Questions tagged [openssl]

OpenSSL: The Open Source Toolkit for SSL and TLS

0 votes
0 answers
24 views

OpenDKIM Isn't building with OpenSSL correctly [migrated]

I am trying to build OpenDKIM from source. For some reason, the build is not supporting SHA-256, even when the OpenSSL version I am building with uses SHA-256. How is this possible? I run: ./...
user10709800
0 votes
0 answers
16 views

kex_exchange_identification or banner exchange causing time out issue while ssh into amazon ec2

I am trying to ssh into an Amazon Linux 2023. My colleague can log in fine using the same private key. It seems like it initially connects then times out. This is the command and output: % ssh -i my-...
nealous3
  • 131
1 vote
1 answer
36 views

Bash script with "openssl req -new -key server.key -out server.csr -config server_openssl.cnf --passin pass:password"

I am writing a bash script that will generate a root certificate and a server certificate. The root certificate generation works, but the server certificate prompts me for input - however since this ...
Europa
  • 139
1 vote
1 answer
34 views

Bash script with openssl req -new -key rootCA.key -out rootCA.csr -config rootCA_openssl.cnf --passin pass:password

I am generating a root certificate with a bash script. I have a rootCA_openssl.cnf file with the configuration data: rootCA_openssl.cnf [ req ] distinguished_name = req_distinguished_name ...
Europa
  • 139
1 vote
0 answers
103 views

wget / openssl : Unable to locally verify the issuer's authority

I have a wildcard certificate (*.example.com) from DigiCert. I have the following files in the zip file from the DigiCert portal: DigiCert Global Root G2.pem DigiCertCA.crt star_example_com.crt TrustedRoot.crt I ...
rp346
  • 101
0 votes
0 answers
24 views

How to check OpenSSL: alert internal error, handshake failure for CA

Context is our Mosquitto broker, running on a certain domain. User can connect via TLS only. We are using a self-signed certificate for this purpose, because we want to sign client certificates by ...
BairDev
  • 125
1 vote
1 answer
105 views

Postfix: Mail servers of certain providers are unable to send mail to my Postfix server / insufficient security / SSL alert number 71

There is a big German email hoster (web.de) whose mail servers are not able to send mails to my self-hosted Postfix server. I found similar reports, but the published solutions always were misconfigured ...
user2690527
0 votes
1 answer
316 views

How to use 'openssl s_server ...'

OS: Lubuntu 20.04 desktop (inside Virtualbox) What happened I've been using php -S 0.0.0.0:8080 -t /path/to/app/ to provide a simple web server. But now I need to test my web app over https, and was ...
AlanQ
  • 1
0 votes
0 answers
84 views

Enabling FIPS mode in MySQL Server 8.036+ on Windows

I'd like to enable the FIPS mode of my MySQL 8.0.36 community server instance running on Windows. I know the ssl_fips_mode option has been deprecated as of MySQL 8.0.34 but it should still work in ...
uwe
  • 1
1 vote
1 answer
1k views

OpenVPN "error=CA signature digest algorithm too weak"

After upgrading our OpenVPN server from Debian Buster to Bookworm, which also upgraded OpenVPN from 2.4.7 to 2.6.3, we're now getting this when any client tries to connect: error=CA signature digest ...
Nick Coons
0 votes
0 answers
51 views

OpenWISP -- inputing a certification authority

We're trying to set up OpenWISP using a paid-for wildcard (*.ngv.com.au) SSL certificate. The certificate comes to us as a ZIP of these files: AAACertificateServices.crt ...
Michael NGV
2 votes
1 answer
124 views

What happens if the startdate of a CA is later that the startdate of a X509 certificate signed by it?

I am in the process of extending the lifetime of a private CA creating a new certificate with the same name, serial number, private/public keys, etc. The only change would be the "startdate" ...
jcea
  • 273
0 votes
0 answers
155 views

Apache ( 2.4.58) compiling fails after Openssl upgrade to 3.2.1. on Amazon Linux 2

Apache ( 2.4.58) compiling fails after Openssl upgrade to 3.2.1. on Amazon Linux 2, Could you please help me on this. Error: /var/tmp/httpd-2.4.58/support/ab.c:2319: undefined reference to `...
avilala sudarshan yadav
0 votes
0 answers
293 views

curl: (60) SSL: unable to obtain common name from peer certificate

I'm trying to create self-signed certificates for my webserver but it's not going well. The title is the error message curl gives me when I run curl --noproxy "*" https://example.com (with ...
Seal_bebbe
0 votes
1 answer
142 views

Unable to enable specific cipher suites in Nginx

I have a piece of hardware with an outdated list of default cipher suites. We update that list via configuration, but to get the configuration it first needs to talk to a provisioning server. I've ...
miken32
  • 974
0 votes
0 answers
377 views

TLS negotiation gets stuck at Client Hello

We are working with an HTTPS endpoint hosted in the UK on an Azure Application Gateway. So far, all locations in the UK and wider have been able to access it. A specific client site in Singapore cannot ...
Paul Ridgway
0 votes
0 answers
80 views

Free ipa errors when using SAN in certificate request

When I try to sign a CSR for a device and include the SAN ip attribute it errors with the following. ERROR: invalid 'csr': IP address in subjectAltName (x.x.x.x) unreachable from DNS names my IPA ...
Kendrick
  • 303
0 votes
0 answers
75 views

How to add certificates to an existing PKCS#7 bundle (p7b) file?

I have a PKCS#7 bundle (p7b file) that holds many public S/MIME certificates, and I need two more certificates in the bundle. Is there a way to add these certificates using openssl (or possibly ...
not2savvy
  • 227
0 votes
1 answer
447 views

Nginx 1.25.3 on docker TLSv1 is not working

I have nginx 1.25.3 on docker, not the Alpine version. The underlying OS is Ubuntu 22. When the TLS 1 protocols are configured like this: ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; The ...
0xPwn
  • 97
0 votes
0 answers
805 views

Verify return code: 21 unable to verify the first certificate

I'm encountering an issue on my Ubuntu server when attempting to establish an email connection from the frontend application. The error message I receive reads: "Verify return code: 21 unable to ...
Swapneswar Mohapatra
0 votes
1 answer
417 views

Importing SSL certificate in browser does not prevent the secure warning

I have an embedded device (ESP32) that runs an HTTPS server. I generated the certificates in this way: openssl req -newkey rsa:2048 -nodes -keyout prvtkey.pem -x509 -days 3650 -out cacert.pem -subj &...
Mark
  • 163
1 vote
1 answer
2k views

Use openssl 3 to create a self-signed certificate just like what "New-SelfSignedCertificate" can

First of all, I did googling about openssl, such as this one, and also tried dozens of times on creating a valid self-signed certificate. But I guess asking on serverfault would be much quicker. My ...
user53815
0 votes
2 answers
108 views

In Postfix, Should SSL FQDN Matches with myhostname or mydomain field in /etc/postfix/main.cf?

Quoted from the documentation: myhostname The internet hostname of this mail system. The default is to use the fully-qualified domain name (FQDN) from gethostname(), or to use the non-FQDN result ...
Thor-x86_128
0 votes
0 answers
433 views

TLS cipher suites ordering

I have nginx configured to use ssl_ciphers PROFILE=SYSTEM;. And I have Alma Linux configured to use the DEFAULT crypto policy: ~$ update-crypto-policies --show DEFAULT From the RHEL 9 documentation: ...
McLayn
  • 193
2 votes
1 answer
267 views

openssl ignores intermediate certificate in pkcs12 file

After creating a new S/MIME certificate, I am stuck with creating a valid PKCS #12 file that is accepted by most mail clients: $ openssl verify smime.pfx CN = [email protected], emailAddress = mail@...
Stephan Windmüller
-1 votes
1 answer
3k views

OpenSSL 1.0.2 SHA1 requirement causing HTTPS compatibility error with Microsoft Edge 119 ERR_SSL_PROTOCOL_ERROR [closed]

I encountered the problem described in this Thread but with the Microsoft Edge browser version 119, which has been published on November 2, 2023. The problem only seems to occur on webserver instances ...
Enrique SM
1 vote
0 answers
803 views

Dovecot: SSL not working (no suitable signature algorithm), other daemons work just fine

I try to secure my Dovecot with SSL/TLS using Letsencrypt certificates. Dovecot immediately closes any TLS connection and reports the confusing error "no suitable signature algorithm" in the ...
user2690527
1 vote
1 answer
2k views

keytool error: java.security.cert.CertificateParsingException: signed fields invalid

I have a X509 certificate pem file I got from Mongo Atlas. I'm trying to import it into the keystore like so: keytool -importcert -file X509-cert.pem -alias myalias -keystore mykeystore.p12 -storetype ...
ritratt
  • 139
0 votes
1 answer
277 views

Configure OpenVPN with existing certificate

I want to configure OpenVPN with available certificates, without using easy-rsa. I use openssl to generate private.key and csr.csr. Then I use opensource CA EJBCA to authenticate csr and create a ...
Patrick
0 votes
1 answer
171 views

installed homebrew openssl library not found when building MongoDb PHP driver on Mac

Similar to this questioner, due to a 502 Bad Gateway error, following the PHP docs I am attempting to build the PHP Mongo driver from scratch, using a modified ./config step ./configure --with-mongodb-...
wonder95
  • 123
0 votes
2 answers
326 views

Is it possible to hide a binary file from the system

A VPS on Centos 7 came with a very old version of openssl. I built and installed a newer version of openssl. (details below) This newer openssl was only installed in order to upgrade to a much newer ...
David C
  • 103
3 votes
1 answer
955 views

OpenVPN Revoke a certificate without the CRT file with Easy RSA

I'm confused, I have an OpenVPN server on Debian. The previous system administrator who was in charge of this server deleted the user certificates (.crt file) with the command "rm -f example.crt&...
g1398
  • 33
0 votes
0 answers
358 views

openssl crash on nginx building ubuntu 22.04

trying this on ubuntu 22.04 sudo ./configure --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-zctdR4/nginx-1.18.0=. -flto=auto -ffat-lto-objects -flto=auto -ffat-lto-objects -fstack-protector-...
konstantinos Dms
2 votes
2 answers
8k views

How to restart openssl on debian

I have made some changes in openssl.cnf and want to restart the service. Normally I would just restart the machine for changes to take effect but I don't want to restart the machine. Tried sudo systemctl restart ...
Frank Martin
4 votes
6 answers
16k views

HTTPS compatibility issue with Chrome 116/117 ERR_SSL_PROTOCOL_ERROR

I'm having the error ERR_SSL_PROTOCOL_ERROR since 2 days on my website for some reason. Browsers tested Windows Chrome 117.0.5938.132 : ERR_SSL_PROTOCOL_ERROR Android Chrome 117.0.5938.61 : ...
Alexandre Lavoie
1 vote
1 answer
264 views

Warning with sending emails from Thunderbird to Postfix using its own CA

I'm asking for help because I simply don't have the strength anymore, I've spent a lot of time and I'm still left with an unsolved puzzle. My problem: I keep getting "Wrong Site" warnings ...
lkuc18
  • 31
0 votes
0 answers
108 views

Install old OpenSSL 0.9.8 on MacOS 13.2, make error

For compatibility purposes with some functionalities and old software, I need to install OpenSSL 0.9.8 on a modern MacOS machine. I downloaded the source archive from: https://www.openssl.org/source/old/0....
MonsieurMemons
3 votes
1 answer
4k views

TLS 1.0 broken with newer Debian/OpenSSL

I'm migrating a server running Debian 10 to a server running Debian 12 (and a 6.x kernel), and the last thing that doesn't seem to be working is TLS 1.0, which I've been trying to figure out. I'm ...
InterLinked
1 vote
0 answers
669 views

How to convert a DER private key to PEM

I have a private key that is in binary format. I'm not sure if this is DER format but I need to convert it to PEM. I'm using openssl with this command: openssl rsa -inform DER -outform PEM -in test....
dssof
  • 111
0 votes
1 answer
189 views

Have you got a worked example of using Postgres through ODBC with openssl and the Progress DataDirect Linux driver?

I am new to openssl configuration, Postgres, and the Progress DataDirect ODBC driver, and I am trying to set this up. I have Postgres working in a container, set up with tjcw:~$ openssl req -new -x509 ...
Chris Ward
1 vote
1 answer
2k views

Configure QUIC and HTTP/3 in Ubuntu

I want to install and configure nginx-1.19.0 with HTTP/3 support on Ubuntu 22.04. OpenSSL version is 3.0.2. I was surfing the internet but I didn't find anything straightforward to guide me how to ...
Leotrim Lota
1 vote
1 answer
189 views

AWX error X509 using custom EE image with pyopenssl

I'm currently setting up an AWX platform hosted on K8s cluster to get a proper UI + features for multi-user purpose. Context : I created an EE image pushed on a Nexus repository that AWX use in order ...
motorbass
  • 373
0 votes
1 answer
486 views

SSL Certificate loading error in postgresql.conf file during restart

openssl genrsa -out root.key 2048 openssl req -new -key server.key -out server.csr openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt chown postgres:postgres server.* ...
Rajesh Maniyar
0 votes
0 answers
486 views

CA-Certificate and Server Certificate are expired! - openVPN - Server <--> Client(x)

I am hosting an openVPN-Service to connect ~30 IoT-Clients directly to my Server. I have forgotten to extend the lifetime of the self-signed ca.cert and the server.crt. Now my openVPN-Clients could not ...
Mat
  • 3
0 votes
0 answers
36 views

self signed for a site accessible through VPN

I'd like to know if what I'm doing is right or is there another way to do this? I have this site that is accessible through VPN and I'd like the end users not to see the "not secured" ...
Reefo Relaxo
0 votes
1 answer
340 views

self signed certificate for a site that can only be access through VPN

I read a lot of articles about self signed certificates and I'm not exactly sure if I'm getting near to what I want to actually achieve. I'm trying to implement a self signed certificate so that the ...
Reefo Relaxo
0 votes
0 answers
1k views

[Microsoft][ODBC Driver 17 for SQL Server] SSL Provider: [error:0A000102:SSL routines::unsupported protocol] in PHP Laravel on macOS using Brew

I'm encountering an issue while trying to connect to a SQL Server database using PHP Laravel on macOS with Brew. I'm receiving the following error message: [Microsoft][ODBC Driver 17 for SQL Server] ...
Ainz Ooal Gown
0 votes
0 answers
648 views

ValueError: Invalid version. The only valid version for X509Req is 0

I'm trying to renew the SSL but I got this error: SSL Error 1 SSL Error 2 I already tried sudo pip3 install pyOpenSSL and sudo pip3 install cryptography==40.0.1, uninstalled it, and installed it again,...
Jeff
  • 1
0 votes
1 answer
184 views

Identify SSL certificate type for apache configuration

I have SSL certificate files: Root2023.crt t1.crt t1.pem t1.pk8 on my apache How can I determine which of these files should be used for SSLCertificateFile, SSLCertificateKeyFile, and ...
Mohammad Fanni
0 votes
2 answers
519 views

curl with --cacert fails on almalinux8 but works on ubuntu

We try this: curl -v --cacert cert.pem https://example.com/path.asmx On Ubuntu it's working, we're getting: successfully set certificate verify locations: * CAfile: cert.pem CApath: /etc/ssl/...
Guy
  • 3
