I am trying to automate the certificate renewal process. I am able to generate the certificate then import the certificate to the server and now just need to update the SSL certificate to the new certificate imported for a particular application(ex : ABC). No changes in other property like port number or anything else. Just need to point the SSL Certificate to the new one added for a particular application. I tried doing a lot of research but no luck. Please help
Related
I'm fairly new to the whole certificate shebang and not a versed Linux admin.
In our company, we run a Windows domain, but we also have some CentOS servers for different services.
On one of said servers we have our ticket system, which is browser based. I want to certify it with a certificate, signed by our Windows root CA, but no matter what I do, the certificate is shown as invalid in the browser.
Funny enough, both certificates in the chain (CA -> server) are shown as valid.
I already did the following:
start certificate process from scratch
tried different certificate formats (.cer, .pem)
verified server cert with root cert
checked validity with openssl (OK)
checked SSL connection with openssl, no issues
added root cert to Linux server trusted CA store
recreated cert chain (of 2)
restarted Apache over and over
reset browser cache
tried different browser
checked DNS entries
checked, if root CA is trusted in Windows (it is)
manually installed server cert in my browser
Both the server cert and the root cert show up as valid in the browser, with the correct relation.
I'm completely lost here. Is there some key step I forgot and not one of the ~30 guides I read forgot to mention?
Any help is greatly appreciated
Your question is missing some information:
Did you check the SSL connection from outside the server?
Did you verify the RootCA cert is inside the cert-store of the server (sometimes it is rejected without error messages)?
I would check the reason for rejecting the certificate in the browser (FireFox is usually more informative than Chrome), and look for the error-code.
Reasons can be (some of which you have already verified):
Wrong certificate properties (missing the required values in the "usage" attribute)
Wrong domain name
Expired certificate
Certificate could not be verified on the client-side
See this image as an example of an error code:
https://user-images.githubusercontent.com/165314/71407838-14f55a00-2634-11ea-8a30-c119d2eb1eb1.png
Note: My database works because I am able to migrate and query from within the application.
So I've setup my application and database on digital ocean's new "App" feature. And now I am trying to connect to the production database but I'm getting connection timeout error. Below are the details I inputed, but maybe I am missing my SSL cert ? If yes, how do I go about getting this ? Because I believe digital ocean automatically setup the SSL for me..
Database : postgresql
Tool used to connect : TablePlus
UPDATE
My site is SSL'ed
Checked directly on DO, and there's no certificate stored on my account
So after a few days I gave up and swap to using Droplets. I feel Apps Platform is cool for quick prototypes but I don't have much control in what I want can do in it. I don't think I could even run sudo in the console when I tried.
Here are a few other links I ran through that may or may not help others that was in similar situation if you were using a dev database on digital ocean. And also my support tickets solutions that I received.
Links
https://www.digitalocean.com/community/questions/cannot-connect-with-dev-database-due-to-ssl-issue?answer=67513
https://docs.digitalocean.com/products/databases/postgresql/how-to/connect
How to add an SSL certificate (ca-cert) to node.js environment variables in order to connect to Digital Ocean Postgres Managed Database?
DO Support Replied
I understand that you are trying to connect to the database with an
SSL certificate. Firstly, I want to let you know that you have
attached the dev database to your app "mysite" and not the production
database. However, you should be able to add the following env
variable to store the SSL certificate:
KEYS: CA_CERT VALUES: ${mysitedb.CA_CERT}
Once you add the above env variable then you should be able to use the
"CA_CERT" variable to fetch the SSL certificate in your app.
Additionally, you can view the SSL certificate by running the
following command in the console:
echo $CA_CERT
Thanks for getting back to us. This output would be intended. To use
the contents of that cert you would need to save the env variable to a
file or convert it from string using a method within your application.
You can then specify that file in your configuration and use the
certificate in your connection to the database.
An example of how to do this can be found here:
How to add an SSL certificate (ca-cert) to node.js environment variables in order to connect to Digital Ocean Postgres Managed Database?
Let us know if you have any questions.
Thank you for getting back to us!
From the screenshot, I see you are using the incorrect port number
5432. You have to use port number 25060 to connect to the database.
Regarding the SSL certificate, one thing to note here is that the
database is managed by DigitalOcean and it is not possible to generate
clients key (private key) and certificate (public key) via cloud
panel. That is the reason, you will need to generate those on your
local machine or from whichever client you plan to establish a
connection to the database.
Here is an example of how to use SSL on a client like Navicat, you
will need to download or have OpenSSL installed on your operating
system which you will use to generate Client Key File and Client
Certificate File which will be referred to as private and public keys
respectively
You need the below three files to connect
Client Key File
Client Certificate File
CA Certificate File
https://www2.navicat.com/manual/online_manual/en/navicat/linux_manual/SSLSettings.html
As a guide to establishing a connection
Generate Client Key File and Client Certificate File from your client or the local machine
Copy the certificate from app console to any .crt file and pass that file to connect to database.
Here is how to use the OpenSSL to generate the Client Key File and
Client Certificate File:
https://knowledge.digicert.com/solution/SO27347.html
openssl req -x509 -newkey rsa:2048 -keyout client-key.pem -out
client-cert.pem -days 3650 -nodes -subj '/CN=localhost'
For the Client Key File, Client Certificate, and CA Certificate choose
the directory location you saved them and click on "Test" button in
your client to test the connection.
Please let us know if you have any additional questions, and have a
wonderful day!
I am working in Ec2 instance. I have connected my php files like http://13.57.220.172/phpinsert.php. But it is not secured site. So i want to convert http into https://13.57.220.172.
I have cloudflare ssl. When i try to add ssl certificate. It shows
com.amazonaws.pki.acm.exceptions.external.ValidationException: Provided certificate is not a valid self signed. Please provide either a valid self-signed certificate or certificate chain. Choose Previous button below and fix it.
i have enclose the image with it.
So how can i get the self signed certificate. is there any online tool available.
I think the error message your seeing has to do with this sentence:
If your certificate is signed by a CA, you must include the
certificate chain when you import your certificate.
from https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html.
Since it sounds like you're not yet in "production" mode, I'm guessing you're not particularly attached to your existing certificate, but just want a certificate to be able to do HTTPS on your web server (and don't really care if it's self-signed).
If you want to use AWS Certificate Manager, I think it would be easier to just let them (AWS) issue you a certificate instead of trying to import one from somewhere else. AWS doesn't charge anything for certificates. https://docs.aws.amazon.com/acm/latest/userguide/acm-billing.html
Even if you get the certificate setup in AWS Certificate Manager, that's not going to be installed directly on your EC2 instance, but rather (most likely) on a load balancer in front of your web server, which will add a little complexity to your setup. https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
If all you want to do is use HTTPS on your web server, Let's Encrypt (also free) is probably a simpler option. If you are using AWS Linux 2, there are instructions for getting a certificate here - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html
Well, add to the points which #jefftrotman has already mentioned.
If your expectation is to just secure your IP address using HTTPS you can achieve that using the below approaches:
A SELF SIGNED certificate that you can create using OpenSSL.
You can also get an SSL certificate from a trust signing authority like (GoDaddy or VeriSign) or Let's encrypt.
The only requirement in the second point is that for getting a certificate from a valid signing authority you need to have a domain name like "myphpapp.com" and then use this domain to get the SSL certificate.
The below details are in case you want to use AWS ACM(Amazon Certificate Manager)
If you prefer ACM, you can get the free Public SSL certificate which you can map to the IP address and your web application will be secured.
If your requirement is to add SSL certificates (like PEM files) to a web server like
NGINX or Apache then you first need to create a Private CA using in ACM and then you using this CA you will be able to create Private SSL certificates. After creating those you can export the files and add those files to the configuration file. (try to use Amazon Linux 2) ec2 image for ease.
I have been managing Let's Encrypt's SSL certificates for a domain.
Now I am moving to Amazon API gateway. I will be using the AWS Certificate Manager to generate HTTPS certificates for the root domain and a bunch of subdomains.
If I make the transfer, what happens to my current HTTPS certificate which is associated with my domain. If browsers suddenly start seeing a new HTTPS certificate for a domain, for which they had been getting a different HTTPS certificate until now, would this be a problem?
Also, once I make the shift, what do I do with my current (manually managed) Let's Encrypt certificate? Is there a way to permanently void it?
Szabolcs Dombi says
You can have multiple valid certificates for the same domain at the
same time. Moving from one certificate issuer to another should not
cause a problem.
Toby Osbourn says
SSL certificates don’t last forever, most of them need to be renewed
on a yearly cycle and occasionally you will want to change the type of
the SSL certificate mid-cycle.
Since you are replacing certificates, I suggest you to back up the ones you have.
Once you have backed up the old certificates, just overwrite the .crt and .key files with your new ones. Then, reload your web server so it knows to look at these new certificates, and you should be good to go.
If it's within your interest to know more about how to Generate SSL certificate using Amazon Certificate Manager (ACM), I suggest Barguzar, A. (July 2018). Building Serverless Python Web Services with Zappa. where one can read a good step by step guide. See an excerpt of it below:
ACM is a service that manages and creates SSL/TSL certificates for
AWS-based services and applications. An ACM certificate works with
multiple domain names and subdomains. You can also use ACM to create a
wildcard SSL.
ACM is strictly linked with AWS Certificate Manager Private
Certificate Authority (ACM PCA). ACM PCA is responsible for validating
the domain authority and issuing the certificate.
You can have multiple valid certificates for the same domain at the same time. Moving from one certificate issuer to another should not cause a problem.
This also means that if you create a new certificate the old one still can be used unless it already expired.
i´am using ews-java-api and i need to use self-signed certificate to communicate with exchange-server, which is in same network like me.
Which name for self-signed certificate i should use to match with
exchange server 2010 entry ? it is domainname?
How can i use created certificate by my java-code, where i try to
autodiscovering the endpoint of exchange-server2010?
I´ve only created one certificate by keytool, but no idea how can i use it.
And i guess, that i have to create certificate with the correct name-entry, which is known by the exchange-server2010