SSL problems

[thyrymn]

Either I'm not understanding the help file or I can't get past the --sslcert routine in the Listener:

~/Cartero/bin# ./cartero -debug Listener -p 80 -W /tmp/qa/qa -s --sslcert /root/Cartero/bin/ -K new.cert.key WebServer on SSL mode needs a cert path [ --sslcert ]. /root/Cartero/lib/cartero/commands/listener.rb:182:in setup' /root/Cartero/lib/cartero/command.rb:81:inblock in method_added' /root/Cartero/lib/cartero/cli.rb:190:in block in run' /root/Cartero/lib/cartero/cli.rb:184:ineach' /root/Cartero/lib/cartero/cli.rb:184:in run' ./cartero:52:in

'

[mrbrutti]

Hey @thyrymn it should be something like:

~/Cartero/bin# ./cartero -debug Listener -p 80 -W /tmp/qa/qa -s -C /root/Cartero/bin/file.cer -K /root/Cartero/bin/new.cert.key

[thyrymn]

./cartero -debug Listener -p 443 -W /tmp/qa/qa -s --sslcert /root/Cartero/bin/new.cer -K new.cert.key WebServer on SSL mode needs a cert path [ --sslcert ]. /root/Cartero/lib/cartero/commands/listener.rb:182:in setup' /root/Cartero/lib/cartero/command.rb:81:inblock in method_added' /root/Cartero/lib/cartero/cli.rb:190:in block in run' /root/Cartero/lib/cartero/cli.rb:184:ineach' /root/Cartero/lib/cartero/cli.rb:184:in run' ./cartero:52:in

'

[mrbrutti]

OK, now we are talking ! :-) Let me figure out what is going on here. I haven't use this option a lot, since a good way to handle this as well is to use Apache and/or my favorite option is Cloudflare SSL service to get valid HTTPs certs that are free.

[thyrymn]

I made the certs with openssl.

[mrbrutti]

@thyrymn Do you mind sharing exactly what you did w/ openssl, so I can replicate your issue ?

[mrbrutti]

Problem fixed. Updating changes.

[mrbrutti]

@thyrymn can you check fixes ?

[mrbrutti]

I found some interesting code on the net, I changed it and I used this code to create the Certs to test the app and it works now. I am going to add the script to Cartero, so it is easy to test SSL things in the future.

require 'rubygems'
require 'openssl'

key = OpenSSL::PKey::RSA.new(2048)
public_key = key.public_key
puts "[*] - Generating Private key (private.key)"
File.open("/tmp/private.key", "w") {|x| x << key.to_s}

subject = "/C=US/O=Cartero/OU=Cartero/CN=Cartero"

cert = OpenSSL::X509::Certificate.new
cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
cert.not_before = Time.now
cert.not_after = Time.now + 365 * 24 * 60 * 60
cert.public_key = public_key
cert.serial = 0x0
cert.version = 2

ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = cert
ef.issuer_certificate = cert
cert.extensions = [
  ef.create_extension("basicConstraints","CA:TRUE", true),
  ef.create_extension("subjectKeyIdentifier", "hash"),
  # ef.create_extension("keyUsage", "cRLSign,keyCertSign", true),
]
cert.add_extension ef.create_extension("authorityKeyIdentifier",
                                       "keyid:always,issuer:always")

cert.sign key, OpenSSL::Digest::SHA256.new
puts "[*] - Generating Certificate (cert.pem)"
File.open("/tmp/cert.pem", "w") {|x| x << cert.to_pem}

[thyrymn]

It loads with my certs now, something elsa is wrong, not sure if it is me or Cartero now. Working....

[mrbrutti]

Let me know, because I was able to get it running and it worked on Chrome + Safari. Clearly it complained about self-sign cert, but it worked.

[thyrymn]

i used the code above, when loading the cert, catero wants a pem passphase. it seems lame, but i can't figure out what the passphase is from the code:

vkey.pem Puma starting in single mode...

• Version 2.11.3 (ruby 2.2.1-p85), codename: Intrepid Squirrel
• Min threads: 4, max threads: 16
• Environment: production
• Listening on ssl://0.0.0.0:443?key=/root/Cartero/bin/privkey.pem&cert=/tmp/cert.pem Use Ctrl-C to stop Enter PEM pass phrase:

[mrbrutti]

The ruby code above to create keys, does NOT create a passphrase. So it should not ask for a Private key. Can you try w/ that code ? it stores keys on /tmp/private.key and /tmp/cert.pem The key is asking is for your private key. If you setup your private key with a passphrase, it will obviously ask for it. :+1:

[thyrymn]

got it. pathing problems between cartero installs. Cleaned them all up now so I only have one.