i guess my .NET application needs to be signed or something. how do i get rid of that prompt unknown publisher when someone tries to install my app?
If it's the prompt I'm thinking of, you'd start by getting a certificate from someone like Verisign and use their certificate to sign your assembly.
You may be able to do a self-signed assembly using the information from these pages:
http://weblogs.asp.net/fbouma/archive/2003/12/23/45396.aspx
http://msdn.microsoft.com/en-us/library/ms247123(VS.80).aspx
http://blogs.msdn.com/junfeng/archive/2006/03/11/549355.aspx
I'd recommnd reading up and going from there.
Related
I'm getting errors, such as the one below, in my /var/log/mail.log file.
Apr 9 18:28:29 blueberry postfix/smtps/smtpd[13294]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1544:SSL alert number 45:
I'm 100% sure the certificates are valid since I'm using them on my websites, all of which couldn't be happier with them. Postfix was also happy previously, but since I renewed the certificates it's been spamming this when my Nextcloud server tries to (and can't) connect to the mail server, despite my mail client still working (although without rDNS as I didn't manage to get my provider to set it up).
I assume the blame is somewhere with Nextcloud - presumably the php handler for mail. Another thing that could be at fault that I tried to check is OpenSSL, but I have no idea how to replace its certificates with my own (generated by Acme.sh).
Both dovecot and postfix have in their config mentioned the correct path to my keys, hence the assumption above.
EDIT: Fixed it.
So, turns out, when I updated my certificate locations when I changed the method of acquiring them (certbot vs acme.sh), I got a typo in one of the filenames. /etc/dovecot/conf.d/10-ssl.conf was correct and so was /etc/postfix/main.cf, but /etc/postfix/vmail_ssl.map had a typo which I didn't see previously - and so was throwing a certificate error.
We have an application that auto-generates a certificate and binds it, using httpapi, to a selected port. Under Windows 7, and 2003/2008 Servers this works like a charm. The certificate can also be rebound to other ports by un-binding, then binding to the new port.
Under Windows 8, however, only unbinding from the old port succeeds. An attempt to bind the certificate to the new port value fails with error code 1312 revealing the message "A specified logon session does not exist. It may already have been terminated."
What's odd here is that when trying to add a bound certificate through netsh it also fails, in elevated console, with the same error and message ("SSL Certificate add failed, Error: 1312|A specified logon session does not exist. It may already have been terminated."), regardless to the port number.
To add suspense, the application has an installer that initially binds the certificate on install, and unbinds it on uninstall. And this thing never fails! The installer works in "Windows 7" operating system context, while the application is under "Windows Vista", if this can be a clue. The console is under "Windows 8" context.
Has anyone had a similar problem under this OS? Any ideas why this might be happening?
Any help is highly appreciated, thank you in advance!
In our certificate generating code, we used X509Store class' methods to add the certificate to the store. Under Windows 8 this rendered the certificate "untrusted" even if the application was run as administrator. The cause might be either different implementation of the class in .NET 4.5 or imposed limitations due to the OS context the application was running in.
Solved the problem by invoking "certutil.exe" through a Process class to add the certificate to the store.
I have a simple cfhttp request (a login) going out to an SSL server:
<cfhttp url="https://www2.[domain].com/api/user/login" method="POST" port="443" >
<cfhttpparam type="formfield" name="username" value="[username]" >
<cfhttpparam type="formfield" name="password" value="[password]" >
</cfhttp>
The request fails before it begins, and the ColdFusion server says:
I/O Exception: peer not authenticated
Both development environments work smashingly. They receive the login session and then hand that to the collector process which successfully taps the remote web service for data.
After I spent a day trying to get the correct certificate into the ColdFusion stores, I had the bright idea to actually compare them to the working development environments. I looked at them (keytool -list), and they are identical.
Now that the obvious is absolved the questions I'm left with are twofold:
Is there some other certificate repository I need to check, or alternately, is there a place where I can get ColdFusion to tell me what certificate repository it needs to find the certificate IN (on the off chance it can and has been altered) or if that is even possible.
Identify and correct else could be causing this.
Are the development and production environments the same? Are they all, for example, ColdFusion 9 Standard or ColdFusion 8 Enterprise?
In my experience, this error is usually caused by one of two things:
The administrator failed to install the certificate into the cacarts repository, or they installed it into the wrong one.
ColdFusion Enterprise and ColdFusion Developer edition (for ColdFusion 8 and ColdFusion 9 both, I believe) have an issue with the built-in BSafe CryptoJ library that is installed and certain types of certificates (I have not yet been able to determine a pattern) that causes this error. There are some workarounds if this is the case.
First, I would explore the possibility that you are importing into the wrong certificate repository. It can be hard to tell which repository is being used. In your CF Admin under "Setting Summary" you should be able to find the location of the JRE that is being used. It is listed under "Java Home". Take that directory and add lib/security to the end of it and that should be the location of the cacaerts file that is being used. I say should because I have seen at least one weird situation where it was not.
I HAD the same problem and I tried everything and can't fix it. Strange is that everything worked fine then suddenly stopped working. It might be a Java update on the server causing the problem or a change of the certificate from the website the CFHTTP is trying to access.
Anyway, here is a link I setup for a "demo" of this problem:
http://www.viaromania.eu/https.cfm
As you can see, I am trying to access a HTTPS service using CFHTTP tag. And it is not working. I deleted the certificate from C:\ColdFusion9\runtime\jre\lib\security\cacerts, generated a new one from the website URL, imported back, installed "certman" under CFID/admministrator, checked the certificate, it's there... and it's listed in my test page.
If you scroll to the bottom of my test page, you'll see a similar CFHTTP to https://www.google.com and this works fine, even if there is no certificate installed on the server.
It is important to mention that the request is working just perfect on my development machine, and here I also don't have any certificate installed...
AND THIS HOW I FIXED IT
1. Updated ColdFusion 9.0.2 with this - https://helpx.adobe.com/coldfusion/kb/cumulative-hotfix-1-coldfusion-902.html
2. Installed Java JDK 1.7.0_79 from here http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
3. Changed the Java Home in ColdFusion Administrator / Server Settings → Java and JVM from "C:\ColdFusion9\runtime\lib\jre" to "C:\Program Files\Java\jdk1.7.0_79\jre"
That's it. I don't know if it uses any certificate or not. They were installed in the "C:\ColdFusion9\runtime\lib\jre\lib\security\cacerts" and not moved from there or anything.
I've searched through web for couple hours on this issue, and none of the answers I found didn't really fit into my problem, so here's me, asking my first-ever question in SOF.
So, I'm trying to open a web-browser from a java program using the htmlunit library. The web site I need to connect requires SSL connection, and the certificate is stored in a USB key. Its iKey2023 product.
The system used to work(I did not write it), but one of the certificates in the USB key expired, so it automatically moved on to the next one (there were 4 certificates in total), and it suddenly stopped working.
It is giving me javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated error.
I'm back home now and I forgot the exact name of the method, but I remember the following.
Browser instance is created, using IE8
browser.setWebConnection method was called. This method, according to the API, is an internal API.
Make connection to the website by passing the URL as parameter
It's throwing the exception at step 3.
Some more details. The little details might be incorrect but I'm trying to describe a big picture.
At step 2, the method requites WebConnection object as a parameter, and there is a implementation of that interface. Within this implementation, a keystore is created using sun.security.pkcs11.SunPKCS11(configFileInputStream) (did I spell that correctly?)
It was sth like this.
Provider p = new sun.security.pkcs11.SunPKCS11(configFileInputStream);
Security.addProvider(p);
And create a keystore from this provider.
Using this keystore, within the WebConnection implementation, it creates a SSLSocket.
So, after the certificate has been switched to a new one, it's not picking up the certificate correctly.
Here's what I've tried.
I've tried to use different methods in the htmlunit library, something like setSecurityProvider, and I tried to put the Provider object created in above code snippet. I got class cast exception.
I tried to manually set the system properties(trustStore, trustStorePassword, keyStore, etc). In order to do this, I wanted to export the certificate out of the USB key, but it did not let me export the private key out from it, so I could not really create a valid PKCS12 file out of it (openSSL wanted a private key file along with .pem file for conversion, and I did not have that key file).
They did not work, and I'm so stuck right now.
I have a similar issue. In my case, an admin changed the certificate and I began encountering the same SSLPeerUnverifiedException.
I found that I can set the WebClient to use insecureSSL (prior to calling getPage())and I will no longer get the exception.
webClient.setUseInsecureSSL(true);
This however, doesn't resolve the issue as the server basically doesn't authenticate the client.
Its as if the WebClient is storing something that doesn't work with the new certificate.
Our code-signing certificate recently expired. It's been renewed, but now whenever I try to package the app with the renewed cert (whether I attempt a migration of the expired cert or not), after installation, I get the following message any time I try to run the app:
"This installation of this application is damaged. Try re-installing or contacting the publisher for assistance."
Opening up the package contents, the publisherid file inside Resources/META-INF/AIR is blank. This is apparently the problem, because if I manually edit it to contain our previous publisherID, the app will run.
But of course, it's not like we can tell all our users "oh install it then manually edit this file inside the package."
Has anyone encountered this or know how to fix it?
Ah, after a bit more banging my head against my desk I got it.
For anyone who comes after me:
I had to change a couple things in my app descriptor file.
First I had to change the namespace to point at AIR 1.5.3 instead of 1.5
<application xmlns="http://ns.adobe.com/air/application/1.5.3">
And then I had to manually specify our old publisherID in the descriptor as well
<id>OurAppID</id>
<publisherID>OurOldPublisherID</publisherID>
Now it works just as it's supposed to, installs as an update to our old version instead of a new app, and actually runs instead of just throwing that error.