Can't Use https on IIS on windows server 2019 - ssl

I have new server windows 2019 standard Edition, with IIS 10 installed on it I exported my wildcard SSL from my old server to the new server my website can work successfully on http only while on https it gives an error can't open and gives this error
https://www.screencast.com/t/zgpV7hnUw
I tried to create a new request and get a new certificate also get the same error, also I enabled SSL 3.0 in the registry but also no result.
also, strange behavior when I tried to test the SSL with ssllabs website I found the response successful with grade A
Any advice
Thanks in advance

To resolve the issue you could try below things:
1)Open iis manager.
2)select your site-> bindings.
3)add binding with the below values:
type: https
IP: all assigned
port: 443
keep hostname blank
in certificate select IIS Development Certificate and click ok.
restart iis and site.
clear browser history and try to browse the site.

Thanks for you all the problem is when I applied the registry that applies to enable ciphers and Tls 1.3 and Tls1.2 and disable Tls1.0 and Tls 1.1 on windows 2019. windows 2019 don't need to add any ciphers or Tls1.3 and tls1.2 protocols

Related

How do I resolve the TLS error on my website hosted on a server

I am getting the below error when I try to access my website hosted on a server, I have enabled the internet options TSL 1.2,TSL 1.1 and TLS 1.0 and even added the website into the trusted sites on the server but still the issue has not resolved. A new certificate has also been installed on the server.
This is the error](https://i.stack.imgur.com/Hwxfy.png)
I tried changing all the internet options settings including the enabling of TLS , trusted sites and installing a certificate on the server , none worked.

Cloudflare - 525 SSL handshake failed

I switched with my Domain to Cloudflare and now I'm trying to use CloudFlare's SSL Feature.
I already own a SSL cert from StartSSL so I would be possible to set the settings to 'Full (Strict)' but I don't want to so I turned it to 'Full'.
Now I'm getting 525 Errors, after a 'Retry for a live Version' everything is okay.
But I'm getting this Error everytime.
Has anyone an idea ?
Thank you
Picture of my Error
Change Cloudflare SSL/TLS encryption mode in to Flexible. it worked for me.
A 525 error indicates that CloudFlare was unable to contact your origin server and create a SSL connection with it.
This can be due to:
Your servers not having matching or compatible SSL Ciphers
Your website may not have a certificate installed properly
Your website may not have a dedicated IP OR is not configured to use SNI
Attempt to contact your hosting provider for assistance to ensure that your SSL certificate is setup correctly. If you are using a control panel, a quick google search can help you find a install guide for that said control panel.
Visit SSL/TLS tab in Cloudflare. Then:
Switch Your SSL/TLS encryption mode to Flexible.
Make sure to switch On "Always Use HTTPS" under "Edge Certificate" tab.
This will transfer all your request from Http to Https automatically. And if you'll implement custom SSL certificate on your hosting server then this 525 error will automatically disappear without changing anything on Cloudflare.
Got the same problem a few days ago.
Our DevOps contacted support and found out that Cloudflare changed certificate type or smth in that way. Asked to return everything back.
That helped.
I went through the same problem today and found that (at least in my case) it was the lack of TLS v1.3
I had just made a server using nginx + php-fpm and a self signed ssl to use below CloudFlare proxy.
When I switched from the production server to this new one, it gave error 525.
I gave the command: curl -I https://your_server_public_ip/ and it returned the error:
error: 1408F10B: SSL routines: ssl3_get_record: wrong version number
This error is described in the CloudFlare community at:
https://community.cloudflare.com/t/community-tip-fixing-error-525-ssl-handshake-failed/44256
There they advise turning off TLS v1.3 on the CloudFlare panel, but I decided to try installing it.
Using nginx is so easy that I don’t know why to have it shut down.
Only add TLSv1.3 like this-> ssl_protocols TLSv1.2 TLSv1.3; in your nginx/snippets/ssl-params.conf file (default Ubuntu 20 and 18) that will work and you still use the latest and most secure protocols.

403 - Forbidden: Access is denied, certificates issue in IIS7

I have installed a renewed SSL certificate on my web server running IIS7.
After installation, I applied website binding to port 443.
My application uses client certificates too, so I have changed the SSL setting to Require 'client certificate'.
Both client and SSL server certificates are valid but still I am not able to access my application. The error I get is:
403 - Forbidden: Access is denied.
I have enabled client certificate mapping in IIS role settings also but still not getting rid of this 403 error.
I guess client certificate is not able to handshake with server certificate. Please help!
In certificate Store verified all server certificate and client cert with its authority hierarchy are available.
also cross check below settings
Application Authentication: Anonymous
Application SSL Setting: Require SSL/ Accept
ApplicationHost.config: enabled OnetoOneMapping under iisClientCertificateMappingAuthentication also added base64 certificate mapped with service accounts
Also based on my past experience we need to ensure we have SChannel registry setting as mentioned in below post.
https://support.microsoft.com/en-us/kb/2464556
Simplest workaround just discovered this today. In IIS for your application, Go to Edit Bindings and change your port number. 443 to 4431 or 44301. Any variation you want. In your client computer, type in the new URL using new port number and you will establish a fresh connection to application. Make sure you SSL Settings for IIS Application is set to "Accept" instead of "Require". This means you can click "Cancel" when the pop up asks you to select a certificate you can simply hit "Cancel" and still hit the site. No 403 Error.
Do not spend hours trying to mess with your certificate store, just simply change the port on IIS Server and you'll be fine.

Do I need to install SSL on my server?

I have a virtual server with a few websites on it. To be honest I know next to nothing about SSL. When Itry to log in to my servers Web Host Manager or any of my sites Cpanels I get a screen (In chrome) saying "This website is not trusted". Is this because the server needs to have SSL installed on it?
Maybe it's not even to do with SSL, but any explanation is appreciated.
SSL secures your conecction between your browser and the server. If you have important data there you should install SSL to protect your connection from "sniffing".
SSL is network protocol so you have to install it or enable it on the server.
here is resource for installing/enabling SSL on Apache server:
http://www.digicert.com/ssl-certificate-installation-apache.htm
and here is how to install/enable SSL on IIS:
http://support.microsoft.com/kb/299875

Tomcat - enabling two-way SSL

I am using Windows XP and running Tomcat 6.
I am trying to enable SSL on Tomcat. First, I tried it with client authentication.
It didn't work - and I configured it to work without client authentication.
I have certificate installed on the tomcat server, and also the CA certificate installed on the browsers (IE & FireFox).
It still doesn't work.
In IE the server doesn't throw any exception except for EOFException.
In FireFox it throws SSLHandeShakeException: Remote host close the connection.
Can anyone help?
Thanks.
The SSL configuration as provided in the comments is highly suspect - particularly the keyStorePass attribute. I suggest you work from the Tomcat SSL docs and proceed in the following order:
Get https working from a browser with a self-signed certificate
Then get it working with a proper certificate
Then try and add client certificate authentication
This does all work. It is tested as part of the Servlet TCK and every Tomcat release passes the TCK.