Hak5 KeyCroc problems connecting to Cloud C2 when https is used

After deploying the new HAK5 C2 Cloud instance on AWS LightSail (tutorial here), I found that my HAK5 KeyCrocs wouldn’t connect if I had https enabled on my C2 instance. I didn’t feel comfortable not using https, even though I have it locked down to IP addresses, because even sensitive customer data would still be sent in plaintext.

After banging my head against this for a while I took to the HAK5 forums and the ever helpful dark_pyrro came to the rescue, confirming that this was most likely down to Let’s Encrypt expiring their root certificates, correctly guessing I’d used Let’s Encrypt to generate my SSL certificates.

Dark_pyrro then went on to provide me with the steps to diagnose/check and then resolve the issue, which I’ve replicated below to hopefully be easy for others to find.

Note that this fix only applies to situations where you are using Let’s Encrypt for your Cloud C2 SSL certificate; if you have a purchased or self-signed one, this is unlikely to help.

Check that this is indeed the issue by connecting to the KeyCrocs via SSH and running the following command:

curl -I https://your.c2-domain.com/

It should indicate that the certificate has expired (the root certificate, that is).

Verify whether the expired “DST Root CA X3” certificate is on the KeyCrocs; it should be there if you got expired certificate issues from the command above:

grep X3 /etc/ca-certificates.conf

The output will include “mozilla/DST_Root_CA_X3.crt” if the KeyCroc has the certificate installed.

Take a copy of the ca-certificates.conf file (just in case), appending “old1” to the file name:

cp /etc/ca-certificates.conf /etc/ca-certificates.conf.old1

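Remove the X3 root certificate from the trusted set (the command prefixes its entry in ca-certificates.conf with “!”, which deselects it):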

sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' /etc/ca-certificates.conf

Update the certificates on the device:

update-ca-certificates -f

Use the diff command to compare the new and old configuration files; this should show “DST Root CA X3” as the difference now that it has been removed.

diff /etc/ca-certificates.conf /etc/ca-certificates.conf.old1

If you run the first command again, it should now retrieve the page successfully, since the SSL root certificate issue has been resolved.

curl -I https://your.c2-domain.com/
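
The check, backup, deselect and diff steps above, wrapped into one re-runnable script. This is an added example, not part of the original post or of dark_pyrro's instructions; the function names `x3_state` and `deselect_x3` are hypothetical, and the file path is a parameter so it can be tried on a copy of ca-certificates.conf first.

```shell
#!/bin/sh
# Added example: the page's steps as re-runnable functions (names are hypothetical).
# Requires GNU sed for "sed -i", as used in the steps above.

X3_ENTRY='mozilla/DST_Root_CA_X3.crt'

# Print the state of the X3 entry in the given file: selected, deselected or absent.
x3_state() {
    conf=$1
    if grep -qxF "$X3_ENTRY" "$conf"; then
        echo selected
    elif grep -qxF "!$X3_ENTRY" "$conf"; then
        echo deselected
    else
        echo absent
    fi
}

# Deselect the X3 entry, keeping the first backup, and confirm that
# exactly one line changed (one "<" line and one ">" line in the diff).
deselect_x3() {
    conf=$1
    # Nothing to do if the entry is already deselected or not present.
    [ "$(x3_state "$conf")" = selected ] || return 0
    # Never overwrite an existing backup with an already-edited file.
    [ -e "$conf.old1" ] || cp -p "$conf" "$conf.old1"
    sed -i '/^mozilla\/DST_Root_CA_X3/s/^/!/' "$conf"
    changed=$(diff "$conf.old1" "$conf" | grep -c '^[<>]' || true)
    if [ "$changed" -ne 2 ]; then
        echo "unexpected differences between $conf and $conf.old1" >&2
        return 1
    fi
}
```

On the device, call `deselect_x3 /etc/ca-certificates.conf` and then run `update-ca-certificates -f` as in the steps above; the script only edits the configuration file.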
Bob McKay
