I have my API running under IIS 10. I have applied the server certificate to the site. In IIS I have also enabled SSL and I am requiring a client certificate.
The certificate has the full chain with password. In my postman request I am attaching the same certificate to my request but it always comes back 403 forbidden. If I remove the requirement for client certificate on IIS then postman request hits the API.
What am I missing? Additional folder permissions?
I already have IUSR, IIS_IUSR & the app pool
Or do I need to add something to web.confg ?
Thanks for looking
I do have a Stripe webhook which is successfully caught and processd in Stripe's TEST MODE, on http local host server.
However, when switching to Stripe's LIVE MODE DATA, the webhook returns status code 500, while the EC2 instance is untouched, no logs being generated.
There is no issue with Signing secrets or Stripe keys, the event never reaches the HTTPS endpoint of the EC2 created using a Load Balancer.
Stripe's support cannot pronounce to this so any suggestions of why this could happen or how to handle it is very welcome.
The error displayed on Stripe is:
HTTP status code 500 (Internal Server Error)
Response Failed to connect to remote host
I have added a whitelist middleware to the express server running on EC2:
app.use((req, res, next) => {
console.log('Always inside ', req.originalUrl);
next();
});
before handling the stripe webhook URL
app.use('/afterpayment', bodyParser.raw({ type: 'application/json' }), afterPaymentRoutes);
in order to see if Stripe event reaches the server, which is not happening.
However, if i manually enter into browser the Stripe Webhook URL, domain/afterpayment, the result is as expected: whitelist middleware prints the message and webhook handler takes over.
I was having a similar problem, and watching this thread. In my case, the issues were a few different things. I'm forcing https to my site (elb is redirecting any traffic from 80 to 443). The app on my ec2 was accepting connections over port 80. Access to the site was working. I thought maybe stripe sending the webhook data to the elb was breaking because of the redirect. This wasn't the case. However, I had a security group that was only allowing access from my IP address (for testing). Changing this to 0.0.0.0/0 from the internet (actual production access) didn't completely fix the problem but I wanted to get things set up to as close as real-world as possible. In the stripe dashboard I created a new webhook pointing to the app endpoint I exposed for testing. From the Stripe dashboard I hit the "Send a test webhook" button. This time instead of getting a timeout the error was invalid signature. So, I knew that exposing the site to the internet was part of the problem., (Yes, I could have created a security group that only allowed access from the IP addresses where the webhook data originates from, but again - I wanted to keep this as close to production as possible thanks #justin-michael for the nudge in the right direction). My app was still using the test webhook I set up for development. When I created the new webhook it also created a new signing secret. I pulled this new webhook signing secret into my app then ran the "send test webhook" again and it was successful. So, allowing the correct access from Stripe and making sure the signing secret was correct fixed the problem for me.
The problem was that the domain was not properly exposed on the internet.
So I have Elastic Beanstalk environment running a node.js server app on which I set a Load Balancer and exposed the server over HTTPS.
While trying to catch a webhook sent by a 3rd party app, like Stripe, nothing arrived on the server, even though I could successfully simulate POST request to the domain endpoint. The domain was also accessible through browser (or so it seemed).
The issue was that the domain name linked to load balancer was not resolvable publicly on the internet. Here are 2 useful links:
https://www.ssllabs.com/ssltest/index.html
https://dns.google.com/query?name=&rr_type=ALL&ecs=
Running tests on them unveiled problems related to DNSSEC configuration of my domain, which was not enabled on my domain.
While following this instructions i did:
On Hosted Zones, under DNSSEC signing -> Enable DNSSEC signing.
Created KSK and Customer managed CMK
Under DNSSEC signing, copied the information from View information to create DS record
On Route 53, on Registered Domains -> on the domain -> DNSSEC status, created a new key with info from previous step
After this, all tests passed and the webhook was successfully handled.
How can I get an URL exposed through AWS API Gateway to trigger the notification popup for certificate selection in the browser?
I have an API Gateway that (I hope) has been correctly configure to use mutual TLS authentication. For example, unless I provide the client certificate, a curl request fails. But, when I try to open an URL directly in Firefox, I only get a blocked request in the developer tools' console, rather a popup asking me to select a certificate to use.
I have found that Firefox does not offer the option to import a certificate if there are none already imported. But, after importing it and reloading the URL, it gives the option to select the client certificate I want to use.
I am using webservice in my .NET based application.The web services are called from control M job which connects to our server where B2B services are hosted and files are fetched. Recently the link between interface and webs service was broken. When I tried to hit the web service in our browser it gave error as SSL certificate got expired.But the website was working fine without any certificate error, and the only certificate bound in the server was not expired. We renewed the certificate and bound it again in IIS, but then we were not able to hit the web service and getting the error page not found. Can anyone tell the reason for it?
Scenario:
A client calls WebService A on the LAN. WebService A is running under an App Pool with Identity "Network Service".
WebService A does some work, prepares to call WebService B.
WebService B requires a client cert (*.cer) and SSL.
WebService A is on a dedicated Windows 2003 server.
Everything works in the Dev environment as it should (but the developer with Administrator privileges is always logged on locally (no surprise!).
The certificates are stored on disk at C:\MyCertificates\
The certificate is being applied at runtime successfully in Dev with this snippet: myWebService.ClientCertificates.Add(new X509Certificate.CreateFromCertFile(certPath));
Problem:
WebService A is calling WebService B, and the returned exception is:
The request failed with HTTP status
403: Forbidden
This really means that the certificate was not sent in the request to WebService B.
I am under the assumption that installing this cert into the browser is not a solution. The browser settings typically are per-user, and I need to give the certificate to the user whose credentials the web service is running under. (e.g. Network Service, System, or whatever is in the IIS AppPool settings).
Question: How can I grant access or association to my certificate living at the specified directory location to the Network Service or other non-user account?
This Microsoft knowledgebase article may be of use:
How to call a Web service by using a client certificate for authentication in an ASP.NET Web application (MS KB901183)
Your web service 'A' would effectively be the ASP.NET application calling the web service as described in the article.