I have my API running under IIS 10. I have applied the server certificate to the site. In IIS I have also enabled SSL and I am requiring a client certificate.
The certificate has the full chain with password. In my postman request I am attaching the same certificate to my request but it always comes back 403 forbidden. If I remove the requirement for client certificate on IIS then postman request hits the API.
What am I missing? Additional folder permissions?
I already have IUSR, IIS_IUSR & the app pool
Or do I need to add something to web.confg ?
Thanks for looking
Related
I've deployed the frontend of a web app to Firebase. Now when I try to make request I see that request is going to https://the_url but the backend link is http://the_url and I get the following error.
Mixed Content: The page at 'https://the_url' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://the_url. This request has been blocked; the content must be served over HTTPS.
I tried to get SSL certificate and import an certificate to AWS to make connection https, but I wasn't able to get it.
I'll attach an image to illustrate what I'm looking to do:
Note: The above photo should say "Redirect to HTTPS"
To preface, this is the following is the technology stack
DNS: GoDaddy
Proxy: Cloudflare
Client: React app hosted on Heroku
Server: Flask API hosted on Heroku
The flow at least to my understanding is this:
User enters in domain.com in browser and GoDaddy forwards all traffic to Cloudflare so that the site is viewed securely
Cloudflare then forwards the traffic to where the client is hosted
Once client is loaded, it makes a request to the server to receive a CSRF token. The CSRF token is generated by a method within flask-wtf. A session is created in the server and in the response, the CSRF token is attached to the header
Here things gets weird
Since the response received on the client never had the CSRF token attached to the header and no cookie was set on the browser, I would assume that the response goes to Cloudflare before the response hits the client. As a result, the CSRF token is never received. Not sure why this is the case.. But after a bit of research, I've discovered that Cloudflare does this by default.
It seems that a work around would be to use Cloudflare Workers, but that seems only available if their DNS is being used. Ideally, I would like to stick with GoDaddy.
I was wondering if anyone else experienced this and found a different solution.
How can I get an URL exposed through AWS API Gateway to trigger the notification popup for certificate selection in the browser?
I have an API Gateway that (I hope) has been correctly configure to use mutual TLS authentication. For example, unless I provide the client certificate, a curl request fails. But, when I try to open an URL directly in Firefox, I only get a blocked request in the developer tools' console, rather a popup asking me to select a certificate to use.
I have found that Firefox does not offer the option to import a certificate if there are none already imported. But, after importing it and reloading the URL, it gives the option to select the client certificate I want to use.
I am using wso2 api manager 2.6.0. I have created a prototyped api. When I try to invoke the api from store api console ,I get an error
TypeError: Failed to fetch
When I take the curl command from the api console and execute it from command prompt on the same server where wso2 api manager is installed I get the expected response.
As it a GET method , If I take the url and execute it on a chrome browser , it takes me the management console page. When I sign in to the management console page , the browser displays Error 405 - Method Not Allowed
When I trigger the endpoint from postman, it returns an html page which is the same management console page.
I have checked that the host and port for the gatewayendpoint and OAuthConfigurations/revokeapiurl are same and the host is whitelisted in the store site.json.
Any idea what is wrong or how can I debug it.
Usually TypeError: Failed to fetch comes because of the self-signed certificate which comes by default with the server. If that is the case, accepting the security certificate from the browser should fix the problem.
From docs[2]:
Troubleshooting
If you cannot invoke the API's HTTPS endpoint (this causes the
SSLPeerUnverified exception), it could be because the security
certificate issued by the server is not trusted by your browser. To
resolve this issue, access the HTTPS endpoint directly from your
browser and accept the security certificate.
If the API Manager has a certificate signed by a Certificate Authority
(CA), the HTTPS endpoints should work out of the box.
[2] https://docs.wso2.com/display/AM260/Invoke+an+API+using+the+Integrated+API+Console
I am using webservice in my .NET based application.The web services are called from control M job which connects to our server where B2B services are hosted and files are fetched. Recently the link between interface and webs service was broken. When I tried to hit the web service in our browser it gave error as SSL certificate got expired.But the website was working fine without any certificate error, and the only certificate bound in the server was not expired. We renewed the certificate and bound it again in IIS, but then we were not able to hit the web service and getting the error page not found. Can anyone tell the reason for it?