http 403.4 error when using https - ssl

I'm getting the http error 403.4 - Forbidden: SSL is required to view the resource error using IIS6, even though the url starts with https.
It's a classic asp site, that used to work until the path to the files was changed. The path had to be changed because the site had to be upgraded. After getting the error; putting back the original path doesn't either.
Does anyone have any idea what I should check to resolve the above mentioned error?

Try following Configuring SSL on a Web Server or Web Site (IIS 6.0) from Microsoft. It specifically mentions the error you get:
If you set your Web site to require
SSL, as in step 6 above, and you have
not completed setting up SSL for the
site, then users browsing your site
will receive this error: "HTTP Error
403.4 - Forbidden: SSL is required to view this resource." To avoid this
condition, either complete all the
steps in the list above, or go back
and clear the Require Secure Channel
(SSL) check box (see step 6).

Related

ArcEnterprise issue with connecting to Developer WAB?

I have been having some issues connecting to the Developer WAB application from the Enterprise instance I am currently using. I have followed all of the steps outlined in the guide provided by Esri here and seem to be running into an authentication loop in my browser.
There is an error in the web page Console that states that there is 'No 'Access-Control-Allow-Origin' header present on the requested resource'.
The error displaying in the Web AppBuilder for ArcGIS says that there is no token found, and so redirects back to the 'setportalurl' page. Any ideas on how this can be resolved?
No token is found, redirect /webappbuilder/ to /webappbuilder/?action=setportalurl
Cheers
As the Developer WAB uses the machine name and port for it's domain, ArcGIS is rejecting the request for security reasons.
If you paste the full domain into the "Allow Origins" section of your portal's security settings and save, this should then work properly.
Might not be applicable to your scenario, but for people getting the same error when working from localhost this can be an issue with WAB Dev Edition's self-signed cert.
The solution for me was to allow the chrome flag:
chrome://flags/#allow-insecure-localhost

Can't fetch API Resource

I have a react-native application which I'm hooking up to an existing API which already has two clients (webapp, chrome extension). For some reason I just get the generic [TypeError: Network request failed] with nothing more.
The requests that are failing are just basic get requests such as
fetch('https://api.mydomain.com/pages/') or axios.get('https://api.mydomain.com/pages/') and they work fine from the webapp and chrome extension that are using this API as well - the requests only fail from the react-native application.
Everything I'm finding on google for this is in regards to localhost or SSL Certificate problems, although these are not my issues because I'm trying to pull from a deployed server and also that server has SSL correctly enabled and I'm using the https endpoint.
Some more notes:
when I do go against localhost (using the IP Address, not localhost address) I get this same error.
I'm getting this error on Android and I haven't touched nor am concerned yet with iOS
I get this same error with fetch and axios
The request goes through OK with this endpoint https://jsonplaceholder.typicode.com/posts/1 and I get back a response
This last note is the most interesting because I believe that means there is some issue with my server, however my server is not receiving any request... I have opened up CORS for testing purposes but have the same issue, although if that were the issue the server would have received the request and responded with 403.
This has to do with Android not trusting my SSL certificate. Apparently Android has some additional trust requirements on top of what web browsers require.
I found this through error.request._response via the axios catch block which showed me the error java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
After figuring that out, the root cause ended up being my SSL Certificate uploaded to AWS didn't have the correct intermediate cert which was fine in chrome, but not in android.

WSO2 Identity Server - Cannot Configure Custom Catch-all Exception Page

WSO2 Identity Server 5.0.0
For things such as a 500 errors and anything unforeseen, I'd like to configure my Identity Server instance to have our own branded error page to hide the server technology for security reasons and also just allow the error a little confusion.
At any rate, this no help: https://docs.wso2.com/display/IS500/Customizing+Error+Messages
I tried editing /repository/conf/tomcat/carbon/WEB-INF/web.xml and added the standard way to define an error page for exceptions:
<error-page>
<exception-type>java.lang.Exception</exception-type>
<location>/NiceError.jsp</location>
</error-page>
and then placed NiceError.jsp in /repository/conf/tomcat/carbon/
So when I make a 500 error reoccurr, things change, but I'm sent to the carbon management console login page. If I decide to login, I get served up with an 405 error like so:
HTTP Status 405 - HTTP method GET is not supported by this URL
type Status report
message HTTP method GET is not supported by this URL
description The specified HTTP method is not allowed for the requested resource.
Apache Tomcat/7.0.55
The URL looks like: https://hostname:9443/NiceError.jsp?sessionDataKey=eabd6c25-7c79-40a9-af87-3cd80a68367e&loginStatus=true
That doesn't help.
How can this kind of thing be setup to work? It can't be hard with the right information. Right? :)
The referred documentation page is to customize error messages for identity related errors as its name sounds. It is not to create custom error pages.
By the way if you need to create custom error page, which is applicable to all web applications in your server instance, you may need to add your error page to web.xml in /repository/conf/tomcat/ directory. It defines default values for all web applications loaded into your instance of Tomcat. As each application get deployed, above file is processed, followed by the /WEB-INF/web.xml deployment descriptor from your own applications.
Thanks

SSL Website showing 404 error over non-SSL (HTTP)

I've set up an SSL site on server 2012 using CCS and SNI. When attempting to navigate to it over a non-SSL link (http), the site throws a 404 error.
How can I get it to show the "This site requires SSL" message?
You need to add HTTP to your bindings in IIS.
Instead of showing "This site requires SSL" you should redirect your user to the equivalent SSL page (e.g. http://twitter.com/about would redirect to https://twitter.com/about).
It is bad for both end-users and SEO to display a message with a message asking the user to change the URL. If you look at different websites on the Web you can notice that this is automatic and doesn't require any action from the user.

why no 403;4 error in IIS6 when user connects to SSL-secured site using plain HTTP

I was under the impression that if a user attempted to visit a website that had been secured with an SSL certificate, but did not use HTTPS and instead used plain HTTP in the address box, a 403;4 error would be generated, and that an errormessage something like this would be presented:
"This page must be viewed over a secure channel"
"The page you are trying to access is secured with Secure Sockets Layer (SSL)."
But that's not happening on our website. You can use http://secure.oursite.com or https://secure.oursite.com and both work fine.
The company that issued the SSL certificate says our certificate checks out OK in their certificate checking tool and that it's "chaining properly" and that this is an IIS configuration issue.
Does this SSL over HTTP error checking have to be explicitly enabled?
I was planning on creating a custom error for the 403;4 condition, pointing to a file, which redirects to https://secure.oursite.com. But the error condition is not being trapped by IIS.
EDIT: I've stopped and restarted the server. Not solved.
Thanks
As per this article have you checked the "Require secure channel (SSL)" box in the properties for your site? This is what triggers the error. You can then create the redirect using a custom error page.
a 403;4 error would be generated
That's not what happens in my site. My site automatically redirects to the HTTPS port. It's done free of charge by Tomcat.