Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
Im new to hosting sites with ssl certificates and i wanted to know, if the server is running an iis server with a site and i now install apache on the same server, does the certificate apply to both hosts and if not, if i use the same dns/site address will it then apply?
After the responces i have gotten i would like to add that in order to run apache and iis i have to change the port number of the apache site, does the cert apply to this, so if iis is host www.123.co.za and apache www.123.co.za:8080 - does the cert apply, espicially considering ssl is on its own port ??
On the conceptual side, an SSL certificate establishes identity; that is it verifies that the person or organization who owns a particular domain name (hostname) approves of the actual server that the client is communicating with. Thus, the certificate itself is not tied to any particular server, but it is tied to a hostname or set of hostnames (for example, a *.example.com certificate would be valid for www.example.com and test.example.com.
On the practical side, if both server programs are set up with the certificate, and both have domain names within the scope of the certificate, it should work just fine.
An SSL certificate in this context is used to certify the host name. As long as you have the key pair and the certificate, you should be able to use the same certificate in IIS, Apache or any other SSL server.
You will however run into problems if you want to run several sites under different host names on the same ip and tcp port.
So, from a technical point it should be perfectly possible to use the same certificate in IIS running on www.123.co.za:443 and Apache running on www.123.co.za:9443.
It depends on type of your certificate (is it a wildcard certificate?) and a license you bought it under.
As far as I can see a typical cheap certificate apply for any ports on the host it is issued for. So, yes, www.example.com and www.example.com:8080 can both use same certificate.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 3 years ago.
Improve this question
My site has a Let's Encrypt cert that is installed using certbot and is perfect for HTTPS connections (port 443). Works great.
I also have a node server running and I use socket.io for websocket connections, which requires its own certificate. So I give it the Let's Encrypt certificate, and that seems to work for me, though I am not 100% confident it works for all my site's users.
What has me concerned is this: when I check my cert at https://whatsmychaincert.com/ and specifically add port 2998 with my domain, I'm told my certificate chain is "misconfigured." (When I use that web site to just check my domain with no port, or specifically adding the normal SSL port :443 to the domain name, it says the chain is perfect.)
I googled quite a bit but can't find a clear answer: does Let's Encrypt support the secure web socket protocol (wss://) that runs on port 2998? (And if not, how can I find an SSL cert that will work?)
Asking if Let's Encrypt supports WebSockets or not is simply invalid. They're just an issuer. You receive a perfectly valid X.509 certificate, you can use it anywhere you want where such certificate is applicable. You can get one elsewhere too. The port under which a service is running doesn't matter as well.
Without knowing your SSL configuration we can't help you to debug this.
Turns out I was giving my https server (inside node.js) the cert.pem file, instead of the fullchain.pem file. Changing to use the full chain fixed the misconfiguration issue.
This question already has answers here:
Is it possible to have SSL certificate for IP address, not domain name? [closed]
(7 answers)
Closed 11 months ago.
I wonder why I am getting certificate error if I try to access a site with ip address instead of domain name. Lets say for example nslookup says google.com is 173.194.43.96, so I tried to browse https://173.194.43.96 and I got certificate error saying that the security certificate presented by this website was issued for a different website's address. Why is that so?
This is because an SSL certificate is issued for a particular domain name. If the certificate name doesn't match the visited domain, the browser will show an error.
One of the main functions of SSL is to prove to the user that they are really connecting to the site they requested, and not to an attacker masquerading as the end site. Without linking the domain name to the certificate this would not be possible.
It is conceivable that the browser certificate system could have been designed to include the IP address in the certificate, but this would make it difficult to use DNS load balancing or even to change hosting providers, as a new certificate would have to be issued each time this happened. If the certificate included just the IP address and not the domain, this would leave the user defenseless against DNS spoofing attacks. So the only way forward really was to use the domain alone.
As a matter of interest, it is possible to obtain an SSL certificate for an IP address - and as Google is their own certificate authority, they could issue themselves a certificate for 173.194.43.96 and thus make it possible to browse google securely by ip address, so long as they used SNI to serve up the correct certificate. It seems implausible that this would be worth the additional complexity however...
This is a nice introduction to SSL if you want to read more:
https://timnash.co.uk/guessing-ssl-questions/
On MAC High Sierra and Python 3.6.4, I tried the solution: requests toolbelt:HostHeaderSSLAdapter 1st, unfortunately, it doesn't work for me, then I tried
forcediphttpsadapter, got it works finally.
The author explains everything in the readme part and has provided a sample script and it can be followed easily.
1.Install the library by pip install requests[security] forcediphttpsadapter
2.run the sample script:
import requests
from forcediphttpsadapter.adapters import ForcedIPHTTPSAdapter
session = requests.Session()
session.mount("https://example.com", ForcedIPHTTPSAdapter(dest_ip='1.2.3.4'))
response = session.get(
'/some/path', headers={'Host': 'example.com'}, verify=False)
Note: For some cases, you may need to remove the prefix: 'www' from the url.
What happens is that the certificate is issued to www.google.com, and not to its IP address. Hence, your browser won't be able to verify the certificate, which lists www.google.com as entity.
For more info, see: www.digicert.com/ssl-support/certificate-name-mismatch-error.htm
The Common Name is typically composed of Host + Domain Name and will look like www.yoursite.com or yoursite.com. SSL Server Certificates are specific to the Common Name that they have been issued to at the Host level. The Common Name must be the same as the Web address you will be accessing when connecting to a secure site. For example, a SSL Server Certificate for the domain domain.com will receive a warning if accessing a site named www.domain.com or secure.domain.com, as www.domain.com and secure.domain.com are different from domain.com.
I am going to use an SSL certificate on my chat application based on XMPP(ejabberd) which is hosted on an IP.
So, I will be using the IP as the common name when I am generating my SSL certificate. But the server that has everything hosted on it, refers to the IP using a hostname as abcd.yourserver.net.
Therefore, I am confused as to if I have to use the IP or this weird hostname while generating my SSL certificate and if in future I decide to use a domain name instead of the IP for my application, will I have to buy a new SSl certificate or can I regenerate the old one. Also, can I change the type like wilcard or single certificate?
P.S. I have never bought an SSL certificate, so forgive me if the question is newbish.
When generating an SSL certificate for an XMPP server, you have to use the domain name of your XMPP service.
I am quite confused here:
I use DNSMadeeasy to manage my DNS. I have two apps.
One is Heroku hosted, and has https on https://example.com - Heroku has many great tutorials to setup the certificate, it hasn't been a problem.
The other one is a wordpress, hosted in 1and1 (though it shouldn't matter here), and is reachable at http://subdomain.example.com and we want it to be available at https://subdomain.example.com
1and1 does sell SSL certificate, but their automated setup works only when one uses their services for DNS also, as they say. Their support says it should be DNSMadeEasy which should be hosting our SSL certificate. I have the feeling it is not true, because for https://example.com, DNSMadeEasy was never involved.
Questions:
When does certificate querying occurs? Before, After, or in parallel of DNS resolution?
Who is hosting a certificate? The DNS provider? The server (accessible like a sitemap.xml at the root for instance)? A third party?
To enlarge the case, in general if I have a personal server with a fix IP, how can I communicate through https with a valid certificate?
In my case, how can I get my way out of it to make https://subdomain.example.com work?
You are right for not believing the 1and1 suggestion.
To answer your questions:
When does certificate querying occurs? Before, After, or in parallel
of DNS resolution?
A client resolves domain name to an IP address first. So DNS resolution happens first.
Who is hosting a certificate?
The server (in simplistic terms) hosts the certificate.
When a client wants to connect to your site (via HTTPS) it will first establish a secure connection with that IP address on port 443 (this is why usually (without SNI) you can only have one SSL certificate per IP address). As part of this process (which is called handshake) a client can also specify a server name (so-called server name extension) - this is a domain name of your site. This is useful if you have an SSL certificate that is valid for multiple domains.
A good/detailed explanation how it works can be found here
http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
if I have a personal server with a fix IP, how can I communicate
through https with a valid certificate?
Your server will need to be able to respond on port 443 and have/host an SSL certificate for a domain that resolves to that IP address.
In my case, how can I get my way out of it to make
https://subdomain.example.com work?
You need to purchase a certificate for subdomain.example.com and install it on the wordpress server.
Usually in hosted solution like yours you have 2 options:
Buy the SSL certificate via the provider (1and1 in your case) - a simpler option, they will configure everything for you.
Buy the SSL certificate yourself. Here you will most likely need to login to your 1and1/Wordpress management interface and generate a CSR (essentially a certificate request). Then you purchase the SSL certificate using this CSR and then you can install it via the same management interface.
The process will look similar to this:
http://wpengine.com/support/add-ssl-site/
I'm implementing mutual SSL between service A and service B. Service A uses both 1-way and 2-way SSL. 1-way for the communication between a user and website A, and 2-way SSL to forward requests from that user to the service B in a secure way.
1-way SSL in service A is specified in Tomcat server.xml. 2-way SSL is implemented using JSEE secure socket communication on the client side (service A), and Tomcat config (service B). Atm. when I try to access service A I get ssl_error_rx_record_too_long error.
According to this answer ssl_error_rx_record_too_long and Apache SSL one of the reasons may be the fact that I'm using more than one SSL certificate for the same IP. Is this really the case that you can't use the same IP for several certificates? Even if one certificate is a server certificate (for 1-way SSL) and another is a client certificate (for 2-way SSL)?
This may not be the cause of my problem, but I just want to make sure if it's actually possible to have several certificates for the same FQDN. Thanks for help!
ssl_error_rx_record_too_long generally has nothing to do with certificate configuration, but the fact that what's talking on that port isn't actually using SSL/TLS.
The answers (and even the update to the question) in the question you linked to also point to this problem (e.g. missing SSLEngine on). You probably forgot something like SSLEnabled="true" in your connector configuration.
As I was saying in an answer to your other question, being able to configure two server certificates on the same IP address isn't really a problem for your case.
it's actually possible to have several certificates for the same FQDN
It is possible to configure multiple certificates on the same IP address and port using the Server Name Indication TLS extension, but both servers and clients would need to support it. In particular, this is not supported by the JSSE in Java 7 on the server side (only on the client side), but there are workarounds if you're willing to put a reverse proxy in front of your Java server.
This wouldn't be possible to do this with the same FQDN, since it's what allows to pick the certificate. This being said, having multiple server certificates for the same FQDN on the same IP address is generally pointless. Supporting multiple certificates is precisely useful when you need to support distinct names.