Local Cluster SSL Certificate invalid trust - ssl-certificate

My local development (5 node) cluster have two stateless services installed. One .Net Core Web Gui service and one .Net Core WebAPI service.
Both are configured to use a https endpoint.
The certificates are self signed certificates and are added to both trusted root and personal (in both current user and localmachine).
I can access both endpoints using a local browser without getting any certificate errors. It says the connection is secure and the certificates are trusted.
So far so good.
But when my Web API services calls my Web Gui service, is says it cannot create a trusted connection.
Why can my local browser create a trusted connection but not the Service running in the local cluster?
Does a Node in a local cluster have it's own Certificate Store?

So it turns out that I missed adding the certificates to the machine root and that's what caused the problem.
For local SSL to work, I needed to to add the self signed certificates to:
localmachine/my
localmachine/root
This lets services call services from within the local cluster.
currentuser/my
currentyser/root
This lets my browsers call my services without ssl errors.
Hope this helps someone else :)

Related

HTTPS communication in ServiceFabric Local Cluster

Here's my setup
an IdentityServer 4 as a stateless reliable ASP.NET Core service.
a WebAPI as a reliable ASP.NET Core service.
using them with a JS client, it is now working with HTTP. The problem is with HTTPS. The WebAPI needs to request the openID config via htttps [is4URL].well-known/openid-configuration. I'm getting this error
System.InvalidOperationException: IDX10803: Unable to obtain
configuration from:
'https://localhost:9999/.well-known/openid-configuration'. --->
System.IO.IOException: IDX10804: Unable to retrieve document from:
'https://localhost:9999/.well-known/openid-configuration'. --->
System.Net.Http.HttpRequestException: An error occurred while sending
the request. ---> System.Net.WebException: The underlying connection
was closed: Could not establish trust relationship for the SSL/TLS
secure channel. --->
System.Security.Authentication.AuthenticationException: The remote
certificate is invalid according to the validation procedure.
can anybody help me to make this work in localhost with the SF Local Cluster Manager?
Thanks
Here's my two cents worth but it will need to be verified...
I am assuming that you have created a self-signed certificate using following article or similar but the certificate has same properties.
https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-configure-ssl-certificate
This means that the certificate can not be verified via actual CA. Ofcourse with self-signed certificate this is not possible.
Now when you upload the certificate to Azure App Service it installs in CurrentUser - MyStore. With self-signed certificate, it also needs to be installed in LocalMachine Root store.
This is becouse then the machine's Certificate Authority can verify that certificate to be valid. (May be a security expert can correct me if I am wrong but thats my theory). I have got same setup on my locally hosted windows server where the self-signed certificate is installed in Root Certificate Store as well as Personal store and the app works. This is the reason I belive this happens.
So this part which needs to be verified. Following is the article which shows you how you can do this in Azure App service.
https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-configure-ssl-certificate-portal
AGAIN THIS IS JUST A THEORY THIS NEEDS TO BE VERIFIED. :)
EDIT:
I have just tested this and it is the case. In cloud services you can do as shown in second link above and create Web Job which install certificate in appropriate store.
For Azure App Service unfortunaltly you dont have access to root store. It has to be install in CurrentUser's personal store. Which means the self signed certificate will not work, and you have to purchase a real certificate. :( I think this is a real thumb down to Microsoft. Why should I need to pay for real certificate for my dev/test environment? (Rant Over)
For Service Fabric you will need to find out how to install certificate in Root Store as well as personal store (if thats possible at all). Here's Links that might be useful
http://ronaldwildenberg.com/running-an-azure-service-fabric-cluster-locally-on-ssl/
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-security-update-certs-azure
Hope this helps.

Self signed client certificate does not reach server application

I have the following setup:
A self signed certificate for development purposes
An OWIN hosted Web API, deployed on a local Azure Service Fabric Cluster as a ASF service. The Web API uses HTTPS facilitated with the dev certificate in question.
A simple .net client application that calls the Web API. In that application the ServicePointManager.ServerCertificateValidationCallback method is set so it always returns true (since the CA is not trusted)
Both the client application and the Web API are on the same local development machine. The certificate is installed in that same machine on the "machine store"
Now I am able to make calls to the web api using Fiddler by providing the required client certificate. However when I try to do the same via .net code (be it RestSharp or WebRequest) the client certificate is not present in the RequestContext object on the server side. This result in an Unauthorized response. I do not think the problem is with the client code, the certificate is loaded correctly and assigned to the http client or request. Fiddler shows encrypted tunneling to the server. However the client certificate does not seem to be present at the server side.
I am at a complete loss regarding what am I missing that could cause this behavior. Any help will be deeply appreciated.
Install the certificate into the 'Local Machine/Trusted People'.
The server needs to already trust the certificate before it asks. The CertificateRequest message that it sends lists the acceptable CAs that can sign the client certificate. If the client certificate's signer isn't in that message, it can't send it.
How you accomplish that in your environment is left as an exercise for the reader. In general now that SSL certificates are available free there is little reason to indulge in the time costs and administrative inconveniences of self-signed certificates. IMHO there wasn't even if you were paying for a CA signature.
I had a problem when a service called another service over HTTPS and it couldn't setup a secure connection. My problem was that since the service is running as NETWORK SERVICE, it couldn't find the certificate, because it was looking in the localmachine/my certificate store.
When I was running from my web browser it was working fine because then, my browser found the certificate in the currectuser/my certificate store.
Add the certificate to the machine/my store and see if it helps.

How to keep the SSL server certificate for verification in Cloud Foundry/Heroku?

I am developing an app to run in Cloud Foundry.
The app makes constant connections to a web service using https protocol.
The web service uses a pair of self-signed certificate created by openssl.
As there is no DNS setup, I am using IP address as the Common Name(CN) in the ssl certificate.
However, the web service IP address varies from time to time. The ssl certificate has to be re-generated each time.
In order for the app to connect, it needs to trust the SSL certificate so I have been packaging the public key for the web service’s SSL cert as a file with my app.
The problem is that I have to re-upload the app to Cloud Foundry once the public key of the SSL cert changes.
Here are some possible solutions:
Register a host name in DNS. In that case, the certificate is only bound to host name. (Might not be possible cos of the budget. )
Create a private CA and issue certificates from the CA, then install the CA as the trusted CA on the client. It is feasible and a common way for internal services. However, what if the app is pushed to the CF? How can we configure the node for the certs?
Disable the SSL server authentication. Not sure whether it would put the app at risk if the authentication is skipped. For the time being, the app pulls data from the web service.
I've been thinking of keeping the public key in the database. In that case, I don't need to re-upload the app to make it take effect. But I am not sure whether it is a safe way.
Question
I am seeking for a common and safe way to keep the SSL server cert in a Cloud Foundry env. Are any of the above solutions viable? If not, is there any other CF preferred ways?
Thank you
This is a bit old, but in case this helps...
Did you try to generate your server SSL certificate with whatever hostname (even "localhost"). As you are uploading this certificate in your application (i.e. to "blindly" trust it), I think that it could work and this would avoid dependencies with your IP address.

WCF : Could not establish trust relationship for the SSL/TLS secure channel with authority error

I have a client site that when a button is clicked it calls a wcf web service. The client site is http, while the url for the web service is https and requires a certificate. I have a valid signed private key certificate I am using.
Everything works fine on my localhost; however, after deploying to a windows 2003 server running iis 6, I get the below error when the web service is called:
Could not establish trust relationship for the SSL/TLS secure channel
with authority "host's url"
I added the cert to the store, using same web.config that works locally. I have validated that the web service call finds and sets the valid X509Certificate.
Not sure what I am missing, and I don't want to override the servicepiont manager to return true every time.
Any ideas or things I might looks into?
Found the problem.
The root certificate which the host of the web service uses was not trusted by my server. (not sure why it was on my local machine and not my server). I found this out by opening the host's url in a web browser from the server to view their wsdl and got the security warning.
Remedy: went to the issuer's site downloaded their root cert and added to my trusted root certifcation authorities.
Bam, it works now.
If it is a private cert it must be added to both the client and the server as no client can validate its root key.

Mismatched SSL certificate in Azure Compute Emulator

I have Azure app containing 4 sites in a single web role (differentiated by host headers). I setup the sites to run over SSL. I issued 2 self signed certificates: 1 as CA installed into Trusted Root CAs store and 1 wildcard SSL certificate (issued using the first one).
The application runs, however I'm getting certificate error 'Mismatched address' in Azure Compute Emulator. I examined the mismatched certificate and found out it is not the one specified in service configuration. I went into IIS management console and checked the bindings - there was no cert set for my sites. So I setup the wildcard certificate manually in the site bindings. But in browser I still have mismatched certificate, still the one for 127.0.0.1 (comming with DevFabric). How can I make the IIS to return the correct certificate configured for the site?
(I have some services in the web sites consumed by Silverlight application and it does not work when there is forced manual confirmation of the certificate by user.)
Thanks!
Are you sure that you really access the service using https://127.0.0.1 and not using https://localhost?