Laravel application deployed on Kubernetes and making requests to https://maps.google.com/maps/api/geocode/json failing with:
SSL routines:tls_process_server_certificate:certificate verify failed
The same application works when running on Docker.
I have appended Google's Root CA certs from here https://developers.google.com/maps/root-ca-faq#what_is_happening to the server's trust store but no luck there either.
I can disable verification but that's not the correct approach.
Any ideas would be much appreciated.
Thanks.
According to the OP, the solution was:
The issue was that our security team scans external certificates and
re-package them with the company's own cert. Once I added the
company's cert to the trust store, everything worked fine. It seems
it's only an internal issue.
Related
I have written a restful API project which is developed using spring boot and I am using the embedded tomcat and running a jar on a linux server.
The APIs are live at:
https://api.arevogroup.com:8089/api/regions
and I can see the verified and correct SSL as well as in the given screenshot.
but I am getting an this exception in the postman when I call these apis.
These APIs are consumed by a Xamrin based app which seems to work all good when consumed using iPhone but gives this same exception when the APIs are accessed via android.
I guess, the way I have generated the ssl certificate has some issues.
I have used a pfx file and my SSL config in properties file looks like this:
###SSL Key Info
security.require-ssl=true
server.ssl.key-store-password=PASSWORD
server.ssl.key-store=classpath:ssl_pfx.pfx
server.ssl.key-store-type=PKCS12
I have 2 questions, if disable the ssl verification, would the communication still be encrypted or not? (man in the middle attack is still possible but the info will still be encrypted, right?).
If not, how can I fix this?
You can't disable the verification of the server certificate. No browser will allow you to do it, except on an exceptional basis (the user must confirm the exception). If the client disables the verification, than the communication will be encrypted (i.e. no passive attack will be possible).
The errors you see are cause by a misconfiguration of your server.
Your certificate chain contains just the certificate for your server and lacks the intermediate certificate CN=Go Daddy Secure Certificate Authority - G2. You need to download it from Go Daddy (it is the one named gdig2.crt.pem) and add it to your keystore.
Refer to this question on how to do it.
Some browsers cache intermediate certificates and are able to verify your site even if one certificate is missing. However you should not rely on it.
security.require-ssl=true
server.ssl.key-store-password=PASSWORD
server.ssl.key-store=keystore.jks
server.ssl.key-store-provider=SUN
server.ssl.key-store-type=JKS
Used the jks file instead of pfx and it worked all good. Thought to share with others too.
I've applied my PKCS12 certificate to my gateway.
My certificate is a wildcard certificate and i'm trying to apply it
to the gateway so I don't have do this for all my micro-services.
These are the settings in my properties file for development:
server.port:8443
server.ssl.enabled=true
server.ssl.key-store=integration.domain.net.p12
server.ssl.key-store-password=*********
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=integration.domain.net
The dev server starts up and SSL is enabled. When I open the connection to https://localhost:8080/ I am redirected to :8443 as I expect. However, the browser is indicating the connection is 'Not Secure'.
I can see that my certificate is being used so I'm a bit confused as to why this is not working. I'd like to know how to resolve this so that our clients see that our gateway is properly secured.
Does anybody have any ideas or suggestions?
thanks,
Nevermind. I figured this out. My certificate is obviously looking for a valid domain or subdomain that corresponds to the information contained therein. So of course, localhost is not there. I just added a dev-integration.domain.net to my /etc/hosts file for development and everything is just fine.
Sorry if I wasted anyone's time.
I have been working with web services connecting to URLs provided by different clients and so far it has all been done using one-way authentication. Now I'm asked to enable 2-way (mutual) authentication for one of the clients. I did a lot of research and reading but still confused about a lot of things.
I could test successfully on my local machine following instructions from various different articles. But the problem is now to deploy it in production.
Here's what I did for testing: I created a test Web service Host and assigned it a self-signed certificate and created a client to test this. After this I created a client certificate using makecert and verified that this is installed via MMC. I then modified my Host app to only allow clients with certificate and tested from client to see the connection refused due to not providing the client certificate. Then I modified the bindings in the client application to include the certificate name and I was able to connect to the Host successfully. So this completes local hosting.
Now the real problem. The tech team is going to create a certificate in "cert store" on the server. And I need to test again to make sure everything works as expected. We have a few different developers who all want to test on their machines on their local code. Can we all use the same certificate somehow? I don't think we would be allowed to import the certificate but what suggestions could I give them so all of us can use the same certificate?
I'm also confused about issues like difference between windows certificate and IIS certificate. What advantages would the IIS certificate provide?
Thanks for help!
Edit: Could one of the differences between installing on IIS be so that the hosted sites be accessed via SSL connection? This would mean we don't really need to install on IIS if it's just a client certificate. Is this correct?
I'm about at the end of my rope with Windows Azure Tools and SSL configuration in the ServiceDefinition/ServiceConfiguration files in a cloud project.
At first, I had a web role with RDP enabled (and certificate configured, etc). All that worked for a long time. Then I added an SSL certificate for an https endpoint. It wouldn't deploy because of certificates not being installed in my localmachine/personal store, etc. After messing with it, somehow I've gotten into a bad state where even if I completely remove all configurations having to do with RDP or SSL, I still get this from the emulator:
Windows Azure Tools: Warning: The SSL certificate 'Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption' for endpoint 'HttpsIn' of role 'My.Web' was not found in the local machine's certificate store.
Windows Azure Tools: Warning: Certificate identification setting 'Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption' for role 'My.Worker' specified in the service configuration file is not declared in the service definition file in the Certificate or as part of an SSL endpont
Like I said, there is no such configuration in any of my files, and when there were, they hadn't changed from the time that they worked until this. I tried deleting the dftemp directory where the deployments get placed, I've cleaned and rebuilt the cloud project, I've killed visual studio and the emulator(s), and still always wind up back in the same place.
Has anyone else seen this?
I'm not sure what happened, but after leaving for the day and coming back this morning, I found that a system reboot seemed to clear the issue. I have no idea why, but this seems to have resolved itself.
for first error, you have to remove certificate from certificate section of your service configuration file(cscfg). This certificate is used for encrypting your RDP password.
For second error, I think if you remove above section, it will automatically disappear. Also ensure that you have removed modules RemoteAccess, RemoteForwarder from service definition file(csdef)
I am running windows server 2003 standard and have installed the ssl cert as per Godaddy's instructions. Let me know what information you need from me. Attempting to access the website securely outside of our network the page does not load. Thanks in advance!
Although it would help if you provided more information (like what error the clients are getting), I’m going to guess that you are missing the intermediate certificates that GoDaddy uses. These need to be installed on the server where the SSL certificate is installed.
Follow the procedure here.