I am building an app and I want to use a wildcard domain (e.g. *.domain.com). In order to add this domain to Heroku, I need to obtain a wildcard SSL certificate and import it manually to Heroku. I am using Cloudflare as my domain provider. Where can I obtain a wildcard SSL certificate for this purpose, and how do I go about importing it to Heroku?
Related
I am working in Ec2 instance. I have connected my php files like http://13.57.220.172/phpinsert.php. But it is not secured site. So i want to convert http into https://13.57.220.172.
I have cloudflare ssl. When i try to add ssl certificate. It shows
com.amazonaws.pki.acm.exceptions.external.ValidationException: Provided certificate is not a valid self signed. Please provide either a valid self-signed certificate or certificate chain. Choose Previous button below and fix it.
i have enclose the image with it.
So how can i get the self signed certificate. is there any online tool available.
I think the error message your seeing has to do with this sentence:
If your certificate is signed by a CA, you must include the
certificate chain when you import your certificate.
from https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html.
Since it sounds like you're not yet in "production" mode, I'm guessing you're not particularly attached to your existing certificate, but just want a certificate to be able to do HTTPS on your web server (and don't really care if it's self-signed).
If you want to use AWS Certificate Manager, I think it would be easier to just let them (AWS) issue you a certificate instead of trying to import one from somewhere else. AWS doesn't charge anything for certificates. https://docs.aws.amazon.com/acm/latest/userguide/acm-billing.html
Even if you get the certificate setup in AWS Certificate Manager, that's not going to be installed directly on your EC2 instance, but rather (most likely) on a load balancer in front of your web server, which will add a little complexity to your setup. https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
If all you want to do is use HTTPS on your web server, Let's Encrypt (also free) is probably a simpler option. If you are using AWS Linux 2, there are instructions for getting a certificate here - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html
Well, add to the points which #jefftrotman has already mentioned.
If your expectation is to just secure your IP address using HTTPS you can achieve that using the below approaches:
A SELF SIGNED certificate that you can create using OpenSSL.
You can also get an SSL certificate from a trust signing authority like (GoDaddy or VeriSign) or Let's encrypt.
The only requirement in the second point is that for getting a certificate from a valid signing authority you need to have a domain name like "myphpapp.com" and then use this domain to get the SSL certificate.
The below details are in case you want to use AWS ACM(Amazon Certificate Manager)
If you prefer ACM, you can get the free Public SSL certificate which you can map to the IP address and your web application will be secured.
If your requirement is to add SSL certificates (like PEM files) to a web server like
NGINX or Apache then you first need to create a Private CA using in ACM and then you using this CA you will be able to create Private SSL certificates. After creating those you can export the files and add those files to the configuration file. (try to use Amazon Linux 2) ec2 image for ease.
I found this example of setting up a service to do SSL termination on a backend service as opposed to on the ingress controller, but I don't see where to specify which certificate to use. I'd like to use a certificate I already have in my Google cloud certificate store. Where do I set that? How does this example work without a certificate?
https://github.com/kubernetes/ingress-gce/blob/master/examples/backside-https/app.yaml
More information about frontend vs backend HTTPS: https://github.com/kubernetes/ingress-gce/blob/master/README.md#frontend-https
If the backend service is using a certificate signed by a public CA, then nothing needs to be done. The GKE ingress is just like any other client to your backend- it knows about various certificate authorities and it can verify that your backend certificate was signed by one of those authorities.
If however the certificate in your certificate store is a client certificate, meaning that you want GKE to be authenticating using that certificate to your backend, not sure that is possible.
There is a way to instruct nginx to use client certificates, something along the lines of this answer, which uses self-signed certificates:
https://serverfault.com/a/717926/370529
And there is a way to provide those snippets to an nginx ingress controller. But GKE does not use nginx. I don't know of a way to do the same with the GKE ingress controller.
On my staging server I am connecting to self-signed https api backend. And by default requests can't be made, because browser treat backend as danger.
I have to open backend url in browser
https://my-api-backend.elasticbeanstalk.com
my-api-backend.elasticbeanstalk.com:8443 uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is not valid for the name my-api-backend.elasticbeanstalk.com. Error code: SEC_ERROR_UNKNOWN_ISSUER
After manually confirm that is secure it works. It is fine for me to do this, but not for managers etc. Another thing I was thinking about blocking backend access from outside and allow access only from frontend.
Is there any solution to this problem other than buying domain a sign it properly?
If it is a staging environment it should reflect a production environment so you should use a real domain signed correctly.
Certificates are free through AWS ACM or LetsEncrypt.
Why not use a sub domain like staging.domain.com, it would be free as well. Otherwise domains are cheap and it shouldn't be worth the hassle.
I have WSO2 API manager deployed in AWS EC2 instance.
I have purchased a SSL certificate via sslforfree.com. I tried to import it via keytool command. But its not working and throwing error. It gives me
KrbException: Cannot locate default realm
How can I associate this certificate with the API Manager? I don't have a domain name for WSO2 and I access it via IP address.
Is it possible for have CA signed certificate in this case?
In case if I want a domain name for this EC2, how can I have one?
You can import the certificate inside Carbon. Log into <your_server>:9443/carbon as admin. After that go on Main -> Manage -> Keystores -> List
If you're still using the default settings you'll have the wso2carbon.jks entry here. Click on Import cert, chose your cert file and click on Import. Your certificate should be working after this.
there are several topics in this question:
I tried to import it via keytool command.But its not working and
throwing error.It gives me KrbException: Cannot locate default realm
The keytool gives you this exception? It would be useful to provide the keytool command you've used. There's not reason for that exception.
please not that the certificate CN must be the same as the fqdn (domain name) of the server (how your browser access it).
How can I associate this certificate with the API Manager?
There are two options.
Import the keypair (private key and certificate chain) into a keystore and configure the APIM to use the keystore (in the repository/conf/tomcat/catalina-server.xml)
Have a reverse proxy server (Apache HTTP, NGinx), and configure the SSL on that proxy server. This is my favorite approach .
See: https://docs.wso2.com/display/AM210/Adding+a+Reverse+Proxy+Server
Then you have control over who/where can access the carbon console, store and publisher.
I don't have a domain name for WSO2 and I access it via IP address. Is
it possible for have CA signed certificate in this case?
Certificate authorities don't provide IP based certificate, as they can validate ownership/control of a domain name, but not of the IP address.
You can create (and made trusted) your own CA and certificate (good for PoC, DEV environment, ..) but in long run you'll need a trusted certificate on a hostname.
In case if i want a domain name for this EC2 , how can i have one ?
You can always buy one :D For start - when having EC2 instance with a dynamic IP address, you may use some dynamic dns service (e.g. https://ydns.io/ , just search for more if you wish)
I have a domain that I purchased from Google and a heroku app that I'm trying to send it to.
I've done the steps in this article: https://www.justinvrooman.com/articles/how-to-use-heroku-with-google-domains
and yet when I try to access the site I get a
Your connection is not private
Attackers might be trying to steal your information from www.***.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
What am I doing wrong with my set up or why am I getting this message?
It looks like you've enabled SSL in your Rails app but your site doesn't have an SSL certificate configured. To disable SSL, set the following to "false" in your 'config/environments/production.rb' file.
config.force_ssl = false
In addition, in the same file, don't forget to set your "host" equal to your custom domain.
host = 'www.yourdomain.com'
If you want to run SSL on a custom domain (e.g. www.example.com) you'll need to purchase and configure an SSL certificate for your domain.
If, however, you are fine using Heroku's domain (e.g. example.herokuapp.com), then you can piggyback on Heroku's SSL certificate.
More info on running SSL on a custom domain through Heroku: https://devcenter.heroku.com/articles/ssl-endpoint