By default, when the web app is deployed in Azure Static Web App, it will automatically use https. However, the back-end API must use https (web socket must use wss) as well.
I used the self-signed cert to expose the back-end API to let the front-end consume. However, the browser deny with message "TLS handshake error from xx.xx.xx.xx: remote error: tls: unknown certificate"
Must I purchase the CA signed certificate? This is my personal project. And I do not want to spend money to buy a CA signed cert. Is there other way to resolve the problem, such as downgrade the https used in Azure Static Web App to http?
Related
i created a Node.js Rest API for a cordova application to help access the MySQL database. The API does not render web pages just sends JSON data to the application. The hosting service provides certificates if you want to buy and i have used them may tmes to make a website HTTPS. The problem is that the API although it uses the correct SSL certificates for the correct domain is seen as having self signed certificates. That is a huge problem because such traffic both HTTp and with self signed certificates is prohibited by android and the app is not working. What can i do? Thanks in advance for the help!
If you can't use https://letsencrypt.org/getting-started/ with your hosting provider, maybe you could use https://www.cloudflare.com/ssl/ to act as a proxy in front of your website and have a signed certificate.
I moved my stack(nodejs based restapi, UI/UX asp.net mvc by another team) to production mode on AWS.
I have an issue with ssl certificate.
The ssl certificate i use on nodejs is self signed as a result i get "certificate not trusted" issue on the browser while trying to access the client.
When i was looking for IP based CA certificates, i realized it can be issued only for organization based IPs.
Since i am hosting the nodejs server on ec2 this ip doesnt belong to my organization. Please let me know what is the best way out of this
For testing purposes I would like to enable the 'Incoming Client Certificates' option in my Azure App Service (running a WCF webservice), and see if my Client application can still connect to the webservice. Since I am still in a testing phase, my app service still has the .azurewebsites.net domain name.
However, I can't seem to figure out how to get a proper client certificate that the server will accept (without switching to a custom domain name, which I know will work).
Currently, I see 2 possible routes to a solution:
Somehow get my hands on .cer that is signed by a CA trusted by the App Service server.
Generate a self-signed .pfx and .cer with my own self-signed CA. Import the pfx on the App Service and install the .cer on the client.
Both directions have not yielded any success so far. Does anyone have any experience with this?
Per my understanding, the client certificate is used by client systems to make authenticated requests to a remote server. In this case, your webservice is the remote server in a C/S mode. As you point out, "validating this certificate is the responsibility of the web app. So this means that any certificate will be valid as long as you don't validate anything". It does not effect on whether you have a custom domain or not in your web app service.
If you want to use client cert authentication with Azure app, you can refer to How To Configure TLS Mutual Authentication for Web App.
If the server has requested client certificate in its server hello and the client cert has signing capability, then it is expected to send the CertificateVerify message to the server. It contains signed hash of all messages from Client Hello till that point which are buffered on the server side. The server TLS layer will decrypt this using the client public key (which is in the Client certificate received earlier) and compare with its calculated hash. It will call back to application layer if this fails.
The application needs to handle it at that point and return its own error or continue with the session. https://www.rfc-editor.org/rfc/rfc5246#section-7.4.8
One example of this with Wolfssl library is https://github.com/wolfSSL/wolfssl/blob/14ef517b6113033c5fc7506a9da100e5e341bfd4/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.cs#L145
I deployed an application out to our app service in Azure, and the app needs to have SSL to run, but since it is still in development I did not want to have to purchase a cert yet, so I created a self-signed cert through openssl. The private key is 2048 bits, which should be enough, but when I go to apply the cert to the hostname, it just sits there and never applies.
Is there a special step you have to complete to get self signed certs to work, or, are you not allowed to use self signed certs in Azure App Services?
Try to use ServerCertificateValidationCallback to monitor the verification of server certificate, comparing the certificates between local and server or just returning true.
Now when you invoke the https service in your web app, the verification callback will be invoked automatically. If failed, you will see the errors. If successful, the service response will be returned.
For more details refer this article: http://devchat.live/en/2017/09/29/how-to-invoke-https-service-protected-by-self-signed-certificate-from-azure-app-service/.
My company has external web api service and I want to make it secure using SSL certificate. This service is called by internal application only. Is it secure to use self-signed certiifcate in IIS on production?
Yes it is secure to use a self-signed certificate even.though it is not best practice for Production environment.
Indeed the Root CA will be unknown and the client cannot validate the issuer. Your client will have to accept such a certificate (this means you will have to handle the certification check yourself)
How to ignore the certificate check when ssl
If the API is used only internally, it is not a big deal. If you have some external consumers, you should really just go and buy a certificate.