We are getting this error
"BW-HTTP-100300 Job-29000 Error in [Processes/Services/HTTP Request/Process Definition.process/Send HTTP Request]
An IOException was thrown while trying to execute the Http method
caused by: java.io.IOException: Failed to create secure client socket: Server certificate rejected by ChainVerifier"
I have done the following:
1. Created send http request.
2. Configured everything in the Configuration tab and the Input tabs.
3. Created Identity and imported the same into Identity
4. Downloaded the certificate and imported it in to 'Configure SSL'
5. While running the process I get the error mentioned above.
Am I missing anything?
Please provide me some guidance. Thanks in advance
Downloading the server certificate is not enough, you need to download the whole certificate chain from the root CA down to the server cert.
In the above example, you need to download all certs (except the last one mail.google.com which is optional) and add them to your trusted certificates folder.
Have you enabled VerifyHostName option while making the connection? If yes, then the server name should be in the allowed list too. In most cases you dont need this option enabled.
Related
THIS IS STILL AN ISSUE ANY HELP WOULD BE APPRETIATED
I am having an issue setting up TLS through a custom CA between Kibana and Enterprise search. I have the default x-pack security set up for the interconnection of my Elasticsearch nodes with both Kibana and Enterprise search, which was done according to the following docs: minimal security basic security ssl/tls config. I can successfully run Enterprise search through http, however my issue arises when I enable ssl/tls for ent-search..
When I have https configured for ent-search using this doc, the server is "running", however I receive an error after boot and Kibana throws an error when attempting to connect.
ent-search error (non corresponding with Kibana's hit to the ent-search hostname, this error raises shortly after ent-search is "starting successfully", but isn't fatal)
[2022-06-14T20:37:45.734+00:00][6081][4496][cron-Work::Cron::SendTelemetry][ERROR]: Exception:
Exception while performing Work::Cron::SendTelemetry.perform()!: Faraday::ClientError: PKIX path
building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
Kibana error (directly corresponding to when I ping http://obfuscated-dns:5601/app/enterprise_search/overview)
[2022-06-14T20:43:51.772+00:00][ERROR][plugins.enterpriseSearch] Could not perform access check to
Enterprise Search: FetchError: request to https://obfuscated-dns:3002/api/ent/v2/internal/client_config
failed, reason: unable to get issuer certificate
The steps I took to generate said certificate were: I created a csr on my server using elasticsearch-certutil csr along with a yml file which specified the distinguished name, I sent the unzipped csr to my CA (Digicert), uploaded the signed certificate and intermediate certificate provided by Digicert to my server, used openssl to generate a keystore using the signed cert and that private key generated along-side the original csr, then finally converted the keystore to .jks format using keytool.
From my understanding, the path of this keystore is what is needed for the configuration file for enterprise-search and the intermediary cert is what is used in the Kibana certificate authority config field (ca.pem). I have also tried to stuff both the signed and intermediate cert in the same .pem, as well as the private-key, signed and intermediate cert. Below are the relevant configurations:
kibana.yml
enterpriseSearch.host: https://ofuscated-dns:3002
enterpriseSearch.ssl.verificationMode: certificate
enterpriseSearch.ssl.certificateAuthorities:
- /path/ca.pem
enterprise-search.yml
ent_search.external_url: https://obfuscated-dns:3002
ent_search.listen_host: 0.0.0.0
ent_search.listen_port: 3002
ent_search.ssl.enabled: true
ent_search.ssl.keystore.path: "/path/keystore.jks"
ent_search.ssl.keystore.password: "pass"
ent_search.ssl.keystore.key_password: "pass"
I'm starting to feel like I fundamentally misunderstand something here. A lot of the jargon behind SSL/TLS certificates seems to lack standardization. While we are at it, what is a root cert in relation to what I have listed? Is it the intermediate cert? I see there is a master "root certificate" for the Digicert CN I certified under, however I'm unsure where this fits in. The config variable "certificateAuthorities" doesn't document what this .pem file should contain specifically and when searched the concept of a certificate authority is never associated with file contents, but instead is simply abstracted to the entity which provides certification (duh).
To put it succinctly: What does this variable "certificateAuthorities" explicitly entail?
UPDATE 09/28/2022
I have now confirmed that SSL is working when calling enterprise-search outside of the VM its running in. I can utilize its endpoint with my flutter and react app, however Kibana is till throwing the error mentioned above. I have checked that the root/intermediate CA provided to kibana's configuration is indeed the certificate linked with the signed cert provided to enterprise search and even confirmed so using SSLPoke.. This leaves me with the suspicion that perhaps Java is a bad actor in the mix? I've added the root/intermediate CA to the cacerts keystore in the ssl/java directory of the Linux VM, but still no luck. Any thoughts?
I'm trying to install a self-host WCF service on a server with Windows Server 2012.
I was following these steps:
import my pfx file with mmc
run "netsh http add sslcert ipport=0.0.0.0:49000 certhash=e09280ded2322eb858b38b3250e1a488f797b269 appid={4dc3e181-e14b-4a21-b022-59fc669b0914}"
install my service and start it
At first it works well. But after a few hours the ssl crashes and I can only get error msg at client as below
An unhandled exception of type 'System.ServiceModel.CommunicationException' occurred in mscorlib.dll.
Additional information: An error occurred while making the HTTP request to https://servername:49000/WCFServiceName. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.
run "netsh http delete sslcert ipport=0.0.0.0:49000"
and delete the imported pfx and then redo step1 and 2 can make ssl works again, but the problem will still appears in a few hours.
It's definitely not the SecurityProtocol problem, for I have already tried adding
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
before request. And both server and client uses .Net Framework 4.5.2
I've tried "netsh http show sslcert", and got below result:
IP:port : 0.0.0.0:49000
Certificate Hash : e09280ded2322eb858b38b3250e1a488f797b269
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
I've tried delete the sslcert binding on port 49000 and created an empty website binding to port 49000 in IIS and make my service listening to that port then. It works the first time and lasted for about a week before the same error pops out.
Where should I begin to locate and solve this wired problem?
First, we should ensure that the certificate private key could be accessed by WCF. The Network Service account (or Everyone account) should be added in the certificate READ/Writer group, then we run the application (windows service, or console?) with corresponding account.
https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-make-x-509-certificates-accessible-to-wcf
Second, as you know, TLS version need OS and Dotnetframework support, the default protocol version is ssl3.0/tls1.0(auto-negotiate, could not be configured). We had better use the latest OS version and .netframework4.7. I think this may be the cause of unstable communications.
Please refer to the below document.
https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
Feel free to let me know if the problem still exists.
So I have made a small script on my website for my telegram bot. Only problem is that if I set my URL as webhook for the bot it gives an SSL error.
Also tried to add an self signed certificate, so has_custom_certificate turned to true, but the same error appeared.
What am I doing wrong?
You have to create a self-signed certificate for deploying your server over https. If you are using flask you can follow this nice tutorial - https://blog.miguelgrinberg.com/post/running-your-flask-application-over-https
The problem is with your certificate.
The error in your getWebHookInfo:
"last_error_message":"SSL error {337047686, error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}"
Is Telegram saying that it needs the whole certificate chain (it's also called CA Bundle or full chained certificate).
How to check your certificate:
You can use the SSL Labs SSL Server Test service to check your certificate:
Just pass your URL like the following example, replacing coderade.github.io with your host:
https://www.ssllabs.com/ssltest/analyze.html?d=coderade.github.io&hideResults=on&latest
If you see "Chain issues: Incomplete" you do not serve a full chained certificate.
How to fix:
You need to add all the three needed files (.key, .crt, and .ca-bundle). The Namecheap has very good documentation of how to install an SSL certificate in your site in many different ways, like Apache, Node.js, Nginx and etc. Please, check if you can follow one of the available ways: Namecheap - How to Install SSL certificates
Anyway, you need to download the full chained certificate for your SSL certificate provider and install this on your webserver.
I don't know which service you are using, but for my example, with gunicorn I solved adding the ca-certs with ca-bundle file sent by my SSL Certificate provider (In my case Namecheap Comodo) on my SSL configuration, like the following example:
ca_certs = "cert/my-service.ca-bundle"
For further information: #martini answer on this thread and the FIX: Telegram Webhooks Not Working post.
I'm having a Windows Store App (Metro App) which I want to connect a web service I built through HTTPS. And I am using a self-signed certificate for my web service. But when I tried to connect it from my App through System.Net.HttpClient.PostAsync I got an exception said
"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
Inner exception said
"The remote certificate is invalid according to the validation procedure."
I know this is because I'm using a self-signed certificate. I remembered in .NET I can use System.Net.ServicePointManager.ServerCertificateValidationCallback so that my application can pass the validation if the thumbprint is mine.
But I cannot find the relevant class/method in Windows Store runtime. How can I do that?
First, you should ideally be using Windows.Web.HttpClient. On that API, you can use httpClient.HttpBaseProtocolFilter.IgnorableServerCertificateErrors to set the cert errors that you're willing to accept. You can choose to ignore the Untrusted error, for example, but you should then manually check the thumbprint before actually sending any data.
Attempting to implement client authentication with an SSL cert, according to this HOWTO,
I receive the following errors.
Apache:
Re-negotiation handshake failed: Not accepted by client!?
Firefox:
ssl_error_handshake_failure_alert
I assume it is a configuration error, but have not been able to locate it.
Additional info:
Commercial CA server cert servers secure works without problem in Apache 2.2 & Passenger.
Only client authentication related directives do not work.
Is your certificate signed by verizon or someone like that? If not, you might want to add an exception in firefox. By default it stops you.
pd. doesn't sound like a passenger question
When you require client certificate authorization, you have to point Apache to file containing the root CA (and intermediates also) certificates which issued the client certificate
Also post your client authentication config part.