rabbitmq / tls-gen

Generates self-signed x509/TLS/SSL certificates useful for development
Mozilla Public License 2.0

Password option not working? #21

Closed joseliber closed 4 years ago

joseliber commented 4 years ago

Hi @michaelklishin, I've found your application via the RabbitMQ TLS docs.

I'm using the basic profile to generate server/client certs with passwords. While testing the RMQ configuration, I purposefully left the key password option commented so I could find out the behavior/error messages from RMQ server when a user forgets to set that option correctly. To my surprise, the server worked correctly and clients could connect via TLS without issues or error messages.

I searched the web for instructions on how to check passwords on openssl certificate keys, and found link1, link2.

I've tried the openssl tests and the certificate key was always displayed in stdout, even when supplying a wrong password.

Could you please provide some clarifications on whether I'm doing this wrong or maybe tls-gen is missing something to set passwords on the basic profile?

Regards, José.

lukebakken commented 4 years ago

Please provide the exact command you ran to use this project to generate certificates with a password.

joseliber commented 4 years ago

I'm using the same command as provided by the documentation:

~$ git clone https://github.com/michaelklishin/tls-gen.git
Cloning into 'tls-gen'...
remote: Enumerating objects: 24, done.
remote: Counting objects: 100% (24/24), done.
remote: Compressing objects: 100% (19/19), done.
remote: Total 393 (delta 11), reused 13 (delta 5), pack-reused 369
Receiving objects: 100% (393/393), 100.44 KiB | 864.00 KiB/s, done.
Resolving deltas: 100% (226/226), done.
~$ cd tls-gen/basic/
~/tls-gen/basic$ make PASSWORD=somepass
python3 profile.py regenerate --password "somepass" \
--common-name laptop \
--client-alt-name laptop \
--server-alt-name laptop \
--days-of-validity 3650 \
--key-bits 2048 
Removing /home/joseliber/tls-gen/basic/testca
Removing /home/joseliber/tls-gen/basic/result
Removing /home/joseliber/tls-gen/basic/server
Removing /home/joseliber/tls-gen/basic/client
Will generate a root CA and two certificate/key pairs (server and client)
...snip...

It seems to be regenerating the cert, even when I have erased the folder and cloned again.

Testing with openssl (it should have asked for a password instead of printing the key):

~/tls-gen/basic$ openssl pkey -in result/server_key.pem 
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDbP0oCXET3iP1D
...snip...

Testing with a wrong password:

~/tls-gen/basic$ openssl pkey -passin pass:testing -in result/server_key.pem 
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDbP0oCXET3iP1D
...snip...
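
The behaviour shown above (openssl pkey printing the key with no passphrase prompt, even with a wrong -passin) follows from the PEM label: openssl only attempts decryption when the block is labelled ENCRYPTED PRIVATE KEY or carries a legacy Proc-Type: 4,ENCRYPTED header, and the generated file has the plain PRIVATE KEY label. The script below is an added example, not code from tls-gen or from either commenter. It classifies a PEM private key by label, headers and (for PKCS#8) the outer DER structure, and exits non-zero when a key that was supposed to be passphrase-protected is not. The sample PEM blocks are constructed for the example: the unencrypted one reuses the first base64 line shown in the issue, the others are hand-built prefixes, not real keys.

```python
"""Classify a PEM private key as passphrase-protected or not.

Added example; not part of tls-gen. The PEM label is what decides whether
openssl (and most TLS stacks) will try to decrypt the key at all, so a
build that asked for a password should verify the label before trusting
the result.
"""
import base64
import re
import sys

# One PEM block: label plus body (optional RFC 1421 headers, then base64).
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def _der_inner_tag(der: bytes) -> int:
    """Tag of the first element inside the outer DER SEQUENCE.

    PKCS#8 PrivateKeyInfo starts with INTEGER version (0x02);
    EncryptedPrivateKeyInfo starts with an AlgorithmIdentifier SEQUENCE (0x30).
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer element is not a DER SEQUENCE")
    length_byte = der[1]
    header_len = 2 if length_byte < 0x80 else 2 + (length_byte & 0x7F)
    if len(der) <= header_len:
        raise ValueError("DER prefix too short to inspect")
    return der[header_len]


def key_protection(pem_text: str) -> str:
    """Return encrypted-pkcs8, unencrypted-pkcs8, encrypted-legacy or unencrypted-legacy."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group("label")
    lines = m.group("body").splitlines()

    # Legacy (PKCS#1 / SEC1) PEM keeps its cipher parameters in header lines.
    headers = {}
    while lines and ":" in lines[0]:
        key, _, value = lines.pop(0).partition(":")
        headers[key.strip()] = value.strip()
    b64 = "".join(line.strip() for line in lines)

    if label == "ENCRYPTED PRIVATE KEY":
        if _der_inner_tag(base64.b64decode(b64)) != 0x30:
            raise ValueError("label says encrypted but body is not EncryptedPrivateKeyInfo")
        return "encrypted-pkcs8"
    if label == "PRIVATE KEY":
        if _der_inner_tag(base64.b64decode(b64)) != 0x02:
            raise ValueError("label says plain PKCS#8 but body is not PrivateKeyInfo")
        return "unencrypted-pkcs8"
    if label.endswith(" PRIVATE KEY"):
        if headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers:
            return "encrypted-legacy"
        return "unencrypted-legacy"
    raise ValueError(f"not a private key block: {label}")


def is_passphrase_protected(pem_text: str) -> bool:
    return key_protection(pem_text).startswith("encrypted-")


# Constructed samples (not real keys). The unencrypted PKCS#8 body reuses the
# first base64 line from the issue; the others are truncated hand-built prefixes,
# enough for the structure check only.
SAMPLE_UNENCRYPTED_PKCS8 = """-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDbP0oCXET3iP1D
-----END PRIVATE KEY-----
"""
SAMPLE_ENCRYPTED_PKCS8 = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIEwDBcBgkqhkiG9w0BBQ0w
-----END ENCRYPTED PRIVATE KEY-----
"""
SAMPLE_ENCRYPTED_LEGACY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

AAAAAAAAAAAAAAAAAAAAAA==
-----END RSA PRIVATE KEY-----
"""
SAMPLE_UNENCRYPTED_LEGACY = """-----BEGIN RSA PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDbP0oCXET3iP1D
-----END RSA PRIVATE KEY-----
"""


def main(argv):
    """CLI: exit 1 if any listed key file is not passphrase-protected."""
    unprotected = 0
    for path in argv[1:]:
        with open(path, encoding="ascii") as fh:
            kind = key_protection(fh.read())
        print(f"{path}: {kind}")
        if not kind.startswith("encrypted-"):
            unprotected += 1
    return 1 if unprotected else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python3 check_key.py result/server_key.pem result/client_key.pem` after a `make PASSWORD=...` build. On the key from the issue it reports unencrypted-pkcs8, which is why openssl pkey printed it without prompting: a -passin value is ignored when there is nothing to decrypt. For a key that really is protected, `openssl pkey -noout -passin pass:wrong -in result/server_key.pem` fails instead of printing anything, which is the quick manual check.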

lukebakken commented 4 years ago

Thanks for the information. This is a bug. We'd be happy to accept a pull request to fix it.

I opened #22 with some ideas for a fix but it doesn't quite work.

joseliber commented 4 years ago

I'm almost done with the fix. Will provide a PR in the weekend.

lukebakken commented 4 years ago

@joseliber thank you, we will watch for it.

lukebakken commented 4 years ago

@joseliber please see the "Project Updates" section. I made sure to mention your contribution -

https://www.rabbitmq.com/blog/2020/06/30/this-month-in-rabbitmq-may-2020-recap/

joseliber commented 4 years ago

Thanks for the mention, @lukebakken. I'm happy that our contribution (you are a co-author :) ) helped other projects as well.

Regards, José.