Unable to use SSL Certificates in SQL Server on Linux

Hello everyone, so here is the problem:

SQL Server 2019 installed on Ubuntu 20.04 (working before setting SSL certificates)

I was following the Official guide of Microsoft to secure my SQL server with SSL on Ubuntu 20.04.

I first tried using CA certificates created with Certbot and Let’s Encrypt directly. I spent hours trying without any luck.

So I decided to try the tutorial as it was, with self-signed certificates, following the guide AS IS without any change.

These are my commands:

root@racknerd:~# openssl req -x509 -nodes -newkey rsa:2048 -subj '/CN=beta.mydomain.com' -keyout mssql.key -out mssql.pem -days 365
Generating a RSA private key
................+++++
.......................................................................................+++++
writing new private key to 'mssql.key'
-----
root@racknerd:~# sudo chown mssql:mssql mssql.pem mssql.key
root@racknerd:~# sudo chmod 600 mssql.pem mssql.key
root@racknerd:~# sudo mv mssql.pem /etc/ssl/certs/
root@racknerd:~# sudo mv mssql.key /etc/ssl/private/
root@racknerd:~# sudo /opt/mssql/bin/mssql-conf set network.tlscert /etc/ssl/certs/mssql.pem
SQL Server needs to be restarted in order to apply this setting. Please run
'systemctl restart mssql-server.service'.
root@racknerd:~# sudo /opt/mssql/bin/mssql-conf set network.tlskey /etc/ssl/private/mssql.key
SQL Server needs to be restarted in order to apply this setting. Please run
'systemctl restart mssql-server.service'.
root@racknerd:~# sudo /opt/mssql/bin/mssql-conf set network.tlsprotocols 1.2
SQL Server needs to be restarted in order to apply this setting. Please run
'systemctl restart mssql-server.service'.
root@racknerd:~# sudo /opt/mssql/bin/mssql-conf set network.forceencryption 0
SQL Server needs to be restarted in order to apply this setting. Please run
'systemctl restart mssql-server.service'.
root@racknerd:~# systemctl stop mssql-server

Obviously I used a real domain that is mapped to this machine’s IP, but this is not the problem.
Following Microsoft’s guide I restart the service and I keep getting this error:

Unable to open one or more of the user-specified certificate file(s)

2021-01-16 08:58:05.35 spid23s     Error: 49940, Severity: 16, State: 1.
2021-01-16 08:58:05.35 spid23s     Unable to open one or more of the user-specified certificate file(s). Verify that the certificate file(s) exist with read permissions for the user and group running SQL Server.
2021-01-16 08:58:05.37 spid23s     Error: 49939, Severity: 16, State: 1.
2021-01-16 08:58:05.37 spid23s     Unable to initialize user-specified certificate configuration. The server is being shut down. Verify that the certificate is correctly configured. Error(30). State(51).
2021-01-16 08:58:05.39 spid21s     SQL Trace was stopped due to server shutdown. Trace ID = '1'. This is an informational message only; no user action is required.

This is the same error that I get when I do the process using the Let’s Encrypt certificates. So I suppose that, given I set the right permissions and the right owner on the certificates, either there is something wrong with Microsoft’s official documentation or there is no way to make this work. I saw that someone else had the same problems but didn’t find any fix for that; has something changed since then?

Many thanks
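Error 49940 is a plain file-access failure, and the steps in the post leave one thing unchecked: the key is owned by mssql with mode 600, but it was moved into /etc/ssl/private, which on Ubuntu is owned by root:ssl-cert with mode 0710, so a user that is not in the ssl-cert group cannot enter that directory at all, whatever the mode of the key inside it. The following added example (editor's code, not part of the post or of Microsoft's guide) emulates the permission check the mssql process has to pass and walks a real path with GNU stat(1). The uid/gid numbers, the ssl-cert gid, the two fixes and the /var/opt/mssql location are assumptions for the demo; only classic mode bits are modelled (no ACLs, capabilities or root override).

```shell
#!/bin/sh
# Editor's added example (not from the post, not from Microsoft's guide).
# Emulates the POSIX mode-bit check a process running as mssql must pass to
# read a key file: search (x) on every directory in the path, then read (r)
# on the file. Only classic mode bits are modelled: no ACLs, no capabilities,
# no root override. Numbers in demo() are constructed for illustration.
set -e

# can_access <mode-octal> <owner-uid> <owner-gid> <r|x> <uid> [gid ...]
# Returns 0 when a process with <uid> and those groups has the requested bit.
can_access() {
  local mode ouid ogid want uid bit shift_by g
  mode=$(( 0$1 )); ouid=$2; ogid=$3; want=$4; uid=$5; shift 5
  case $want in r) bit=4 ;; x) bit=1 ;; *) return 2 ;; esac
  shift_by=0                                   # "other" triple unless matched below
  if [ "$uid" = "$ouid" ]; then
    shift_by=6                                 # owner triple wins, even if group grants more
  else
    for g in "$@"; do
      if [ "$g" = "$ogid" ]; then shift_by=3; break; fi   # group triple
    done
  fi
  [ $(( (mode >> shift_by) & bit )) -ne 0 ]
}

# explain_access <uid> <gid[,gid...]> </canonical/absolute/path>
# Walks the real filesystem with GNU stat(1) and reports the first component
# that stops <uid>. Returns 0 only if every step passes.
explain_access() {
  local euid egids rest cur part want st
  euid=$1; egids=$(printf '%s' "$2" | tr ',' ' '); rest=${3#/}; cur=""
  while [ -n "$rest" ]; do
    part=${rest%%/*}
    case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
    cur="$cur/$part"
    if [ -z "$rest" ]; then want=r; else want=x; fi    # last component is the file itself
    if ! st=$(stat -c '%a %u %g' "$cur" 2>/dev/null); then
      echo "$cur: does not exist or cannot be stat'ed"; return 1
    fi
    # $st and $egids are meant to word-split into separate arguments
    if ! can_access $st "$want" "$euid" $egids; then
      echo "$cur: uid $euid lacks '$want' (mode uid gid: $st)"; return 1
    fi
  done
  echo "$3: readable by uid $euid"
}

demo() {
  # Constructed scenario: mssql is uid 999/gid 999 and not in ssl-cert (gid 120);
  # /etc/ssl/private is root:ssl-cert 0710 (Ubuntu default); the key was chowned
  # to mssql and chmod 600 exactly as in the post.
  local v
  if can_access 710 0 120 x 999 999; then v="private-dir=ok"; else v="private-dir=denied"; fi
  if can_access 600 999 999 r 999 999; then v="$v key=ok"; else v="$v key=denied"; fi
  # Fix A (assumed): put mssql in the ssl-cert group, so the group triple applies.
  if can_access 710 0 120 x 999 999 120; then v="$v in-ssl-cert=ok"; else v="$v in-ssl-cert=denied"; fi
  # Fix B (assumed): keep the key in a 0750 directory owned by mssql, e.g. under /var/opt/mssql.
  if can_access 750 999 999 x 999 999; then v="$v own-dir=ok"; else v="$v own-dir=denied"; fi
  echo "$v"
}
demo
```

On the server itself, `explain_access "$(id -u mssql)" "$(id -G mssql | tr ' ' ',')" /etc/ssl/private/mssql.key` shows which path component stops the mssql user; the same walk applies to the .pem under /etc/ssl/certs, which on Ubuntu is world-searchable and therefore usually passes.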

Certificates in docker local registry

I’m trying to set up a Docker local registry within my university network. Since they offer certificates from RedIRIS, I requested one, so I now have three different files:

  1. cert.pem
  2. intermediate.pem
  3. chain.pem

In addition to this, I kept my .key and .csr as well. Following the Docker website example (https://docs.docker.com/registry/deploying/#get-a-certificate)

-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt

I’m not able to understand how to concatenate/transform those PEM files into the domain.crt file I need; all my attempts led to the Docker local registry treating the cert as self-signed.

Thank you very much in advance, and I’m really sorry if this question is dumb; my knowledge of system administration is minimal.

Do certificates always contain non-sensitive data?

Generally speaking, are certificates always non-sensitive? In the form of X.509 certs, it’s really just a public key and some metadata, right?

I see some things that call “certificates” the combination of the X.509 public key certificate and the private key. But that’s not really a certificate at that point (PKCS#12), right? That’s more of a “bundle”?

Am I missing something, or is the word “certificate” maybe misused at times? Thanks in advance!

How do browsers verify certificates?

Correct me if I am wrong.
The browser gets the SSL certificate from the web server; then the browser gets, from that SSL certificate, the digital signature that was encrypted by the certificate authority’s private key. Then the browser decrypts it using the certificate authority’s public key that is present in the SSL certificate.
In this way SSL finds the hash of the whole certificate; then the browser connects to the certificate authority and sends this hash, and then the certificate authority compares the hash that the browser sent with the hash that the certificate authority has, and if they match the certificate is valid.
Is this explanation right?

certificates – Is this nginx config suitable to enforce proper authorization?

Scenario

I have a website secret.example.com, which contains information which must not be disclosed to third parties. In order to protect the information, TLS client authentication was chosen. Whether or not a client is authorized depends on them possessing a client certificate which is signed by the internal CA.

The Configuration

The following snippets of the configuration file provide the client authentication:

ssl_client_certificate  /etc/ssl/nginx/secret.example.com/cert/ca.pem;
ssl_verify_client       on;

The file ca.pem contains a self-signed certificate authority, created via the following openssl command:

 openssl req -new -x509 -nodes -days 1460 -key ca.key.pem > ca.pem

Client certificates would then be signed by this root CA.

What I have tried so far

  1. Send a certificate signed by the CA – This results, as expected, in the website being displayed correctly.
  2. Send no certificate – This results in an error returned by the server, claiming no client certificate was sent.
  3. Send a self-signed certificate by a CA with the same details as the real CA – This results in the error message “The SSL certificate error”, which is not very descriptive, but still does not allow an attacker to see the confidential information.

My question

Is this configuration sufficient to enforce proper authorization? Or does an attacker have any possibility to still access the confidential information?


In order to scope the question further, the following scenarios are explicitly not in the scope of the question:

  • Vulnerabilities in nginx (however, “gotchas” in the configuration are in scope)
  • Disclosure of information through other sites (e.g. debug.example.com allowing LFI)
  • Direct attacks on the physical server
  • Attacks on the machine of a user, causing disclosure of a client certificate and private key
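Three of the questions above come down to the same mechanics: which certificates go into the registry's domain.crt and in what order, how a client validates a chain, and what nginx's `ssl_verify_client on` actually proves about a client certificate. The following added example (editor's code, not from any of the posts and not from Docker, RedIRIS or nginx) builds a throwaway PKI with the openssl CLI and runs each check. All names, subjects, the work directory and the minimal openssl.cnf are constructed for the demo; the flags used exist in OpenSSL 1.1.1 and 3.x. For the registry: domain.crt is the leaf certificate followed by its intermediate(s); the root is not needed in the file because it has to be in the client's trust store anyway, and running bundle_order on cert.pem, intermediate.pem and chain.pem first shows what each actually holds. For browsers: validation is an offline signature check up to a locally trusted root, and nothing is sent to the CA. For nginx: the look-alike CA with identical details fails because its key is not the key behind ca.pem.

```shell
#!/bin/sh
# Editor's added example (not code from any post above). A throwaway PKI made
# with the openssl CLI, used to show three things the questions turn on:
#  (1) registry: domain.crt is the leaf certificate followed by its intermediate
#      (not the root), and the order can be checked;
#  (2) browsers: validating a chain is an offline signature check against the
#      issuer's public key up to a locally trusted root; no CA is contacted;
#  (3) nginx ssl_verify_client: a client certificate passes only if it was
#      signed by the key behind ca.pem; a look-alike CA with the same DN fails.
# All names, subjects and directories are constructed for the demo.
set -e

write_conf() {  # minimal openssl.cnf so nothing depends on the system default
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:registry.example.internal
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

mk_ca() {  # mk_ca <name> <subject>: self-signed CA certificate + key
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -days 30 -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue() {  # issue <name> <subject> <ca-name> <extension-section>
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 30 -extfile "$WORK/openssl.cnf" -extensions "$4" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# (1) What the registry's REGISTRY_HTTP_TLS_CERTIFICATE file should contain.
assemble_chain() { cat "$1" "$2" > "$3"; }  # assemble_chain <leaf> <intermediate> <out>

bundle_order() {  # bundle_order <bundle>: subject/issuer of every cert, in file order
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

leaf_first() {  # leaf_first <bundle> <name>: true if the first cert's subject contains <name>
  bundle_order "$1" | grep '^subject=' | sed -n '1p' | grep -q -- "$2"
}

# (2)/(3) The check itself: trusted anchors, the cert, optional untrusted
# intermediates, optional purpose. Exit status is the verdict.
verify_cert() {  # verify_cert <trusted.pem> <cert.pem> [untrusted.pem] [purpose]
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} ${4:+-purpose "$4"} "$2" >/dev/null 2>&1
}

outcome() { local l; l=$1; shift; if "$@"; then echo "$l=ok"; else echo "$l=fail"; fi; }

demo() {
  WORK=$(mktemp -d); write_conf
  mk_ca root "/CN=Demo Root"
  mk_ca other "/CN=Unrelated Root"
  issue inter "/CN=Demo Intermediate" root ca_ext
  issue leaf "/CN=registry.example.internal" inter server_ext
  assemble_chain "$WORK/leaf.pem" "$WORK/inter.pem" "$WORK/domain.crt"
  outcome order leaf_first "$WORK/domain.crt" registry.example.internal
  # The verifier holds only the root; the intermediate arrives untrusted, as a
  # server sends it. Swapping in a different root breaks the signature check.
  outcome chain verify_cert "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/inter.pem" sslserver
  outcome wrongroot verify_cert "$WORK/other.pem" "$WORK/leaf.pem" "$WORK/inter.pem" sslserver
  # Client auth: the rogue CA carries the same DN but a different key pair.
  mk_ca clientca "/CN=secret.example.com internal CA"
  mk_ca rogue "/CN=secret.example.com internal CA"
  issue client "/CN=alice" clientca client_ext
  issue rogueclient "/CN=alice" rogue client_ext
  outcome client verify_cert "$WORK/clientca.pem" "$WORK/client.pem" "" sslclient
  outcome rogue verify_cert "$WORK/clientca.pem" "$WORK/rogueclient.pem" "" sslclient
  rm -rf "$WORK"
}
demo
```

Two things the nginx snippet does not cover: `ssl_verify_client on` checks the chain only, so a revoked client certificate still passes unless `ssl_crl` points at a current CRL; and `ssl_verify_depth` defaults to 1, which is enough while ca.pem signs clients directly but not once an intermediate sits between them. The directives also apply per server block, so every server block that can answer for secret.example.com (including the default server that a request without a matching SNI name lands on) needs them.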

openssl – I need to use an SSL certificate for Linux and Windows. Will my Linux certificates stop working if I re-issue a certificate for my Windows Server?

I am new to this whole SSL thing. I need to use the wildcard certificate I bought on multiple Linux servers and a Windows server. I already installed (?) them on the Linux servers, but I’m having problems installing them on Windows (following this: https://www.thesslstore.com/knowledgebase/ssl-install/microsoft-iis-8-ssl-installation/). I am assuming that I need to re-issue a new certificate for the Windows server since it is using IIS 7. My question is, if I reissue the certificate with a new public key, will the already installed certificates stop working? Apologies for the beginner question, I just want to make sure I’m doing things right.
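Two things that the certificate-sensitivity question above and this one turn on, shown with openssl (editor's added example, not code from either post; certificate names, paths and the password are constructed): a .crt/.pem certificate carries only the public key and metadata, while the .pfx (PKCS#12) file the IIS import wizard consumes bundles that certificate with its private key, which is what makes the bundle a secret even though the certificate is not. A reissue means a new key pair, and the example also shows that a reissued certificate no longer matches the key already deployed on the Linux servers; whether the CA revokes the replaced certificate on reissue is the CA's policy and is worth checking with them.

```shell
#!/bin/sh
# Editor's added example (not code from either post). Shows what is and is not
# secret in each file, that key and certificate can be checked to belong
# together, and how the pair is packaged as PKCS#12 for the Windows import
# wizard. Certificate names, paths and the password are constructed.
set -e

has_private_key() {  # has_private_key <file.pem>: true if PEM private key material is present
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

key_matches_cert() {  # key_matches_cert <key.pem> <cert.pem>: same public key on both sides?
  local a b
  a=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  b=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

to_pfx() {  # to_pfx <key.pem> <cert.pem> <out.pfx> <password> [chain.pem]
  openssl pkcs12 -export -inkey "$1" -in "$2" ${5:+-certfile "$5"} \
    -name "wildcard certificate" -out "$3" -passout "pass:$4"
}

pfx_contents() {  # pfx_contents <file.pfx> <password>: prints "keys=N certs=M"
  local dump
  dump=$(openssl pkcs12 -in "$1" -nodes -passin "pass:$2" 2>/dev/null)
  printf 'keys=%s certs=%s\n' \
    "$(printf '%s\n' "$dump" | grep -c -- '-----BEGIN .*PRIVATE KEY-----')" \
    "$(printf '%s\n' "$dump" | grep -c -- '-----BEGIN CERTIFICATE-----')"
}

demo() {
  local dir
  dir=$(mktemp -d)
  # Constructed stand-ins: the deployed key/cert pair, and a "reissued" pair (new key).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=*.example.test' \
    -keyout "$dir/site.key" -out "$dir/site.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=*.example.test' \
    -keyout "$dir/reissued.key" -out "$dir/reissued.crt" 2>/dev/null
  if has_private_key "$dir/site.crt"; then echo crt-secret=yes; else echo crt-secret=no; fi
  if key_matches_cert "$dir/site.key" "$dir/site.crt"; then echo pair=match; else echo pair=mismatch; fi
  if key_matches_cert "$dir/site.key" "$dir/reissued.crt"; then echo reissued=match; else echo reissued=mismatch; fi
  to_pfx "$dir/site.key" "$dir/site.crt" "$dir/site.pfx" demo-password
  pfx_contents "$dir/site.pfx" demo-password      # the .pfx is the secret: it holds the key
  rm -rf "$dir"
}
demo
```

Treat the .pfx like the .key: transfer it over an authenticated channel and delete it from the Windows host once imported. With OpenSSL 3 the default PKCS#12 encryption (AES-256-CBC with PBKDF2) may be rejected by older Windows releases such as the IIS 7 host in the question; if the import fails with a password error, add `-legacy` to the `openssl pkcs12 -export` call.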

certificates – How does this unsigned exe launch without the windows 10 SmartScreen warning?

So, I have been working on my own project, for which I have been looking into certificates and such. While browsing Reddit I found a game whose exe file I could launch, expecting to get a Windows 10 warning message, such as occurs for most games on itch.io and for my own unsigned applications. To my surprise, however, the game just straight up launched without any Windows 10 SmartScreen warning appearing. This is despite the program not appearing to have any digital signature in the file properties.

How is this possible?

I can only think that it was signed, but for some reason it is not showing that the program is signed.

The game was MidBoss (a legitimate game which is on itch.io and Steam), whose Windows main download I got from: https://midboss.net/classic/

I expected to get a warning like this, but no warnings whatsoever were displayed.
[screenshot: Windows 10 SmartScreen warning]

The properties of this application have no Digital Signatures tab.
[screenshot: Properties of the application]

Unlike this application, which has been signed.
[screenshot: Application which was signed]

interaction design – Best UX online courses and certificates for a software developer

I could not recommend the Nielsen Norman Group seminars more. NNG is the very top UX consulting agency. Since the beginning of the lockdown they have switched (very effectively) to an online format.

I’ve been attending their offline and online courses for over 3 years now. Can’t stress enough how insightful the classes are. Check it out!

Particularly for a software developer who would like to know more about UX (kudos for that, btw), I would recommend their Lean/Agile UX seminars, or anything you find useful in their seminar offering.

tls – How can I locate and purchase SSL certificates that contain a specific trust chain?

I am dealing with a unique scenario where I have a mobile app that cannot be updated on the App Store and has implemented SSL pinning. The issue is that the app pins against Let’s Encrypt, which will now be moving to new certificates that are not pinned. As a backup, the app pinned a number of other certificates:

@"nKWcsYrc+y5I8vLf1VGByjbt+Hnasjl+9h8lNKJytoE=", // Intermediate DigiCert Global Root CA
@"E3tYcwo9CiqATmKtpMLW5V+pzIq+ZoDmpXSiJlXGmTo=", // Intermediate DigiCert Global Root G2
@"r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=", // DigiCert Global Root CA
@"i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=", // DigiCert Global Root G2
@"h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU=", // GeoTrust Global CA
@"q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8=", // GeoTrust Primary Certification Authority – G3

Originally, the developer intended RapidSSL to be used as a backup if this situation arose, with them being able to get certificates from RapidSSL that contained any one of these certificates in the trust chain. I am tasked with purchasing a certificate that achieves this, but I am not able to find any concrete information on how I would go about finding a certificate that meets this requirement.

I was looking at DigiCert for a Basic OV certificate, with the assumption that the DigiCert Global Root CA would be somewhere in the trust chain. Would this be correct? Is there anywhere that I could see an existing certificate so I can see what the trust chain contains?
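The pinned values in the question are SHA-256 hashes of each certificate's SubjectPublicKeyInfo, base64-encoded (the usual SPKI pin format), so "does the certificate I am about to buy satisfy the app" reduces to: compute the pin of every certificate in the chain the server would present and check whether one of them is on the app's list. The following added example (editor's code, not the app's) does that from a PEM bundle; the certificates and names in demo() are constructed. Run it on the chain a CA publishes for the product, or on what an existing site using that product serves (see the s_client comment), rather than on an assumption about which intermediate a product name implies, since CAs rotate intermediates.

```shell
#!/bin/sh
# Editor's added example (not code from the post or the app). Computes SPKI
# pins (base64 of SHA-256 over the DER SubjectPublicKeyInfo), lists them for
# every certificate in a PEM chain in file order, and answers whether any
# certificate in that chain is on a pin list. Certificates in demo() are
# constructed; a real check runs against the chain a server actually serves.
set -e

spki_pin() {  # spki_pin <cert.pem>: the pin string in the form the app stores
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

split_bundle() {  # split_bundle <bundle.pem> <outdir>: one numbered file per cert
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (d "/" n ".pem") }' "$1"
}

chain_pins() {  # chain_pins <bundle.pem>: "<pin>  <subject>" per certificate, leaf first
  local dir f
  dir=$(mktemp -d)
  split_bundle "$1" "$dir"
  for f in $(ls "$dir" | sort -n); do
    printf '%s  %s\n' "$(spki_pin "$dir/$f")" "$(openssl x509 -in "$dir/$f" -noout -subject)"
  done
  rm -rf "$dir"
}

chain_matches_pins() {  # chain_matches_pins <bundle.pem> <pin> [pin ...]: 0 if any cert is pinned
  local bundle have p
  bundle=$1; shift
  have=$(chain_pins "$bundle" | cut -d' ' -f1)
  for p in "$@"; do
    if printf '%s\n' "$have" | grep -qxF -- "$p"; then return 0; fi
  done
  return 1
}

# Against a live site (not run here): capture what the server presents, then
# compare. A site already using the CA product you are considering shows you
# the intermediates that product currently chains through.
#   openssl s_client -connect host:443 -servername host -showcerts </dev/null 2>/dev/null \
#     | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > served-chain.pem
#   chain_pins served-chain.pem

demo() {
  local dir pin
  dir=$(mktemp -d)
  # Two constructed self-signed certs standing in for a leaf and a CA certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=leaf.example.test' \
    -keyout "$dir/leaf.key" -out "$dir/leaf.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Demo CA' \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  cat "$dir/leaf.pem" "$dir/ca.pem" > "$dir/chain.pem"
  pin=$(spki_pin "$dir/ca.pem")
  echo "pinlen=${#pin}"
  echo "certs=$(chain_pins "$dir/chain.pem" | grep -c .)"
  if chain_matches_pins "$dir/chain.pem" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" "$pin"; then echo match=yes; else echo match=no; fi
  if chain_matches_pins "$dir/chain.pem" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; then echo bogus=yes; else echo bogus=no; fi
  rm -rf "$dir"
}
demo
```

Note that a pin on a root only helps if the server actually sends a chain that leads to that root and the client builds the same chain; cross-signed roots and alternative chains can make the served chain differ from the one the CA's product page implies, which is why checking the served bundle beats reasoning from the product name.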