certificates | private certificate authority & ACME server | TLS library
kandi X-RAY | certificates Summary
step-ca is an online certificate authority for secure, automated certificate management. It's the server counterpart to the step CLI tool.
Community Discussions
Trending Discussions on certificates
QUESTION
Why is kubectl cluster-info running on the control plane and not the master node? And on the control plane it is running on a specific IP address, https://192.168.49.2:8443, and not localhost or 127.0.0.1. Running the following commands in terminal:
- minikube start --driver=docker
minikube v1.20.0 on Ubuntu 16.04
Using the docker driver based on user configuration
minikube 1.21.0 is available! Download it: https://github.com/kubernetes/minikube/releases/tag/v1.21.0
To disable this notice, run: 'minikube config set WantUpdateNotification false'
Starting control plane node minikube in cluster minikube
Pulling base image ...
    > gcr.io/k8s-minikube/kicbase...: 358.10 MiB / 358.10 MiB 100.00% 797.51 K
minikube was unable to download gcr.io/k8s-minikube/kicbase:v0.0.22, but successfully downloaded kicbase/stable:v0.0.22 as a fallback image
Creating docker container (CPUs=2, Memory=2200MB) ...
Preparing Kubernetes v1.20.2 on Docker 20.10.6 ...
    Generating certificates and keys ...
    Booting up control plane ...
    Configuring RBAC rules ...
Verifying Kubernetes components...
    Using image gcr.io/k8s-minikube/storage-provisioner:v5
Enabled addons: storage-provisioner, default-storageclass
Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
- kubectl cluster-info
Kubernetes control plane is running at https://192.168.49.2:8443
KubeDNS is running at https://192.168.49.2:8443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
...To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
ANSWER
Answered 2021-Jun-15 at 12:59
The Kubernetes project is making an effort to move away from wording that can be considered offensive, with one concrete recommendation being renaming master to control-plane. In other words control-plane and master mean essentially the same thing, and the goal is to switch the terminology to use control-plane exclusively going forward. (More info in this answer)
The kubectl command is a command line interface that executes on a client (i.e. your computer) and interacts with the cluster through the control-plane.
The IP address you are seeing through cluster-info is the IP address through which you reach the control-plane.
QUESTION
We are programmatically creating PDFs using our in-house lib (C++) by adding all the required objects so that PDF readers can render them properly. Currently we are enhancing the lib to support digital signatures in PDF. Our users will use a USB token or Windows certificates to sign the PDF. On studying a raw PDF file with a digital signature, we were able to make sense of all the objects except for the contents of the Sig type object.
...
ANSWER
Answered 2021-Jun-10 at 16:48
Ok, the signature container is embedded correctly.
But there are issues with the signature container itself:
Both in the SignedData.digestAlgorithms collection and in the SignerInfo.digestAlgorithm value you have used the OID of SHA1withRSA, but that is a full signature algorithm, not the mere digest algorithm SHA1 expected there.
Then the SHA1 hash of the signed bytes is BB78A402F7A537A34D6892B83881266501A691A8 but the hash you signed is 90E28B8A0D8E48691DAFE2BA10A4761FFFDCCD3D. This might be because you hash buffer2 and buffer2 has empty contents data (/Contents <>).
The hex string delimiters '<' and '>' also belong to the contents value and, therefore, must also be removed in buffer2.
Furthermore, your signature is very weak:
- It uses SHA1 as hash algorithm. SHA1 meanwhile has been recognized as too weak a hash algorithm for document signatures.
- It doesn't use signed attributes, neither the ESS signing certificate nor the algorithm identifier protection attribute. Many validation policies require such special attributes.
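The byte-range point made in the answer above, as an added example that is not part of the original answer or of the asker's library: a Python sketch that hashes everything except the /Contents value, delimiters included, and compares the result with the mistaken variant that leaves an empty <> in the hashed buffer. The sample PDF fragment, the function names, the simplified /Contents locator and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib

# Constructed sample: a minimal signature dictionary with a 32-digit
# placeholder where the hex-encoded CMS container would go.
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite "
              b"/Contents <" + b"0" * 32 + b"> >>\nendobj\n%%EOF\n")


def signed_ranges(pdf: bytes):
    """Return [(offset, length), (offset, length)] around the /Contents value.

    Simplified locator (assumption): the first '<' after the /Contents key
    opens the hex string and the next '>' closes it.
    """
    key = pdf.index(b"/Contents")
    start = pdf.index(b"<", key)       # '<' is part of the excluded value
    end = pdf.index(b">", start) + 1   # so is '>'
    return [(0, start), (end, len(pdf) - end)]


def digest_ranges(pdf: bytes, ranges, algo: str = "sha256") -> str:
    """Hash only the bytes covered by the given ranges."""
    h = hashlib.new(algo)
    for offset, length in ranges:
        h.update(pdf[offset:offset + length])
    return h.hexdigest()


def digest_with_empty_contents(pdf: bytes, algo: str = "sha256") -> str:
    """The mistaken variant: hex digits removed, '<>' left in the buffer."""
    (_, start), (end, _) = signed_ranges(pdf)
    buffer2 = pdf[:start] + b"<>" + pdf[end:]
    return hashlib.new(algo, buffer2).hexdigest()


if __name__ == "__main__":
    ranges = signed_ranges(SAMPLE_PDF)
    print("ByteRange:", [n for r in ranges for n in r])
    print("correct  :", digest_ranges(SAMPLE_PDF, ranges))
    print("with '<>':", digest_with_empty_contents(SAMPLE_PDF))
```
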
QUESTION
So I've a bit of a problem relating to Mongo and SSL Certificates. NOT hosting the mongo instance (other answers aimed at self-hosters).
The error I am getting is:
...
ANSWER
Answered 2021-Jun-14 at 13:31
Mongo Atlas recently changed root certificates from IdenTrust to ISRG. They rotate certificates every 45 days. Your cluster started to use the new root CA on the last scheduled rotation.
Something like this should tell you what CN is being used:
QUESTION
I have an OpenID Connect server (OpenIDdict) and an asp.net core webapp in containers behind a TLS termination proxy. In production, all communication between the webapp and the OIDC server can go through the 'outside', based on their public names. However, in development, I'm using self signed certificates that aren't trusted by the containers running the apps, only by my host pc. Because of that, in development, the webapp can redirect the browser to the OIDC server just fine, but when it, for instance, needs to call the token endpoint, it will fail, because the certificate isn't trusted.
A possible solution would be to have the server to server communication go through the internal container network, but I haven't been able to get that to work. Is there a way to make the asp.net core OpenID Connect middleware use a different url (and protocol) for server to server communication?
Another solution would be to install the self signed certificates in the containers, but because that's only needed in development, it seems bad practice to burden the images with that. Is that assessment correct?
I'm hoping I'm missing the most obvious solution. Any ideas?
...
ANSWER
Answered 2021-Jun-14 at 12:33
This is what I ended up doing:
- I added a custom domain to the hosts file of my pc, pointing to itself.
- Using openssl, I created a rootDevCA.crt and added it to the trusted root on my pc and in all the container images.
- With that root certificate, I signed a new certificate for the custom domain and supplied that (including its key) to the proxy.
As long as I keep the key file for the root certificate far away from my source code, there should be no security issues.
QUESTION
Right now I am developing a web app which has the ability to connect to a thermal printer. I am using the Angular framework, and I successfully connected the thermal printer over USB using the library ng-thermal-printer. But I also want my web app to be able to connect to the thermal printer via Web Bluetooth, which is BLE (Bluetooth Low Energy). As far as I know, BLE has a specification in terms of GATT and has services and characteristics in it.
The progress I have made so far: I can connect and send a value to the thermal printer device in a Service and a Characteristic, let's say Service with UUID AS and Characteristic with UUID AC, using my Android phone with the help of an application named nRF Connect. Targeting Service AS and sending a hexadecimal value to characteristic AC lets me successfully print something on the thermal paper.
But there is a problem. After finding the right service and characteristic, I implemented it in my project. But my Chrome browser console showed errors:
- Origin is not allowed to access any service... and it told me to add optionalServices when calling requestDevice()
- After I added Service AS in property optionalServices, the console showed error DOMException: Connection failed for unknown reason. The errors showed both in chrome PC and chrome android.
NB:
- I have enabled Experimental Web Platform features on chrome
- I have enabled Use the new permissions backend for Web Bluetooth on chrome
- I have enabled Allow invalid certificates for resources loaded from localhost. on chrome
- I have enabled Enable new USB backend on chrome
- I have used https.
Additional question: is the Bluetooth connection that the application nRF Connect uses different from BLE? If so, why does it display services and characteristics?
...
ANSWER
Answered 2021-Jun-14 at 07:34
I'd recommend you try sending those hex values directly from the about:bluetooth-internals page and see if you can reproduce the connection error from there as well. See https://web.dev/bluetooth/#tips
If so, check out https://www.chromium.org/developers/how-tos/file-web-bluetooth-bugs to learn how to properly file a chromium bug so that the team can fix the underlying issue.
If not, could you share your JS code so that we can help you diagnose what could be going wrong in your code?
QUESTION
When I try to clone a repository with the command
...
ANSWER
Answered 2021-May-14 at 14:40
Setting GIT_SSL_NO_VERIFY works for me:
QUESTION
How SSL works is well known, as it's quite widely used and described well everywhere. In short, SSL involves
- Verifying server authenticity by client by verifying the server's X.509 certificate.
- Then arriving at a symmetric key using the Diffie-Hellman key exchange algorithm.
But I am not sure what happens with security.protocol=SASL_SSL. Client and server communication in a few technologies like Kafka relies on this security protocol as one of the options. Here I am worried about point 1 above. If I get a wrong broker address (as a trick) from someone, does SASL_SSL verify the server certificate or not, is my question. If it does, then I can be sure that the received broker is not genuine and my application will not publish or subscribe to messages from this server and my data is safe.
Edit 1: Following @steffen-ullrich's answer and comments, and a little more digging, I see the below. It looks like the certificate validation is happening when used through Chrome and probably it's loaded in the cacerts too. So the Java code is able to authenticate the server, so it seems OK.
Edit 2: Right, the certificates DST and ISRG are preloaded in the JDK 11 cacerts, so the client is able to authenticate the server as commented by Stephen.
...
ANSWER
Answered 2021-Jun-13 at 02:57
What you are asking is related to another configuration; please read the following description.
ssl.endpoint.identification.algorithm
The endpoint identification algorithm used by clients to validate server host name. The default value is https. Clients including client connections created by the broker for inter-broker communication verify that the broker host name matches the host name in the broker's certificate. Disable server host name verification by setting ssl.endpoint.identification.algorithm to an empty string.
Type: string
Default: https
Importance: medium
QUESTION
I'm having trouble deploying a hostNameBinding with a certificate at the same time with this code:
...
ANSWER
Answered 2021-Jun-12 at 12:21
You need to use a module.
There's example with function app: https://github.com/Azure/bicep/tree/main/docs/examples/301/function-app-with-custom-domain-managed-certificate
QUESTION
kubectl version
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.0", GitCommit:"cb303e613a121a29364f75cc67d3d580833a7479", GitTreeState:"clean", BuildDate:"2021-04-08T21:16:14Z", GoVersion:"go1.16.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.1", GitCommit:"5e58841cce77d4bc13713ad2b91fa0d961e69192", GitTreeState:"clean", BuildDate:"2021-05-12T14:12:29Z", GoVersion:"go1.16.4", Compiler:"gc", Platform:"linux/amd64"}
...
ANSWER
Answered 2021-Jun-12 at 02:54
I notice that you're connecting to https://mydomain.dev, but passing a host header for a different domain. My guess would be that curl is sending an SNI request for a mydomain.dev cert; since networking-ns-cert will acquire wildcard certs for *..my domain.dev, it's possible that the server doesn't have a cert matching the SNI request, and closes the TCP connection.
Try using the -kvv options to curl (instead of -v) to print more verbose debugging information and bypass some SSL errors. Since you have DNS and certs set up, I'd try:
curl -kvv https://helloworld-go.default.mydomain.dev
QUESTION
I have Zookeeper and Apache Kafka servers running on my Windows computer. The problem is with a Spring Boot application: it reads the same messages from Kafka whenever I start it. It means the offset is not being saved. How do I fix it?
Versions are: kafka_2.12-2.4.0, Spring Boot 2.5.0.
In Kafka listener bean, I have
...
ANSWER
Answered 2021-Jun-10 at 15:19
Your issue is here: enable.auto.commit = false. If you are not manually committing offsets after consuming messages, you should configure this to true.
If this is set to false, after consuming messages from Kafka, there is no feedback to Kafka whether you read them or not. Then after you restart your consumer it will send messages from the start. If you enable this, your consumer makes sure it will automatically send your last read offset to Kafka. Then Kafka saves that offset in the __consumer_offsets topic with your consumer group_id, the topic you consumed and the partition.
Then after you restart the consumer, Kafka reads your last position from the __consumer_offsets topic and sends from there.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported