I am getting the below exception when I invoke a jax ws webservice from my application deployed in WebSphere Application Server 6.1
SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=yyy.com, OU=For Intranet Use Only, OU=Web Hosting, O=xx, L=xx, ST=xx, C=xx" was sent from target host:port "*:9445". The signer may need to be added to local trust store "F://../trust.p12" . The extended error message from the SSL handshake exception is: "No trusted certificate found".
The enpoint url has https.
With the same enpoint url I am able to get a response from SOAP UI(Tool) without any certificate configuration etc..
Could you help me on this ?
I finally was able to fix this small issue.The Server certificate needs to be added to the websphere appserver truststore.This can be done from the admin console of websphere by providing the server domain and port.
Related
If I make a request to my Daphne/Django server in Postman or the Android app we're developing, Daphne serves the certificate, but it's rejected. If I first make a simple get request to https://letsencrypt.org/ and then make a request to my server, the certificate is accepted.
How can I make sure a client will trust my certificate, even if it's the first time this client is seeing a certificate issued by this CA?
Everything bellow can serve as a history of how I studied the problem.
Original title: SSL Certificate works in browser but can't be verified by Postman
I have an AWS EC2 instance running Ubuntu 18.04, with python 3, Django, a bunch of project dependencies, Daphne running with ASGI, with a certificate by Let's Encrypt. Daphne is using port 8000 for HTTP and por 4430 for HTTPS, iptables is configured to redirect requests from port 80 to 8000 and from port 443 to 4430. Django is configured to enforce secure connections with SECURE_SSL_REDIRECT=True in the settings.py file.
There's a "Site in Construction" temporary page being served, and it's properly accessible from every browser and every device I tested so far. If I explicitly type http, I get redirected to https and the certificate is accepted. Every browser I tested (Firefox, Brave, Chrome, Chrome for Android) says cert is good.
Curl outputs the HTML content returned from the server. I don't know if it accepts the certificate or ignores it.
The Problem
Postman, however, says "Error: unable to verify the first certificate". Only works when I disable "SSL certificate verification", which doesn't answer my question: why Postman is unable to verify my Let's Encrypt certificate?
I'm building an API that runs on the same server, using the same domain, and it's meant to be consumed by a mobile app. Currently, the Android app is throwing a "TypeError: Network request failed", which I suspect could be caused by the same thing Postman is complaining about.
When I spin the server locally and configure 1) the app to use http://localhost:8000 and 2) the server not to enforce SSL, it works in browsers, Postman and in the Android app.
I've being looking for answers in many places for days, so any clue will be very welcome.
EDIT
Interesting clue:
If I make a request to my Daphne/Django server, it servers the certificate, which is rejected. But if I first make a request to https://letsencrypt.org/ and then make a request to my server, it works!
This pattern holds true in both Postman and our Android app.
It also happens when I first make a request to https://alloy.city (instead of letsencrypt.org), which is served by a Node.js app, and uses a certificate also issued by the Let's Encrypt CA.
So maybe the question should be: how to configure my server to politely invite clients to add the CA that issued my certificate if they hadn't done it yet?.
Apparently, that's what my Node.js server does.
Yes, in settings, tap ssl verification off
File > Settings > General > SSL Certificate Verification > off
A different thread pointed out a couple of services that would require a client MTLS certificate, accept any cert, and then respond with information about the SSL handshake/certs.
HTTPS test server that checks client certificates
These endpoints both return HTML. Does anyone know of anything similar that returns application/json?
The URLs below will return application/json content upon successfully mutual TLS client certificate authentication. If no authentication is peformed, then HTTP error 403 is returned in the HTTP headers and the response is empty:
https://certauth.idrix.fr/json (TLS 1.2 only)
https://certauth.cryptomix.com/json (TLS 1.2 and TLS 1.3)
The json returned in case of success contains various technical information about the established connection.
This is my first time creating a WCF service. I need to use HTTPS as I will be using MembershipBinding. The steps I have taken up to this point are:
Created a certificate authority using the makecert.exe application - from this I have created a server certificate and a client certificate.
Added the certificate authority to the Trusted Root Certification Authorities within Microsoft Management Console.
Added the client and server certificates to my personal certificates within Microsoft Management Console.
Created a https binding for the service in IIS using the server certificate.
Set the appropriate permissions for the app pool on the server certificate.
Defined the service certificate within the serviceBehaviours node in the web.config.
I am now testing the service using the WCF Test Client but I am getting the message:
Error: Cannot obtain Metadata from https://localhost:444/Service.svc If this is a Windows (R) Communication Foundation service to which you have access, please check that you have enabled metadata publishing at the specified address. For help enabling metadata publishing, please refer to the MSDN documentation at http://go.microsoft.com/fwlink/?LinkId=65455.WS-Metadata Exchange Error URI: https://localhost:444/Service.svc Metadata contains a reference that cannot be resolved: 'https://localhost:444/Service.svc'. Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost:444'. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.HTTP GET Error URI: https://localhost:444/Service.svc There was an error downloading 'https://localhost:444/Service.svc'. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.
The error suggests that there is an issue trusting the certificate but I have trusted the certificate authority used to create it so I don't know how to resolve it. The service worked fine when I was using http.
Thanks in advance.
As your certificate is self-signed, you need to add a hack to your client call :
using (MyWCFServiceClient client = new MyWCFServiceClient())
{
#if DEBUG
ServicePointManager.ServerCertificateValidationCallback = TrustAllCertificatesCallback;
#endif
client.MyCall();
}
And the definition for TrustAllCertificatesCallback :
internal static bool TrustAllCertificatesCallback(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
{
bool isValid = true;
// TODO logic to check your self-signed certifiacte
return isValid;
}
The TrustAllCertificatesCallback callback should be deactivated on your production environement.
I have tried various configuration settings but still no luck
I’m getting the below error when I tried to run a report from SSRS server.
HTTP Error 403.7 - Forbidden
The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.
processing!ReportServer_0-2!1084!03/26/2015-13:21:18:: e ERROR: An exception has occurred in data set 'DistributionComponents'. Details: Microsoft.ReportingServices.ReportProcessing.ReportProcessingException: Query execution failed for dataset 'xComponents'. ---> Microsoft.ReportingServices.DataExtensions.XmlDP.XmlDPException: Failed to execute web request for the specified URL.
Forbidden: The remote server returned an error: (403) Forbidden. ---> System.Exception: The remote server returned an error: (403) Forbidden.
Setup:
Configuration:
WCF Service:
In the WCF Service I have bindings configured as Transport, and the pretty much like described in the below article
http://www.codeproject.com/Articles/348595/Use-Mutual-SSL-Authentication-in-WCF
I can browse to the service and view WSDL without no issues. I have also checked the WCF trace and no errors.
SSRS Web Service Configuration:
SSRS Web Service Data Source has been configured to execute the HTTPs WCF Web Service URL.
SSRS also configured to use a valid SSL Certificate.
I can access the ReportsManager URL and View reports successfully using HTTPs URLs.
I have tried many configuration settings, including disabling the firewall and virus scans still no luck. I have also search on the Web but there is no much direction on this particular issue.
Can some please point me to the right direction?
To be more precise I would have said the SSRS installed in the Native mode. Nevertheless I figured it out that this is not supported. In other words 2-Way SSL between SSRS (acting as a Client) and the WCF (Service) is not supported.
I have created an Ejb endpoint WebService (.EAR) using metro and glassfish 3.1.2(b5) .
The wsdl file is published and accessible via https .
I generated the client artifact from the secured url and when I Run the client I get this error (server side):
ATTENTION: Invalid request scheme for Endpoint my_web_service. Expected https . Received http
This how I configured the secure connexion:
<glassfish-ejb-jar>
<enterprise-beans>
<ejb>
<ejb-name>my_web_service</ejb-name>
<webservice-endpoint>
<port-component-name>my_web_service</port-component-name>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</webservice-endpoint>
</ejb>
</enterprise-beans>
</glassfish-ejb-jar>
If I change the implementation to a servlet endpoint (.war) everything run ok so I think that I'm missing something in the configuration.
To make this work you need to update the bundled version of grizzly in glassfish to 1.9.55 .