I have a data collection / reporting web application hosted on an AWS Lightsail instance with Ubuntu 18.04 OS and Apache2. I use a 'Lets Encrypt' SSL certificate on the site. This all works fine.
I also have an embedded device which uploads data to the website via an API. The embedded device is currently not operating on SSL, but I need to change this. The embedded device can communicate on SSL but its not easily updateable in the field. My concern is that the CA certificate that is embedded into the device cannot be updated, and so using the same 'Lets Encrypt' certificate, means that a change in the Lets encrypt certificate will render the remote embedded device unable to connect to the server.
The common solution to this problem is a self signed certificate over which I have total control, and yes this would fix the problem, but it would create another problem. If I use a self signed certificate, then any user connecting to the site to view data from their PC would get an Untrusted Certificate warning on their browser, which is not acceptable.
So, to fix this ideally I would have my web app protected by 'Lets Encrypt', but the API protected by a separate self signed certificate. However, both web app and API need to be on the same domain. Also they should ideally also both be on the same standard 443 https port.
Is there a way to setup the web app and API to serve different SSL certificates?
Related
I'm using google firebase Messaging for push notifications of my website.
my website doesn't have a domain. Its using HTTPS with self-signed certificate.
as i realized service worker needs HTTPS with valid SSL certificate. witch isn't available for sites without domain.
in some of other push notification services there is an option for HTTP websites that it opens a new window with a sub domain and notifications will be received from there.
is there any free option in any site that provides such future?
or
is there another option for me to pass invalid SSL error when enabling service worker?
btw: i'm aware about browsers flags for allowing self-signed certificate. i'm not gonna use that because i have some users now.
my frontend is a angular cli app running with nginx on a ubuntu server.
I've generated a self-signed certificate with Open SSL to use in a application that runs on IIS which authenticates users via Integrated Windows Authentication method.
However there is a limiting factor that is impacting the auth method that is the lack of DNS.
When there is no WAN the LAN lacks the ability to resolve hostnames and the clients cannot connect to the server without using direct IP or by registering the alias in the hosts file.
Chrome does not allow to use the Integrated Windows Auth method and shows a pop-up to authenticate the user. However not having the connection to the WAN makes the pop-up to keep being shown and never really authenticates the user.
Accessing the application in the own server allows the auth method to work when the domain is added to the hostname in the URL. However this only works for the server itself and not for the other computers in the network.
In the certificate I added the CN as the private IP of the server and also added it at the SAN, but it did not work. Chrome keeps showing the pop-up. Also added the certificate in client's machine in the Trusted Root Certificates.
In this scenario is it possible to make Chrome to recognize the certificate and allow this auth method to work or this won't work at all?
I have a desktop bridge app which uses a worker service to host a PWA and WebAPI with Kestrel over https
User runs the worker, and browses to the service from ff/chrome/edge
This works fine in development as the development machine has a trusted certificate installed
However, when I package it up and deploy to test machine, there is no cert and the app crashes
So, how what is the best way to do this?
Options
Bundle a cert with the app, install it in the containers local
store? How would this work with the browser, which wouldn't trust the
cert as its not installed in the browser users context
Buy a cert from a CA. How would I distribute it?
Magic UWP trusted certs I can add to kestrel?
So, it seems you can't
In 2015 certs can not be issued to IPv4 or IPv6 address and must be a FQDN with a public top level domain
TLS is not just about encryption, but also identification, private ips can't be publicly identified
And PWA's need https to work, so options..
Self-signed certificate, which won't be trusted and show the user a
nasty message
Publicly host the PWA and certify that domain, then
call back to the loopback address 127.0.0.1 over http to communicate
with the running worker, this is considered secure. I have done this
and it does work, but means my app can only communicate with the user
on the same machine
There are other options that need you to have control of the network dns - which I won't have
I am developing an app to run in Cloud Foundry.
The app makes constant connections to a web service using https protocol.
The web service uses a pair of self-signed certificate created by openssl.
As there is no DNS setup, I am using IP address as the Common Name(CN) in the ssl certificate.
However, the web service IP address varies from time to time. The ssl certificate has to be re-generated each time.
In order for the app to connect, it needs to trust the SSL certificate so I have been packaging the public key for the web service’s SSL cert as a file with my app.
The problem is that I have to re-upload the app to Cloud Foundry once the public key of the SSL cert changes.
Here are some possible solutions:
Register a host name in DNS. In that case, the certificate is only bound to host name. (Might not be possible cos of the budget. )
Create a private CA and issue certificates from the CA, then install the CA as the trusted CA on the client. It is feasible and a common way for internal services. However, what if the app is pushed to the CF? How can we configure the node for the certs?
Disable the SSL server authentication. Not sure whether it would put the app at risk if the authentication is skipped. For the time being, the app pulls data from the web service.
I've been thinking of keeping the public key in the database. In that case, I don't need to re-upload the app to make it take effect. But I am not sure whether it is a safe way.
Question
I am seeking for a common and safe way to keep the SSL server cert in a Cloud Foundry env. Are any of the above solutions viable? If not, is there any other CF preferred ways?
Thank you
This is a bit old, but in case this helps...
Did you try to generate your server SSL certificate with whatever hostname (even "localhost"). As you are uploading this certificate in your application (i.e. to "blindly" trust it), I think that it could work and this would avoid dependencies with your IP address.
I working to develop small HTTPS server that will be included in my android application. And the client will be browser. User can browse to the contain that I have on my HTTPS server. Can someone tell me what kind of setup do I need as far as the certificate and private/public keys are concerned. I am planning to use openssl to create my self-signed certificate.
FYI, I have initial setup done. And since my certificate is self-signed, browser displays warning to accept it on your own risk. So I believe server authentication is working. What do I need for server to authenticate the client ?
Thanks
The problem with hosting an HTTPS webserver on an android device is that the certificates are validated using a domain name. Without a domain name the client browser will display an error unless the server certificate is installed and trusted locally.
The two options are:
Register a domain name, use dynamic dns, and then request an ssl/tls certificate based on that name.
Installing self-signed certificate programmatically
There is an Android library that supports https: http://tjws.sourceforge.net/