Im trying to enable HTTPS using this guide (https://thingsboard.io/docs/user-guide/install/pe/add-haproxy-ubuntu/#step-10-refresh-haproxy-configuration) but i got stuck on step 9 i believe.
sudo certbot-certonly --domain your_domain --email your_email
I get the following error
certbot: error: unrecognized arguments: --tls-sni-01-port 8443
As far as i can tell, lets encrypt no longer supports this argument (tls-sni-01-port) or using ports other than 80 and 443. I got this from (https://serverfault.com/questions/805666/certbot-letsencrypt-on-different-port-than-443).
I am uncertain as how to solve this problem.
Here is my docker-compose.yml for Thingsboard + HTTPS through Nginx reverse proxy with automatic Let's Encrypt certificates: https://github.com/michalfapso/thingsboard_docker_https/
It uses linuxserver/swag which takes care of the certificates and is kept in sync with Let's Encrypt requirements by the linuxserver.io community.
Related
I have app (backend part) running e.g. on: https://bla.com:8443. I created a certificate for it via letsencrypt for domain bla.com.
When I tried to receive payments (webhook) from www.stripe.com I end up with TLS error. After some investigation I figure out that problem is with invalid certificate chain for https://bla.com:8443 and if I would run it on https://bla.com:443 everything would be ok.
I can't change it to port 443 because on https://bla.com:443 is running frontend part of the app.
I thought about 2 solutions, but my technical knowledge is quite limited so I am not sure if its possible:
create certificate for domain + port
run frontend & backend part on same port: https://bla.com:443 and configure apache2 to forward all /backend-api/* to https://bla.com:8443/backend-api/*
My question is, is any of the proposals possible and more importantly is there any better solution which I am missing?
Thanks for any suggestions!
A certificate is not bound to a port. It is perfectly fine to use the same certificate on port 443 and 8443. But the servers on port 443 and 8443 have a different configuration. If it works on 443 but not on 8443 this is likely due to some error in the configuration on port 8443. The fix is thus to have the correct configuration and not to work around with a different certificate or somehow to reverse proxy it from port 443.
Unfortunately details on how to exactly fix it cannot be given since the current configuration is not known.
Configuring the program to use fullchain.pem instead of cert.pem fixed it for me.
Background:
I have a running app at ports 8080 in the remote server and a https ingress proxy at 443 on the same server, which redirects everything to 8080 app after handling the SSL.
What I want to do:
I want to communicate with the app through SSL remotely, while not having access directly to this domain (it is on a local network, I can access the server remotely via a different domain).
What I did:
I tunneled 443 port from my remote server ssh -L 3001:0.0.0.0:443 user#example.com. I then added 127.0.0.1 example.com to my /etc/hosts to make sure that the domain on my system is resolved properly.
Now, what I can do is enter https://example.com:3001/some/thing/ in firefox and it gets me a proper response from the server, while everything is ran through ssl without any problems. I also am able to use curl without checking the certificate: curl --insecure https://example.com:3001/some/thing works fine.
At the same time secure curl call fails: curl https://example.com:3001/some/thing with the error:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
Just to make sure both are using the same certificates, I actually used this tool: https://curl.haxx.se/docs/mk-ca-bundle.html to create a ca-bundle.crt from the most recent firefox certificates and passed it to curl with --cacert ca-bundle.crt. No luck - the same error. (I also tried following other curl tutorial on getting the local installation of firefox's certs, also no luck).
Question
What is going on? Why is curl's output different from firefox's even if I seem to use the same certificates? How can I debug this?
Side note
The real reason I am concerned about it is that with a normal (local) access to the server, I observed the same behaviour: I could connect to the server through chrome on https, but my react native app could not. I suspect the app to use libcurl under the hood or something similar and I believe debugging this problem could help me understand what's the problem with the app.
I'm having issues with TLS enabling in Mattemost. In my server I configured a lot of virtualHosts plus the mattermost files. In http everything was working fine.
Today I tried to setup TLS and https. I followed the instuctions as in https://docs.mattermost.com/install/config-tls-mattermost .html. Now I get this:
Please notice the error: I'm trying to access domain1.mywebsite.com and the error is "its security certificate is signed by domain2.mywebsite.com". domain2.mywebsite.com is one of the websites configured as virtualhosts in apache.
I did not configure any virtualhost for Mattermost, since I don't thing any is needed (and it worked flawlessly without one, and without TLS). But how can I tell mattermost (or the browser?) that the server of domain2.mywebsite.com is the same of domain1.mywebsite.com?
I generated the certificates using letsencrypt with the standalone option (sudo certbot certonly --standalone -d domain1.mywebsite.com) and didn't move any file, just enabled "UseLetsEncrypt": true, in config.json file.
Do you happen to have any idea about how I could fix this?
Thank you
Marco
You'll need to configure TLS on Apache. You'll needs to use separate certificates for each virtual host.
Here is information that might help you: https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
Don't configure TLS on Mattermost if TLS is being handled by the proxy.
I am on a very newby level when it comes to AWS and SSL.
I got an SSL from GoDaddy. After that I generated the .csr file on AWS and I got an elastic IP. I created a subdomain on godaddy sub.mydomain.com that points to that IP.
I installed the certs following the instructions a found online, but now I get an error. I've tried installing apache2 on the EC2 and rebooting the instance but no luck yet.
Is there a way to remove the SSL cert or Fix the issue? When I got the SSL from GoDaddy, the zip had 2 files and ran the following command to install them:
sudo java -jar lib/ace.jar import_cert gd_bundle-g2-g1.crt gdroot-g2.crt sfroot-g2.crt 54581acbeba8a74e.crt
System said the certs were installed but now as I get that error, on the EC2 we have a unifi controller and we want to get that SSLrunning to accept payments for the hotspot.
I had the same issues my controller is hosted on an EC2 instance.
Check your system.properties which sits in /var/lib/unifi/ open the file with vim or your text editor of choice.
Have a look at your HTTPS options, the important ones are the ciphers and protocols.
The Protocols you need are TLSv1 and potentially SSLv2Hello there should be no other SSL protocols in there.
The Ciphers you ideally want are TLS, so for example TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA
If you are having issues throw them all in, CAUTION! only use this in a demo /test environment.
unifi.https.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
Remember once you have edited the system.properties you need to restart the controller.
sudo service unifi restart
Lots of help on the Unifi page
UniFi - SSL Certificate Error
UniFi - Explaining the config.properties File
UniFi - system.properties File Explanation
I just followed the steps for using SSL on localhost: https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04
But when i access https://localhost, i get this message:
Page Web inaccessible
ERR_CONNECTION_REFUSED
I'm using Apache2 with Ubuntu trusty on Vagrant.
Let me know if you want more informations.
Thank's
There are three possibilities about this message:
Your self-signed certificate is invalid for some reason.
Please see your Apache error log.
Your Apache SSL/TLS protocols do not match with those of your browser.
Try something like the following from a command prompt: openssl s_client -connect localhost:443 to test the SSL/TLS connection. Please update your question with the output.
May be there is a firewall between your browser and your Apache server?
The problem could be due to Apache performing a reverse DNS lookup on the URL - the result of which does not match any of your PC's aliases.
Try https://127.0.0.1 or https://<hostname>.