Heroku SSL: install intermediate cert?

My registrar, gandi, gave me an intermediate cert to install, so I have 3 files:
Private key file (server.key)
Certificate file (mycert.crt)
Intermediate cert (GandiSomething.pem)
I'm using the SSL Beta service on Heroku. The Heroku CLI command heroku _certs:add takes exactly two arguments, CRT and KEY. How do I install the intermediate cert?

Paul is right, you can combine certificates:
cat ssl.crt middle.crt root.crt > all.crt
Make sure there are newlines at the end of the cert files!
And upload it to Heroku (use add if you don't have SSL Endpoint yet):
heroku certs:update --app $YOUR_APP --confirm $YOUR_APP all.crt private.key
But there are some tricks you shouldn't forget:
Update your DNS CNAME record. Change the target from <app>.herokuapp.com to secure <domain>.herokudns.com (be careful, if you have a *.your.domain record it can catch requests and forward them to another server)
Check the cert chain works right: SSL Checker
Flush local DNS: Flush DNS tips (antivirus can also patch and cache your connections)
Restart your browser (to flush browser's cache too)
Check your app with browser by https:// connection

The solution here is to combine the intermediate cert and the generated cert into one file, as described here. Because that link is shady, here's how the cert file should look once combined:
-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
wfsm5p9GJKaxB825DOgNghYAHZaS/KYIoA==
-----END CERTIFICATE-----
Then, this command will work:
heroku _certs:add --app name-of-my-app file-with-combined-certs.crt myserver.key

Just pass it in as an argument. Put the intermediate in the middle, it takes it as another argument. Then check heroku certs and report back if it doesn't work.

Related

Mandrill webhooks, SSL certificate verify failed, verify that the CA cert is OK

I've been getting this error for a long while:
POST to https://www.xxxxxx.com/hook/mandrill/quotations/opened failed: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I got my certificates renewed by Comodo recently, and ever since I've been getting these errors.
It still seems to work though, but I'm worried some of the webhooks might not get through.
Is anyone getting these errors as well? Might it be a problem on their side? Because I have checked my website on https://www.sslshopper.com/ssl-checker.html and it seems to be perfectly fine.
Also I'm hosting my website on Amazon
Thanks
This is an issue with your installed SSL certificate. You most likely did not combine the .crt file and the .ca-bundle file they provided to you and only installed the .crt file. Comodo provides the following two files in the zip package they make available to you:
_yourdomain_com.crt
_yourdomain_com.ca-bundle
The .ca-bundle includes all your intermediate certificates. You need to combine the contents of the two above files together. Your output .crt file would look something like:
-----BEGIN CERTIFICATE-----
contents of original crt file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
contents of 1st cert in ca-bundle file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
contents of 2nd cert in ca-bundle file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
etc...
-----END CERTIFICATE-----
You must list the original certificate as the first certificate in the output file. Then comes the intermediate certificates in your bundle.
Replace the .crt file that your server is pointing to with the above output .crt file. No need to change any of the web server configurations for either Apache or Nginx - both support bundled certificates. Make sure to restart your web server once the changes are made.
Before you make any of the above changes, you can actually see whether or not the missing .ca-bundle is causing your error by running an SSL test against your domain. In the results section after the test finishes, look for Additional Certificates. The results will state that you are missing certificates if you do not have the appropriate intermediate certificates in your .crt file.

Why is HAProxy unable to load certificates generated by letsencrypt?

HAProxy is unable to load .pem files generated by letsencrypt, why is this?
The error I'm seeing is:
parsing [/haproxy.cfg:37] : 'bind :443' : unable to load SSL private key from PEM file '/certs/cert0.pem'.
The contents of the PEM file is:
-----BEGIN CERTIFICATE-----
...==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEqDCCA5CgAwIBAgIRAJgT9HUT5XULQ+dDHpceRL0wDQYJKoZIhvcNAQELBQAw
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzAeFw0xNTEwMTkyMjMzMzZaFw0yMDEwMTkyMjMzMzZa
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAJzTDPBa5S5Ht3JdN4OzaGMw6tc1Jhkl4b2+NfFwki+3uEtB
BaupnjUIWOyxKsRohwuj43Xk5vOnYnG6eYFgH9eRmp/z0HhncchpDpWRz/7mmelg
PEjMfspNdxIknUcbWuu57B43ABycrHunBerOSuu9QeU2mLnL/W08lmjfIypCkAyG
dGfIf6WauFJhFBM/ZemCh8vb+g5W9oaJ84U/l4avsNwa72sNlRZ9xCugZbKZBDZ1
gGusSvMbkEl4L6KWTyogJSkExnTA0DHNjzE4lRa6qDO4Q/GxH8Mwf6J5MRM9LTb4
4/zyM2q5OTHFr8SNDR1kFjOq+oQpttQLwNh9w5MCAwEAAaOCAZIwggGOMBIGA1Ud
EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMH8GCCsGAQUFBwEBBHMwcTAy
BggrBgEFBQcwAYYmaHR0cDovL2lzcmcudHJ1c3RpZC5vY3NwLmlkZW50cnVzdC5j
b20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9hcHBzLmlkZW50cnVzdC5jb20vcm9vdHMv
ZHN0cm9vdGNheDMucDdjMB8GA1UdIwQYMBaAFMSnsaR7LHH62+FLkHX/xBVghYkQ
MFQGA1UdIARNMEswCAYGZ4EMAQIBMD8GCysGAQQBgt8TAQEBMDAwLgYIKwYBBQUH
AgEWImh0dHA6Ly9jcHMucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcwPAYDVR0fBDUw
MzAxoC+gLYYraHR0cDovL2NybC5pZGVudHJ1c3QuY29tL0RTVFJPT1RDQVgzQ1JM
LmNybDATBgNVHR4EDDAKoQgwBoIELm1pbDAdBgNVHQ4EFgQUqEpqYwR93brm0Tm3
pkVl7/Oo7KEwDQYJKoZIhvcNAQELBQADggEBANHIIkus7+MJiZZQsY14cCoBG1hd
v0J20/FyWo5ppnfjL78S2k4s2GLRJ7iD9ZDKErndvbNFGcsW+9kKK/TnY21hp4Dd
ITv8S9ZYQ7oaoqs7HwhEMY9sibED4aXw09xrJZTC9zK1uIfW6t5dHQjuOWv+HHoW
ZnupyxpsEUlEaFb+/SCI4KCSBdAsYxAcsHYI5xxEI4LutHp6s3OT2FuO90WfdsIk
6q78OMSdn875bNjdBYAqxUp2/LEIHfDBkLoQz0hFJmwAbYahqKaLn73PAAm1X2kj
f1w8DdnkabOLGeOVcj9LQ+s67vBykx4anTjURkbqZslUEUsn2k5xeua2zUk=
-----END CERTIFICATE-----
The problem is that I was using the fullchain.pem file generated by letsencrypt. Instead, one should concatenate it together with 'privkey.pem' (also generated by letsencrypt) into a single .pem file.
I could only fix this by using cert.pem instead of fullchain.pem when concatenating.
cat cert.pem key.pem > haproxy_cert.pem
Taken from https://www.haproxy.com/blog/haproxy-ssl-termination/:
frontend www.mysite.com
bind 10.0.0.3:80
bind 10.0.0.3:443 ssl crt /etc/ssl/certs/mysite.pem
default_backend web_servers
The ssl parameter enables SSL termination for this listener. The crt parameter identifies the location of the PEM-formatted SSL certificate.
This certificate should contain both the public certificate and private key.
To be honest, according to my experience deploying HA Proxy with TLS/SSL end-to-end with a minimum of 2 nodes as backend servers, this statement is somewhat true. In fact, HA Proxy requires fullchain.pem (instead of cert.pem) + privkey.pem as a single file. Not using fullchain.pem will lead to messages on Systemd like unable to load cert or things like that.
In a nutshell, you shall do:
$ cat fullchain.pem privkey.pem > /etc/haproxy/mydomain_certs/mydomain.pem
And not:
$ cat cert.pem privkey.pem > /etc/haproxy/mydomain_certs/mydomain.pem
This article has a valuable example.
Just adding the issue that I encountered. The cat command concatenated the files without a newline between them. I manually inserted a new line (using vim) and it worked.
Also in my case I got three files from the registrar: crt, ca-bundle, and p7b. I just want to add that all I needed was the private key file and the crt file (so ca-bundle and p7b were not used).
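The newline warning in the Heroku answer at the top of this page and the comment just above about cat running two files together come down to the same thing: a PEM bundle only works when every -----END marker is followed by a line break, and the consumer gets its blocks in the order it expects. The following is an added example (my own code, not from any of the posts; Python standard library only) that joins PEM files with normalised newlines and lints the result for fused markers and block order, so the same check covers the HAProxy certificate-plus-key file and an nginx certificate-only file. LEAF, INTERMEDIATE and KEY are constructed placeholders, not real certificates or key material, and all function names are mine.

```python
"""Concatenate PEM files the way the answers on this page describe
(cat cert intermediate key > bundle) and lint the result for the two
mistakes the posts report: END/BEGIN markers fused because a file lacked
its trailing newline, and blocks in the wrong order.
Added example, not code from any of the posts; standard library only."""
import re

# One PEM block: label and base64 body; DOTALL lets the body span lines.
_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
# `cat a b` with no newline at the end of `a` yields
# "...-----END X----------BEGIN Y-----" on one line.
_FUSED = re.compile(r"-----END [A-Z0-9 ]+----------BEGIN ")


def combine_pem(parts):
    """Join PEM texts (file contents, in the order wanted in the bundle)
    so every part ends with exactly one newline, whatever the files had."""
    return "".join(p.strip() + "\n" for p in parts if p.strip())


def lint_bundle(text, expect_key):
    """Return a list of problems; an empty list means the bundle looks right.

    expect_key=True  : HAProxy style, certificate chain followed by the key.
    expect_key=False : nginx ssl_certificate style, certificates only
                       (the key is given separately via ssl_certificate_key)."""
    problems = []
    if _FUSED.search(text):
        problems.append("fused END/BEGIN markers: a file lacked its trailing newline")
    labels = [m.group(1) for m in _BLOCK.finditer(text)]
    if text.count("-----BEGIN ") != len(labels):
        problems.append("unbalanced BEGIN/END markers")
    keys = [i for i, label in enumerate(labels) if label.endswith("PRIVATE KEY")]
    unknown = [l for l in labels if l != "CERTIFICATE" and not l.endswith("PRIVATE KEY")]
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    if unknown:
        problems.append("unexpected block type(s): " + ", ".join(sorted(set(unknown))))
    if expect_key:
        if len(keys) != 1:
            problems.append("expected exactly one private key block, found %d" % len(keys))
        elif keys[0] != len(labels) - 1:
            problems.append("private key must be the last block, after the certificate chain")
    elif keys:
        problems.append("private key found in a certificate-only bundle")
    return problems


# Constructed stand-ins for the three files (placeholder bodies, not real
# certificates or keys).  LEAF deliberately has no trailing newline, which
# is the situation the comment above describes.
LEAF = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQgbGVhZg==\n-----END CERTIFICATE-----"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQgaW50ZXI=\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nY29uc3RydWN0ZWQga2V5\n-----END RSA PRIVATE KEY-----\n"


def demo():
    """Lint what plain `cat` produces for the files above, then the fixed join."""
    naive = LEAF + INTERMEDIATE + KEY
    fixed = combine_pem([LEAF, INTERMEDIATE, KEY])
    return lint_bundle(naive, True), lint_bundle(fixed, True)


if __name__ == "__main__":
    for name, probs in zip(("naive cat", "combine_pem"), demo()):
        print(name, "->", probs or "OK")
```

Running the script reports the fused marker for the naive concatenation and nothing for the normalised one; pass expect_key=False when linting a file meant for nginx's ssl_certificate, where a key block would be a mistake.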

Nginx install intermediate certificate

I'm trying to install an intermediate certificate on Nginx ( laravel forge ).
Right now the certificate is properly installed, just the intermediate that is missing.
I've seen that I need to concatenate the current certificate with the intermediate. What is the best/safest way to add the intermediate certificate?
Also, if the install of the intermediate fails, can I just roll back to the previous certificate and reboot nginx? (The website is live, so I can't have too long a downtime.)
Nginx expects all the certificates for a server section in one file that you refer to with ssl_certificate. Just put all the vendor's intermediate certificates and your domain's certificate in a file. It'll look like this.
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
To make sure everything is okay and to avoid downtime, I would suggest you set up Nginx locally, add 127.0.0.1 yourdomain.com to /etc/hosts, and try opening it from the major browsers. When you've verified that everything is correct you can replicate it to the production server.
When you're done, it is a good idea to use some SSL checker tool to verify (e.g. this one). Because pre-installed CA certificates may vary depending on browser and platform, you can easily overlook a misconfiguration checking from one OS or a limited set of browsers.
Edit
As #Martin pointed out, the order of certificates in the file is important.
RFC 4346 for TLS 1.1 states:
This is a sequence (chain) of X.509v3 certificates. The sender's
certificate must come first in the list. Each following
certificate must directly certify the one preceding it.
Thus the order is:
1. Your domain's certificate
2. Vendor's intermediate certificate that certifies (1)
3. Vendor's intermediate certificate that certifies (2)
...
n. Vendor's root certificate that certifies (n-1). Optional, because it should be contained in client's CA store.
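A way to check the ordering rule in this edit before reloading nginx, as an added example (my own code, not the answerer's; Python standard library only): it walks the DER of each certificate in a PEM bundle, pulls out the issuer and subject Names, and flags any certificate whose issuer does not match the subject of the certificate that follows it. The sample input is the Let's Encrypt Authority X1 intermediate reproduced in the HAProxy question above; the function names are mine. It compares Names only and does not verify signatures, so it catches ordering mistakes, not a forged chain.

```python
"""Check a PEM bundle against the RFC 4346 rule quoted above: each certificate
must directly certify the one preceding it, i.e. cert[i].issuer == cert[i+1].subject.
Added example, standard library only; compares DER Names byte for byte and
does NOT verify signatures."""
import base64
import re

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

# Sample input: the Let's Encrypt Authority X1 intermediate shown in the
# HAProxy question on this page (subject CN "Let's Encrypt Authority X1",
# issuer CN "DST Root CA X3").
LE_X1_PEM = """-----BEGIN CERTIFICATE-----
MIIEqDCCA5CgAwIBAgIRAJgT9HUT5XULQ+dDHpceRL0wDQYJKoZIhvcNAQELBQAw
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzAeFw0xNTEwMTkyMjMzMzZaFw0yMDEwMTkyMjMzMzZa
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAJzTDPBa5S5Ht3JdN4OzaGMw6tc1Jhkl4b2+NfFwki+3uEtB
BaupnjUIWOyxKsRohwuj43Xk5vOnYnG6eYFgH9eRmp/z0HhncchpDpWRz/7mmelg
PEjMfspNdxIknUcbWuu57B43ABycrHunBerOSuu9QeU2mLnL/W08lmjfIypCkAyG
dGfIf6WauFJhFBM/ZemCh8vb+g5W9oaJ84U/l4avsNwa72sNlRZ9xCugZbKZBDZ1
gGusSvMbkEl4L6KWTyogJSkExnTA0DHNjzE4lRa6qDO4Q/GxH8Mwf6J5MRM9LTb4
4/zyM2q5OTHFr8SNDR1kFjOq+oQpttQLwNh9w5MCAwEAAaOCAZIwggGOMBIGA1Ud
EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMH8GCCsGAQUFBwEBBHMwcTAy
BggrBgEFBQcwAYYmaHR0cDovL2lzcmcudHJ1c3RpZC5vY3NwLmlkZW50cnVzdC5j
b20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9hcHBzLmlkZW50cnVzdC5jb20vcm9vdHMv
ZHN0cm9vdGNheDMucDdjMB8GA1UdIwQYMBaAFMSnsaR7LHH62+FLkHX/xBVghYkQ
MFQGA1UdIARNMEswCAYGZ4EMAQIBMD8GCysGAQQBgt8TAQEBMDAwLgYIKwYBBQUH
AgEWImh0dHA6Ly9jcHMucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcwPAYDVR0fBDUw
MzAxoC+gLYYraHR0cDovL2NybC5pZGVudHJ1c3QuY29tL0RTVFJPT1RDQVgzQ1JM
LmNybDATBgNVHR4EDDAKoQgwBoIELm1pbDAdBgNVHQ4EFgQUqEpqYwR93brm0Tm3
pkVl7/Oo7KEwDQYJKoZIhvcNAQELBQADggEBANHIIkus7+MJiZZQsY14cCoBG1hd
v0J20/FyWo5ppnfjL78S2k4s2GLRJ7iD9ZDKErndvbNFGcsW+9kKK/TnY21hp4Dd
ITv8S9ZYQ7oaoqs7HwhEMY9sibED4aXw09xrJZTC9zK1uIfW6t5dHQjuOWv+HHoW
ZnupyxpsEUlEaFb+/SCI4KCSBdAsYxAcsHYI5xxEI4LutHp6s3OT2FuO90WfdsIk
6q78OMSdn875bNjdBYAqxUp2/LEIHfDBkLoQz0hFJmwAbYahqKaLn73PAAm1X2kj
f1w8DdnkabOLGeOVcj9LQ+s67vBykx4anTjURkbqZslUEUsn2k5xeua2zUk=
-----END CERTIFICATE-----
"""


def pem_to_der(text):
    """DER bytes of every CERTIFICATE block in `text`, in file order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in _PEM_CERT.finditer(text)]


def _tlv(buf, pos):
    """Read one DER tag-length-value at `pos`; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Element TLVs (tag, value, raw) of a SEQUENCE or SET body."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, end = _tlv(content, pos)
        out.append((tag, value, content[pos:end]))
        pos = end
    return out


def issuer_subject(der):
    """Raw DER of the issuer and subject Names from tbsCertificate."""
    _, cert, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                 # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, end = _tlv(tbs, 0)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        pos = end
    fields = []
    for _ in range(5):                        # serialNumber, signature, issuer, validity, subject
        _, _, end = _tlv(tbs, pos)
        fields.append(tbs[pos:end])
        pos = end
    return fields[2], fields[4]


def common_name(name_der):
    """commonName (OID 2.5.4.3) from a DER Name, for readable output."""
    _, rdns, _ = _tlv(name_der, 0)
    for _, rdn, _ in _children(rdns):         # RDNSequence -> SET OF AttributeTypeAndValue
        for _, attr, _ in _children(rdn):
            oid, value = _children(attr)[:2]
            if oid[1] == b"\x55\x04\x03":
                return value[1].decode("utf-8", "replace")
    return "<no CN>"


def check_chain_order(pem_text):
    """One (subject_cn, issuer_cn, ok) row per certificate.  ok is True when the
    next certificate's subject equals this one's issuer; the last certificate is
    always ok, since its issuer may be a root held only in the client's store."""
    certs = [issuer_subject(d) for d in pem_to_der(pem_text)]
    rows = []
    for i, (issuer, subject) in enumerate(certs):
        ok = i == len(certs) - 1 or certs[i + 1][1] == issuer
        rows.append((common_name(subject), common_name(issuer), ok))
    return rows


def chain_is_ordered(pem_text):
    return all(ok for _, _, ok in check_chain_order(pem_text))


if __name__ == "__main__":
    for subject, issuer, ok in check_chain_order(LE_X1_PEM):
        print("%-30s issued by %-30s %s" % (subject, issuer, "ok" if ok else "OUT OF ORDER"))
```

Feed it the contents of the file you point ssl_certificate at; a row marked OUT OF ORDER means the certificate after it is not its issuer, which is exactly the case where one browser may still accept the site (it has the intermediate cached) while another rejects it.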
Letsencrypt: fullchain.pem
Same trouble for me. I was using Letsencrypt and, in my Nginx configuration, I needed to NOT use this:
ssl_certificate /etc/letsencrypt/live/domain.tld/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
But use this:
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

Heroku Updating SSL endpoint failed - No key found that signs the certificate

I am trying to replace my SSL cert on my Heroku Rails app.
I have reissued the SSL cert and am trying to update the SSL end point.
However, when I run the following command I get this error.
heroku certs:update server.crt intermediate.crt server.key -a my_rails_app
Resolving trust chain... failed
! No key found that signs the certificate.
First off here are some good links to help you with this.
https://devcenter.heroku.com/articles/ssl-endpoint
https://gist.github.com/shripadk/552554
https://www.resumonk.com/blog/setup-ssl-certificate-heroku/
I reissued my SSL cert and when I got it in an email I copied the whole thing not just the Cert information.
Afterwards Heroku ran the update without issues.
server.crt
Web Server CERTIFICATE
-----------------
-----BEGIN CERTIFICATE-----
MIIFKDCCBBCgAwIBAgIDEet1MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
IWAr5kQ/k2Hy4jXxHpqWMbK/SNu/UIlJM/xjyVvANy43orc2zBnGIPrzECMBWAP1
Xbkz4PUm4DuD8bRrkN7q9VKrssROFXkrl/teOg==
-----END CERTIFICATE-----
INTERMEDIATE CA:
---------------------------------------
-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
knYYCnwPLI6FoOpC+ZNmZzYV+yoAVHHb1c0XqtK
LEL2TxyJeN4mTvVvk0wVaydWTQBUbHq3tw==
-----END CERTIFICATE-----
After pulling my hair out over updating an existing SSL in Heroku, and wasting many, many hours, I came across a Heroku Add-On called Expedited SSL that makes this process so painless, it's almost too good to be true. But it is true. What I couldn't solve in the last 6 hours was just solved in literally 1 minute with this add-on.
I shall say no more.
I was getting the same error. In order to fix it, I had to pass the path to privkey.pem after fullchain.pem
sudo heroku certs:update /etc/letsencrypt/live/domain_name/fullchain.pem /etc/letsencrypt/live/domain_name/privkey.pem -a tc-sales-portal
Hope it helps

I found an issue when I'm using Apache Benchmark (ab) with HTTP

I found an issue when I'm using Apache Benchmark (ab) with HTTP: it is working fine, but when I'm running ab with HTTPS I'm getting the error "benchmarking : SSL read failed - closing connection". Any ideas how it could be resolved?
Try Siege, it's similar to ab, but it can handle https with untrusted certificates.
With Siege you can create a file with the URLs you want to test (-f option), the -c tells how many users (concurrency) and -t how much time (e.g.: 1M one minute, 2H two hours)
siege -c 10 -t 1m -f file.txt
If you are using Debian, you can do an apt-get install siege
This appears to be a bug that occurs on some servers:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49382
This also happens if you are using an intermediate certificate authority (StartSSL free tier) that is not trusted by the client and misconfigured your SSL certificate.
You need to add the intermediate CA's certificate to your webserver's SSL certificate so that it looks like this:
-----BEGIN CERTIFICATE-----
..YOUR CERT......
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
..INTERMEDIATE CA CERT......
-----END CERTIFICATE-----
Try installing the certificate in the machine from where you perform the request.