blueteamvillage / DC31-obsidian-sec-eng

MIT License

SIEM SSL Cert Renewal Prep #160

Closed juju4 closed 1 year ago

juju4 commented 1 year ago

SIEM SSL Cert Renewal Prep

juju4 commented 1 year ago

Quick check

CptOfEvilMinions commented 1 year ago

Generate Let's Encrypt cert for Graylog team

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/graylog.blueteamvillage.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/graylog.blueteamvillage.com/privkey.pem
This certificate expires on 2023-10-28.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

CptOfEvilMinions commented 1 year ago

root@ip-172-16-22-20:/home/ubuntu# sudo certbot certonly --standalone --preferred-challenges http -d splunk.blueteamvillage.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for splunk.blueteamvillage.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/splunk.blueteamvillage.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/splunk.blueteamvillage.com/privkey.pem
This certificate expires on 2023-10-28.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

CptOfEvilMinions commented 1 year ago

Splunk and Graylog done.

juju4 commented 1 year ago

Last one, I believe: securityonion (more work needed because it is moving from x.teleport.blueteamvillage.com to x.blueteamvillage.com)

Reviewed AWS network rules to allow from the Internet to ports 80+443 for SO; found the issue: the AWS SG rule 0.0.0.0/32 was selected instead of 0.0.0.0/0. Certificate update:

$ openssl s_client -showcerts -servername securityonion.blueteamvillage.com -connect securityonion.blueteamvillage.com:443 </dev/null
CONNECTED(00000003)
depth=0 C = US, CN = securityonion, L = Salt Lake City, ST = Utah
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, CN = securityonion, L = Salt Lake City, ST = Utah
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, CN = securityonion, L = Salt Lake City, ST = Utah
verify return:1
---
Certificate chain
 0 s:C = US, CN = securityonion, L = Salt Lake City, ST = Utah
   i:C = US, CN = securityonion, L = Salt Lake City, ST = Utah
---
Server certificate
subject=C = US, CN = securityonion, L = Salt Lake City, ST = Utah

issuer=C = US, CN = securityonion, L = Salt Lake City, ST = Utah

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2505 bytes and written 418 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 818FBF8D6305F64F06BCB80B5077273126EA8C9071FF5FA43D1ED199884021AF
    Session-ID-ctx: 
    Master-Key: C1AC3E24D72902CA33BF01FE7DD7B48D44FB0595AB080FBFAA3E0E6DAFA2210E22AB461E4679A1A54E93364612D6E06F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:

    Start Time: 1691390133
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---
DONE
$ openssl x509 -in /etc/pki/managerssl.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6699052048898117206 (0x5cf7d0586a6cce56)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, CN = securityonion, L = Salt Lake City, ST = Utah
        Validity
            Not Before: Aug  5 22:16:58 2023 GMT
            Not After : Nov  2 22:16:58 2025 GMT
        Subject: C = US, CN = securityonion, L = Salt Lake City, ST = Utah
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Key Identifier: 
                12:5C:85:3F:9B:AF:B7:2A:09:AF:D5:D1:21:81:B9:83:93:3A:84:D3
            X509v3 Authority Key Identifier: 
                keyid:0D:7C:68:12:69:E1:66:19:84:FE:9B:B9:82:37:9B:EF:DE:C1:2C:16
                DirName:/C=US/CN=securityonion/L=Salt Lake City/ST=Utah
                serial:7F:17:28:40:00:27:E0:4B

            X509v3 Subject Alternative Name: 
                DNS:securityonion, IP Address:172.16.22.23
    Signature Algorithm: sha256WithRSAEncryption

https://github.com/blueteamvillage/DC31-obsidian-sec-eng/blob/main/ansible/roles/linux/setup_nginx_security_onion.yml#L58

$ sudo mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.20230807
$ sudo mv /etc/pki/managerssl.key /etc/pki/managerssl.key.20230807
$ sudo so-nginx-stop
$ sudo certbot certonly --standalone --non-interactive --register-unsafely-without-email --agree-tos --preferred-challenges http -d securityonion.blueteamvillage.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for securityonion.blueteamvillage.com
Waiting for verification...
Challenge failed for domain securityonion.blueteamvillage.com
http-01 challenge for securityonion.blueteamvillage.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: securityonion.blueteamvillage.com
   Type:   connection
   Detail: 18.189.61.176: Fetching
   http://securityonion.blueteamvillage.com/.well-known/acme-challenge/cLX7stMcoO4A_ID9YSVMm_q0KNpMIKOPBMclEpcVM48:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
# https://github.com/Security-Onion-Solutions/securityonion/discussions/2883
$ sudo iptables -A INPUT --proto tcp --dport 80 -j ACCEPT
$ sudo iptables -A INPUT --proto tcp --dport 443 -j ACCEPT
$ sudo certbot certonly --standalone --non-interactive --register-unsafely-without-email --agree-tos --preferred-challenges http -d securityonion.blueteamvillage.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for securityonion.blueteamvillage.com
Waiting for verification...
Challenge failed for domain securityonion.blueteamvillage.com
http-01 challenge for securityonion.blueteamvillage.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: securityonion.blueteamvillage.com
   Type:   connection
   Detail: 18.189.61.176: Fetching
   http://securityonion.blueteamvillage.com/.well-known/acme-challenge/R1trkHXN-TN_CbZY-w1Kjp-DRS-oJyQxvuM-xjoeBuo:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
$ sudo -s
        iptables -F
        iptables -X
        iptables -t nat -F
        iptables -t nat -X
        iptables -t mangle -F
        iptables -t mangle -X
        iptables -P INPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -P OUTPUT ACCEPT
$ sudo certbot certonly --standalone --non-interactive --register-unsafely-without-email --agree-tos --preferred-challenges http -d securityonion.blueteamvillage.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for securityonion.blueteamvillage.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/securityonion.blueteamvillage.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/securityonion.blueteamvillage.com/privkey.pem
   Your cert will expire on 2023-11-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
$ sudo cp /etc/letsencrypt/live/securityonion.blueteamvillage.com/fullchain.pem /etc/pki/managerssl.crt
$ sudo cp /etc/letsencrypt/live/securityonion.blueteamvillage.com/privkey.pem /etc/pki/managerssl.key
$ sudo reboot
$ sudo so-status

OK https://securityonion.blueteamvillage.com/
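The "quick check" this thread performs by hand (is the SIEM cert self-signed, does its SAN cover the public hostname, how long until it expires) as a small Python audit. This is an added example, not code from the repository; it works on the dict layout returned by Python's `ssl` `getpeercert()`, and the sample certificate below is constructed from the Security Onion `openssl x509 -text` output above.

```python
"""Renewal-prep audit of a server certificate (added example, not from the repo)."""
import socket
import ssl
from fnmatch import fnmatchcase

# Constructed from the self-signed Security Onion cert shown in the thread.
SO_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "securityonion"),),
                (("localityName", "Salt Lake City"),), (("stateOrProvinceName", "Utah"),)),
    "issuer": ((("countryName", "US"),), (("commonName", "securityonion"),),
               (("localityName", "Salt Lake City"),), (("stateOrProvinceName", "Utah"),)),
    "subjectAltName": (("DNS", "securityonion"), ("IP Address", "172.16.22.23")),
    "notBefore": "Aug  5 22:16:58 2023 GMT",
    "notAfter": "Nov  2 22:16:58 2025 GMT",
}


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the peer cert with default verification. An untrusted or self-signed
    chain raises ssl.SSLCertVerificationError here, the same failure openssl
    s_client reports as 'unable to verify the first certificate'."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def _san_covers(hostname: str, dns_names: list) -> bool:
    """Exact match, or a wildcard in the leftmost label only (same label count)."""
    host = hostname.lower()
    for name in dns_names:
        n = name.lower()
        if host == n or (n.startswith("*.") and fnmatchcase(host, n)
                         and host.count(".") == n.count(".")):
            return True
    return False


def audit_cert(cert: dict, hostname: str, now: int, warn_days: int = 30) -> dict:
    """Return the findings a renewal prep needs; 'now' is a Unix timestamp."""
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400
    self_signed = subject == issuer
    covered = _san_covers(hostname, dns_names)
    return {"common_name": subject.get("commonName"), "self_signed": self_signed,
            "hostname_in_san": covered, "days_left": days_left,
            "needs_action": self_signed or not covered or days_left < warn_days}


if __name__ == "__main__":
    # 1691390133 is the handshake Start Time from the thread's openssl output.
    print(audit_cert(SO_CERT, "securityonion.blueteamvillage.com", now=1691390133))
```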

juju4 commented 1 year ago

Closing as completed; DEF CON 31 has ended.