I am trying to connect to an AWS RDS instance using SSL but I keep getting this error:
mysqli_real_connect(): Unable to set private key file
What im doing is this:
Generate key pairs in AWS, keep private key.
Use OpenSSL to get the cert.pem using this command and the private key that I got from AWS: openssl req -newkey rsa:2048 -nodes -keyout private-key-generated-by-AWS.pem -x509 -days 365 -out certificate.pem
I downloaded the cacert.pem from this website: https://curl.haxx.se/docs/caextract.html
Here is my code:
mysqli_ssl_set($con,"sshconn.pem","certificate.pem","cacert.pem",NULL,NULL);
if (!mysqli_real_connect($con,"myAWSendpoint","username","password","DBname"))
{
die("Connect Error: " . mysqli_connect_error());
}
mysqli_close($con);
?>
I am pretty sure I am not setting my private key correctly but I don't know what I'm doing wrong, any suggestions? Thank you!
AWS RDS uses server side authentication, not client side. You'll need to the master password once you setup the SSL connection or whatever users you have provisioned inside the DB or IAM users.
https://dev.mysql.com/doc/refman/5.6/en/using-encrypted-connections.html
A root certificate that works for all regions can be downloaded at https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem
Intermediates are here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com
--ssl-ca=[full path]rds-combined-ca-bundle.pem --ssl-verify-server-cert
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.SSLSupport
Related
I have a remote server with a MariaDB DB that only accepts SSL connections for a certain user, and have generated some self-signed SSL certificates using the following
# Create CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem
# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600
-nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
# Create client certificate, remove passphrase, and sign it
# client-cert.pem = public key, client-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
(taken from https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-files-using-openssl.html)
I filled in the details for each certificate as follows
Country Name: GB
Locality Name: Company Town
Organization Name: Company Name
Common Name: DEV CA, DEV Server, DEV Client (respectively)
and left all the other fields left blank
The remote server has the following in my.cnf
[mariadb]
ssl-ca=/path/to/ca.pem
ssl-cert=/path/to/server-cert.pem
ssl-key=/path/to/server-key.pem
I can connect from my local machine's command line by including the following in its my.cnf
[client]
ssl-ca=/path/to/ca.pem
ssl-cert=/path/to/client-cert.pem
ssl-key=/path/to/client-key.pem
I can create a PDO connection from my local machine using the following
$pdo = new PDO(
'mysql:host=xxx.xxx.xxx.xxx;dbname=database_1',
'database_user',
'database_password',
[
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,
PDO::MYSQL_ATTR_SSL_KEY => '/path/to/client-key.pem',
PDO::MYSQL_ATTR_SSL_CERT => '/path/to/client-cert.pem',
PDO::MYSQL_ATTR_SSL_CA => '/path/to/ca.pem',
]
);
Unfortunately, if I remove the line
PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,
I get an Internal Server Error and the following shows up in my MAMP PRO apache error log
… FastCGI: incomplete headers (0 bytes) received from server …
I get no errors in my PHP error log
I can only assume something goes wrong with the certificate verification,
have I missed something? and/or
is it safe to leave PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT set to false?
When a client validates the server certificate, following will be checked
signature
certificate validity period includes the current time
certificate is not revoked (part of CRL)
host name matches CN or alternative name(s)
root ca
PDO with mysqlnd uses PHP streams, which checks the CN field only, but not Subject Alternative Names field(s). According to your code you specify an IP address to connect for, but not a name.
Unfortunately PHP also doesn't offer an additionally method for checking the sha finger print of peer certificate.
See also:
RFC 5280
PHP Bug 71845
is it safe to leave PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT set to
false?
For the most part, if access to your server is secure it is safe, although not recommended, to do this.
The reasons this is failing is that a TLS(SSL) Certificate is granted to a host access address, where the host access address is the IP Address or the Hostname, not the physical host machine. So your Common Name should be either the IP address of the server or the Hostname; whichever is used is what you must use to connect to the Server.
So, as your connecting to the host xxx.xxx.xxx.xxx (from 'mysql:host=xxx.xxx.xxx.xxx;dbname=database_1'), the Common Name on your certificate needs to be xxx.xxx.xxx.xxx
We are trying to sign the PAN no. with Digital Signature. We are taking the PAN No. in in.txt file but we are getting error -
Warning: openssl_pkcs7_sign(): error creating PKCS7 structure!
openssl_pkcs7_sign(realpath("in.txt"), "out.txt",
'file://'.realpath('digitalsign.cer'),
'file://'.realpath('private_key.pem'),
array (), PKCS7_NOSIGS
);
Kindly suggest what we can do to resolve this issue.
I think your digital certificate and the Private key is an issue. Kindly create the Digital Certificate and Private Key with below command.
openssl req -x509 -days 365 -newkey rsa:1024 -keyout enc_key.pem -out selfcert.pem
Then after that use that certificate and private key and that will work for you. It worked for me and if still you face issue do comment.
I'm new to creating telegram bots and I really don't know where to start.
Only thing I know about is PHP.
Making it simple I have a VPS with Windows Server 2008 R2 installed on it and I've made a self-signed certificate using
openssl req -newkey rsa:2048 -sha256 -nodes -keyout server.key -x509 -days 365 -out server.pem -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=YOURDOMAIN.EXAMPLE"
Then I converted PEM to CER using
openssl x509 -inform PEM -in server.pem -outform DER -out server.cer
I'v had WAMP server installed and set it to work with server.cer & server.key as certificate and key then I'v tested the HTTPS(443) and it worked.
Then I installed a REST client on the chrome and sent URL of the bot.php and PEM file as multipart form data as the official documentation said.
Now I get this error:
{
ok: false,
error_code: 400,
description: "Error: Bad webhook: Posix Error: Success: getaddrinfo: Name or service not known"
}
and ... I'm here now ! :| asking you for help
What is the problem and how should I solve this
Thanks in advance :)
NOTE: I don't have a domain I'm using my VPS's IP
Telegram requires valid ssl certificate for your domain.
I will tell how I solved this.
You can use NGROK that can expose local ip to the internet with temporary domain and https enabled.
Link to install - https://ngrok.com/
After you install it, just run in your console:
ngrok http 127.0.0.1:8003
(ofc use ip and port of from your WAMP configuration)
and you will get a free temporary domain (it will look like https://f9eb2f08.ngrok.io) with https enabled.
Then set url with your new domain as a telegram webhook_url and bot's requests will go to your local server as long as NGROK is running.
I'm having some problems connecting to a SOAP Service at https://test.salesforce.com. I use the Toolkit-for-PHP v20.0 (https://github.com/developerforce/Force.com-Toolkit-for-PHP) which is based on PHP's native SoapClient.
Software:
MacOS 10.8
Macports 2.1.2
PHP 5.3.15
OpenSSL 1.0.1_c
The only error message I receive after 30 seconds (timeout?) is:
[SoapFault]
Could not connect to host
Strangely, connecting to http://test.salesforce.com (without SSL) or connecting to https://login.salesforce.com (with SSL) works as expected.
I even managed to log into https://test.salesforce.com using soapUI.
So my guess is there has to be some certification/handshake problem but i can't figure out how to get a more detailed error message or how to change anything about the toolkit setup.
I searched google, stackoverflow and the SalesForce discussion boards but nobody seems to have this specific sandbox+SSL problem.
Does anyone have a clue how to debug this problem?
OK, i think it's an issue with macports' openssl binary. Apparently the handshake fails because my client is attempting a SSLv2/SSLv3 handshake which the server does not understand.
openssl s_client -connect test.salesforce.com:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
[...end...]
Same command with forced SSLv3:
openssl s_client -ssl3 -connect test.salesforce.com:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 O = VeriSign Trust Network, OU = "VeriSign, Inc.", OU = VeriSign International Server CA - Class 3, OU = www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify error:num=20:unable to get local issuer certificate
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
[...and so forth...]
Not really sure what to make out of this... the SalesForce toolkit-for-php uses PHP's native SoapClient and I don't know how to force it to use SSLv3.
This is a known bug of the latest versions of macports' port of openssl 1.0.1:
http://trac.macports.org/ticket/33715
Possible solution: install an older openssl version, in this case openssl 1.0.0h:
cd /opt/local/src
sudo svn checkout -r 90715 http://svn.macports.org/repository/macports/trunk/dports/devel/openssl
cd openssl
sudo port install
Taken from:
https://trac.macports.org/wiki/howto/InstallingOlderPort
http://trac.macports.org/ticket/33715#comment:30
I got two certificate files from the provider, one in a .cer-format and one in a .p7b-format. I then converted the p7b-certificate to a p12-certificate. With this certificate I'm able to connect to the wsdl from my browser.
Then I proceeded to convert that certificate to .pem-format, using some instructions I found on this site.
openssl pkcs12 -clcerts -nokeys -out test.pem -in mycert.p12
openssl pkcs12 -nocerts -out key.pem -in mycert.p12
then combing the cert with the key using the following command:
cat test.pem key.pem > cert.pem
Heres my construct for the web service class:
public function __construct() {
$wsdl_url = 'https://url.to/web_service?wsdl';
$pass = 'passphrase';
$cert = 'cert.pem';
try {
$this->client = new SoapClient($wsdl_url, array('local_cert' => $cert, 'passphrase' => $pass));
} catch(SoapFault $e) {
print_r($e);
}
}
And here is the error:
SSL operation failed with code 1. OpenSSL Error messages: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca in /var/www/html/..
Trying to verify the certificate using:
openssl verify cert.pem
gives me the following error:
error 20 at 0 depth lookup:unable to get local issuer certificate
I've also tried creating the .pem-certificate using the following openssl command:
openssl pkcs12 -in mycert.p12 -out mycert.pem
Verifying this gives me OK, but PHP gives me the following error:
Unable to set local cert chain file `mycert.pem'; Check that your cafile/capath settings include details of your certificate and its issuer
I'm assuming it should be possible to make it work somehow, as I am able to access the wsdl through my browser, by using the .p12-certificate. But I'm not able to locate a solution as to how I should proceed.
Thanks in advance.
I think you have a few problems here. Firstly, I don't think your options for the local certificate are being used by the constructor for the SoapClient object. The options array does not support SSL config options. Secondly, given that the options you're supplying to the SoapClient are not being used Open SSL is complaining about the certificate on the remote host being a self certified certificate.
I think it should be possible to get around this but without playing with the code I can't be sure on all of the options. I think you need to create a custom stream context using stream_context_create() to set the SSL options you need (have a look at http://ca.php.net/stream_context_create and the context options for SSL). This can then be passed to the SoapClient object as the stream_context option in the config array. Using the stream_context you can set the various SSL options that you need and these will override the defaults.
I'm sorry I can't be more precise on the options you need to set. Hopefully playing around with the stream context will solve your issue.
I am thinking that it is unable to find the root certificate that issued the certificate that you were provided with.
Certificates are normally signed and issued by a signing authority, and your client needs to know the public key of the signing authority. If your certificate is a self signed certificate then it won't matter.
To check
openssl x509 -text -noout -in key.pem
Check the output and look for Issuer. If the issuer is not the same as the CN of the certificate then you need a root certificate from the signing authority that provided your certificate.
You can normally grab it by using a browser to open your wsdl address and checking the certificate chain and exporting the root certificate from the hierarchy tab.
Where you save it in your situation I am not sure, but there will be something to point to a trust store of some type.