I have a problem with a self-signed SSL certificate not being accepted on my Windows 7 box. I need this because the QuickBooks web connector will not address my CRM except over HTTPS, and the CRM is hosted on an intranet-only Linux server.
I followed the instructions here, and then used certmgr.msc to import the certificate on the client machine. The import appeared to be successful, and I can see the certificate in the "Trusted Root" store:
The problem is that it doesn't work; QBWC still reports it can't connect due to an authentication error, and my browser still rejects the certificate:
Could someone please give me an idea what I'm doing wrong? Thanks in advance!
The correct answer was propounded by #RickK - I had issued the certificate in my own name, instead of the domain of the server. The prompts in Apache make this rather confusing; it really looks like you're supposed to put your own name in the "Common Name" field, and the tutorial I followed seems to advise the same thing.
Anyway, I reissued the certificate, changing the CN field to "apps," and everything is working now. Thanks to #RickK and #pulkitsinghal for your helpful input. (And sorry for the delay in my response - this project got pushed to the back burner for awhile.)
Related
I got problems with my custom domain setup on readthedocs.
Suddenly custom domain (https://docs.joinrpg.ru) stops working with SSL_ERROR_NO_CYPHER_OVERLAP.
Variois SSL checkers report that they "Failed to communicate with the secure server".
Readthedocs panel say that SSL certificate status: restricted_name_failure: Use of one or more domains on the certificate is restricted.
There was partial block by local authorities of readthedocs in Russia, but it (a) was on DNS-level (b)seems to be solved now, and (c) problem seems to reproduce outside russia.
What can I do to diagnose issue?
It was a bug with Cloudflare doesn't allow to issue certificates for "ru" domain zone.
It have been switched to Let's encrypt thanks to readthedocs team.
https://github.com/readthedocs/readthedocs.org/issues/9149
I'm working on automating a web application (F# and Canopy). Getting 'Your connection is not private' screen upon launching the website/ after providing login credentials. Tried a few workaround to have the same disabled, but none did the job. Please help.
The best approach here is not try to hide or cover up the problem, but to fix it properly so you don't have to. Solutions that involve hiding the issue are necessarily going to adversely affect your security.
Note the wording of the error code: ERR_CERT_AUTHORITY_INVALID. That tells us that the certificate for the site is signed by a non-standard or unknown certificate authority.
You mentioned localhost in your comment; you're not going to be able to get a certificate for that, but you could create a self-signed one, however, if you've enabled the localhost exemption and you're still getting the error, it suggests that you may not be using localhost after all.
So, if you have a certificate signed by a real CA and you're seeing this error, it's likely that your local OS or browser has an outdated CA root certificate bundle. you can usually get the latest one by making sure your OS packages are up to date.
If your certificate is self-signed, then the 'advanced' button will allow you to add an exemption. I you have set up your own CA and signed the certificate with that, you need to add that CA's public key that signed it to your OS.
If you've got a "regular" commercial certificate from verisign, letsencrypt, comodo or whoever, then a run through a testing tool like testssl.sh or Qualys SSL labs will tell you more about what's going wrong. Without knowing the actual domain we can't test anything for you.
Added the following argument and it did the job:
options.AddArguments("--ignore-certificate-errors")
I am posting this question on SO instead of ServerFault, because all my previous efforts to get Magento 2 issues sorted out, ended up being hacking some or other code in the Magento or template source.
I have configured a basic install of Magento 2 with a theme for a client.
Magento is running on IIS and Windows. (Not WAMP), shared IIS hosting on windows (My own server).
I configured the shop to use SSL, and the complete shop runs over SSL without any issues.
However, when trying to use the market place, I get a weird SSL issue:
"SSL certificate problem: unable to get local issuer certificate"
This error is shown on the Magneto shop (which is currently running over ssl), when trying to sign in to the market place.
I have found lots of hits on this issue, but all answers seem to lead to a self-signed certificate that isn't trusted or adding intermediary and/or root certificates. This is all based on XAMP, WAMP or native 'nix installations.
I do not understand what the exact issue is. I also do not know how to troubleshoot this further as the error description is very vague.
I would appreciate some feedback.
Thanks
This error happens because cURL cannot find a cacert.pem file from which take the trusted signatures.
There are some ways to set this file in cURL:
• Pass the cacert.pem file path directly to cURL when making the call;
• Set the path to the cacert.pem file in the php.ini.
You could follow below post:
• https://serverfault.com/questions/633644/adding-a-self-signed-cert-to-the-trusted-certs-within-curl-in-windows
• https://magento.stackexchange.com/questions/97036/magento-component-manager-ssl-certificate-problem-unable-to-get-local-issuer-c
• https://mage2.pro/t/topic/988
Regards,
Jalpa.
The domain in question is https://prophpbb.com
The certificate previously worked without issue. There have been no recent changes or cPanel updates. When trying to debug, the ssl cert being requested is clearly not what I have installed. In fact, it looks empty aside from some cryptic stuff, like the issuer email (see point 2). I suspect there might be DDoS mitigation going on either with HostDime, my datacenter, or globalsign, but I'm really spitballing at this point. I'm basing that on these findings:
I can't ping prophpbb.com, but I can ping addaforum.com (on same server)
SSL error returns net::ERR_CERT_AUTHORITY_INVALID and when I inspect the certificate, the issuer email is shown as: protect#DDoS-Filter.domain and the domain it's supposedly returning is "server" which is obviously not correct. The cert is issued by globalsign through the alphassl reseller ssl2buy.
What I have done to try to resolve this:
1. revoke the original certificate and reinstall it
2. rebuild cPanel's SSL cache via /scripts/rebuildinstalledssldb
3. restart apache
4. update cPanel from v60 to v62
5. disabling the software firewall (CSF)
I cannot find anything on Twitter regarding a globalsign outage. I put in a ticket at ssl2buy and at HostDime for good measure. Can you help me to understand what this issue is attributed to?
*edit - received a reply from HostDime. This was, indeed, caused by their DDoS mitigation. They resolved it quickly.
I edited the original post to note that it was resolved by the datacenter and it was due to DDoS protection. Replying here to mark it as solved.
I am using a Debian/Apache webserver with up-to-date software and a SSL certificate to encrypt the communication via HTTPS. In February the old certificate expired and I got me a new one (CA Geotrust via CA RapidSSL). Like the one before.
In Firefox (Chrome, ...) everything works fine. But after the old certificate finally expired after 2 weeks, Internet Explorer says the certificate has expired - leave the page? Appearently the old certificate is stuck in the browser cache and has not been updated since.
And the thing ain't done with clearing the browser cache. I actually had to reset the IE settings to make it reload the new certificate. As it works by now, I guess that the server delivers the correct certificate. But there are still other users who report the same problem - so it wasn't my browser alone.
My best guess is that something in the old cert or my cache suggestions told the IE to store the certificate for a long while. But I have no clue how to solve this - or even what to change so I don't have the same problem next year, again.
Thanks for any ideas!
BurninLeo
I had a similar problem. In fact it is IE under XP who don't support several HTTPS subdomaine on a single IP address.
http://nginx.org/en/docs/http/configuring_https_servers.html#sni
So if you have also several domains or subdomains in same IP you can't solve this on XP/IE you can just choose which certificat is used by XP/IE but it will be the same for all subdomaine.
PiR