I have recently created an Azure Virtual Network to test connectivity between a VM on Azure with a client server on premise (point-to-site connection).
First I followed the tutorial here: https://azure.microsoft.com/documentation/articles/vpn-gateway-point-to-site-create/
Next, I provisioned another VM on Azure but not part of the Virtual Network. I downloaded the AMD64 Client VPN Package and installed it onto this VM and connected to the VPN. The connection was successful and I could point my browser to the VM1's IIS that was created within the virtual network.
Finally, I downloaded the x86 Client VPN Package and installed it onto my local machine running Windows 7 and tried to connect via VPN. Instead, I got the error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
(Error 0x800b0109) For customized troubleshooting information for this connection, click Help.
The logs are:
Operating System : Windows NT 6.1 Service Pack 1
Dialer Version : 7.2.7600.16385
Connection Name : TestVirtualNetwork
All Users/Single User : Single User
Start Date/Time : 01/05/2013, 23:02:34
Module Name, Time, Log ID, Log Item Name, Other Info
For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up
[cmdial32] 23:02:34 22 Clear Log Event
[cmdial32] 23:02:36 04 Pre-Connect Event ConnectionType = 1
[cmdial32] 23:02:36 06 Pre-Tunnel Event UserName = TestClientCert Domain = DUNSetting = TestVirtualNetwork Tunnel DeviceName = WAN Miniport (SSTP) TunnelAddress = azuregateway-66437671-fb05-4fac-83a7-1ae2313d717f-0.cloudapp.net
[cmdial32] 23:02:37 21 On-Error Event ErrorCode = -2146762487 ErrorSource = RAS
I was experiencing the same issue and came across this blog post describing what appears to be a bug in the VPN installer generated by Azure site:
https://nbevans.wordpress.com/2014/03/01/point-to-site-p2s-azure-vpn/
Effectively, the issue is that there is an additional certificate needed to trust the Azure gateway for your virtual network. That cert is bundled inside the VPN installer .exe generated by the Azure Virtual Network page.
Extract the VPN installer .exe generated by the Azure site (I used 7-zip)
Inside you'll find a .cer file
Install the certificate in the "Trusted Root Certification Authorities" of the "Computer account"
Open mmc.exe
Add the "Certificates" snap-in
Be sure to choose "Computer" account for the Local computer
Right-click the "Trusted Root Certification Authorities" node, All-Tasks, Import, and browse to the .cer file you extracted from the VPN exe
This will likely be needed on all clients you intend to connect to the virtual network.
I want to post a different answer from the ones above since I came across the same issue but in a different situation: the VPN connection presented the issue a long way after it had been configured for the first time. So I had installed all the certificates needed in order for the VPN to function, but as things change too often I double-checked that all the certificates were where they were supposed to be. After doing that, I reviewed the log and, although the error points to a certificate issue, I paid attention to the connection details and especially one, the Tunnel address (the one with the prefix azuregateway followed by a lot of hex numbers and the domain cloudapp.net), and realized that the domain was being blocked by a firewall/web filter appliance. Allowing this domain in the appliance made it possible to connect using the VPN tunnel again. That's about it.
You need to make sure that you install the client certificate on your local computer. Also ensure that the root certificate you created is installed in your trusted root store.
To find out if your certificate is trusted, run mmc, click 'File', 'Add/Remove Snap In', double-click Certificates, select "My user account" and press Finish. Open 'Certificates - Current User', 'Personal', 'Certificates' and find the client certificate you created.
If it is not there, please follow the step to install it. If it is there, double-click it and click Certification Path. You should see no warnings or errors. If you do, it is probably because your root certificate is not installed correctly.
If that is the case, double-click the root certificate .cer file you created earlier, and choose in the import wizard select 'Place all certificates in the following store', click Browse and choose 'Trusted Root Certification Authorities' and then finish.
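The two manual procedures above (importing the extracted gateway root certificate into the Computer account's Trusted Root store, and checking the client certificate's Certification Path for warnings) can be scripted. The following is an added example, not code from any of the answers: it assumes the .cer extracted from the VPN installer was saved to C:\temp\AzureGatewayRoot.cer (a constructed path), that the client certificate subject contains TestClientCert (the user name from the question's log), and an elevated PowerShell prompt. Import-Certificate needs Windows 8 / Server 2012 or later; the certutil fallback covers Windows 7.

```powershell
# Added example, not from the original answers. Paths and names are assumptions.
$rootCerPath     = 'C:\temp\AzureGatewayRoot.cer'   # assumption: .cer extracted from the VPN .exe
$clientNamePart  = 'TestClientCert'                  # from the question's log (UserName = TestClientCert)

# 1. Install the root certificate into Local Computer -> Trusted Root Certification
#    Authorities. Import-Certificate (PKI module) is absent on Windows 7, where
#    certutil -addstore does the same job.
if (Get-Command Import-Certificate -ErrorAction SilentlyContinue) {
    Import-Certificate -FilePath $rootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
} else {
    certutil.exe -addstore -f Root $rootCerPath | Out-Null
}

# 2. Locate the client certificate in Current User -> Personal, as the answer describes.
$client = Get-ChildItem 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -like "*$clientNamePart*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $client) {
    throw "No client certificate matching '$clientNamePart' with a private key in Cert:\CurrentUser\My; install it first."
}

# 3. Build the chain exactly as the Certification Path tab does. Revocation is skipped
#    because a self-made P2S root publishes no CRL; every other flag is reported.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($client)

"Client : $($client.Subject)  thumbprint $($client.Thumbprint)  expires $($client.NotAfter)"
foreach ($element in $chain.ChainElements) {
    "   -> $($element.Certificate.Subject)"
}
if ($chainOk) {
    'Chain OK: every certificate up to the root is trusted on this machine.'
} else {
    # UntrustedRoot here is the 0x800b0109 case from the question; PartialChain means
    # an intermediate/root is missing from the stores entirely.
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) - $($_.StatusInformation.Trim())" }
}
```

Run it once after importing the root: an empty problem list means the dialer's certificate check (error 0x800b0109 in the question) should no longer trip on this client; if it still fails, the issue is elsewhere, such as the outbound path to the gateway host.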
There were several answers I found. Here is the one that worked for me:
Install root & client in Current User -> Personal folder.
Install the certificate which comes along with the VPN client (extracted using 7z) in Local Machine -> Trusted Root.
Worked like a charm :)
We have a web application (WAMP stack) on a local Windows server. There are several dependencies and an Oracle db running on this server, and the server is closed to outside internet traffic.
Clients access the app on LAN using the server's IP, but we plan to create a virtual hostname in active directory to enable access using a hostname on entire local network.
We would like to secure the traffic and switch to https, thus we need an SSL certificate, preferably from a trusted CA to avoid any confusing warnings to the users.
Is there a way to get a Trusted CA SSL certificate for a local host? I was thinking of getting a certificate for a public domain, say myapp.net, then map this domain to actual ip of the local server running the app and install the certificate in apache... would that work?
Thank you for any ideas.
Alexander
You have several options:
The public CAs that your browser trusts by default will only sign keys for DNS names. And you can totally have a DNS name that is not accessible from the public internet (e.g. one that resolves to a local IP). In case you're using CAs like LetsEncrypt (Domain Validated), you will need to make the server available publicly during the key exchange/certification time, but can change the IP immediately afterwards (*). Or simply use one of the other available validation techniques - typically they're paid.
As you're on the intranet, you might be in a situation where you can install your own internal trusted CA on your users' computers. In that case, you can mint such a certificate yourself. This is a scenario that's common in case there's a proxy running internally that's also inspecting https traffic.
And, of course, in case you can install trusted root CAs on computers, you can also install individual trusted keys/certificates for a single machine. But that seems not to be what you'd like to do.
So, for https://myapp you'll have to do some minting/installation yourself. For https://myapp.example.com, you have options with (already) trusted root CAs.
(*) that is for the commonly used and documented mode-of-operation. See Patrick's comment below
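The second option above (an internal CA whose public certificate is distributed to users' computers, which then signs a certificate for the intranet hostname) looks like this on Windows. This is an added example, not code from the answer: it assumes PowerShell 5.1 on Windows 10 / Server 2016 or later with the PKI module, an elevated prompt, and the constructed names "Example Internal CA", myapp.example.com and C:\temp\ExampleInternalCA.cer.

```powershell
# Added example, not from the original answer. Names and paths are constructed.
$caSubject = 'CN=Example Internal CA'          # constructed CA name
$hostName  = 'myapp.example.com'               # constructed intranet hostname
$caCerOut  = 'C:\temp\ExampleInternalCA.cer'   # constructed export path

# 1. Internal root CA. CertSign/CRLSign key usage and Basic Constraints ca=true with
#    pathlength=0, so this CA can sign end-entity certificates but no sub-CAs.
#    The private key stays in the Local Computer store and is never exported.
$ca = New-SelfSignedCertificate -Type Custom -Subject $caSubject `
    -KeyUsage CertSign, CRLSign, DigitalSignature -KeyExportPolicy Exportable `
    -KeyLength 4096 -HashAlgorithm sha256 -NotAfter (Get-Date).AddYears(5) `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @('2.5.29.19={text}ca=true&pathlength=0')

# 2. Server certificate for the intranet name, signed by that CA. The hostname goes
#    into the Subject Alternative Name, which is what browsers actually check.
$leaf = New-SelfSignedCertificate -Type SSLServerAuthentication -DnsName $hostName `
    -Signer $ca -KeyLength 2048 -HashAlgorithm sha256 -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Export only the CA's public certificate (DER .cer, no private key). This is the
#    file to push to every client's Trusted Root store, e.g. via Group Policy or
#    Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root on each machine.
Export-Certificate -Cert $ca -FilePath $caCerOut | Out-Null

# 4. Trust the CA on the server itself too, otherwise the chain will not build locally
#    and IIS/Apache diagnostics will report an untrusted root.
Import-Certificate -FilePath $caCerOut -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 5. Verify the leaf chains to the now-trusted CA before binding it to the web server.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # the internal CA publishes no CRL
"CA   : $($ca.Thumbprint)  exported to $caCerOut"
"Leaf : $($leaf.Thumbprint)  SAN=$hostName  chain builds: $($chain.Build($leaf))"
```

For Apache the leaf and its private key are exported with Export-PfxCertificate and converted to PEM for the SSLCertificateFile/SSLCertificateKeyFile directives; for IIS the thumbprint is bound directly on the site's https binding. Keeping pathlength=0 and a short leaf lifetime limits the damage if the CA key is ever mishandled, which is the main operational risk of running your own root.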
I'm trying to create a new certificate for my website which is hosted on Windows server 2012.
Currently, I have a self-signed expired certificate. I would like to try a Let's Encrypt SSL cert. So, I've downloaded the latest version of the Let's Encrypt client from https://github.com/PKISharp/win-acme/releases and ran wacs.exe from the unzipped folder.
When I select N=Create new certificate and enter my domain, I'm getting the error below.
Expected: Certificate installed
Actual: Authorization failed error
It looks like the server is not reachable from the Internet. Your server must be accessible from the Internet in order to allow Let's Encrypt systems to verify the ownership of the domain.
According to the error which appears (NXDOMAIN), it may be that the website is too new (DNS records can take up to 48 hours to replicate), the DNS records are not properly configured to point to your server, or maybe you have a firewall or filter which disallows external connections.
Make sure that you can reach your domain from the Internet first and that it points to your server, then try again to request a certificate.
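Both this answer (a name that does not resolve publicly, or port 80 blocked, stops Let's Encrypt's HTTP-01 validation) and the earlier Azure answer (an outbound filter blocking the azuregateway-….cloudapp.net host stops the P2S tunnel) come down to the same two checks: does the name resolve on a public resolver, and is the port reachable by TCP. The following is an added example, not code from either answer; it assumes Windows 8.1 / Server 2012 R2 or later for Resolve-DnsName and Test-NetConnection, and the host names are constructed (myapp.example.com, and an azuregateway name with a placeholder ID in the form shown in the question's log).

```powershell
# Added example, not from the original answers. Host names below are constructed.
function Test-PublicReachability {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int[]]  $Ports = @(80, 443),
        [string] $PublicResolver = '1.1.1.1'   # a public resolver, not the LAN DNS server
    )
    $result = [ordered]@{ Host = $HostName; ResolvesPublicly = $false; Addresses = @(); DnsError = '' }

    # 1. Resolve against a public resolver only (-DnsOnly skips the hosts file and
    #    cache). An answer from the internal DNS says nothing about what Let's
    #    Encrypt's validators, or a client outside the LAN, will see.
    try {
        $records = Resolve-DnsName -Name $HostName -Type A -Server $PublicResolver -DnsOnly -ErrorAction Stop
        $result.Addresses = @($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        $result.ResolvesPublicly = $result.Addresses.Count -gt 0
    } catch {
        $result.DnsError = $_.Exception.Message     # NXDOMAIN lands here
    }

    # 2. TCP reachability per port. A web filter or firewall dropping the connection
    #    shows up as TcpTestSucceeded = False even when DNS is fine.
    foreach ($port in $Ports) {
        $tnc = Test-NetConnection -ComputerName $HostName -Port $port -WarningAction SilentlyContinue
        $result["Tcp$port"] = [bool]$tnc.TcpTestSucceeded
    }
    [pscustomobject]$result
}

# Let's Encrypt HTTP-01: the name must resolve publicly and port 80 must be open inbound.
Test-PublicReachability -HostName 'myapp.example.com' -Ports 80, 443

# Azure point-to-site (SSTP): the client needs outbound 443 to the gateway FQDN.
Test-PublicReachability -HostName 'azuregateway-<placeholder-id>-0.cloudapp.net' -Ports 443
```

Run the first call from the server and the second from the VPN client. ResolvesPublicly = False with a DnsError is the NXDOMAIN case (wait for propagation or fix the record); ResolvesPublicly = True with Tcp80 = False means the name is fine and a firewall, NAT rule or filter is the problem.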
I'm trying to test my website locally using SSL with IIS Express. It has the following properties set:
SSL Enabled set to 'true'
SSL URL set to https://localhost:44354/
But whenever I open the https address, I get the following error in both "Microsoft Edge" and Google Chrome:
I've read article after articles, including some on SO but to no avail. I've tried the following:
I've deleted my IIS Express Development Certificate
I've repaired IIS Express 10 via the Control Panel
I've removed the localhost certificate I had created manually.
I've added <binding protocol="https" bindingInformation="*:44354:localhost" /> to the bindings section of the applicationhost.config
I've stopped and restarted IIS Express.
Some suggest to change the port to 443 but my SSL URL is read-only in .NET IDE.
Some articles I've read:
Running IIS Express without Administrative Privileges
How do I fix a missing IIS Express SSL Certificate?
IIS Express — Getting SSL to Work
and many more...
Any help would be greatly appreciated.
Thanks.
I finally figured it out by following this article How to trust the IIS Express Self-Signed Certificate but a few additional steps:
Export the IIS Express Development certificate to a local file. This certificate can be found in the Server Certificates section in IIS 10.0.
Open the Certificate console by calling mmc.exe certmgr.msc from File|Run.
Delete all instances of localhost under the Trusted Root Certification Authorities|Certificates.
Import the newly created certificate. You will get prompted with the following:
Once imported, I went back to the Asp.Net MVC 5 project, recompiled it and ran it. When I ran it, I got prompted with the following:
This is when I knew I was on the right track as this was the first time I had ever seen this prompt! Click Yes, and now this prompt appears:
And click Yes on this prompt as well. Your project will then launch the relevant browser.
Go to the https address defined in your .net project, in my instance, https://localhost:44354/, and you will now see the padlock displayed in the address bar to indicate that it is a secure site:
Most of these answers were already available in different answers provided on SO but the points that were missing or that I missed were that I had to export my IIS Express Development certificate, delete all localhost entries (which I had done) and then re-import this certificate. Once done, .NET detects the change and you get prompted accordingly.
Anyway, I hope this will help others.
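The steps in this answer (export the IIS Express Development certificate, delete every localhost entry under Trusted Root, re-import the exported certificate) can be done from PowerShell, which also lets you confirm that the certificate bound to port 44354 is the same one you just trusted. This is an added example, not code from the answer; it assumes PowerShell 3.0+ with the PKI module (Windows 8 / Server 2012 or later), an elevated prompt, the default friendly name "IIS Express Development Certificate", and the constructed path C:\temp\iisexpress-localhost.cer.

```powershell
# Added example, not from the original answer. The export path is constructed.
$friendlyName = 'IIS Express Development Certificate'
$exportPath   = 'C:\temp\iisexpress-localhost.cer'
$port         = 44354                                 # the SSL URL port from the question

# 1. Find the certificate IIS Express created; it lives in Local Computer -> Personal.
$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.FriendlyName -eq $friendlyName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate named '$friendlyName' found; repair IIS Express first." }
"Using $($cert.Subject)  thumbprint $($cert.Thumbprint)  expires $($cert.NotAfter)"

# 2. Export the public certificate only. The private key never leaves the machine.
Export-Certificate -Cert $cert -FilePath $exportPath | Out-Null

# 3. Remove stale CN=localhost entries from both Trusted Root stores, so the browser
#    cannot match an old certificate whose thumbprint no longer equals the binding's.
Get-ChildItem 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root' |
    Where-Object { $_.Subject -eq 'CN=localhost' -and $_.Thumbprint -ne $cert.Thumbprint } |
    ForEach-Object { "Removing stale $($_.PSPath)"; Remove-Item $_.PSPath }

# 4. Import the current certificate into Local Computer -> Trusted Root (covers all users).
Import-Certificate -FilePath $exportPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 5. Confirm the HTTP.SYS binding for the project's port uses the same thumbprint.
#    IIS Express creates this binding during setup/repair.
$bindingInfo = netsh http show sslcert ipport=0.0.0.0:$port
$hashLine    = $bindingInfo | Where-Object { $_ -match 'Certificate Hash' }
if (-not $hashLine) {
    Write-Warning "No certificate is bound to 0.0.0.0:$port; repair IIS Express to recreate the binding."
} elseif ($hashLine -notmatch $cert.Thumbprint) {
    Write-Warning "Bound certificate ($hashLine) differs from the trusted one; repair IIS Express."
} else {
    "Binding on port $port matches the trusted certificate; browsers should now show the padlock."
}
```

The check in step 5 is the part the manual procedure lacks: a trusted certificate in the Root store only helps if it is the one HTTP.SYS actually presents on that port, which is why deleting and re-importing fixed it for the answer's author only after the export/import pair put the current thumbprint in place.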
Self-signed certificates need to be trusted or browsers won't accept them. You can easily use Jexus Manager to configure that,
https://www.jexusmanager.com/en/latest/tutorials/self-signed.html#to-trust-self-signed-certificate
While if you prefer manually, you can import the certificates to the Trusted Root Certificate Authority store in Windows.
Learn more about SSL, certificates, stores and so on (Google each of them and learn them thoroughly), so that next time you really understand what is the culprit before trying so many irrelevant things.
Jexus Manager also has an SSLDiag feature to identify potential issues,
https://www.jexusmanager.com/en/latest/tutorials/ssl-diagnostics.html
But you need to know enough so as to interpret its output correctly.
I have configured Web Deploy for my IIS installation on Windows Server 2008 R2.
I did this before buying a valid certificate for the domain, so it was normal to get a Visual Studio warning about the self-signed certificate the first few times.
However, after we bought a valid certificate for the domain, I do not know how to tell Web Deploy to use the new certificate (I publish directly to https://www.example.org). The warning is about the computer's self-signed certificate using the computer name as the host name.
The server is not in an AD domain or anything like that.
Any help? Thanks
In case you did not find the answer yet:
You have to go to the server node. Click Security/Management Services.
There you can select the IP address for Web Deploy and the certificate you want to use. In order to change it you have to stop the service.
See: https://technet.microsoft.com/en-us/library/cc770458(v=ws.10).aspx
regards
Lothar
It is 2020, and I also ran into this problem. The solution that worked for me is this:
Open IIS Manager
Click on your server on the left hand side
Open the Management group
Open "Management Service"
If the service is currently running, click stop on the right hand side. This enables the configuration of the Management Service.
In the "Connections" section, there is a dropdown for SSL Certificate
Choose the appropriate certificate
Start "Management Service" once again by clicking on the start button on the right hand side.
I have been trying to get my MSMQ to pass messages over HTTPS without success. All outgoing messages sit in a queue with status "Waiting to connect".
This is not the case for messages over HTTP, they are received without issue.
I've created a Certificate Authority on the receiving machine, downloaded the cert chain and CA cert, and installed them under Trusted Root (Local Computer and Current User profiles).
I then exported the CA cert and installed that on the sending machine (under TRCA - Local Computer and Current User).
I have been able to navigate to the target MSMQ using Internet Explorer; this usually gives a 501 Not Implemented error.
I don't really know why this isn't working and it's pretty frustrating.
What other approaches can I take to get this to work?
Cheers
Niall
The screenshot shows that the server isn't properly accepting the HTTPS connection from the client.
You'll need to add more information to your question, including details of how you attempted to bind the Server Authentication certificate to the endpoint on which your server is listening.
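The detail this answer asks for, and the thing the Web Deploy answer above changes through the Management Service dialog, is the binding between a listening ip:port and a Server Authentication certificate in HTTP.SYS. The following is an added example, not code from either thread: it inspects that binding with netsh and checks the bound certificate for the properties a client needs (private key present, Server Authentication EKU, the client-facing name in the SAN, and a chain that builds against the server's Trusted Root store). It assumes an elevated PowerShell 3.0+ prompt on Windows 8 / Server 2012 or later (DnsNameList is added to certificate objects by the certificate provider there); www.example.org is the name from the Web Deploy question, 8172 is the Web Management Service default port, and the GUID in the final comment is a placeholder.

```powershell
# Added example, not from the original question or answers.
function Get-SslBinding {
    param([Parameter(Mandatory)] [string] $IpPort)          # e.g. '0.0.0.0:443'
    $out = netsh http show sslcert ipport=$IpPort
    $hashLine = $out | Where-Object { $_ -match 'Certificate Hash' }
    if (-not $hashLine) { return $null }                     # nothing bound on that ip:port
    $storeLine = $out | Where-Object { $_ -match 'Certificate Store Name' }
    [pscustomobject]@{
        IpPort     = $IpPort
        Thumbprint = ($hashLine  -replace '^.*:\s*', '').Trim().ToUpper()
        Store      = ($storeLine -replace '^.*:\s*', '').Trim()
    }
}

function Test-SslBinding {
    param([Parameter(Mandatory)] [string] $IpPort, [Parameter(Mandatory)] [string] $DnsName)
    $b = Get-SslBinding -IpPort $IpPort
    if (-not $b) { return "FAIL: no certificate bound on $IpPort; HTTPS clients are refused here." }
    $storeName = if ($b.Store) { $b.Store } else { 'My' }   # netsh leaves the store blank for MY on some versions
    $cert = Get-ChildItem "Cert:\LocalMachine\$storeName" | Where-Object { $_.Thumbprint -eq $b.Thumbprint }
    if (-not $cert) { return "FAIL: bound thumbprint $($b.Thumbprint) is not in LocalMachine\$storeName." }

    # Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))
    # The name clients connect to must be in the SAN; a machine-name cert fails this,
    # which is exactly the Visual Studio warning in the Web Deploy question.
    $nameOk = @($cert.DnsNameList.Unicode) -contains $DnsName
    # The chain must build on the server itself against its Trusted Root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        IpPort        = $IpPort
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = $serverAuth
        NameMatches   = $nameOk
        ChainTrusted  = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Web Management Service (Web Deploy) and the default HTTPS port.
Test-SslBinding -IpPort '0.0.0.0:8172' -DnsName 'www.example.org'
Test-SslBinding -IpPort '0.0.0.0:443'  -DnsName 'www.example.org'

# For a listener that is not an IIS site (IIS sites get their binding from the site's
# https binding, and the Management Service from the dialog in the answer above), a
# certificate is bound by thumbprint; the appid GUID only identifies the owning program:
#   netsh http add sslcert ipport=0.0.0.0:443 certhash=<THUMBPRINT> appid='{00000000-0000-0000-0000-000000000001}' certstorename=MY
```

A row with HasPrivateKey = False, ServerAuthEku = False or ChainTrusted = False explains a client-side "not properly accepting the HTTPS connection" symptom without any packet capture; NameMatches = False with everything else True is the machine-name-versus-domain-name mismatch the Web Deploy question describes.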