I've been tearing my hear out trying to figure out why SSL works in one of my Azure projects but not in another.
When I navigate to my site, say https://foo.com, I can't even connect to the site. Browsers can't connect at all and curl says "couldn't connect to host". However, if I go to my cloudapp.net URL (e.g. https://foo.cloudapp.net), it can connect but browsers will complain and say my cert is for *.foo.com. Note: I am able to connect to http://foo.com without any trouble.
Here's my code with certain values obfuscated.
ServiceDefinition.csdef:
<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="MyApp" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
<WebRole name="www" vmsize="Small">
<Sites>
<Site name="Web">
<VirtualApplication name="r" physicalDirectory="../Foo/Bar" />
<Bindings>
<Binding name="Endpoint1" endpointName="Endpoint1" />
<Binding name="Endpoint2" endpointName="Endpoint2" />
</Bindings>
</Site>
</Sites>
<Endpoints>
<InputEndpoint name="Endpoint1" protocol="http" port="80" />
<InputEndpoint name="Endpoint2" protocol="https" port="443" certificate="STAR.foo.com" />
</Endpoints>
<Imports>
<Import moduleName="Diagnostics" />
</Imports>
<Certificates>
<Certificate name="STAR.foo.com" storeLocation="LocalMachine" storeName="My" />
</Certificates>
</WebRole>
</ServiceDefinition>
my cert is uploaded, the thumbprint matches (in this example it's also "1234567890")
ServiceConfiguration.csfg:
<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="myApp" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="1" osVersion="*">
<Role name="www">
<Instances count="2" />
<ConfigurationSettings>
<Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" value="UseDevelopmentStorage=true" />
</ConfigurationSettings>
<Certificates>
<Certificate name="STAR.foo.com" thumbprint="1234567890" thumbprintAlgorithm="sha1" />
</Certificates>
</Role>
</ServiceConfiguration>
Azure Console:
I have verified that:
My cert is uploaded
It's SHA1
It's thumbprint matches what I've specified in ServiceConfiguration.cscfg (in this example it's "1234567890")
The certs for the Certificate Authorities are also present (for me it's "PositiveSSL CA" and "AddTrust External CA root")
For the Azure instance, it confirms there are 2 endpoints (port 80 and port 443)
Why would I not be able to connect at all via https://foo.com, but my https://foo.cloudapp.net will load (although triggering a browser warning)? This seem to indicate my configuration is correct but something else is off... ideas?
I think you may be looking in the wrong place for your problem!
How have you mapped foo.com to your site's address?
Note that Azure instances are given dynamic IP addresses - what address your site may be on NOW may not be what its on tomorrow. The recommendation for Azure is to add a "www" CNAME DNS entry in your domain records that points at "foo.cloudapp.net".
This way, when someone browses to www.foo.com, the DNS server will (invisibly) say "hey, actually, that site is as foo.cloudapp.net. The browser will then ask for the IP address of foo.cloudapp.net. This domain is managed by Microsoft who will return the current IP address for your site.
If you want foo.com to still get you to www.foo.com, you'll have to setup DNS redirection so that whenever someone types foo.com into their browser, they're redirected to www.foo.com. This will then cuase the browser to resolve foo.cloudapp.net and then the HTTP request will be sent to your site. Some domain hosters charge for this (typically a nominal fee), some offer it as a free service.
HTH.
Related
This is a re-post of an earlier issue. After a long hiatus with respect to this topic I am back to it again.
I need to make my local dev IIS Express instance available to colleagues for testing purposes. After much reading and many blind alleys, I managed to get a little bit further than I did when this was originally posted, in that I have managed to get VS 2022 to recognise the entries from the applicationHost.config that are needed, unfortunately when I debug the website, IIS Express (or rather MS Edge) responds with:
Hmmm... Cant reach this page
machinename.euro.org.local refused to connect
Note the URL is obfuscated for security reasons.
The applicationHost.config file contains the following entries:
...
<site name="appName" id="1">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="C:\appPath\appName" />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:8080:machinename.euro.org.local" />
<binding protocol="https" bindingInformation="*:44379:machinename.euro.org.local" />
</bindings>
</site>
VS confirms that the virtual directory has been successfully created.
I have made the necessary additions to HTTP.SYS:
netsh http add urlacl url=http://machinename.euro.org.local:8080/ user=everyone
and to my firewall settings:
netsh firewall add portopening TCP 8080 IISExpressWeb enable ALL
Where am I going wrong?
We have a Local Service Fabric Cluster running. We are using Windows Security to control who can administer the cluster.
When connecting to the Gateway Endpoint to use the configuration manager, we are currently connecting over HTTP, but we'd like to connect over HTTPS.
We have added an SSL Certificate that we use for connecting to the reverse proxy, and we'd like to use that same certificate to connect to the Gateway Endpoint.
I can see in the generated config on the cluster that the HttpApplicationGatewayEndpoint port is using https, which I think turned on because I set the "ReverseProxyCertificate" setting.
<NodeType Name="NodeType0">
<Endpoints>
<ClientConnectionEndpoint Port="19000" />
<LeaseDriverEndpoint Port="19002" />
<ClusterConnectionEndpoint Port="19001" />
<HttpGatewayEndpoint Port="19080" Protocol="http" />
<HttpApplicationGatewayEndpoint Port="19081" Protocol="https" />
<ServiceConnectionEndpoint Port="19003" />
<ApplicationEndpoints StartPort="20001" EndPort="20031" />
<EphemeralEndpoints StartPort="49152" EndPort="65535" />
</Endpoints>
<PlacementProperties>
<Property Name="NodeTypeName" Value="NodeType0" />
</PlacementProperties>
</NodeType>
How can I make the HttpGatewayEndpoint have Protocol="https" instead of "http"?
With WildFly 8.2.1, I am trying to make existing webservice (JAX-WS) use SSL, but I haven't seen any use of SSL in quickstarts and the information I was able to google is limited. So far I've added this to web.xml:
<security-constraint>
<display-name>Foo security</display-name>
<web-resource-collection>
<web-resource-name>FooService</web-resource-name>
<url-pattern>/foo/FooService</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
and this is in my standalone.xml:
<subsystem xmlns="urn:jboss:domain:webservices:1.2">
<wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
<endpoint-config name="Standard-Endpoint-Config"/>
<endpoint-config name="Recording-Endpoint-Config">
<pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">
<handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>
</pre-handler-chain>
</endpoint-config>
<client-config name="Standard-Client-Config"/>
</subsystem>
but apparently that's not enough; when I look into standalone/data/wsdl/foo.ear/foo.war/FooService/Bar.wsdl I see:
<service name="FooService">
<port binding="foowsb:FooBinding" name="FooBinding">
<soap:address location="http://localhost:8080/foo/FooService"/>
</port>
</service>
Note that in the EAR/WAR, the soap:address.location is filled just with a placeholder (I suppose that the value is ignored).
I've found some info about setting up security realm, and creating the self-signed certificate using keytool (which I did), but I completely miss how this should be linked together.
I've also tried to setup wsdl-uri-scheme=https, but this is supported only in later versions of CXF.
Seems that the soap:address.location value is not ignored when it's being replaced, since changing that from REPLACE_WITH_ACTUAL_URL to https://REPLACE_WITH_ACTUAL_URL did the trick - now the service got exposed on https://localhost:8443.
There is a couple of more steps I had to do in standalone.xml: in undertow, add https-listener:
<https-listener name="secure" socket-binding="https" security-realm="SslRealm"/>
define the SslRealm:
<security-realm name="SslRealm">
<server-identities>
<ssl>
<keystore path="foo.keystore" relative-to="jboss.server.config.dir" keystore-password="foo1234" alias="foo" key-password="foo1234"/>
</ssl>
</server-identities>
<authentication>
<truststore path="foo.truststore" relative-to="jboss.server.config.dir" keystore-password="foo1234"/>
</authentication>
</security-realm>
Note that I reuse the same keystore for server and clients here. And since my clients are ATM in the same WF node during development, I had to setup the client-side part there, too:
<system-properties>
<property name="javax.net.ssl.trustStore" value="${jboss.server.config.dir}/foo.keystore"/>
<property name="javax.net.ssl.trustStorePassword" value="foo1234"/>
<property name="org.jboss.security.ignoreHttpsHost" value="true"/>
</system-properties>
The last property should be replaced in WF 9+ with cxf.tls-client.disableCNCheck.
I have setup my my cloud using the following
http://azure.microsoft.com/en-us/documentation/articles/cloud-services-configure-ssl-certificate/
and the web role using the following http://msdn.microsoft.com/en-us/library/ms731074%28v=vs.110%29.aspx
My problem that when I use emulator I get an error That the there is a name mismatch between a certificate and the website in this case(127.0.0.1)
What can be done to solve it.
So there are two approaches you could take:
Create a separate cloud project for each environment - This way you could create a self-signed certificate for your development environment and live with the warning that the certificate is not trusted.
Get a wildcard certificate for your application - This is the approach we have taken for our application (along with the 1st one). Basically we took a wildcard SSL certificate and used that certificate in our application. Then we added an entry in hosts file located in C:\Windows\System32\drivers\etc like this:
127.0.0.1 dev.cloudportam.com
Next, we added hosts header in our dev cloud project's csdef file.
<Sites>
<Site name="Web">
<Bindings>
<Binding name="Endpoint1" endpointName="Endpoint1" hostHeader="dev.cloudportam.com" />
<Binding name="Endpoint2" endpointName="SSL" />
</Bindings>
</Site>
</Sites>
<Endpoints>
<InputEndpoint name="Endpoint1" protocol="http" port="8080" />
<InputEndpoint name="SSL" protocol="https" port="8082" certificate="SSL" />
</Endpoints>
Now when we launch the application, it opens up https://localhost:8082/ and we just change the address to https://dev.cloudportam.com:8082 and everything works well.
I have a problem similar to (but not the same) as this:
Azure web role - Multiple ssl certs pointing to a single endpoint
My azure package contains multiple sites. Some of these sites are on domain abc and others are on domain def. I need to secure both domains with SSL but can't figure out how (if it's possible) to do this.
Here's an example of my config:
<Sites>
<Site name="sub1.abc" physicalDirectory="***">
<Bindings>
<Binding name="HttpIn" endpointName="HttpIn" hostHeader="sub1-staging.abc.com" />
<Binding name="HttpsInABC" endpointName="HttpsInABC" hostHeader="sub1.abc.com" />
</Bindings>
</Site>
<Site name="sub1.def" physicalDirectory="***">
<Bindings>
<Binding name="HttpIn" endpointName="HttpIn" hostHeader="sub1-staging.def.com" />
<Binding name="HttpsInDEF" endpointName="HttpsInDEF" hostHeader="sub1.def.com" />
</Bindings>
</Site>
</Sites>
<Endpoints>
<InputEndpoint name="HttpIn" protocol="http" port="80" />
<InputEndpoint name="HttpsInABC" protocol="https" port="443" certificate="abc" />
<InputEndpoint name="HttpsInDEF" protocol="https" port="443" certificate="def" />
</Endpoints>
<Certificates>
<Certificate name="abc" storeLocation="LocalMachine" storeName="My" />
<Certificate name="def" storeLocation="LocalMachine" storeName="My" />
</Certificates>
This configuration gives me the following error:
The same local port '443' is assigned to endpoints HttpsInABC and
HttpsInDEF in role ***.
Any suggestions on how I can work around this without having to host them separately?
Based on #JoelDSouza's answer:
Will using different ports work for you
What are the implications of SSL on ports 444/445/446 etc. in Windows Azure?
You can use multiple SSL certificates and add them all to the same endpoint by automating the process of installing the certificates on the machine and add HTTPS bindings to IIS.
IIS 8 (Windows Server 2012) supports SNI, which enables you to add a "hostheader" to the HTTPS binding.
I'm a Microsoft Technical Evangelist and I have posted a detailed explanation and a sample "plug & play" source-code at:
http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/
I fear you are out of luck - as noted in the article you linked to, one SSL certificate per server IP. I guess by hosting them separately (that feels odd to say considering it's cloud based) you will get two IPs and therefore can add an SSL certificate to each IP address.
You could perhaps move everything to one domain and use folders within that domain to host the separate sites - that's the only way you will be able to secure everything with your SSL certificate without having two hosting packages:
ie instead of:
www.domain1.com and www.domain2.com use www.mydomain.com/domain1/ and www.mydomain.com/domain2/
Will using different ports work for you? You can use SSL cert 1 with myapp.cloudapp.net:443 and SSL cert 2 with myapp.cloudapp.net:8443
If you don't need wildcard certificates you can use a multi-domain certificate. This way you only need one certificate. The downside is that each sub-domain needs to be specified, which can get expensive if you have a lot.