HTTPS WebAPI self-host with authentication error - visual-studio-2010

I have following error "The site's security certificate is not trusted!" when i implement project WebAPI mvc4 With Selt-host configuration.
-error detail: http://tinyurl.com/8tj8nek
-all code base on this article: http://tinyurl.com/3mdypd9
-I has do flowing steps to implement https protocol: (all have administrator permission)
STEP01:--------------Register Port For Service.-----------
netsh http add urlacl url=https://+:9900/ user=EVERYONE
STEP02:--------------Create The Root Certificate----------
makecert -sk RootCA -sky signature -pe -n CN=MySVR -r -sr LocalMachine -ss Root MyWebAPI.cer
STEP03:-------------create the server certificate---------
makecert -sk server -sky exchange -pe -n CN=MySVR -ir LocalMachine -is Root -ic MyWebAPI.cer -sr LocalMachine -ss My MyWebAPI_SVR.cer
STEP04:------------register the server certificate--------
http add sslcert ipport=0.0.0.0:9900 certhash=99A8C41444622D6DC2FFB31F867601A75AAA444F appid={76cd6e8c-304a-4614-8aa7-939894c499dd} clientcertnegotiation=enable
what's wrong with me ?

You have to manually add the self-signed certificate to your browser's list of trusted sites otherwise it will be rejected. An alternate possibility for certain testing situations with the Firefox browser is to install the add-on :
https://addons.mozilla.org/en-US/firefox/addon/skip-cert-error/
Here's instructions for adding your cert to the trusted list in Firefox:
http://www.poweradmin.com/help/sslhints/FireFox.aspx

Related

Apache Maven Download using CURL is timed out

curl -O "https://www.apache.org/dist/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz"
This is the command I am using from terminal to download maven but it's either timed out or curl: (7) Failed to connect to www.apache.org port 443: Operation timed out.
If I use browser to download, no issue.
My assumption is the ssl connection or certificate issue. Any idea how can I resolve the curl issue.
Please take note, I am using this in a Dockerfile to create docker image and here is that:
FROM ******/mule-42x:v2.2.1
ENV MAVEN_VERSION 3.6.3
RUN mkdir -p /opt/maven \
&& cd /opt/maven \
&& curl -O "https://www.apache.org/dist/maven/maven-3/${MAVEN_VERSION}/binaries/apache-maven-${MAVEN_VERSION}-bin.tar.gz" \
&& tar xzvf "apache-maven-$MAVEN_VERSION-bin.tar.gz" \
&& rm "apache-maven-$MAVEN_VERSION-bin.tar.gz"
ENV MAVEN_HOME "/opt/maven/apache-maven-$MAVEN_VERSION"
ENV PATH=$MAVEN_HOME/bin:$PATH
I've tried to run the command presented in the question and encountered the following errors:
curl -O "https://www.apache.org/dist/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz"
curl tries to verify the SSL certificate but fails with the following message:
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
So I've added -k flag as the message suggests.
Now this works, however the http call returns and HTML page with 302 (redirect) to https://downloads.apache.org/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz
So the command that has worked for me is:
curl -O -k https://downloads.apache.org/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz
An Important side note:
I'm assuming that you've configured the network right and it has all the proper proxy definitions if you're running behind the proxy in your organization, otherwise you should define proxy first.
All in all I suggest you running this command 'manually' first (from the command line not as a part of the build I mean) outside the docker on the machine where you run the docker build and only when you make sure it works run it in a docker file.

How to install self signed certificate that was created by Makecert.exe in windows for IIS Express?

I'm trying to add https to my local development environment in IIS express for a custom domain. I first created new certificate using the following command in a elevated developer command prompt
Makecert -r -pe -n CN="mycustomdomain.com" -a sha512 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
The problem now is that the mycustomdomain.com is now installed in the local certificate personal store and is telling me that this CA root certificate is not trusted and that I need to install this in the trusted root certification authorities store.
Would simply copying the certificate into the trusted root certification authorities store without the private key be enough? If not, what should I do?

How to use a specific self-signed certificate with IIS Express (rather than the default localhost)

I am having trouble finding a specific example for how I specify a self-signed certificate for IIS Express - Visual Studio 2015 - rather than the default generated 'localhost' certificate.
I'd like to use one from my personal self-signed certificates store to correspond with a specific domain I am using during development.
I cannot locate where to specify the certificate (or its footprint).
You can use makecert to do that, long time ago I wrote a document on how to do that and you can find the blog here:
http://www.hanselman.com/blog/WorkingWithSSLAtDevelopmentTimeIsEasierWithIISExpress.aspx
the key call is:
makecert -r -pe -n "CN=HANSELMAN-W500" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
where you can choose the CNAME that you want there.

Fiddler to use https by default

I need to install fiddler on multiple machines, and I need to enable https by default and install the certificate by itself. I don't want to do it manually using the UI.
Is there such an option ?
Or, is there a command line I use to install the certificate ? I can enable https mode by changing it in the registry directly, but I still need to install the certificate. I tried winhttpcertcfg but it installs the certificate in the Root instead of Personal store.
Automation of this scenario is not presently an officially supported operation.
You can have an installer/batch file create a self-signed root for Fiddler to use, then have it automatically installed in Windows' Trusted Store.
Note you'll need to do this from an elevated command prompt.
makecert -ss my -n "CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -eku 1.3.6.1.5.5.7.3.1 -r -a sha1 -cy authority
certmgr /add /c /s my /n DO_NOT_TRUST_FiddlerRoot /s root

How to create a secure http server in dart?

I am trying to setup my dart http server to run only with https. So I gather I need to use HttpServer.bindSecure but I'm not clear from the description what needs to be passed in as certificateName and whether requestClientCertificate being true makes it more or less secure, or has no impact on security what so ever. The small sample code at the top of the HttpServer page passes in certificateName: 'localhost_cert' but before that it does something with a database, but doesn't seem to use it in anyway. Can anyone explain in more detail what these values are and what they need to be in order to make them secure?
The requestClientCertificate parameter of bindSecure is used to specify a client certificate. Client certificates are used by servers to identify and authorize clients, which appears not to be the objective of this question. It should be noted that there is a known issue with using client certificates in Dart on IE9 and Windows 7.
The certificateName parameter is used to specify the nickname of a certificate that exists in your certificate database. You specify the certificate nickname using the -n <nickname> option when importing a certificate to your database using certutil.
Use the following steps to:
Install the NSS utility (including certutil),
Create a new certificate database in directory <dir> with a password <password>, and
Import your self-signed or purchased certificate identified by nickname <host> such that it can be used to create an HTTPS server using the following sample code. Though the nickname can be chosen arbitrarily, we use the host name in this example. These steps have been confirmed working in Ubuntu 14.04 and Dart SDK 1.6 through (currently last stable version) 1.8.3.
Install the NSS utility
sudo apt-get install libnss3-tools
cd to the directory that will contain your certificate database
cd <dir>
Create a password file to use with the certificate database:
echo "<password>" > pwdfile
Create the certificate database
certutil -N -d 'sql:./' -f pwdfile
Either:
Generate a self-signed certificate:
certutil -S -s "cn=<host>" -n "self signed for dart" -x -t "C,C,C" -m 1000 -v 120 -d "sql:./" -k rsa -g 2048 -f pwdfile
where <host> is the host ("common name") for which to generate a certificate, for example "localhost"
Or, purchase a certificate by first creating a signing request for a real domain <host>, for example "myhost.com":
certutil -R -s "CN=<host>, O=None, L=San Diego, ST=California, C=US" -a -g 2048 -o <host>.csr -d "sql:./"
Then specify the content of file <host>.csr when prompted for a CSR upon purchasing a certificate from a signing authority.
Copy the purchased certificate to a file named <host>.crt
Import the certificate to the database
certutil -A -n <host> -t "p,p,p" -i <host>.crt -d "sql:./"
If necessary to use an intermediate certificate, it can be imported as such:
certutil -A -n my_intermediate_certificate -t "p,p,p" -i intermediate.crt -d "sql:./"
where "intermediate.crt" is the intermediate certificate file downloaded from the signing authority.
Verify that the certificates exist in the database
certutil -L -n <host> -d "sql:./"
certutil -L -n my_intermediate_certificate -d "sql:./"
To use this certificate and create an HTTPS server, do the following:
// Initialize secure socket to use certificate database (note: replace `<dir>`
// with the absolute path to the certificate database directory, and `<password>`
// with the value chosen above)
SecureSocket.initialize(database: "<dir>", password: "<password>");
// Bind secure HTTP server to specified host and port (typically 443)
HttpServer.bindSecure("<host>", 443, certificateName: "<host>")
.then((HttpServer httpServer) {
// Listen for incoming requests
httpServer.listen((HttpRequest httpRequest) {
// TODO: process request
});
})
.catchError((error) {
// TODO: handle error
});
Update
I don't have enough reputation points to respond to the comments, so here are additional details that may help answer the questions: Client certificates are not used to encrypt client-server communication and are not needed in the common scenario of establishing secure communication between a web browser and a webserver via HTTPS. The steps outlined above show how to create an HTTPS server in Dart using bindSecure.

Resources