Hello Team, I'd like to know where to stick the SSL cert in the Rocky Linux 9 OS and update it.
Best location for certs:
/etc/pki/tls/certs
for private key:
/etc/pki/tls/private
No luck… it didn't go through it.
Define "it" and how you have configured "it" to use an SSL certificate.
Our ORG has released the SSL cert in order to use the internet; this SSL cert will help go through the firewall… the SSL cert is working fine on other Linux platforms like Ubuntu / CentOS.
Doesn't really make sense, unless these are internally generated and require to be trusted. In which case perhaps putting them in /etc/pki/ca-trust/source/anchors and running update-ca-trust.
Otherwise just dropping a certificate on a system isn't going to work - it would require additional configuration. You would need to explain in far greater detail how this is supposed to work for people to help you. Like maybe explain what you did on Ubuntu for it to work, or what you did on CentOS - since CentOS will work the same as Rocky pretty much in terms of instructions to follow.
But try the update-ca-trust and see what happens.
Still no luck. Below are the commands used in Ubuntu 20.04; after this we are able to communicate with the repos for updates, FYI:
$ sudo apt-get install -y ca-certificates
$ sudo cp local-ca.crt /usr/local/share/ca-certificates
$ sudo update-ca-certificates
So the equivalent in EL distributions is to put them in /etc/pki/ca-trust/source/anchors and then run update-ca-trust for trusting internal CAs.
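The EL-side procedure described above (anchors directory plus update-ca-trust), written out as a small script with a sanity check and a verification step. This is an added example, not code from the thread; the paths are the EL defaults named above, the CA file name is whatever you pass in, and the PEM-only check is a simplification (update-ca-trust also accepts DER anchors).

```shell
#!/bin/sh
# Added example, not from the thread: install an internal CA certificate as a
# system trust anchor on Rocky Linux 9 and confirm the system bundle picks it up.
# ANCHOR_DIR and SYSTEM_BUNDLE are the EL defaults; the CA file is an argument.
ANCHOR_DIR=/etc/pki/ca-trust/source/anchors
SYSTEM_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

# Cheap sanity check before copying: the file should start like a PEM certificate.
# (update-ca-trust also accepts DER anchors; this check is deliberately strict.)
looks_like_pem_cert() {
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$'
}

# Where the anchor will live: same basename, inside the anchors directory.
anchor_path_for() {
    printf '%s/%s\n' "$ANCHOR_DIR" "$(basename "$1")"
}

# Copy the CA into the anchors directory and regenerate the consolidated stores.
# Needs root. update-ca-trust rewrites /etc/pki/tls/certs/ca-bundle.crt (what
# curl and dnf read) and the p11-kit trust store.
install_internal_ca() {
    ca_file=$1
    looks_like_pem_cert "$ca_file" || { echo "not a PEM certificate: $ca_file" >&2; return 1; }
    install -m 0644 "$ca_file" "$(anchor_path_for "$ca_file")"
    update-ca-trust
}

# Verify the anchor made it into the bundle: a self-signed CA verifies against
# the system bundle only if that bundle now contains it.
verify_installed() {
    openssl verify -CAfile "$SYSTEM_BUNDLE" "$1" >/dev/null
}

if [ "$#" -gt 0 ]; then
    install_internal_ca "$1" && verify_installed "$1" && echo "CA trusted: $1"
fi
```

Run it as `sudo sh install-ca.sh local-ca.crt`. If `openssl verify` fails afterwards, the file was not a CA certificate (for example a client or server leaf certificate), which is exactly the ambiguity raised later in this thread; `trust list` will also show the new anchor once it has been accepted.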
Still the same: when I try to update I get the same error, after the SSL cert was copied and updated.
sudo dnf update
Rocky Linux 9 - BaseOS 0.0 B/s | 0 B 00:05
Errors during downloading metadata for repository 'baseos':
- Curl error (35): SSL connect error for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=BaseOS-9 [error:0A000152:SSL routines::unsafe legacy renegotiation disabled]
Error: Failed to download metadata for repo 'baseos': Cannot prepare internal mirrorlist: Curl error (35): SSL connect error for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=BaseOS-9 [error:0A000152:SSL routines::unsafe legacy renegotiation disabled]
After what is being said in this thread it is not fully clear to me if the certificate is "just" a CA certificate or a client certificate used for authentication, and on which layer the authentication is supposed to take place.
There is such a thing as 802.1x. If your infrastructure is using it, the following link may help.
But if you want to use the certificate just for dnf as a client certificate with the https protocol, then you probably want to configure yum/dnf. Maybe (personally I have not used client certificates with dnf) something like the following:
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
sslclientcert=/etc/pki/tls/certs/cert.pem
sslclientkey=/etc/pki/tls/private/key.pem
put that in your repo config or even into /etc/yum.conf
However, the "unsafe legacy renegotiation disabled" message could hint towards some SSL incompatibility with your firewall.
error:0A000152:SSL routines::unsafe legacy renegotiation disabled
Seems this is the problem. Legacy certificate. How has the certificate been generated? RSA 2048? SHA1? Something else?
This post suggests a solution: Curl Panics unsafe legacy renegotiation disabled - #4 by svenc56
I looked up the history: it seems that vijay's firewall does not implement RFC 5746 [1], which fixed CVE-2009-3555 [2]. It's not the certificate that's wrong. I also found an old article from Red Hat with fixes for RHEL 3, 4, 5 [3]. This is a fairly old issue from 2009/2010. What other weaknesses could be found in such a firewall?
[1] RFC 5746: Transport Layer Security (TLS) Renegotiation Indication Extension
[2] CVE - CVE-2009-3555
[3] Is Red Hat affected by TLS renegotiation MITM attacks (CVE-2009-3555)? - Red Hat Customer Portal
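A way to confirm the diagnosis above from the Rocky box itself: `openssl s_client` prints whether the peer that actually answers the handshake (the mirror, or an intercepting firewall/proxy in its place) advertises RFC 5746 secure renegotiation. The script below is an added example, not from the thread or the linked post; the default host/port and the `PROXY` variable (host:port, passed to s_client's `-proxy` option) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: classify whether the TLS peer dnf reaches
# supports RFC 5746 secure renegotiation. OpenSSL 3 on Rocky 9 refuses peers
# that do not, which surfaces as "unsafe legacy renegotiation disabled".
# Default host/port and PROXY (host:port) are assumptions for illustration.

# Classify the handshake summary that "openssl s_client" prints (read from stdin).
# Prints: rfc5746 (peer supports secure renegotiation), legacy (it does not, so
# an OpenSSL 3 client will refuse it), or unknown (no handshake summary at all,
# e.g. connection refused or TLS failed before the summary).
renegotiation_status() {
    out=$(cat)
    case $out in
        *'Secure Renegotiation IS NOT supported'*) echo legacy ;;
        *'Secure Renegotiation IS supported'*)     echo rfc5746 ;;
        *)                                         echo unknown ;;
    esac
}

# Run the probe. With PROXY set, s_client tunnels through the proxy the way
# curl/dnf would, so an intercepting proxy gets tested rather than bypassed.
probe_peer() {
    host=${1:-mirrors.rockylinux.org}
    port=${2:-443}
    if [ -n "${PROXY:-}" ]; then
        openssl s_client -connect "$host:$port" -proxy "$PROXY" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" </dev/null 2>/dev/null
    fi
}

if [ "$#" -gt 0 ]; then
    status=$(probe_peer "$1" "${2:-443}" | renegotiation_status)
    echo "$1: $status"
fi
```

Run as `sh check-reneg.sh mirrors.rockylinux.org` (or with `PROXY=fw.example:3128` in front, a placeholder). A `legacy` result matches the thread's conclusion: the device terminating TLS is missing RFC 5746, and the fix belongs there. Relaxing the client instead (re-allowing legacy renegotiation in OpenSSL) reopens the CVE-2009-3555 renegotiation MITM window on every connection that host makes, so treat it as a stopgap while the firewall is updated.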
Good suggestion! I found that folder, I wish Rocky admin could have an article about this.