Custom SSL Certificate Upload fails - ssl

I own a custom domain. (i.e. domain.com) and have been routing the traffic to my Bluemix (Java Liberty) application just fine for the last year. (By adding the domain to the "Manage Domains" screen on the console.)
I've been trying to upload a SSL Certificate I purchased from Namecheap (RapidSSL) for this domain, to the console, but keep getting this error:
BXNUI0060E: A certificate for the 'domain.com' domain wasn't uploaded because a problem occurred contacting IBM DataPower Gateway.
I use the (.crt) certificate and (.pem) private key with password. I enter both those and the password in the appropriate fields and click 'Upload', but this appears after a minute. Also, I have tried with and without the intermediate (.crt) certificate, but still get the same error.
This error has been consistent for the last month. So I don't think its anything to do with my connection. Is there something I'm doing wrong? Thanks for any and all help!

Two possible causes of this error would be a temporary service outage at Bluemix or a software mismatch due to a Bluemix service upgrade. You can check for outages and upgrade notices on the Bluemix status page. You can also find information about upgrades on the IBM Bluemix blog.

Related

HTTPS communication in ServiceFabric Local Cluster

Here's my setup
an IdentityServer 4 as a stateless reliable ASP.NET Core service.
a WebAPI as a reliable ASP.NET Core service.
using them with a JS client, it is now working with HTTP. The problem is with HTTPS. The WebAPI needs to request the openID config via htttps [is4URL].well-known/openid-configuration. I'm getting this error
System.InvalidOperationException: IDX10803: Unable to obtain
configuration from:
'https://localhost:9999/.well-known/openid-configuration'. --->
System.IO.IOException: IDX10804: Unable to retrieve document from:
'https://localhost:9999/.well-known/openid-configuration'. --->
System.Net.Http.HttpRequestException: An error occurred while sending
the request. ---> System.Net.WebException: The underlying connection
was closed: Could not establish trust relationship for the SSL/TLS
secure channel. --->
System.Security.Authentication.AuthenticationException: The remote
certificate is invalid according to the validation procedure.
can anybody help me to make this work in localhost with the SF Local Cluster Manager?
Thanks
Here's my two cents worth but it will need to be verified...
I am assuming that you have created a self-signed certificate using following article or similar but the certificate has same properties.
https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-configure-ssl-certificate
This means that the certificate can not be verified via actual CA. Ofcourse with self-signed certificate this is not possible.
Now when you upload the certificate to Azure App Service it installs in CurrentUser - MyStore. With self-signed certificate, it also needs to be installed in LocalMachine Root store.
This is becouse then the machine's Certificate Authority can verify that certificate to be valid. (May be a security expert can correct me if I am wrong but thats my theory). I have got same setup on my locally hosted windows server where the self-signed certificate is installed in Root Certificate Store as well as Personal store and the app works. This is the reason I belive this happens.
So this part which needs to be verified. Following is the article which shows you how you can do this in Azure App service.
https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-configure-ssl-certificate-portal
AGAIN THIS IS JUST A THEORY THIS NEEDS TO BE VERIFIED. :)
EDIT:
I have just tested this and it is the case. In cloud services you can do as shown in second link above and create Web Job which install certificate in appropriate store.
For Azure App Service unfortunaltly you dont have access to root store. It has to be install in CurrentUser's personal store. Which means the self signed certificate will not work, and you have to purchase a real certificate. :( I think this is a real thumb down to Microsoft. Why should I need to pay for real certificate for my dev/test environment? (Rant Over)
For Service Fabric you will need to find out how to install certificate in Root Store as well as personal store (if thats possible at all). Here's Links that might be useful
http://ronaldwildenberg.com/running-an-azure-service-fabric-cluster-locally-on-ssl/
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-security-update-certs-azure
Hope this helps.

Attempting to receiving SMS from Twilio, twilio is getting SSL/TLS handshake error

I have implemented a servlet to receive sms messages from Twilio; when someone replies to my twilio number. I have configured the server in twilio but I am getting ERROR 11220.
The servelet is in a AWS ec2 instance and is accessible via browser, JMeter. SSL Labs gave the servelet URL A+ rating. Not sure how come twilio can't reach it. I'm at a loss. Any tips on anything I can try would be greatly appreciated. Thanks.
TL/DR: Install (or have your server management company install) the full certificate chain that you got when you purchased the cert for your domain.
We ran into a similar issue with Twilio while using their faxing service; it gave the same error on callbacks.
More specifically, their event console (https://www.twilio.com/console/debugger) shows:
11200 - HTTP retrieval failure. In the details section it shows:
ErrorMessage: "Failed to fetch fax media from URL ... (Got status 502 trying to download media)"
Twilio_was_unable_to_fetch_content_from: ...
Error: _Connection_reset_by_peer_over_TLS, _assuming_that_this_is_a_handshake_failure
... SSL_Version:_TLSv1_2 URL_Fragment:_true
Twilio likely uses a Java library which, by default, has a set of certificates independent from the operating system's set of certificates.
All major browsers use their operating system's certificates, which is why you can see that the cert is valid in your browser. Services like SSL Labs that properly handle certs can also validate it.
Twilio could fix this by using their operating system's certificates or by keeping their certs up-to-date. Until such a time...
You have to work around the issue by installing the full certificate chain so that they can validate it. When you purchase a cert for your domain, they generally send the plain cert, as well as a full certificate chain bundle with all of the intermediate certificates. Installing the full chain should fix the issue.

How to add a certificate to a sub-sub-domain with Cloudflare?

I'm wondering how I could add a SSL Certificate to a sub-sub-domain on Cloudflare like for example maintenance.login.example.com I've already added the sub-sub-domain to my site but I keep getting this error This site can’t provide a secure connection maintenance.login.example.com sent an invalid response. Try running Windows Network Diagnostics. ERR_SSL_PROTOCOL_ERROR
Our default/free certificates—"Universal SSL"—cover the apex of your domain (example.com) and one level of wildcard (*.example.com).
If you'd like to cover additional levels beyond that, e.g., *.test.example.com or maintenance.login.example.com, you can either purchase a Dedicated Certificate with Custom Hostnames or you can upload a custom certificate to a Business plan or higher.
I wrote a blog post describing Dedicated Certificates here: https://blog.cloudflare.com/dedicated-ssl-certificates.

Ask for client certificate IIS7.5 when accessing certain folders

We've an ASP.NET MVC4 app where there is a part which should be secured through client certificates.
When anyone wants to connect to this part of the app, browsers should ask them for a client certificate, once they select it, our server will get it, check it's validity and show the content.
Ok, I'm getting trouble with the select certificate part. Before setting it just to one folder on views content, I'm trying to configure this on the global app.
I've set SSL to be required, and also set require client certificates on SSL Configuration on apps configuration on IIS.
I've enabled the iisClientCertificateMappingAuthentication (although I've set no mapping yet)
When I try to access the app both, Firefox and Chrome, return a 403 forbidden error, stating that I have no access to the app with the credentials provided.
I've a client certificate installed on my local machine and the CA who created this certificate as a trusted root certificate on server local machine.
I'm not being prompted for certificate.
If I uncheck the "require" from client certificates on SSL Settings, I can access the app through https.
This is the first time I work with client certificates, so it's being a bit confusing and maybe I'm not giving enough info. Feel fre to ask for further info on the comments.
EDIT: I've exported the client certificate, copied it to the server and checked it there. The certificate shows as valid and every element in the certification chain seems to be recognized in the server.
I've checked IIS logs also, and the error I'm getting is 403.7, so the certificate is not being issued to the server or it's invalid.
Now... I've checked that the certificate is valid on the server, it's correctly installed on the client but it's not getting to the server or is not beign validated there... what am I missing here?
Ok, finally I've found the problem, it's related to the buffer size reserved for the list of trusted certification authorities.
Check this kb article:
https://support.microsoft.com/en-us/kb/933430
TL DR; To solve the problem just add a new entry in the registry at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
named SendTrustedIssuerList as a DWORD value with value 0.
This way, the server won't send the trusted certification authorities list, so browsers will display the complete list of certificates to the user.

APEX Migration to Weblogic now throws certificate error

Ever since moving an internal apex website from the embedded PL/SQL gateway to a weblogic server browsers throw certificate errors.
How can i get rid of these errors/fix the certificates?
Internet Explorer:
The security certificate presented by this website was not issued by
a trusted certificate authority. Security certificate problems may
indicate an attempt to fool you or intercept any data you send to the server
Chrome:
You attempted to reach sy02131.adt.com, but the server presented a
certificate issued by an entity that is not trusted by your computer's
operating system. This may mean that the server has generated its own
security credentials, which Google Chrome cannot rely on for identity
information, or an attacker may be trying to intercept your communications.
Out of the box, the embedded SQL gateway (EPG) uses no SSL. It looks like your Weblogic instance did or even requires SSL. It's probably using a set of starter keys that you're meant to replace. At any rate, your browser is causing this problem, not the server. You should be able to bypass this as a warning in the browser or add an exception. If you want this error to go away in production, get some proper SSL keys from a certificate authority.
Here is how to configure them once you get them:
http://docs.oracle.com/cd/E12840_01/wls/docs103/secmanage/ssl.html