Doesn't seem to find my certificate. When I visit site with https advise if certificate is out of date and points to when the domain was first set up doesn't seem to use or find the new certificates.
Have created new lets encrypt certs in plesk (CENT OS) and even as advised copied and moved said certs to a folder in /var/lib/couchdb/certs/
gave teh folder and certs CouchDB ownership and certs also set to 600 and edited .ini as follows and restarted CouchDB but just doesn't seem to work.
[daemons]
; enable SSL support by uncommenting the following line and supply the PEM's below.
; the default ssl port CouchDB listens on is 6984
httpsd = {chttpd, start_link, [https]}
[ssl]
cert_file = /var/lib/couchdb/certs/fullchain.pem
key_file = /var/lib/couchdb/certs/privkey.pem
Related
Pulling my hair out here. Yesterday I set up an SSL Certificate in IIS10. This is the process I followed:
In IIS, under Server Certificates complete Create Certificate Request (generated server.csr & server.key)
Go to sslforfree.com and start "create certificate" process.
Enter Static IP in Domain box
In Validity, choose paste Existing CSR (paste in contents of server.csr)
Select free 90 day certificate
Choose HTTP file upload and add auth file to virtual share in IIS.
Verified OK.
Download certificate
Back in IIS, select "Complete Certificate Request"
Browse to and select "certificate.crt" file.
Give it a friendly name etc, and save.
Browse to website under sites in IIS, and select Bindings. Choose the IP of the server, the incoming Port, and the newly imported SSL certificate.
Back in sslforfree, check the installation.
Everything all good
So everything was working beautifully, could see the certificate in the browser etc, job done.
Now come to today, and the server is actively refusing requests. Go back to check the installation of my SSL on sslforfree, and it's no longer found. Tried removing and re-adding, but nothing I do seems to get the SSL to be visible.
It's not that the certificate is refused, the browser doesn't even think it's there. Why would IIS suddenly stop sharing the certificate? I am totally stumped.
EDIT
As per the advice below, I set up a DNS name with CloudFlare and pointed it at my server.
I Set up the bindings in IIS to link to the new hostname and removed the old certificate (one for port 443 and this one for port 4443 which the API runs on):
Ports 80, 443 and 4443 are all port-forwarded on the router to my server:
I then downloaded Win-ACME and successfully created the Let's Encrypt certificate, and the renewal task created in Task Scheduler.
SSL Cert now shows in Bindings:
SSL Certificate appears to be all good:
...but when I go to the site, using the new domain name. Same problem... no certificate:
So I'm not sure what the problem is here...
This issue may happens when the imported cert does not have a private key associated. solution would be to import the .CER file to your system(from where certificate is requested) personel store and export it with private key. Then copy the .pfx file to required server and import it from server certificate option under IIS.
And you can refer to this link: The Whole Story of "Server Certificate Disappears in IIS 7/7.5/8/8.5/10.0 After Installing It! Why!".
Thanks to Lex Li, I was able to dig around with Jexus Manager, and IIS Crypto to work out what was wrong.
Seems having TLS 1.2 an TLS 1.3 enabled on my machine at the same time was causing issues. Discovered this using Postman and disabling certain TLS Protocols, eventually getting it to work.
For those of you who may experience similar issues, using this application and setting it to "Best Practices" after disabling TLS 1.3 in my Registry, I finally have it working, with a certificate.
Configure Apache and F5 loadbalancer.
From Apache layer we generate CSR and get the trusted cer as:
1) .cer
2) .p7b
Then I convert the .cer and .p7b file to .crt file and configure in our apache as keyfile, certificate and chain.
We are facing some issue while configuring the SSL between F5 and Apache. Our flow is:
Client(SSL) -> F5 (SSL drops ) -> (recreate ssl to apache layer) -> Apache webserver.
1) create CSR from apache web layer, get sign as trusted from the company (not external)
2) configure in ssl.conf and ciphersuite
Now initiate a request using openssl it is throwing:
depth = 1
DC = net
DC = racb
CN = XXXXXX
CA 1 verify error:num=20:unable to get local issuer certificate read from 0x1b9c8d0 [0x1ca04f3] (5 bytes => 5 (0x5))
In order to verify it I modified the /etc/hosts entry as xxx.xxx.xxx.net as 127.0.0.1 and move the chain certificate to /etc/pki/ca-trust/source/anchor and update-ca-trust extract and run the openssl which is return with error code=0 and waiting in SSL session.
What mistake we are doing in F5 no idea.
Can someone throw the lights?
If you're setting up a bridging config, you need both an SSL Client Profile (typically you take your Apache key/cert/chain) and an SSL Server Profile, and both are chosen on the Virtual Server configuration.
For the Client Profile you first need to import the private key, the certificate(s) and of course you have to see on the Certificates screen that the private key matches the certificate.
Usually for the Server Profile, if we know that we can trust the backend server, instead of setting up something with certificates of your own, we just choose the unsecure-compatible profile and it will work in almost all cases.
If there is no need to setup SNI, it's enough to make it work.
I have installed a new certificate on an existing webserver.
Ran "https://www.sslshopper.com/ssl-checker.html". says the certificate
is 700+ days old.
The domain is "www.infocon-inc.com"
Certificate is SHA2.
Created a free certificated made sure sha256.
using both the configure file and the command line -sha256.
running Apache 2.2+ with openssl 1+
Checked IP Address
checked the firewall https is open port.
restart Apache, everytime I updated the certificate.
Still get "ERR_CERT_AUTHORITY_INVALID" error in the browser.
Site has been up for years.
Any ideas as to where to look for the problem?
The problem was there was in ssl.conf referenced localhost.crt and localhost.key.
I try to activate ssl of emqttd server. For this, I added following lines to emq.conf under the etc folder.
mqtt.listener.ssl.tls_versions = tlsv1.2,tlsv1.1,tlsv1
mqtt.listener.ssl.handshake_timeout = 15s
mqtt.listener.ssl.keyfile = etc/certs/key.pem
mqtt.listener.ssl.certfile = etc/certs/cert.pem
mqtt.listener.ssl.cacertfile = etc/certs/cacert.pem
mqtt.listener.ssl.verify = verify_peer
All other settings is same to default.
However, I can connect my local mqtt server without doing any ssl configuration like ssl version, certificate, etc. by using mqtt-spy broker. I think i didn' t configure ssl properties of emqttd. How can i solve this problem?
Thanks in advance.
You must check which port you are trying on for SSL.
Secondly you need to place your key.pem and cert.pem at the path mentioned.
It will just work fine if client have the certificate to authenticate the server.
I'm trying to connect to a server using an SslStream. I've been given a PFX file from the owner of the server and I've installed it on my client but I'm not sure how to access the certificate from my code.
Specifically, imagine that I have the following code...
var serverName = "?";
var stream = new SslStream();
stream.AuthenticateAsClient(serverName);
What would the value of serverName be? I've tried
the IP address of the server
"MyServer"
"CN = MyServer"
None of these values seem to work. Is there something additional I need to do to access the cert store on my machine, or do I not understand what the serverName needs to be?
It must be the Common Name (CN - which is usually a fully qualified domain name) of the servers certificates subject for the host you are connecting to.
For example if the servers certificates subject looks like:
CN = www.verisign.com, OU = Production Security Services, O = VeriSign, Inc ...
you should use:
stream.AuthenticateAsClient("www.verisign.com");
If the host you are connecting to allows connections without client certificate verification then you should be able to connect to it (with a browser for example - if HTTPS) and see the server certificate, or you can try using OpenSSL client.