To the poste.io users:
The mail server supports multiple subdomain. So far so good. But the ssl cert is always of the main domain. i.e., when opening the webmail using the subdomain's url, I see a security exception.
Isn't is possible to extend the lets encrypt's ssl cert list to also have the subdomains so that we have valid certs per subdomain?
I found the option to manually issue ssl cert with multiple subdomains. After logging into admin console, this option can be found under System Settings -> TLS Certificate -> Change Certificate Settings option.
Related
I'm setting up kerberos with an existing Active Directory as KDC and having an issue communicating to the ldaps server. We have a cluster of servers for AD. let's say server1.example.com,server2.example.com,server3.example.com and the company just uses example.com to connect. I've setup ldap integration with amabri for user access to the portal via the ambari-server setup-ldap, but did it without ssl and I can use ldap://example.com as the ldap server and it works fine. With ldaps, however, ldaps://example.com:636 doesn't work. I get an error in the ambari-server.log: "java.security.cert.CertificateException: No subject alternative DNS name matching example.com found". I have imported the CA cert and each individual server's certificate into my keystore and put the ca in /etc/pki/ca-trust/source/anchors/activedirectory.pem, but I still can't get it to work for example.com. I can get it to work for server1.example.com and all the others individually, but I can't get it to work for the example.com dns name. I don't have control over the certificate creation on the AD ldaps side. These certs were self-signed by the AD server and each server has it's own certificate. Is there anyway to tell ambari to accept invalid certs for the kerberos wizard, or any other way to get the broader domain name to work? Thanks in advance for any help.
So I have made a small script on my website for my telegram bot. Only problem is that if I set my URL as webhook for the bot it gives an SSL error.
Also tried to add an self signed certificate, so has_custom_certificate turned to true, but the same error appeared.
What am I doing wrong?
You have to create a self-signed certificate for deploying your server over https. If you are using flask you can follow this nice tutorial - https://blog.miguelgrinberg.com/post/running-your-flask-application-over-https
The problem is with your certificate.
The error in your getWebHookInfo:
"last_error_message":"SSL error {337047686, error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}"
Is Telegram saying that it needs the whole certificate chain (it's also called CA Bundle or full chained certificate).
How to check your certificate:
You can use the SSL Labs SSL Server Test service to check your certificate:
Just pass your URL like the following example, replacing coderade.github.io with your host:
https://www.ssllabs.com/ssltest/analyze.html?d=coderade.github.io&hideResults=on&latest
If you see "Chain issues: Incomplete" you do not serve a full chained certificate.
How to fix:
You need to add all the three needed files (.key, .crt, and .ca-bundle). The Namecheap has very good documentation of how to install an SSL certificate in your site in many different ways, like Apache, Node.js, Nginx and etc. Please, check if you can follow one of the available ways: Namecheap - How to Install SSL certificates
Anyway, you need to download the full chained certificate for your SSL certificate provider and install this on your webserver.
I don't know which service you are using, but for my example, with gunicorn I solved adding the ca-certs with ca-bundle file sent by my SSL Certificate provider (In my case Namecheap Comodo) on my SSL configuration, like the following example:
ca_certs = "cert/my-service.ca-bundle"
For further information: #martini answer on this thread and the FIX: Telegram Webhooks Not Working post.
I have a win 7 x64 box I recently reimaged and I have installed IIS7.5 and PHP 7. I am trying to set up localhost sites for secure https and I have successfully created a self-signed certificate for this purpose. I have set the IIS bindings for the site to use https over port 443 (IP Address: All unassigned) and selected the new SS cert.
When I go to https://localhost/php_info.php on my computer, I can see the phpInfo content but Chrome displays alerts that site is not secure.
Certificate error: There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).
Obsolete connection settings: The connection to this site uses a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and an obsolete cipher (AES_256_CBC with HMAC-SHA1).
What can I do to run secure sites over localhost?
The certificate error can be fixed if you generate another certificate, with Subject Alternative Name (which is required by Chrome). More information can be found in,
https://blog.lextudio.com/why-chrome-says-iis-express-https-is-not-secure-and-how-to-resolve-that-d906a183f0
The TLS cipher should be cleaned up by using a tool such as IIS Crypt,
https://www.nartac.com/Products/IISCrypto
Jexus Manager has SSL Diagnostics, which can provide you hints on what's wrong in your server configuration,
https://www.jexusmanager.com/en/latest/tutorials/ssl-diagnostics.html
I have a domain that I purchased from Google and a heroku app that I'm trying to send it to.
I've done the steps in this article: https://www.justinvrooman.com/articles/how-to-use-heroku-with-google-domains
and yet when I try to access the site I get a
Your connection is not private
Attackers might be trying to steal your information from www.***.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
What am I doing wrong with my set up or why am I getting this message?
It looks like you've enabled SSL in your Rails app but your site doesn't have an SSL certificate configured. To disable SSL, set the following to "false" in your 'config/environments/production.rb' file.
config.force_ssl = false
In addition, in the same file, don't forget to set your "host" equal to your custom domain.
host = 'www.yourdomain.com'
If you want to run SSL on a custom domain (e.g. www.example.com) you'll need to purchase and configure an SSL certificate for your domain.
If, however, you are fine using Heroku's domain (e.g. example.herokuapp.com), then you can piggyback on Heroku's SSL certificate.
More info on running SSL on a custom domain through Heroku: https://devcenter.heroku.com/articles/ssl-endpoint
I am using some of the local machine's resources using COM interop functionality provided in Silverlight 4.0. Hence, naturally I need OOB with elevated permissions. However, in my case I am consuming the WCF services hosted on HTTPS channel. Here is where I am facing the problem. The OOB with elevated permissions applied, doesn't allow me consuming the HTTPS service hosted on either different or the same domain, giving me a NotFound exception. Please note that I have used the self-signed certificate for the development environment. The same is also installed in the Trusted Root folder of the client machine on which I am testing.
Interestingly, when I set the Fiddler options (in Fiddler session, Toos -> Fiddler Options -> HTTPS tab) to intercept the HTTPS traffic, with Decrypt HTTPS traffic checkbox set, I am able to use the same HTTPS service without any exception. But for that, I was told by Fiddler to store a temporary certificate inside my user profile's Fiddler directory, and I must have at least one Fiddler session at that time. Hence, it seems to be a certification issue. But does it relate in anyway to signing of the XAP file with the required certificate ? I am not sure. I tried with a self-signed certificate and bind my layer service URL to use that certificate. Then I install the same certificate to Trusted root folder of the client. But i was not successful in signing the XAP with that certificate.
Please let me know if you have any work-around.
If the code is running in a different user's context, you need to put your "Self-signed" certificate into the Machine Trusted Root store. Start mmc.exe. On the File menu, choose to Add a Snap-in. Add the Certificates snap-in. Pick Local Machine. Import the Self-signed root into the Trusted Root store.
I had the same problem and found out, that the SSL settings in IIS were wrong.
I configured IIS 7.5 to SSL only and to accept client certificates. With this settings, I ended up with the service not found error in OOB. After setting IIS to ignoring client certificates the OOB Application works fine.