SPA122 1.3.2(014) HTTPS ssl cert profile problem

Similar Messages

• ACE: HTTP followed by HTTPs/SSL termination, stickiness

  Dear Helpers,
  I'm trying to figure out the best sticky/persistence method for the following for ACE,
  Client X ----(HTTP)--------------------------------------------ACE LB ---to----Server 1
  Client X -----(HTTPs)---ACE/SSL termination ------ACE LB ---to---- Server1
  Both HTTP and HTTPs use the same VIP for HTTP and HTTPs)
  The same client to stick/persist to the same server using both HTTP and HTTPs. HTTPs/SSL is terminated by ACE.
  Could you point me to sample configurations for this requirement, please.
  Thank you
  SS

  HI Gilles,
  thanks for the response. Sorry had gotten distracted with a bunch of other things, didn't get a chance to get back to this. Anyway, so, I can generate the 302 response in my web-servers except I need to turn it around to a different domain name. Now assuming I use URL re-write when I see this coming back from the web-server, I can rewrite this to https and send to the client? A few questions about this and the links you sent above with using redirect service.
  a) can I do a a redirect to an https address or does it only do http (considering I only saw examples configs only using www.domain.com/index.html type redirects without specifying the protocol to use)?
  b) If not, then I use URL rewrite in conjunction with the 302 from the web-servers. But for my SSL off-load in a pair of CSS using VIP and Virtul Interface redundancy, do I buy 2xSSL Certs for the same domain-name or do I buy ONE (i.e. generate the key-pair/CSR in Master CSS) and import the same rsakey and SSL Cert recd. from CA into both CSSs?
  c) Does the CSS handle a wildcard SSL Cert without problems?
  Thanks again,
  \R

• Is there any way to treat expired SSL certs in HTTPS connections as non-secure?

  Is there a way of navigating HTTPS websites as though they were HTTP, without adding any SSL exceptions?
  Obviously an expired/self signed SSL cert over HTTPS is no more dangerous than no encryption at all over HTTP.
  The Untrusted Connection dialog is a usability nusance, particularly for those of us who understand HTTPS.

  Check out:
  http://docs.iplanet.com/docs/manuals/enterprise/60sp1/ag/esecurty.htm#1008113
  You will need to turn on Client Auth as described above. Hope it helps.

• Http Analyzer connecting to server with self-signed SSL cert

  When making webservice calls using Axis 1.3 to our development site that uses a self-signed SSL cert I am getting the following error when running the Http Analyzer:
  javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
  Works fine if I turn off proxy in run configuration for project or when used against a site with a purchased cert. I assume the problem is with Http Analyzer not being able to find the server cert in a local keystore, is there a way to import the cert so that I can run Http Analyzer against the site?
  Tried adding server cert to <jdkhome>/jre/lib/security/cacerts keystore but still have the problem.
  Am using JDeveloper 10.1.3.
  Thanks,
  John

  I fixed that by getting certs from: https://www.startssl.com/?app=1.
  The certs are free and work fine.
  Since Iphone 4 apple does not accept unknown CA Authorities.

• Remote Desktop Services Single SSL Cert with multiple hosts

  I am trying to use a single SSL Cert from a third party issuer.  I have 3 servers in my deployement all are 2012R2.  One contains the RD Web Access role, RD Gateway role, RD Licensing role, and RD Connection Broker role.  The other 2 are
  RD Session Hosts.  I have the SSL cert for the server that has the Gateway and other roles.  My deployement is primarily focused on deploying RemoteApp to Windows 8 Thin clients with GPO through the default URL.  It works currently with the
  exception that the user gets a certificate mismatch error because it is seeing the cert for the gateway server but is connecting to the host servers so the names don't match.  Is anyone else using a similar setup and had success with it?  I am trying
  to avoid buying an expensive wildcard cert to cover all of them.

  Hi,
  Please verify that the .rdp file embedded in the RDWeb IE page matches the same one from RADC.  To do this, log on to RD Web Access using IE, right-click and choose View Source.  Find the goRDP function for the icon you want to examine and copy
  the text between the ' marks.  Next paste this into the escape text box the below page:
  http://www.web-code.org/coding-tools/javascript-escape-unescape-converter-tool.html
  Click complete unescape to get the plain text version.  After that you can select all of the text in the clear text box, paste it into a blank Notepad window, then save as a .rdp file.  Once you have the .rdp file created you can compare
  it to the other ones and see if any of the names are different, see if it gets the certificate error as well when you double-click it, etc.
  Do you have any proxy or other non-default network configuration on your Windows 8 embedded clients?
  Thanks.
  -TP

• Coldfusion 11 SSL Certs applied - The APR based Apache Tomcat library which allows optimal performance in production environments,

  Coldfusion 11
  Windows Server 2012 R2
  Both the Coldfusion admin and additonal site work fine on HTTP.
  As soon as I attempt to enable SSL websockets and install SSL certs, the Coldfusion 11 Application service will not start. I followed the steps below....
  Coldfusion 11 - Web Sockets via SSL
  The Coldfusion-error.log shows
  Jan 26, 2015 3:21:23 PM org.apache.catalina.core.AprLifecycleListener init
  INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path
  Server was a cloned VM of the test server with developer copy of CF11, but license has been purchased and applied. SSL certs have been imported successfully, paths are correct in CF Admin to the cert file etc.
  Do I need to install another version of Coldfusion to get around this issue or is there a download update I need to apply?
  If i reconfig the \cfusion\runtime\conf\server.xml to comment out the SSL sections it works fine.
  Any assistance welcome - I can't allow this site to made publicly available with using SSL.
  SM

  @Scott, first are you running update 3? If so, let’s clarify at the outside that, as that bug report (you point to) does indicate in the notes below it, there is a fix for a problem where this feature broke in that release.  And as it notes, you can email [email protected] to request the fix (referring to that bug), or you can wait for it to be released publicly as part of a larger set of fixes.
  If you are NOT on update 3, or you may apply the fix and find things still don’t work, I would wonder about a few things, from what you’ve described.
  First, you say that the CF service won’t start, and you offer some lines from the ColdFusion-error log. Just to be clear, those particular error messages are common and nothing to worry about. They definitely do NOT reflect any reason CF doesn’t start. But are you confirming that that time (in the log lines) is in fact the time that you had started CF, when it would not start? I’d suspect not.
  Look instead in the coldfusin-out.log. What does THAT log show at the time you try to start CF and it won’t start? You may find something else there. (And since you refer to editing the server.xml file, you may the log complains that because of an error in the XML it can’t “parse” the file. It’s worth checking.
  You say also that you have confirmed that “paths are correct in CF Admin to the cert file”. What path are you referring to? There’s no page in the CF admin that points to the CACERTS file in which the certs are stored. Do you perhaps mean on the “system info” or “settings summary” page? Even so there’s still no line in there which refers to the “cert file”.
  Instead—and this could be a part of your problem—the cert file is simply found WITHIN the directory where CF’s pointed to to find its JVM. Wherever THAT is, is where you need to put any certificates. So take a look at the CF Admin, either in the ”java and jvm” page (and the value of its “Java Virtual Machine Path”), or in the “settings summary” or “system information” pages and their value for “Java Home”. Is that something like \coldfusion11\jre? Or something like \Java\jdk1.7.0_71\jre? Whichever it is, THAT’s where you need to put the certs, within there (in its \lib\security folder).
  Finally, when you say that if you “comment out the SSL sections  it works fine”, do you mean that a) CF comes up and b) some example code calling your socket works, as long as you don’t use SSL?
  To be clear, no, you don’t need any other version of CF11 to get websockets to work. But if you are on update 3, that may be the simple problem. Let us know how it goes for you with this info.
  /charlie

• SSL Cert for 2008 R2 Reporting Services that is installed on a Failover Cluster - server address mismatch?

  I utilized the idea from
  http://www.mssqltips.com/sqlservertip/2778/how-to-add-reporting-services-to-an-existing-sql-server-clustered-instance/ to install 2008 R2 Reporting Services on a new Clustered SQL instance.  In short, create the new Clustered SQL instance on Node1,
  installing Reporting Services with it.  Then on Node2, Add a Failover Cluster Node (without choosing Reporting Services); following that up with starting the SQL setup.exe with a cmd to bypass a check so that I can then install the Reporting Services
  feature on Node2.  It points out using the SQL Cluster Network name for connecting to Reporting Services.
  I verified upon failover that I could still access the Reports and ReportServer URLs.  However, when wanting to add an SSL certificate to the RS configuration, I run into the warning of "mismatched address - the security certificate presented by
  this website was issued for a different website's address", where I can continue and get to the Reports or ReportManager URLs.
  I played with different certs (internal CA created) and SANs and other things, but I still get this error with the cert.  The Reports URL, for example, is <a href="https:///Reports">https://<SQLClusterNetworkName>/Reports, and the
  cert has a CN and Friendly Name of SQLClusterNetworkName (with SAN of DNS: SQLClusterNetworkName.<domain>), but the error still happens.
  What am I missing to eliminate the mismatched address warning when using the SQLClusterNetworkName as the base of the URLs?

  I got it working by using the FQDN as the common name on the SSL cert, with FQDN in RS URLs.

• Safari will not load selected https/ssl sites

  Hello all,
  I seem to be having what I believe to be an SSL certificate issue with the site https://my.pocketsmith.com/login . I am able to load the front page just fine (www.pocketsmith.com), but I have been totally unable to load either of the secure my.pocketsmith.com (pricing & login) pages which are linked at the top of the front page.
  I am also unable to load the certificate info data when I click on the "lock" in the address bar after the page fails to load. It's like Safari doesn't want to deal with the certificate at all.
  As far as I can tell the certificate is issued by GeoList and checked by Experian - I think that's how it works - for my.pocketsmith.com.
  I'm running Windows 7 through a straight connection (no proxy).
  I am able to access both of the SSL pages without issue on Chrome and IE 8.
  I have no Safari 5 extensions or add-ons installed.
  The error message Safari displays is:
  "Safari can’t open the page “https://my.pocketsmith.com/login” because Safari can’t establish a secure connection to the server “my.pocketsmith.com”."
  I've eliminated as many things as I can think of, to include updating the Thawte, Experian & GeoTrust root certs, deleting ALL SSL certs and starting over, resetting Safari (clear cookies, history, cache, etc.) several times, uninstalled/reinstalled Safari, uninstalled my antivirus software (NOD32), disabled Windows firewall, deleting all of the Safari 5 DNS pre-fetch files (the entire Safari folder in my user folder actually), switched my DNS server settings to both the Google and OpenDNS addresses, uninstalled/reinstalled Java (latest release), uninstalled/reinstalled Flash.....umm, that's all I can think of off the top of my head.
  Still no joy.
  I've read in a couple forums that it's possible there's a java script running that may not be compatible with Safari 5's security settings. Have also heard that it's possible the SSL cert. on the back end needs to be updated. No idea how plausible either of those theories are, but I've written PocketSmith to see if I can find out.
  In the mean time I'm stuck using either IE or Chrome, neither of which I'm overly fond of. Just wondering if anyone has had a similar issue that they were able to get to the bottom of (I read the 1st 20 pages of the forum and wasn't able to find the exact same issue).
  Thanks in advance.
  EDIT: I forgot to mention that I also read somewhere that someone had traced a similar issue to a problem with TLS 1.x (don't remember which, sorry...) and/or SSL 3.0. In other words, it's possible that it's a protocol problem and not necessarily a certificate problem. However, Safari doesn't seem to have an option to check these settings built in - does it just use whatever the IE settings are or is there some way to manipulate them directly in Safari?
  Thanks again.
  Message was edited by: abn.geek

  Hi
  From your description, it seems the proxy server codes are correctly established in your System Preferences>Network panel, otherwise Camino would not work (uses the same Network settings as Safari).
  I suspect the problem exists with the Proxy server relative to Safari. Have you spoken with your IT department, or whomever is in charge of the Network?

• How to get OS X to accept an SSL Cert the way other UNIX clients do?

  I'm hoping some of the network gurus can suggest a solution for me. My current config is 10.5.4 on PPC.
  I have a host that I need to connect to using SSL but their certificate has a host name mismatch (they are a small org, and can't afford another SSL cert for the moment). I know the cert is valid, so I'm not worried about the security implications of using it.
  On other *NIX clients, I simply have to add the cert into the root chain (e.g. /etc/ssl/certs/ca-certificates.crt), restart the application, and all apps will then accept it as valid.
  On OS X, I've imported the cert into Keychain Access, marked it as "Always Trusted" and set up a policy to "alias" it to the URL I need to access with my application (not a web browser) (ref: KB article: HT1679) in both the login and the System keychains, yet the client application still errors out and refuses to connect to the URL.
  How can I configure client SSL on OS X to work like other UNIX configurations? There doesn't seem to be a way to override the extremely restricted behavior.
  I have MacPorts installed and am open to an application specific "hack" if necessary, ala "LDLIBRARYPATH", if anyone thinks that's feasible (which is what I am looking at now). Conceivably I could recompile the client application since it's OSS, though I'd rather avoid that if possible.
  Any suggestions would be appreciated.
  Thanks in advance--
  =N=

  when you connect with a web browser to an https site that has a mistmatched cert it warns you and you have to tell the browser to ignore the security issue to let you carry on.
  what unix apps are you using to connect to this server?

• Webserver refuses to take SSL cert

  My SSL cert is installed on my server and when I go to Settings pane in Server.app for the host and edit "SSL Certificate" and choose my cert, the UI will collapse the pane below showing the various services. This is because it applies the cert to all services. When I click OK to accept the setting, it should show my cert right after "SSL Cert:" because should now be applied to all services.
  Instead it shows "Custom". When click th "Edit" button again to see whats going on, it shows that all services are using my cert - except the last one - "Websites (Server Website - SSL)"
  For that, is simply shows "None". Changing it to my cert then clicking OK, has no effect. It just reverts back to "None".
  Apache wont start because there is no cert specified and specifying it manually in ..
  "/Library/Server/Web/Config/apache2/sites/0000_any_443_.conf"
  ..does no good because OS X simply overwrites it from some place.
  So at this point it's impossible to get Apache going on this host. The Server application refuses to accept my cert for the website. I dont get any errors and I dont see any in the logs either pertaining to some failure to apply the setting.
  Any ideas?

  I forgot to mention that when the Certificate Assistant ask for the Issuer in one of its screen, choose the Intermediate CA certificate. Also, the four PEM files is created in /etc/certificates.
  On a fresh Server app install after your get OD Master running or after you have done the web:command=restoreFactorySettings, visit Server app Certificates screen and Custom select the just created Leaf SSL Certificate next to the Web (Default Server - SSL). This will create the default SSL certificate in the Web service window.
  Also, if any one of the three *conf files are missing in the sites folder, Server app will hose the folder by renaming it as sites-unusable-nnnn and recreate a fresh sites folder with fresh copies of the *.conf files. In addition, if you read the comments within the 0000_any_80_.conf and 0000_any_443_.conf files, there are certain apache http directives which are off-limits to administrator as Server app will modify their values. It suggests that you create a .conf files with your amendments (of course, they must be within the Virtual Host context) and use an Include directive or through the use of the WebApps mechanism.
  Furthermore, you must not set a specific IP address for all your virtual hosts but use Any instead. Since I want to use the built-in Wiki service, I have added wiki.domain.com as Additional Domains for both the Default Servers (since the Default Servers refuse to use ServerName). For my case, since I have multiple IP addresses, I have to specifically amend the virtual_host_global.conf file with a static IP address for the Listen 80 and 443 directives, and since Server app will undo the amendment within the sites folder, I have to bring the virtual_host_global.conf file up one level to the apache2/ folder, amend httpd_server_app.conf to load this virtual_host_global.conf file instead...see below the relevant section of my httpd_server_app.conf file:
  <IfDefine WEBSERVICE_ON>
      Include /Library/Server/Web/Config/apache2/sites/0000_*.conf     <--- instead of "*.conf"
  </IfDefine>
  <IfDefine !WEBSERVICE_ON>
  #    Include /Library/Server/Web/Config/apache2/sites/virtual_host_global.conf
      Include /Library/Server/Web/Config/apache2/sites/0000_any_80_.conf
      Include /Library/Server/Web/Config/apache2/sites/0000_any_443_.conf
  </IfDefine>
  Include /Library/Server/Web/Config/apache2/virtual_host_global.conf
  Include /Library/Server/Web/Config/apache2/httpd_server_app_tweaks.conf
  The httpd_server_app_tweaks.conf file is my performance tweaks (e.g. StartServers, MinSpareServers, etc.)
  So Server app can happily modify the virtual_host_global.conf file within the sites folder but my settings remain safe one level up.

• Install GoDaddy Wildcard SSL cert on GW WebAccess - ver.8

  I have followed all of the documentation regarding generating a CSR, creating the new eDirectory object from which that CSR is generated, then subsequently downloading and doing the "read from file" SSL cert installation, and it won't validate.
  I have a NetWare 6.5, SP8 server running Apache/Tomcat and it's our GroupWise WebAccess server (version 8).
  I want to encrypt the sessions as well as the authentication from the GW WebAccess login screen (right now, it's just http://).
  Our institution purchased a wildcard, unlimited subdomain, SSL certificate from GoDaddy to use for this, and other, SSL cert. needs.
  No matter what I do, it won't work.
  I am using ConsoleOne to create the new eDirectory object according to the documentation, generate the CSR, and install the certificate, but to no avail.
  Can anyone help?

  Originally Posted by AndersG
  Fmcunningham,
  > > I am looking at installing a cert as well. I have NOWS SBE 2.0
  > > upgrading to SBE 2.5 this weekend and would like to add a CA Cert. Do I
  > > need a Wild card cert to be able to accomplish this?
  >
  Only difference between a wildcard and a regular (apart from price) is that
  a wildcard covers all hosts in a domain,. Ie *.acme.com, whereas a regular
  cert only covers a named host, homer.acme.com
  - Anders Gustafsson (Sysop)
  The Aaland Islands (N60 E20)
  Novell has a new enhancement request system,
  or what is now known as the requirement portal.
  If customers would like to give input in the upcoming
  releases of Novell products then they should go to
  http://www.novell.com/rms
  I am running SBE 2.0 upgrading soon to SBE 2.5. I am not using sub domains, so I think I should be fine with just a normal cert. The real reason I want to go with a cert from a CA instead of a self signed is for webaccess.

• Wildcard SSL cert on ASA

  Is it possible to use a wildcard SSL cert on an ASA? That is, instead of getting a specific cert with the FQDN of the ASA, we would use the wildcard cert issued?

  Absolutely, it's especially needed in ASA vpn load balancing environments. When you connect to a FQDN that translates to a load balancing IP, one of the ASAs will do an http redirect to its individual hostname, your browser (or AnyConnect) will attempt that connection and ASA needs to have a certificate for that specific hostname. Having a wildcard cert on all ASAs resolves this. I've got this running on several customers.
  If you need help with configuration, let me know.
  You can either generate private keys on the ASA (and later export it to another ASA or other non-cisco devices), or you could import an existing wildcard certificate with the private keys (in PKCS12-BASE64 format)
  Regards,
  Roman

• SSL cert error on exchange 2013.

  Hi,
  Can I please have some help to avoid the following two error messages appears on opening outlook 2013 on windows 7 connected directly to the server 2012 domain.
  Godaddy SSL cert is installed on mail.domain.com and firewall forwarding is properly setup.
  There is NO error message if we connect through outlook (AnyWhere) on a system which is not part of the domain and connecting from outside.
  Error Box 1
  Security Alert
  servername.localdomain.local
  Information you exchange with this site cannot be viewed or changed...................
  The security certificate is from a trusted certifying authority.
  The security certificate date us valid
  X The name on the security certificate is invalid or does not match the name of the site....
  Error box 2
  Microsoft Outlook
  There is a problem with the proxy server's security certificate.
  The name on the security certificate is invalid or does not match the name of the target site servername.localdomain.local
  Outlook is unable to connect to the proxy server. (Error Code 10)
  Any quick help will be highly appreciated!
  Many thanks

  Hi,
  Are you using a Single domain cert by GoDaddy, if thats the case we cannot add more than one domain to your cert. I believe you have added the outlook anywhere domain name to your cert since your outlook anywhere connection is prompting any errors.
  You have two options, one is purchase a UCC Cert and add all URL's required or Please have a look on these below Virtual Directories on the exchange server and modify the the URL's so you will not get the Cert errors.
  use the shell to view the internal and external URL's,
  Get-ActiveSyncVirtualDirectory | fl internalurl,externalurl
  Get-AutoDiscoverVirtualDirectory | fl internalurl,externalurl
  Get-ECPVirtualDirectory | fl internalurl,externalurl
  Get-OabVirtualDirectory | fl internalurl,externalurl
  Get-WebServicesVirtualDirectory | fl internalurl,externalurl
  Change all your internal URL's similar to the external URL's, use the Set command as the example below.
  Get-AutodiscoverVirtualDirectory -server EXCHANGE | Set-AutodiscoverVirtualDirectory -ExternalUrl ‘https://mail.domain.com/Autodiscover/Autodiscover.xml’
  make sure all your servername.localdomain.local URL's are changed to match primary certificate name.
  Regards
  Boniface

• SSL cert on ASA 5512 from Thwate or Digitcert

  I ran into the issue when I install SSL123 cert from Thwate . I did not have issue with SSL cert from DIgitcert- their process and steps are simple and using better encryoption - SHA256. Compare to Thwate - their support did not let me use SHA2 and I had to use SHA1 - according to some organisation SHA1 will be retired soon 
  Let me explain how to install SSL123 from Thwate into ASA 5510- you can follow their instruction - but generate CSR with 2048 - with 4096 did not work .Once you apply into their portal use SHA1 ( SHA2 did not work ) . Before you get email with their CA -  install Root and Secondary intermidiate certificate - located in their website . After you get email with the new cert - you can install under Idendity certificates where still says pending .Note - there are CSR checker tools - before you apply it into CA _ google CSR checker - make sure your CSR does not have any errors
  Note - When you install each certificate - trustpoint association could be in different order - example - ASDM_trustpoint0 , ASDM_trustpoint1 , ASDM_trustpoint2   etc . If you use the same ASDM_trustpoint0 for all certs- root , intermidiate and signed certificate - Did not work and you are getting ERROR - :Failed to parse or verify imported certificate
  here is the link you can follow - https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO16141&actp=search&viewlocale=en_US&searchid=1429125296765
  Finally you can check your SSL cert - google SSL checker to see if your chain as good all the way and what need to be fixed 

  First of all, you don't need the server names in the cert if your Exchange urls are configured to a load balanced url. Going forward, you will not be able to get a certificate from 3rd party with internal urls (server fqdn) in it.
  When you export the certificate from CAS1, make sure that you include the private key as well (there will be a check box to tick) and import it back on CAS2.
  If not, you can just import the certificate into CAS2 by selecting Import Exchange certificate in EMC and select the 3rd party cert (just like you imported on CAS1).
  Yes, you need the certificate on both servers, otherwise you will get certificate errors on clients (assuming that there is some form of load balancing in place - NLB or hardware).

• How to setup SSL cert for SharePoint apps in a three tier farm with nlb

  I am having trouble understanding how to setup the SSL certificate on SharePoint apps or in general its configuration

  Please check the below thread..
  https://social.technet.microsoft.com/Forums/sharepoint/en-US/53465d30-10b2-48c9-9541-5ade738156b4/how-to-setup-ssl-cert-for-apps
  Don't forget to mark it as an Answer if it resolves your issue and Vote Me as helpful if it useful.
  Mahesh