i use Library autocert in my application for generate ssl certificate, problem is 30% of users have problem with my application, my current code is :
fmt.Println("Starting server on " + this.Params.Bind)
if this.Params.SSL {
fmt.Println("SSL Enabled")
m := autocert.Manager{
Prompt: autocert.AcceptTOS,
HostPolicy: autocert.HostWhitelist(this.Params.HostsWhitelist...),
Cache: autocert.DirCache(this.Params.CertCache),
}
log.Fatal(autotls.RunWithManager(r, &m))
} else {
r.Run(this.Params.Bind)
}
the errors is :
2018/12/03 12:37:33 http: TLS handshake error from 68.71.48.249:55885: acme/autocert: missing server name
2018/12/03 12:37:33 http: TLS handshake error from 209.213.121.223:38284: acme/autocert: missing server name
2018/12/03 12:37:33 http: TLS handshake error from 209.213.121.223:38283: acme/autocert: missing server name
2018/12/03 12:37:33 http: TLS handshake error from 68.71.48.249:55887: acme/autocert: missing server name
2018/12/03 12:37:33 http: TLS handshake error from 68.71.48.249:55888: acme/autocert: missing server name
2018/12/03 12:37:33 http: TLS handshake error from 209.237.150.145:56842: acme/autocert: missing server name
how i can fix error missing server name ?
Maybe my blog will help you find a difference in your code vs the code I show in my blog.
https://marcofranssen.nl/build-a-go-webserver-on-http-2-using-letsencrypt/
Furthermore I figured out there is a much better library available to manage certificates via Letsencrypt.
https://marcofranssen.nl/use-the-acme-dns-challenge-to-get-a-tls-certificate/
In this second blog I utilize https://go-acme.github.io/lego/ which is supporting more of the ACME challenges. It ships with a cli, but can also be used as a lib in your webserver. In fact it is used in Traefik as well the Caddy webserver project.
You also should NOT use the SNI challenge anymore as it is considered insecure. Instead use the ALPN challenge.
Related
Here's my configuration
[entryPoints]
[entryPoints.http]
address = ":801"
[entryPoints.https]
address = ":802"
[entryPoints.https.tls]
[entryPoints.https.tls.ClientCA]
files = ["/etc/ssl/comodo/bundle.crt"]
[[entryPoints.https.tls.certificates]]
certFile = "/etc/ssl/comodo/www.crt"
keyFile = "/etc/ssl/comodo/www.key"
[frontends]
[frontends.http] # default
entryPoints = ["http", "https"]
backend = "fallback"
passHostHeader = true
Now I'm trying to access https://mydomain:802 and I get following error in traefik debug output
http: TLS handshake error from 111.111.111.111:64463: tls: client didn't provide a certificate
curl error message
error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
I can't figure out what I'm doing wrong.
Why would you want to use Mutual authentication (two-way handshake)? For normal SSL connections your server certificates are enough.
In your traefik.toml you're configuring Mutual authentication. If you really want so, you have to provide the certificate within your curl request:
curl --cert client.pem:<password> --key key.pem --cacert ca.pem
If you only want to provide "normal" SSL, you should delete following lines:
[entryPoints.https.tls.ClientCA]
files = ["/etc/ssl/comodo/bundle.crt"]
I'm trying to set up SSL certs for my laravel API so it can connect to my front end project. I'm hosting my server on aws EC2 so Ive been trying to use cloudfront and acm. I get a 502 error when trying to access my api routes using my DNS. In the error code cloud front sends a link and it tells me to use an open ssl command to determine if cloudfront can establish a connection. the command is
openssl s_client –connect domainname:443 –servername domainname
Once I add that with my domain name I get this response.
CONNECTED(00000003)
140306801927832:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 326 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1536682031
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Im not really sure where to go from here because this is my first time trying to set up ssl.
We are running consul through docker and using the HTTP health checks to a URL (https://10.1.24.68:5012/status) with a self-signed certificate. However, I get the following error:
2016/06/10 10:29:42 [WARN] agent: http request failed
'https://10.1.24.68:5012/status': Get https://10.1.24.68:5012/status:
read tcp 10.3.2.11:55549->10.1.24.68:5012: read: connection reset by
peer
It works as well when we use the Script health check with the wget command but this is not ideal. This is the line of code in Consul throwing the above error.
When running the health check to a HTTP URL (http://localhost:5012/status) it works. Could this be a certificate issue? I've added our certificate to both /etc/ssl/certs/ca-certificates.crt and /usr/share/local/ca-certificates.crt.
Halp!
NGINX acting as a caching proxy encounters problems when fetching content from CloudFront server over HTTPS:
This is the extract from the NGINX's error log:
2014/08/14 16:08:26 [error] 27534#0: *11560993 SSL_do_handshake() failed (SSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) while SSL handshaking to upstream, client: 82.33.49.135, server: localhost, request: "GET /static/images/media-logos/best.png HTTP/1.1", upstream: "https://x.x.x.x:443/static/images/media-logos/best.png",
I tried different proxy setting like proxy_ssl_protocols and proxy_ssl_ciphers but no combination worked.
Any ideas?
I had the exactly same problem and spent a couple of hours...
I guess you are using older version of nginx (lower than 1.7)?
In nginx 1.7 you can use this directive:
proxy_ssl_server_name on;
This will force nginx to use SNI
Also, you should set the SSL protocols:
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
For earlier versions you may be able to use this patch (but I can't verify that that is working):
http://trac.nginx.org/nginx/ticket/229
2019 Update: You should avoid TLSv1 and TLSv1.1 and disable them if possible. I'll leave them in the answer as they are still valid for SNI.
Everything I try and connect to via https fails. Bellow is a curl output, but it does this with git mongo and everything. darwin just doesn't like https.
About to connect() to github.com port 443 (#0)
Trying 207.97.227.239... connected
Connected to github.com (207.97.227.239) port 443 (#0)
successfully set certificate verify locations:
CAfile: /usr/share/curl/curl-ca-bundle.crt
CApath: none
SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS alert, Server hello (2):
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
You might say not a problem just change https to http, yes this is fine when you only have
1 url like git clone but on rvm install about 50 of the required things fails to install because of this. I don't want to go into rvm and change all occurrences of https to http.
Take a look at this post, slightly different, but i think it will answer you questions:
SSL certificate rejected trying to access GitHub over HTTPS behind firewall
You can essentially have OSX ignore the SSL Cert Verify, and accept the connection.
It turned out that my version of curl was using an old certificate to validate https.
I cam across this issue on git for cURL under Leopard:
https://github.com/mxcl/homebrew/issues/11947
And the error went away and I am now able to download https files from cURL.
This looks like an issue with curl itself, rather than OSX. What version are you using? If it's particularly old, then the reference here to a "severely outdated CA file" probably applies.
Try installing up-to-date versions of curl and git from macports.