How can I renew certificate on a service fabric https endpoint after it expires?
I use port sharing for multi-domain support (WebListener) and netsh to bind cert to ip:port (I can't use manifest file to bind domain name, is not supported now).
But if I don't want to upload new package version (only for run SetupEntryPoint) is there a way to send a netsh command to VM Scale Sets?
If you want to run the same command, like netsh, on all the VMs in a scale set, a good way to do this is to use a custom script extension. You can add a custom script extension using the PowerShell cmdlet Add-AzureRmVmssExtension.
Related
I have one scenario where I am working on the IIS Website Configurations for URL Routing.
I have added the website and Import the required Certificates on the server.
My scenario is (I have multiple website URLs and two SSL Certs - as below):
qatest1.abc.com
qatest2.abc.com
qatest3.abc.com
Above 3 URLs need to be configured on one SSL Certificate - which is QA Certificate.
Another URL is:
perftest.abc.com
And for this URL there is a separate certificate as PERF (performance) certificate.
This is how the Task is given to me to configure the IIS Settings on MS IIS 10.
Now the Issues which I am facing is:
Not able to configure all the URLs configuration on the same IIS, as per the task given to me I am supposed to configure them all on the same IIS.
Getting a strange message (image attached) and it won't allow me to configure all my above website URLs on the same machine, on the same IIS.
Also trying to read about SNI (But Not sure about how to make use of SNI in this case).
Need help from IIS Experts who can support me on this activity to complete.
you could check the Server Name Identification by using this you can avoid the certificate prompt.
This feature offers an easier solution to hosting multiple sites that have a different or individual SSL on a single IP address.
Each HTTPS binding requires a unique IP/port combination because the Host Header cannot be used to differentiate sites using SSL.This is because the host header is not visible during the SSL handshake.
Server Name Indication (SNI) allows the server to safely host multiple TLS Certificates for multiple sites, all under a single IP address.
#1 - its possible via CLI commands (appcmd & netsh) or scripting (PowerShell) and programming (c#) but not with the IIS Manager GUI afaik.
#2 - (see #1). IIS Manager is stupid and will overwrite existing bindings with the last certificate selected. You end up with bindings attached to the wrong certificate if you click Yes. This is a limitation of IIS Manager GUI not IIS.
#3 - You want SNI turned on. It means you can have multiple certificates associated with the same IP address. Without SNI you would need 1 IP address per certificate
These 2 links will give you an idea how to use appcmd and netsh - this is the quickest/easiest way to create your desired configuration.
Adding a HTTPS binding to a site
Binding a certificate with netsh
If you know PowerShell("POSH") you can use the IISAdministration PowerShell cmdlet New-IISSiteBinding to create bindings and associate with a certificates thumbprint (though netsh is still useful for debugging and fixing issues).
Either approach your really configuring 2 things - IIS' bindings and Windows/SChannel/HTTPS.sys (the operating system component actually responsible for the 'S' in 'HTTPS'). Sometimes they get out of sync and the easiest fix is to delete and re-create the bindings (after clicking yes to "At least one other site is using the same HTTPS binding..." for example).
Few tips:
Once you start using this configuration IIS Manager or Windows Update/software installs will probably break your bindings at some point. Write a script that can remove and re-create all your bindings for port 443(only!) so you can easily fix future issues.
If you use netsh - its very fussy about the syntax. Order and spacing of parameters are important when using command netsh http add sslcert.
While your testing netsh http show sslcert and netsh http delete sslcert are very useful to try different configurations (this wont delete the cert, just the binding)
Cert needs to be in the Machine certificate store and make a note of the path. When using POSH or netsh always specify both certificate thumbprint and the store\path where the cert was installed.
If you need a default HTTPS binding on the IIS Site (eg load balancer healthchecks etc) add it before any named HTTPS bindings.
Final aside - if your domains are all 1 level under abc.com getting a wildcard certificate would save you a lot of bother. a single *.abc.com certificate would cover all your domains and you can avoid this limitation entirely.
Good luck!
Some background... I'm trying to run a nifi registry on ECS. I'm using the apache/nifi-registry:latest container image.
I'm unable to set this up via TLS (without baking my cert details into my dockerfile which is a security nightmare). Is there another way to still be able to use the registry with users/etc and NOT need to be running on HTTPS ports?
I'd prefer to run this container on port 18080 still, but it appears when doing so I'm unable to login/really do anything with nifi reg?
I've connected my Lita bot to a Diaglogflow agent via the lita-api-ai plugin and (currently) a Firebase-enabled fulfillment script edited inline on the Dialogflow site.
I'd like to convert that webhook into ruby and host it as a handler in Lita itself, but Dialogflow requires SSL on the webhook endpoint.
I'm using the standard docker setup for Lita on CoreOS, and I'd like to use a Let's Encrypt cert. How can I do this? I'm not experienced with the innards of Docker or a ruby app like Lita (as opposed to a full-blown nginx/Apache setup) -- can I put something around Docker to handle the SSL? Do I need to modify the Docker image itself?
The best way to go about this is to install a web server (nginx, caddy, etc.) to handle SSL termination. It should then proxy requests to the Docker instance. You can use nginx-proxy with the LetsEncrypt companion as the basic setup, although you'll need to alter the Lita systemd script to include config and environment variables (e.g., VIRTUAL_HOST, expose).
nginx-proxy listens for container changes to dynamically update its proxying, but I created systemd services for both nginx-proxy and the LetsEncrypt companion so that they would start on boot.
I am dabbling with WCF and SSL and have hit a bit of a problem.
I have a self-hosted WCF service and a basic client which connects to request a token.
I have it set up on my development machine it appears to communicating over SSL just fine.
But when I set it up on a different machine to test the deployment the client keeps getting nothing back from the service.
I assume it has something to do with the certificates I have set up as this is the only thing I think could be different.
I have used the netsh command to associate my port with an existing certificate that was already on the server. And it appears the same as my dev machine (where I created the certificate with makecert manually.
I initially tried to follow the same steps on the deployment server but failed as there was already a certificate with a common name of the server, so eve though the certificate generated when ever I tried to use the cert hash thumbprint of the newly generated certificate I was being given the :
SSL Certificate add failed, Error: 1312
A specified logon session does not exist...
The only way I could get the netsh http add to work was by specifying the cert hash of the existing certificate.
Is this my problem or a red herring? How do you debug issues like this?
Personally I just configure WCF tracing. It usually provides more user friendly info about a problem. Here's a how to link Configuring Tracing
Hope it helps!
I'm trying to connect to my Meteor project via SSL/TLS.
Therefore I did the following:
meteor add force-ssl
in the meteor folder.
Then I start the programm with 'meteor'.
Everything is running fine on localhost, but if I want to connect to the server with giving the IP and Port over http, I get redirected to a https connection with the same IP and an 'Unable to connect message'.
Note: I created a certificate on my own an put it into the Meteor/server folder.
Does anyone know my mistake?
If you need to enable SSL support for your Meteor app deployed with Meteor Up. Now it has the support for SSL. You just need to tell where the SSL certificate and the key are.
If you are not familiar with the process of generating a SSL certificate, follow this guide.
Disclaimer: I'm the author of Meteor Up.
You can't just put the certificate inside Meteor/server folder. You will need a web server to proxy the request and configure that server with your certificate (Docs also say that, search for force-ssl: http://docs.meteor.com/)
I recommend you to put an nginx instance as the proxy. Here an example of how to do it: http://www.digicert.com/ssl-certificate-installation-nginx.htm