I bought a SSL Cert which should work with iE 5+, but it doesn`t. All other browsers i tested work perfectly - no errors - just the site I want to display. But IE8 and smaller versions show an Error on the https...(they need to accept the ssl cert) site and destroy the layout on http version of the site (no https links included).
Non SSL
minol-fb.de/facebook-suche/
SSL
minol-fb.de/facebook-suche/
Ok it seems that browser < IE8 still use the self signed certificate..
You must have configured multiple certificates using Server Name Indication without knowing it.
If you use this, you get a self-signed certificate:
openssl s_client -showcerts -connect www.minol-fb.de:443
If you use this (with the server name), you get the correct certificate:
openssl s_client -showcerts -connect www.minol-fb.de:443 -servername www.minol-fb.de
You probably get a different behaviour with older versions of IE because you're testing them on XP. No version of IE supports SNI on Windows XP unfortunately. Other browsers (with sufficiently recent versions) do, at least independently on the OS version they run on.
If you don't need that other host, you can probably remove that configuration, so as not to have to rely on SNI at all.
Something odd is going on; if you use the link below you will see that the server is not returning the server cert and intermediate cert, but a single self signed Parallels Plesk Panel CA cert.
http://certlogik.com/ssl-checker/www.minol-fb.de
Using the openssl command below, I get the same Plesk certificate returned:
openssl s_client -showcerts -connect www.minol-fb.de:443
Perhaps this may help:
http://knowledgelayer.softlayer.com/questions/457/Installing+a+SSL+Certificate+in+Plesk+9
UPDATE:
Looks like you've sorted out the config; using the above tool I can see the correct certs are now being returned.
I ran into a similar situation where the cert was working OK on all browsers except for IE (of course!). This is on Apache and the SSL cert had been issued by RapidSSL. Turned out in my case, that I had virtual host file default-ssl active, so somehow IE was picking up on that on the default self-signed cert instead of the rapidSSL cert referred to in my site virtual host.
Deactivated ssl-default, reloaded apache and that did it.
Related
I am witnessing a weird issue with regards to mutual authentication.
I have setup mutual authentication on BigIP loadbalancer to accept 2 different CAs.
This means that we only accept certificates that has been issued by those 2 CAs.
I have tried providing those certificates to LB using OpenSSL and it works fine by this i mean i have 2 certificate, Using IE it works fine as well, FireFox it works fine as well. but when i use chrome, browser asks for certificate but it doesnt send the certificate to the LB, as it has been observed in wiresharks (Picture to follow)
I have access to both certificates, so i extacted the certs and key and used
openssl s_client -connect Host:port -cert "cert.pem" -key "key.pem"
It works fine, and i can see connection is ok.
Using same certificates in IE, it works as well.
Postman works as well.
FireFox Works as well.
Chrome however it shows certificate length as 0
And as you can see same certificate is used by OpenSSL and it is sending.
Any idea what might be the problem?
Update :
I started chrome with debug and saw this, it seems chrome cannot parse my key or cert.
[14836:18604:0927/172254.921:ERROR:ssl_platform_key_util.cc(70)] Could not parse public key.
[17536:16164:0927/172255.100:ERROR:ssl_client_socket_impl.cc(941)] handshake failed; returned -1, SSL error code 1, net_error -117
In my case, there was a problem with the ASN.1 encoding of the Algorithm Parameters in the certificate. The encoding missed a NULL value. If you upload your certificate, we can double-check.
First I want to point out that this works fine with Internet Exporer 11. But for some reason I just can't get FireFox to play nice!
So I already added my own rootCA security certificate and under Internet explorer it works fine and my website with self-signed cert is trusted.
But on Firefox v61.0.1 and also v65.0 even though my root certificate is already added, and in addition security.enterprise_roots.enabled is set to true (in about:config), I still get the "your connection is not secure" message and I have to add a security exception just to view my site.
In the area with the message and button to add exception, Firefox says:
"xx.xxx.xx.x uses an invalid security certificate. The certificate is only valid for xx.xxx.xx.x. Error code: SSL_ERROR_BAD_CERT_DOMAIN"
Now the xx.xxx.xx.x is an internet reachable IP address and both instances in the above line have exactly the SAME IP address, I've used IP for the CN field.
clicking on SSL_ERROR_BAD_CERT_DOMAIN shows:
"Unable to communicate securely with peer: requested domain name does not match the server’s certificate. HTTP Strict Transport Security: false HTTP Public Key Pinning: false Certificate chain: -----BEGIN CERTIFICATE----- ......."
Anyway, I am guessing that in its current configuration, Mozilla FireFox is CONFUSED that the site has an invalid certificate when in fact it is valid and the reason for its confusion is perhaps it expects a domain-NAME not IP address.
If so, is there a way I can tell Firefox to honor IP Address based ssl certs?
Again, current config is working perfectly fine with Internet Explorer for me.
As you know many tools like built-in IDE svn and other source control clients really do not like it when there's something to complain about in an ssl-cert.
That's the reason I went through trouble of creating and loading own Root CA Authority in windows. And no please do not recommend letsencrypt, needs renew often and I don't have incoming OPEN ports which it seems to require to renew.
thx!
Hooray! Success :) I went by my what I thought was confusion over IP vs name and discovered that my extfile under the [alt_names] section I had used DNS.1 = xx.xxx.xx.x
So I simply edited my extfile and changed DNS.1 = ... to now be IP.1 = xx.xxx.xx.x
Then I simply recreated my webserver's cert. For anyone wondering, here's actual command:
openssl x509 -req -in mywebserver.csr -CA myrootCA.pem -CAkey myrootCA.key -CAcreateserial -out ./certs/mynginxwebserverIP.crt -days 2555 -sha256 -extfile myextfile.cnf
That overwrote my current .crt file and all I needed to do was nginx -s reload and bingo!
Well hope that helps someone cuz it was driving me crazy!
Now it works just fine in Firefox and I get that comforting nice green lock :)
And internet explorer didn't know/care about the difference, worked both ways :D
I have learnt about SSL and SSL certificates used on client and server side. I pretty much understand how things work and have generated server and client certificates and keys. I have studied how can I use my own CA with https in Android.
I want to setup a server where I can put the server certificate and then access it from my android device to make an emulation of what I have learnt so far.
Is there any server available where I just need to put cert and key and it will start working? I have gone through wamp and apache configuration stuff but unfortunately I am unable to make it work properly.
If you're using OpenSSL it includes a very simple server named s_server which is very useful for this kind of experimentation. Here's an example that might get you started
$ openssl s_server -key test.key -cert test.crt -accept 8443 -WWW
This will serve up files in the current working directory from https://localhost:8443/
The manpage for s_server should give you all the info you need. I think you'll want the -CApath or -CAfile options if you're also experimenting with client certs.
Working with a standard MediaTemple server setup with an installed GeoTrust domain certificate I am getting different responses from openssl and web requests.
Visiting the site from a site checker site I get a good response and see my domain certificate and the full Geotrust certificate chain.
When using
openssl s_client -connect subdomain.domain.com:443 -showcerts -ssl3
from my local machine I see
Server certificate
subject=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels
Panel/CN=Parallels Panel/emailAddress=info#parallels.com
issuer=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels
Panel/emailAddress=info#parallels.com
and Verify return code: 18 (self signed certificate)
openssl version -d = OPENSSLDIR: "/etc/pki/tls"
It's a Centos 6.x box.
The apache httpd.conf file points to a certificate and CA list in a completely different location: /usr/local/psa/var/certificates/ which would seem fine to me.
Where is the openssl s_client finding the Parallels certificate? It is not located in /etc/pki/tls. Is there a way to configure the box so that the openssl requests and apache use the same server certificate?
Thanks in advance!
openssl s_client gets the certificate from the server during the SSL handshake. OPENSSLDIR is only the place where any (optional) configurations for the openssl tool gets stored.
Note that you might get a different certificate with openssl than you have configured on your server because you need to use SNI (Server Name Indication) like the browser do. This feature is used if you have multiple certificates behind the same IP. To use this feature with openssl add the -servername hostname parameter and provide the name you expect. You must also remove the -ssl3 option since this restricts the connection to SSL 3.0 which is not only insecure but also does not support SNI.
Turns out that on MediaTemple servers they maintain certs in two locations. The apache server has a location for the CA file in its conf files that is different from where openssl maintains its CA files.
You can find the apache location in the conf files and the openssl location with
openssl version -d
Within MediaTemple's web administration pages you can use plesk to install the domain cert into the openssl location as the "server's" cert. The apache server should already have the cert and CA files in the right location. The MediaTemple custom apache configuration overrides the standard apache setup which sets apache's cert locations to be the same as openssl's.
We purchased an SSL certificate through DNSimple and installed it on our Heroku SSL endpoint. Now navigating to the app via SSL works fine on Chrome and Safari, but Firefox shows a "This connection is untrusted" error. Why would an SSL cert be untrusted by Firefox only?
We figured out the problem:
The Heroku docs point to the following bundle.pem file, which DOES NOT WORK FOR FIREFOX:
https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem
The CORRECT bundle.pem file is at:
https://knowledge.rapidssl.com/library/VERISIGN/INTERNATIONAL_AFFILIATES/RapidSSL/AR1548/RapidSSLCABundle.txt
as indicated on the RapidSSL site.
Heroku docs need to be updated. Hopefully this saves someone else some time..
UPDATE: We reported this to Heroku and they updated their docs, so this is no longer an issue.
Mozilla include a list of Certificate Authorities (CA) with their products, as do Google, Apple, Microsoft and others. If your certificate can be traced back to one of these than the browsers will trust it. If not, you have to add an exception, or import the certificate into your browser.
The list of included CAs is created at the whim of the different browser makers. Some include the root CA for your certificate, and it seems Mozilla do not.
You can get a list of CAs included by Mozilla here. Check your certificate details. If the root CA is on this list file it as a bug with Mozilla. If it's not you could try asking them if they'll include it for the next release.
It's a problem of rapidssl but not yours.
you should not only provide the server certificate, but should concat your server certificate and INTERMEDIATE ca certificate.
do
$ cat ca_certificate.crt >> server_.crt
and restart your nginx.
you can find the ca certificate on what site you buy certificate.