I am using IIS8 for managing around 20 sites on one IP. I use SNI to distinguish the requests and leading them to their directories.
I created 20 SSL Certs by letsEncrypt and linked all my pages.
Page 1 has: No IP binding, no SNI, using Cert MAIN
Page 2 has: No IP binding, SNI, www.page2.com, using CERT PAGE2CERT
Page 3 has: No IP binding, SNI, www.page3.com, using CERT PAGE3CERT
and so on...
Page 1 works fine, SSL connection is safe, loads correct cert Main and address bar is green.
Page 2-20 working with their http binding, but fail with https: Provided was Cert MAIN instead of PAGEXXCERT.
I tried setting bindings, enabling SNI for Page1, but this is not working either.
What can I do to simply make SNI working and providing the correct Certs to the clients? My test browsers are recently updated and provide SNI. When I get my SSL Error, I can click on "Visit this site (unsafe)" and it is connecting to https://page2.com to the correct directory. So SNI should work. But the cert is still the false one.
Thanks for your help
Karsten
Related
I'm having some trouble finding any way to make my situation workable. I have 2 applications:
1: External service web application running on sub1.domain.com. If I run this application behind traefik with acme (LetsEncrypt) it works fine. I have a few more backend services (api/auth) that all run with a valid LetsEncrypt certificate and get their http traffic redirected to https by traefik
[entryPoints.http.redirect]
entryPoint = "https"
I have to have some form of http to https forwarding for this service.
2: Internal service web application running on sub2.domain.com. I have a self signed trusted certificate (internal CA) which works fine behind traefik if I set it as a default certificate, or if I use it in the application itself (inside tomcat). However, since it is an internal service I can live without ssl for this if it solves my problem. However, this does not work with traefik's http to https forwarding.
I have been trying to get these 2 services to run behind the same traefik instance but all the possible scenarios I could think of do not work because they are either still work in progress or just plain not working.
Scenarios
1: No http to https redirect, don't bother with https for the internal service and just use http. Then inside the backend for the external webservice redirect to https.
Problems:
Unable to have 2 traefik ports which traefik forwards too Unable to
forward 1 single port to another proto (since the backend is always
either http or https port)
Use ACME over the default cert
2: Use ACME over default certificate
someone else thought this was a good idea. It's just not working yet.
3: Re-use backend ssl certificate. Have traefik just redirect without "ssl termination". I'm not sure if this is the same thing but there is an option called "passTLSCert". However it seems that this is only possible with frontends defined in the .toml file which do not work (probably because I use docker for backends).
4: use DNS-01 challenge to create an SSL certificate for my internal service.
Sounds like this could work, so I'm now using CloudFlare and have an api key. However, it does not seem to work for subdomains. and there is no reply on my issue report: https://github.com/containous/traefik/issues/1953
EDIT: I might be able to fix the issue described in 4 to get this to work. It seems the internal DNS might be conflicting with traefik
Someone decided that on our internal DNS zones would be added per subdomain, meaning that the SOA request returned the subdomain as the name. This does not play nice with cloudflare since the internal dns zone is not the same as the cloudflare dns.
Changing this to a main zone with a records for the subdomains fixed the issue (in combination with the delayDontCheckDNS option).
I have my website https://www.MyWebSite.com running on port 433. But I also have a admin login that only are available from the office local network http://MyServer:9999/Login.aspx. Both addresses points to the same site but different bindings.
Is it possible to get the one on port 9999 to use https? I tried creating a self signed certificate in IIS but my browser still complained, even though I exported the certificate and stored it in my CA Trusted root.
So just to sum everything:
My regular site: https://MyWebSite.com <-- working fine
My admin login, only accessible via local network: http://MyServer:9999/Login.aspx works fine.
When adding a selfsigned certificate issued to "MyServer" (not MyWebSite) and add the new binding on port 9999 I though to the website but Chrome is giving me a warning NET::ERR_CERT_COMMON_NAME_INVALID, even though the cert is Issued To MyServer and are trusted
Is it possible to get the one on port 9999 to use https?
yes it is possible to setup another port with selfsigned
certificate.
Normally Selfsigned certificate will have fully qualified machine name
e.g. machinename.subdomain.domain so you have to browse using https://machinename.subdomain.domain:9999/
Please double check what error you are running into ,In chrome
Your connection is not private
Attackers might be trying to steal your information from in08706523d (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
in IE,you may get
There is a problem with this website’s security certificate.
The security certificate presented by this website was issued for a different website's address.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
In that case,assuming you have given hostname as * in IIS binding, and also installed the selfsigned certificate installed your "Root Certification Authorities " You should be able to browse to
https://machinename.subdomain.domain:9999/ without any issues
I am quite confused here:
I use DNSMadeeasy to manage my DNS. I have two apps.
One is Heroku hosted, and has https on https://example.com - Heroku has many great tutorials to setup the certificate, it hasn't been a problem.
The other one is a wordpress, hosted in 1and1 (though it shouldn't matter here), and is reachable at http://subdomain.example.com and we want it to be available at https://subdomain.example.com
1and1 does sell SSL certificate, but their automated setup works only when one uses their services for DNS also, as they say. Their support says it should be DNSMadeEasy which should be hosting our SSL certificate. I have the feeling it is not true, because for https://example.com, DNSMadeEasy was never involved.
Questions:
When does certificate querying occurs? Before, After, or in parallel of DNS resolution?
Who is hosting a certificate? The DNS provider? The server (accessible like a sitemap.xml at the root for instance)? A third party?
To enlarge the case, in general if I have a personal server with a fix IP, how can I communicate through https with a valid certificate?
In my case, how can I get my way out of it to make https://subdomain.example.com work?
You are right for not believing the 1and1 suggestion.
To answer your questions:
When does certificate querying occurs? Before, After, or in parallel
of DNS resolution?
A client resolves domain name to an IP address first. So DNS resolution happens first.
Who is hosting a certificate?
The server (in simplistic terms) hosts the certificate.
When a client wants to connect to your site (via HTTPS) it will first establish a secure connection with that IP address on port 443 (this is why usually (without SNI) you can only have one SSL certificate per IP address). As part of this process (which is called handshake) a client can also specify a server name (so-called server name extension) - this is a domain name of your site. This is useful if you have an SSL certificate that is valid for multiple domains.
A good/detailed explanation how it works can be found here
http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
if I have a personal server with a fix IP, how can I communicate
through https with a valid certificate?
Your server will need to be able to respond on port 443 and have/host an SSL certificate for a domain that resolves to that IP address.
In my case, how can I get my way out of it to make
https://subdomain.example.com work?
You need to purchase a certificate for subdomain.example.com and install it on the wordpress server.
Usually in hosted solution like yours you have 2 options:
Buy the SSL certificate via the provider (1and1 in your case) - a simpler option, they will configure everything for you.
Buy the SSL certificate yourself. Here you will most likely need to login to your 1and1/Wordpress management interface and generate a CSR (essentially a certificate request). Then you purchase the SSL certificate using this CSR and then you can install it via the same management interface.
The process will look similar to this:
http://wpengine.com/support/add-ssl-site/
we need to host multiple site with different domains.
for instance
a.test.dk
b.test.dk
a.test.fi
b.test.fi
Now from what i know is that being either in apache or iis you would need 1 ip/host when using a domain ssl certificate, that means we would have to buy
4 certificate and 4 ip addresses to host them on
another option is to use wildcard certificates , if we buy a *.test.dk and a *.test.fi we can use 2 ip/addresses and 2 certificates to host the same amount of sites since our iis/apache can use sni.
But now my real question :
there is also something called multiple domain ssl
will this be allowed to run all 4 sites under 1 ip-address?
because we are strugling with our use of external ip-addressess at this moment.
Well you're confusing 2 different things. You're confusing wildcard certificates and SNI (Server Name Indication). They are definitely different solutions to similar problems.
Wildcard certs do not rely on header inspection to encrypt your traffic, you just point the DNS at the IP address you want and your request goes to whatever site you've configured in IIS.
SNI is different and is what you want. SNI inspects each HTTP request and figures out what IIS site you want based on the host headers. Before SNI existed you couldn't inspect headers in SSL requests because the headers were encrypted too.
With SNI, assuming you have certificates for each site (wildcard certs or single site certs, UCC certs, or some combination of those) you can use SNI to inspect each HTTP request and serve up the appropriate SSL cert and site. You can do this for as many websites as you'd like and share 1 IP:port combination across them all.
Here is a WikiPedia article that explains it in a little more detail:
http://en.wikipedia.org/wiki/Server_Name_Indication#Background_of_the_problem
Here is an article on how to configure it in IIS 8 and above:
https://www.digicert.com/ssl-certificate-installation-microsoft-iis-8.htm#multiple
In step 18 in those instructions is where you enable SNI.
Here is an article on how to configure it in Apache 2.2.12 and above:
https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm
I have open ssl installed on the server, all the key ,csr and crt on the server. Configured apache conf to the correct path for key and cert but i don't see a lock in the url(firefox 3.6.2).In chrome it shows https crossed out with red.Does this mean the certificate is not working properly? I have apache2 as the web server.
tls provides both encryption and authentication.
Encryption means that outsiders are unable to read your traffic.
Authentication means that you are confident of the identity of the host your are communicating with.
If chrome crosses out the https, it means that you are using tls, and you have probably set up encryption properly, but chrome is not confident in the authentication of the server. Typically, this is caused by an untrusted certificate; either the subject does not match, or the CA is not trusted.
If you are using a self-signed cert, then it's probably an untrusted CA. Installing the CA into chrome should fix the problem.
I face same problem some time ago that I have installed the SSL certificate successfully but still it show cross on browser address bar, I found the issue was caused due to a image and a javascript file which was included as absolute HTTP url. I change absolute URL to relative and now both files were loading over HTTPS and browser show green bar.