SSL certificate for azure cloudapp.net - azure

I know that this question was asked many times but I couldn`t make it work with answers I found on web.
My goal is to make https://my.cloudapp.net to work. So solution for this, is to buy domain and certificate and make this domain point/redirect to my https://my.cloudapp.net. I bought lets say www.example.pl. Downloaded certificate from https://example.pl. Assigned certificate to https://my.cloudapp.net using IIS.
When I visit https://example.pl certificate itself is fine but firefox shows me error:
my.cloudapp.net uses an invalid security certificate. The certificate is only valid for the following names: example.pl, www.example.pl Error code: SSL_ERROR_BAD_CERT_DOMAIN
What I`m doing wrong?
Edit Solution:
I called microsoft support and resolved the issue. The issue was on my domain provider side. My domain example.pl had forwarding wildcard *.example.pl to go to example.pl. Thats why when I made another forwarding from app.example.pl to my cloudapp it went straight to example.pl. Removed the wildcard and it started to working fine.

I attempt to visit the website https://example.pl, it works fine with IE edge or chrome explorer. Also i do a test over at the Qualys SSL Labs to check your certificate. It shows me Incorrect certificate because this client doesn't support SNI and indicate thatThis site works only in browsers with SNI support. It is the browser issue. So you could try another explorer.
You can from here to get more details.

Related

ERR_SSL_PROTOCOL_ERROR with Heroku, Node, Express, SSL

I recently enabled SSL for my Heroku-hosted website, wildcodemonkey.com, but when I visit it in Chrome I see the error "ERR_SSL_PROTOCOL_ERROR".
My research indicated that the SSL connection terminates at Heroku's router, which then passes the request along via HTTP to my express/node site. Consequently, I did not set up 'https' in my server and have been expecting standard HTTP connections.
My SSL configuration is such that my CSR, key and cert were passed along to Heroku. I'm using the SSL option baked into Heroku, not a third-party resource/addon. After enabling SSL in my app's settings I changed my DNS to reflect the new endpoint (wildcodemonkey.com.herokudns.com instead of wildcodemonkey.com.herokuapp.com), this is the endpoint I was told to use when I configured SSL on Heroku, directly copied and pasted from the settings page after setting up ssl.
I do see morgan logging GET requests when I hit the domain, so it does look like everything is making it end to end, so I'm not sure where the issue is occurring.
Any assistance would be greatly appreciated. Thanks ahead of time.
According to the SSLLabs report the certificate chain of this site is incomplete. While desktop browsers often but not always will work around this problem mobile browsers and other applications will usually not. Check the documentation provided by your CA which chain certificates need to be configured.

IIS bindings keep being removed

I'm having a problem where the security certificate for a site is being periodically unbound from port 443 and replaced with another certificate which is sitting on the server. So whenever a user tries to access the site they are met with a 'untrusted' warning.
So when this first happened, I investigated and found the wrong certificate in place so I changed it back. This worked fine for a while but then it happened again. I checked the event logs and the following two warnings are fired:
SSL Certificate Settings deleted for endpoint : 0.0.0.0:443
SSL Certificate Settings created by an admin process for endpoint : 0.0.0.0:443
This happens once or twice a day, and I have to keep rebinding the correct certificate, and I haven't been able to find a solution yet.
The site is running on Windows Server 2012/ IIS 8
According to a couple of online support forums/articles there was an old legacy setting in the ApplicationHost.config file which was supposed to cause this. All references to this that I found referred to a property in the 'customMetaData' section, the property had a specific Id (5506). I couldn't find this specific property anywhere in our ApplicationHost.config file on the server.
Has anyone encountered a similar issue? Or can anyone shed any light on potential causes of this? Having looked around online I'm finding it hard to find much related to my problem, but perhaps I'm not searching for the right thing...
Any advice on this issue would be greatly appreciated.
NOTE:
Have since realised that this happens at 13:00 each day, cant see any significant events that are occurring on the server that might trigger it though...
Resolution
Locate the following property in the section of the applicationHost.config file, and delete it:
<property id="5506" dataType="Binary" userType="1" attributes="None" value="oXiHOzFAMOF0YxIuI7soWvDFEzg=" />
This property is a legacy feature from Internet Information Services (IIS) 6.0 and is no longer needed.
Link to MS Article
If the other answer (property id) doesn't work, follow these steps:
Check if there is an antivirus software in the server. Look for especially HIPS feature. Disable the antivirus and try to reproduce the issue
Check if the site is using a wildcard certificate. This issue occurs when the wildcard certificate has been imported without marking the keys as exportable. In order to solve it, the affected certificate should be uninstalled and it should be imported back again with marking the keys as exportable
Look for System Center Virtual Machine Manager Agent in the server. If it is enabled in the server, disable it and try to reproduce the issue (Reference)
Another process might be using 443 port in the server (Example: Windows Admin Center. Check this post out: 503 Service Unavailable error related to Windows Admin Center)
Check if insecure protocols are enabled. Registry settings are below. Disable these protocols if they are enabled and try to reproduce the issue
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL
2.0\Server HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL
3.0\Client HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL
3.0\Server HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.0\Client
Source: SSL Certificate Settings deleted for endpoint (Event ID 15300)

SSL Configuration Issue on IIS 6

Need help with this odd issue.
I installed an SSL Certificated from GoDaddy for a site hosted on our server (lets call this example.com). This is a Windows 2003 Server with IIS 6 with several domains hosted on it. The SSL installed properly.
However, now if I type any url of a different domain (say example.org) hosted on this same server with HTTPS, I get the following error in Chrome:
Your connection is not private
Attackers might be trying to steal your information from
(for example, passwords, messages, or credit cards).
NET::ERR_CERT_COMMON_NAME_INVALID
Firefox will also give similar errors.
example.org has no SSL associated with it and there are no other SSL Certificates for any other sites either.
I am at a loss as to how ALL sites on the server are loading with SSL. Funny thing is that clicking on the link in browser error loads the Site to which SSL is assigned, but URL remains the same.
Ex. I type https://example.org (NO SSL Associated with this site) and type enter
I see the error above
If I click on Proceed to example.org (unsafe), it takes me to https://example.org but the content loads for domain example.com which has the SSL certificate bound to it.
I have checked Metabase for Bindings and seems clean.
I have deleted the SSL certificate and installed a fresh one issued from Godaddy
Tried deleting the site from IIS and recreating the whole thing but still no difference.
No other site has any host headers for SSL Port 443
Any ideas on how this can be resolved so that ALL Sites don't load on SSL? Thanks in advance.
Go to IIS Manager.
Open property page of website where you dont need SSL (example.org as mentioned in question) by right click on website and select properties.
Go to directory security tab
Click Edit button located in ottom section of tab.
Verify if very first checkbox called "Require secure channel(SSL)" is UNCHECKED.

Is it true that ASP.NET MVC Browser link does not work for https (SSL) url?

I am trying the Browserlink feature of ASP.NET MVC 5 and everything works great for non SSL pages. But if I navigate to a SSL page (with https url), I see 0 connections in the Browser link dashboard. So, is it true that Browser link works only for non SSL urls ? Or am I am missing any settings which will allow me to get Browser Link connection for both SSL and Non SSL urls ?
(I am testing from IIS)
According to this link, Microsoft is working on it.
I have been able to get around the issue by following these steps (using Chrome):
When the debugger opens the browser, open the F12 tools.
Go to the Console tab.
There should be an error message that looks something like this: GET https://localhost:[port]/[guid]/browserLink net::ERR_INSECURE_RESPONSE
Open the link in a new tab.
Click Proceed anyway.
Close the Browser Link tab.
Reload the tab with your app.
Browser Link should then start working.
I've also worked around it by getting the script link, reducing it to the root, and browsing there. Once there, accept the cert warning then view the cert and install it into the trusted roots. From then on, the cert will be trusted and the script will load automatically.
It appears that this limitation has been removed in Visual Studio 2015. I do not see any mention of this in the release notes, but Browser Link is fully operational in my dev environment under SSL.
I was unable to get Browser Link, Web Essentials, to work with SSL, even with the mentioned remedies. I was able to find a way, however, to get it work for me.
I am running my app through IIS (not express) and my app was nested under the default website. When debugging the site I saw that Chrome was dumping a connection error with a URL using port 44399. Adding a binding for this port, for https, then allowed the connection to be successful. I also used a local development cert for the SSL Certificate.
DISCLAIMER: Visual Studio tries to be your buddy and not use ports that you've bound to in IIS so once you close and re-open Visual Studio it will likely not use the 44399 port anymore. It looks like it decrements until it finds the next available port. So assuming you're not using 44398 this will be your number. Once you unbind 44399, then close and re-open Visual Studio it will likely rebind to 44399 again.
Hopefully this helps some of you out.
I had a similar issue involving custom domains and subdomains on IIS Express over HTTPS.
(Using SSL certificate I self-signed with support for localhost and my custom domain, installed with self-signed root authority in the trusted certificate store)
I had got IISEx to use the certificate and serve it on port 443 (as admin user), but browserlink was failing with CONNECTION_RESET.
This persisted even after switching back to using localhost as the website url for IIS etc.
Turns out I had forgotten to replace the certificate associated with the other ports IIS Express uses (specifically port 44399), which were still associated with the default development certificate used by IIS Express
http://www.iis.net/learn/extensions/using-iis-express/handling-url-binding-failures-in-iis-express
http://benjii.me/2014/11/run-iis-express-on-port-443-using-ssl-and-wildcard-subdomains/
[Simple Guide but missing the delete existing certificate bindings guidance]
For Windows 10 IIS Express users.
In visual studio click "View in Browser" in Browser Link
Dashboard .
An IIS Express icon will appear in system tray.
Right Click the IIS Express icon.Your application should be listed in both HTTP and HTTPS.
Hope it helps.

SSL certificate error for IE users only

I recently migrated to a new server (CentOS with plesk 11.0) and installed a new SSL certificate for my domain.
Problem now is that any IE user has the error "there is a problem with this website's security certificate" when they try to access the secure area of my site.
I've tested all main configurations - MAC/Windows/mobile plus browsers: FF,Chrome,Safari,Opera,IE and the only combination that gives me this problem is IE on windows. IE 11 works fine, all previous versions (the majority) come up with this error.
where do I start?? I can find no problem with the installation and this is obviously denting confidence in my site.
There are some known issues with IE and Certificates. Check these threads.
1) https://superuser.com/questions/379601/internet-explorer-refuses-to-connect-to-sites-with-untrusted-ssl-certificates
2) IE8 SSL Cert Problems while other browsers work like a charm
I found a work around for this issue. It is necessary to run https proxy which will accept certificate for Internet Explorer. I use a Python HTTP/HTTPS Proxy proxpy. You should point to required certificate file in core.py DEFAULT_CERT_FILE = "./cert/ncerts/proxpy.pem". So you need to use proxy settings in Internet Explorer. It is 127.0.0.1:8080 for ProxyPy by default.

Resources