First let me state that I am a Linux noob. I am learning as I go here. Here is my situation. I have an Ubuntu 16lts server, with apache. The software we just installed comes with "samples" These samples are stored in the same directory structure as the program. The instructions have you add an alias and a directory to the apache2 config file. Like so
Alias /pccis_sample /usr/share/prizm/Samples/php
This actually worked :)
However now we want to make sure this site is SSL. I did manage to use openssl to import to Ubuntu the certificates we wanted to use. (i am open to using self signed though at this point its non prod so i dont care)
In trying to find out the right way to tell Apache i want to use SSL for this directory and which cert i want to use. Things went wonky on me. I did manage to get it to use ssl but with browser warning as one would epexct with a self signed cert. I had thought that i could just install the cert on our devs machines and that would go away. But no dice. Now in trying to fix all that i just done broke it. SOOOO What I am looking for is not neccessarily and spoon fed answer but rather any good tools, scripts, articles tips tricks gotchas that i can use to get this sucker done.
Thanks
You need to import your certificate(s) into the browsers trusted store. For each browser on each machine you test with. "What a pain!" you probably think. You are right.
Make it less painful - go through it once. Create your own Certificate Authority, and add that to your browsers trusted certificates/issuers listing. This way, you modify each one once, but then any certificate created by your CA certificate's key will be considered valid by those clients.
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
Note that when configuring Apache or other services, they will still need an issued/signed certificate that corresponds correctly to the hostname that is being used to address them.
Words of warning - consider these to be big, red, bold, and blinking.
DO NOT take the lazy way and do a wildcard, etc. DO keep your key and passphrase under strict control. Remember - your clients will implicitly trust any certificate signed by this key, so it is possible for someone to use the key and create certificates for other domains and effectively MITM the clients.
Related
I'm working on automating a web application (F# and Canopy). Getting 'Your connection is not private' screen upon launching the website/ after providing login credentials. Tried a few workaround to have the same disabled, but none did the job. Please help.
The best approach here is not try to hide or cover up the problem, but to fix it properly so you don't have to. Solutions that involve hiding the issue are necessarily going to adversely affect your security.
Note the wording of the error code: ERR_CERT_AUTHORITY_INVALID. That tells us that the certificate for the site is signed by a non-standard or unknown certificate authority.
You mentioned localhost in your comment; you're not going to be able to get a certificate for that, but you could create a self-signed one, however, if you've enabled the localhost exemption and you're still getting the error, it suggests that you may not be using localhost after all.
So, if you have a certificate signed by a real CA and you're seeing this error, it's likely that your local OS or browser has an outdated CA root certificate bundle. you can usually get the latest one by making sure your OS packages are up to date.
If your certificate is self-signed, then the 'advanced' button will allow you to add an exemption. I you have set up your own CA and signed the certificate with that, you need to add that CA's public key that signed it to your OS.
If you've got a "regular" commercial certificate from verisign, letsencrypt, comodo or whoever, then a run through a testing tool like testssl.sh or Qualys SSL labs will tell you more about what's going wrong. Without knowing the actual domain we can't test anything for you.
Added the following argument and it did the job:
options.AddArguments("--ignore-certificate-errors")
We are having problems with some browsers attempting to get Bootstrap 3 (js and css) from the documented CDN (https://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/js/bootstrap.min.js). The main two browsers are IE8 and IE9 and we don't have option of telling client to upgrade. Other high level browsers (even IE11) seem to work properly.
We've had to resort to hosting files ourselves, but obviously I would much rather reference the CDN.
For a simple example, in IE11, if I do the following:
1) Type following in url...
2) Hit enter...
3) Click Run...
Now, IE11 will actually continue and run (obviously script will error out), but all these warnings are my best guess as to what might be tripping up IE8/9 (and maybe other lower level browsers). As I said, I've temporarily hosted the files on our own secure.benefittech.com domain, and no warnings occur when I do same steps.
Here are some screen shots from client browser (IE8) when attempting to run the real site referencing CDN urls.
This first one is showing the debugger not knowing what the .tooltip() method is (from Bootstrap.min.js).
Finally, this is the IE security bar warning they get when hitting the site
Any ideas on how this might be resolved or what info I could supply MaxCDN with to try and resolve this would be greatly appreciated - or do we have to continue to host files ourselves?
I realize IE8/9 are old browsers (neither of which I'd be running at this time), but as mentioned earlier, I don't have option to force client to upgrade and surprised no one else has raised this issue (when I contacted MaxCDN, they were surprised by the issue, but not being experienced in Certificate 'technology/language', I didn't really know what to provide them.
Do you have a test environment with IE8/9 where you could do some tests? It could be a problem with certificate chain building. Maybe some certs in the chain are not trusted.
Could you import SubCA certificate from http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt to intermediate CA store and Root CA from http://secure.globalsign.net/cacert/Root-R1.crt?
SubCA certificate (GlobalSign Domain Validation CA - SHA256 - G2) is pretty new (issued 20.02.2014) so if IE8/9 does not follow authority info access from end entity certificate (to build certificate chain) or it does not handle well that the certificate of subCA is in PEM format at http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt (should be DER IMO) or if by any chance GlobalSign Root CA is not trusted by IE8/9 then I believe this could be the reason for the IE warnings.
I need to add SSL to my heroku custom domain. I have done through a wide variety of keys/crts/pems etc. All I want to do is have SSL on a heroku wildcard custom domain.
I bought a wildcard ssl certificate. I have a plan on DNSimple.com, and now I need to upload everything to the server.
What files do I need to add? How can I get them?
I have a Certificate and a private key from DNSimple, now I understand I have to upload a CRS file to DNSimple. Can someone offer a step-by-step, heroku's is very poorly designed and convoluted.
Right now, chrome gives me a big red user warning.
Thanks,
Brian
Hope you have gone through Heroku documentation for DNS simple-
https://devcenter.heroku.com/articles/ssl-endpoint
https://devcenter.heroku.com/articles/ssl-certificate-dnsimple
If still not working, let me know. Will post the steps needed to do this.
I have two "Web Sites" running under IIS6 (Windows Server 2003R2 Standard), each bound to a separate IP address (one is the base address of the server).
I used SelfSSL to generate and install an SSL certificate for development purposes on one of these sites and it works great. I then run SelfSSL to generate a certificate for the second site and the second site works, but now the first site is broken over SSL.
I run SSL Diagnostics and it tells me:
WARNING: You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed
If I re-run SelfSSL on the first site (to fix it), the first site works but then the second site is broken.
It seems like SelfSSL is doing something in a way that is designed to work with only one Website, but I can't seem to put my finger on exactly what it's doing and figure out how to suppress it. I would manually configure SSL but I don't have a certificate server handy, but maybe there is a way to get SelfSSL to just gen the cert and let me install it?
FWIW I have also followed the guidance of several posts that indicate changes to the permissions of the RSA directory are in order, etc. but to no avail. I don't work with SSL everyday so I may be overlooking something that someone with more experience might notice, or perhaps there is a diagnostic process that I could follow to get to the bottom of the issue?
We had a similar problem today. Our IT guy said he solved it by basically using ssldiag instead of selfssl to generate the certs.
See the reply from jayb123 at this URL: http://social.msdn.microsoft.com/forums/en-US/netfxnetcom/thread/15d22105-f432-4d8f-a57a-40941e0879e7
I have to admit I don't fully understand what happened, but I'm on the programming side rather than the network admin side.
I need to see how a web application will work with HTTPS. But I can't really find much information around about it. I tried to set up my local Apache but I can't find a CA autorithy to sign my certificate... Hints? Suggestions?
The possibilities to consider are:
Generate your own certificate (self-signed certificate)
Get a certificate issued by a known issuer
Get a certificate issued by an issuer not recognised by the browser
Nr. 1 is probably the most widely used solution. You can find instructions here. The only disadvantage is that browsers will complaint about the unknown CA. In Firefox, you can just add a permanent exception and get rid of the warning. (Neither Chrome nor Internet Explorer seem to provide such option.)
Nr. 2 normally costs money so it isn't a popular choice for dev environments.
Nr. 3 can be obtained for free (see https://www.cacert.org/) but they also trigger a browser warning. A difference with nr. 1 is that you have the possibility of adding the CA to your browser's trusted authorities; however, that's a serious decision that requires serious consideration because of its security implications. In general, I would not recommend it for mere testing.
Self-signed certificates (as already mentioned) are probably the easiest option for a single host.
If there are a few hosts, you could create a mini CA of your own. There are tools for this, for example:
CA.pl: a script provided with OpenSSL.
TinyCA: a tool with a GUI.