lack of Secure Tab URL error - facebook-graph-api

I keep getting the error below even though I do have a secure tab url, and it is updated in the page settings..
(I have installed the ssl today, and when I try entering the website via Https It works)
Please Update Your Secure Tab URL
To make sure users can view your app over a secure browser connection (https), please visit the developer console to update your Secure Tab URL.

You need to use a real SSL cert (costs money) rather than a self-signed cert (free) to be in compliance.

Related

Connecting localhost to a remote dev server (CORS, same-site, secure and other headaches)

I'm currently working on a React project. The development server (Bottle/Python) for the project is hosted remotely, and my React dev-server is localhost. Part of the authentication process for the application involves setting a cookie on login, but because of same-site and secure rules that cookie is not being set, meaning that my dev frontend can't access any of the data that it needs.
Myself and the server engineer have added SameSite=None to the cookie as well as secure, but because my localhost is not https the cookie is still not being stored properly (I get the error message "this Set-Cookie" was blocked because it had the "Secure" attribute but was not received over a secure connection").
There are no issues when the app is deployed because everything is on the same domain, but for now we're stuck - we've been trying to solve the issue for several hours but can't seem to get it.
My question is - what is the best development practice if you need to access a non-local development server, but can't actually just have your own version of the server running on your local machine?
Do I:
Need to make my localhost https somehow?
Need to make the dev-server domain https?
Need to install the server locally because there's just no way to do this?
Apologies if this is a noob question, it would be great to have some advice.
Many thanks.
The short answer is:
No
Yes
No
You can run your app on http://localhost:port. Assuming response from your dev server has in response headers Set-Cookie of the cookie which has Secure flag, your dev server URL has to be https in order to have the cookie accepted by the browser.
I have this setup and it works just well.
Regarding CORS (as mentioned in the title of the question): you have to have you server configured to accept credentials and to have allowed origins configured. The client app when doing XHR request has to have withCredentials:true. Check the points 2 and 3 in my post for details.
Also note, that if you are using Chrome you can bypass for development purposes the requirement to have SameSite=None and Secure by disabling the flag "Cookies without SameSite must be secure", also detailed here

How to configure a Daphne server to invite clients to add the Certificate Authority that issued my certificate if they hadn't done it yet?

If I make a request to my Daphne/Django server in Postman or the Android app we're developing, Daphne serves the certificate, but it's rejected. If I first make a simple get request to https://letsencrypt.org/ and then make a request to my server, the certificate is accepted.
How can I make sure a client will trust my certificate, even if it's the first time this client is seeing a certificate issued by this CA?
Everything bellow can serve as a history of how I studied the problem.
Original title: SSL Certificate works in browser but can't be verified by Postman
I have an AWS EC2 instance running Ubuntu 18.04, with python 3, Django, a bunch of project dependencies, Daphne running with ASGI, with a certificate by Let's Encrypt. Daphne is using port 8000 for HTTP and por 4430 for HTTPS, iptables is configured to redirect requests from port 80 to 8000 and from port 443 to 4430. Django is configured to enforce secure connections with SECURE_SSL_REDIRECT=True in the settings.py file.
There's a "Site in Construction" temporary page being served, and it's properly accessible from every browser and every device I tested so far. If I explicitly type http, I get redirected to https and the certificate is accepted. Every browser I tested (Firefox, Brave, Chrome, Chrome for Android) says cert is good.
Curl outputs the HTML content returned from the server. I don't know if it accepts the certificate or ignores it.
The Problem
Postman, however, says "Error: unable to verify the first certificate". Only works when I disable "SSL certificate verification", which doesn't answer my question: why Postman is unable to verify my Let's Encrypt certificate?
I'm building an API that runs on the same server, using the same domain, and it's meant to be consumed by a mobile app. Currently, the Android app is throwing a "TypeError: Network request failed", which I suspect could be caused by the same thing Postman is complaining about.
When I spin the server locally and configure 1) the app to use http://localhost:8000 and 2) the server not to enforce SSL, it works in browsers, Postman and in the Android app.
I've being looking for answers in many places for days, so any clue will be very welcome.
EDIT
Interesting clue:
If I make a request to my Daphne/Django server, it servers the certificate, which is rejected. But if I first make a request to https://letsencrypt.org/ and then make a request to my server, it works!
This pattern holds true in both Postman and our Android app.
It also happens when I first make a request to https://alloy.city (instead of letsencrypt.org), which is served by a Node.js app, and uses a certificate also issued by the Let's Encrypt CA.
So maybe the question should be: how to configure my server to politely invite clients to add the CA that issued my certificate if they hadn't done it yet?.
Apparently, that's what my Node.js server does.
Yes, in settings, tap ssl verification off
File > Settings > General > SSL Certificate Verification > off

Facebook : HTTPS is required for all Redirect URIs

I am trying to use facebook sdk for facebook login.
I gave http://localhost as Valid OAuth Redirect URIs but it throws the following error
HTTPS is required for all Redirect URIs.
I used this future few days ago it worked fine. but now it throws this error
And I am not able to disable
Enforce HTTPS
option
I ran into this issue with my Rails app that I usually run with http://localhost:3000.
To use https, I used ngrok which allows you to use https by providing a tunnel. To do this:
I went to their website and downloaded their program
I extracted the file for the program
In my console, I went into the directory where ngrok was extracted to and entered 'grok http 3000' on my Windows machine, others may use './grok http 3000'
After entering that, ngrok provided a https address which I put into the Valid OAuth Redirect URIs field in Facebook
Then I started my server and was able to access it using that https address instead of localhost:3000
yep, they changed that recently :-(
For testing the login flow locally I installed a self-signed certificate
https://letsencrypt.org/docs/certificates-for-localhost/
btw, I doesn't have to be trusted by the browser if you're OK with a one time security warning.
Don't use this certificate in production!

Calling web service over SSL Domain Name

Hey all i seem to be having problems with calling my web service over SSL. Calling it from a non-ssl URL works just fine.
When trying to connect to the web service in VB.net it gives me this:
So i go ahead and choose the first option (10/7/2012 to 10/7/2013.
However when i do that i get this error in the web browser:
Going to the SSL website of mine (https://www.xxxxxxx.com) asks the same question (Select a Certificat) and then it shows the same browser error as it did in VB.net.
Is there something i need to include in the web.config file?
My IIS certificates look like this that i created:
Going to my normal website (http://www.xxxxxxx.com) works just fine.
What have i forgotten to do in order for it to work over SSL?
Most likly you've likley over-configured IIS (unless you really want to use SSL with client authentication as noted by Arun).
There is setting somewhere that says something "require client certificate:none/accept/require" which defaults to none for regular SSL. The only place you needed to add certificate is in site bindings...
Side note: http://serverfault.com could be better place...
You seem to be using SSL with client authentication .. Make sure you have added the CA certificate and the user certificate[that u choose in the prompt] to the user's list in the server before trying to access the website . I know how to do this in apache but not IIS but the concept is the same.

Using CFHTTP with HTTPS domain in Railo

I keep getting Connection Failed when trying to request data from a page that is on an https:// domain. I did install the ssl cert using the built-in section of the railo admin at https://[mydomain]/railo-context/admin/server.cfm?action=services.certificates however I still get Connection Failed. How should I go forward with debugging this? I have confirmed that this server in particular does have access to the domain I am trying to request from.
You probably need some additional certs installed as Jason has said. Take a close look at the cert and it's chain. Go to the cert issuers site and look for some documentation.
To troubleshoot you can add some logging to your jvm args. I think it's something like:
-Djavax.net.debug=all
The results are either in the OUT log or the server.log. This post on SSL 3.0 has some debugging tips. It's possible that your cert needs to handshake at a lower security level than CF allows (SSL 2.0 instead of 3.0/TLS for instance) and that could cause this behavior - but it's more likely that you simply need an intermediate cert installed.
The problem ended up being the permissions weren't setup properly on the machine. After we had the server administrator fix our permissions to access the Railo-Tomcat Service Control, the requests started working. I'm assuming he fixed some other permissions while he was in there.