>>> keytool error: java.io.IOException: toDerInputStream rejects tag type 45
>>>
>>> Taking a step back; can you advise what is the exact command to import the CA cert into the keystore, in order for the connection to LDAP to work? This is not described in the docs.
>>>
>>> In non-Java apps, you just point to the certificate and it works.
>>>
>>>
>>> On Wednesday, October 24, 2018 at 5:31:38 PM UTC+2, Aravind SV wrote:
>>>>
>>>> On Wed, Oct 24, 2018 at 12:43:06 +0200, Nikos Skalis wrote:
>>>> > Seems to make progress, but now I am getting a different error:
>>>> >
>>>> > Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>
>>>> It's still a problem with the certificates and the chain. Still nothing to do with GoCD directly.
>>>>
>>>> What is the output of the command I mentioned last time?
>>>>
>>>> --- --- ---
>>>> jrunscript -e 'print(javax.net.ssl.SSLSocketFactory.getDefault().createSocket("LDAP_SERVER_URL_YOU_ARE_USING", 636).startHandshake())'
>>>> --- --- ---
>>>>
>>>> You can find out the certificates you have in your cacerts by doing this:
>>>>
>>>> --- --- ---
>>>> echo 'changeit' | keytool -list -v -keystore $(find $JAVA_HOME -name cacerts) | grep 'Owner:'
>>>> --- --- ---
>>>>
>>>> You can then find the cert chain used by your LDAP server by doing this:
>>>>
>>>> --- --- ---
>>>> openssl s_client -connect LDAP_SERVER_URL_YOU_ARE_USING:636 | sed -n '/Certificate chain/,/^---/p'
>>>> --- --- ---
>>>>
>>>> The certs in the chain (especially the last one in that chain) will need to be in the list returned by keytool. My guess is that it's not.
>>>>
>>>> As an example, google.com's root cert is not in my cacerts and so Java is unable to connect to google.com, for me:
>>>>
>>>> --- --- ---
>>>> $ openssl s_client -connect google.com:443 | sed -n '/Certificate chain/,/^---/p'
>>>> Certificate chain
>>>>  0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
>>>>    i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
>>>>  1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
>>>>    i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
>>>> ---
>>>>
>>>> $ echo 'changeit' | keytool -list -v -keystore $(find $JAVA_HOME -name cacerts) | grep 'Owner:' | grep GlobalSign
>>>> # Returns no matches.
>>>>
>>>> $ jrunscript -e 'print(javax.net.ssl.SSLSocketFactory.getDefault().createSocket("google.com", 443).startHandshake())'
>>>> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>         at jdk.scripting.nashorn/jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:531)
>>>>         at jdk.scripting.nashorn/jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:448)
>>>>         at jdk.scripting.nashorn/jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:405)
>>>>         ...
>>>> --- --- ---
>>>>
>>>> If I add that root cert, the one named GlobalSign, I'm sure Java will be able to connect.
>>>>
>>>> Cheers,
>>>> Aravind
>>>>
>>>> PS: Make sure you're using the same Java version for GoCD that you're running locally (for JAVA_HOME, keytool, jrunscript, etc.)
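The manual check Aravind walks through above (take the issuer of the last certificate in the `openssl s_client` chain and look for it among the `Owner:` lines of `keytool -list -v`) is fiddly to do by eye because the two tools print DNs differently: openssl 1.0 prints `/C=AT/ST=Vienna/O=UPC/CN=cio.net`, openssl 1.1+ prints `C = AT, ST = Vienna, ...`, and keytool prints `CN=cio.net, O=UPC, ST=Vienna, C=AT` with the RDNs reversed. The script below is an added example for this thread, not code from GoCD or from any of the posters. It parses the saved text output of those two commands, normalises the DNs, and reports whether the trust anchor Java needs is in cacerts. It also tells the two situations in the thread apart: a server that omits its root (the google.com case, where the root must come from the CA, not from the wire) and a server that sends its self-signed root (the `xxx40` case, which is what openssl's `verify error:num=19` means). The sample inputs are constructed from the outputs quoted in the thread; the PEM bodies and the `upc-internal-ca` alias are placeholders.

```python
"""Check whether a Java cacerts store trusts the chain an LDAPS server sends.

Works offline on the saved text output of the two commands used in the thread:

    openssl s_client -connect HOST:636 -showcerts </dev/null > chain.txt
    keytool -list -v -keystore "$JAVA_HOME/jre/lib/security/cacerts" \
        -storepass changeit > cacerts.txt

Added example for this thread; not code from GoCD or from the posters.
"""
import re


def normalize_dn(dn):
    """Turn any of the three DN spellings into a comparable set of (attr, value).

    Handles "/C=AT/ST=Vienna/...", "C = AT, ST = Vienna, ..." and
    "CN=cio.net, O=UPC, ST=Vienna, C=AT".  Values that themselves contain
    ',' or '/' would need RFC 4514 escaping and are not handled here.
    """
    dn = dn.strip()
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(",")
    pairs = set()
    for part in parts:
        if "=" in part:  # skip fragments without an attribute type
            attr, value = part.split("=", 1)
            pairs.add((attr.strip().upper(), value.strip()))
    return frozenset(pairs)


def parse_chain(s_client_output):
    """Parse the 'Certificate chain' section of s_client output.

    Returns [{'depth', 'subject', 'issuer', 'pem'}, ...] in the order the
    server sent them; 'pem' is filled only when -showcerts was used.
    """
    chain, pem, in_section = [], None, False
    for raw in s_client_output.splitlines():
        line = raw.strip()
        if line == "Certificate chain":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "---":  # end of the chain section
            break
        m = re.match(r"(\d+)\s+s:(.*)", line)
        if m:
            chain.append({"depth": int(m.group(1)), "subject": m.group(2).strip(),
                          "issuer": None, "pem": None})
        elif line.startswith("i:") and chain:
            chain[-1]["issuer"] = line[2:].strip()
        elif line == "-----BEGIN CERTIFICATE-----":
            pem = [line]
        elif pem is not None:
            pem.append(line)
            if line == "-----END CERTIFICATE-----":
                chain[-1]["pem"] = "\n".join(pem) + "\n"
                pem = None
    return chain


def parse_cacerts_owners(keytool_output):
    """Normalised Owner DNs from 'keytool -list -v' output."""
    return {normalize_dn(m.group(1))
            for m in re.finditer(r"^Owner:\s*(.+)$", keytool_output, re.M)}


def check_trust_anchor(s_client_output, keytool_output):
    """Report which DN Java must trust and whether cacerts already has it."""
    chain = parse_chain(s_client_output)
    if not chain:
        raise ValueError("no 'Certificate chain' section: the handshake itself failed")
    last = chain[-1]
    server_sent_root = normalize_dn(last["subject"]) == normalize_dn(last["issuer"])
    # Java needs the issuer of the last cert sent.  If that cert is self-signed
    # the server shipped its own root (openssl: verify error:num=19); otherwise
    # the root was omitted and must be obtained from the CA, not from the wire.
    return {
        "anchor_dn": last["issuer"],
        "in_cacerts": normalize_dn(last["issuer"]) in parse_cacerts_owners(keytool_output),
        "server_sent_root": server_sent_root,
        "root_pem": last["pem"] if server_sent_root else None,
    }


def keytool_import_command(alias, pem_path, cacerts_path):
    """argv for the import step from the top of the thread.  Verify the root's
    fingerprint out of band first: importing whatever the server sent is
    trust-on-first-use, and -noprompt would skip even looking at it."""
    return ["keytool", "-importcert", "-trustcacerts", "-keystore", cacerts_path,
            "-storepass", "changeit", "-alias", alias, "-file", pem_path]


# Constructed sample inputs, built from the outputs quoted in the thread.
# PEM bodies are placeholders, not real certificates.
GOOGLE_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
 1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
"""
UPC_CHAIN = """\
depth=1 C = AT, ST = Vienna, O = UPC, CN = cio.net
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/O=UPC/CN=xxx40
   i:/C=AT/ST=Vienna/O=UPC/CN=cio.net
-----BEGIN CERTIFICATE-----
MIIBplaceholderLeafNotARealCertificate
-----END CERTIFICATE-----
 1 s:/C=AT/ST=Vienna/O=UPC/CN=cio.net
   i:/C=AT/ST=Vienna/O=UPC/CN=cio.net
-----BEGIN CERTIFICATE-----
MIIBplaceholderRootNotARealCertificate
-----END CERTIFICATE-----
---
"""
CACERTS_LIST = """\
Alias name: upc-internal-ca
Owner: CN=cio.net, O=UPC, ST=Vienna, C=AT
Issuer: CN=cio.net, O=UPC, ST=Vienna, C=AT
Alias name: digicertglobalrootca
Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
"""

if __name__ == "__main__":
    for name, chain in (("google.com:443", GOOGLE_CHAIN), ("xxx40:636", UPC_CHAIN)):
        r = check_trust_anchor(chain, CACERTS_LIST)
        state = "trusted" if r["in_cacerts"] else "MISSING from cacerts"
        print(f"{name}: anchor {r['anchor_dn']} is {state}; "
              f"server sent root: {r['server_sent_root']}")
```

Two caveats when acting on the result. First, the keystore that matters is the `cacerts` of the JVM that actually runs GoCD, which is why the thread's import targets the full `/usr/lib/jvm/.../jre/lib/security/cacerts` path and why Aravind's PS about using the same Java version is not incidental. Second, `c_rehash` populates OpenSSL's hashed-directory trust store, which is what makes `openssl s_client` stop printing `verify error`; the JVM does not consult that store, so the `keytool -importcert` step is the one that clears the `PKIX path building failed` error.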
