Getting ACME error when going for new domain cert - lets-encrypt

I am sure I am doing something stupid here, but I have been going around in circles for a bit. I have Traefik up and running with a cert for url1.ccsilab.com. I am trying to add for url1.ccsicloudsolutions.com that goes to the same place. I tried with two frontends pointing to one backend and now I have two frontends each pointing to their own identical backend. I am getting the following error.
Oct 3 16:15:30 ip-10-230-0-10 traefik[27166]: {"level":"error","msg":"Unable to obtain ACME certificate for domains \"ccsicloudsolutions.com,url1.ccsicloudsolutions.com\" : unable to generate a certificate for the domains [ccsicloudsolutions.com url1.ccsicloudsolutions.com]: acme: Error -\u003e One or more domains had a problem:\n[ccsicloudsolutions.com] acme: Error 403 - urn:ietf:params:acme:error:unauthorized - Invalid response from http://ccsicloudsolutions.com/.well-known/acme-challenge/UoyASm_w_5Xkdv-xVx8NKi3ndbZ81tls_0eHO8iAD0I [34.194.40.15]: 404\n","time":"2018-10-03T16:15:30Z"}
Below is the acme portion of the config:
[acme]
email = "xxxx@yyy.com"
storage = "acme.json"
caServer = "https://acme-v01.api.letsencrypt.org/directory"
entryPoint = "https"
  [acme.httpChallenge]
  entryPoint = "http"
  [[acme.domains]]
  main = "ccsilab.com"
  sans = ["url1.ccsilab.com"]
  [[acme.domains]]
  main = "ccsicloudsolutions.com"
  sans = ["url1.ccsicloudsolutions.com"]

Most likely the domain ccsicloudsolutions.com doesn't point to Traefik, or access to the resource which Let's Encrypt's verification server requested requires authentication (Error 403).
Make sure the DNS records for the domain are correct and that the http entrypoint doesn't require authentication.
This error message comes up when Let's Encrypt fails to verify the ownership of the domain.
Also, I'd use the new Let's Encrypt endpoint (https://acme-v02.api.letsencrypt.org/directory).

Related

The Callback URL or Verify Token couldn't be validated. Please verify the provided information or try again later

I have been following the facebook bot setup guide and have setup a callback url that is running on an EC2 instance.
I am getting an error (see title of this) when trying to validate the callback url and verify token.
https://360.finance:1337/webhook is my webhook and the verify token is the same in my environment variable and in my facebook setting.
I set up SSL using LetsEncrypt and from what I can tell, the SSL is not showing as self signed so it looks to be working correctly (please note I'm new to all of this)
Checked at https://www.ssllabs.com/ssltest/analyze.html?d=360.finance&hideResults=on and all looks correct.
I have also included the facebook page token as an environment variable and included in my index.js file
I have tested netcat / telnet into that port on my ec2 ip and it is succeeding
You must return an HTTP response containing the hub.challenge token as plain text.
We need to update the following on the Facebook app settings page before adding the Callback URL or Verify Token.
Privacy Policy URL
Category
App Icon (1024*1024)
It's weird that Facebook doesn't point out our exact error.
Check your callback server, whether it is running or not.
The callback and token come from your server.
For Python users, you need to use a dot, not an underscore. I don't get it: when I use the underscore version the Facebook API can't access the challenge, but when I replicate the same GET request with Postman I can access the challenge.
from django.http import HttpResponse

def webhook(request):
    # Wrong way: Facebook sends the parameter as "hub.challenge", so this key is never present
    # challenge = request.GET['hub_challenge']
    # Right way
    challenge = request.GET['hub.challenge']
    return HttpResponse(challenge)
Do not use ngrok or localtunnel.
I tried both, with no luck.
If you really want your local dev server to authenticate, you can port forward over SSH to your public-facing server.
ssh -R 4000:localhost:4000 root@your-server-ip
This way you can set up nginx to reverse proxy 443 to 4000 and handle SSL with certbot.
Sample config for the nginx reverse proxy (before running certbot):
server {
    server_name my-own-domain;
    root /usr/share/nginx/html;
    index index.html index.htm;
    listen 80;
    location / {
        proxy_pass http://localhost:4000/;
    }
}
So you "only" need:
Your own domain
Your own server
nginx
certbot
SSH Server
And now you have your own private ngrok replacement.

Insecure Login Blocked: You can't get an access token or log in to this app from an insecure page. Try re-loading the page as https://

I am implementing Passport Facebook Authentication by linking the Facebook Authentication API route to a button using href like:
Facebook Login
When I click on the button, it redirects to the Facebook Authentication page. But on the page, an error message is displayed saying something like "Insecure Login Blocked: You can't get an access token or log in to this app from an insecure page. Try re-loading the page as https://"
How can I fix this issue?
Amazingly I just started trying to do the same thing like an hour ago and have been having the same issue. If you go into the FB developer portal and go to Settings under Facebook Login there's an option to Enforce HTTPS.
Further Investigation Showed:
"Enforce HTTPS. This setting requires HTTPS for OAuth Redirects and pages getting access tokens with the JavaScript SDK. All new apps created as of March 2018 have this setting on by default and you should plan to migrate any existing apps to use only HTTPS URLs by March 2019. Most major cloud application hosts provide free and automatic configuration of TLS certificates for your applications. If you self-host your app or your hosting service doesn't offer HTTPS by default, you can obtain a free certificate for your domain(s) from Let's Encrypt."
Reference: Login Security
Since you're using passport, also check your auth.js settings, or where ever you keep these settings. Even if your website has a certificate, the following code will still fail:
'facebookAuth' : {
'clientID' : '.............', // App ID
'clientSecret' : '............................', // App Secret
'callbackURL' : 'localhost:9999/auth/facebook/callback',
'profileURL' : 'https://graph.facebook.com/v2.5/me?fields=first_name,last_name,email',
'profileFields' : ['id', 'email', 'name']
},
The problem lies with the callbackUrl.
'callbackURL' : '/auth/facebook/callback'
'callbackURL' : 'http://localhost:9999/auth/facebook/callback'
The statements above will both fail. The callbackUrl needs to start with https. The first one will try to load http://localhost and append the callbackUrl. The second one obviously loads the full URL with http, and both fail to connect with FB. So try one of the following. If your site has a certificate, provide the full URL. If you're testing this on localhost, create your own certificate and access it by https like:
'callbackURL' : 'https://example.com/auth/facebook/callback'
'callbackURL' : 'https://localhost:9999/auth/facebook/callback'
Since Facebook has been requiring the use of HTTPS for our redirect URIs, we can use ngrok on localhost to start up a local secure HTTP tunnel. It is a clean and fast alternative for now.
Get official ngrok package
Unzip to your preferred directory
unzip /opt/ngrok.zip;
Make your first HTTP tunnel: /opt/ngrok http 3000
See more great use cases in ngrok docs.
There are 2 ways you can solve that:
First:
You can go to your google Passport strategy and add proxy: true
passport.use(
  new FacebookStrategy(
    {
      clientID: facebookID,
      clientSecret: facebookSecret,
      callbackURL: "/auth/facebook/callback",
      proxy: true
    }
  )
);
What happens most of the time is that, when you deploy your app through Heroku, for example, they have a proxy that allows Heroku to direct the requests to your specific server, and Passport assumes that if your request goes through a proxy it might not be safe (so... no HTTPS).
The second way you can solve that is by using a specific path for your callbackURL.
For example, instead of using:
callbackURL: "/auth/facebook/callback"
you would use:
callbackURL: "https://mydomain/auth/facebook/callback"
Keep in mind that if you are going to use this approach you might need to create environment variables to hold the values of your specific redirectURL for development as well as for production.
To fix this for local development, generate SSL certs on your machine. Run the commands below (tested on Mac High Sierra; you will need the openssl library installed on your OS) to create a cert.pem and a key.pem file in your working directory.
openssl req -x509 -newkey rsa:2048 -keyout keytmp.pem -out cert.pem -days 365
openssl rsa -in keytmp.pem -out key.pem
Change your node http server to use https. You will need to import the https module in place of the http module.
const https = require('https')
const path = require('path')
const fs = require('fs')
const options = {
cert: fs.readFileSync(path.resolve(__dirname, '<path_to_your_cert.pem>')),
key: fs.readFileSync(path.resolve(__dirname, '<path_to_your_key.pem>'))
}
const server = https.createServer(options, <your_handler_or_app_eg_express>)
server.listen(<your_prefered_port_number>)
Go to the app on your facebook developer console and set the Valid OAuth Redirect URIs to the https version of your localhost domain. Do same for the app domain and site url.
In my case, I modified my package.json file.
"start": "node scripts/start.js" =>
"start": "set HTTPS=true&&node scripts/start.js"
I hope this helps you.
This is for the PHP SDK reference.
Now HTTPS is required for the web application to log in via Facebook.
The following procedure is required to get valid authentication from Facebook.
Basic Settings
set App Domains as your root domain (www.example.com)
Privacy Policy URL (https://www.example.com/privacy-demo/)
Terms of Service URL (https://www.example.com/terms-demo/)
Set Category
Site URL (https://www.example.com/facebook-login/); the facebook-login folder contains all my Facebook login files
Advanced
Server IP Whitelist (your host ip address 124.25.48.36)
Products, under Facebook Login settings
Valid OAuth Redirect URIs (https://www.example.com/facebook-login/fb-callback.php)
Quick start
Select Website and put the site URL (https://www.example.com/facebook-login/)
Save all changes and make your app live (i.e. switch on your app). Now your app status will be live.
You can refer to this code: https://github.com/facebook/php-graph-sdk
Using a VPN worked for me; CyberGhost is free, try it.
In your Passport settings change your redirect URL to some https://someUrl
'https' is important

Identity Server - HTTPS binding, SAN Certificate & NLB

I need help regarding Identity Server on the following:
Do reference tokens use Signing Certificate?
On http://localhost the application is working fine; on binding to a public URL with HTTPS, the login call returns a token, but subsequent WebApi (client) calls return "401 - Authorization has been denied for this request". Is it because of the SSL certificate or due to the NLB (two different Identity Servers are deployed on the backend)? I am using Entity Framework for storing the reference tokens. Do multi-domain SSL certificates (SAN) work fine for Identity Server?
Do I need to add machine keys on both Identity Server config files to sync, or is this requirement only for the JWT approach?
Thanks.

How to generate a www LetsEncrypt certificate using laravel forge?

I provisioned a server using Forge and set the domain to blog.example.com. I generated a LetsEncrypt certificate for that server and set the site to run on HTTP/2. It was perfectly fine.
However, I need to make the server accessible via www.blog.example.com now. So I set a CNAME record to route www.blog to blog.example.com. But I got an error "This site can't provide a secure connection" when I try to access the site via www.blog.example.com. So I tried to generate a new certificate for www.blog.example.com but Forge replied "First domain does not match root domain on site".
How can I solve the problem?
Thank you.

Heroku - DNSimple configuration

Trying to set up SSL to work on mydomain.com. Following the Heroku documentation I have managed to get SSL working on https://secure.mydomain.com. However the actual endpoint created by Heroku when I added the SSL is still saying
**Heroku | No such app**
There is no app configured at that hostname.
Perhaps the app owner has renamed it, or you mistyped the URL.
I am a little confused as to how I get tokyo-2121.herokussl.com to point to my actual application on Heroku.
emet:myapp vezu$ heroku certs
Endpoint Common Name(s) Expires Trusted
------------------------ --------------------- ------------------------ -------
tokyo-2121.herokussl.com secure.mydomain.com 2013-09-09 12:28:05 CEST True
Then
emet:myapp vezu$ heroku certs:info
Fetching information on SSL endpoint tokyo-2121.herokussl.com... done
Certificate details:
subject: /serialNumber=htilpsjjgrrlhyVZ8rbeandz78555bgpWx/FDEVd/OU=GT166968518/OU=See www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=secure.mydomain.com
start date: 2012-09-06 12:38:54 CEST
expire date: 2013-09-09 12:28:05 CEST
common name(s): secure.mydomain.com
issuer: /serialNumber=htilpsjjgrrlhyVZ8rbeandz78555bgpWx/FDEVd/OU=GT166968518/OU=See www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=secure.mydomain.com
SSL certificate is verified by a root authority.
I assume that this means I have installed the SSL correctly. My DNSimple config looks like this:

| Type  | Name               | TTL  | Points to                |
|-------|--------------------|------|--------------------------|
| ALIAS | mydomain.com       | 3600 | proxy.herokuapp.com      |
| CNAME | secure.mydomain.com| 600  | tokyo-2121.herokussl.com |
| CNAME | www.mydomain.com   | 3600 | proxy.herokuapp.com      |
| MX    | mydomain.com       | 600  | mx00.1and1.co.uk (P:10)  |
| MX    | mydomain.com       | 600  | mx01.1and1.co.uk (P:20)  |
How do I get the endpoint tokyo-2121.herokussl.com to link to my app? Should I be adding it anywhere on my app?
It sounds like you've configured the SSL endpoint correctly but not told Heroku what domain you will be using. This error message is actually coming from within Heroku meaning that when typing the hostname you're being directed to the correct place but Heroku doesn't recognise the hostname and therefore cannot determine which site to serve.
You need to take a look at the heroku domains command.
You can list the domains using:
heroku domains
If the domain does not appear within the list then you will need to add it. You can do this using:
heroku domains:add secure.mydomain.com
This will add the domain to your Heroku app so that the Heroku servers serve your site for any requests to that host name.