My wildcard certificate expires in three weeks and I've just renew it and installed the new certificate, so that my IIS has two now.
I have currently more than 30 sites running and I would like to update them one by one to use the updated certificate. Though I dont see a parameter for appcmd set site which allows me to specify which certificate to use. I really would hate to have to delete the old certificate and re-add all sites asap which means my sites would be without SSL for a few minutes.
Seems like there were no other possibilities, I decided to go ahead and update them manually as quickly as possible. When entering the "Bindings" popup for the first website, it warned me (as usual with https bindings) that multiple sites were detected. I ignored the warning and set the new certificate for the first website. That also updated the https bindings on all the other sites apparently. I have checked with various online SSL checkers and the sites all seems to be updated now. Phew.
Related
I've set up my app running on Cloud Run with a Let's Encrypt wildcard certificate to cover subdomains. It works fine, but everytime I run testssl.sh or other similar tools they notice 2 certificates: mine and Google's. The second certificate throws errors regarding name mismatch and from time to time (couldn't reproduce it, it may not be a problem) even browser notice this and say the cert is not valid, but a refresh will fix it.
Is this something common and should I ignore it? Google's DIG shows that the domain has the correct IP as A record and everything else works fine.
Use only one certificate.
A wildcard certificate with Cloud Run provides few benefits. Only domain names that are mapped will be supported so the wildcard does not help. The negative is that you must manually renew the certificate every 90 days.
Use the Google Managed certificates.
My website get traffic drop recently. I found that my user cannot access my website when their computer in wrong set of time. However, they can open other website as usual.
The error said "NET::ERR_CERT_DATE_INVALID" in google chrome and "Warning: Potential Security Risk Ahead" in firefox. So, I assumed that the problem is the SSL. Previously I use free ssl from Cloudflare, thinked that its because its free then the error appeared, I the purchased for Dedicated SSL form Cloudflare. But, I keep get the same Error.
Is there is a solution for this situastion?
Changing the user computer time its not my solution here, because other website working just fine.
Thank You
I found that my user cannot access my website when their computer in wrong set of time.
The expiration of the certificate is checked against the local time of the system. If the local time is wrong the check might fail even if the certificate is not really expired yet.
If it fails depends on how wrong the local time is compared to the expiration time in the certificate, i.e. it might be so wrong that some certificates look expired while others are not yet expired. Some sites use more short-lived certificates and thus are more likely to run into this kind of problems. For example Let's Encrypt certificates are only valid for 3 month, while other CA issue certificates for a year or even longer. And of course sites which only use HTTP instead of HTTPS don't have this problem since no certificates are involved in the first place.
Changing the user computer time its not my solution here, because other website working just fine.
There is nothing you can do against this from the server side. And while some other sites work just fine for the moment it is very likely that there are some sites apart from yours which will not work too. So the problem is not restricted to your site only.
I had AutoSSL by Comodo on my CentOS WHM VPS previously configured and running. After the certificates got expired, I installed Let's Encrypt and tried to renew certificates via that service which failed with error that signified a DCV validation issue due to me to using the server's DNS. Also the HTTP validation was failing too.
Later, I switched back to Comodo AutoSSL and renewed two of the sites while all others failed with same error above.
Now the issue that persists is that I can't access the websites except one (the main account on WHM). All of the sites are showing defaultwebpage.cgi
What might possibly be the issue and what can be done to get the system back up?
Finally got the issue solved. The faults on my setup that made the DCV to fail were (different for different domains).
For a few domains, the DNS had AAA records(with IPV6 values) that prevented the updation.
For another domain the issue was that the DNS was on cloudflare and it wasn't getting auto updated. So, i had to manually enter the record that has name '_cpanel-dcv-test-record' and a value that had a data like '_cpanel-dcv-test-record=UF0zA7G97dxugw_u10XVpkRJ0faQg2bk2UHf2vDJkhKcElawaQqyaLtCL3VsquAGxv' (sample values for reference. not real)
I made the above changes, selected the domains (Inside CPanel for individual account > SSL > SSL Status) that needed the change and pressed the 'Run Auto SSL'.
Hope this helps someone who goes through a smilar situation.
I am using a Debian/Apache webserver with up-to-date software and a SSL certificate to encrypt the communication via HTTPS. In February the old certificate expired and I got me a new one (CA Geotrust via CA RapidSSL). Like the one before.
In Firefox (Chrome, ...) everything works fine. But after the old certificate finally expired after 2 weeks, Internet Explorer says the certificate has expired - leave the page? Appearently the old certificate is stuck in the browser cache and has not been updated since.
And the thing ain't done with clearing the browser cache. I actually had to reset the IE settings to make it reload the new certificate. As it works by now, I guess that the server delivers the correct certificate. But there are still other users who report the same problem - so it wasn't my browser alone.
My best guess is that something in the old cert or my cache suggestions told the IE to store the certificate for a long while. But I have no clue how to solve this - or even what to change so I don't have the same problem next year, again.
Thanks for any ideas!
BurninLeo
I had a similar problem. In fact it is IE under XP who don't support several HTTPS subdomaine on a single IP address.
http://nginx.org/en/docs/http/configuring_https_servers.html#sni
So if you have also several domains or subdomains in same IP you can't solve this on XP/IE you can just choose which certificat is used by XP/IE but it will be the same for all subdomaine.
PiR
I have two "Web Sites" running under IIS6 (Windows Server 2003R2 Standard), each bound to a separate IP address (one is the base address of the server).
I used SelfSSL to generate and install an SSL certificate for development purposes on one of these sites and it works great. I then run SelfSSL to generate a certificate for the second site and the second site works, but now the first site is broken over SSL.
I run SSL Diagnostics and it tells me:
WARNING: You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed
If I re-run SelfSSL on the first site (to fix it), the first site works but then the second site is broken.
It seems like SelfSSL is doing something in a way that is designed to work with only one Website, but I can't seem to put my finger on exactly what it's doing and figure out how to suppress it. I would manually configure SSL but I don't have a certificate server handy, but maybe there is a way to get SelfSSL to just gen the cert and let me install it?
FWIW I have also followed the guidance of several posts that indicate changes to the permissions of the RSA directory are in order, etc. but to no avail. I don't work with SSL everyday so I may be overlooking something that someone with more experience might notice, or perhaps there is a diagnostic process that I could follow to get to the bottom of the issue?
We had a similar problem today. Our IT guy said he solved it by basically using ssldiag instead of selfssl to generate the certs.
See the reply from jayb123 at this URL: http://social.msdn.microsoft.com/forums/en-US/netfxnetcom/thread/15d22105-f432-4d8f-a57a-40941e0879e7
I have to admit I don't fully understand what happened, but I'm on the programming side rather than the network admin side.