I got an issue from my client regarding the SSL setup for his website. I'm not familiar with the SSL certification setup process. He is saying that We have an SSL certificate for this server but I can’t tell if it’s setup properly or not.
If I open that website, firefox says Warning: Contains unauthorized content. I am seeing some details in the warning message window which are given below:
Web site: mydomain.com
Owner: This web site does not supply ownership information
Verified by: Not specified
Mainly I want to know whether the SSL certificate used for this site is valid or not. Can anybody suggest a way to check for the SSL certificate validation of a website.
Thanks
Telnet the server on port 443. If it is responding then it is a certificate problem
To install certificate
Check this
Related
https://codesandbox.io/ seems to have an invalid SSL Cert or so my browser suggests. As such, my companies proxy services are blocking this site. Anyone have any info on why this is happening or who we could reach out to to get this resolved?
Can someone kindly help me understand the following and suggest a possible fix?
Problem: Secure websocket (wss) connection fails in Chrome browser, when using a multi domain (SAN) SSL certificate
Details: We have a multi domain SSL SAN certificate that covers, say, webapp.example.com and websocket.example.com. The page https://webapp.example.com/ loads correctly (the domain is verified correctly against the SAN certificate by the browser, and a 'lock' icon is shown to indicate that the connection is secure). However, the said web application on that page also attempts to makes a connection to wss://websocket.example.com/. This connection is failing with ERR_CERT_COMMON_NAME_INVALID.
A weak hypothesis for the failure: This error is possibly because
The browser first opens an SSL connection to https://webapp.example.com after verifying webapp.example.com as a valid domain in the SAN certificate
When a connection is made to wss://websocket.example.com, the name 'websocket.example.com' does not match with the domain that has been previously verified (webapp.example.com).
Question: Is it possible to make this work? If yes, how?
Your hypothesis is wrong. The certificate validation is always done against the domain in the currently accessed URL. It is not done based on some URL previously accessed, even if the provided certificate was the same.
It is more likely that the domain you access is actually not contained in the multi-domain certificate. Note that an entry of webapp.example.com or example.com in the certificate does not cover websocket.example.com or similar in the URL.
I am trying to publish my Alexa skill using Letsencrypt SSL Certificate.
Google Chrome does not show any warning icon if I browse to my https URL using letsencrypt certificate.
However, when I try to test using Alexa console, an error occurs as :
"SSL Handshake failed".
I see on Amazon Alexa forums that there is a buzz around letsencrypt support.
Some posts say it is supported and some say it isn't.
Could someone here clarify whether letsencrypt free SSL certificate is supported for building custom alexa skills ?
Download the contents of your fullchain.pem cert, from /etc/letsencrypt/live/<domain>/fullchain.pem on your server
On your skill config page, select the "SSL" Tab.
Mark "I will upload a self-signed certificate in X.509 format."
Paste the contents of your fullchain.pem file.
I was able to get a Let's Encrypt wildcard certificate working with an Alexa custom skill after choosing the option "My development endpoint is a sub-domain of a domain that has a wildcard certificate from a certificate authority" in the developer console.
I also had an issue with a Nginx reverse proxy configuration that caused a failure in the Alexa Simulator and provided no helpful error. Fortunately you can also use the Manual JSON option which yielded the error "Cannot establish SSL connection to your skill endpoint".
I was able to track the issue down to the ssl_ciphers value in the ssl.conf file. Even though it was compatible with the Intermediate Security recommended setting for TLS 1.2, I had to comment it out to make it work. I hope someone else can determine why Amazon servers reject the certificate when this setting is used, it could be that TLS 1.3 is now required.
I am trying to create an HTTPS-tunnel on my machine. My intention is having all requests to https://localhost:8888/<something> (the port where Fiddler is listening to) be directed to https://myserver.net/<something>. I am using the following script as per Fiddler doc:
static function OnBeforeRequest(oSession: Session) {
// <Fiddler 2 preexisting code>
// HTTPS redirect -----------------------
if (oSession.HTTPMethodIs("CONNECT") &&
(oSession.PathAndQuery == "localhost:8888"))
{
oSession.PathAndQuery = "myserver.net:443";
}
if (oSession.HostnameIs("localhost"))
oSession.hostname = "myserver.net";
// --------------------------------------
// <Fiddler 2 preexisting code>
}
Also in Fiddler settings I checked the decryption check and installed certificates as you can see in the image below:
I restart Fiddler, it prompts me to install its fake certificates, I agree. I can see the certificate in my Windows Certificate System Repository when using certmgr. It is a self-signed certificate.
So What I do is opening a browser and type: https://localhost:8888/mypage.html, and what I get is an error. Internet Explorer reports this:
Error: Mismatched Address. The security certificate presented by this
website was issued for a different website's address. This problem
might indicate an attempt to fool you or intercept any data...
When I get certificate info (basically the certificate presented by the contacted host is being rejected, the same certificate can be displayed), I can see that the rejected certificate was issued by Fiddler and the subject is myserver.net.
So the certificate is ok because it is certifying myserver.net, I see that the problem is that probably my browser was expecting a certificate whose subject is localhost. Is it true?
How to handle this situation?
Assumption
I can understand that the problem is a certificate being issued for a website which I did not ask for. So the solution would be using a certificate certifying localhost:8888?
A certificate is valid if it is directly or indirectly (via intermediate certificates) signed by a trusted CA and if the hostname matches the certificate. If the last condition would not be enforced anybody with a valid certificate from a trusted CA could incorporate any other site.
To make use of fiddler and not run into this problem you should configure your browser to use fiddler as a web proxy and then use the real URL inside the browser instead of ip:port of fiddler.
I have open ssl installed on the server, all the key ,csr and crt on the server. Configured apache conf to the correct path for key and cert but i don't see a lock in the url(firefox 3.6.2).In chrome it shows https crossed out with red.Does this mean the certificate is not working properly? I have apache2 as the web server.
tls provides both encryption and authentication.
Encryption means that outsiders are unable to read your traffic.
Authentication means that you are confident of the identity of the host your are communicating with.
If chrome crosses out the https, it means that you are using tls, and you have probably set up encryption properly, but chrome is not confident in the authentication of the server. Typically, this is caused by an untrusted certificate; either the subject does not match, or the CA is not trusted.
If you are using a self-signed cert, then it's probably an untrusted CA. Installing the CA into chrome should fix the problem.
I face same problem some time ago that I have installed the SSL certificate successfully but still it show cross on browser address bar, I found the issue was caused due to a image and a javascript file which was included as absolute HTTP url. I change absolute URL to relative and now both files were loading over HTTPS and browser show green bar.