Let's encrypt renew not work - lets-encrypt

My Let's Encrypt certificate is outdated today. So I tried to reinstall the certificate, and I got:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/awesomes.cn/fullchain.pem. Your cert will
expire on 2016-07-02. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
But I still can't visit. Does some cache exist? The site is https://www.awesomes.cn/

Your browser might be fooling you; as pointed out by TAM, your URL is working with a valid certificate.
It is worth saying that you need to restart the HTTP server when changing certs; you certainly did this, since it is working.

Related

Cypress: Invalid certificate issue for https website

The browser reports that the connection is insecure, so the certificate hasn't loaded correctly. However, when manually opening the website, it loads correctly.
Can anyone tell me how to fix the invalid certificate issue? It results in launching the wrong URL.
I tried with "chromeWebSecurity": false in my cypress.json, but no luck.
Please help me to solve this issue.
I haven't done this myself, but Cypress docs say that it's expected: You'll notice Chrome display a warning that the 'SSL certificate does not match'. This is normal and correct.
Note, that Cypress allows you to optionally specify CA / client certificate
https://docs.cypress.io/guides/guides/web-security#Examples-of-what-Cypress-does-under-the-hood.
So if the fake Cypress certificates are causing issues for you, you can try supplying your own certificates.
If it is not your website, you cannot fix it.
What you can do is verify why it is invalid, and decide whether to accept it and still open an https connection with the server although the certificate isn't valid.
Usually the steps are:
Click the Advanced button.
Read and understand.
Click Accept or close the tab.
The common reasons for a certificate to be invalid are:
Domain name invalid: the certificate is installed for multiple vhosts, and you have accessed the service for a domain name not defined in the certificate. www. is required, only * is specified without the empty domain, totally wrong domain name, etc.
Certificate is expired: check the date, it might be expired, and decide if that makes sense to you.
Certificate isn't trusted: self-signed or using an authority not trusted by your browser.
If it is your website, these are the same reasons, so you should be able to replace the certificate with an appropriate one.
By the way, this might not be a question for Stack Overflow, maybe more for Super User, but I am happy to answer it anyway.
Hope this helps you and others.
cheers,
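
The common reasons listed in the answer above (name not covered, expired, self-signed), as an added Python example that is not part of the original posts. It runs on a constructed certificate in the dict shape that ssl.SSLSocket.getpeercert() returns; the function names and the example.test names are illustrative assumptions, and whether the issuing authority is trusted is left to the TLS library's chain validation.

```python
import ipaddress
import ssl

def name_matches(pattern, host):
    """Match one DNS SAN entry; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # '*' spans exactly one label: *.example.test != example.test
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def host_covered(cert, host):
    """Check the requested host against the SAN entries only (subject CN is not used)."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(k == "DNS" and name_matches(v, host) for k, v in san)
    # An IP literal is compared with IP SAN entries only, not with DNS entries.
    return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san)

def diagnose(cert, host, now):
    """Return every reason `cert` would be rejected for `host` at `now` (epoch seconds)."""
    reasons = []
    if not host_covered(cert, host):
        reasons.append("name-mismatch")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("expired")
    elif now < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append("not-yet-valid")
    if cert.get("issuer") == cert.get("subject"):
        reasons.append("self-signed")  # accepted only once imported as a trusted root
    return reasons

# Constructed sample certificate (not taken from any site mentioned on this page).
SAMPLE = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("commonName", "Constructed Test CA"),),),
    "notBefore": "Apr  3 00:00:00 2016 GMT",
    "notAfter": "Jul  2 00:00:00 2016 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
}
VALID_AT = ssl.cert_time_to_seconds("May  1 00:00:00 2016 GMT")
LATE = ssl.cert_time_to_seconds("Aug  1 00:00:00 2016 GMT")

if __name__ == "__main__":
    print(diagnose(SAMPLE, "a.b.example.test", LATE))
```
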

Create self signed certificate for testing localhost and have it accepted by the browsers

I've been trying for weeks now to get this self signed certificate working in several browsers (Chrome, Firefox, Edge, IE).
I managed to create the certificate and install it as a trusted root certificate but in every browser I have to bypass the security to be able to have the test environment (website with xampp).
Today I have focused on Edge and IE (without success), and since the procedure for chrome is slightly different, I will try to make it work in chrome tomorrow.
I tried both to create a new one, and to duplicate an old (working) one, this way:
To create a new certificate, open PowerShell as admin, then:
New-SelfSignedCertificate -DnsName "127.0.0.1", "localhost" -CertStoreLocation "cert:\LocalMachine\My"
exported as mentioned in this description.
To clone, I used the example in this documentation.
Then I imported the certificates in the 'trusted root certificate' using certlm.msc.
But I got the error codes DLG_FLAGS_INVALID_CA and
DLG_FLAGS_SEC_CERT_CN_INVALID in Edge and IE.
Does someone know a procedure to make this work?
I've been looking all over the net without finding one.
I was trying to do a similar thing and did get the following to work:
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname localhost -FriendlyName "Dev localhost" -NotAfter (Get-Date).AddMonths(240) -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
The 'NotAfter' param extends the cert to 20 years.
The 'TextExtension' param configures the cert for 'Server Authentication' only. Without this, it defaults to Client Auth + Server Auth. I haven't researched, but the Client Auth seems to cause an issue (which is odd since most online examples don't mention it; I only found one that did).
This will create the cert in both the LocalComputer\Personal & LocalComputer\Intermediate Certification Authority. It also allows you to select the cert in IIS.
In order to actually run the site, the cert needs to get into the Trusted Root Certification Authority. To accomplish this, you can either export/import the cert or nav to the site in IE, click on the red security area and work your way thru the screens to import the cert. The link above shows the import/export approach.
Final notes:
I had to close/re-open IE (11.726.15063) to get the security prompt to go away despite IE telling me that the cert was installed.
My site was working fine in chrome (62) after the security warning cleared in IE.
I was using localhost and a non-standard port for my site, not a DNS name. Everything seemed fine.
HTH

Chrome OSX SSL This certificate has an invalid issuer

I am getting an 'invalid issuer' error when trying to access a local site. As can be seen in the screenshot, the root CA certificate has been imported and trusted. So, why do I still get this error?
The certificate works correctly in Firefox after importing the CA cert.
Mac OS does not support Name Constraints. Removing this property from the root certificate solved this issue in our case. For background see: https://security.stackexchange.com/questions/95600/are-x-509-nameconstraints-on-certificates-supported-on-os-x
(You don't appear to be using this property according to the screenshots, but I'm still posting this as it might be a valid solution for others)

AJAX and self-signed certificate

I'm trying to send AJAX requests to the REST API website that uses self-signed certificate.
The problem is that when I first visit that website it is complaining about this certificate issue. When I do an AJAX request (without accepting this certificate first) it fails silently.
The question is what to do in this case? Should I ask the user to go to this website and accept this certificate? Is there a way to do that in elegant way? I know that this certificate should have been signed in the first place, but I don't have an access to that website. Using http is not an option.
I have had this same problem several times. The best I could come up with was something like this: check for a cookie, if they have it, do nothing, if they do not have it, issue a re-direct to the site that generates the cert warning, user accepts the self-signed cert, then the user just needs to go back to your site. If you had any control over the api side, you could probably make it so that you have a bounce back url or something that ends up getting the user back to your site. There really is no elegant way to handle this short of just getting a real SSL cert. On another site, we ended up having to put a link to the service on our page for this very reason, fortunately it was temporary as we had control over the server side too, and planned on replacing the self-signed cert with a real one.
This is security doing its job. It may not be doing a good job as far as handling what the user is supposed to do, but you really should sign your certificate with a valid CA instead.

IE8 Will Not Install SSL Certificate

I have my own SSL for development purposes. Normally when IE would give you the WARNING you could simply install the certificate, restart IE and go back to the server without warning. In IE8 I cannot avoid the warning. I have installed the certificate into every single store without success using both the MMC and cert manager in IE8. WHAT AM I MISSING?!
Add the site to trusted sites. Then you will have the option to install the certificate after clicking the Certificate error box and then View Certificate.
Which certificate are you trying to install?
You must install the ROOT certificate, not the END-ENTITY certificate which is signed by that self-signed root. It should go in the Trusted Root Certification authorities store.
Make sure your cert's CommonName matches the domain name. For example, if your website will be accessed at 'https://www.example.com', CommonName should be 'www.example.com'. If this doesn't match, nothing you do in the second and third step will matter.
Run IE8 in administrator mode and navigate to your HTTPS URL. Continue beyond warning, then view the site's cert to access the 'Install Certificate' button.
Add the cert to Trusted Root CA Certificates.
Restart IE8 in protected mode then navigate to your HTTPS URL again. All warnings should be gone.
I could not install the certificate from IE. I had to finally use MMC (Management Console). Instructions here: http://technet.microsoft.com/en-us/library/cc757688(v=ws.10).aspx
