Really hope this hasn't been asked before, but here goes.
I am installing and configuring a server to use as a webhost for all their projects. I am also installing and configuring an additional identical server for redundancy (replicated via rsync and mysql replication). What I'd like to know is, can I configure the same SSL EV certificate on both servers or do I need separate ones for each server?
It's a basic LAMP server if that is relevant.
It is possible to use the same certificate on all hosts which need it.
Apologies in advance for such a question.
I have looked around for some time but still have no clarity.
I have the Raspberry Pi. I use nginx to host my web server.
I have created a local SSL certificate using openssl so that browsers can view it without complaint. But I read that you should not use a local cert for a production server. If I do not use a domain name for my server, I cannot pay for a genuine SSL certificate.
So what are my options?
I suspect that in the near future all web servers will require genuine SSL certification.
I will be very grateful for any suggestions. I will also post back anything I discover myself.
Thanks!
I have a client site set up on AWS with multiple servers running HTTPS behind an Elastic Load Balancer. At some point, someone from the client's team attempted to update the SSL cert by installing a new one directly on one of the servers (instead of in the ELB).
I was able to upload a new cert to the ELB, but when traffic is directed towards the server with the improperly installed cert, it triggers a security warning.
No one can seem to answer who attempted this install, how they went about it, or where they installed it.
What's the best way to go about finding and removing it?
Thanks,
ty
If it's installed on the server, it has very little to do with AWS. I see you tagged the question with apache so I assume the server is running Apache Web Server. You will have to connect into that server and remove the SSL settings from the Apache Web Server configuration, just like you would with an Apache Web Server install anywhere else.
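One way to locate the stray certificate configuration on the Apache host, as an added example that is not part of the original answer; it assumes a Debian-style config root of /etc/apache2 and that the openssl CLI is installed:

```shell
#!/bin/sh
# Added example: list every Apache directive that binds a certificate under a
# config tree, and fingerprint a PEM certificate so it can be compared with
# the certificate the ELB serves. Assumption: default config root is the
# Debian layout /etc/apache2; pass another path as the first argument.

# Print "file:line:directive" for SSLEngine and SSLCertificate* directives.
# Commented-out lines are skipped, so only active bindings are reported.
list_ssl_directives() {
    root="${1:-/etc/apache2}"
    grep -rnE '^[[:space:]]*SSL(Engine|CertificateFile|CertificateKeyFile|CertificateChainFile)[[:space:]]' "$root" 2>/dev/null
}

# Count how many active SSLCertificateFile directives reference a given path;
# every one of these is a place the stray certificate may be bound.
count_cert_refs() {
    root="$1"
    cert="$2"
    list_ssl_directives "$root" | grep -c "SSLCertificateFile[[:space:]]*$cert"
}

# SHA-256 fingerprint of a PEM certificate found via the directives above.
# Compare it with the fingerprint of the certificate uploaded to the ELB
# (placeholder host, not from the original question):
#   openssl s_client -connect <elb-hostname>:443 </dev/null 2>/dev/null \
#     | openssl x509 -noout -fingerprint -sha256
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
```

Once the offending vhost is identified, remove or correct its SSL directives, run `apachectl configtest`, and reload Apache so the host serves plain HTTP behind the ELB again.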
I have an Nginx web-server running on EC2 and an amazon RDS mysql instance with encryption enabled at instance creation time. This is using an encryption key I create using IAM.
Question 1: What's the purpose of this encryption key? It is just to encrypt data at rest?
Then I'm trying to use SSL provided by RDS (rds-ca-2015-root.pem) to encrypt data in motion between Nginx web-server and RDS mysql instance.
Question 2: Do I have to copy .pem file to Nginx server and do some configuration? Please list the steps if possible.
After, I want Nginx web-server to communicate with visitors browser over HTTPS when submitting login info and other sensitive information.
Question 3: How can I do this? Do I need another SSL certificate from a CA and how do I configure this in Nginx server?
Thank you.
Question 1: What's the purpose of this encryption key?
It looks like it's for SSL communication to your MySQL instance. To talk securely to your instance, you must configure your MySQL client with that .pem file.
It is just to encrypt data at rest?
No, for that, you just check a checkbox at RDS database instance creation time. There is nothing else to do.
to encrypt data in motion between Nginx web-server and RDS mysql instance.
Nginx doesn't talk to MySQL. (Well, maybe you have some strange nginx module?) Whatever is talking to MySQL must be configured for SSL mode (and for security, must be given the public key .pem file to verify it's talking to the right server.)
Question 2: Do I have to copy .pem file to Nginx server and do some configuration? Please list the steps if possible.
Yes. Since Nginx doesn't talk to MySQL directly, you need to figure out what is talking to MySQL. (Is it some nginx module? Look at that module doc for directives. Otherwise, nginx is probably fronting for some other app such as PHP-FPM, etc. That app must be configured for SSL to MySQL.)
Question 3: Do I need another SSL certificate from a CA and how do I configure this in Nginx server?
Yes, there is a complex dance you need to do to get SSL working. There are many pages on how to do that. You'll need to ask a specific question if you want help with that.
I have the following implementation in a testing environment:
Front-end Server [IBM HTTP Server + IBM Websphere plugin],
WLServer1 [IBM Worklight 6.2 + IBM DB2 10.1+ Liberty Farm 8.5.5.1] and
WLServer2 [IBM Worklight 6.2 + IBM DB2 10.1+ Liberty Farm 8.5.5.1].
plugin-cfg.xml has been generated from each Worklight server and merged.
The requests [HTTP] from multiple devices have been directed to the Worklight servers alternately, once the merged plugin-cfg.xml has been deployed in the front-end server's IBM WebSphere plugin.
How can I implement the same to serve HTTPS requests?
And also I have implemented the "UserCertificateAuthenticationProject" from the Worklight modules which connects the device[HTTPS] to Worklight server directly.
Note Tested it on Android only.
Help me to understand how I can achieve HTTPS in the test environment via IHS.
What should be the procedure in Production environment?
Note: IBM Worklight 6.2 supports Android, iOS, BlackBerry & Windows, so I have to implement this on all platforms.
It sounds like the problem you are having is similar to this one: https://stackoverflow.com/a/21914147/2245921 The Unresponsive Host error occurs for one of two reasons:
Your device cannot reach your server (they are not in the same network)
The device does not trust the server's certificate
Since you can connect to your HTTP connection, it is not #1, so it should be #2. The answer to the other question I pointed to above should fix your problem. Make sure to turn on trace-level logs in the WL Logger so that you can see the exceptions regarding untrusted certificates.
Edit: To expand on this answer; to use HTTPS, your server needs an SSL certificate to identify itself, otherwise the device has no proof that it is connecting to the right server and not to some random server that could be malicious. You should already have a certificate that you are using in your server; if you don't, then read on.
You usually get an SSL certificate from one of two places: you either use a certificate issued to you by a trusted Certificate Authority (e.g., Verisign), or you create one for internal testing purposes. In your case, you probably want to create your own, so you should follow the "Client X.509 Certificate Authentication and User Enrollment" getting started here, specifically the parts that talk about generating the server certificate.
Once you have that certificate set up, you should configure your server to use it; for that, follow the instructions here. After doing this, the last step is to have your device trust your server's certificate. For this, follow the last part in the getting started above, which shows you how to make your iOS/Android device trust the server. You would have to look up how to do this on Windows and Blackberry, too.
After this, you should now be able to connect successfully via HTTPS. (Always make sure that when you get an "Unresponsive host" error, that you can still connect to the HTTP console via the browser, to make sure that you are connected to the same network as your server. I know you already did this as you specified in your question, I'm just mentioning it as a reminder since it is easy to forget this.)
I am trying to use SSL offloading to allow HTTPS on our web farm. The only way we can get SSL to work is to install the certificate and bind it in IIS on each server. However, our farm is scalable and we need to be able to create servers and drop them as traffic levels change. We can't include the certificate in the server template because it corrupts and won't work properly.
However, if I understand it correctly, we should only have to install the certificate on the ARR server and SSL offloading should apply to all the other servers. However, this doesn't seem to be working.
Whilst we can install the certificate each time we create a server, this is an added hassle and it seems like there should be a better way of doing it.
Any thoughts?
You can use SSL Offloading which would only require the SSL certificates be installed at the ARR level, allowing you to add servers to your webfarm without certificate configuration.
What exactly isn't working when you try to do this?