Authorization Failed to install new certificate on Windows server 2012 - ssl-certificate

I'm trying to create a new certificate for my website which is hosted on Windows server 2012.
Currently, I have a self signed expired certificate. I would like to try Let's Encrypt SSL cert. So, I've downloaded latest version of Lets Encrypt from https://github.com/PKISharp/win-acme/releases and ran wacs.exe from unzipped folder.
When I select N=Create new certificate and entered my domain, I'm getting below error.
Expected: Certificate installed
Actual: Authorization failed error

It looks like the server is not reachable from the Internet. Your server must be accessible from Internet in order to allow Let's Encrypt systems to verify the ownership of the domain.
According to the error which appears (NXDOMAIN), it may be that the website is too new (DNS registers can take up to 48 hours to replicate), the DNS are not properly configured to point to your server, or maybe you have a firewall or filter which disallows external connections.
Make sure that you can reach your domain from Internet first and it points to your server, then try again to request a certificate.

Related

Publishing to IIS with WebDeploy from Visual Studio certificate error

I'm attempting to move to a new server. The new server is Windows 2022 with IIS 10. I've added my domain, lets use example.com, and added a trusted ssl certificate to it. The site is reachable and only accepts secure connections. I pinged the domain and the ip matches the server.
This is the certificate information when you visit the webpage.
My publish settings are set to that domain for all applications that I'm publishing on this server:
https://example.com:8172/MsDeploy.axd
When I go to publish though, it's giving me a message about an invalid certificate.
It's not seeing the certificate that I have for for mydomain.com. Does WebDeploy use a different certificate when publishing? I thought it would use the domain that I'm connecting to domain.
Anyone have any suggestions?

How to run a website on a subdomain when the root domain is hosted elsewhere

Scenario:
I have built a job board for a client and am running that website on my server while the client’s main website is still hosted in its original location.
client.com (root) is on client’s server
jobs.client.com on my server
“jobs” is set up on client.com as an “A” record pointing to the IP address of my server. A real subdomain has not been created on client.com’s server.
Problem:
I am getting a SSL error because it seems jobs.client.com is not covered by a certificate.
Question:
Is it just a matter of time before client.com’a certificate provider will detect and cover the new subdomain?
Or will I need to add a certificate to jobs.client.com on my server?
Is it just a matter of time before client.com’a certificate provider will detect and cover the new subdomain?
No.
Or will I need to add a certificate to jobs.client.com on my server?
Yes. The certificate covering the hostname specified in the URL needs to be explicitly installed at the server which serves this hostname. It is unclear what kind of certificate your server currently provides, but likely the wrong one.

How to force browser to fetch new SSL certificate instead of old one using server side configuration (Nginx)?

We have a website with SSL configured. 2 days back SSL certificate was expired so I purchased a new instead of renewing. I have configured the new one. Now some of users are still getting SSL certificate expired issue although the new one is configured.
I want to force the browser to recheck the new SSL certificate using some server side configuration since we can not go and update each user browser certificate manually. It have to be done using some server side configuration. We are using Nginx.
This is really critical to us.
Please help in this regard.
Thanks!
The certificate is validated by the client only when the server sends one. The server sends one with each full TLS handshake. The browser does not somehow cache an old certificate and ignore the one sent by the server when validating.
It is more likely that you've not fully rolled out the new certificate on the server side. For example if you have multiple servers make sure that all have the new certificate. If your server provides access for IPv4 and IPv6 make sure that in both cases the proper certificate is served. If you provide service on multiple ports make sure that they all use the new certificate.
It's also possible your affected users are behind a proxy that caches certificates. For example if they're behind a Smoothwall proxy that generates its own certificates after inspecting HTTPS traffic and caches them.
Either way, if you've updated the certificates on your server and restarted the necessary services, it's probably nothing you have control over and will most likely resolve itself in time.

Odd SSL certificate issue

So, I have a wildcard SSL cert from Go Daddy, and it has been installed on a few servers. However, on one particular server I cannot seem to get this thing done. Here's the process that has worked on all servers but this one:
1. Create CSR
2. Having gotten the certificate from the provider, I open the MMC certificates snap-in and import the intermediate cert to the intermediate authority store (or personal store, both have been tried). This is successful, in that I can view the certificate from the MMC
3. Go to the IIS server and under Server Certificates, I complete the CSR, point to the provided certificate and it imports into the web server successfully.
4. I go to an individual web site to assign the certificate to the web site under binding. When I select https and the IP address, the drop-down menu activates, but the certificate I just installed is not available for choosing.
5. I go back to the server Certificates, and the cert I just viewed is no longer there.
Go Daddy says to rekey, however, this makes no sense, since immediately prior to this, I installed that same wildcard cert to a different server, and it works fine. Obviously, this is something with IIS or Windows on this particular server.
Does anyone have any idea how to fix this without rekeying? Server platform is Windows 2008R2, IIS 7.5
If you have followed steps described in https://www.godaddy.com/help/iis-7-install-a-certificate-4801 then from your side it's done. And for more references, you can also check out this https://stackoverflow.com/a/43247419/7738413
Otherwise, rekeying is the last option.

SSL with WCF not working! How to Debug

I am dabbling with WCF and SSL and have hit a bit of a problem.
I have a self-hosted WCF service and a basic client which connects to request a token.
I have it set up on my development machine it appears to communicating over SSL just fine.
But when I set it up on a different machine to test the deployment the client keeps getting nothing back from the service.
I assume it has something to do with the certificates I have set up as this is the only thing I think could be different.
I have used the netsh command to associate my port with an existing certificate that was already on the server. And it appears the same as my dev machine (where I created the certificate with makecert manually.
I initially tried to follow the same steps on the deployment server but failed as there was already a certificate with a common name of the server, so eve though the certificate generated when ever I tried to use the cert hash thumbprint of the newly generated certificate I was being given the :
SSL Certificate add failed, Error: 1312
A specified logon session does not exist...
The only way I could get the netsh http add to work was by specifying the cert hash of the existing certificate.
Is this my problem or a red herring? How do you debug issues like this?
Personally I just configure WCF tracing. It usually provides more user friendly info about a problem. Here's a how to link Configuring Tracing
Hope it helps!