Problem creating a self signed certificate

[Valeriob]

Hi,

i'm using the following openssl command to create csr and key : 

openssl req -new -newkey rsa:4096 -nodes -sha256 -subj "/C=/ST=/L=/O=Valerio/OU=/CN=Valerio" -config config.txt -keyout key.txt -out csr.txt

with config.txt:

[req]
default_bits = 4096
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
[ req_ext ]
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth

then i sign it :

openssl x509 -req -in csr.txt -signkey key.txt -out server.crt

and export it to pfx :
openssl pkcs12 -export -out valerio.pfx -inkey key.txt -in server.crt

when i upload the .pfx file to ravendb wizard i get the following exception : 

"System.InvalidOperationException: Failed to load the uploaded certificate. Did you accidentally upload a client certificate? ---> Org.BouncyCastle.Security.EncryptionException: Server certificate from Setup Wizard must be defined with the following 'Enhanced Key Usages': Client Authentication (Oid 1.3.6.1.5.5.7.3.2) & Server Authentication (Oid 1.3.6.1.5.5.7.3.1)
↵   at Raven.Server.ServerWide.SecretProtection.ValidateKeyUsages(String source, X509Certificate2 loadedCertificate) in C:\Builds\RavenDB-4.1-Patch\41009\src\Raven.Server\ServerWide\SecretProtection.cs:line 729
↵   at Raven.Server.Web.System.SetupHandler.GetHosts() in C:\Builds\RavenDB-4.1-Patch\41009\src\Raven.Server\Web\System\SetupHandler.cs:line 459
↵   --- End of inner exception stack trace ---
↵   at Raven.Server.Web.System.SetupHandler.GetHosts() in C:\Builds\RavenDB-4.1-Patch\41009\src\Raven.Server\Web\System\SetupHandler.cs:line 463
↵   at Raven.Server.Routing.RequestRouter.HandlePath(RequestHandlerContext reqCtx) in C:\Builds\RavenDB-4.1-Patch\41009\src\Raven.Server\Routing\RequestRouter.cs:line 129
↵   at Raven.Server.RavenServerStartup.RequestHandler(HttpContext context) in C:\Builds\RavenDB-4.1-Patch\41009\src\Raven.Server\RavenServerStartup.cs:line 173"

I do not understand how to correctly generate a certificate with those attributes.

Thanks

Valerio

[if...@ravendb.net]

Hi Valerio,

Can you please check your pem certificate (.crt) to see if the correct extended key usage was added?

Trying to understand if the problem is with converting pem->pfx or if the problem was during generation of the pem.

openssl x509 -in server.crt -text -noout

If I test it on a valid certificate it shows:

 X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication

[Valeriob]

Exactly,

those properties are not present on the .crt file.

Valerio

[if...@ravendb.net]

Yes, generating a certificate using openssl config files is not easy and is out of scope for this mailing list.

By the way, this is why we build the automated Let's Encrypt certificate solution in the setup wizard.

I understand you want to use a self signed certificate. I'd say the easiest way to do that is to use our Windows script:

https://github.com/ravendb/ravendb/blob/v4.1/scripts/certificates/powershell/generate-server-cert.ps1

If you must use openssl, you can take a look at the linux scripts at:

https://github.com/ravendb/ravendb/tree/v4.1/scripts/certificates/bash

These scripts were meant for internal development, a while ago, and are not guaranteed to work.

Sincerely,

Iftah Ben Zaken

[Valeriob]

Thanks,

that's helped, it required too much openssl foo to do it myself :D

Valerio

[Valeriob]

Hi,

sorry to expand on this, but i'm really having hard time to use RavenDB with a self signed certificate from an azure web app.

I've created an Azure Linux Web App, when it tries to connect to the database url i get this error (more lines on the attached file): 

2019-03-27T10:18:30.582368417Z System.AggregateException: Failed to retrieve database topology from all known nodes.

2019-03-27T10:18:30.582484918Z https://default-db.francecentral.cloudapp.azure.com -> The SSL connection could not be established, see inner exception. -> The remote certificate is invalid according to the validation procedure. (The SSL connection could not be established, see inner exception.) ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

2019-03-27T10:18:30.582558719Z    at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)

It works if i run the web app on my pc (with user privileges) connecting to the same database, and i'm importing the certificate with this code : 

 var clientCertificate = new X509Certificate2("cluster.server.certificate.pfx", "pwd", X509KeyStorageFlags.UserKeySet);

Thanks for the help

Valerio

[Iftah Ben Zaken]

Can you try with X509KeyStorageFlags.MachineKeySet instead?

Iftah Ben Zaken Core Team Developer   /   Hibernating Rhinos LTD E-mail:    if...@ravendb.net Support:  sup...@ravendb.net Skype:  live:iftahbe

--
You received this message because you are subscribed to the Google Groups "RavenDB - 2nd generation document database" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ravendb+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Valeriob]

Thanks Oren

i just tried again and i got the same error, i also tested with those flags  X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable

Valerio

[Iftah Ben Zaken]

Since you're using a self-signed certificate, did you add the CA to the server you are running on?

Because if you used our script ( https://github.com/ravendb/ravendb/blob/v4.1/scripts/certificates/powershell/generate-server-cert.ps1 ) on your dev machine it registered the CA for you.

But in the Azure server, this CA is unknown and that could be the reason why it fails the TLS handshake.

Iftah Ben Zaken Core Team Developer   /   Hibernating Rhinos LTD E-mail:    if...@ravendb.net Support:  sup...@ravendb.net Skype:  live:iftahbe

[Valeriob]

Hi Iftah,

thanks ! i think you are right, because removing the CA from my pc i was able to reproduce the problem.

Now the question is, how do i pass this CA to the Azure Linux Web Site ? I do not think this scenario is supported :(

https://stackoverflow.com/questions/41776109/installing-certificates-to-the-trusted-root-certificate-store-on-azure-web-apps

https://stackoverflow.com/questions/33884634/how-can-i-trust-an-active-directory-root-ca-certificate-in-an-azure-web-applicat

I tried to force it via System.Net.ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => { return true; }; but i think that httpclient uses a different validation function, because i tried to throw an exception (instead of return true) and it's not fired.

Valerio

[Oren Eini (Ayende Rahien)]

Are you talking about RavenDB failing because of this? You need to customize the RavenDB HttpClient

Use RequestExecuter.RemoteCertificateValidationCallback

--
You received this message because you are subscribed to the Google Groups "RavenDB - 2nd generation document database" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ravendb+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Oren Eini CEO   /   Hibernating Rhinos LTD Mobile:  +972-52-548-6969 Sales:  sa...@ravendb.net Skype:  ayenderahien Support:  sup...@ravendb.net

[Valeriob]

That's what i was looking for !

Thanks Oren, now it works!

Valerio