Does anyone know how to set up CouchDB to use a GoDaddy SSL certificate? It looks like it just can't get the intermediate certificate. I've checked it with curl and with SSL Checker and it says it can't get the intermediate cert. I've tried concatenating the cert file with the intermediate cert file just like I do with Apache (which works) and it still doesn't work. Any ideas?
Nevermind! Apparently erlang really stinks at SSL. I just set up stunnel and it works perfectly.
Related
mod_md (https://httpd.apache.org/docs/trunk/mod/mod_md.html) works like a charm, but:
How is a newly acquired SSL certificate being made active?
Does this happen automagically?
Or do I manually need to issue an "apachectl graceful"?
I actually found the answer to this question already, and just want to document my finding.
The problem has to do with using Node.js to access CouchDB through HTTPS. The CouchDB server has been configured with a SSL certificate generated by Let's Encrypt. The cert_file specified in local.ini contains both the server certificate and the issue's intermediate certificate. When I verified an URL through the browser, the connection was shown as valid. However, whenever I tried to fetch the same URL from Node, an UNABLE_TO_VERIFY_LEAF_SIGNATURE / unable to verify the first certificate error would be thrown.
I tried adding the root certificate to Node using the NODE_EXTRA_CA_CERTS environment variable. That failed. Then, I tried adding the intermediate certificate to NODE_EXTRA_CA_CERTS, and it worked. I could stop there, but somehow I knew that something was wrong.
After more digging, I finally found that even though the cert_file used by CouchDB includes both the server cert and the intermediate cert, unlike some other servers, CouchDB itself would only send back the server cert. In order to fix this problem the right way, I need to specify the intermediate cert as the cacert_file in the local.ini file as well. Once I did that, the error is gone.
We have a cpanel server that hosts some web sites. we have 2 hosts that use SSL. When I open a non SSL website with http:// everything is ok but when I type https:// , it shows the contents of one of the SSL websites instead of displaying not found error!!
Usually the first one which is defined in httpd.conf.
I also signed up in cPanel forum, but I do not know how to post a new question!! I cannot find post a question or new post or something like that.
Any help is appreciated.
Your question is really confusing. It would be better if you can edit and elaborate your question. Still let me guess your question and answer it.
Your cPanel server has hosted more than one websites, out of them only two have SSL certificate. Let me guess those two sites as abc.com and xyz.com. Now if I have understood your question properly, when you try to access 123.com (which is non HTTPS website) with HTTPS it is showing content of abc.com.
If yes, then this case refers to SSL misconfiguration. To solve this issue, SSL certificate should be installed properly on both websites and only those two sites can be accessible with HTTPS. It is advisable to use SSL Certificate checker for both sites to know whether SSL is installed properly or not.
I have a NodeJS server on Amazon EC2.
I'm trying to set up SSL using certificates from "COMODO RSA Domain Validation Secure Server CA".
I got it working for all browsers except Firefox. Is this a common issure?
Please check that the server provides all intermediate certificates (trust chain). A common issue is to forget the intermediate certificates and then get errors on some browsers an no errors on others. This is caused by the browsers caching the intermediate certificates, e.g. if you've visited a site using the same intermediate certificates before, the browser will dutifully use these cached intermediates if the server forgot to server them. But, if the browser never visited such site before the intermediates are not cached and thus the verification will fail.
A good test is to use openssl s_client -connect your.https.server:443 and look at the chain of certificates it provides. Also, https://www.ssllabs.com/ssltest/analyze.html will point out such problems.
I created the server.key and server.csr files using openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr. I created a SSL certificate with startssl.com which gave me a certificate file. Then in my node.js application I read the key and certificate files:
var app = module.exports = express.createServer({
key: fs.readFileSync('server.key'),
cert: fs.readFileSync('server.cert')
});
But, now I get an empty response from my application, a "No data received" message. What could be causing this? I'm very new to SSL and how it all works, so any help with this is very much appreciated.
More info: I generated the two files, key and csr files, on my VPS server (production server), and now I'm trying to get them to work on my localhost (firstly, before I commit my code to production; I have to test that it works before making a git commit). So, it could be due to the fact that my localhost (development environment) is on a different domain from my VPS server (production environment). Could this be the case? If so, how can I make it to where the localhost and production environment use the same certificate?
Or, would you suggest I create another certificate for my development environment? The only problem I see with that, is that I wouldn't have a domain for my dev environment because it's done locally. I'd rather much use the same certificate (even if that means a broken lock icon or something on localhost) for the sake of simplicity.
I know this is an old question, but I encountered the same thing today. I would get the same result back from express (ERR_EMPTY_RESPONSE).
The fix? Be sure to specify https, and not http, in your test browser (e.g., https://localhost:8443).
If you previously used middleware to forward all http requests to https you wouldn't have seen this problem before. Also, expect your browser to complain about the certificate, but proceed through anyway (in chrome this takes several clicks).
You can troubleshoot errors by connecting to your application with curl --insecure --verbose. Generally you shouldn't use an SSL certificate on more than one host. You can make a self-signed one to test locally and use the startssl one in production. But in any case, the CN in the cert needs to match the hostname used to connect to the site to avoid annoying browser warnings. You can always make up a domain name for your machine like sam.local and put that in your /etc/hosts file and use that in your self-signed certificate as well as your browser address bar.