I have two "Web Sites" running under IIS6 (Windows Server 2003R2 Standard), each bound to a separate IP address (one is the base address of the server).
I used SelfSSL to generate and install an SSL certificate for development purposes on one of these sites and it works great. I then run SelfSSL to generate a certificate for the second site and the second site works, but now the first site is broken over SSL.
I run SSL Diagnostics and it tells me:
WARNING: You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed
If I re-run SelfSSL on the first site (to fix it), the first site works but then the second site is broken.
It seems like SelfSSL is doing something in a way that is designed to work with only one Website, but I can't seem to put my finger on exactly what it's doing and figure out how to suppress it. I would manually configure SSL but I don't have a certificate server handy, but maybe there is a way to get SelfSSL to just gen the cert and let me install it?
FWIW I have also followed the guidance of several posts that indicate changes to the permissions of the RSA directory are in order, etc. but to no avail. I don't work with SSL everyday so I may be overlooking something that someone with more experience might notice, or perhaps there is a diagnostic process that I could follow to get to the bottom of the issue?
We had a similar problem today. Our IT guy said he solved it by basically using ssldiag instead of selfssl to generate the certs.
See the reply from jayb123 at this URL: http://social.msdn.microsoft.com/forums/en-US/netfxnetcom/thread/15d22105-f432-4d8f-a57a-40941e0879e7
I have to admit I don't fully understand what happened, but I'm on the programming side rather than the network admin side.
Related
My website get traffic drop recently. I found that my user cannot access my website when their computer in wrong set of time. However, they can open other website as usual.
The error said "NET::ERR_CERT_DATE_INVALID" in google chrome and "Warning: Potential Security Risk Ahead" in firefox. So, I assumed that the problem is the SSL. Previously I use free ssl from Cloudflare, thinked that its because its free then the error appeared, I the purchased for Dedicated SSL form Cloudflare. But, I keep get the same Error.
Is there is a solution for this situastion?
Changing the user computer time its not my solution here, because other website working just fine.
Thank You
I found that my user cannot access my website when their computer in wrong set of time.
The expiration of the certificate is checked against the local time of the system. If the local time is wrong the check might fail even if the certificate is not really expired yet.
If it fails depends on how wrong the local time is compared to the expiration time in the certificate, i.e. it might be so wrong that some certificates look expired while others are not yet expired. Some sites use more short-lived certificates and thus are more likely to run into this kind of problems. For example Let's Encrypt certificates are only valid for 3 month, while other CA issue certificates for a year or even longer. And of course sites which only use HTTP instead of HTTPS don't have this problem since no certificates are involved in the first place.
Changing the user computer time its not my solution here, because other website working just fine.
There is nothing you can do against this from the server side. And while some other sites work just fine for the moment it is very likely that there are some sites apart from yours which will not work too. So the problem is not restricted to your site only.
First let me state that I am a Linux noob. I am learning as I go here. Here is my situation. I have an Ubuntu 16lts server, with apache. The software we just installed comes with "samples" These samples are stored in the same directory structure as the program. The instructions have you add an alias and a directory to the apache2 config file. Like so
Alias /pccis_sample /usr/share/prizm/Samples/php
This actually worked :)
However now we want to make sure this site is SSL. I did manage to use openssl to import to Ubuntu the certificates we wanted to use. (i am open to using self signed though at this point its non prod so i dont care)
In trying to find out the right way to tell Apache i want to use SSL for this directory and which cert i want to use. Things went wonky on me. I did manage to get it to use ssl but with browser warning as one would epexct with a self signed cert. I had thought that i could just install the cert on our devs machines and that would go away. But no dice. Now in trying to fix all that i just done broke it. SOOOO What I am looking for is not neccessarily and spoon fed answer but rather any good tools, scripts, articles tips tricks gotchas that i can use to get this sucker done.
Thanks
You need to import your certificate(s) into the browsers trusted store. For each browser on each machine you test with. "What a pain!" you probably think. You are right.
Make it less painful - go through it once. Create your own Certificate Authority, and add that to your browsers trusted certificates/issuers listing. This way, you modify each one once, but then any certificate created by your CA certificate's key will be considered valid by those clients.
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
Note that when configuring Apache or other services, they will still need an issued/signed certificate that corresponds correctly to the hostname that is being used to address them.
Words of warning - consider these to be big, red, bold, and blinking.
DO NOT take the lazy way and do a wildcard, etc. DO keep your key and passphrase under strict control. Remember - your clients will implicitly trust any certificate signed by this key, so it is possible for someone to use the key and create certificates for other domains and effectively MITM the clients.
I've just started my linux security classes and my task is to set up an apache2 server (nginx is allowed aswell but chose the first one) with configuration listed below:
There is one domain (localhost) with different subfolders:
/ssl (any user can access, force redirect to https)
/ssl/user_1 (access with certificate "user_1")
/ssl/user_2 (access with certificate "user_2")
/ssl/any (access with any certificate (user_1, user_2))
/no_ssl (access without certificate)
I don't have much experience with apache2 but succesfully managed to set it up and configured basic ssl. However, I managed to set just one certificate for all folders/subfolders - I've been digging through whole Google (I have three pages of results marked already as visited..) but could not find a proper solution, tutorial or docs how to set up few different certificates, each for a different folder. I found few but it's often the case that the code was written few years ago and does not work anymore in the new version.
I'm not asking for a full solution but I'd appreciate if someone could point me in the right direction or provide some good tutorials/docs about the matter. Some configuration snippets would be awesome aswell of course!
Thank you so much in advance,
F.
I don't think I'm giving too much away when I say you are misunderstanding that part of the question. You are assuming that user_1 and user_2 are server certificates.
This is about client certificates - otherwise options 1 and 4 are the same. Also I think this is implied with the certs being user_1 and user_2 rather than server_1 and server_2. So go read up about client certificates.
Saying that I still don't know how to do this simply for options 2 and 3 so it's still a tricky question. Let us know how this is done after the assignment is finished for my own curiosity and good luck figuring it out yourself!
Some users trying to visit my website are getting a warning explaining "This is probably not the site you are looking for".
One of them sent me a screenshot (I'm sure we've all seen this screen before at some stage):
I'm using an SSL cert signed by StartSSL. It's signed for shareshaper.com and www.shareshaper.com.
You can see that the screenshot says that the user attempted to reach www.wamrc.com. I've never heard of that site before. For some reason though, when I visit www.wamrc.com I end up on my staging server.
I've tested my SSL setup with a number of online testing sites and they all report that everything is fine. I can't seem to replicate the issue myself.
What could be causing this error?
Some Other Thoughts
I have another StartSSL certificate I use on my staging server. This one is valid for staging.shareshaper.com and (I assume, can't quite remember) shareshaper.com.
One user who get the warning was using iPad Safari. Another OS X Chrome.
wamrc.com appears to belong to some dude called Oscar Arbelaez.
The issue was initially reported in this Reddit thread
For example it could be an incorrect DNS A-record for www.wamrc.com (pointing to your IP), or an incorrect cname for the same one, but all this is essentially included in the message in the screenshot.
Your server is misconfigured. Its reporting itself as www.wamrc.com.
You need to talk to your hosting provider.
My wildcard certificate expires in three weeks and I've just renew it and installed the new certificate, so that my IIS has two now.
I have currently more than 30 sites running and I would like to update them one by one to use the updated certificate. Though I dont see a parameter for appcmd set site which allows me to specify which certificate to use. I really would hate to have to delete the old certificate and re-add all sites asap which means my sites would be without SSL for a few minutes.
Seems like there were no other possibilities, I decided to go ahead and update them manually as quickly as possible. When entering the "Bindings" popup for the first website, it warned me (as usual with https bindings) that multiple sites were detected. I ignored the warning and set the new certificate for the first website. That also updated the https bindings on all the other sites apparently. I have checked with various online SSL checkers and the sites all seems to be updated now. Phew.