I'm trying to enable SSL on a Token Vending Machine hosted on Amazon Elastic Beanstalk. However, it tells me I need an SSL certificate if I try to enable a port 443 listener.
This would make sense if I had my own domain, but this is a system machine giving out tokens to a mobile app. The URL is of the form mytvm.elasticbeanstalk.com and will never be seen by an end user, so there's no need to get a custom domain.
Is it possible to enable SSL without the hassle of setting it up on a custom domain name? Pretty much every host I've used before had a wildcard SSL certificate for stuff you ran on a subdomain of their main host. In other words, I would expect Amazon to have set up a wildcard certificate for *.elasticbeanstalk.com. Is this not the case?
The name of your app can be your 'custom domain',
i.e, mytvm.elasticbeanstalk.com.
If you are using a load balancer with your Elastic Beanstalk application you can make use of the directions here and use openssl to create your own cert. When you've installed openssl and the Elastic Beanstalk command line interface you can follow the steps by entering your domain name as 'mytvm.elasticbeanstalk.com'.
Using the following commands:
C:\>openssl genrsa 2048 > privatekey.pem
Loading 'screen' into random state - done
Generating RSA private key, 2048 bit long modulus....
C:\>openssl req -new -key privatekey.pem -out csr.pem
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated....
Country Name (2 letter code) [AU]:us
State or Province Name (full name) [Some-State]:yourstate
Locality Name (eg, city) []:cityname
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yourname
Organizational Unit Name (eg, section) []:yourunit
Common Name (e.g. server FQDN or YOUR name) []:mytvm.elasticbeanstalk.com
...
C:\>openssl x509 -req -days 365 -in csr.pem -signkey privatekey.pem -out server.crt
C:\>iam-servercertupload -b server.crt -k privatekey.pem -s server -v
Next change your setting to use 443.
the scenario is the following:
I created a self-signed SAN certificate bundling different intranet domains, hosted on different machines and OSes. The certificate is working as expected when being used by Apache services on CentOS and nginx services on Docker, but when I tried using the same certificate for a domain being hosted on a Microsoft IIS, I get a 502 Bad Gateway error.
From my understanding, even a faulty certificate should not trigger a 502 error, should it? And seeing as all other domains on different scenarios work just fine, I presume I did something wrong.
So this is my process for creating and exporting the certificate to IIS:
openssl req -x509 -newkey rsa:2048 -nodes -keyout cert.key -out cert.crt -days 365 -config san.cnf
san.cnf is a config describing the different domains I need etc. After creating certificate and private key, I export a .pfx version of the certificate with the following command:
openssl pkcs12 -export -out cert.pfx -inkey cert.key -in cert.crt
I then import said .pfx file to IIS using the import function in the server certificate feature menu and configure the https:// binding of the domain to use this certificate. After restarting the webservice, I get 502 Bad gateway errors when trying to access the page.
Is there anything I am missing?
Thanks in advance for any hints; I suspect it's plain stupidity on my part once again :D
Which kind of web service did you create? For the WCF service, please enable HTTP activation in the Windows Features.
For the usage of the SAN certificate, we need to configure a binding for every domain name accordingly in the web site binding module.
Like the below figure.
Particularly, there is no need to tick the below option, since this kind of certificate supports Subject Alternative Name. These bindings use the same certificate.
At last, I suggest you bind another certificate to verify whether the certificate caused this issue.
Feel free to let me know if the problem persists.
I have set up a LAMP server with phpMyAdmin. I have apache2 configured (through the Headers mod) to only allow SSL connections, but this is keeping me from accessing phpMyAdmin on the LAN. When I set up a subdomain and LetsEncrypt cert I have no problem accessing phpMyAdmin (phpmyadmin.example.com), but if I try to access it from the LAN or on the server itself, I can't do so securely, so I can't log in.
Well, on the actual server I can just jam https://localhost/phpmyadmin into the browser and accept the insecure connection warning, but that doesn't work when using a different computer on the LAN (https://server-name/phpmyadmin). I'm not crazy about having phpmyadmin accessible to the outside, even with password protection.
Is there a way to establish a secure connection on a LAN, or do I need some way to exempt the /phpmyadmin folder from the SSL requirement? Can this be done for LAN connections only?
You have to access the URL using the same hostname which was provided as CN or SAN during certificate generation.
Since you want to access the application locally using localhost, and no CA will sign a certificate whose CN is localhost, you need to live with a self-signed certificate generated against localhost and import it into your keystore.
Command to generate self-signed certificate against localhost:
openssl req -x509 -out localhost.crt -keyout localhost.key \
-newkey rsa:2048 -nodes -sha256 \
-subj '/CN=localhost' -extensions EXT -config <( \
printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
Here is an article on the same.
I am trying to secure my eXist-db app, which means the only port I want to leave open is 8443 (for WebDAV and the admin app). This is the basic secure port eXist-db has had open since installation. It uses a self-signed certificate. I have no problem replacing the default certificate with a new one, but the problem is I am not able to do that with a CA-signed certificate.
I tried:
sudo rm eXist-db/tools/jetty/etc/keystore
cat ServerCertificate.crt Alpiro-TrustProvider-IntermediateCA.crt Root.cer > cert-chain.txt
I cleaned bad ends of lines and verified every certificate starts on a new line.
openssl pkcs12 -export -inkey my-app.key -in cert-chain.txt -out my-app.pkcs12
keytool -importkeystore -srckeystore my-app.pkcs12 -srcstoretype PKCS12 -destkeystore eXist-db/tools/jetty/etc/keystore
After restart, I checked the connection with: openssl s_client -connect xx.xx.xxx.xxx:8443 and everything seems fine. I can see there is my trusted certificate and the connection (handshake) simply works. However, browsers still claim it is not a trusted connection.
When I try to check something over https via XQuery, it throws:
java.security.cert.CertificateException: No subject alternative names matching IP address xx.xx.xxx.xxx found …
The solution is quite trivial. The problem was I had been trying to access the site via IP, not via fully qualified domain name. Certificates are associated with domain names, not IPs!
I have an unusual use case :
a web server on the Internet is serving pages through HTTPS,
inside those web pages, there are calls to XMLHttpRequests to a locally connected device (IP over USB)
the device supports both HTTP and HTTPS,
the device is accessible on http(s)://192.168.0.1
the http calls fail because of insecure content in a https page,
the https calls fail because the certificate is not trusted (self-signed),
Side question: Since the device is locally connected to the PC, the encryption is pretty useless: Does a http header exists that allows insecure connections to a specific URL ? (like CORS for cross domain)
Main question: Is it possible to obtain a certificate for a private IP address ?
Edit: it seems that Plex had a similar problem and solved it the way described on this blog. This is way too big for me.
Is it possible to obtain a certificate for a private IP address ?
A certificate can be bound to an IP address (see this). You can issue a self-signed certificate to a private address, but a trusted CA will not issue a certificate to a private address because it can not verify its identity.
For example a certificate issued to 192.168.0.1 would be theoretically valid in any context, and this should not be allowed by a trusted CA
Plex solves the problem with a Dynamic DNS and a wildcard certificate. The connections are made using the name (not the IP) of the device, which is resolved to the private IP.
Does a http header exists that allows insecure connections to a specific URL ? (like CORS for cross domain)
No, it does not exist. The browser blocks your XHR connections because they are HTTP connections initiated from an HTTPS page (mixed-content warning). Non-secure content can theoretically be read or modified by attackers, even though the parent page is served over HTTPS, so it is normal and recommended that the browser warns the user.
To fix the mixed-content and https errors, you could serve the content through HTTPS and a self-signed certificate, and request users to import your root CA at browser.
An SSL certificate cannot be issued for reserved IP addresses (RFC 1918 and RFC 4193 ranges) / private IP addresses (IPv4, IPv6), intranet or internal server names, or a local server name with a non-public domain name suffix.
You could however use a 'self-signed' certificate. Here's how to create one:
Creating a Self-signed Certificate for a private IP
(example https://192.168.0.1) :
You need OpenSSL installed.
For example, on Ubuntu, you could install it by: sudo apt-get install openssl
(It may already be installed. Type "openssl version" to find out)
For Windows, you could try this: https://slproweb.com/products/Win32OpenSSL.html
Once OpenSSL is installed, go to OpenSSL prompt by entering 'openssl' on the console (LINUX), or the cmd prompt (WINDOWS).
$ openssl
OpenSSL>
Now do the following steps to create: Private key, Certificate Request, Self-signing the certificate, and putting it all together, by using the below commands:
i) Create KEY called mydomain.key:
OpenSSL> genrsa -out mydomain.key 2048
ii) Use the key to create a Certificate request called mydomain.csr
You could accept the default options, or specify your own information:
OpenSSL> req -new -key mydomain.key -out mydomain.csr
iii) use the above to create a certificate:
OpenSSL> x509 -req -days 1825 -in mydomain.csr -signkey mydomain.key -out mydomain.crt
iv) Put all the above to create a PEM certificate:
exit OpenSSL (OpenSSL> q) and go to certificate location and do:
$ sudo cat mydomain.key mydomain.crt >> mylabs.com.pem
mylabs.com.pem is your self-signed certificate. You can use this in requests like https://192.168.0.1 if your server supports https. Remember to check the port number for https(443).
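The Elastic Beanstalk answer, the phpMyAdmin-on-localhost answer, the 192.168.0.1 device answer above and the eXist-db "No subject alternative names matching IP address" error all come down to one check: the name or IP the client types into the URL must appear in the certificate's Subject Alternative Name. The following is an added, self-contained shell script (not code from any of the posts or from OpenSSL's documentation; the hostnames localhost and mytvm.elasticbeanstalk.com, the IP 192.168.0.1, the output file names and the placeholder PKCS#12 password "changeit" are assumptions). It generates a key and self-signed certificate from a config file instead of interactive prompts, exports a .pfx for IIS or a Java keystore, and then uses openssl's own name-matching logic to show which hostnames and IPs the certificate actually covers. It needs `openssl` on PATH.

```shell
#!/bin/sh
# Added example: self-signed server certificate with DNS and IP SAN entries,
# plus the checks a client performs against it. Names/IPs are assumptions.

# make_san_cert OUTDIR
# Writes OUTDIR/server.key, OUTDIR/server.crt and OUTDIR/server.pfx.
make_san_cert() {
  dir=$1
  mkdir -p "$dir"
  # A config file replaces the interactive prompts. The [alt] section is what
  # browsers and Java actually match against; the CN alone is not enough.
  cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[dn]
CN = localhost

[v3_server]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt

[alt]
DNS.1 = localhost
DNS.2 = mytvm.elasticbeanstalk.com
IP.1  = 192.168.0.1
EOF
  # 2048-bit RSA, SHA-256, unencrypted key (-nodes) so the server starts unattended.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$dir/server.key" -out "$dir/server.crt" -config "$dir/san.cnf"
  # PKCS#12 bundle for IIS import or keytool -importkeystore. Placeholder password.
  openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
    -out "$dir/server.pfx" -passout pass:changeit
}

# show_san CRT: print the SAN entries (portable across openssl versions).
show_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# san_matches_host CRT HOSTNAME: exit 0 if the cert is valid for HOSTNAME.
# openssl prints "... does match certificate" or "... does NOT match certificate".
san_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# san_matches_ip CRT IP: exit 0 if the cert is valid for the literal IP address.
san_matches_ip() {
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# san_cert_self_verifies CRT: the trust check a client makes once this
# self-signed cert has been imported as a trusted certificate.
san_cert_self_verifies() {
  openssl verify -CAfile "$1" "$1" >/dev/null
}

# pfx_opens PFX PASSWORD: exit 0 if the bundle parses with that password.
pfx_opens() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout
}

# Demo run into a temporary directory.
demo=$(mktemp -d)
make_san_cert "$demo"
show_san "$demo/server.crt"
for h in localhost mytvm.elasticbeanstalk.com www.example.com; do
  if san_matches_host "$demo/server.crt" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
for ip in 192.168.0.1 10.0.0.1; do
  if san_matches_ip "$demo/server.crt" "$ip"; then echo "$ip: covered"; else echo "$ip: NOT covered"; fi
done
```

The demo shows why the eXist-db and phpMyAdmin attempts failed: a name or IP that is not in the SAN is rejected even when the handshake itself succeeds, and an IP is only accepted when it is listed as an IP entry, not a DNS entry. The resulting server.pfx can be imported into IIS or loaded with `keytool -importkeystore -srcstoretype PKCS12` as in the eXist-db post; browsers will still warn until server.crt is imported as trusted, which is what `san_cert_self_verifies` simulates.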
I'm using amazon web service.
I'm using linux instance
I'm using GoDaddy SSL.
I'm following this steps:
http://jafty.com/blog/installing-godaddy-ssl-certificate-on-amazon-ec2/
I'm stuck at this point:
Generating a Certificate Signing Request (CSR) - Apache 2.x
Enter the following at the command prompt:openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr Replace yourdomain with the domain name you're securing. For example, if your domain name is coolexample.com, you would type coolexample.key and coolexample.csr.
what I did was
openssl req -new -newkey rsa:2048 -nodes -keyout 180.21.80.1.key -out 180.21.80.1.csr
I used the public IP address of my t1 instance.
I have generated a key and CSR files.
180.21.80.1.key
180.21.80.1.csr
like this. Now its ready to copy and paste in go daddy.
my question is:
Is what I'm doing correct?
Do I have to create a name for my IP address, like domains?
Is it okay if I make mistakes? It's editable, right?
With reference to the link you mentioned try following steps
Ensure that you have installed mod_ssl and it is running.
Upload your certificates on Instance say /home/ec2-user/ssl
Edit /etc/httpd/conf.d/ssl.conf
Find the lines below and replace accordingly (verify the filename and path are correct):
SSLCertificateFile /home/ec2-user/ssl/certs/site.com.crt
SSLCertificateKeyFile /home/ec2-user/ssl/keys/site.key
SSLCACertificateFile /home/ec2-user/ssl/ssl_files/gd_bundle.crt
Restart Apache
That looks right. Generally people don't use IP addresses as names of certs and CSRs, they use hostnames, but I don't see why it wouldn't work. Also it's SUPER easy to add it to an ELB (AWS load balancer) as opposed to configuring Apache for it, so if you have your server(s) hidden behind an ELB, or you think you will add more servers at a later point, it can be a little more convenient.