I have spent 2 days trying various solutions breaking the stack multiple times... you are my only hope:)
I have setup Plesk on an aws instance and i'm using a webhost license.
Set up a hostname, issued a certificate with lets-encrypt, and works fine when accessing the admin interface on hostname.com:8443
Set up a client domain, issued certificate with let-encrypt, works fine for the front end but when i want to enter admin on clientdomain.com:8443 i get a privacy error. Same thing when trying to access admin with the server ip only as well. In both cases it tries to pull the certificate of "hostname" instead of the cert issued to the client domain.
The goal is to get clients clientdomain.com:8443 and server ip working with ssl or to redirect to hostname.com:8443
I would like to understand what's happening and how can i fix it.
Just in case someone stumbles across the same issue:
Currently this is not possible in Plesk (Obsidian18.0.27) but its being considered
As a temporary solution the best practice is to redirect all clientdomain:8443
requests to hostname:8443 and force https to ensure secure connection.
To achieve this follow these instructions:
https://support.plesk.com/hc/en-us/articles/115001421414
Related
I am trying to use Azure Traffic Manager to load balance traffic between a website hosted on an Azure VM in 2 different regions (Europe and US).
The Azure Traffic Manager is setup happily with the DNS name mywebsite.trafficmanager.net
I have 2 end points setup with dns names mywebsite-uk.uksouth.cloudapp.azure.com and mywebsite-us.westus.cloudapp.azure.com
In order to setup a vanity domain I have a CNAME record pointing to
www.mywebsite.trafficmanager.net
When I go to http://mywebsite.trafficmanager.net or www.mydomain.com I get correctly routed to the closest site.
Unfortunately I am struggling when I try to get HTTPS / SSL working. I am attempting to use Let's Encrypt via the Certify SSL Certificate Management tool to issue an SSL certificate to each of the servers however I am getting the following error:
Validation of the required challengers did not complete successfully. Please ensure all domains to be referenced in the Certificate can be used to access this site without redirection.
I have created bindings in IIS for both mywebsite-uk.mydomain.com and www.mydomain.com, and an A record for mywebsite-uk to the ip of the web server and whenever I request a certificate that includes www.mydomain.com I get the error.
Has anyone got an experience with this type of setup? and more importantly any advice on what I am doing wrong? Would I be better biting the bullet and getting a paid for SSL certificate?
Many thanks in advance,
this one is driving me mad - hopefully anyone of you can help.
I ordered a cloud server with intention of running multiple customer sites on one server/one ip. Everything is working fine so far, but Im having troubles with SSL.
I added 2 Domains (Domain a, Domain b) via Plesk Panel and installed basic ssl certificates which are working perfectly fine. Both Domains can be accessed via https:// and in the broswer both certificates are shown as valid / secure
Problem: Im getting SSL Issues / Warnings when connecting to the domains mailboxes -> to secure the Plesk Panel a self-signed Certificate was pre-installed.
When I exchange the Plesk self-signed certificate to a certificate for Domain a, Domain a mailboxes are working perfectly fine - but not for Domain b. (obviously). What certificate do I need to install to secure the Plesk Panel and which does not cause any problems with all underlying Domains & their mailboxes?
Will creating a certificate for the servers IP address will do the trick? Is this accepted, even possible or will it result in another warnings? If yes, do I need to create a certificate for xx.xxx.xxx.xxx or xx.xxx.xxx.xxx:8443?
Or is there any other option for running multiple domains on one shared ip?
Any help/guidance is very much appreciated!
Thanks!
Did you mean something like mail.domainb.com or autodiscover.domainb.com for mailbox? Then make sure you have valid SSL certificate for them also not only for mail domain. As far as I know you would not be able to get third-party certificate on IP addresses.
Sorry if I have guessed wrong.
Here is my story
I have Amazon EC2 with Tomcat 7 hosted at an Elastic IP as
http://ec2-XX-XXX-XXX-XX.us-west-X.compute.amazonaws.com:8080/webAppX
http://ec2-XX-XXX-XXX-XX.us-west-X.compute.amazonaws.com:8080/webAppY
http://ec2-XX-XXX-XXX-XX.us-west-X.compute.amazonaws.com:8080/webAppZ
Then I bought a domain at 1&1 as domainXYZ.com
I bought SSL from sslmate.com for the domainXYZ.com
Now, my confusions come
We follow instructions from sslmate.com and do the same for httpd from Amazon EC2 but when I access https:// , the browser says errors as below
Your connection is not private
Attackers might be trying to steal your information from ec2-XX-XXX-XXX-XX.us-west-2.compute.amazonaws.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
This server could not prove that it is ec2-XX-XX-XX-XX.us-west-2.compute.amazonaws.com; its security certificate is from www.domainXYZ This may be caused by a misconfiguration or an attacker intercepting your connection. Learn more.
Could you please advice me what things I missed or wrong.
Question #2: How come I re-direct from 1&1 to ec2-XX-XX-XX-XX.us-west-2.compute.amazonaws.com?
I do see we have options such as FramRedirect, or A record by changing DNS using IP
But I'm not sure which one I should use for HTTPS will be handled.
Thanks,
Nghia
You are making your life unnecessary difficult.
Just buy the domain using AWS Route 53 and link it to your Elastic IP.
As soon as your instance is reachable via the domain set up a certificate for free using LetsEncrypt and EFF's certbot.
Finally open HTTPS port via AWS console security settings.
I am using the Let's Encrypt IIS client from https://github.com/Lone-Coder/letsencrypt-win-simple to generate a certificate for a server. Since the certificate is only valid for three months, I want it to auto-renew.
But the server for which I need that auto-renewing certificate is only bound to https:||mysubdomain.mydomain.com:443 and smtp:||mysubdomain.mydomain.com:25.
Both http:||mysubdomain.mydomain.com:80 and ftp:||mysubdomain.mydomain.com:21 point to a different server.
As you may have guessed, the error that is now thrown during the process is "The ACME server was probably unable to reach http:||mysubdomain.mydomain.com:80/.well-known/acme-challenge/abcdefgh...xyz".
It is completely clear to me why, but I can't fix it, because http:||mysubdomain.mydomain.com has to point to the other server. If the ACME server would try https:||mysubdomain.mydomain.com:443/.well-known/acme-challenge/abcdefgh...xyz, but ignore any certificate issue, he would successfully find the challenge.
Is there anything I can do, any feature I have overlooked, that would help me to get automated renewal working?
There are multiple options:
http-01
Redirect http://example.com/.well-known/acme-challenge/* to https://example.com/.well-known/acme-challenge/*, Boulder will happily follow any such redirect and ignore the provided certificate. That's the most simple way if you have access to the other server and can configure that redirect. It's a permanent redirect that you don't have to adjust, it'll be just fine every three months.
The option to use HTTPS directly has been removed due to security issues with some popular server software that uses the first host defined if some other virtual host doesn't define any HTTP host, which might lead to wrong issuances in multi-user environments aka shared hosting.
tls-sni-01
If you want to use just port 443, you can use another challenge type called tls-sni-01. But I think there's no client for Windows available yet that supports that challenge type.
dns-01
If you have control over the DNS via a simple API, you could also use the DNS challenge, it's completely independent of the port you can use.
I have SSL working fine in production but have some issues locally.
When I run the site it opens 2 tabs, one http:// and one https://
I want to just use the http:// tab locally for testing. When I go to a page that requires https I get the error:
Unable to make a secure connection to the server. This may be a
problem with the server or it may be requiring a client authentication
certificate that you don't have
I have added the certificate to:
Persona/Certificates
Trusted Root Certification Authorities/Certificates
Intermediate Certification Authorities/Certificates
Everything works fine locally when I use the https:// tab.
Do I need to add the certificate somewhere else too?
Using SSL certs locally is always a challenge. When the website opens, it's likely using the loopback IP (127.0.0.1) which will always (rare exceptions, perhaps, that I can't think of) give a certificate error, because the cert is bound to a domain name, not an IP. Ideally you'd probably want to not use your websites real SSL cert locally anyway for security reasons.
You can use a self signed cert for localhost, which should work:
http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/32bc5a61-1f7b-4545-a514-a11652f11200
Also, I just blogged a code snippet we've used before -- in short, it just avoids using SSL for local connections and otherwise lets you define which pages/folders should otherwise be SSL protected...
http://www.structuretoobig.com/post/2013/02/19/Skipping-SSL-Connections-Locally.aspx