I had never installed SSL onto a Windows Server before, now I ran into a problem.
I had a website hosted by Smarter ASP, and I got a SSL certificate from them. Then I moved the website into Azure as a App Service, without creating a virtual server myself. I imported the pfx file into Azure, and it worked.
Now I want to move the website into AWS.
I created a Windows Server EC2 instance in AWS. I did all the A Record and CNames changes. Now when I request "www.teacherspet.net.au", the home page is returned without any problem.
I then did the following to import the SSL certificate into the AWS EC2 server:
On "Server Certificates", I imported the pfx file using "WebHosting" as the certificate store;
I added a HTTPS binding on the site, with ip address being "*" and host name being empty;
I checked the "Require SSL" checkbox on "SSL Settings".
I have also added the same pfx file into intermediate certificate:
However, when I requested "https://www.teacherspet.net.au", I got
This site can’t be reached
www.teacherspet.net.au took too long to respond.
Why? I can't figure out what went wrong. Please help!
I am terribly sorry for the silly mistake - when I created the Network ACL inbound rule, instead of selecting "HTTPS (443)", I accidentally selected "HTTPS* (8443)". Once I corrected it, everything works. Thank you disflux for your help!
Related
If I make a request to my Daphne/Django server in Postman or the Android app we're developing, Daphne serves the certificate, but it's rejected. If I first make a simple get request to https://letsencrypt.org/ and then make a request to my server, the certificate is accepted.
How can I make sure a client will trust my certificate, even if it's the first time this client is seeing a certificate issued by this CA?
Everything bellow can serve as a history of how I studied the problem.
Original title: SSL Certificate works in browser but can't be verified by Postman
I have an AWS EC2 instance running Ubuntu 18.04, with python 3, Django, a bunch of project dependencies, Daphne running with ASGI, with a certificate by Let's Encrypt. Daphne is using port 8000 for HTTP and por 4430 for HTTPS, iptables is configured to redirect requests from port 80 to 8000 and from port 443 to 4430. Django is configured to enforce secure connections with SECURE_SSL_REDIRECT=True in the settings.py file.
There's a "Site in Construction" temporary page being served, and it's properly accessible from every browser and every device I tested so far. If I explicitly type http, I get redirected to https and the certificate is accepted. Every browser I tested (Firefox, Brave, Chrome, Chrome for Android) says cert is good.
Curl outputs the HTML content returned from the server. I don't know if it accepts the certificate or ignores it.
The Problem
Postman, however, says "Error: unable to verify the first certificate". Only works when I disable "SSL certificate verification", which doesn't answer my question: why Postman is unable to verify my Let's Encrypt certificate?
I'm building an API that runs on the same server, using the same domain, and it's meant to be consumed by a mobile app. Currently, the Android app is throwing a "TypeError: Network request failed", which I suspect could be caused by the same thing Postman is complaining about.
When I spin the server locally and configure 1) the app to use http://localhost:8000 and 2) the server not to enforce SSL, it works in browsers, Postman and in the Android app.
I've being looking for answers in many places for days, so any clue will be very welcome.
EDIT
Interesting clue:
If I make a request to my Daphne/Django server, it servers the certificate, which is rejected. But if I first make a request to https://letsencrypt.org/ and then make a request to my server, it works!
This pattern holds true in both Postman and our Android app.
It also happens when I first make a request to https://alloy.city (instead of letsencrypt.org), which is served by a Node.js app, and uses a certificate also issued by the Let's Encrypt CA.
So maybe the question should be: how to configure my server to politely invite clients to add the CA that issued my certificate if they hadn't done it yet?.
Apparently, that's what my Node.js server does.
Yes, in settings, tap ssl verification off
File > Settings > General > SSL Certificate Verification > off
So I have a very weird problem, I have a website and when I'm connected through wifi everything is fine, chrome and Mozilla are loading my website.
But when I switch to LTE internet my website is working fine only on Mozilla. Chrome is throwing ERR_CONNECTION_RESET error. I tried turning off firewall and restarting the server, but it doesn't change anything. The website was made in Django.
On the other hand, when I'm connecting directly to IP, it's working (I see 404 from apache, but that's because it's configurated to work with domain).
I'm using also certbot, but it's not looking like certbot fault. It's rather something connected with domain configuration.
I'm using OVH services both for server and domain. In domain I added only ip4 and ip6, DNS servers were left in the default configuration.
Ok, so to fix it I removed IPv6 redirect from the domain. And now it's working. I hope that it will help someone :)
I need to be able to hit a web service using SoapUI to inspect the request and response. I was previously provided with a certificate in the form of a .PFX file, along with the keystore password, which I could import into SoapUI and successfully hit the service.
The certificate I was provided recently expired, and my company has now deployed a new certificate via SCCM to my machine. I have the certificate installed in both Local Machine and Current User.
My question is:
Is there a way to use an installed certificate (meaning I can't export it first) to complete the SSL/TLS handshake when making a request via SoapUI?
Everything I've been able to find on the web has referenced exporting the certificate and setting the SSL settings in SoapUI (like I did before). Unfortunately, I do not have required authority to export the certificate to a .PFX file with a keystore password...
I assume there has to be a configuration setting of some sort in SoapUI that will let me hit the service with my installed certificate, but I can't find it for the life of me. Any help is greatly appreciated!
Even confirmation that it's impossible is appreciated; just not as much as I would appreciate a solution ;)
Thanks in advance!
I have a test server that I can ping successfully although I'm not able to see a hello world test page I've created and mapped in IIS. I've also created an Inbound rule in the windows firewall. Is there something else I'm missing? I'm browsing http://x.x.x.x:888
Any advice greatly appreciated.
Many thanks,
Update
This is a AWS server
Have tried telnet from a client machine but I get Operation timed out
Nothing in IIS logs (C:\inetpub\logs\LogFiles\xxx)
Port 888 is what I assign the test website to in IIS
Have also moved the test file (index.htm) into the default website within IIS and tried browsing http://x.x.x.x:80/index.htm but I get This site can’t be reached
browsing http://localhost on the server displays the 'hello' message test page.
In windows explorer I've gone to the security settings by right clicking on the website folder and allowing 'everyone' read access
Firewall screen shot
Important update
the IP http://x.x.x.x:888 is the public IP within AWS for the server, not the interal IP of that actual server
On windows 10, I found a firewall issue for my testing server, this worked for me: go to Windows Firewall -> Advanced Settings -> Windows Firewall properties and set a public profile to allow incoming connections.
I keep getting Connection Failed when trying to request data from a page that is on an https:// domain. I did install the ssl cert using the built-in section of the railo admin at https://[mydomain]/railo-context/admin/server.cfm?action=services.certificates however I still get Connection Failed. How should I go forward with debugging this? I have confirmed that this server in particular does have access to the domain I am trying to request from.
You probably need some additional certs installed as Jason has said. Take a close look at the cert and it's chain. Go to the cert issuers site and look for some documentation.
To troubleshoot you can add some logging to your jvm args. I think it's something like:
-Djavax.net.debug=all
The results are either in the OUT log or the server.log. This post on SSL 3.0 has some debugging tips. It's possible that your cert needs to handshake at a lower security level than CF allows (SSL 2.0 instead of 3.0/TLS for instance) and that could cause this behavior - but it's more likely that you simply need an intermediate cert installed.
The problem ended up being the permissions weren't setup properly on the machine. After we had the server administrator fix our permissions to access the Railo-Tomcat Service Control, the requests started working. I'm assuming he fixed some other permissions while he was in there.