I'm using Amazon Load Balancer with SSL configuration. Everything went fine except on Firefox, which shows the exception page. It does not look safe to the user.
This article suggests putting the Certificate Chain in the configuration section.
My SSL provider is Comodo (InstantSSL). They provide only two files: .crt and .ca-bundle.
How can I generate the Certificate Chain?
You can cat the .crt and the .ca-bundle file together. That's what we wound up doing using a service called OpDemand, which is backed by AWS.
cat certfile.crt bundle.ca-bundle >> chain.crt
chain.crt should be the file you're looking for. Also, the order is important. The certificate.crt file has to be first.
Use the Root.crt and Intermediate.crt content and arrange them in the following order. You can create this file manually as well:
-----BEGIN CERTIFICATE-----
<Root content>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Intermediate content>
-----END CERTIFICATE-----
More Information
Comodo should provide you with the Certificate Chain. This is not something that you can generate yourself. A quick Google search suggests you should be able to download it from here: https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1
I need to make a request to a SOAP service and it is protected with certificates.
I have installed the certificates as far as I am able to tell. However, the SOAP request fails with handshake errors.
I have a bunch of certificate files given to me but I have no idea which ones are which.
So I have the following (names changed to protect information):
MyCertificationAuthority.pem
MyCert.pem
MyCert2.pem
Then I have what look to be the same things in a different format:
MyCertificationAuthority.p7b
MyCert.p7b
Then I have a single file named MyCert.pem that is smaller in file size than the other one of the same name and contains simply
-----BEGIN NEW CERTIFICATE REQUEST----- a lot of characters
-----END NEW CERTIFICATE REQUEST-----
I was told that this was the private key file, however if I check it using
openssl rsa
then it errors.
I have double-clicked on the p7b files and installed the certificates in them using the default options, and I have those certificates in the Certificate Management app in Windows.
3 are in the Third-Party Certification Authorities folder
1 ended up in the Other People folder (which I have also copied into the Trusted Root Certification Authorities Folder)
4 have ended up in the Intermediate Certification Authorities Folder
All were installed for local computer rather than current user.
Now I am led to believe I should have a private key file too. However, I cannot find where this could be.
What am I doing wrong? Where would I normally get the private key file from?
I would have thought the service side has the private key in order to verify that our certificate is valid?
MyCert.pem is as follows (with the actual data removed for privacy reasons)
subject=CN=**********************
issuer=CN=************************
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN=****************
issuer=CN=*****************
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN=**********************
issuer=CN=***********************
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
I've been getting this error for a long while:
POST to https://www.xxxxxx.com/hook/mandrill/quotations/opened failed: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I got my certificates renewed by Comodo recently, and ever since, I've been getting these errors.
It still seems to work though, but I'm worried some of the webhooks might not get through.
Is someone getting these errors as well? Might it be a problem on their side? Because I have checked my website on https://www.sslshopper.com/ssl-checker.html and it seems to be perfectly fine.
Also, I'm hosting my website on Amazon.
Thanks
This is an issue with your installed SSL certificate. You most likely did not combine the .crt file and the .ca-bundle file they provided to you and only installed the .crt file. Comodo provides the following two files in the zip package they make available to you:
_yourdomain_com.crt
_yourdomain_com.ca-bundle
The .ca-bundle includes all your intermediate certificates. You need to combine the contents of the two above files together. Your output .crt file would look something like:
-----BEGIN CERTIFICATE-----
contents of original crt file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
contents of 1st cert in ca-bundle file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
contents of 2nd cert in ca-bundle file
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
etc...
-----END CERTIFICATE-----
You must list the original certificate as the first certificate in the output file. Then come the intermediate certificates in your bundle.
Replace the .crt file that your server is pointing to with the above output .crt file. No need to change any of the web server configurations for either Apache or Nginx - both support bundled certificates. Make sure to restart your web server once the changes are made.
Before you make any of the above changes, you can actually see whether or not the missing .ca-bundle is causing your error by running an SSL test against your domain. In the results section after the test finishes, look for Additional Certificates. The results will state that you are missing certificates if you do not have the appropriate intermediate certificates in your .crt file.
I am wondering if anyone has any experience with Zevenet Load Balancers.
I have set up the community version (V4). I have 2 web servers with replicated content, and I have a virtual IP set up in the system which points to the 2 IP addresses of the web servers. The load balancer works for HTTP and HTTPS traffic correctly but shows a cert error when trying to get to the servers via HTTPS.
I want to combat this by adding a certificate to the load balancer. To do this I have followed these steps:
https://www.zevenet.com/knowledge-base/howtos/manage-certificates-with-zen-load-balancer/ (ignoring the bit about purchasing a cert from SofIntel as we use JISC for our Certs)
Basically I created a certificate in the load balancer, generated the CSR, purchased a certificate from JISC by uploading the CSR generated from the load balancer.
I then downloaded the ZIP file from JISC which contains the crt for the domain, as well as the root certificates required also in the ZIP.
I tried uploading the ZIP to the load balancer and it pops up an error showing that the certificate needs to be created in a PEM format.
I then found this here:
https://www.zevenet.com/knowledge-base/howtos/create-certificates-pem-format/
I am not really sure what this is asking me to do. Does this mean the original CSR that I generated is irrelevant now? The instructions on the above link say that the PEM file needs to be the following:
-----BEGIN RSA PRIVATE KEY----- Private Key (without passphrase) -----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE----- Certificate (CN=www.mydomain.com) -----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- Intermediate (Intermediate CA, if exists) -----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- Root (ROOT CA, who signs the Certificate) -----END CERTIFICATE-----
Essentially I already have the domain certificate, the intermediate and the root, all from JISC now. But is there any way I can go about getting the private key from the load balancer so that I can just create the PEM file manually?
I am pretty new to cert stuff, not sure why it won't just let me upload the zip file.
We have a password-protected pfx file, expiring in a few days, which we use to sign our exes.
We have renewed our SSL certificate from Symantec, but all we have received is a bunch of data:
Below is your Code Signing certificate:
-----BEGIN CERTIFICATE-----
base-64 encoded data
-----END CERTIFICATE-----
Below is the intermediate CA certificate:
-----BEGIN CERTIFICATE-----
base-64 encoded data
-----END CERTIFICATE-----
Below is your certificate in pkcs7 format:
-----BEGIN CERTIFICATE-----
base-64 encoded data
-----END CERTIFICATE-----
I have seen a few tutorials to create pfx files from .cer and .key files, but the fun part is, Symantec doesn't use the same terminology as the rest of the world. So I don't know which is which. And no single tutorial explains what should be in the files, so I can't go from there either. So, I don't know how to create the .key file, for instance.
Thanks!
It turns out that the main requirement is to install the certificate on a browser, from the computer that has made the request for a new certificate.
Then, most browsers (IE, FF, Chrome) can export it to PFX from the installed certificates list.
More info can be found here:
http://blog.ksoftware.net/2011/07/exporting-your-code-signing-certificate-to-a-pfx-file/
http://blog.ksoftware.net/2011/07/exporting-your-code-signing-certificate-to-a-pfx-file-from-firefox/
https://knowledge.verisign.com.sg/support/code-signing-support/index?page=content&id=AR190&actp=search&viewlocale=en_US&searchid=1360582675798
I am trying to add an SSL cert to Heroku. The cert was purchased from Network Solutions. I went through all of the steps and created a .csr file, uploaded that file to NetworkSolutions, downloaded their bundle of .crt files (MYSITE.crt, AddTrustExternalCARoot.crt, NetworkSolutionsDVServerCA.crt) and then combined the site cert & the intermediate certificate (AddTrustExternalCARoot.crt) bundles. When I try and add the final.crt file I produce to Heroku I get:
! Expires at can't be blank
! Pem is invalid
Using Preview I can clearly see that "Not Valid After" is set so I am not really sure what is going on here.
For what it's worth, I also tried combining NetworkSolutionsDVServerCA.crt with MYSITE.CRT and also combining all 3. All with no luck.
This kind of thing isn't my strong point (I am sure you can tell), so it's very possible I am missing something, but if you have any ideas on what it might be I would appreciate it.
Thanks
I faced the same problem today.
Below are the steps I followed to fix it.
Combine the certificate files in the below order (from the site certificate to the root certificate) into a .crt or .pem file. Let's assume you name it Mysite_combined.crt.
MySite.crt, NetworkSolutionsDVServerCA.crt, AddTrustExternalCARoot.crt
Open Mysite_combined.crt; the content of the file will look like
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
..
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
Now insert a line feed between each certificate. Make sure there is no white space or blank line in the edited file. The content should now look like
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Now add the certificate to Heroku using the command
heroku certs:add Mysite_combined.crt Mysite.key
Note: Since the Network Solutions certificate does not have a passcode, you can ignore the steps to remove the passcode on the Heroku site. If you use a key which has a passcode, refer to this article, which details how to set up SSL for Heroku. You should do step 2 above in any case.
It's likely there was an error in cat'ing your cert together with the intermediate. You should look to see that there was not a missing line break, or extra line breaks, that may have caused the error.
I had this problem as well and in my case it turned out to be the order of the arguments. Apparently the heroku utility expects the .crt file to precede the .key file.
In other words: heroku certs:add server.crt server.key
When I got this error, I had to add a newline at the end of my site.crt before running this command:
$ cat site.crt ca_bundle.pem > final.crt
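As an added example, not code from any of the posts above, here is a stdlib-only Python checker for the bundling problem the Comodo and Heroku answers describe: it pulls every certificate block out of a concatenated file even when an END marker and the next BEGIN marker have run together on one line, verifies that each block is valid base64 wrapping a DER SEQUENCE (which is what an X.509 certificate is), and re-emits the bundle in the original order with one block per line group and a trailing newline. The sample input is constructed (tiny fake SEQUENCEs, not real certificates) and the function names are my own.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# One PEM block; also matches when END and the next BEGIN are fused on a line.
_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_outer_length(der):
    """Total length claimed by the outer ASN.1 SEQUENCE, or -1 if not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:  # an X.509 Certificate is a SEQUENCE
        return -1
    first = der[1]
    if first < 0x80:  # short-form length
        return 2 + first
    n = first & 0x7F  # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def split_certs(text):
    """Return the base64 body of each block, after base64 and DER sanity checks."""
    bodies = []
    for m in _BLOCK.finditer(text):
        body = "".join(m.group(1).split())  # drop newlines/spaces inside the block
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise ValueError("certificate %d: bad base64 (%s)" % (len(bodies) + 1, exc))
        if der_outer_length(der) != len(der):
            raise ValueError("certificate %d: not a DER SEQUENCE" % (len(bodies) + 1))
        bodies.append(body)
    return bodies


def normalize_bundle(text):
    """Re-emit blocks in their original order, 64-char lines, newline-separated."""
    blocks = []
    for body in split_certs(text):
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.append("\n".join([BEGIN] + lines + [END]))
    return "\n".join(blocks) + "\n"  # trailing newline, so later appends stay separate


def _fake_cert(n):  # constructed stand-in: SEQUENCE { INTEGER n }, not a real cert
    return base64.b64encode(b"\x30\x03\x02\x01" + bytes([n])).decode()


# Constructed input reproducing the fused "-----END CERTIFICATE----------BEGIN" layout.
FUSED = "".join(BEGIN + "\n" + _fake_cert(i) + "\n" + END for i in (1, 2, 3))
```

Running normalize_bundle over a real concatenated .crt before handing it to heroku certs:add or a web server catches the fused-marker and bad-base64 cases; it does not check that the blocks are in leaf-to-root order, which still needs an X.509 parser.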