I am wondering if anyone has any experience with Zevenet Load Balancers.
I have setup the community version (V4). I have 2 web servers with replicated content, I have a virtual IP setup in the system which points to the 2 IP addresses of the web servers. The load balancer works for HTTP and HTTPS traffic correctly but shows an cert error when trying to get to the servers via HTTPS.
I want to combat this by adding a certificate to the load balancer. To do this I have followed the these steps:
https://www.zevenet.com/knowledge-base/howtos/manage-certificates-with-zen-load-balancer/ (ignoring the bit about purchasing a cert from SofIntel as we use JISC for our Certs)
Basically I created a certificate in the load balancer, generated the CSR, purchased a certificate from JISC by uploading the CSR generated from the load balancer.
I then downloaded the ZIP file from JISC which contains the crt for the domain, as well as the root certificates required also in the ZIP.
I tried uploading the ZIP to the load balancer and it pops up an error showing that the certificate needs to be created in a PEM format.
I then found this here:
https://www.zevenet.com/knowledge-base/howtos/create-certificates-pem-format/
I am not really sure what this is asking me to do....does this mean the original CSR that I generated is irrelevant now? The instructions on the above link say that the PEM file needs to be the following:
-----BEGIN RSA PRIVATE KEY----- Private Key (without passphrase) -----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE----- Certificate (CN=www.mydomain.com) -----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- Intermediate (Intermediate CA, if exists) -----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- Root (ROOT CA, who signs the Certificate) -----END CERTIFICATE-----
Essentially I already have the domain certificate, the intermediate and the root all from JISC now. But is there any way can go about getting the Private key from the load balancer so that I can just create the PEM file manually.
I am pretty new to cert stuff, not sure why it wont just let me upload the zip file.
Related
I need to make a request to a soap service and it is protected with certificates.
I have installed the certificates as far as I am able to tell. However the soap request fails with handshake errors.
I have a bunch of certificate files given to me but I have no idea which ones are which.
So I have as follows (names changed to protect information)
MyCertificationAuthority.pem
MyCert.pem
MyCert2.pem
then I have what looks to be the same things in a different format.
MyCertificationAuthority.p7b
MyCert.p7b
then I have a single file named MyCert.pem but is smaller in file size than the other one of the same name and contains simply
-----BEGIN NEW CERTIFICATE REQUEST----- a lot of characters
-----END NEW CERTIFICATE REQUEST-----
I was told that this was the private key file, however if I check it using
openssl rsa
then it errors.
I have double clicked on the p7b files and installed the certificates in them using the default options and I have those certificates in the Certificate Management app in windows.
3 are in the Third Part Certification Authorities folder
1 ended up in the Other People folder (which I have also copied into the Trusted Root Certification Authorities Folder)
4 have ended up in the Intermediate Certification Authorities Folder
All were installed for local computer rather than current user.
Now I am led to believe I should have a private key file too. However I can not find where this could be.
What am I doing wrong? Where would I normally get the private key file from?
I would have thought the service side has the private key in order to verify that our certificate is valid?
MyCert.pem is as follows (with the actual data removed for privacy reasons)
subject=CN=********************** issuer=CN=************************
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE----- subject=CN=**************** issuer=CN=*****************
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN=********************** issuer=CN=***********************
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
I've been getting this error for a long while:
POST to https://www.xxxxxx.com/hook/mandrill/quotations/opened failed: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I got my certificates re-newed by Comodo recently & ever since, I've been getting these errors.
It still seems to work though, but I'm worried some of the webhooks might not get through.
Is someone getting these errors as well? Might it be a problem on their side? Cause I have checked my website on https://www.sslshopper.com/ssl-checker.html and it's seems to be perfectly fine..
Also I'm hosting my website on Amazon
Thanks
This is an issue with your installed SSL certificate. You most likely did not combine the .crt file and the .ca-bundle file they provided to you and only installed the .crt file. Comodo provides the following two files in the zip package they make available to you:
_yourdomain_com.crt
_yourdomain_com.ca-bundle
The .ca-bundle includes all your intermediate certificates. You need to combine the contents of the two above files together. Your output .crt file would look something like:
-----BEGIN CERTIFICATE-----
contents of original crt file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
contents of 1st cert in ca-bundle file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
contents of 2nd cert in ca-bundle file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
etc...
-----END CERTIFICATE-----
You must list the original certificate as the first certificate in the output file. Then comes the intermediate certificates in your bundle.
Replace the .crt file that your server is pointing to with the above output .crt file. No need to change any of the web server configurations for either Apache or Nginx - both support bundled certificates. Make sure to restart your web server once the changes are made.
Before you make any of the above changes, you can actually see whether or not the missing .ca-bundle is causing your error by running a SSL test against your domain. In the results section after the test finishes, look for Additiona Certificates. The results will state that you are missing certificates if you do not have the appropriate intermediate certificates in your .crt file.
I am trying to use certificate signed for another server. I have both private key and certificate.
My PEM file order is :
subject=/C=***/L=*****/O=**********/CN=*********
issuer=/C=***/O=*****Inc/CN=********Secure Server CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/O=******** Inc/CN=********* SHA2 Secure Server CA
issuer=/C=US/O=********* Inc/OU=*********/CN=******** Global Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/O=********* Inc/OU=***********/CN=*********** Global Root CA
issuer=/C=US/O=********* Inc/OU=************/CN=******** Global Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
When i tried to deploy it to my haproxy, i got this error.
[ALERT] 188/141626 (2322) : parsing [/etc/haproxy/haproxy.cfg:32] : 'bind *:443' : inconsistencies between private key and certificate loaded from PEM file ................
[ALERT] 188/141626 (2322) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 188/141626 (2322) : Proxy 'www-https': no SSL certificate specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:32] (use 'crt').
[ALERT] 188/141626 (2322) : Fatal errors found in configuration.
Errors in configuration file, check with haproxy check.
And my haproxy version is:
HA-Proxy version 1.5.2 2014/07/12
Copyright 2000-2014 Willy Tarreau <w#1wt.eu>
I can start my haproxy with self-signed cert. Why does occur this inconsistency? I am sure that private key belongs to certificate.
I'm trying for hours now but I can not find the reason.
Please help! Thank you!
The order of the certificates in your file is wrong. It seems you are putting the intermediate certificate (i.e. Secure Server CA) first which is thus expected to be the server certificate. The order of the certificates needs to be:
server certificate
server private key (without any password)
intermediate certificate 1
intermediate certificate 2
It's actually not that important where you put the private key. However, the order of the certificates strictly needs to be ordered from leaf to root, i.e. first the server certificate, then the intermediate, then it's parent. Basically, you put the server certificate first, then its signer, then its signer, ...
For more information, please refer to the documentation.
We have a password-protected pfx file, expiring in a few days, which we use to sign our exes.
We have renewed our SSL certificate from Symantec, but all we have received is a bunch of data:
Below is your Code Signing certificate:
-----BEGIN CERTIFICATE-----
base-64 encoded data
-----END CERTIFICATE-----
Below is the intermediate CA certificate:
-----BEGIN CERTIFICATE-----
base-64 encoded data
-----END CERTIFICATE-----
Below is your certificate in pkcs7 format:
-----BEGIN CERTIFICATE-----
base-64 encoded data
-----END CERTIFICATE-----
I have seen a few tutorials to create pfx files from .cer and .key files, but the fun part is, Symantec doesn't use the same terminology as the rest of the world. So I don't know which is which. And no single tutorial explains what should be in the files, so I can't go from there either. So, I don't know how to create the .key file, for instance.
Thanks!
It turns out that the main requirement is to install the certificate on a browser, from the computer that has made the request for a new certificate.
Then, most browsers (IE, FF, Chrome) can export it to PFX from the installed certificates list.
More info can be found here:
http://blog.ksoftware.net/2011/07/exporting-your-code-signing-certificate-to-a-pfx-file/
http://blog.ksoftware.net/2011/07/exporting-your-code-signing-certificate-to-a-pfx-file-from-firefox/
https://knowledge.verisign.com.sg/support/code-signing-support/index?page=content&id=AR190&actp=search&viewlocale=en_US&searchid=1360582675798
I'm using Amazon Load Balancer with SSL configuration. everything when fine except on Firefox that show the exception page. It looks not self to user.
This article suggest to put the Certificate Chain to the configuration section.
My SSL provider is Comodo (InstantSSL). They provide two files .crt and .ca-bundle only.
How can i generate the Certificate Chain?
You can cat the .crt and the .ca-bundle file together. That's what we wound up doing using a service called OpDemand, which is backed by AWS.
cat certfile.crt bundle.ca-bundle >> chain.crt
chain.crt should be the file you're looking for. Also, the order is important. The certificate.crt file has to be first.
Use Root.crt and Intermediate.crt content and arrange them in following order. you can create this file manually as well
-----BEGIN CERTIFICATE-----
<Root content>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Intermediate content>
-----END CERTIFICATE-----
More Information
Comodo should provide you with the Certificate Chain. This is not something that you can generate yourself. A quick google looks like you should be able to download it from here: https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1