I have been able to access Service Fabric Explorer with no problem, using a client certificate generated from Azure. The client certificate is still valid.
We recently added a new server certificate with a new thumbprint and set it to primary. (The previous server cert is secondary and hasn't been removed, if that matters.)
Now when I visit https://<name>.centralus.cloudapp.azure.com:19080/Explorer I get an error that varies by browser. There's no link to click through and ignore the warning.
In Edge: The website’s security certificate is not secure. Error Code: 0
In Chrome: You cannot visit <name>.centralus.cloudapp.azure.com right now because the website sent scrambled credentials that Google Chrome cannot process.
I can connect using the new certificate thumbprint via PowerShell.
You will need to add the certificate thumbprint under the cluster's client security.
Related
I'm trying to get Jira service desk to pull mail from our server but im having certificate issues, I think.
When I try and pull mail from our server Jira pops up
SunCertPathBuilderException: unable to find valid certification path
to requested target
which seems to indicate a problem with the certificate not being trusted. So went off and grabbed a new trusted cert as the old one was self certified for "ES2010" which is the name of the server.
AFAIK the new certificate has been installed but.
It seems like *.domainname.co.uk is where the trusted cert has been issued for is taking precident over owa.domainname.co.uk.
If I goto https://www.digicert.com and check out the cert it seems ok BUT if I use the Portecle app from Jira
Examine the SSL / TLS connection on port 993 (secure imap) it shows as being issued by CN=ES2010
Can anyone kindly help?
I have installed SSL on node server. I have made changes in app.js too.
Now when i am trying to run my website
example.com
I am getting Popup like this
Why i am getting this popup?
Is certificates doesn't installed correctly?
Thanks
The browser is asking you if you wish to authenticate yourself to the server using a certificate.
Clearly you have a certificate and a public/private key pair attached to your local account, or it wouldn't be asking you.
Simply click cancel if this is not intended.
Use the Windows Certificate Manager to check what certificate it is. In all likelihood you have installed the server certificate as a personal certificate on your account.
In the Server
I have configured a intermediate certificate .pfx file in the IIS and created a https (443) port using binding option. I use certificate for Authorisation also I am expecting a client certificate from the client , I enabled the Require SSL and clien certificate required option in the IIS.
I checked the Intermediate certificate authorities for the root certificate and they also presents, checked the .pfx file installed in the certificate store (Local Machine) also presents.
I created .cer file from the above .pfx file with include private key option and shared the .cer file with my client and he has to attach the .cer file for authorisation .
Above is the REST wcf service with POST.
In the Client Side
I tested this application after getting the .cer file, attach that to my request in my client.exe and calling the service - it returns .403 fobidden error.
In the IIS log it is logged as 403.16 , sc-win32-status code = 2148204816 error
Please help me my above approach is correct and how to avoid this error.
Is configuring CTL is the option , or I need to get a separate client certificate for use from my client side.
You need to make small steps to debug this.
First import SSL server certificate to LocalMachine\My store. Verify
that certificate is trusted (by double-clicking it and verifying
chain).
Setup SSL binding in IIS. Verify that you can access the https site (even WCF service gives some documentation page on http/s).
Import client certificate in client CurrentUser\My store. Verify that certificate is trusted (by double-clicking it and verifying
chain).
Set SSL require mode on your WCF service on IIS. Verify that when you access https site of the WCF service a certificate is prompted and no trust error is returned (again, the documentation page should be displayed)
Server certificate must have Server Authentication extension. Client certificate must have Client Authentication extension in it. Client has to trust server certificate. Server has to trust Client certificate. This means that CRLs from both chains must be reachable.
I'm new to mutual SSL. Therefore my understanding how client certifcates might be wrong.
When using Client certificates in IIS, do they need to be issued from the same certificate (or CA) as the IIS HTTPS binding has configured?
My dev IIS has a self signed certificate.
For the client certificate, I've created a CA and a Client certificate according to
the post here.
The CA is in my "Trusted Root Certification Authorities" of the local Computer.
The Client certificate is in my personal certificate folder.
On IIS I've set Client certificates to accept.
The first strange Thing is that when I browse to my page, the IE always shows me 403.7. Even I've disabled the IE setting "Don't prompt for client certificate selection...", there is no window opening for the certificate selection.
Also when accessing the page with a HttpWebRequest with Client cert attached, the response is always 403. Unfortunately there I did not figure out how to get the sub status.
Why doesn't IIS accept my Client certificate when the RootCA of the Client certificate is in the trusted root store?
Is there a way to get more details where the problem might be?
Thanks
Thomas
Finally could solve the issue:
The CA and Client certificates which I generated according to the tutorial here did NOT have the private key assigned in the certificate store. I had to remove the certificates from the cert store and Import the PFX file including the private key.
Second, the client certificate needs to be in the Current User/Personal store so IE does pick it up. I initallly generated it in the Current Computer/Personal store.
There might be a direct way how to create the two certificates including Private key with makecert. But the PFX import was the easiest way for me.
After 3 days of try and error on my side: If you use IIS10 on Windows2022, TLS1.3 is turned on by default.
The SSL handshake seems not to be implemented correctly in browsers/curls/.... for this case.
For testing reasons turn off TLS1.3
In
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server
Add:
DisabledByDefault as Dword with 1 and restart the server (not only IIS!)
I am developing one asp.net website and I will be hosting the site on windows azure. My requirement is when user access the site like www.xyz.com\admin then live id authentication should happen but when the user access the site www.xyz.com then no need do authentication.
After referring to an MSDN document I come to know about ACS with WIF, so I created the namespace and did so on so on.
But whenever I am accessing the federation URL (https://xyz.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml) I am getting error:
ID:1089 unable to connect the remote server.
I unfortunately deleted the certificate and keys and service identities in windows azure I don't know how to get it back, also I don't how do fulfill my requirement.
If you deleted the certificates and keys they all you need is to just create new one(s). You can either use Self Signed certificates, or use X.509 certificates issued by a trusted Certificate Authority. Once you get your X.509 certificate (it shall include a private key) you can upload it in the ACS management portal (which is locate at https://xyz.accesscontrol.windows.net/):
The FederationMedatadata.xml cannot be generated without the Token Signing certificate.
Or, the easiest for you, would be to just delete that namespace and create a new one.