💾 Archived View for gemi.dev › gemini-mailing-list › 000700.gmi captured on 2023-12-28 at 15:51:22. Gemini links have been rewritten to link to archived content


Molly Brown Certificate Zone Help

1. Lindsay (newsspeak11 (a) gmail.com)

Greetings all,

I am trying to set up a server using Molly Brown and am having trouble
implementing its "Certificate Zone" feature. If this isn't the correct
forum for this question, please let me know.

So far, I've set a directory to require a certificate and successfully tested
it - I am free to access all areas on the site and receive a certificate
challenge to the one directory as configured.

The problem I'm having is understanding how to add a specific client
fingerprint to the "allowed" list in the config file. The Molly Brown
documentation specifies that an allowed value takes the format of "hex-encoded
SHA256 fingerprints of client certificates". I have what I think is a valid
fingerprint that I then converted into hex and added to this section (which is
significantly longer than any of the examples provided), but the
corresponding certificate is rejected when provided.

I am certain this is user error. I have very little knowledge of how to
manage certificates and relied on google searches when generating the correct
ones for this server. Assuming the values provided in the example config
file are based on real, working values, my value is nearly 4 times as long.

Here's what I did:
1. Generate a new key with the following command:

> openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out cert.crt -keyout key.key

2. Changed extension on output keys to .pem as required by Kristall Browser
3. Imported key and cert into Kristall
4. Converted the fingerprint of the cert into hexadecimal with the
following command:

> echo -n "[Fingerprint went here]" | od -A n -t x1

5. Copied hexadecimal value into Molly Brown configuration file so the
section looks like this:

> [CertificateZones]
> "^/foo/" = [
> #       "d146953386694266175d10be3617427dfbeb751d1805d36b3c7aedd9de02d9af",
> "aa1ee9e5a1572a4677e9f59e181b5c6a27527c7602bd441e7bf909f681db2eb36c32246c5193a270fcfbc509fef9349b03d6a299907580c90566c881752a01adcd9055fae1e53a308c56020462849b42ab777d67c9c5e3fd0427ec6d42a997",
> ]

6. Relaunch Molly Brown

Apologies if this is an elementary problem or the incorrect forum for
such a question; I appreciate any help that is provided.

Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20210213/e5b5
2f27/attachment.htm>


2. Lindsay (newsspeak11 (a) gmail.com)

After some additional reading and trial and error, I think I've made
progress, but still not successful.

I've now created a client key and a signed client certificate and added
them both to Kristall's certificate manager. I've also managed to generate
what I believe is a proper SHA256 hash using this command on my client
certificate: openssl dgst -sha256

I believe this is a proper hash as it matches the style and length of the
examples provided in the molly.conf file. I've also verified that the
fingerprint of the key pair in Kristall matches the fingerprint of the
client certificate I used to generate the SHA256 hash.

The Certificate Zone area of the config file now looks something like this:

> [CertificateZones]
> "^/foo/" = [
>     "d146953386694266175d10be3617427dfbeb751d1805d36b3c7aedd9de02d9af"
> ]

Now that I have a certificate value that looks to be correct, I'm not sure
what else to try. Are there any verbose logs available that I can enable to
see what is being passed to Molly Brown or how the certificates are being
compared?

On Sat, Feb 13, 2021 at 7:31 PM Lindsay <newsspeak11 at gmail.com> wrote:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20210214/4562
044e/attachment.htm>


3. Lindsay (newsspeak11 (a) gmail.com)

I was able to solve my problem, although I'm still not sure what the issue
was.

I stumbled across solderpunk's gemcert
<https://tildegit.org/solderpunk/gemcert> program for creating
certificates. His program provides server and client key pairs. As part of
the client key creation process, it automatically outputs a certificate
fingerprint with SHA256 encoding.

With this I did the following:
1. Reinstall server certificates issued by gemcert
2. Add client key and certificate to Kristall issued by gemcert
3. Added the hash provided by gemcert from creating client certificates to
the CertificateZones area of the Molly Brown configuration file.
4. Restart Molly Brown

I can now browse the restricted area using the client certificate, but I'm
still not sure why this worked and creating one through OpenSSL did not
work. The only difference I could see is that gemcert creates ECDSA
certificates instead of the RSA ones I tried previously.

If anyone has any insights, I'd love to understand why this was successful.
Unfortunately the only thing I learned through all this is to use gemcert
for client certificates and I have no idea why.

On Sun, Feb 14, 2021 at 7:03 PM Lindsay <newsspeak11 at gmail.com> wrote:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20210216/6b3e
85f1/attachment-0001.htm>

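An added example, not from the thread and not Molly Brown's or gemcert's own code. The two failed attempts in the first two messages hash the wrong bytes: piping the printed fingerprint through od hex-dumps its ASCII characters, and running openssl dgst -sha256 on the .pem file hashes the PEM text (header lines plus Base64), not the certificate inside it. The Go program below assumes, from the documentation's "hex-encoded SHA256 fingerprints of client certificates" and from Molly Brown being a Go server, that the value a CertificateZones entry must equal is SHA-256 over the certificate's DER bytes, as lowercase hex with no colons. It generates a throwaway self-signed ECDSA client certificate (constructed test material), computes that fingerprint, shows that the digest of the PEM text is a different value of the same length, converts the colon-separated output of openssl x509 -noout -fingerprint -sha256 into the config format, and runs the allow-list comparison against both. The function names (mollyFingerprint, zoneAllows, newClientCert and so on) are this example's own. Nothing in the check depends on the key type; ECDSA is used only because that is what gemcert issues, and whether RSA versus ECDSA mattered in the original setup is not something the thread establishes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// mollyFingerprint is the value this example assumes a CertificateZones entry
// must equal: SHA-256 over the DER bytes (cert.Raw), lowercase hex, no colons.
func mollyFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// fingerprintFromPEM reads a PEM certificate file (the form Kristall loads)
// and returns its DER fingerprint; a key file or other input is rejected.
func fingerprintFromPEM(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	return mollyFingerprint(cert), nil
}

// pemTextDigest is what `openssl dgst -sha256 cert.pem` prints: a digest of
// the PEM text, not of the certificate. Same length, never the same value.
func pemTextDigest(pemBytes []byte) string {
	sum := sha256.Sum256(pemBytes)
	return hex.EncodeToString(sum[:])
}

// normalizeFingerprint converts the output of `openssl x509 -noout
// -fingerprint -sha256` ("SHA256 Fingerprint=AB:CD:...") to the config format.
// Hex-dumping that printed string with `od -t x1` instead gives 190 digits.
func normalizeFingerprint(line string) (string, error) {
	if i := strings.IndexByte(line, '='); i >= 0 {
		line = line[i+1:]
	}
	h := strings.ToLower(strings.ReplaceAll(strings.TrimSpace(line), ":", ""))
	if raw, err := hex.DecodeString(h); err != nil || len(raw) != sha256.Size {
		return "", fmt.Errorf("not a %d-byte hex SHA-256: %q", sha256.Size, line)
	}
	return h, nil
}

// zoneAllows: the presented cert's DER fingerprint must equal one config entry.
func zoneAllows(allowed []string, cert *x509.Certificate) bool {
	fp := mollyFingerprint(cert)
	for _, entry := range allowed {
		if n, err := normalizeFingerprint(entry); err == nil && n == fp {
			return true
		}
	}
	return false
}

// newClientCert makes a throwaway self-signed ECDSA P-256 client certificate
// (constructed test material, the kind gemcert issues) plus its PEM form.
func newClientCert(cn string) (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(10 * 365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

func main() {
	cert, pemBytes, err := newClientCert("lindsay")
	if err != nil {
		panic(err)
	}
	fmt.Println("config entry:", mollyFingerprint(cert), "\nPEM-file digest (wrong):", pemTextDigest(pemBytes))
}
```

With a real client certificate the same value comes from the shell as openssl x509 -in cert.pem -outform DER | openssl dgst -sha256, or from openssl x509 -in cert.pem -noout -fingerprint -sha256 with the colons removed and the letters lowercased; running openssl dgst -sha256 cert.pem directly yields the PEM-text digest the program prints as the wrong value.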
