Sign DKIM emails manually with openssl.exe - batch-file

We are deploying a console application based on batch files to send emails. We take the content from the standard input and then pass it to Bmail and the MgSMTP server.
Now we want to add a DKIM signature to the email. Since the app is written in batch, the only way to sign hashes is using openssl.exe.
I already have the body hash and the header hash, hashed with SHA-1 and encoded in base64.
The question is: how can I DKIM-sign emails?

Well, after some research I found this very useful:
OpenSSL C++ RSA sign is different from command line sign
echo "%headerhash%" | openssl rsautl -sign -inkey key.pem -out tempfile.pem
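An added example, not code from the question or the answer above, showing the whole signing step the one-liner leaves out: relaxed canonicalization of headers and body, the bh= body hash, the b= signature over the selected headers plus the DKIM-Signature header itself, and a verify with the public key. Two caveats the one-liner does not cover: `openssl dgst -sign` produces the PKCS#1 v1.5 signature with the DigestInfo prefix that DKIM verifiers expect, whereas `openssl rsautl -sign` pads a raw blob and yields a signature that RFC 6376 verifiers reject; and the example uses rsa-sha256 because RFC 8301 retired rsa-sha1, so a SHA-1 based signature is ignored by current receivers. It is written for a POSIX sh with openssl 1.1 or 3.x on PATH (the same openssl commands work from openssl.exe; the batch translation is left to the reader). The domain example.org, selector s1, the headers and the body are constructed for the demo, and the key is generated on the fly.

```sh
#!/bin/sh
# Added example (not from the original post): DKIM-sign a message with a POSIX
# shell and the openssl CLI only, then verify it. Assumes openssl 1.1 or 3.x
# on PATH. Domain "example.org", selector "s1", headers and body are
# constructed for the demo. rsa-sha256, relaxed/relaxed canonicalization.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Relaxed header canonicalization (RFC 6376 3.4.2): lowercase the field name,
# collapse whitespace runs in the value to one space, drop whitespace around
# the colon and at the end. Takes one already-unfolded "Name: value" line.
canon_header() {
  printf '%s\n' "$1" | awk -F: '{
    name = tolower($1); sub(/[ \t]+$/, "", name)
    value = substr($0, length($1) + 2)
    gsub(/[ \t]+/, " ", value); sub(/^ /, "", value); sub(/ $/, "", value)
    printf "%s:%s", name, value }'
}

# Relaxed body canonicalization (3.4.4) on stdin: CRLF line ends, whitespace
# runs collapsed, trailing whitespace and trailing empty lines removed.
canon_body() {
  tr -d '\r' | awk '
    { gsub(/[ \t]+/, " "); sub(/ $/, ""); line[NR] = $0 }
    END { n = NR; while (n > 0 && line[n] == "") n--
          for (i = 1; i <= n; i++) printf "%s\r\n", line[i] }'
}

# bh= value: base64(SHA-256(canonical body)).
body_hash() { canon_body < "$1" | openssl dgst -sha256 -binary | openssl base64 -A; }

# The bytes actually signed: each header from the file (one per line, in h=
# order) canonicalized and CRLF-terminated, then the DKIM-Signature header
# itself with an empty b= and no trailing CRLF.
sign_input() {   # headers_file dkim_header
  while IFS= read -r line; do canon_header "$line"; printf '\r\n'; done < "$1"
  canon_header "$2"
}

# Print a complete DKIM-Signature header. `openssl dgst -sign` emits PKCS#1
# v1.5 with the SHA-256 DigestInfo prefix, which is what verifiers check;
# `openssl rsautl -sign` would pad a raw blob without it.
dkim_sign() {   # key.pem domain selector headers_file body_file
  h=$(awk -F: 'NR > 1 { printf ":" } { printf "%s", $1 }' "$4")
  unsigned="DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=$2; s=$3; h=$h; bh=$(body_hash "$5"); b="
  b=$(sign_input "$4" "$unsigned" | openssl dgst -sha256 -sign "$1" | openssl base64 -A)
  printf '%s%s\n' "$unsigned" "$b"
}

# 0 iff bh= matches the body and b= verifies under the public key.
dkim_verify() {   # pub.pem headers_file body_file dkim_header
  sig=$4
  bh=$(printf '%s\n' "$sig" | sed 's/.*; bh=\([^;]*\);.*/\1/')
  [ "$bh" = "$(body_hash "$3")" ] || return 1
  b=$(printf '%s\n' "$sig" | sed 's/.*; b=//')
  printf '%s' "$b" | openssl base64 -d -A > "$WORK/sig.bin"
  sign_input "$2" "$(printf '%s\n' "$sig" | sed 's/; b=.*$/; b=/')" \
    | openssl dgst -sha256 -verify "$1" -signature "$WORK/sig.bin" > /dev/null 2>&1
}

# ---- demo with constructed inputs ----
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
openssl rsa -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null
printf '%s\n' 'From: Alice <alice@example.org>' 'To: bob@example.net' \
  'Subject:  hello   world ' > "$WORK/headers.txt"
printf 'Hi Bob,\r\n\r\n  line with   spaces   \r\n\r\n\r\n' > "$WORK/body.txt"
DKIM_HEADER=$(dkim_sign "$WORK/key.pem" example.org s1 "$WORK/headers.txt" "$WORK/body.txt")
echo "$DKIM_HEADER"
dkim_verify "$WORK/pub.pem" "$WORK/headers.txt" "$WORK/body.txt" "$DKIM_HEADER" \
  && echo "signature verifies"
```

To use it for real, replace the generated key with the selector's private key, publish the matching public key in the s1._domainkey.example.org TXT record, and insert the printed DKIM-Signature line into the message's header block before handing it to the SMTP server; the verify function is what a receiver does, and is handy for checking the batch port against this reference.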

Related

Generating GCP compatible Cloudflare SSL certificate

I'm trying to configure SSL for Google Cloud's App Engine.
You can upload your own custom SSL certificate + private key in GCP (see screenshot).
I'm using Cloudflare for DNS, and would like to use the "Full (strict)" SSL policy in Cloudflare. This would mean I have to add a certificate and key, created by Cloudflare, in GCP (in the same screenshot).
I've managed to convert the private key to a valid (PEM) format that GCP will accept. The only thing not working is the Certificate part.
When entering both certificate and key in GCP, upon clicking upload, the following error is returned:
The certificate data is invalid. Please ensure that the private key and public certificate match.
After some googling, I found the following resources in GCP's documentation, explaining I need to have the full certificate chain uploaded in the certificate field. So the next thing I tried is to concatenate my certificate from Cloudflare together with the root certificate of Cloudflare itself, as explained in the GCP docs.
So I ran the following command to create this chain:
cat domain.crt cloudflare-root-ca.crt > concat.crt
... and uploaded that one in GCP in the certificate field.
That didn't work either, even though the checksums of both the private key and the certificate chain match, as explained in the GCP docs, by running:
openssl x509 -noout -modulus -in concat.crt | openssl md5
openssl rsa -noout -modulus -in myserver.key.pem | openssl md5
...and comparing the md5 outputs.
So now I'm completely out of ideas. GCP's error messages are limited to the one above, and one other saying your PK is not in a valid format.
Same problems when trying via CLI (gcloud)
When trying this process through the cli gcloud, we get the same errors.
Trying the following command:
gcloud app ssl-certificates create --display-name example.com --certificate ./cloudflare-concat.crt --private-key cloudflare-pk.key
...yields the following error:
ERROR: (gcloud.app.ssl-certificates.create)
INVALID_ARGUMENT: Invalid certificate.
`CertificateRawData` must contain a PEM encoded x.509 public key certificate, with header and footer included,
and an unencrypted PEM encoded RSA private key, with header and footer included and with size at most 2048 bits.
The requested private key and public certificate must match.
Any help on uploading a valid certificate (from Cloudflare) and private key in GCP is much appreciated.
Update 1
I found this (cached) page describing all the root and intermediate certs of Cloudflare. I've tried a couple of them to concatenate against my domain cert, but no luck so far. It's also not clear which one to use...
Update 2
I'm beginning to think that this won't work, ever. Because I'm using an 'Origin Certificate' from Cloudflare, I believe this is a self-signed cert from Cloudflare itself, meaning that App Engine won't ever recognize this as valid.
The reason I think this is the case, is because I tried to use the cfssl tool from cloudflare to 'create a bundle-cert' automatically. The response I get from running
cfssl bundle -cert domain.crt
Returns the following result:
[INFO] bundling certificate for {Country:[] Organization:[CloudFlare, Inc.] OrganizationalUnit:[CloudFlare Origin CA] Locality:[] Province:[] StreetAddress:[] PostalCode:[] SerialNumber: CommonName:CloudFlare Origin Certificate Names:[{Type:2.5.4.10 Value:CloudFlare, Inc.} {Type:2.5.4.11 Value:CloudFlare Origin CA} {Type:2.5.4.3 Value:CloudFlare Origin Certificate}] ExtraNames:[]}
{"code":1220,"message":"x509: certificate signed by unknown authority"}
Extra info
I'm using a free Cloudflare subscription.
Everything works fine when using the 'flexible' setting from Cloudflare,
But I would like to use the 'full (strict)' setting
I discovered a recent blog post describing how to solve this.
After following the steps described, the certificate was accepted in Google Cloud, and everything worked for the 'full (strict)' SSL option in Cloudflare!
In short: it involved a bit of tweaking of the key, by manually adding 'RSA' to it, as described in the blog post.
See this link:
https://blog.woohoosvcs.com/2019/11/running-google-app-engine-behind-cloudflare/
EDIT:
This is probably the same end result as using the shell commands described by #Andrei
Can you please verify whether you are using a free or a paid Cloudflare account.
Because if you are using the free one, then I think SSL strict is not going to work; make it flexible and redirect all HTTP requests to HTTPS requests.

Google App Engine SSL with Let's Encrypt "could not be inserted"

When trying to "Add a new SSL certificate" that was generated with Let's Encrypt, using App Engine's Settings tab in Google App Engine's console, the result is a dialog error and a 400 response to the POST request.
Error
"The SSL certificate provided could not be inserted."
A previously generated (about 2 months ago - not yet expired of course) SSL key/certificate via the exact same method is inserted just fine - but any newly generated one does not. I attempted both traditional Let's Encrypt and the relatively new Certbot method. Also tried multiple subdomains, naked domains, singular domains and each results in the same error.
I've seen several people suggest that --rsa-key-size 2048 solved the same issue, but I've tried specifying that as well (even though it is the default for Certbot as is). Other answers have been "waited 2 hours and now it's working" - looking for a real solution, as unreliable inserts and expired certs can become a real pain.
If you use certbot in Apache it defaults to 4096. So force key length to 2048.
certbot-auto --rsa-key-size 2048
From docs [https://certbot.eff.org/docs/using.html]
This creates PEM certificates in /etc/letsencrypt/live/example.net
Convert to RSA (change the path in the command to your site).
sudo openssl rsa -inform pem -in /etc/letsencrypt/live/example.net/privkey.pem -outform pem > rsaprivatekey.pem
Above command is from this blog post http://blog.seafuj.com/lets-encrypt-on-google-app-engine. This also explains how to setup your webapp2 webserver.
Go to App Engine > Settings > SSL Certificates
Upload fullchain.pem
Upload rsaprivatekey.pem
The file upload button works fine - no need to paste unless its more secure.
I ran into similar problems as well a few weeks ago when trying to upload my new certificate using the same recipe I successfully used before.
What worked for me in the end was:
copy-pasting the entire content of the certificate file into the box marked Or paste the public key certificate in the box below:
and,
copy-pasting just the full key at the end of my private key .pem file into the box marked Or paste the RSA private key in the box below: (though I don't exactly recall if I included the leading -----BEGIN RSA PRIVATE KEY----- and trailing -----END RSA PRIVATE KEY----- lines or not).
I (kinda blindly) made several attempts for each of the 2 copy-paste operations with whatever crossed my mind - the success/failure feedback is immediate.
Side note - you may want to also double-check your certificate, in my case the 1st certificate file I managed to upload successfully was an incomplete one (missing intermediate entities), which appeared to be working fine from my desktop, but was failing when browsing from Android, I had to re-generate another one. I used digicert to confirm the problem and verify the 2nd certificate (following suggestions from an SO answer, of course ;)
I had this problem. I had generated the certificates in the Google Cloud Shell.
I was first trying to use the fullchain.pem, but this did not work.
/etc/letsencrypt/live/mydomain.com/cert.pem
I issued
sudo less /etc/letsencrypt/live/whysaurus.com/cert.pem
in the google cloud shell, and uploaded that as the pem 509 cert in appengine, and then it was accepted.

Is PKCS7 signing possible on Google App Engine?

I need to create a PKCS7 signature for some data using my Python app running on Google App Engine (GAE). More specifically, I am trying to create a PKCS7 signature of an Apple Passbook pass manifest; the Passbook pass requires the PKCS7 signature file to be present in order to be a complete and valid pass.
I have spent almost a week researching and trying to no avail.
I can successfully create the signature using openssl command line on my local PC with:
openssl smime -binary -sign -certfile WWDR.pem -signer certificate.pem -inkey key.pem -in manifest.json -out signature -outform DER
I can also successfully create the signature using M2Crypto library on my local PC with:
from M2Crypto import BIO, SMIME, X509
s = SMIME.SMIME()
s.load_key('identity.pem') # my certificate and private key in one PEM file
x509 = X509.load_cert('WWDR.pem') # Apple's intermediate certificate
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
with open('manifest.json', 'rb') as m: # the data to sign, read as bytes
    bio_manifest = BIO.MemoryBuffer(m.read())
p7 = s.sign(bio_manifest, SMIME.PKCS7_DETACHED | SMIME.PKCS7_BINARY)
pkcs7_buffer = BIO.MemoryBuffer()
p7.write_der(pkcs7_buffer)
f = open('signature', 'wb') # DER output is binary, so write in binary mode
f.write(pkcs7_buffer.read())
f.close()
However, M2Crypto is a wrapper to OpenSSL which is not supported on GAE.
GAE supports the pycrypto library, but it doesn't seem this library has support for PKCS7 signing.
I've also looked at tlslite, which is a pure python implementation and therefore should be supported on GAE, but it also doesn't seem to have support for PKCS7 signing.
I'm looking for guidance from anyone that has been able to successfully create a PKCS7 signature on GAE. If you could point me to a pure python library or any other solution, I'd really appreciate it.
Otherwise, I feel like I've reached the boundary of what is possible with GAE and will be looking to move my app to another platform. I'm a bit flabbergasted that it has been this difficult and that GAE doesn't support the openssl library given the importance of data security; it appears they aren't serious about providing a web app service that offers support for anything beyond the basics. Unless (hopefully) I've missed the obvious.
Thanks for any help!

Authenticate HTTPS using SSL having .crt file in c language

Can anyone tell me about HTTPS authentication using SSL? I have a .crt file. What are the files required to authenticate HTTPS? I am using cURL. Any example program in the C language to authenticate HTTPS using cURL would be highly appreciated.
Thanks in advance.
I'm assuming you're talking about libcurl, and you've looked at the example here. That uses a PEM file: from the docs for CURLOPT_SSLCERTTYPE, the supported formats are PEM and DER. Your CRT file might be in DER format, so try the code from the sample.
If you have a valid .crt client certificate that doesn't get successfully interpreted as a DER format file you can convert it to PEM format.

The SSL certificate provided could not be inserted

I use Google App Engine and am trying to add SSL for a custom domain. I use a naked domain. After the "PEM encoded X.509 public key certificate" and "Unencrypted PEM encoded RSA private key" are uploaded, "The SSL certificate provided could not be inserted." is returned. I used https://www.sslchecker.com to check that the private key and SSL certificate match. They match. What's wrong? I use key size "RSA 2048", and nothing is wrong with the ordering of the concatenated certificates. Thank you.
I spent a long time working with this error and found a solution for my problem here:
http://qiita.com/yogurito/items/550b50b262418e93da22
If I understand correctly, the key file needed to be without a password, so running:
openssl rsa -in appengine.key -out appengine-nopass.key
provided a key that GAE liked.
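An added example, not code from any of the answers above, that turns the three recipes on this page (the modulus comparison in the Cloudflare question, the `openssl rsa` rewrite in the Let's Encrypt answer, and the no-password `openssl rsa` conversion just above) into one local pre-check against the constraints App Engine prints in its gcloud error: a PEM X.509 certificate, an unencrypted PEM RSA key with the "BEGIN RSA PRIVATE KEY" header, at most 2048 bits, and a key that matches the certificate. It assumes a POSIX sh and openssl 1.1 or 3.x on PATH; the demo CA, certificate and keys are generated on the fly. One caveat the answers predate: openssl 3 writes PKCS#8 ("BEGIN PRIVATE KEY") from `openssl rsa` unless `-traditional` is given, so the conversion as posted no longer adds the RSA header there, and the helper below tries that flag first.

```sh
#!/bin/sh
# Added example (not from any answer on this page): pre-check a certificate
# and key against App Engine's stated constraints, and convert the key into
# the PKCS#1 form it wants. Assumes POSIX sh and openssl 1.1 or 3.x on PATH.
# The CA, certificate and keys below are throwaway material for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Rewrite a key as unencrypted PKCS#1 ("BEGIN RSA PRIVATE KEY"), which is what
# "adding RSA to the header" amounts to. openssl 1.1 writes that form by
# default; openssl 3 writes PKCS#8 ("BEGIN PRIVATE KEY") unless -traditional
# is given, so that flag is tried first. Prompts if the input is encrypted.
key_to_pkcs1() {   # in.pem out.pem
  openssl rsa -in "$1" -out "$2" -traditional 2>/dev/null \
    || openssl rsa -in "$1" -out "$2" 2>/dev/null
}

# Modulus size in bits of an RSA private key (empty if it cannot be read).
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# 0 iff the certificate carries the key's public key. Comparing the whole
# SubjectPublicKeyInfo is stricter than the modulus-md5 trick: it also
# catches a different public exponent or key type.
cert_key_match() {   # cert.pem key.pem
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# 0 iff leaf chains to a CA in the bundle. Run against the system roots
# instead (plain "openssl verify leaf.pem") this is the check a Cloudflare
# Origin CA certificate fails, since that CA is not publicly trusted.
chain_ok() {   # leaf.pem bundle.pem
  openssl verify -CAfile "$2" "$1" > /dev/null 2>&1
}

# Run every check; print one line per failure; 0 iff the pair should upload.
gae_precheck() {   # cert.pem key.pem
  rc=0
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || { echo "cert: not a PEM certificate"; rc=1; }
  grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$2" || { echo "key: not PKCS#1 RSA PEM"; rc=1; }
  grep -q ENCRYPTED "$2" && { echo "key: encrypted"; rc=1; }
  bits=$(key_bits "$2")
  [ -n "$bits" ] && [ "$bits" -le 2048 ] || { echo "key: ${bits:-unreadable} bits, limit is 2048"; rc=1; }
  cert_key_match "$1" "$2" || { echo "cert/key: public keys differ"; rc=1; }
  return $rc
}

# ---- demo with constructed material ----
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=Demo-Root -days 2 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl genrsa -out "$WORK/site.key" 2048 2>/dev/null
openssl req -new -key "$WORK/site.key" -subj /CN=example.com 2>/dev/null \
  | openssl x509 -req -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -set_serial 1 \
      -days 2 -out "$WORK/site.pem" 2>/dev/null
openssl genrsa -out "$WORK/big.key" 4096 2>/dev/null   # certbot's Apache default size

echo "-- before conversion (fails on openssl 3, whose genrsa writes PKCS#8):"
gae_precheck "$WORK/site.pem" "$WORK/site.key" || true
key_to_pkcs1 "$WORK/site.key" "$WORK/site-rsa.key"
echo "-- after key_to_pkcs1:"
gae_precheck "$WORK/site.pem" "$WORK/site-rsa.key" && echo "ok to upload"
echo "-- wrong key (4096-bit, and not the certificate's):"
gae_precheck "$WORK/site.pem" "$WORK/big.key" || true
chain_ok "$WORK/site.pem" "$WORK/ca.pem" && echo "-- chains to the demo CA"
```

Point gae_precheck at the real fullchain.pem and the converted key before pasting anything into the console; every failure line corresponds to one of the conditions in the gcloud error text, which is more than the console's single "could not be inserted" message tells you.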
