Some people get "a possible malware" warning when opening my site? - web-hosting

I tried to show a JS problem on my https://streamgeeks-rebranded-dev.cloudns.cl/ site,
but I got feedback from one of the users:
My connection blocks that site ^^
The security system of the network operator blocks me saying that it is "a possible malware"
The service
sslshopper.com/ssl-checker.html#hostname=https://streamgeeks-rebranded-dev.cloudns.cl
shows:
streamgeeks-rebranded-dev.cloudns.cl resolves to 18.198.221.45 Server Type: Apache/2.4.41 (Ubuntu) The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed). The certificate was issued by Let's Encrypt. The certificate will expire in 6 days. The hostname (streamgeeks-rebranded-dev.cloudns.cl) is correctly listed in the certificate.
I ran manually:
sudo certbot renew --dry-run
After that I read:
The certificate will expire in 66 days
Could you please open my site and say if you have any problems opening it?
Thanks!

Related

Two valid certificates equal one invalid certificate

I'm fairly new to the whole certificate shebang and not a versed Linux admin.
In our company, we run a Windows domain, but we also have some CentOS servers for different services.
On one of said servers we have our ticket system, which is browser based. I want to certify it with a certificate, signed by our Windows root CA, but no matter what I do, the certificate is shown as invalid in the browser.
Funny enough, both certificates in the chain (CA -> server) are shown as valid.
I already did the following:
start certificate process from scratch
tried different certificate formats (.cer, .pem)
verified server cert with root cert
checked validity with openssl (OK)
checked SSL connection with openssl, no issues
added root cert to Linux server trusted CA store
recreated cert chain (of 2)
restarted Apache over and over
reset browser cache
tried different browser
checked DNS entries
checked, if root CA is trusted in Windows (it is)
manually installed server cert in my browser
Both the server cert and the root cert show up as valid in the browser, with the correct relation.
I'm completely lost here. Is there some key step I forgot and not one of the ~30 guides I read forgot to mention?
Any help is greatly appreciated
Your question is missing some information:
Did you check the SSL connection from outside the server?
Did you verify the RootCA cert is inside the cert-store of the server (sometimes it is rejected without error messages)?
I would check the reason for rejecting the certificate in the browser (Firefox is usually more informative than Chrome), and look for the error code.
Reasons can be (some of which you have already verified):
Wrong certificate properties (missing the required values in the "usage" attribute)
Wrong domain name
Expired certificate
Certificate could not be verified on the client-side
See this image as an example of an error code:
https://user-images.githubusercontent.com/165314/71407838-14f55a00-2634-11ea-8a30-c119d2eb1eb1.png

Failing to renew Let's Encrypt SSL

I easily installed an SSL certificate the first time through, but I am unable to get it to renew.
I scheduled the terminal command to automatically renew the certificate each month, but it is responding with an error. I also get the same response when running it manually.
Terminal Command
curl -X POST https://forge.laravel.com/api/servers/<serverNumber>/sites/<siteNumber>/ssl/renew?api_token=<my-token>
Response
Cloning into 'letsencrypt1462928414'...
nginx stop/waiting
nginx start/running, process 10734
# INFO: Using main config file /root/letsencrypt1462928414/config.sh
+ Generating account key...
+ Registering account key with letsencrypt...
Processing donniebrandt.com with alternative names: www.donniebrandt.com
+ Signing domains...
+ Creating new directory /root/letsencrypt1462928414/certs/donniebrandt.com ...
+ Generating private key...
+ Generating signing request...
+ Requesting challenge for donniebrandt.com...
+ Requesting challenge for www.donniebrandt.com...
+ Responding to challenge for donniebrandt.com...
ERROR: Challenge is invalid! (returned: invalid) (result: {"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://donniebrandt.com/.well-known/acme-challenge/JdG5PtzEcqZMMDVhx2VNN5Wmvldwtl84B6q3j1AQcP0 [104.18.50.184]: 526"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/S6oIx5ZFyzu80fkpjoCcAgVDp7p8aLo6UGLLt7flP-g/81801388","token":"JdG5PtzEcqZMMDVhx2VNN5Wmvldwtl84B6q3j1AQcP0","keyAuthorization":"JdG5PtzEcqZMMDVhx2VNN5Wmvldwtl84B6q3j1AQcP0.0N_sDHF2rXqfyPHGi4ZmXDAkrmwbMJ-S_ZghYPtSN2g","validationRecord":[{"url":"http://donniebrandt.com/.well-known/acme-challenge/JdG5PtzEcqZMMDVhx2VNN5Wmvldwtl84B6q3j1AQcP0","hostname":"donniebrandt.com","port":"80","addressesResolved":["104.18.50.184","104.18.51.184"],"addressUsed":"104.18.50.184"},{"url":"https://donniebrandt.com/.well-known/acme-challenge/JdG5PtzEcqZMMDVhx2VNN5Wmvldwtl84B6q3j1AQcP0","hostname":"donniebrandt.com","port":"443","addressesResolved":["104.18.50.184","104.18.51.184"],"addressUsed":"104.18.50.184"}]})
I also verified that the .well-known/acme-challenge directory exists, but it doesn't change the error.
The error message shows your website is offline for one of the domains:
ERROR: [...]"Invalid response from http://donniebrandt.com/[...]526"},[...]
Try accessing http://donniebrandt.com and you will get error 526 (invalid SSL certificate).
As Cloudflare states:
The HTTP Error Response Code 526 occurs when CloudFlare is unable to successfully validate the SSL certificate on the origin web server and the CloudFlare SSL configuration on the website is set to "Full SSL (Strict)".
In other words, the CDN you've set up in front of your server tries to reach your server through HTTPS, however your SSL certificate is invalid (maybe expired or root CA not trusted by the Cloudflare CDN). So Cloudflare will not fetch content from your server.
I am not familiar with Cloudflare but you can do one of the following:
temporarily disable strict SSL in Cloudflare until you renew your certificate and, next time, renew before it expires so there is no need to disable it again.
temporarily point your DNS directly at your server instead of the CDN, renew the certificate and redirect it again. The downside here is that DNS propagation might take some time and you will lose the benefit of the CDN for a long period depending on DNS setup.
Since you said you got SSL working the first time I am assuming Cloudflare trusts LetsEncrypt (or it would not work for the first time). However, it is worth checking.
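The reading of the error given in the answer above can be pulled mechanically out of the challenge result. The following is an added example, not part of the original posts or of Forge's tooling; the `diagnose` function, the `TOKEN` placeholder that shortens the challenge token, and the origin address 203.0.113.10 are assumptions made for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample: the challenge result from the error above, abridged,
# with the token shortened to the placeholder "TOKEN".
SAMPLE = json.dumps({
    "type": "http-01", "status": "invalid",
    "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "Invalid response from http://donniebrandt.com/"
                  ".well-known/acme-challenge/TOKEN [104.18.50.184]: 526",
    },
    "validationRecord": [
        {"url": "http://donniebrandt.com/.well-known/acme-challenge/TOKEN",
         "hostname": "donniebrandt.com", "port": "80",
         "addressUsed": "104.18.50.184"},
        {"url": "https://donniebrandt.com/.well-known/acme-challenge/TOKEN",
         "hostname": "donniebrandt.com", "port": "443",
         "addressUsed": "104.18.50.184"},
    ],
})


def diagnose(result_json, origin_ips):
    """Return findings for a failed http-01 result; origin_ips is supplied by the operator."""
    result = json.loads(result_json)
    if result.get("status") != "invalid":
        return []
    findings = []
    records = result.get("validationRecord", [])
    schemes = [urlsplit(r["url"]).scheme for r in records]
    if schemes[:1] == ["http"] and "https" in schemes[1:]:
        findings.append("validator was redirected from http to https")
    # Addresses the validator connected to that are not the origin server.
    foreign = sorted({r["addressUsed"] for r in records} - set(origin_ips))
    if foreign:
        findings.append("validator reached %s, not the origin" % ", ".join(foreign))
    # The detail string ends with the HTTP status the validator received.
    match = re.search(r"\]: (\d{3})\b", result.get("error", {}).get("detail", ""))
    # 520-527 are non-standard statuses that Cloudflare generates itself.
    if match and 520 <= int(match.group(1)) <= 527:
        findings.append("HTTP %s came from the proxy in front of the origin" % match.group(1))
    return findings
```

Calling `diagnose(SAMPLE, ["203.0.113.10"])` reports all three conditions, which together say the validator never reached the origin's challenge file.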
It's not really a fix, but I skirted the issue by recreating the site in Forge and reinstalling an SSL.
This should no longer be an issue since Forge now handles SSLs better.
Forge will now automatically renew LetsEncrypt certificates for you
every week. You no longer need to manually add a scheduled job to
perform the renewal. To generate an auto-renewing LetsEncrypt
certificate, simply obtain and activate a new certificate using the
form above.

Why is Firefox saying that my website is using an "invalid security certificate"?

I have been using a wildcard SSL certificate for several of my company's B2B websites for some time. Recently, we noticed that Google Chrome started displaying a red unlocked lock with HTTPS crossed out for all of these websites. The solution I found was to reissue the certificate from the provider (Network Solutions). So, I did this, and updated the certificate for each of the websites, and the Google Chrome issue went away (HOORAY!). However, when visiting any of these websites in Firefox, it displays a security message stating the website is using an invalid security certificate:
How can I resolve this so that our users are not confused when visiting these websites?
P.S. These websites are running on IIS6.
It looks as if the certificate chain is incomplete and, thus, Firefox (and likely other browsers) cannot verify the site certificate. Normally browsers store intermediate certificates they have seen in the past - that might be a reason why it works in Chrome.
You can test using https://www.ssllabs.com/ssltest/analyze.html.
Depending on the server software (here, for Apache httpd and other servers which read the certificate in PEM/DER format), you can just paste the intermediate certificates together with the certificate in one .pem file (which is used as Certificate file).
The chain (intermediate certificates) is/are normally provided by your CA. In your case you could also use Chrome to review the certificate and then store/extract all intermediate certificates from the certificate view.
You can get this "certificate is not trusted" error if the server doesn't send a required intermediate certificate.
Firefox automatically stores intermediate certificates that servers send in the Certificate Manager for future usage.
If a server doesn't send a full certificate chain then you won't get an untrusted error when Firefox has stored missing intermediate certificates from visiting a server in the past that has sent it, but you do get an untrusted error if this intermediate certificate isn't stored yet.
You can inspect the certificate chain via a site like this:
http://www.networking4all.com/en/support/tools/site+check/
I followed the instructions at enter link description here, to import the intermediate certificates.
In IIS, there is an option under Directory Security to "Enable certificate trust list". I enabled it and added the "AddTrust External CA Root" to the CTL certificates list and this appears to have fixed the issue.

Always get a Security Error for Internal HTTPS Website

Full disclosure, I asked this question over at Ask Different (https://apple.stackexchange.com/questions/96776/always-get-a-security-error-for-internal-https-website) but didn't get much helpful feedback. I'm hoping this question fits better here.
My company recently changed an internal site to use HTTPS instead of HTTP (it is our Jira site in case that matters). From what I can tell, this site is using an internal certificate. On our work computers this certificate appears to be pre installed so the website comes up without trouble in IE, Firefox, and Chrome. However, my personal computer is a Mac (OS X 10.8.4) and I am having major troubles accessing the site through any browser. I have followed instructions to install the certificate in my Keychain and I believe I have successfully done that, but I am still not able to access the site.
When Accessing the site I Get:
Chrome: Invalid Server Certificate You attempted to reach jira.surescripts.local, but the server presented an invalid certificate.
Safari: Safari can't open the page Safari can't open the page "https://jira.local:8081/" because Safari can't establish a secure connection to the server "jira.local"
In Chrome when I view the certificate information I see: Intermediate certificate authority. Expires: Thursday, May 21, 2015 1:19:28 PM Central Daylight Time. This certificate is valid
To make sure that it wasn't something strange with our company's VPN, I installed a Windows 7 virtual machine on my Mac and installed the certificate in Windows and am able to successfully log on to the site how I always would.
I am not much of an expert with certificates and I really don't know where to go from here. Any help would be greatly appreciated! Thanks.
It almost sounds like you need to trust a self-signed certificate? Perhaps follow: https://confluence.atlassian.com/display/SOURCETREEKB/Resolving+SSL+Self-Signed+Certificate+Errors
Self-signed certificates always trigger warnings in web browsers.
To validate a server certificate you must have in the client browser the CA certificate which was used to sign the SSL server certificate.
Your company should create a CA cert, then create a server SSL cert signed with the CA and put it on the web server. The clients install the public part of the CA cert in the "Trusted CA" certificate store. When a client connects to the web server, the server sends the signed SSL certificate, the client checks if it is a "trusted" cert (was signed by a trusted CA) and if everything is OK the client doesn't show the warning.
You ended with this cert chain:
CA cert->SSL cert
The CA cert's public part is installed in the client browser as a trusted CA. The SSL cert is put on the web server. The client validates the SSL cert against the Trusted CA certs installed in its certificate stores.
It is like CyberTrust CA. You can see how you have Baltimore Cyber Trust Root and Cybertrust Public SureServer SB CA installed in your computer and when you enter into https://www.bancosantander.es/cssa/Satellite?pagename=SantanderComercial/Page/SAN_Index you can see that the *.bancosantander.es certificate is valid because you are trusting in the chain.
Your company needs to create the root, then create the SSL signed by the root. The root (public part) is distributed to the client for install. The server sends the SSL to client in HTTPS protocol.
Check this link for more info.
The problem is probably that the encryption protocols of your Mac and the company web site don't match up.
Safari Browsers for OS X before Safari 7 (up to 6.0.7 which was on OS X 10.8.4) use the SSL 3.0 protocol, which has vulnerabilities and is considered insecure. Most newer and well-designed web sites use TLS 1.1 and/or TLS 1.2.
Browser encryption capabilities for Safari 6.0.4
Find out from your company if that is what is set up. The same site that has the specs I linked to allows you to enter a web site, and they'll throw a battery of test transactions at it to test its security and what will connect, but I doubt you can use that for an internal site. Ask your IT folks what encryption protocols they are using.
As a solution, I believe there are versions of Firefox and/or Chrome that can run on 10.8.4 that use TLS 1.2.
List of major browser versions that support TLS 1.2

Google Chrome doesn't trust mitmproxy's certificates

I'm running mitmdump (from mitmproxy) on my Macbook Pro, and I'm connecting to the proxy through my Windows desktop PC.
However, Chrome (running on the PC) refuses to connect to so many sites because of the invalid certificates which mitmproxy provides.
Chrome throws the error: ERR::NET_CERT_AUTHORITY_INVALID
Here's what mitmdump shows:
But why? What's wrong with mitmproxy's certificates, why can't it just send back google's as if nothing happened?
I'd like to know how I can fix this and make (force) my desktop PC to connect to any website through my Macbook's mitmproxy.
Answering this question for people who may find this important now. To get the proxy working, you have to add the certificate as trusted in your browser.
For Windows follow this: https://www.nullalo.com/en/chrome-how-to-install-self-signed-ssl-certificates/2/
For Linux follow this: https://dev.to/suntong/using-squid-to-proxy-ssl-sites-nj3
For macOS follow this: https://www.andrewconnell.com/blog/updated-creating-and-trusting-self-signed-certs-on-macos-and-chrome/#add-certificate-to-trusted-root-authority
There are some additional details in the above links; tl;dr: import the certificate in your chrome://settings URL and add the certificate as trusted. That shall do.
This will make your browser trust your self-signed certificate (mitm auto-generated certificates too).
The default certificates of mitmproxy are in the ~/.mitmproxy/ directory.
Per the Getting Started page of the docs you add the CA by going to http://mitm.it while mitmproxy is running and selecting the operating system that you are using. This should solve your problem and will allow https sites to work with mitmproxy.
This is the expected behavior.
mitmproxy performs a Man-In-The-Middle attack on HTTPS connections by providing on-the-fly generated fake certificates to the client while it keeps communicating with the server over a fully encrypted connection using the real certificates.
This way the communication between client and proxy can be decrypted. But the client has to actively approve using those fake certificates.
If that wasn't the case then SSL would be broken - which it isn't.
The whole story is very well explained here:
http://docs.mitmproxy.org/en/stable/howmitmproxy.html
