Trying to sort out an LDAPs connection over windows / PHP:
I have .pfx certificate available to me and an LDAP(s) configuration requirement running on Windows 2012R2 / IIS 8.5. I currently have a folder structure: C:\OpenLDAP\sysconf and within here is my LDAP.Conf file with an entry:
TLS_CACERT c:\openldap\sysconf\XXX.pfx
The pfx file is encrypted so I am assuming I need to 'install' the certificate on the IIS server.
I have the required password for the chain but I'm a little fuzzy on exactly where / process for installing the certificate on the IIS Server for this particular requirement.
Can anyone explain / guide me as to how to complete this side of it ?
Very Very appreciated in advance for your help
You can import/install the pfx (private key & certificate archive) for the ActiveDirectory services using Microsoft management console.
You need to launch MMC then import the certificate by selecting
File->Add or remove snap-in->select Certificates->click add(to add it
to the selected snap-ins)->click ok->select service account , then
selecting local computer then selecting active directory
service->finish.
This site will guide you through your configuration:
A complete and step by step info is given
https://www.digicert.com/ssl-certificate-installation-microsoft-active-directory-ldap-2012.htm
You can verify your Ldap configuration by importing the public certificate to your personal certificate store through MMC or by just double clicking it and following the wizard then use ldp tool to verify the SSL connectivity.
Related
We're using the Docusign RestAPI (PHP SDK) from our app and it works great. Authentication mode is JWT. I want to use all the code I've written on a different subdomain, but I get this error:
API call to https://account.docusign.com/oauth/token failed: SSL certificate problem: unable to get local issuer certificate
Both domains, my-domain.com and new.my-domain.com have SSL certs installed. What do I do now? What have I missed?
The DocuSign public certificates page lists all certificates.
Scroll down and look for this:
Install the certificate on your server where you are running the code from.
Do you have the standard set of trusted root certs installed in PHP?
This article may help you.
SOLVED: the new subdomain was operating on a different version of PHP. I added the cert paths to that php.ini file and it works as it should now.
I have a PHP application on Apache 2.4 server with installed mySql server and PHPmyAdmin.
To do some tests for educational purposes I need to enable SSL / TLS both on the PHP WEB application and on PHPmyAdmin.
all tests are performed on a local network between two computers, so there is the problem of generating certificates, but I followed this guide:
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
I generated the certificate of the certification authority that I installed on both machines of the local network (the server and the client), and the 3 files needed by Apache:
server.crt (server signed certificate)
server.csr (certificate signing request)
server.key (private key)
following the guide I then enabled TLS 1.3 on the PHP application successfully.
Now I should repeat the thing on phpMyAdmin and enable SSL. I've read that I need to add these directives to the config.inc.php file:
$cfg['Servers'][$i]['ssl'] = true
$cfg['Servers'][$i]['ssl_cert']
$cfg['Servers'][$i]['ssl_key']
$cfg['Servers'][$i]['ssl_ca']
The first must be set TRUE, while the others require the path of the certificates. Can I use the same certificates I use for the app?
I tried to do it: for the certificate of the CA, I exported it, converted it to .pem, put it in a folder in c: and entered the path in ssl_ca, for the signed certificate of the server, I simply converted it to .pem and entered the path, while the keys I left it like this and entered the path.
However, phpmyAdmin gives me an error:
mysqli::real_connect(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificat e verify failed
Happens because I don't use the csr file?
Thanks!
I am using magento community edition 2.2 on wamp on windows server 2016. Whenever I am trying to Sign in to sync your Magento Marketplace purchases through System > Web Setup Wizard > System Config using the private and public keys taken from magento market place, I am getting the error:
"SSL certificate problem: unable to get local issuer certificate"
I tried solutions provided in some of the other threads in this forum to download cacert.pem and do the following settings in the php.ini
curl.cainfo = "C:\wamp64\bin\php\php7.1.9\cacert.pem" (this is where I put the cacert.pem file). It did not work!!
Other threads advice to put the self certified certificate in a convenient directory and specify the name with path for "curl.cainfo" and "openssl.cafile".
The issue is that I am not using self certified certificate. I have bought a commercial certificate, where they have given two files a certificate and a certificate chain file. Along with the key file I used to create the request, I have successfully installed configured apache to get https for the website.
The question is, how to get rid of the above error ""SSL certificate problem: unable to get local issuer certificate". The answers in the threads are all for the self signed certificates, where I am having a commercially purchased certificate (with multiple files)
I am using php 7.1.9 on wamp 3.1.0 magento CE 2.2.0
Please Advice....
You must have received the root and the intermediate certificate along with the main certificate.
The error states that its unable to verify the certificate uptil the root certificate. Rename the CACert.pem file with .crt extension . Also change the extension of the public key to .crt. Now, verify Whether the ISSUES BY of public key is the ISSUED TO of cartcert.pem is same. if its not the same then the intermediate in the cacert.pem is incorrect.
So sorry to bother everyone, I'm new to PostgreSQL, but my project requires me to build an automation system that connects to a server running PostgreSQL server. Long story short, let's just say I am required to perform a data insertion/manipulation from a Web Form into the server via PHP pg_connect(). The Web Form is located locally in /var/www/html/web_form.html and calls to a PHP script that performs the data insertion,
<form name="some_name" action="script.php" method="POST">
so the data insertion is done to a local server.
I'm using a Raspberry Pi 3 to simulate the "server" (as so not to "disturb" the true running server during such an early development). The Raspberry Pi is running a Raspbian Stretch distro. Well, it was originally Jessie, but then I decided to involve the Stretch repo from
deb http://mirrordirector.raspbian.org/raspbian/ stretch main contrib non-free rpi
with a priority of 100. It also has postgresql-9.6.3 (from Stretch), php7.0.19-1 (also from Stretch), and apache2.4.25 (from official Raspbian). Please do note that the Stretch repo do replaces A LOT of Jessie's official stable packages, and also known to be "not quite stable" itself, so it might also be the source of the problem.
I can access the database in the server from remote computers, whether using direct psql, Python (psycopg2), or even the exact same Web Form via PHP (tried from remote computer), so it will mostly won't be because of PDO problems (I've checked phpinfo() , but feel free to give advice on this, since I don't really understand PDO myself). On local, I can access the database via psql, but not local access via PHP (pg_connect).
I've meddled with this problem for hours now in vain. Please help me.
Here's my Raspberry Pi's configurations:
1.
A snippet of the PHP code:
$conn_str="host=localhost port=5432 dbname=my_db_name user=my_user_name password=my_password";
$db = pg_connect($conn_str);
if(!$db){
$errormessage=pg_last_error();
echo "Error 0: " . $errormessage;
exit();
}
Please mind that this same code has perfectly worked on another computer. I've succeeded to perform data insertion when the Web Form is located in a remote computer accessing the said server, or when the Web Form is accessing the remote computer's own local PostgreSQL server, but not when it is done in this particular problem server. When running in browser, it only shows:
Error 0:
the result when running in console:
PHP Warning: pg_connect(): Unable to connect to PostgreSQL server: FATAL: password authentication failed for user "raspiserver"
FATAL: password authentication failed for user "raspiserver" in php shell code on line 1
I also have tried to change host=localhost to host=127.0.0.1 or host=0.0.0.0. I'm sure that the error came from that block of code, since that block is already on the first lines in my PHP code, while the other error reporting codes I put, each has distinct Error X: number.
2.
The PostgreSQL configurations:
For the pg_hba.conf content :
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local my_db_name my_user_name 127.0.0.1/32 md5
local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
# local replication postgres peer
#host replication postgres 127.0.0.1/32 md5
#host replication postgres ::1/128 md5
#host all all 0.0.0.0/0 md5
host another_db_name my_user_name 192.168.52.0/24 trust
host my_db_name my_user_name 192.168.52.0/24 trust
I already tried to comment/uncomment LINE 7, or change both LINE 7 and 8 to either md5 , trust , or password . I also have tried to remove 127.0.0.1/32 from LINE 7, or change it to 127.0.0.0/24 or 0.0.0.0/0 . And, yes, I did performed
sudo /etc/init.d/postgresql reload
sudo /etc/init.d/postgresql restart
(even sudo reboot) for every change I've made.
For the postgresql.conf content :
I already set listen_addresses = '*' and password_encryption = on , with the rest remained unchanged.
3.
Firewall :
sudo iptables -L -n doesn't show any entries :
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
What is wrong with my configurations?
Are Stretch the cause?
Or is it because the implementation of PostgreSQL-9.6?
I've already googled here and there, but most of the solutions only advice to change the pg_hba.conf to trust , or assume that the user name is not exist.
I'm desperate, please help.
(Please do mind that I don't know anything regarding PHP, PostgreSQL, Apache, or server, so please don't expect that I really know what I've done so far. Please do analyze everything.... Also, English is not my native, so I might mixed around some "jargons" here and there (if any).... Sorry for that... )
This particular declaration in pg_hba.conf is incorrect:
# TYPE DATABASE USER ADDRESS METHOD
local my_db_name my_user_name 127.0.0.1/32 md5
because when the TYPE field is local, the line must have 4 fields, not 5: there is no ADDRESS field because it doesn't apply to Unix domain sockets (which is what local really means), only to TCP connections (which are declared with TYPE being host or hostssl)
When you reload PostgreSQL with a pg_hba.conf with this line, it will fail with
LOG: invalid authentication method "127.0.0.1/32"
but you will see that only if looking in the server log. As a result of the failure, it will ignore your new version of pg_hba.conf.
Anyway this other line already in your file
host all all 127.0.0.1/32 md5
probably does what you want. In this case just remove the offending line, reload again, and check the server log for a message indicating the success of the reload.
I want to get SSL certificate for my webpage that chat with each other. I also using AES 265 hashing algorithm for dealing more secure with my webpage data and using sha512 for password hashing. But i don't know how to get SSL certificate in industrial level. I tried with many of giving free SSL websites but i still haven't got that. What is Server signature? and how i get that? thanks
This is really a server admin question, not a programming issue.
You can either do a self signed certificate, or get one from a certificate authority.
Self signed certificates are secure, BUT many times programming languages don't like them OR when you connect to something using them you need to tell the function that self-signed is OK.
That said, if you want a "real" certificate you may want to look at Let's Encrypt - https://en.wikipedia.org/wiki/Let%27s_Encrypt
You need to create your own keystore for setting up SSL enabled one.
After you create your own Keystore it has to be signed by the Certificate Authority for example, Go Daddy or GlobalSign.
But for testing purpose, you need to create self-signed certificate using Keytool which comes with your JDK or JRE (C:\Program Files\Java\jdk1.8.0_60\bin\keystool.exe).
You can create self-signed certificate using below command:
keytool - genkey -dname "CN=SERVER_NAME, OU=ABC, O=company.com, L=Morrisville, S=NC, C=US" -alias myalias -keyalg RSA -validity 365 -keysize 2048 -keystore keystore.jks -storepass password -keypass password
Here, storepass and keypass should be same for avoiding some confusions.
Now, after creating your own keystore.jks, its time for server configuration.
I am considering that you are using Apache tomcat or if you are using some other server, you can find server configurations very easily over other tutorials.
You need to edit two files: server.xml and setenv.sh/bat
1) Go to $CATALINA_HOME/conf --> Here you will find server.xml and now you have to edit the port information so that communication will go through SSL enabled port. You need to create one more connector other than default 8080 port like below:
<Connector
port="33380" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="500"
compressableMimeType="application/json,application/atom+xml,application/xml"
compression="on"
maxKeepAliveRequests="-1"
connectionTimeout="20000"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="conf/keystore/keystore.jks" keystorePass="password"
clientAuth="false" sslProtocol="TLS"/>
Here, specify the path of the generated keystore file for keystoreFile attribute and keystorepass equals to the password that you have chosen while creating the keystore file.
2) Go to $CATALINA_HOME/bin --> Here you will find setenv.sh/bat files.
Here, you need to specify the keystore password and path of the keystore file.
Add these server environment variables inside JAVA_OPTS
-Djavax.net.ssl.keyStore=../../../keystore/keystore.jks -Djavax.net.ssl.keyStorePassword=password
I hope this will give some direction to you for configuration purpose.