I've set up my app running on Cloud Run with a Let's Encrypt wildcard certificate to cover subdomains. It works fine, but everytime I run testssl.sh or other similar tools they notice 2 certificates: mine and Google's. The second certificate throws errors regarding name mismatch and from time to time (couldn't reproduce it, it may not be a problem) even browser notice this and say the cert is not valid, but a refresh will fix it.
Is this something common and should I ignore it? Google's DIG shows that the domain has the correct IP as A record and everything else works fine.
Use only one certificate.
A wildcard certificate with Cloud Run provides few benefits. Only domain names that are mapped will be supported so the wildcard does not help. The negative is that you must manually renew the certificate every 90 days.
Use the Google Managed certificates.
Related
I'm working on automating a web application (F# and Canopy). Getting 'Your connection is not private' screen upon launching the website/ after providing login credentials. Tried a few workaround to have the same disabled, but none did the job. Please help.
The best approach here is not try to hide or cover up the problem, but to fix it properly so you don't have to. Solutions that involve hiding the issue are necessarily going to adversely affect your security.
Note the wording of the error code: ERR_CERT_AUTHORITY_INVALID. That tells us that the certificate for the site is signed by a non-standard or unknown certificate authority.
You mentioned localhost in your comment; you're not going to be able to get a certificate for that, but you could create a self-signed one, however, if you've enabled the localhost exemption and you're still getting the error, it suggests that you may not be using localhost after all.
So, if you have a certificate signed by a real CA and you're seeing this error, it's likely that your local OS or browser has an outdated CA root certificate bundle. you can usually get the latest one by making sure your OS packages are up to date.
If your certificate is self-signed, then the 'advanced' button will allow you to add an exemption. I you have set up your own CA and signed the certificate with that, you need to add that CA's public key that signed it to your OS.
If you've got a "regular" commercial certificate from verisign, letsencrypt, comodo or whoever, then a run through a testing tool like testssl.sh or Qualys SSL labs will tell you more about what's going wrong. Without knowing the actual domain we can't test anything for you.
Added the following argument and it did the job:
options.AddArguments("--ignore-certificate-errors")
My website get traffic drop recently. I found that my user cannot access my website when their computer in wrong set of time. However, they can open other website as usual.
The error said "NET::ERR_CERT_DATE_INVALID" in google chrome and "Warning: Potential Security Risk Ahead" in firefox. So, I assumed that the problem is the SSL. Previously I use free ssl from Cloudflare, thinked that its because its free then the error appeared, I the purchased for Dedicated SSL form Cloudflare. But, I keep get the same Error.
Is there is a solution for this situastion?
Changing the user computer time its not my solution here, because other website working just fine.
Thank You
I found that my user cannot access my website when their computer in wrong set of time.
The expiration of the certificate is checked against the local time of the system. If the local time is wrong the check might fail even if the certificate is not really expired yet.
If it fails depends on how wrong the local time is compared to the expiration time in the certificate, i.e. it might be so wrong that some certificates look expired while others are not yet expired. Some sites use more short-lived certificates and thus are more likely to run into this kind of problems. For example Let's Encrypt certificates are only valid for 3 month, while other CA issue certificates for a year or even longer. And of course sites which only use HTTP instead of HTTPS don't have this problem since no certificates are involved in the first place.
Changing the user computer time its not my solution here, because other website working just fine.
There is nothing you can do against this from the server side. And while some other sites work just fine for the moment it is very likely that there are some sites apart from yours which will not work too. So the problem is not restricted to your site only.
I run a website affectionaries.com that has a valid SSL certificate hosted by Hostgator.
It has come to my attention that when searching in Google for terms such as "Affectionaries" or "Cupcakes Runcorn" an other domain appears higher up the SERP's using my meta data an is unrelated to my business. If you click the link for (https://www.miamiboxpanama.com/) then it takes you to an insecure warning page! Under advanced it tells you:
www.miamiboxpanama.com uses an invalid security certificate. The certificate is only valid for the following names: affectionaries.com, www.affectionaries.com Error code: SSL_ERROR_BAD_CERT_DOMAIN
I can not figure out what is going on here...
So far I can see that this domain is on the same nameservers and IP address as my site.
Has anyone have experience with this and know a solution to resolve this matter?
www.miamiboxpanama.com resolves to the same IP address as affectionaries.com (192.254.231.2). So both names lead to the exact same web server, and therefore also the exact same SSL certificate. Since that certificate is only for the name affectionaries.com, the browser correctly issues a warning when the name it used was www.miamiboxpanama.com.
This looks like a configuration error at Hostgator. You may want to contact them and ask what's going on.
Yesterday, I added a RapidSSL certificate, but going to supplybetter.com still gives an SSL mismatch warning, and the heroku certificate rather than mine is being presented. I'd like to get this working and get rid of the warning as soon as possible.
To get the certificate, I followed the instructions in this tutorial, with the exception that there was no analogue to "../ssldir/myapp_mydomain_com_chain.key" in step 16, so I used the _chain-less .key file, the only one I had. My PEM is composed of my CRT followed by the intermediate CRT, with spacing / newlines correct after checking.
My DNS is through Badger.com, which interacts with Heroku; current records shown below. This post recommends adding a cname that I don't have, but there's no way for Badger to do that without uninstalling the Heroku plugin; it only allows one input, a "_______.herokuapp.com" address, and does the rest.
Results of heroku certs and ssl
matt$ heroku certs
Endpoint Common Name(s) Expires Trusted
------------------------ -------------------------------------- -------------------- -------
osaka-8681.herokussl.com www.supplybetter.com, supplybetter.com 2014-03-09 23:27 UTC True
matt$ heroku ssl
supplybetter.com has no certificate
www.supplybetter.com has no certificate
This question has been submitted to Badger and Heroku support; if there's not an accepted answer, I don't yet have a solution. Thank you for your help!
--
Heroku support:
"Hey,
So the tutorial you are following was for our legacy feature ssl:hostname which has been removed in place of ssl:endpoint. Running heroku certs, I see that your cert has been added properly. However, there is one final step, you need to point your CNAME to your ssl:endpoint osaka-8681.herokussl.com
Once you do that, just wait for the DNS to propagate and you should be good to go."
Issue now is that badger doesn't have a way I see of adding non-subdomain cnames, and their heroku app only takes things in ____.herokuapp.com format.
DNS does not support CNAME records for the domain apex ("non-subdomain"). Heroku docs recommend not using the apex domain. You DNS provider may provide a redirect-function from domain.com to www.domain.com that you can take advantage of.
DNSimple has a feature that let's you use the apex on Heroku, but you'd have to switch away from badger: http://support.dnsimple.com/questions/32831-How-do-I-point-my-domain-apex-to-Heroku
Badger support manually implemented the 3 A records that I needed, plus the correct CNAME to point to osaka.herokussl.com. My major mistake was that when faced with Badger's format to enter CNAMEs, _.domain.com, I didn't realize www would work. It's now propigated and working well.
Learned:
As of 3/8/13, Badger's Heroku plugin can't support custom domains, but they're possible to add manually
Badger support is very responsive
My wildcard certificate expires in three weeks and I've just renew it and installed the new certificate, so that my IIS has two now.
I have currently more than 30 sites running and I would like to update them one by one to use the updated certificate. Though I dont see a parameter for appcmd set site which allows me to specify which certificate to use. I really would hate to have to delete the old certificate and re-add all sites asap which means my sites would be without SSL for a few minutes.
Seems like there were no other possibilities, I decided to go ahead and update them manually as quickly as possible. When entering the "Bindings" popup for the first website, it warned me (as usual with https bindings) that multiple sites were detected. I ignored the warning and set the new certificate for the first website. That also updated the https bindings on all the other sites apparently. I have checked with various online SSL checkers and the sites all seems to be updated now. Phew.