I have app (backend part) running e.g. on: https://bla.com:8443. I created a certificate for it via letsencrypt for domain bla.com.
When I tried to receive payments (webhook) from www.stripe.com I end up with TLS error. After some investigation I figure out that problem is with invalid certificate chain for https://bla.com:8443 and if I would run it on https://bla.com:443 everything would be ok.
I can't change it to port 443 because on https://bla.com:443 is running frontend part of the app.
I thought about 2 solutions, but my technical knowledge is quite limited so I am not sure if its possible:
create certificate for domain + port
run frontend & backend part on same port: https://bla.com:443 and configure apache2 to forward all /backend-api/* to https://bla.com:8443/backend-api/*
My question is, is any of the proposals possible and more importantly is there any better solution which I am missing?
Thanks for any suggestions!
A certificate is not bound to a port. It is perfectly fine to use the same certificate on port 443 and 8443. But the servers on port 443 and 8443 have a different configuration. If it works on 443 but not on 8443 this is likely due to some error in the configuration on port 8443. The fix is thus to have the correct configuration and not to work around with a different certificate or somehow to reverse proxy it from port 443.
Unfortunately details on how to exactly fix it cannot be given since the current configuration is not known.
Configuring the program to use fullchain.pem instead of cert.pem fixed it for me.
Related
I'm using CloudFlare SSL. when I set SSL to flexible everything works fine.
But if I use full SSL mode this error occurs instantly:
Note that I set the certificate and the key in my cpanel ssl section and I think everything is done ok.
Why this is happening and how to fix it ?
It is quite simple. All you have to remember is:
Flexible - there should be no SSL installed for that domain on the server ( no VHOST for port 443 either ).
Full - there should be an SSL installed for that domain, but it does not have to be a valid one ( you can use a self-signed or expired SSL ).
Full Strict - there should be a VALID SSL installed for that domain on the server ( it has to be absolutely a valid and active SSL ).
So, depending on the SSL you have on your domain server, just set the Cloudflare SSL to one of the above options. If you believe that everything is okay and you still get an issue, I would suggest reaching your web host to check that further for you.
I've seen a lot of similar questions but none of the answers helped me (and there's one addition I didn't see anywhere).
So, I'm using Mamp-Pro 6.0.1 for local testing. I have a domain set up (www.mydomain.lo), enabled SSL and used a self signed certificate I created with the button in Mamp.
I added the cert to my keychain (I'm on a Mac) and set it to «always trust» in the keychain-info.
But when I try to access the local page with https://www.mydomain.lo, I get an error saying:
There was an error connecting to … SSL received an entry which exceeds the max allowed length. Error-Code: SSL_ERROR_RX_RECORD_TOO_LONG
(this is loosely translated from German).
The page works with http:// but I'd like to test the SSL-Version, too.
Any ideas?
I was able to partly solve this riddle.
SSL just doesn't work on local hosts, when the standard port (443) is used.
But it works when the «default MAMP ports» are used.
in MAMP-Pro got to «Ports & User» and click on «Set default MAMP ports».
The ports change as following:
Apache 8888 - SSL 8890
Nginx 7888 - SSL 7890
MySQL 8889
…
It is important that you don't change any of these. I tried to only change the Apache SSL port to 8890 and leave the other ports on their standard (Apache 80, MySQL 3306,…) but then the MySQL-Server doesn't respond.
Problem is that faced was when we pointed the DNS to ELB, It was not able to get certificate validation from LetsEncrypt however it worked when we did edited DNS to EC2 servers IP. --> This is OK if we have one server but what if we have many servers it won't work. Hence, we want this LetsEncrypt to
Letsencrypt still needs to use port 80.
If your ELB is only forwarding port 443 for normal traffic you can use the following approach.
Forward port 80 to a small instance only running NGINX and certbot.
Initiate the cert renewal process from the this NGINX box.
Upload cert from NGINX box to ELB.
For extra points you can normally have port 80 disabled on your ELB and only open it when doing the renewal request.
Example setup is here:
https://blog.cloudinvaders.com/installing-a-lets-encrypt-certificate-on-an-elastic-load-balancer/
I'm having issues with TLS enabling in Mattemost. In my server I configured a lot of virtualHosts plus the mattermost files. In http everything was working fine.
Today I tried to setup TLS and https. I followed the instuctions as in https://docs.mattermost.com/install/config-tls-mattermost .html. Now I get this:
Please notice the error: I'm trying to access domain1.mywebsite.com and the error is "its security certificate is signed by domain2.mywebsite.com". domain2.mywebsite.com is one of the websites configured as virtualhosts in apache.
I did not configure any virtualhost for Mattermost, since I don't thing any is needed (and it worked flawlessly without one, and without TLS). But how can I tell mattermost (or the browser?) that the server of domain2.mywebsite.com is the same of domain1.mywebsite.com?
I generated the certificates using letsencrypt with the standalone option (sudo certbot certonly --standalone -d domain1.mywebsite.com) and didn't move any file, just enabled "UseLetsEncrypt": true, in config.json file.
Do you happen to have any idea about how I could fix this?
Thank you
Marco
You'll need to configure TLS on Apache. You'll needs to use separate certificates for each virtual host.
Here is information that might help you: https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
Don't configure TLS on Mattermost if TLS is being handled by the proxy.
I used certbot to generate a Let's encrypt certificate for my website, but Yaws gives me an SSL accept failed: timeout error when I try to connect to it (after it times out of course). Interestingly it works when I redirect example.com to the local ip address of the server in the hosts file on my machine and connect to example.com:8080, but not when I connect to example.com without editing the hosts file or when I connect from my phone over 4G. Here's my webserver's configuration file (it is the only configuration file in conf.d):
<server www.example.com>
port = 8080
listen = 0.0.0.0
docroot = /usr/share/yaws
<ssl>
keyfile = /etc/letsencrypt/live/example.com/privkey.pem
certfile = /etc/letsencrypt/live/example.com/fullchain.pem
</ssl>
</server>
I made sure that the keyfile and the certificate are both readable by the yaws user. Next to the keyfiles is a README that contains the following:
`privkey.pem` : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem` : will break many server configurations, and should not be used
without reading further documentation (see link below).
We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
So I'm relatively sure I've used the right file (the other ones gave me errors like badmatch and {tls_alert,"decrypt error"}). I also tried trivial things like writing https:// before the URL, but it didn't fix the issue, also, everything works fine when the server is running without SSL. The version of Erlang running on my server is Erlang/OTP 19. Also, if it's unclear, the domain isn't actually example.com.
Also, example.com is redirected via cname to examplecom.duckdns.org, if that matters.
UPDATE:
My server was listening on port 8080, that was forwarded from the external port 80, for https connections, when the default https port is port 443. My other mistake was connecting to http://example.com instead of https://example.com. Forwarding the external port 443 to the internal port 8443 and configuring yaws to listen on port 8443 fixed everything.
Just to be sure to understand, when you do something like curl -v https://example.com:8080, you get a timeout, that's it ? (here https protocol and port 8080 are mandatory of course)
SSL timeout during accept can be triggered when an unencrypted request is received on a SSL vhost.
Could you also provide the output of the following command:
echo -e "HEAD / HTTP/1.0\r\n\r\n" | openssl s_client -connect mysite.com:8080 -ign_eof
And finally, which version of Yaws are you running ? on which OS ?