I have a web application developed with spring boot and Angular. The frontend is running on ngnix web server , the backend is running on embedded tomcat for spring boot , both of them are hosted on a Debian VM on ovh cloud, so it's secured with ovh basic Let's Encypt basic security for ssl offered by OVH.
My problem is that the certificate is regenerated (each 3 months ovh regenerate a new one ) and my backend could not recognize anymore the calls coming from the front end.
I made some researches on how to use the certificates generated by ovh ( use the privatekey.pem and fullchain.pem (under /etc/letsencrypt/live/mydomain) with openssl to generate a PKCS12 file to be put on the backend server )
I put the generated .p12 file in my spring app and configured mu application.properties but with no success!
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate
server.ssl.key-store=classpath:keystore/my-keystore.p12
# The password used to generate the certificate
server.ssl.key-store-password=mypassword
# The alias mapped to the certificate
server.ssl.key-alias=myalias
So how do I generate a trusted SSL certificate for my backend server?
I don't know if I'm in a good way with these steps or not, since I'm totally new with all this stuff but If someone could explain me the flow, how to proceed I will be so much grateful !
Thanks in advance
Related
I have written a restful API project which is developed using spring boot and I am using the embedded tomcat and running a jar on a linux server.
The APIs are live at:
https://api.arevogroup.com:8089/api/regions
and I can see the verified and correct SSL as well as in the given screenshot.
but I am getting an this exception in the postman when I call these apis.
These APIs are consumed by a Xamrin based app which seems to work all good when consumed using iPhone but gives this same exception when the APIs are accessed via android.
I guess, the way I have generated the ssl certificate has some issues.
I have used a pfx file and my SSL config in properties file looks like this:
###SSL Key Info
security.require-ssl=true
server.ssl.key-store-password=PASSWORD
server.ssl.key-store=classpath:ssl_pfx.pfx
server.ssl.key-store-type=PKCS12
I have 2 questions, if disable the ssl verification, would the communication still be encrypted or not? (man in the middle attack is still possible but the info will still be encrypted, right?).
If not, how can I fix this?
You can't disable the verification of the server certificate. No browser will allow you to do it, except on an exceptional basis (the user must confirm the exception). If the client disables the verification, than the communication will be encrypted (i.e. no passive attack will be possible).
The errors you see are cause by a misconfiguration of your server.
Your certificate chain contains just the certificate for your server and lacks the intermediate certificate CN=Go Daddy Secure Certificate Authority - G2. You need to download it from Go Daddy (it is the one named gdig2.crt.pem) and add it to your keystore.
Refer to this question on how to do it.
Some browsers cache intermediate certificates and are able to verify your site even if one certificate is missing. However you should not rely on it.
security.require-ssl=true
server.ssl.key-store-password=PASSWORD
server.ssl.key-store=keystore.jks
server.ssl.key-store-provider=SUN
server.ssl.key-store-type=JKS
Used the jks file instead of pfx and it worked all good. Thought to share with others too.
I was able to configure Gravitee API Gateway, Management and UI successfully and I successfully created sample API's which were tested in postman. Now I need to enable SSL for all the three Gravitee services running on ports Management-UI - 8000, API-gateway - 8092 and Management - 8093. Can some one help me to configure wild card domain certificate for all of these services?
This is the only official documentation which i see about ssl configuration for gravitee:
https://docs.gravitee.io/am/2.x/am_installguide_configuration.html
Any help is much appreciated, I have certificates in PKCS12/PEM formats.
FYI, DNS mapping is configured for the server.
I eventually figured it out. The solution was to generate a keystore and truststore for my domain certificate and then add the certificate to gravitee.yml configuration file for both gateway and management-api. update the paths in management ui - constant.json file and restart the services.
Hope this helps some one.
I have been working with web services connecting to URLs provided by different clients and so far it has all been done using one-way authentication. Now I'm asked to enable 2-way (mutual) authentication for one of the clients. I did a lot of research and reading but still confused about a lot of things.
I could test successfully on my local machine following instructions from various different articles. But the problem is now to deploy it in production.
Here's what I did for testing: I created a test Web service Host and assigned it a self-signed certificate and created a client to test this. After this I created a client certificate using makecert and verified that this is installed via MMC. I then modified my Host app to only allow clients with certificate and tested from client to see the connection refused due to not providing the client certificate. Then I modified the bindings in the client application to include the certificate name and I was able to connect to the Host successfully. So this completes local hosting.
Now the real problem. The tech team is going to create a certificate in "cert store" on the server. And I need to test again to make sure everything works as expected. We have a few different developers who all want to test on their machines on their local code. Can we all use the same certificate somehow? I don't think we would be allowed to import the certificate but what suggestions could I give them so all of us can use the same certificate?
I'm also confused about issues like difference between windows certificate and IIS certificate. What advantages would the IIS certificate provide?
Thanks for help!
Edit: Could one of the differences between installing on IIS be so that the hosted sites be accessed via SSL connection? This would mean we don't really need to install on IIS if it's just a client certificate. Is this correct?
I have the following issue: I have a domain that hosts a) a website on port 443 (Apache) and b) a web app with Spring Boot (Tomcat) on port 8443. Both are using the same certificates. For Tomcat I generated a keystore that consists of the private key/certificate, intermediate and root certificate. Visiting the website is not an issue at all.
Now, when I visit the webapp from e.g. Chromium or from my smartphone I can access it and https works just fine (certificate is trusted and I can view the certificate chain). If I instead try opening it in Firefox or use openssl s_client -connect domain.com:8443 the connection is not secured and only my certificate, but neither the intermediate and nor the root certificate are provided.
Now I don't understand how that happens, whether maybe Chrome recognizes the certificate chain from the issuer field of the certificate or asks the app server to provide further parts of the chain, and Firefox/openssl do not.
Any hint about how to make this running would be greatly appreciated!
BR Johannes
BTW about the keystore creation: I created an empty keystore, added the root, then the intermediate and then my certificate + key.
Seems I made a mistake on how to create the keystore, just importing the certificate chain and the key pair wasn't enough. I had to append the certificates of the chain to my certificate (using KeyStoreExplorer or as described in this answer.
How it came that Chromium accepted the certificate anyway is still a mistery to me, though.
I am currently working on a project that has the following components (all .NET 2.0)
Client Application
Web Service Invocation API
Web Service
In summary the Client Application creates and instance of the API and this calls the Web Service. Nice and simple and this all works exactly as I want it to.
The next stage of the project was to secure the Web Service with SSL. So I have created a "Self Signed CA" and from this signed a server certificate for IIS. Again, nice and simple and this all works exactly as I want it to.
The next stage of the project is to secure the Web Service by requiring the invoker to supply a client certificate. So I have created a client certificate (via the Self Signed CA). I am then adding this to the Web Service invocation call in the API:
WSBridge.Processor processor = new WSBridge.Processor();
processor.Url = this.endpoint;
processor.ClientCertificates.AddRange(this.clientCertificates);
processor.Timeout = (int)Settings.Default["DefaultTimeout"];
In debug I can see that this.clientCertificates contains the certificate I created. So in theory it is being presented to the web server.
However, when I attempt to call the Web Service I get the following exception in the API:
The request failed with HTTP status 403: Forbidden.
Fairly self explantory, but I have no idea what is causing the problem.
Other relevant information:
In my dev environment Client, API & Web Service are all running on the same machine
If I attempt to access the Web Service Description in IIS I get the following error (I am not prompted to choose a client certificate):
HTTP Error 403.7 - Forbidden
The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.
The client certificate is loaded into the Personal store for the current user, the CA root is in trusted root for the local machine and current user.
If I switch off "Require SSL" and put "Client Certificates" on accept in IIS I can make my request. However when I look at HttpContext.Current.Request.ClientCertificate.Count in the Web Service this comes back as 0.
I need to be able to run my development with client certificates as portions of the service code use the CN of the client certificate to perform various actions. I could hack it in but it would be nice to be able to do a real end to end.
All the certificates mention here were generated using OpenSSL. I am developing on Windows 7 so I do not have the facility to install Microsoft CA
So, does anybody have any ideas as to the cause of this problem?
As an aside (not worth creating a new question for this) - for some reason when I enable SSL for the Web Service Visual Studio is no longer able to debug the service.
EDIT : Some more information
The client certificate has an intended purpose of <All>
Although I am working on localhost the server certificate for the web server was issued to devserver.xyz.com so I have changed my hosts file to point that to localhost. As such I can now browse (with client certs switched off in IIS) to my service descriptor page without seeing any SSL certificate warnings.
Well I have solved the problem, in summary this was due to the format of the client certificate this should have been PKCS12.
More Detail
Although the MMC Certificate plugin was showing the client certificate in the personal store for the current userm I noticed that when viewing the same store via Internet Explorer (Tools -> Internet Options -> Content -> Certificates) the certificate was not present.
After a little Googling it seems that IE will only accepts PKCS12 format for client certificates, so I convert the certificate with the following OpenSSL command:
openssl pkcs12 -export -in client_alpha.cer -inkey client_alpha.key -out client_alpha.p12
I then imported the p12 file into IE which allowed me to browse to the Web Service description page with full client/server certificated TLS.
Once I had made this change, I then retried by client application and this now works aswell. This is due to the fact that IIS, like IE, will only accept client certificates in PKCS12 format.