I´m trying to solve this new problem for internal deployment and testing.
I was successful creating an Internal CA certificate, and a SSL one with it. The host is a local IIS referenced as hostname.domain. I installed the CA certificate on the host and configured the HTTPS for the site (hostname.domain) with the SSL certificate. I tested on MacOS Safari client and it could not verified the site until I installed the CA certificate in the keychain. This means that SSL Certificate and CA are working correctly for the host name…
Then I e-mailed me the CA certificate and installed in my ipad. It is showed as a profile with one certificate, Trusted.
Unfortunately Ipad´s Safari keeps telling me that cannot verify the identity of the hostname.domain, and if I continue to the page accepting it, the OTA download fails with the message “Cannot connect to hostname.domain”
Any idea of what is missing?
Thanks.
The proper way to fix this is by creating a signed certificate that is issued by a Certificate Authority that you also create for your organization. The specifics can be found on this particular answer: https://stackoverflow.com/a/22367111/71079
This command line application will help you set this up: https://github.com/deckarep/EasyCert/releases
Related
Having problems installing PayPalCommerce in OpenCart,
After installing and trying to connect to PayPal I get this error!
"(60) SSL peer certificate or SSH remote key was not OK"
As anybody else come across problem as the server certs are just fine?
As Stated Server Certificats are fine, was thinking of changing the Curl SSL Veerify to False but that would defeat the whole purpose. And as the latest Security 1.2 (whatever abrevation).
Update your certificate authority bundle so that your HTTPS connection to the PayPal API endpoint can verify the connection is trusted.
One can be downloaded here, among other places.
If your attempted connection is using a specific certificate file rather than a CA bundle, delete the old certificate and either obtain the endpoint's current one to use instead or use CA verification of it
I recently changed my IDE from VS 2019 to 2022 and I have not been able to successfully debug an SSL web site without receiving the popup message:
This project is configured to use SSL. To avoid SSL warnings in the browser you can choose to trust the self-signed certificate that IIS Express has generated. Would you like to trust the IIS Express SSL certificate?
After clicking Yes, the following message pops up:
Adding the certificate to the Trusted Root Certificates store failed with the following error: Access is denied.
After doing some research I ran the following command in an administrative prompt:
dotnet dev-certs https --clean
dotnet dev-certs https --trust -v
This resulted in the following:
An error has occurred while trusting the certificate: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Access is denied.
at Internal.Cryptography.Pal.StorePal.Add(ICertificatePal certificate)
at System.Security.Cryptography.X509Certificates.X509Store.Add(X509Certificate2 certificate)
at Microsoft.AspNetCore.Certificates.Generation.WindowsCertificateManager.TrustCertificateCore(X509Certificate2 certificate)
at Microsoft.AspNetCore.Certificates.Generation.CertificateManager.TrustCertificate(X509Certificate2 certificate).
There was an error trusting HTTPS developer certificate.
So far, I have tried importing the localhost certificate directly into the Trusted Root Certification Authorities, changing permission on the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder, uninstalling IIS Express and repairing, and uninstalling and reinstalling VS 2022. So far nothing has worked, not sure what to try from here?
For people seeing this post and having the same issue. I 'fixed' this by doing the following:
Go to your Current User certificates store and click the Personal and then the Certificates folder. If you can see there a localhost certificate where the friendly name is something like IIS Express Development Certificate then try to move that certificate to the Trusted Root Certification Authorities --> Certificates folder.
If you get an Access Denied error then try to set the Physical certificate stores checkbox, as per this post: The certificate cannot be pasted into the Trusted Root Certification Authorities store. Access is denied, under (View --> Options), make sure you selected the root certificates file to see the View/Options menu.
Repeat the above steps also for the Local Computer certificates. For some reason sometimes my localhost certificate was stored under Current User and sometimes under Local Computer.
When starting the application the following 'error' should have dissapeard:
This project is configured to use SSL. To avoid SSL warnings in the
browser you can choose to trust the self-signed certificate that IIS
Express has generated. Would you like to trust the IIS Express SSL
certificate?
Though, in my case I got the ERR_CONNECTION_RESET error after doing the above. To fix this I had to manually add the localhost port certificate as per this post: https://stackoverflow.com/a/68804745/3242154
After doing the above it generated another certificate in my personal certificate folder for the specified port, I once again had to repeat steps 1-3 (depending in which certificates store it was created), then it finally worked without problems.
My app connects to Worklight server through HTTPS through self-signed certificate. The app can be launched successfully.
However, when there is direct update which started downloading file from Worklight server, it is failed and I can see that there are error message regarding certification path not found.
May I know if the SSLHandshakeException and direct update error are correlated?
Thanks!
(Environment: Worklight 5.0.6.1, WAS ND 8.5, Testing Device: HTC One)
10-31 21:24:50.897: W/System.err(28746): Catch exception while startHandshake: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
10-31 21:24:50.897: W/System.err(28746): return an invalid session with invalid cipher suite of SSL_NULL_WITH_NULL_NULL
10-31 21:24:50.927: E/WLDroidGap(28746): Failed downloading application update file.
Yes, the use of direct update and the SSL handshake errors are related. Android doesn't allow you to work with self-signed certificates (unless you somehow bypass SSL). Because you can't install a self-signed cert into Android's truststore, the Android client can't establish trust for the server's self signed certificate.
You probably have the following flag specified in your Android manifest file:
android:debuggable="true"
This flag disables SSL validation when going thru the hybrid channels and probably the reason why you don't see the SSL errors earlier. Direct update is handled at a different level, where this flag does not apply, and therefore SSL validation does occur.
You should use self-signed CA certificates instead for dev/test purposes. See the following answer on how to generate a self-signed CA:
https://stackoverflow.com/a/19841469/2494287
Direct update will not work with a self-signed certificate. It is intended to be used in production, therefore it will only accept a valid CA cert.
I've tried setting up SSL for localhost running my azure web role.
What I've done is that I've created my own CA, created a client and server certificate and then installed them all in my certificate store. The server certificate is located in the local computer personal certificates, the client certificate is installed in the current user store under personal and the CA certificate is installed in trusted root certificates in both stores.
I've also configured my IIS website to use SSL and used netsh to bind the server certificate to the ip the site is running on.
However when I try to access my website through the IIS, I get an error:
HTTP Error 403.16 - Forbidden
Your client certificate is either not trusted or is invalid.
I know for a fact that the certificates I use are issued by the same CA, so I cant really see any other reason than that the IIS probably cant access my trusted root store. When I deploy my solution to azure, it works without giving me this error, so I'm positive that its a configuration issue with the local IIS that I cant work out.
Any suggestions on what could be the problem here?
I am trying to run a test of the SAML2 SSO using WSO2 Identity Server 4.0.0 M7 but am not successful.
I tried to use the 3.2.3 binary but ran into the bug about long hostnames and the identity.xml file (http://stackoverflow.com/questions/9600392/unable-to-configure-wso2-identity-server-for-openid).
These are the examples I'm using:
http://sureshatt.blogspot.com/2012/08/saml20-sso-with-wso2-identity-server.html
http://wso2.org/library/articles/2010/07/saml2-web-browser-based-sso-wso2-identity-server
I've stood up a new Tomcat7 server and configured it for HTTPS, which works cleanly in the browser. The certs are signed by our trusted enterprise CA and both the private key and chain certs are installed.
Same for the WSO2-IS host which has a new wso2carbon.jks with the private key signed by the same CA. I've exported the host cert from wso2carbon.jks and imported same into the client-truststore.jks. The trusted CA-signed certs are also in client-truststore.jks (at this point just to be sure). They are also in wso2carbon.jks (used to trust the CA reply).
I've changed the HostName and MgtHostName in carbon.xml to match the CN in the private key; the Carbon console comes up cleanly with no SSL issues and I can log in using the 'admin' user with no problem. From there I've updated the SSO configuration using the above example links as guides. That works with no errors.
When I go to each site (e.g., saml2.demo, avis.com, etc.) they redirect perfectly to IS to authenticate. However when I log in I get the error in the log "Issuer details are not valid. Issuer details should be registered in advance". And then I'm stuck.
What have I missed?
Have you done the 5th step of the topic 2 Configuring the WSO2 Identity Server ? Please check the value you've registered as the Issuer is as same as the one that comes in the SAML Authentication Request message.