I am developing an app to run in Cloud Foundry.
The app makes constant connections to a web service using https protocol.
The web service uses a pair of self-signed certificate created by openssl.
As there is no DNS setup, I am using IP address as the Common Name(CN) in the ssl certificate.
However, the web service IP address varies from time to time. The ssl certificate has to be re-generated each time.
In order for the app to connect, it needs to trust the SSL certificate so I have been packaging the public key for the web service’s SSL cert as a file with my app.
The problem is that I have to re-upload the app to Cloud Foundry once the public key of the SSL cert changes.
Here are some possible solutions:
Register a host name in DNS. In that case, the certificate is only bound to host name. (Might not be possible cos of the budget. )
Create a private CA and issue certificates from the CA, then install the CA as the trusted CA on the client. It is feasible and a common way for internal services. However, what if the app is pushed to the CF? How can we configure the node for the certs?
Disable the SSL server authentication. Not sure whether it would put the app at risk if the authentication is skipped. For the time being, the app pulls data from the web service.
I've been thinking of keeping the public key in the database. In that case, I don't need to re-upload the app to make it take effect. But I am not sure whether it is a safe way.
Question
I am seeking for a common and safe way to keep the SSL server cert in a Cloud Foundry env. Are any of the above solutions viable? If not, is there any other CF preferred ways?
Thank you
This is a bit old, but in case this helps...
Did you try to generate your server SSL certificate with whatever hostname (even "localhost"). As you are uploading this certificate in your application (i.e. to "blindly" trust it), I think that it could work and this would avoid dependencies with your IP address.
Related
I'm using a React frontend application on a domain with a valid SSL certificate, which makes calls to a Django backend application on a VPS (Ubuntu 20.04, apache2), which doesn't have a domain name registered (instead the calls are being made using the IP of the server). The server doesn't yet have a valid SSL certificate which prevents the React app from receiving the resources. Self-signed won't work since it's then not valid in the browser (I might be wrong here).
Do I also need to register a domain name for the backend API server for the SSL certificate to be valid or can I just buy an SSL certificate and work from there?
To even get an SSL certificate back from the vendor, you need a fqdn (fully qualified domain name). That information is used to sign and create the certificate request. Your webserver won't even properly encrypt until you have valid signed certificate for the server in question. You can expand the number of hosts that a certificate will serve by buying a wildcard certificate (*.example.com vs specifichost.example.com)
If your back end server is on some cloud or hosted service, you can use self signed certificates but you would have to disable "strictness" in your front end. If you're at any time performing financial transactions this is not advisable.
If you're making axios calls, here's a pretty good article on disabling https strictness (https://github.com/axios/axios/issues/535).
Your vendor for the VPS might have some helpful information on how to harden up the server.
If this is not how you'll be doing this in production and the setup you describe is for testing only, then probably you want to use the environment to set a variable indicating 'strict' or 'test' and switch your calls accordingly. That way, a relaxed setup will work in test or in your sanbox, but production would use a properly configured host with a valid certificate.
I'm getting crazy with SSL certificates. After trying from lots of different providers I finally got one using SSL for free.
But there's one thing that I haven't understood yet.
Do I have to upload my certificate on my Domain provider (such as Register.it) or on my Host service (such as 000webhost or InfinityFree)?
The problem is that 000webhost offers a better service but not the possibility to upload an SSL certificate on a free plan, while InfinityFree (which offers a worse service) does.
I have the possibility to upload my certificate on the Domain provider (Register.it), but I can't understand if it works or it is overridden by InfinityFree one, and I have difficulties in trying switching from Host to Host because of the really slow DNS propagation.
Sorry if I made confusion, but it was to explain better my situation... My question remains one: Do I have to upload my certificate on my Domain provider or on my Host service?
You need to upload ssl certificate to your hosting. SSL for free is a Let's Encrypt certificate.
You can check which provider ssl running on your domain.
Step:
Tab your browser green lock icon then details
I'm having an issue with my development where I am trying to implement OAuth authentication in my app. In order to get this to work I have to set up my .net core app to run with SSL certificates. These certificates are generated automatically and trusted, so far so good.
The issue arises where I try to use a phone client on these sites. Obviously the device doesn't have the certificate installed, and installing the certificate on the device makes little difference (the certificate provided by the dotnet tool doesn't have a CA attribute or something? So I can't physically trust the certificate on an iOS device).
From where I'm standing, it would make more sense to just use a Let's Encrypt SSL certificate on IIS Express, have the certificate provided by a recognised authority, but it seems that I can't do that for localhost. I think this is because the Let's Encrypt ACME bot can't connect to my local development instance which makes sense.
Is there any way to have a recognised development certificate (when I say recognised, I mean something like Let's Encrypt) in use for IIS express or local development? Or do I have to use a self signed certificate and find some way to install them on my testing devices?
Thanks.
I think you need 2 steps to achieve it.
Configure your IIS Express to use a custom domain name rather than localhost. This custom domain name is the one that you have SSL certificate for. Check here for how to do it.
Bind the Let's Encrypt certificate to IIS Express. This blog post uses a self signed cert, but in theory it should also work for Let's Encrypt cert.
I am trying to wrap my head around certificates and any help is appreciated. So far this is what I understand, please correct me if I am wrong.
When using the browser when I navigate to the https site the browser downloads the certificate(without the private key) and then continues to send the data over https?
I have come across some sites (especially when developing) that require you to install the certificate on the local machine before making a service call. What is the purpose here and how does it work?
I have also seen some scenarios where you need to install the certificate on the client machine for authentication purposes for example if you are using an email client, how does this work?
When using the browser when I navigate to the https site the browser downloads the certificate(without the private key) and then continues to send the data over https?
No, the browser and the server stablish a SSL/TLS secure channel with a symmetric encryption key. During the handshake process the server presents the https certificate and digitally signs some data with the private key as a proof of authenticity.
I have come across some sites (especially when developing) that require you to install the certificate on the local machine before making a service call. What is the purpose here and how does it work?
The client must trust the server certificate. Usually it has a list with the Certification Authorities for which certificates are accepted. For other certificates is needed to add them to the trust list. If not, the communication will be rejected
I have also seen some scenarios where you need to install the certificate on the client machine for authentication purposes for example if you are using an email client, how does this work?
Probably the same case as the previous one. Also the public part of the certificate of a user can be used to encrypt a message for him
I working to develop small HTTPS server that will be included in my android application. And the client will be browser. User can browse to the contain that I have on my HTTPS server. Can someone tell me what kind of setup do I need as far as the certificate and private/public keys are concerned. I am planning to use openssl to create my self-signed certificate.
FYI, I have initial setup done. And since my certificate is self-signed, browser displays warning to accept it on your own risk. So I believe server authentication is working. What do I need for server to authenticate the client ?
Thanks
The problem with hosting an HTTPS webserver on an android device is that the certificates are validated using a domain name. Without a domain name the client browser will display an error unless the server certificate is installed and trusted locally.
The two options are:
Register a domain name, use dynamic dns, and then request an ssl/tls certificate based on that name.
Installing self-signed certificate programmatically
There is an Android library that supports https: http://tjws.sourceforge.net/