I have Create SSL certificate using "Let's Encrypt" in Ubantu 18.10 .i follow below documentation to create SSL certificate.
https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates/
I have check SSL certificate was successfully created I have used below command to test it.
openssl verify chain.pem
openssl verify -CAfile chain.pem cert.pem
But Site not working getting 525 error.In cloudflare ""Universal SSL is Active "
Anyone please suggest possible solution to fix this Issue?
Thanks
I found solution. there is issue with apache config file.I have change port "443"
in apache config file and its working fine.
Thanks
Related
I am trying to add SSL cert to heroku.
When I try to add a certificate
heroku certs:add server.crt server.key --type endpoint
I am getting following error.
Resolving trust chain... done
Adding SSL certificate to ⬢ myapp... !
Only one SSL endpoint is allowed per app (try certs:update instead).
And when I try to update certificate as below
heroku certs:update server.crt server.key --type endpoint
I am getting following error
myapp has no SSL certificates
And when I check for SSL certificates
heroku certs
Here's the output
myapp has no SSL certificates.
Use heroku certs:add CRT KEY to add one.
I am unable to add SSL certificate to heroku.
Please help me out. Thanks in advance.
You can add certificates directly from setting sub menu.
Add domain
Click on configure SSL
Add priva6 key and crt
If using pointdns update target values
Is there anyoune out there who got a running arangoDB database working with a letsencrypt certificate? I just can't find out to geht this running.
ArangoDB is running on a digitalOcean droplet and I could get it running togehter with a self-signed certificate following this tutorial. So arangoDB is sucessfully running on port: 8530
Now my approach was replacing the self-signed certificate with a letsencrypt cert.
So I added a subdomain in DigitalOcean to the droplet. e.g.: db.example.com an then generated the cert-files:
sudo -H ./letsencrypt-auto certonly --standalone -d db.example.com
You will end up with 4 files: cert.pem chain.pem fullchain.pem privkey.pem
As I understood, these files are:
Private Key --------> privkey.pem
Public Key ---------> cert.pem
Certificate Chain --> chain.pem
As described in the tutorial I mentioned, you nee the certificate and the key in one file. So i did
cat chain.pem privkey.pem | sudo tee server.pem
to have a file containing the certificate and the private key.
Then I modified the file /etc/arangodb3/arangod.conf to let arango know where the keyfile is and modified the ssl section:
[ssl]
keyfile = /etc/letsencrypt/live/db.example.com/server.pem
But after restarting arango, the server is not available. When trying to connect the browser to: https://db.example.com:8530. Firewall settings for the droplet should all be ok, because I could access this address with the self-signed cetificate before.
I then tried to modify the endpoint in /etc/arangodb3/arangod.conf from
endpoint = ssl://0.0.0.0:8530
to
endpoint = ssl://db.example.com:8530
and also
tcp://db.example.com:8530
None of it was working. Has somebody out there an idea what I am doing wrong?
Please use the ip of the interface you want to use when specifying the endpoint e.g. endpoint = ssl://42.23.13.37:8530 (ip address should list your interfaces along with addresses in use). Then it could help to use the fullchain.pem to create the server.prm (cat fullchain.pem privkey.pem > server.pem). Make sure the resulting server.pem is accessible and readable by the arangodb user. If the server is still not starting correctly please provide logs of the server. To access the logs use systemctl -fu arangodb3.service or follow the logs with tail -f <logfile> if you use some custom location for logging.
I have just tested a setup with letsencrypt certificates and it was working after ensuring all above points.
Shortly after we renewed our SSL certificate on Heroku, all Mailgun webhooks (post requests made by Mailgun to our endpoint so that we can track email deliveries) started failing with the error "Could not connect to remote server: HTTPS certificate validation failure".
How could we check whether this issue might be caused from misconfiguration of our SSL certificate rather than an issue on Mailgun's side?
Here are the details of steps we took to renew and install the certificate:
We followed these instructions to generate a new private key and
CSR.
After uploading the CSR and downloading the CRT file on Namecheap, we ran heroku certs:update as described here.
These are the checks we made to verify successful installation of the new certificate:
Navigated to our site with Chrome, Safari, and Firefox and checked
the certificates. Everything looks right.
Ran heroku certs. The certificate looks good and it is shown as trusted.
Used the online checker here and here (as watery suggested in the comments). Everything is green.
Verified with Namecheap that the intermediates were setup correctly. They basically confirmed that the output of openssl s_client -showcerts -connect www.mysite.com:443 looks right.
A potential lead:
After running brew update openssl and rvm install 2.3.1 --disable-binary, the following was observed. Running Net::HTTP.get URI('https://www.google.com') works, while the same command with our URL fails with OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed.
However, running Net::HTTP.get for our URL on a freshly installed linux Docker container
does not fail, so there may be additional environment factors.
Any leads to the likely cause of this issue, or suggestions for steps we can take to find such lead, are much appreciated.
The issue was found as described in my other related question. COMODO added a new root called COMODO RSA Certification Authority instead of the previous COMODO Certification Authority. The new root was not whitelisted by Mailgun. I contacted support, and they are working to whitelist it.
I think this is related to SSL chaining issue. Please check the ssl certificate you are using must be in order of domain_cert > root_cert > intermediate_cert(they can be multiple). You need to concat certificate in fixed order to fix this issue. I hope this helps you. For more you can test you website ssl in this https://www.ssllabs.com/ssltest/
I got an email from COMODO.
the file is:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
domain_file_.crt
i set this by directadmin and copy files to private_html folder.
now when i check certificate show error:
https://www.sslshopper.com
How can I fix?
tank you.
I think you have not installed SSL correctly on your domain and due to that you are facing this issues, Please add CA bundle while installing SSL for your domain so that you will not get any error with the SSL,
http://www.geotrust.eu/en/support/manuals/directadmin/directadmin/install+certificate/
Working with a standard MediaTemple server setup with an installed GeoTrust domain certificate I am getting different responses from openssl and web requests.
Visiting the site from a site checker site I get a good response and see my domain certificate and the full Geotrust certificate chain.
When using
openssl s_client -connect subdomain.domain.com:443 -showcerts -ssl3
from my local machine I see
Server certificate
subject=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels
Panel/CN=Parallels Panel/emailAddress=info#parallels.com
issuer=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels
Panel/emailAddress=info#parallels.com
and Verify return code: 18 (self signed certificate)
openssl version -d = OPENSSLDIR: "/etc/pki/tls"
It's a Centos 6.x box.
The apache httpd.conf file points to a certificate and CA list in a completely different location: /usr/local/psa/var/certificates/ which would seem fine to me.
Where is the openssl s_client finding the Parallels certificate? It is not located in /etc/pki/tls. Is there a way to configure the box so that the openssl requests and apache use the same server certificate?
Thanks in advance!
openssl s_client gets the certificate from the server during the SSL handshake. OPENSSLDIR is only the place where any (optional) configurations for the openssl tool gets stored.
Note that you might get a different certificate with openssl than you have configured on your server because you need to use SNI (Server Name Indication) like the browser do. This feature is used if you have multiple certificates behind the same IP. To use this feature with openssl add the -servername hostname parameter and provide the name you expect. You must also remove the -ssl3 option since this restricts the connection to SSL 3.0 which is not only insecure but also does not support SNI.
Turns out that on MediaTemple servers they maintain certs in two locations. The apache server has a location for the CA file in its conf files that is different from where openssl maintains its CA files.
You can find the apache location in the conf files and the openssl location with
openssl version -d
Within MediaTemple's web administration pages you can use plesk to install the domain cert into the openssl location as the "server's" cert. The apache server should already have the cert and CA files in the right location. The MediaTemple custom apache configuration overrides the standard apache setup which sets apache's cert locations to be the same as openssl's.