How to add a certificate to a sub-sub-domain with Cloudflare? - ssl

I'm wondering how I could add a SSL Certificate to a sub-sub-domain on Cloudflare like for example maintenance.login.example.com I've already added the sub-sub-domain to my site but I keep getting this error This site can’t provide a secure connection maintenance.login.example.com sent an invalid response. Try running Windows Network Diagnostics. ERR_SSL_PROTOCOL_ERROR

Our default/free certificates—"Universal SSL"—cover the apex of your domain (example.com) and one level of wildcard (*.example.com).
If you'd like to cover additional levels beyond that, e.g., *.test.example.com or maintenance.login.example.com, you can either purchase a Dedicated Certificate with Custom Hostnames or you can upload a custom certificate to a Business plan or higher.
I wrote a blog post describing Dedicated Certificates here: https://blog.cloudflare.com/dedicated-ssl-certificates.

Related

APIM Consumption Tier, Custom Domain, Cloudflare & third level subdomain

I am working with Azure API Management Service, in the Consumption Tier, and I registered a "Custom domain" through a free account at Cloudflare, in cloudflare register the domain and configure full encryption.
Also add the domain as DNS to my API Management, as example CNAME "third.two.example.com".
Once this is done, create a source server certificate for the domain that I will use, it is a third level domain example "third.two.example.com" and then download the certificate and key (PEM and KEY).
Once this is done, because Azure when adding the certificate in API Management threw me the error "The content type needs to be application / x-pkcs12." I had to transform the certificate from PEM to PKCS12, I did it with the following script in OpenSSL on my computer.
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt
(I did not add any key).
Then I upload the certificate in an Azure Key Vault as a certificate which does not give me any problem.
Finally I add the domain "third.two.example.com" to my Azure API Management referencing as custom domains in API Management, referencing the certificate uploaded to Key Vault, the process runs correctly and everything is fine.
However, when entering this domain, the browser shows me the following error:
And when trying to call the API through Postman with SSL active:
I also get the following error:
You could tell me if I'm doing something wrong or I have everything wrongly configured, I really don't have much knowledge in digital certificates so I don't know if I should do something additional or the configuration I'm using is not correct, thanks in advance for your comments.
The certificate information through the browser is as follows:
in advance thanks for your help !, sorry for the blurr but some data is private and I can't show it.
UPDATE
I found on this site that i have to change the cloud to orange (Proxied) so i did it and it doesn't work.
Finally i tested the same steps with the domain "third-two.example.com" and it works with 0 problems (The only thing to keep in mind is that the proxy must be activated after adding the domain in APIM), is there something that i need to do or update to some tier on CloudFlare for make a multiple level ssl certificate?, on the creation page, it says that is allowed here:
UPDATE - 2021-09-02
Ok, for everyone that still having this issue, there's no way to do that without an edge certificate (The plan cost 10 USD).
Quote for the activation:
Create a certificate in the dashboard
To create a new advanced certificate in the dashboard:
Log into your Cloudflare account and select a domain.
Select SSL/TLS > Edge Certificates.
Select Order Advanced Certificate.
If Cloudflare does not have your billing information, you will need to enter that information.
Enter the following information:
Certificate Authority
Certificate Hostnames
Validation method
Certificate Validity Period
Select Save.
With all the steps done, you can now order an edge certificate that contains, all the hosts needed, for my example: main domain, the wildcard domain, and the three level subdomain:
example.com
*.example.com
third.two.example.com
You can add a total of 50 hostnames, so if you need additional hostnames you can add it here, the steps are the following:
Log into your Cloudflare account and select a domain.
Select SSL/TLS > Edge Certificates.
Select Order Advanced Certificate.
In the certificate hostnames, fill all the domains from before.
With this steps and all the steps from before done, your API Management will recognize the domain as secured and also the SSL Certificate as follows:
Finally, i know this is a very specific topic using Azure Functions on Azure API Management, with a custom domain in Cloudflare, but maybe it can be usefull for someone, but it's not free, its 10USD per month, so if you want to use third level domain, but i think this is the cheapest and secure way to do it.
I will close this question.
I edited the question to add the answer from the CloudFlare forum, and it works so i think i will close this question.

Getting 'SSL_ERROR_BAD_CERT_DOMAIN' error after deploying site using Surge to a custom domain

I'm using Surge.sh to deploy a simple react app to a custom domain i bought from GoDaddy.com.
I've followed the instructions regarding custom domains on their site and get a confirmation that my site was deployed successfully:
https://surge.sh/help/adding-a-custom-domain
On GoDaddy I've configured the CNAME and A types to point to Surge:
However when I open up the domain at https://codatheory.dev/ I receive an error message with error code: SSL_ERROR_BAD_CERT_DOMAIN
I'm quite new to hosting sites on custom domains, so I'm sure I've misunderstood something. The certificate registered on the site is provided by surge.sh.
What configuration steps can I take to resolve this issue? Do I need to create a new certificate to be signed by a CA in order to use this domain, or have I missed something in my deployment?
Thanks!
SSl with surge comes out of the box with *.surge.sh domains. For these domains you can force a redirect of http to https. However, for custom domains surge does not offer SSL as stated explicitly here and they mentioned that it is a feature of surge plus. To answer your Q, yes you could generate a certificate using some provider (e.g. https://letsencrypt.org/) and add it to surge but that would be within the frame of surge plus (not the free tier anymore).
I would try if I were you maybe s3 with cloudfront? it does not cost that much if the traffic is not that high.

How to implement a SSL Client Certificate on an Apache Server for a REST api?

Background:
Imagine a website, visible to the world, https://www.example.com, with a static IP address, 1.1.1.1. This site is hosted in an Apache server and it already possess an SSL Server Certificate.
On the other hand, inside a protected internal network, not visible to the world, a server (https://www.myinternalserver.com), with a static IP address (2.2.2.2), also running Apache, runs some internal web-based applications.
A static IP address (3.3.3.3), that maps to a subdomain (myapps) of the external site (https://myapps.example.com) serves as an entry point to the server where the internal web-based applications reside.
A firewall that protects the internal network does the redirect/proxying so all external traffic going to 3.3.3.3 is redirected internally to 2.2.2.2.
The firewall also limits all external traffic so any calls going to 3.3.3.3 must have been originated at 1.1.1.1, in essence, making the external website (https://www.example.com) the only authorized caller to the internal server (https://www.myinternalserver.com).
Scenario
With this infrastructure in place, I can make REST calls from the external website into the internal network and send back data to use in the pages. So, in this scenario, the external site is the client and the internal application, the server.
Question:
But beyond that, I want the server in the internal network to issue an "SSL Client Certificate" that would be "installed" (I don't know if this is the correct term), in the external website so all calls from the external site would have to be authenticated against this certificate.
How do I accomplish this?
Breaking the question:
I know that the question above is very broad, so let me try to break it into three (not so) "smaller" questions:
1 - How to I create the key/certificate? Using OPENSSL and some online recipes (this is one of them: http://www.impetus.us/~rjmooney/projects/misc/clientcertauth.html), I was able to generate the certificate file and learned (or so I believe) what I have to do with it and what to change in the httpd.conf file. In any case, I would like to feel more secure about what I have done so any suggestions/guidance here would be highly appreciated. For example, is the recipe I used any good?
2 - How to "install/transfer" this certificate to the external site? Do I simply copy/send one of the files created when generating the certificate? If so, which one? Where specifically does it go in the client server (external site)? Do they have to do anything at their end? If not, what is the process? I tried to contact the hosting company but I don't know if Icouldn't explain it to them or if they don't have experience with "SSL Client Certificate". All they told me is that there's already an SSL Certificate installed (SSL Server Certificate). They don't even seem to know what a "SSL Client Certificate" is.
3 - Once the certificate in place, what can I do to guarantee that ALL calls to the internal server, by default, come with the Certificate, without the need to code it into each API I create? I know very little about certificates so it might be possible that it happens "by default" always, but I read online about certificates that are "embedded" in the header of the API call, so I just want to be sure.
Thank you.
After some more research, this is what I found...
1 - How do I create the key/certificate?
I had to try other recipes and use a combination of them to get what I wanted. What I learned is that I have to create a certificate (CA Certificate) first, and generate the Server and Client certificates based on that first one. So look for recipes that encompass all three certificates: CA, Server, Client.
2 - How to install/transfer this certificate to the external site?
Actually you simply copy the necessary ones (client/CA) to a safe place in your share of the external site. A place outside the "www" tree.
3 - Once the certificate in place, what can I do to guarantee that ALL calls...
Well, here is what I did.
I "objectified my API call using php/libcURL and place it too, outside the "www" tree. For any developer in my site to use it, all they have to do is create an instance of the object and make the call by passing the URL as a parameter. In other words, you don't install the certificate. Instead, you make a call to the certificates each time you make a call to the internal server.
I hope it helps someone out there.

Azure app using custom domain with SSL certificate

Could someone explain the steps that one must do to show an Azure application (example.cloudapp.net) in a custom domain (service.example.com), when we want to use a secured connection? So the users browse to https://service.example.com, see it as a certified, trusted domain, and can safely access the application.
Right now, I think that
1) we need a domain (and subdomain) with a static IP from a service provider
2) we need a certificate from a CA for our domain
But I'm not quite sure how the connection between our domain and cloudapp.net should be made. I have found many examples and blog posts, but they tell either how to install a certificate to Azure application or how to show the application in custom domain (without the certificate).
This sounds like a basic requirement, so I'd expect a rather simple solution to exist.
Thanks!
Look at this blog entry
Custom Domain Names in Windows Azure
Basically you need to buy domain name and add some CNAME record in DNS table. The part remaining would be to buy appropriate SSL certificate for your site.
Here is a stop-gap for custom domains: http://www.bradygaster.com/running-ssl-with-windows-azure-web-sites
I do not believe that Azure currently supports using a certificate with a custom domain (see request for feature). In the meantime, you can use CORS.

Managing SSL certs for a multi-tenant website

We have a multi-tenant website where we use a wildcard SSL cert to give people a subdomain to our site. Some of our customers would like to use their own domain, but I'm concerned about how we would manage each customer's certificate as our business grows. Currently the certificate resides on the web server, which means loading all of the certs to each web server as we add them.
I'm aware we could introduce a dedicated SSL device in front of the web servers, but are there other options to improve the management of these certificates?
I'm a Microsoft Technical Evangelist and one of my partners had exactly the same challenge.
I have created a sample source code that automates and manages SSL certificates for multiple domain bindings using a new IIS 8 (Windows Server 2012) feature called SNI, which is a kind of SSL hostheaders.
All you will need to do is to reuse my code (it's quite simple) and upload your custom SSL certificates to the blob storage, or you can write your own provider to fetch custom domains and certificates from your database.
I have posted a detailed explanation and a sample "plug & play" source-code at:
http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/
You could make your clients deal with their own certificates and make them run there own https site. They can serve a page containing a single frame with your content (over https). The users will see their domain and their certificate and the browser will load the frame without complaining as long as the frame contents are also loaded over a valid https connection. I created a quick an dirty test page so you can see it in action.
This solution will 'break' the address bar as it will keep the url of the page containing the frame. Depending on the type of site you're running this might be a showstopper.