I have recently got an SSL certificate on my website, on the apache server that I am using to host my website. The website says "Secure" and also works fine when I run it over localhost using the laptops ip address 192.168.*.**. But when I try to port forward this website over the port 443, it somehow says unsecure and your connection is not private. Any help here will be appreciated.
It sounds like you are using a self-signed certificate for your https connection. While modern browsers such as chrome give you errors saying the connection is unsecure and perhaps you even see red lines crossing out the https at the beginning of your url, there is no need to worry. If you are getting your page to render with these characteristics all is working, the reason for the errors is because the certificate is signed only for you.
In a real world production scenario you would have to use a third party service for a public capable certificate. However for your own development purposes, as long as the page runs with https there all is working as it is intended to.
For more try reading this article.
Related
The Problem
browsers have no problem accessing my domain's website (https protocol) from a private network (home WiFi, personal hotspot), but if I try to access from a public network (my University's WiFi or Ethernet network, Costco WiFi, etc.), I get the following error message (happens on Chrome, FireFox, Edge, Safari (error messages are a bit different on Safari and FireFox)):
NET::ERR_CERT_AUTHORITY_INVALID
terp.app normally uses encryption to protect your information. When
Chrome tried to connect to terp.app this time, the website sent
back unusual and incorrect credentials. This may happen when an
attacker is trying to pretend to be terp.app, or a Wi-Fi sign-in
screen has interrupted the connection. Your information is still
secure because Chrome stopped the connection before any data was
exchanged.
You cannot visit terp.app right now because the website uses HSTS.
Network errors and attacks are usually temporary, so this page will
probably work later.
(By the way, it would give me the "because the website uses HSTS" message even before I implemented HSTS)
Background
I have set up an Apache2 web-server on my Linux VPS (Ubuntu 20.04). I recently configured everything so a domain I've purchased is accessible and working on this server:
DNSs redirect to server (domain is with Google Domains; VPS is hosted by Hostinger)
Redirect is achieved with custom records, which are two A records:
1st A record: Host Name: terp.app | Data: <VPS IP address>
2nd A record: Host Name: www.terp.app | Data: <VPS IP address>
Apache server set up with virtual hosts
set up an SSL certificate through letsencrypt.org (certbot)
I selected the option during this process to redirect http to https
configured DNS certificate authority authorization (CAA) so only letsencrypt.org-issued certificates are accepted
Achieved with one CAA record:
CAA record: Host Name: terp.app | Data: 0 issue "letsencrypt.org"
I enabled Strict Transport Security (HSTS)
Not sure if the fact that it is a .app domain has some sort of an impact
Bottom line, when I use ssllabs.com/ssltest/, I get an A+ grade: everything checks out. https connection has zero issues on private networks. I can confirm the problem from public networks doesn't have to do with a captive portal since I'm able to access any other website from these public networks.
Looking for a Solution
Yes, I know that I can navigate to chrome://net-internals/#hsts, and enter my desired domain name into "Delete Domain Security Policies." This is unequivocally not the solution I'm looking for. I want my site to work for users without them needing to do something like that. Other high-profile websites obviously don't have this issue, so...
How can I ensure my users will be able to access my site even when they're on public networks? Could it be because I'm using letsencrypt.org?
I am hosting my nodejs app in heroku and my domain name is in OVH.
I managed to create a subdomain www and a CNAME record that points to my heroku app. It is working fine and SSL is also working fine from heroku.
I added a redirection from all subdomains to https://www.mywebsite.com and everything is working fine.
My problem is when i type www.mywebsite.com, there is no redirection and no SSL.
How can i redirect www.mywebsite.com to https://www.mywebsite.com ?
Thanks !
Unfortunately, No.
DNS maps domain names onto IP addresses, that is, it tells the client that example.com points to 12.34.56.78. HTTP vs. HTTPS is a matter of picking a port, and using the right protocol, and this is negotiated directly between client and server; DNS lookup has already happened before that.
If you want to redirect all plain-http traffic to https, you have to do it on the web server, not the DNS server.
In your situation, you could do this in node.js.
There tons of examples online for node's built-in http server or for frameworks like express. I'd recommend this solution.
But there are also solutions like Cloudflare.
They offer you a DNS Service and a proxy, which can handle such HTTP to HTTPS redirection and they even let you use their own SSL Certificate, so you don't need to buy (or let's encrypt) a SSL Certificate on your own, for example.
I am working to setup my application to watch calendar events through Google's Calendar API. In doing so I must setup a "Push" endpoint on my server that has a valid SSL certificate (not self-signed).
My production environment is running on Heroku so setting up an SSL cert was easy using Expidited SSL. I have two CNames setup in GoDaddy, one for my production application and one for my development environment tunneled through ngrok. I'm using the paid ngrok feature of white labeled domain tunneling (dev.mydomain.com).
Host Points To
www saga-1234.herokussl.com
dev ngrok.com
The problem is that my ssl certificate is recognized when you hit the production application (www.mydomain.com), but it uses ngrok's certificate when you visit the development application (dev.mydomain.com).
How can I setup my ngrok tunnel to use my ssl certificate?
Ngrok's white labeled domain does not support HTTPS if you are using your own domain. Simply because it serves it's own certificate, where you need to serve your domain's. That's why you are getting certificate mismatch issue.
Here's what you could do to watch calendar events on your dev machine:
Point ngrok.mydomain.com to another server, let's say a new EC2
micro instance
Point wildcard CNAME to ngrok.mydomain.com
Compile ngrok server and client to use your certificate (rather than
ngrok.com)
Run the ngroku-server on EC2 instance
On your dev machine config the client to use ngrok.mydomain.com instead of ngroku.com
Run ngrok -subdomain=dev 80
Your local dev machine's 80 port should be accessible via https://dev.mydomain.com
This is really cool and is very helpful when debugging Google's webhooks, which require valid HTTPS and a verified root domain name.
Another interesting trick is to use CloudFlare's universal SSL to have a valid https://dev-machine.mydomain.com pointing to your dev machine without purchasing a certificate. The steps are exactly the same except that you need to issue your own certificate for ngrok client-server communications and use CloudFlare's Flex SSL for dev-machine.yourdomain.com.
ngrok has a new feature that tunnels and terminates SSL. Thus you can use your own domain and HTTPS. No need to open ports in your router or PC. They call it TLS Tunneling. The following is a link to a GitHub repos that describes how to do it.
How to use your own domain to access your home PC over the internet. Use HTTPS without raising SSL errors.
I have a custom soap-service for windows server which listens on a portnumber (for ex. 1024). When I make a call to this service using http:// (ip or domain):1024 the service works well.
When I try to make the same call to https:// (ip or domain):1024 I get the following response:
SSL connection errorUnable to make a secure connection to the server.
This may be a problem with the server, or it may be requiring a client
authentication certificate that you don't have.
When I try to connect to the same ip without the portnumber my IIS responds without any issue (I have a certificate installed).
Any help would be welcome!
Let's clarify:
a)-- Your delphi code is directly opening a socket and listening on a port
or
b)-- Your delphi code is hosted by IIS, and IIS is listening on a port
If it is 'a', then you need to add SSL support to your delphi app, so that your delphi app can speak SSL to clients. E.g. if you use Indy, or remote objects, or whatever, then your SSL work will happen at that level.
If it is 'b' then you go through the standard process of IIS SSL management (e.g. create a request file in IIS, then purchase a cert, then install the cert in IIS.... http://support.microsoft.com/kb/299875 )
This issue is occurring in a C#, .NET 4.0 environment. I tried using Fiddler but it doesn't show up. After searching around, the suggested solution was to change the address of the request from localhost to the machine-name.
This worked on my local machine: after changing the call from localhost to my-machine, fiddler picked it up. The real issue is on a client's staging environment with production code. I can not modify the code there to take this change.
Note, as far as I know, on the client site it should be making the request out to the host name and not localhost anyways.
Also, on my local machine I actually hit localhost in my browser, and it seems to pick those up fine. Just not the request built in code. Why is that?
Thanks!
It sounds like you're saying: "This works fine on the client's PC but not on my dev PC when using Localhost." Is that correct?
In IE9, I changed WinINET to enable Fiddler to capture loopback traffic from the browser. Sadly, the .NET Framework hasn't yet adopted support for the <-loopback> token, which means that traffic sent to 127.0.0.1 or localhost bypasses the proxy.