Xamarin app on iOS giving trust failure error on new TLS certificate - AWS ELB - ssl-certificate

I have a PHP app running behind an AWS ALB. The TLS tunnel terminates at the ALB, and the traffic from the ALB to the PHP servers (Apache) is over TLS with a self-signed cert. Everything has been working great, no issues. Now our certificate is about to expire, so I renewed the cert from GoDaddy and uploaded it to the ALB. My website works well with the new cert. I have a React Native app that works well too. However, my Xamarin app throws a "Trust Failure" error. It looks like Xamarin is keeping the old certificate and not using the new one. Any help appreciated.
Edit
I commented out the code for certificate pinning but I still got the trust failure. So I got the new cert and pinned that cert. Now the app is working. I wish I could just not pin the cert. Well, I am racing against time, the cert is expiring the next day, so I am going to go with this.

Figured out the issue. The developers had pinned the public certificate in the Xamarin app. We removed the pinning; still, the app was throwing a trust failure error. So we simply pinned the app to the new cert and released the app. Not the ideal solution for us, I wanted to not pin the cert. But we had no time to debug, we were running out of time as the cert was about to expire.
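Added example, not code from the question or from Xamarin itself: a validation callback that pins the SHA-256 of the server's public key rather than the whole leaf certificate, and keeps a second (backup) pin. A renewal that reuses the same key pair then keeps working, and a rollover to a new key can be shipped as the backup pin before the old certificate expires. The pin strings are placeholders, and the managed `HttpClientHandler` is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedHttpClientFactory
{
    // Placeholder values: replace with the base64 SHA-256 of the raw public key
    // bytes of the current server key and of the next key you plan to roll to.
    static readonly HashSet<string> AllowedPins = new HashSet<string>(StringComparer.Ordinal)
    {
        "CURRENT_KEY_PIN_BASE64_PLACEHOLDER",
        "BACKUP_KEY_PIN_BASE64_PLACEHOLDER",
    };

    // Pin = SHA-256 over the public key bytes, not over the certificate, so a
    // renewed certificate issued for the same key produces the same pin.
    public static string PublicKeyPin(X509Certificate2 cert)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(cert.GetPublicKey()));
    }

    // Run this once against the new certificate file (e.g. the .cer from the CA)
    // before release, and add the result to AllowedPins as the backup pin.
    public static string PinFromFile(string certPath)
    {
        using (var cert = new X509Certificate2(certPath))
            return PublicKeyPin(cert);
    }

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            // Pinning is an extra check on top of normal chain validation,
            // never a replacement for it.
            if (errors != SslPolicyErrors.None || cert == null)
                return false;
            return AllowedPins.Contains(PublicKeyPin(cert));
        };
        return new HttpClient(handler);
    }
}
```

If the CA issued the renewed certificate for a freshly generated key (the usual case with a new CSR), the pin of the old key no longer matches, which is exactly the trust failure seen here; carrying a backup pin for the next key avoids a forced app release at renewal time.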

Related

Socket hangup error when CA certificate (.pfx file) attached to Postman request for .NET Core web API

I need to attach a CA certificate with the Postman request. I am attaching a CA certificate as shown in this Postman CA certificate image. Here domain.pfx is not a self-signed certificate; it is signed by a CA. When I attach this certificate and hit the .NET Core web API controller, it is giving the socket hangup error. It's not even hitting the .NET Core web API. It gives this error in Postman (error image, error details).
But when I attach the self-signed certificate instead of the certificate signed by the CA, everything works as expected. I can hit the controller and retrieve the thumbprint from it. I am attaching the self-signed certificate in the same way (self-signed certificate image).
I am getting the socket hangup error only when a CA certificate is attached; with the self-signed certificate it's working. How can I resolve this issue? Am I doing something wrong in adding the CA certificate? Are there any other ways to attach a CA certificate in Postman?
Your configuration of the certificate does not appear to be a problem. Since I don't know what your request looks like, I can only share with you a few cases where I encountered this error.
When you use the same port for connecting to the database that is already in use by another service, the "Socket Hang up" error comes out. For example: port 51223 is a dedicated port for some other service or connection. You cannot use the same port (51223) for making a database connection on the same server.
Your application was switched to HTTPS and your Postman requests still had HTTP in them. You can change Postman to HTTPS to fix it.
Check if there is a VPN connection; if so, disconnect it.
Check if the version of Postman is the latest version; this problem occurs in some versions.
Hope this can help you.

With Sinatra + Thin, how to get a specific SSL client certificate suggestion during login?

I am running a small Sinatra application which re-uses a company-wide client certificate every employee has already installed (signed by an internal SSO_CA).
My Sinatra/Thin combination is using a server certificate signed by an internal company CA but is expecting the client certificate signed by SSO_CA.
Technically this worked fine until we got a second self-signed client certificate on our PCs. The browser is unsure which certificate to use and guesses the wrong one; most users do not read and use the new certificate, which ends in a 403 error.
In addition, browsers remember the decision and you have to explain to many people how to reset the SSL state.
=> Sinatra / Thin / EventMachine are not providing an option like :SSLCACertificateFiles '/usr/sinatra/certs/SSO_CA.crt'
to tell the browser "please show up with the client certificate from SSO_CA".
WEBrick has it, but this is not the right choice for "production". Moving to Nginx feels strange, as I cannot be the first having this issue in Thin.
I remember there was somewhere in a forum (cannot find it again) someone telling me that the feature is missing, but I found this before I had an understanding that this was going to be my problem as well.
Has anybody an idea how to force Thin/EventMachine to forward a specific CA suggestion for the client certificate? It is not :SSLCACertificateFiles, I tried it already.

Install free SSL https for port forwarding address

I have Mattermost installed on my local server, currently logging in to it using http://192.168.x.x:8065, and I've set up DDNS port forwarding for it, meaning that I can log in to Mattermost using http://xxx.ddns.net:8065 as well.
Now I'm going to install HTTPS (SSL) for it. I tried using a self-signed certificate, and it seems to work fine when I log in from my desktop (Chrome, Firefox, desktop app).
But when it comes to the iPhone native app, Mattermost will trigger this error message:
Please check connection, Mattermost unreachable. If issue
persists, ask administrator to check WebSocket port.
and now none of the messages coming to Mattermost will be shown, and there are no notifications at all until we manually refresh the app.
Is there any suggestion on overcoming this issue? Is it because the iPhone tries to block any untrusted / self-signed certificate?
Thank you.
Best regards,
Kong
You are correct that the iPhone does not trust your self-signed certificate out of the box. An easier way to get this working would be to get a free SSL certificate for xxx.ddns.net using a service like Let's Encrypt, which will be trusted out of the box by your iPhone.
This is especially straightforward to do with Mattermost, as it has built-in support for using a Let's Encrypt certificate. You can configure this by following the steps in the documentation here.
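Added illustration of the relevant part of the Mattermost server config.json for the setup described above; it is not taken from the Mattermost documentation or from the asker's server. It assumes that both port 80 and port 443 on xxx.ddns.net are forwarded to the Mattermost host, since the built-in Let's Encrypt flow answers the ACME challenge on port 80 and serves TLS on 443; the cache file path is an assumed value.

```json
{
  "ServiceSettings": {
    "SiteURL": "https://xxx.ddns.net",
    "ListenAddress": ":443",
    "ConnectionSecurity": "TLS",
    "UseLetsEncrypt": true,
    "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
    "Forward80To443": true
  }
}
```

With this in place the WebSocket the mobile app complains about is carried over the same trusted 443 listener, so no port 8065 forward or trust-store change on the phone is needed.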

Getting SSL certificate issue

I have a site which is hosted using GoDaddy and Heroku, and it has an SSL certificate issued from GoDaddy.
Right now I am facing an issue: I (including all my friends and family) can see the site very well (it means I can see the green HTTPS in the address bar).
But my client is getting the SSL error (red cross on HTTPS).
First I thought the SSL certificate was not properly installed, so I checked the SSL certificate online for errors. For this I used the following sites:
https://www.sslshopper.com
https://www.digicert.com
but all the sites show that the certificate is perfectly issued and applied.
Can anyone please help me find the actual cause behind this? Is there any firewall issue? Please let me know your thoughts.

Infinite loop after CAS certificate change

I am writing to check if anyone has had a similar issue with Jasig CAS.
We are basically facing infinite redirects in the browser (in Firefox: "Firefox has detected that the server is redirecting the request for this address in a way that will never complete.") after being able to log in to CAS. It seems the client side does not properly get the authentication details?
Since we have not done any code change, I think this is because of a certificate change we did last night. We had a new SSL certificate from Verisign which we are using on all our servers, matching the server against our root domain.
The Verisign certificate seems correct, and also the intermediate ones...
Don't know if the old certificate could be cached somewhere in CAS, or what could be the problem as to why the client and CAS keep redirecting to each other, all only after we uploaded the new certificate into the load balancer (as the old one had expired).
Any ideas?
Disclaimer: I'm the Chairman of CAS and founder of CAS in the cloud (https://www.casinthecloud.com).
My guess would be that the new certificate, even if it works properly from a browser, doesn't work properly for a direct call from the application in the JVM (bad intermediate certificate, for example). So the service ticket validation fails, and if the error page is protected, the user is sent to the CAS server, which redirects him back to the application for service ticket validation, and so on. Thus, the infinite loop...