Showing posts with label X509v3.

Add a CA certificate to GitLab running in a podman container

Adding a CA certificate to a GitLab instance that runs in a podman container (the same steps work with docker containers; just replace podman with docker):

  1. Log in to the podman container
  2. Copy/install the CA certificates into /etc/gitlab/trusted-certs/ (in this case Digi-Issuing-CA01-G3.pem & Digi-Root-CA01-G3.pem)
  3. Restart the podman container

Example

euprdgitlab655:~ #
euprdgitlab655:~ # podman exec -it gitlab /bin/bash
root@ad24f5df0102:/#
root@ad24f5df0102:/#
root@ad24f5df0102:/# ls /etc/gitlab/
gitlab-secrets.json gitlab.rb ssh_host_ecdsa_key ssh_host_ecdsa_key.pub ssh_host_ed25519_key ssh_host_ed25519_key.pub ssh_host_rsa_key ssh_host_rsa_key.pub ssl trusted-certs
root@ad24f5df0102:/#
root@ad24f5df0102:/# ls /etc/gitlab/trusted-certs/
07ac5923.0 Digi-Issuing-CA01-G2.pem Digi-Root-CA-G2.pem e0c0effb.0
root@ad24f5df0102:/#
root@ad24f5df0102:/# ls -lah /etc/gitlab/trusted-certs/
total 8.0K
drwxr-xr-x 2 root root 101 Mar 27 12:44 .
drwxrwxr-x 4 root root 250 Oct 15 2024 ..
lrwxrwxrwx 1 root root 19 Mar 27 12:44 07ac5923.0 -> Digi-Root-CA-G2.pem
-rw-r--r-- 1 root root 2.6K Sep 14 2021 Digi-Issuing-CA01-G2.pem
-rw-r--r-- 1 root root 2.3K Sep 14 2021 Digi-Root-CA-G2.pem
lrwxrwxrwx 1 root root 24 Mar 27 12:44 e0c0effb.0 -> Digi-Issuing-CA01-G2.pem
root@ad24f5df0102:/#
root@ad24f5df0102:/#
root@ad24f5df0102:/# vi /etc/gitlab/trusted-certs/Digi-Root-CA-G3.pem
root@ad24f5df0102:/# vi /etc/gitlab/trusted-certs/Digi-Issuing-CA-G3.pem
root@ad24f5df0102:/#
root@ad24f5df0102:/# ls -lah /etc/gitlab/trusted-certs/
total 16K
drwxr-xr-x 2 root root 158 Jul 14 10:16 .
drwxrwxr-x 4 root root 250 Oct 15 2024 ..
lrwxrwxrwx 1 root root 19 Mar 27 12:44 07ac5923.0 -> Digi-Root-CA-G2.pem
-rw-r--r-- 1 root root 2.3K Jul 14 10:16 Digi-Issuing-CA-G3.pem
-rw-r--r-- 1 root root 2.6K Sep 14 2021 Digi-Issuing-CA01-G2.pem
-rw-r--r-- 1 root root 2.3K Sep 14 2021 Digi-Root-CA-G2.pem
-rw-r--r-- 1 root root 1.9K Jul 14 10:16 Digi-Root-CA-G3.pem
lrwxrwxrwx 1 root root 24 Mar 27 12:44 e0c0effb.0 -> Digi-Issuing-CA01-G2.pem
root@ad24f5df0102:/#
root@ad24f5df0102:/# exit
exit
euprdgitlab655:~ #
euprdgitlab655:~ #
euprdgitlab655:~ #
euprdgitlab655:~ # podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ad24f5df0102 reg.subdomain.domain.tld/gitlab/gitlab-ee:18.0.3-ee.0 /assets/wrapper 3 months ago Up 3 weeks (healthy) 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:2222->22/tcp gitlab
aa22bdf8c33a docker.io/library/nginx:1.27.5 nginx -g daemon o... 3 months ago Up 3 weeks 0.0.0.0:8443->8443/tcp nginx
euprdgitlab655:~ #
euprdgitlab655:~ # podman stop gitlab
WARN[0010] StopSignal SIGTERM failed to stop container gitlab in 10 seconds, resorting to SIGKILL
gitlab
euprdgitlab655:~ # podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ad24f5df0102 reg.subdomain.domain.tld/gitlab/gitlab-ee:18.0.3-ee.0 /assets/wrapper 3 months ago Up 2 seconds (starting) 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:2222->22/tcp gitlab
aa22bdf8c33a docker.io/library/nginx:1.27.5 nginx -g daemon o... 3 months ago Up 3 weeks 0.0.0.0:8443->8443/tcp nginx
euprdgitlab655:~ #
euprdgitlab655:~ #

[...] *wait* [...]

euprdgitlab655:~ #
euprdgitlab655:~ # podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ad24f5df0102 reg.subdomain.domain.tld/gitlab/gitlab-ee:18.0.3-ee.0 /assets/wrapper 3 months ago Up 7 minutes (healthy) 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:2222->22/tcp gitlab
aa22bdf8c33a docker.io/library/nginx:1.27.5 nginx -g daemon o... 3 months ago Up 3 weeks 0.0.0.0:8443->8443/tcp nginx
euprdgitlab655:~ #
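After the restart, the listing above shows what GitLab's reconfigure step produces: a <hash>.0 symlink next to each CA file. The following script is an added example (not from the original post and not GitLab's own code) that checks a trusted-certs directory for the things that silently break TLS trust: a file that is not a CA certificate at all, a CA that is about to expire, and a CA without its subject-hash link. The directory is passed as a parameter; /etc/gitlab/trusted-certs inside the container is the path the post uses. The demo functions build a constructed throwaway CA in a temporary directory, they are not the certificates from the post.

```shell
#!/bin/sh
# Added example: verify a GitLab trusted-certs directory (not part of the post or of GitLab).
set -eu

# check_trusted_certs DIR
# Prints one line per *.pem file; returns 1 if any file fails a check.
check_trusted_certs() {
    dir="$1"
    rc=0
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue          # no *.pem files at all
        base=$(basename "$pem")
        # Must parse as an X.509 certificate; -hash prints the subject-name hash
        # that OpenSSL uses for the <hash>.0 links seen in the listing.
        if ! hash=$(openssl x509 -in "$pem" -noout -hash 2>/dev/null); then
            echo "FAIL $base: not a PEM certificate"
            rc=1
            continue
        fi
        # A trust anchor must carry basicConstraints CA:TRUE; a leaf cert here is a mistake.
        if ! openssl x509 -in "$pem" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
            echo "FAIL $base: basicConstraints CA:TRUE missing (not a CA certificate)"
            rc=1
        fi
        # Warn 30 days (2592000 s) before expiry so the rotation is not a surprise.
        if ! openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null; then
            echo "FAIL $base: expires within 30 days or is already expired"
            rc=1
        fi
        # The <hash>.0 link is what lets OpenSSL-based clients find the CA by subject.
        link="$dir/$hash.0"
        if [ -L "$link" ] && [ "$(readlink "$link")" = "$base" ]; then
            echo "OK   $base -> $hash.0"
        else
            echo "FAIL $base: no $hash.0 link pointing at it (restart the container so GitLab reconfigures)"
            rc=1
        fi
    done
    return $rc
}

# Demo: constructed throwaway CA in a temporary directory (not a real certificate).
make_demo_dir() {
    dir=$(mktemp -d)
    cnf="$dir/openssl.cnf"
    cat > "$cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Demo CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
    # Self-signed CA plus the hash link, as GitLab's reconfigure creates it after a restart.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$cnf" -extensions ca_ext \
        -keyout "$dir/demo-ca.key" -out "$dir/Demo-Root-CA.pem" 2>/dev/null
    ln -s Demo-Root-CA.pem "$dir/$(openssl x509 -in "$dir/Demo-Root-CA.pem" -noout -hash).0"
    echo "$dir"
}

# Adds a self-signed non-CA certificate without a hash link; the checker must flag it.
add_bad_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/openssl.cnf" -extensions leaf_ext \
        -subj '/CN=not-a-ca.example.test' -keyout "$dir/leaf.key" -out "$dir/Not-A-CA.pem" 2>/dev/null
}

# Usage on the real directory from inside the container:  check_trusted_certs /etc/gitlab/trusted-certs
```

Run it after the container reports healthy again; a FAIL on the hash link for a freshly copied file means the restart did not run reconfigure, and a FAIL on basicConstraints means a server certificate was dropped into the CA directory by mistake.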

List FortiGate Certificates via CLI - CA certificates and local Certificates


You can either use the GUI of the FortiGate to list all certificates, or use the CLI with one of the following commands:

Using the "get" command

config vdom
edit root   #<--- your management vdom/your vdom of choice
get vpn certificate ca

FGT50E00000000 (root) #
FGT50E00000000 (root) # get vpn certificate ca
== [ Fortinet_Wifi_CA ]
name: Fortinet_Wifi_CA
== [ Fortinet_CA ]
name: Fortinet_CA
== [ ACCVRAIZ1 ]
name: ACCVRAIZ1
== [ AC_RAIZ_FNMT-RCM ]
name: AC_RAIZ_FNMT-RCM
== [ Actalis_Authentication_Root_CA ]
name: Actalis_Authentication_Root_CA

[...]


Using the "show" command

The show command is less helpful, because it does not necessarily list all certificates:

FGT50E00000000 (root) #
FGT50E00000000 (root) # show vpn certificate ca
config vpn certificate ca
end

FGT50E00000000 (root) # show full-configuration vpn certificate ca
config vpn certificate ca
end


FGT50E00000000 (root) # show full-configuration | grep -f 'vpn certificate ca'
config vpn certificate ca <---
end

FGT50E00000000 (root) #

Using the "fnsysctl" command

The fnsysctl command can be more helpful:

FGT50E00000000  #
FGT50E00000000 # fnsysctl ls -la /etc/cert/local/
drwxr-xr-x    2 0    0   Wed Dec 25 21:43:14 2019        0 .
drwxr-xr-x    6 0    0   Wed Sep 18 20:39:27 2019        0 ..
-rw-------    1 0    0   Wed Sep 18 20:35:46 2019     2250 root_2020jan_sub.domain.tld.cer
-rw-------    1 0    0   Wed Sep 18 20:35:46 2019     1704 KEY-FILE
-rw-------    1 0    0   Wed Sep 18 20:35:46 2019     1407 root_Fortinet_CA_SSL.cer
-rw-------    1 0    0   Wed Sep 18 20:35:47 2019     1704 KEY-FILE
-rw-------    1 0    0   Wed Sep 18 20:35:47 2019     1419 root_Fortinet_CA_Untrusted.cer
-rw-------    1 0    0   Wed Sep 18 20:35:47 2019     1704 KEY-FILE
-rw-------    1 0    0   Wed Sep 18 20:35:47 2019     4285 root_Fortinet_Factory.cer
-rw-------    1 0    0   Wed Sep 18 20:35:47 2019     1679 KEY-FILE
[...]

FGT50E00000000  #
FGT50E00000000  # fnsysctl ls -la /etc/cert/ca
drwxr-xr-x    2 0    0   Wed Dec 25 21:41:28 2019        0 .
drwxr-xr-x    6 0    0   Wed Sep 18 20:39:27 2019        0 ..
-rw-------    1 0    0   Wed Sep 18 20:35:55 2019      119 ca_bundle_ver
-rw-------    1 0    0   Tue Jan 14 20:06:15 2020 1972 root_AC_RAIZ_FNMT-RCM.cer
-rw-------    1 0    0   Tue Jan 14 20:06:15 2020 2772 root_ACCVRAIZ1.cer
-rw-------    1 0    0   Wed Sep 18 20:35:55 2019     2041 root_ACEDICOM_Root.cer
-rw-------    1 0    0   Tue Jan 14 20:06:15 2020 2049 root_Actalis_Authentication_Root_CA.cer
-rw-------    1 0    0   Tue Jan 14 20:06:14 2020 1521 root_AddTrust_External_Root.cer
[...]

Use OpenSSL to decrypt private key


openssl rsa -in <encrypted-key-file> -out <decrypted-key-file>

Example:

Encrypted private key file: /etc/ssl/private/sub.domain.tld_201908.enc.key 
New decrypted private key file: /etc/ssl/private/sub.domain.tld_201908.key 

root@eulinxhost119:/etc/ssl/private#
root@eulinxhost119:/etc/ssl/private# openssl rsa -in ./sub.domain.tld_201908.enc.key -out sub.domain.tld_201908.key
Enter pass phrase for ./sub.domain.tld_201908.enc.key:
writing RSA key
root@eulinxhost119:/etc/ssl/private#

root@eulinxhost119:/etc/ssl/private#

The old encrypted private key file starts with:
-----BEGIN ENCRYPTED PRIVATE KEY-----

The new unencrypted private key file starts with:
-----BEGIN RSA PRIVATE KEY-----

Use OpenSSL to verify the private key

openssl rsa -in certkey.key -check

Example:

root@eulinxhost119:/
root@eulinxhost119:/etc/ssl/private# openssl rsa -in sub.domain.tld_201908.key -check
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----

[...]
-----END RSA PRIVATE KEY-----
root@eulinxhost119:/
root@eulinxhost119:/
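The two steps above (decrypt with openssl rsa, then verify with -check) leave an unencrypted key on disk, so the file mode matters as much as the command. The script below is an added example (not from the original post) that does the same decryption non-interactively with the passphrase supplied via -passin, creates the output with mode 0600 by setting umask 077 in a subshell, runs the -check verification, and confirms by comparing the RSA modulus that the decrypted file really holds the same key. The demo function generates a constructed throwaway key and passphrase in a temporary directory; the file names from the post are not used.

```shell
#!/bin/sh
# Added example: non-interactive key decryption with safe permissions and verification.
set -eu

# decrypt_key ENC_KEY OUT_KEY PASSPHRASE
# Writes the unencrypted key with mode 0600 (umask 077 inside a subshell, so the
# caller's umask is untouched). Returns non-zero if OpenSSL fails, e.g. wrong passphrase.
decrypt_key() {
    enc="$1"; out="$2"; pass="$3"
    ( umask 077 && openssl rsa -in "$enc" -passin "pass:$pass" -out "$out" )
}

# key_is_unencrypted KEY -> 0 if the first PEM line is a private-key header without "ENCRYPTED"
key_is_unencrypted() {
    head -n 1 "$1" | grep -q 'PRIVATE KEY-----' && ! head -n 1 "$1" | grep -q 'ENCRYPTED'
}

# key_check KEY -> 0 if "openssl rsa -check" reports "RSA key ok" (the post's verification step)
key_check() {
    openssl rsa -in "$1" -noout -check 2>/dev/null | grep -q '^RSA key ok'
}

# key_modulus KEY -> prints the RSA modulus; two files with the same modulus hold the same key
key_modulus() {
    openssl rsa -in "$1" -noout -modulus 2>/dev/null
}

# key_mode KEY -> prints the permission string, e.g. -rw-------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Demo with a constructed throwaway key and passphrase (not the post's real files).
demo() {
    dir=$(mktemp -d)
    pass='constructed-demo-passphrase'
    openssl genrsa -out "$dir/plain.key" 2048 2>/dev/null
    # Wrap it as an encrypted PKCS#8 file, which is what "BEGIN ENCRYPTED PRIVATE KEY" denotes.
    openssl pkcs8 -topk8 -in "$dir/plain.key" -passout "pass:$pass" -out "$dir/enc.key"
    decrypt_key "$dir/enc.key" "$dir/dec.key" "$pass" 2>/dev/null
    key_is_unencrypted "$dir/dec.key"
    key_check "$dir/dec.key"
    [ "$(key_modulus "$dir/plain.key")" = "$(key_modulus "$dir/dec.key")" ]
    echo "$dir"
}
```

Note that OpenSSL 3 writes the decrypted key in PKCS#8 form ("BEGIN PRIVATE KEY") by default; pass -traditional to openssl rsa if a consumer insists on the "BEGIN RSA PRIVATE KEY" format shown in the post.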

OpenSSL documentation and examples

OpenSSL man-page: https://www.openssl.org/docs/manmaster/man1/openssl.html
OpenSSL examples: https://wiki.openssl.org/index.php/Command_Line_Utilities

FortiGate default configuration does not verify the LDAP server identity - CVE-2019-5591

I have found a vulnerability in all FortiOS versions, including the current 5.4/5.6/6.0/6.2 branches. The issue has been fixed in 6.0.3/6.2.1 by using the new feature "server-identity-check":
 

The vulnerability is in the LDAPS connection of the FortiGate to an LDAP server. The FortiGate does not properly check the certificate sent from the LDAP server, although the correct CA certificate is configured. More details will be published later.

The Fortinet PSIRT team responded quickly, acknowledged the issue, told me that someone else had also reported it, assigned CVE-2019-5591 to it and released the following PSIRT advisory: https://fortiguard.com/psirt/FG-IR-19-037

Solution:

Update to FortiOS 6.0.3+ or 6.2.1+ and set the following option (ldap-server is the name of your LDAP server entry):

config user ldap
edit ldap-server
set server-identity-check enable
next
end
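To find LDAP server entries that still lack the setting, the following added example (not from the original post and not a Fortinet tool) audits a saved FortiOS configuration dump: every "config user ldap" entry whose "set secure" is ldaps or starttls is reported if "set server-identity-check" is not enable. Save the output of "show full-configuration" to a file before running it, since plain "show" omits values left at their default. The sample configuration in the demo is constructed, not taken from a real device; the entry names and hostnames in it are placeholders.

```shell
#!/bin/sh
# Added example: audit a FortiOS config dump for LDAP servers without server-identity-check.
set -eu

# audit_ldap_identity_check CONFIG_FILE
# Prints "<name> secure=<value> server-identity-check=<value>" for each "config user ldap"
# entry and returns 1 if any entry with secure != disable does not have "enable".
# "secure" starts as "disable", the FortiOS default for an entry that never sets it;
# server-identity-check starts as "(not set)" so a missing line is visible in the output.
audit_ldap_identity_check() {
    awk '
        /^[ \t]*config user ldap/           { inblock = 1; next }
        inblock && /^[ \t]*end/             { inblock = 0; next }
        !inblock                            { next }
        /^[ \t]*edit /                      { name = $2; gsub(/"/, "", name); secure = "disable"; check = "(not set)"; next }
        /^[ \t]*set secure /                { secure = $3; next }
        /^[ \t]*set server-identity-check / { check = $3; next }
        /^[ \t]*next/ {
            printf "%s secure=%s server-identity-check=%s\n", name, secure, check
            if (secure != "disable" && check != "enable") bad++
        }
        END { exit bad > 0 ? 1 : 0 }
    ' "$1"
}

# Constructed sample in "show full-configuration" style (placeholder names, not a real device).
write_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
config user ldap
    edit "ldap-ok"
        set server "ldap1.example.test"
        set port 636
        set secure ldaps
        set server-identity-check enable
    next
    edit "ldap-weak"
        set server "ldap2.example.test"
        set port 636
        set secure ldaps
        set server-identity-check disable
    next
    edit "ldap-plain"
        set server "ldap3.example.test"
        set port 389
        set secure disable
        set server-identity-check disable
    next
end
EOF
    echo "$f"
}

# Usage: audit_ldap_identity_check /path/to/show-full-configuration.txt
```

In the sample, ldap-weak is the entry the post's advisory is about: LDAPS with a CA configured but no identity check, so a certificate from any issuer the CA store trusts would be accepted. ldap-plain is not flagged because it does not use TLS at all, which is a separate finding.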

 

Monitor UniFi WLAN Access Point with PRTG with SNMPv3 Auth+Encrypted

This is a tiny guide howto monitor your UniFi wireless accesspoint, in this case a Unifi U7 pro with SNMPv3 with AES-Encryption and SHA-Auth...