I am trying to activate ssl for my websites that I have setup in Lightsail. As I am going to use SSL and lightsail doesn't offer SSL for single instance of server and I need to have multiple servers and then get load balancer and then get the SSL ( which is ridiculous ), I tried to get SSL from 1and1 and then load the certificate into lightsail IIS.
Importing SSL certification ( .cer ) file in IIS is successful and it even show it in the list of approved certificates, but when I try to add a web site in IIS, SSL Certificate list is still empty and when going back to IIS home page and click "Certificates", it has been removed from there.
Does it mean that amazon doesn't allow to import third party Certificates to be imported or there is some other issues.
Any advices would be appreciated?
I found out that in order to activate SSL in windows server IIS , I have to provide a ssl key that is generated using private key and I have to get that private key separately from my SSL provider and also set a password when creating ssl file.
this Private key enabled ssl file is different from regular .cer file that the ssl provider let you to download.
https://serverfault.com/questions/72297/ssl-certificates-disappear-iis
Related
Pulling my hair out here. Yesterday I set up an SSL Certificate in IIS10. This is the process I followed:
In IIS, under Server Certificates complete Create Certificate Request (generated server.csr & server.key)
Go to sslforfree.com and start "create certificate" process.
Enter Static IP in Domain box
In Validity, choose paste Existing CSR (paste in contents of server.csr)
Select free 90 day certificate
Choose HTTP file upload and add auth file to virtual share in IIS.
Verified OK.
Download certificate
Back in IIS, select "Complete Certificate Request"
Browse to and select "certificate.crt" file.
Give it a friendly name etc, and save.
Browse to website under sites in IIS, and select Bindings. Choose the IP of the server, the incoming Port, and the newly imported SSL certificate.
Back in sslforfree, check the installation.
Everything all good
So everything was working beautifully, could see the certificate in the browser etc, job done.
Now come to today, and the server is actively refusing requests. Go back to check the installation of my SSL on sslforfree, and it's no longer found. Tried removing and re-adding, but nothing I do seems to get the SSL to be visible.
It's not that the certificate is refused, the browser doesn't even think it's there. Why would IIS suddenly stop sharing the certificate? I am totally stumped.
EDIT
As per the advice below, I set up a DNS name with CloudFlare and pointed it at my server.
I Set up the bindings in IIS to link to the new hostname and removed the old certificate (one for port 443 and this one for port 4443 which the API runs on):
Ports 80, 443 and 4443 are all port-forwarded on the router to my server:
I then downloaded Win-ACME and successfully created the Let's Encrypt certificate, and the renewal task created in Task Scheduler.
SSL Cert now shows in Bindings:
SSL Certificate appears to be all good:
...but when I go to the site, using the new domain name. Same problem... no certificate:
So I'm not sure what the problem is here...
This issue may happens when the imported cert does not have a private key associated. solution would be to import the .CER file to your system(from where certificate is requested) personel store and export it with private key. Then copy the .pfx file to required server and import it from server certificate option under IIS.
And you can refer to this link: The Whole Story of "Server Certificate Disappears in IIS 7/7.5/8/8.5/10.0 After Installing It! Why!".
Thanks to Lex Li, I was able to dig around with Jexus Manager, and IIS Crypto to work out what was wrong.
Seems having TLS 1.2 an TLS 1.3 enabled on my machine at the same time was causing issues. Discovered this using Postman and disabling certain TLS Protocols, eventually getting it to work.
For those of you who may experience similar issues, using this application and setting it to "Best Practices" after disabling TLS 1.3 in my Registry, I finally have it working, with a certificate.
I have a website in my local network and the website is not ssl secured.
Many clients can not reach the website because of
"ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
Is there any way to secure websites in a local network with ssl? I am using an Active Directory Server in my network.
There are also a lot of local Websites on a vmware that are not secured. I would like to secure them easily.
• I would suggest you to please install ADCS (Active Directory Certificate Services) role in your Active Directory and create a self-signed SSL certificate through it for your internal use. Since, Active Directory is a trusted public key authentication infrastructure provider, the concerned role installed on it for the said purpose does not need certificates from globally trusted CA (certification authority) and can be thus, used locally. For the time being, if you want to create a self-signed SSL certificate on the concerned server, you will have to install ‘Web Server (IIS)’ role and then open the ‘IIS manager’ console from where you can generate the SSL self-signed certificate and bind the same to the website on that server itself. For this process, kindly refer to the link below which explains in detail the steps to be followed for generating a self-signed certificate and binding it to a website: -
https://www.thewindowsclub.com/create-self-signed-ssl-certificates-in-windows-10
Please note that the above stated process is for that server on which the website is hosted locally. Thus, the self-signed certificate generated will not be useful on other servers in your environment.
• To generate an SSL certificate for a web service/website that is hosted on a cluster of servers configured for the same purpose/website, then you will have to configure an SSL certificate template from a root CA, in your case, an AD server installed with ADCS role will serve as a root CA in your domain environment. Then assign that template to the CA (AD server in your case) for it to authorize the issuing of the configured SSL template to the concerned server where the website for which this SSL certificate is to be installed is hosted. For more detailed information regarding this, please refer to the documentation link below: -
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn781428(v=ws.11)#obtain-an-ssl-certificate-from-ad-cs
Please note that the above link states the issuing of the SSL certificate for an ADFS Server. You will need to change the Subject Name of the issued certificate to that website for which you are issuing this certificate.
I have bought my domain name www.thoughtgrub.com from goDaddy.
However I am hosting it on Heroku.
I needed an SSL certificate so I set that up using cloudflare.
When I check whether SSL is installed using https://www.digicert.com/help/
It says certificate installed correctly.
However web browser shows www.thoughtgrub.com as unsecure.
also https://thoughtgrub.com --> throws Site cannot be reached error or
shortener.secureserver.net/error_404
What's going wrong?
IS there any other method to achieve https certification?
you need to go to heroku settings and click on add SSl certificate.
I've tried setting up SSL for localhost running my azure web role.
What I've done is that I've created my own CA, created a client and server certificate and then installed them all in my certificate store. The server certificate is located in the local computer personal certificates, the client certificate is installed in the current user store under personal and the CA certificate is installed in trusted root certificates in both stores.
I've also configured my IIS website to use SSL and used netsh to bind the server certificate to the ip the site is running on.
However when I try to access my website through the IIS, I get an error:
HTTP Error 403.16 - Forbidden
Your client certificate is either not trusted or is invalid.
I know for a fact that the certificates I use are issued by the same CA, so I cant really see any other reason than that the IIS probably cant access my trusted root store. When I deploy my solution to azure, it works without giving me this error, so I'm positive that its a configuration issue with the local IIS that I cant work out.
Any suggestions on what could be the problem here?
I am using the EC2 Load Balancer to handle HTTPS requests. For Chrome & Safari, having the Load Balancer Protocol set HTTPs at Port 443 with the the SSL cert handles most traffic correctly. HTTPS requests from Safari & Chrome are fine. However in Firefox, I get the connection is insecure "(Error code: sec_error_unknown_issuer)." In checking with a cert checker, I get
The certificate is not signed by a trusted authority (checking against
Mozilla's root store). If you bought the certificate from a trusted
authority, you probably just need to install one or more Intermediate
certificates.
In talking with my cert provider, the information I got was :
As we can see certificate has been installed improperly at the server.
There is no CA bundle at the server that is why browsers may show
warning messages.
How do you install a CA Bundle using the Load Balancer?
The solution is to add the ca_bundle to your load_balancer under "Certificate Chain"
That depends on how you are creating the ELB (Elastic Load Balancer).
If you are creating it from the AWS Console, then, when you create the ELB you can create a new SSL sercificate and, when promted, and as #Emile said, you have to specify the contents of the provided "CA Bundle" under the "Certificate Chain" field.
If you are creating it from the command line or using the API, then when you create the SSL certificate you have to specify the "CA Bundle" contents in the "Certificate Chain" parameter.
Right now, what you probably have to do is to create a new ELB specifying the right paramenters, modify your DNS accordingly and once the change has been applied, delete the old load balancer.
First you'll need to obtain a copy of the appropriate certificate bundle from your certificate authority.
Then you'll need to update the SSL certificate on your AWS ELB. Select "Upload a new SSL Certificate" from the ELB Select Certificate window. Paste your current private and public certificate keys into the appropriate fields and then paste the certificate bundle into the "Certificate Chain" field.