I have a Meteor app I am deploying to a Digital Ocean Ubuntu server via MUP. It works great without SSL, but I can't figure out the SSL part.
I Purchased a Comodo SSL Cert. They sent me 4 .crt files. I can the following command:
cat cert1.crt cert2.crt cert3.crt mydomain.crt > ssl.pem
I then put that ssl.pem file in the root directory locally. Added "ssl": {"pem":"./ssl.pem"} to my mup.json file and ran mup setup -- everything is succesful until:
[45.55.225.190] x Verifying SSL Configurations (ssl.pem): FAILED
-----------------------------------STDERR-----------------------------------
Trying to initialize SSL contexts with your certificatesError loading rsa private key
-----------------------------------STDOUT-----------------------------------
----------------------------------------------------------------------------
I'm not even sure how to troubleshoot this. I ran a quick find on the server and the ssl.pem is there, so mup successfully sent the file over, but it seems stud is not verifying the file or not finding it?
Turns out I was running into two different problems. First, you have the put the certificate files in a very specific order. Second, I was not including my key file. The command to create the .pem file needed was:
cat mydomain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt mydomain.nopass.key > ssl.pem
This blog post at DeveloperSide.NET helped me tremendously.
Related
I have installed LetsEncrypt on Ubuntu 16.04 Apache server. It generated 4 .pem files under its letsencrypt/live directory. I am using the public and certificate pinning mechanism and dumping them into the iOS app bundle. To avoid updating the app on renewal i have read that it has to be renewed using a --csr flag but couldn't get much help on this. Can letsencrpyt renew the way i want to or i need to use some other client? Do i have to regenerate all the certs as am sure it generated only pem and no csr files while creating certificates with Letsncrypt. Thanks.
The csr generated by LE can be found out in /etc/letsencrypt/csr. I picked the latest csr file (usually the one which has the highest integer is the latest, e.g.: 0005_csr-letsencrypt.pem will be latest to 0004) and renewed the certificate with the above command:
letsencrypt certonly —csr /etc/letsencrypt/csr/0005_csr-letsencrypt.pem
This will generate 3 files called in the same directory:
000x_chain.pem - has same PubKey but new expiry (what we need)
000x_chain.pem - has some CA information
000x_cert.pem - the cert which will match the PubKey of the cert
I used the 000x_cert.pem for my app bundle. So every time i renewed the certificate i could hit the server even though i dont replace the 000x_cert.pem in the app. It works as the public key will be same. Thanks.
So I am trying to make my IIS8 webserver https, yet I can't seem to get it to work.
I have tried almost anything... but nothing seems to work.
DON'T WORRY THE FILES BELOW ARE FAKE!
PICTURE 1 KEY
PICTURE 2 PEM
First of all, what do I need to do with these 2? It says to save them as .key and .pem files, so I thought they mend: put the private key in a text file and save it as .key and same for the certificate and save it as .pem.
I tried to convert them to .pfx because that is what I need, right?
First I tried using openssl, but I saw a nice site, so I started using that instead: https://www.sslshopper.com/ssl-converter.html. That gave me an error at first, but then I saw cloudflare also had something called DER:
Which gave me an .CRT file if I downloaded it, so now I had a .PEM, a .KEY and an .CRT file, I went back to the website and used the .CRT file and the .KEY file, and put in a password!
Now I've gotten my .PFX file, which I wanted! I installed it on my windows server, but got this:
Why is it not verified?!
What files do I need to verify this?
Am I saving the files correct?
Within IIS you'll need to create a Certificate Signing Request (CSR) and export it.
In the Crypto app, scroll down to the Origin Certificates card and click 'Create Certificate'. Select 'I have my own private key and CSR', add the hostnames you'd like to be covered by the certificate. Once you've completed all the steps in the Wizard you can go back to IIS and click " Complete Certificate Request".
A step-by-step breakdown of these instructions is available on the Cloudflare Knowledge Base: Managing Cloudflare Origin CA certificates
Additionally, you'll need to install the Origin CA root certificates for CloudFlare on the server outline in Step 4 of the KB tutorial. This is fix the warning message:
Windows does not have enough information to verify this certificate.
There are two locations which these certificates may be installed: Current User or Local Machine.
To target the Current User open the certmgr.msc program, otherwise open certlm.msc
Expand 'Trusted Root Certification Authorities'
Right-click 'Certificates'
Select 'Import...' from the 'All Tasks' menu
Import both the ECC and RSA .pem files
I have an issue after I installed the SSL Certificate in WorldClient, MDaemon 12.
I followed the link in installing the SSL, SSL installation was fine. Then, I followed the link to use the SSL in WorldClient. I use 888 for TCP port and 443 for https port.
When I call the webmail (http://mail.mydomain.com.sg:888) in browser, it opens properly. But, if https://mail.mydomain.com.sg:888, Secure Connection Failed error message is shown.
Any Ideas, please? Thanks.
I have solved this problem.
If you read all instruction from the link you given in your post carefully until finished, you'll get the answer.
Note: MDaemon will only display certificates that have private keys
using the Personal Information Exchange format (PKCS #12). If your
imported certificate does not appear in the list then you may need to
import a *.PEM file, which contains both a certificate key and private
key. Importing this file using the same process outlined above will
convert it to the PKCS #12 format.
You should make a PKCS#12 file from generating the (certificate) .csr and private key (.key) you have. If you on windows, install the openssl first on your PC. After successful generate the PKCS#12 file, follow the instruction again to install the SSL certification on MDaemon.
If you success, you'll see the certificate appear in the MDaemon.
Remember to restart your server or webserver to apply the changes.
Regards
I am trying to upload the SSL certificates for my OpenShift gear's alias. I used the instructions here: http://cloudhostingsource.com/setup-ssl-certificate-openshift/
I am stuck however at the uploading part - I have already genereated the CSR, activated the certificate. Every time I try to upload the files it takes me back to the same page without so much as a notification.
Comodo SSL sent me 4 files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
myApp.crt
How do I upload these? There are three fields to upload for Openshift... Which do I load into SSL Certificate? Certificate chain? I have my private key and I know the keypass.
Thanks
Just wanted to post an update for this for users who run into this issue in the future... I'm not sure if it was because I had added a public SSH key via the RHC setup but nothing I did (no permutations of copy paste chaining, switching files around) would work via the file uploader.
In the end, before deciding to call Red Hat and QQ, I used the command line console to add the SSL files...
Here is the command I used:
rhc alias update-cert php www.myapp.com --certificate myApp.crt --private-key myApp.key --passphrase mypass
This link includes more info: https://access.redhat.com/documentation/en-US/OpenShift_Online/2.0/html/User_Guide/Using_Custom_SSL_Certificates1.html
TLDR: You don't need to combine any of the Comodo files, just use your file #4, your privatekey, and your passphrase (if you have one)
Thats right!
First combine public with bundle:
cat dom_com.crt dom_com.ca-bundle >> dom_com.ALL.bundle
and upload both:
rhc alias update-cert app dom_com \
--certificate dom_com.ALL.bundle \
--private-key dom_com.key
And then you will obtain an A at https://www.ssllabs.com/ssltest/
You need to combine 1,2, and 3 into one chain certificate (in the correct order) and upload them in the chain certificate field, the key goes in the key field, and the myApp.crt goes in the certificate field.
I had a similar problem, and after some back and forth emails with the Certificate issuer, what helped me was to combine my site certificate with the Certificate chain into one file, and uploading it into the "SSL Certificate" field in OpenShift. I left the "SSL Certificate Chain" field blank, but of course I uploaded my public key in the "Certificate Private Key" field.
I've set everything up to secure my domain with ssl, I've received a certificate from my provider and I added the endpoint addon to heroku, however I'm having difficulties with uploading the certificates to heroku..
I have the following files:
CompleteCABundle.crt
www.domainname.crt
and some generated server.key and server.pass.key files.
I've tried to upload these to heroku with the certs:add command but so far it does not seem to be working.
What steps should be taken and which files exactly should be uploaded to heroku?
I haven't used Heroku before but I imagine a problem could be that you haven't combined the CA Bundle and your domain's certificate together into a single file before trying to upload them.
According to the Heroku docs here: https://devcenter.heroku.com/articles/ssl-endpoint there are only two arguments to the certs:add command.
You can combine the two .crt files with the following:
cat www.domainname.crt CompleteCABundle.crt > total-crt-chain.crt
Then try certs:add again (with this new bundle and your private key) and maybe see if this works.