APIM Consumption Tier, Custom Domain, Cloudflare & third level subdomain - ssl

I am working with Azure API Management Service, in the Consumption Tier, and I registered a "Custom domain" through a free account at Cloudflare, in cloudflare register the domain and configure full encryption.
Also add the domain as DNS to my API Management, as example CNAME "third.two.example.com".
Once this is done, create a source server certificate for the domain that I will use, it is a third level domain example "third.two.example.com" and then download the certificate and key (PEM and KEY).
Once this is done, because Azure when adding the certificate in API Management threw me the error "The content type needs to be application / x-pkcs12." I had to transform the certificate from PEM to PKCS12, I did it with the following script in OpenSSL on my computer.
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt
(I did not add any key).
Then I upload the certificate in an Azure Key Vault as a certificate which does not give me any problem.
Finally I add the domain "third.two.example.com" to my Azure API Management referencing as custom domains in API Management, referencing the certificate uploaded to Key Vault, the process runs correctly and everything is fine.
However, when entering this domain, the browser shows me the following error:
And when trying to call the API through Postman with SSL active:
I also get the following error:
You could tell me if I'm doing something wrong or I have everything wrongly configured, I really don't have much knowledge in digital certificates so I don't know if I should do something additional or the configuration I'm using is not correct, thanks in advance for your comments.
The certificate information through the browser is as follows:
in advance thanks for your help !, sorry for the blurr but some data is private and I can't show it.
UPDATE
I found on this site that i have to change the cloud to orange (Proxied) so i did it and it doesn't work.
Finally i tested the same steps with the domain "third-two.example.com" and it works with 0 problems (The only thing to keep in mind is that the proxy must be activated after adding the domain in APIM), is there something that i need to do or update to some tier on CloudFlare for make a multiple level ssl certificate?, on the creation page, it says that is allowed here:
UPDATE - 2021-09-02
Ok, for everyone that still having this issue, there's no way to do that without an edge certificate (The plan cost 10 USD).
Quote for the activation:
Create a certificate in the dashboard
To create a new advanced certificate in the dashboard:
Log into your Cloudflare account and select a domain.
Select SSL/TLS > Edge Certificates.
Select Order Advanced Certificate.
If Cloudflare does not have your billing information, you will need to enter that information.
Enter the following information:
Certificate Authority
Certificate Hostnames
Validation method
Certificate Validity Period
Select Save.
With all the steps done, you can now order an edge certificate that contains, all the hosts needed, for my example: main domain, the wildcard domain, and the three level subdomain:
example.com
*.example.com
third.two.example.com
You can add a total of 50 hostnames, so if you need additional hostnames you can add it here, the steps are the following:
Log into your Cloudflare account and select a domain.
Select SSL/TLS > Edge Certificates.
Select Order Advanced Certificate.
In the certificate hostnames, fill all the domains from before.
With this steps and all the steps from before done, your API Management will recognize the domain as secured and also the SSL Certificate as follows:
Finally, i know this is a very specific topic using Azure Functions on Azure API Management, with a custom domain in Cloudflare, but maybe it can be usefull for someone, but it's not free, its 10USD per month, so if you want to use third level domain, but i think this is the cheapest and secure way to do it.
I will close this question.

I edited the question to add the answer from the CloudFlare forum, and it works so i think i will close this question.

Related

Implementing LDAPS: Can I buy the same kind of SSL certificate as I would use to secure a web domain?

I'm looking at hardening LDAP on my domain controller (DC). To do this I need to import a security certificate to the DC.
I don't want to self sign as I've been told it is not best practice and the service I wish to integrate with LDAPS (Mimecast) does not recommend self signing.
I've created my certificate request, based upon the domain's fqdn. e.g. mydomain.local
What I'm not sure about now is where I can get a certificate based on that request.
I'm familiar with SSL for HTTPS. That process makes sense to me, the certification authority checks that I own the domain and provides a certificate that I can then install on my web server.
Will 3rd party SSL providers let me configure a certificate with the common name "mydomain.local"?
Or am I looking in completely the wrong area?
Many thanks in advance for any help that provided.
The type of certificate is exactly the same type of certificate as you would get for securing a website, yes. However, the domain name must be a valid internet domain (not .local)
There is a good walk-through here for Using Let's Encrtypt for Active Directory Domain Controller Certificates, including all the caveats you need to be aware of.

How to add a certificate to a sub-sub-domain with Cloudflare?

I'm wondering how I could add a SSL Certificate to a sub-sub-domain on Cloudflare like for example maintenance.login.example.com I've already added the sub-sub-domain to my site but I keep getting this error This site can’t provide a secure connection maintenance.login.example.com sent an invalid response. Try running Windows Network Diagnostics. ERR_SSL_PROTOCOL_ERROR
Our default/free certificates—"Universal SSL"—cover the apex of your domain (example.com) and one level of wildcard (*.example.com).
If you'd like to cover additional levels beyond that, e.g., *.test.example.com or maintenance.login.example.com, you can either purchase a Dedicated Certificate with Custom Hostnames or you can upload a custom certificate to a Business plan or higher.
I wrote a blog post describing Dedicated Certificates here: https://blog.cloudflare.com/dedicated-ssl-certificates.

Dedicated server SSL certificates, updating and installing?

we have a website on a dedicated server with iweb.com. Our SSL certificate is purchased through Godaddy and expiring soon, so it’s time to get it updated. Iweb has a general article on how to install ssl certificates (https://kb.iweb.com/entries/21117106-Installing-SSL-certificates) but it’s not detailed so there are still some questions about that.
GENERATING A CSR AND INSTALLING A SSL CERTIFICATE:
“In order to get a SSL certificate, you need to create a Certificate Signing Request (CSR) and send it to the Certificate Authority.”
- Does it mean I can create a certificate myself for free, and don’t have to purchase it through godaddy or any other service? If yes what is the difference? And if I already have a certificate should I skip the certificate generating step and start with the installation?
FOLLOW THIS PROCEDURE TO INSTALL THE SSL CERTIFICATE:
Under the installation steps it asks to enter the domain name for which the SSL certificate was created, will it include the ftp, email, cpanel servers as well?
And lastly, what’s going to happen with my old certificate, will it be deleted or I have to remove it manually?
Thank you!
Does it mean I can create a certificate myself for free, and don’t
have to purchase it through godaddy or any other service?
Well, you can get a self-signed one for free, But, if people are visiting your website, there will be a HUGE alert on their browser, and try to stop them from browsing.
And the Certificate Signing Request is not actually a Cert! (well, it does contain your public key, and some other information)
The difference between a self-signed and public-CA-signed one is just like your school ID and your passport, the school ID only valid in a small community, and the passport is recognized by the general public as a personal ID.
See: How to create a self-signed cert in Ubuntu with Apache Using OpenSSL
If your think the price for Godaddy is too high, you may try something cheaper like PositiveSSL or RapidSSL, which is only around 10 USD/year/domain
And there is also a free one: StartSSL
Under the installation steps it asks to enter the domain name for which the SSL certificate was created, will it include the ftp, email, cpanel servers as well?
No, just the web server you wish the general public to be able to visit.
if there is a web interface for the email (like Gmail) or CPanel, you may have to create a ssl for them as well.
And lastly, what’s going to happen with my old certificate, will it be deleted or I have to remove it manually?
You should update it. if you haven't renew and update it, the browser will try to block your visitors with a HUGE alert again after the expiration date.

Azure Websites SSL Intermediate certificate

Azure Websites now supports SSL and allows you to upload a certificate. I have a GoDaddy certificate that I have uploaded and although this works fine for 80% of users it seems that Windows XP users browsing the site in Internet Explorer are given the following error:
There is a problem with this website's security certificate.
On further investigation it seems like I may need to provide an intermediate certificate but I can not find how to supply a Godaddy intermediate certificate (I have one) for my Azure Website.
Can anyone tell me if there is a solution to the intermediate certificate issue?
I followed the following step process when I was setting up SSL in Azure using GoDaddy as CA. (Notice the highlighted line below that might be your key):
Create a Certificate Signing Request (CSR) on the web server (local IIS, not Azure)
Send CSR to CA (Certificate Authority – GoDaddy) and specify alternative domain names (if you've paid for that possibility)
Download certificate from CA
Import certificate to web server (local IIS, not Azure)
Import the intermediate certificates from CA into local computer (where you have IIS)
Export the certificate as PFX file from IIS and give it a password
Import PFX file into Azure together with password
Bind configured domain names to the certificate in Azure
There are a few different ways to create the CSR file. I used IIS Manager on my local developer computer.
You can read an extended version of the list here where all the steps are more thoroughly explained.
Had a reply on twitter from Microsoft, the reply they give is as follows: "this is a known issue. Not an oversite but rather a bug... Check the MSDN support forum" I checked my post on MSDN forums and the reply they left there is "We will have this support soon".

Does enabling SSL require more than just turning it on?

I run an nginx-powered application and I recently turned my attention to using it over https. This is the module in nginx that does this: http://wiki.nginx.org/HttpSslModule
However, I'm somewhat unclear about what is actually required to run a site over https.
What else is there to do to serve my site over ssl? What is the role of the certificate, and is it a requirement that I purchase it from somewhere?
You need a certificate to prove to your user that the server they're connected to is indeed the one intended (and not a MITM attacker).
If your server is to be used by a limited number of users to whom you could give a certificate explicitly, you could use a self-signed certificate or create your own certification authority (CA).
Otherwise, if you want your certificate to be recognised by most browsers, you'll need to get one from a commercial CA.
You should find more details in this answer. You may also be interested in this.