I'm using Amazon Web Services.
I'm using a Linux instance.
I'm using GoDaddy SSL.
I'm following these steps:
http://jafty.com/blog/installing-godaddy-ssl-certificate-on-amazon-ec2/
I'm stuck at this point:
Generating a Certificate Signing Request (CSR) - Apache 2.x
Enter the following at the command prompt:
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
Replace yourdomain with the domain name you're securing. For example, if your domain name is coolexample.com, you would type coolexample.key and coolexample.csr.
What I did was:
openssl req -new -newkey rsa:2048 -nodes -keyout 180.21.80.1.key -out 180.21.80.1.csr
I used the public IP address of my t1 instance.
I have generated a key and CSR files.
180.21.80.1.key
180.21.80.1.csr
Like this. Now it's ready to copy and paste into GoDaddy.
My question is:
Is what I'm doing correct?
Do I have to create a name for my IP address, like domains?
Is it okay if I make mistakes? It's editable, right?
With reference to the link you mentioned, try the following steps:
Ensure that you have installed mod_ssl and it is running.
Upload your certificates to the instance, say to /home/ec2-user/ssl
Edit /etc/httpd/conf.d/ssl.conf
Find the lines below and replace them accordingly (verify that the filename and path are correct):
SSLCertificateFile /home/ec2-user/ssl/certs/site.com.crt
SSLCertificateKeyFile /home/ec2-user/ssl/keys/site.key
SSLCACertificateFile /home/ec2-user/ssl/ssl_files/gd_bundle.crt
Restart Apache
That looks right. Generally people don't use IP addresses as names of certs and CSRs, they use hostnames, but I don't see why it wouldn't work. Also it's SUPER easy to add it to an ELB (AWS load balancer) as opposed to configuring Apache for it, so if you have your server(s) hidden behind an ELB, or you think you will add more servers at a later point, it can be a little more convenient.
The scenario is the following:
I created a self-signed SAN certificate bundling different intranet domains, hosted on different machines and OSes. The certificate is working as expected when being used by Apache services on CentOS and nginx services on Docker, but when I tried using the same certificate for a domain being hosted on Microsoft IIS, I get a 502 Bad Gateway error.
From my understanding, even a faulty certificate should not trigger a 502 error, should it? And seeing as all other domains on different scenarios work just fine, I presume I did something wrong.
So this is my process for creating and exporting the certificate to IIS:
openssl req -x509 -newkey rsa:2048 -nodes -keyout cert.key -out cert.crt -days 365 -config san.cnf
san.cnf is a config describing the different domains I need etc. After creating certificate and private key, I export a .pfx version of the certificate with the following command:
openssl pkcs12 -export -out cert.pfx -inkey cert.key -in cert.crt
I then import said .pfx file to IIS using the import function in the server certificate feature menu and configure the https:// binding of the domain to use this certificate. After restarting the web service, I get 502 Bad Gateway errors when trying to access the page.
Is there anything I am missing?
Thx in advance for any hints, I suspect it's plain stupidity on my part once again :D
Which kind of web service did you create? For a WCF service, please enable HTTP activation in the Windows features.
For the usage of the SAN certificate, we need to configure a binding for every domain name accordingly in the web site binding module.
Like the below figure.
In particular, there is no need to tick the option below, since this kind of certificate supports Subject Alternative Name. These bindings use the same certificate.
Lastly, I suggest you bind another certificate to verify whether the certificate caused this issue.
Feel free to let me know if the problem persists.
This error seems to be a rare one, since Google doesn't cough up anything. (There do exist questions and answers for different Telegram Webhook error messages.)
So this is mine:
{"ok":true,"result":{"url":"https://blablabla.com:8443/mytgmhook",
"has_custom_certificate":false,
"pending_update_count":22,
"last_error_date":1535648677,
"last_error_message":"SSL error {
error:14095044:SSL routines:ssl3_read_n:internal error
}","max_connections":40}}
For context:
I am running a newly set up Amazon Linux 2 on EC2.
I have created SSL certificates using LetsEncrypt and Amazon's instructions. I have verified the setup on ssllabs.com and it's all green.
I have opened the ports 443 and 8443 and tested them, they work, traffic gets through.
The site is accessible via https on both domain.com and www.domain.com
This error message is preventing me from getting and parsing the bot inputs. They never arrive to my server. Note that it didn't stop working -- it never worked.
Any ideas please?
EDIT:
I have discovered that if I keep refreshing the getWebhookInfo, the above error is sometimes replaced with this one:
"last_error_message":"SSL error {
error:1408F10B:SSL routines:ssl3_get_record:wrong version number
}","max_connections":40}}
I have launched a brand new EC2 instance, with Ubuntu this time, and I get the same error.
I am still at a loss as to how to solve this.
1 - use openssl req -newkey rsa:2048 -sha256 -nodes -keyout YOURPRIVATE.key -x509 -days 365 -out YOURPUBLIC.pem -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=YOURDOMAIN.EXAMPLE"
to create your certificate;
2 - remember to put the IP address of your server in YOURDOMAIN.EXAMPLE
The cert I have from StartSSL comes with a key file. But from GoDaddy, I get only the 2 .crt files. GoDaddy's instructions are for CentOS and explicitly do not work for Ubuntu.
How do I export the private key ... or get it from somewhere ... so I can use it with Apache SSL? The question that is ALMOST the same as mine assumes use of a Mac Keychain application. I don't run a Mac and I'm trying to do everything on the Ubuntu command line. I know there's a way to do this ... can anyone help me find it?
Thanks!
Follow these steps.
1. First of all, generate the private key and CSR using the following command:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
You'll be asked questions like the country, state, city, company name, domain name and so on. Just fill in the details and your private key will be ready as server.key in the directory where you run this command. You'll be asked to enter a challenge password; you can enter any secure password there.
2. Log in to GoDaddy and rekey the certificate. You'll have to submit the CSR we've generated with the private key. Once you rekey the certificate, you'll be able to install the certificate using the crt file you got, the ca-bundle you got and the private key we just made! Let me know if you have any questions about this. PS: You have to use this method when you lose your private key.
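An added example (not part of the answer above): after a rekey, check that the CSR and the issued .crt carry the same public key as server.key before pointing Apache at them. The demo files are constructed: a self-signed certificate stands in for the one the CA returns, other.key is an unrelated key, and the coolexample.com subject is a placeholder.

```bash
#!/usr/bin/env bash
# Added example: do a private key, a CSR and a certificate share one public key?

pubkey_digest() {            # $1 = key|csr|crt, $2 = PEM file
  local pub
  case "$1" in
    key) pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)        || return 1 ;;
    csr) pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    crt) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    *)   return 2 ;;
  esac
  [ -n "$pub" ] || return 1  # never hash an empty read: two failures would "match"
  printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

key_matches() {              # $1 = private key, $2 = csr|crt, $3 = file to compare
  local a b
  a=$(pubkey_digest key "$1")  || return 1
  b=$(pubkey_digest "$2" "$3") || return 1
  [ "$a" = "$b" ]
}

# --- constructed demo material, written to a throwaway directory ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
# Same command as in the answer, made non-interactive with -subj (placeholder name).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=coolexample.com" \
  -keyout "$demo/server.key" -out "$demo/server.csr" 2>/dev/null
# Stand-in for the certificate a CA issues from that CSR (self-signed here).
openssl x509 -req -in "$demo/server.csr" -signkey "$demo/server.key" \
  -days 1 -out "$demo/server.crt" 2>/dev/null
# An unrelated key, such as one left over from before the rekey.
openssl genrsa -out "$demo/other.key" 2048 2>/dev/null

for pair in "server.key csr server.csr" "server.key crt server.crt" \
            "other.key crt server.crt"; do
  set -- $pair
  if key_matches "$demo/$1" "$2" "$demo/$3"; then
    echo "$1 matches $3"
  else
    echo "$1 does NOT match $3"
  fi
done
```

A certificate only works with the private key whose CSR it was issued from, so a mismatch here means the wrong key file or a certificate from before the rekey.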
This is my first time setting up HTTPS (2016. Scary, I know) and I am having trouble migrating a certificate from a server running CPanel.
There seems to be no Export button so I assume I can create myself an SSL certificate simply by copying the different keys I have:
Unfortunately I don't know how the file should be saved (I assume as *.domain.com.crt as mentioned in DigitalOcean). Yet I see they need other certificates (such as an intermediate cert). Another unfortunate thing is that the site was hosted and run by an external manager, so I don't have root access to export the SSL certificate using the CLI.
How can I get around this?
Do I have to buy a new certificate?
Thanks
Copying an SSL from server to server is, sadly, no easy matter. The SSL was generated from a CSR specific to the server itself, so it is very likely the SSL certificate itself is not valid on the new server.
If the SSL was self-signed, you can just make a new one on the new server using this command:
openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt
If it was an SSL you paid for, contact the SSL provider to work with them to regenerate it for the new server.
Alternatively, you can use Certbot to make a whole new SSL on the new server pretty quickly.
I am actually trying to create a test SSL certificate for my webserver.
I started with this tutorial.
But when I try to create a certificate with the following command:
openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt -subj '/O=Company/OU=Department/CN=www.10.9.11.99/lebenmittel_test'
The following error appears:
Generating a 1024 bit RSA private key
..............++++++
.................................++++++
writing new private key to 'server.key'
-----
end of string encountered while processing type of subject name element #3
problems making Certificate Request
I think the problem is that I am trying to create a certificate for an IP address ... :/
I tried the same command with www.example.com and it worked.
Is there a way to create a certificate for an IP address?
Your problem is that 'lebenmittel_test' is not a valid attribute syntax. Additionally, 'CN=www.10.9.11.99' is definitely dodgy for a CN.
Why not just assign a valid name for the CN, and then tweak your /etc/hosts file to point to the IP address using that name?
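An added example, not from the answer above, that goes one step beyond it: the question's subject string is rejected because its last element is not type=value, and a bare IP address can be covered by putting it in an iPAddress subjectAltName. It assumes OpenSSL 1.1.1 or later (for -addext and -ext); the function names are made up for this sketch, and rsa:2048 with -sha256 replace the question's rsa:1024 and -sha1.

```bash
#!/usr/bin/env bash
# Added example: self-signed test certificate for a bare IP address.
# Assumes OpenSSL 1.1.1 or later (-addext, -ext).

subject_parses() {   # $1 = existing key, $2 = -subj string; 0 if openssl accepts it
  openssl req -new -key "$1" -subj "$2" -out /dev/null 2>/dev/null
}

make_ip_cert() {     # $1 = IP address, $2 = output directory
  # Every -subj element must be type=value. The IP goes into an iPAddress SAN,
  # which is what clients compare against when the URL host is an IP address.
  openssl req -new -x509 -days 365 -sha256 -newkey rsa:2048 -nodes \
    -keyout "$2/server.key" -out "$2/server.crt" \
    -subj "/O=Company/OU=Department/CN=$1" \
    -addext "subjectAltName=IP:$1" 2>/dev/null
}

cert_covers_ip() {   # $1 = certificate, $2 = IP address
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match certificate'
}

out=$(mktemp -d)
trap 'rm -rf "$out"' EXIT
make_ip_cert 10.9.11.99 "$out"
openssl x509 -in "$out/server.crt" -noout -subject -ext subjectAltName

# The question's subject versus a well-formed one, parsed against the new key.
for subj in "/O=Company/OU=Department/CN=www.10.9.11.99/lebenmittel_test" \
            "/O=Company/OU=Department/CN=10.9.11.99"; do
  if subject_parses "$out/server.key" "$subj"; then
    echo "accepted: $subj"
  else
    echo "rejected: $subj"
  fi
done

# The certificate matches its own IP and nothing else.
for ip in 10.9.11.99 10.9.11.98; do
  if cert_covers_ip "$out/server.crt" "$ip"; then
    echo "$ip: covered"
  else
    echo "$ip: not covered"
  fi
done
```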