SSL certificate unconfigured, but web server still defaults to https

Similar Messages

• SSL implementation on iplanet web server 6.0

  Hi,
  we've successfully implemented verisign SSL certificate on iplanet web server 6.0 and we have configured the a parent directory to non-ssl class and the a sub directory to the ssl-class. when we tried to run a JSP page, we are getting an error that the page is not found.
  if both are configured for the same directory (ie.. the parent directory then its working fine)....
  can anybody tell me what went wrong with the implementation...
  thanks in advance,
  regards
  Ramachandran

  How did you configure one directory use ssl and another director not? Are you using only one listener?
  I would like to configure my iws to work like this:
  a directory like server/app uses ssl3
  another directory like server/appler uses ssl3 without client authentication. Important: I�m not able to create another listener. I must use listerners already created.

• Unable to install SSL Certificate - ADMIN4118: Only one server certificate can be installed at a time

  Hi,
  We are trying to install SSL certificate (Verisign Class 3) on iPlanet Web Server (version 7). However, at the final step we are getting the error "ADMIN4118: Only one server certificate can be installed at a time"
  We are following the below steps,
  Under "Server Certificates" tab,
       -> Click on "Install" button.
       -> On "Select Configuration" click on "Next" button.
       -> On "Select Tokens and Passwords", select default token as "internal" and click on "Next" button.
       -> On "Enter Certificate Data", select option as "Certficate File" and give path to the certificate file which is having .p7b extension
       -> On "Certificate Details" we are getting warning as "Duplicate Server Details Found" and it's by default using the existing certificate's nickname.
       -> On "Review" page after clicking "Finish" button, an error is displayed saying "ADMIN4118: Only one certificate server can be installed at a time"
  There are multiple sub-domains availble and the new certificate we want to install contains one more sub-domain.
  So, say currently the subdomains present are,
  1.abc.com
  2.abc.com
  so on...
  and now we are trying to install a SSL certificate having one more subdomain say 10.abc.com.
  Please let us know if you have solution to this problem.
  Thanks,
  Rajesh

  Hi Rajesh,
  That error is most commonly seen when you are trying to install a certificate chain into the Web Server.
  The chain should be installed using the "Certificate Authorities" tab per the following steps:
  1) Login to the Admin Console.
  2) Click Edit Configuration from Common Tasks > Configuration Tasks.
  3) Click the Certificates > Certificate Authorities tab from the Configurations page.
  4) Click the Install... tab from the Certificate Authorities (CAs) page.
  An Install CA Certificate Wizard opens. The wizard guides you through the settings available for installing a Certificate Chain. Select Certificate Chain when prompted for Certificate Type.
  You should then see the CA and intermediate certificate(s) listed in the security database.
  If you have access to MOS, more details can be found in the MOS KM Note:
     Oracle iPlanet Web Server - 'ADMIN4118: Only one server certificate can be installed at a time' When Installing Certificate Chain (Doc ID 1925025.1)
  regards
  Tracey

• SSL Certificate on 10.6 Server

  I've just been migrating services off a G5 Xserve running 10.5 Server, to a Mac Pro running 10.6 Server.
  It dawned on me it'd be a good idea to get an actual SSL certificate. Because of the lack of funds available, I've gone for PositiveSSL.
  Here are the steps I took to get it:
  1. In Server Admin > Certificates I chose Generate CSR
  2. I pasted this in to Comodo's page and chose Apache + MOD SSL
  3. Took the .crt file emailed to me and chose "replace with signed certificate", dropped it on and clicked "replace certificate" (replacing the old, self signed one).
  This all seemed to work fine. HOWEVER, the web service doesn't seem to be playing ball with it at all and because of this I'm scared to propagate it around any other services.
  These are the errors I'm receiving: (not that Server Admin notices anything wrong!)
  [Wed Jan 19 05:59:58 2011] [error] Init: Pass phrase incorrect
  [Wed Jan 19 05:59:58 2011] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2iASN1SET:bad tag
  [Wed Jan 19 05:59:58 2011] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1CHECKTLEN:wrong tag
  [Wed Jan 19 05:59:58 2011] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1ITEM_EXD2I:nested asn1 error
  [Wed Jan 19 05:59:58 2011] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
  Now I'm aware there needs to be a pass pharse, I saw the box in Server Admin 10.5, but it's gone from Snow Leopard.
  ...and therefore I'm stumped.
  Is there any easy how-to guide for actually getting this sorted and having SSL up and running?
  Thanks in advance

  I'm not sure if this will be helpful or not but the information in this post really helped me to get SSL working on my server...
  http://discussions.apple.com/thread.jspa?messageID=12447818&#12447818

• How to get the ssl-certificate trusted on lion-server

  I'm in the process of setting up lion server to create a small (international) research group collaborating on a project.
  So I want to use the server to exchange data, use a common calendar, address-book etc.
  To do so you need to get a SSL-certiifcate (unless you do everything on VPN).
  So I selected the server in server.app (Hardware) and selected SSL certificate edit
  created a certificate signing request that I exported and saved on my computer
  I received a ssl.crt that I also saved and dragged into the window and replace the original certificate with the signed one
  and also imported the certificate in to the keychain
  All following the steps described in:
  Managing iOS deviceswith OS X Lion Server by Arek Dryer
  the book describes that the certiifcate should now be trusted and valid. However, I keep the message "This certificate was signed by an unkown authority"
  So I somehow did something wrong.
  Any suggestions what I should do?

  ok let me add some info in the hope I will get some guidance:
  using the site http://www.sslshopper.com/ssl-checker.html
  I was able to check on the status of the certificate:
  The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.
  since it is a non-commercial server I used a 'free?' SSL-certificate provider that will charge you when you contact them, so you have to figure it out by yourselve
  I guess I would be helped if there is a step by step manual how to install a root certificate

• How do i "re-trust" the SSL certificate sent from a server I previously marked as untrusted?

  I use Citrix Receiver to access my workplace Windows environment remotely from home, where I run Firefox 7.01 on Ubuntu 11.10. Two days ago the SSL certificate expired, so when I tried to logon remotely it failed. Now the company have renewed the certificate, but now when I try to logon I get an error from the Citrix ICA Client saying "You have not chosen to trust Verisign Class 3 Public Primary Certification Authority - G5, the issuer of the server's security certificate (SSL error 61)"
  I have found a couple of similar queries here, but neither had a solution which worked for me. The entry for Verisign Clas 3... G5 is in /etc/ca-certificates.conf, also there's a link to it in /etc/ssl/certs to an existing ...G5.crt file in /usr/share/ca-certificates - Firefox seems to recognise the issuer as a valid existing certificate issuer. Firefox displays the certificate for the page when I use menu options Tools -> Page Info -> Security -> View Certificate, and the certificate shows as valid for today - for the life of me I can't find a way to make Firefox trust the darn issuer.
  I get the same fault with Firefox 3.6.23 on Ubuntu 10.04.
  (I'd rather not tell everyone here the URL of my company's remote access website)

  Thanks for the swift reply, cor-el - unfortunately, no joy with this approach.
  A. As my named user (called "greg", surprise, surprise, no secret there...)
  Run Firefox; select Edit > Preferences > Advanced : Encryption:
  Here I get no option for Certificates, but I do get View Certificates - then tabs for:
  - Servers, under which my company's remote logon URL is listed - Edit button is grey
  - Authorities, under which the Verisign...G5 entry may be edited; 3 options:
  1. may identify websites (ticked)
  2. may identify mail users (unticked)
  3. may identify software makers (ticked)
  I ticked 2, tried again - same failure. Unticked it.
  B. As root.
  Run Firefox; select Edit > Preferences > Advanced : Encryption:
  Here I get no option for Certificates, but I do get View Certificates - then tabs for:
  - Servers, under which my company's remote logon URL is NOT listed
  - Authorities, under which the Verisign...G5 entry may be edited; 3 options:
  1. may identify websites (ticked)
  2. may identify mail users (unticked)
  3. may identify software makers (unticked)
  I ticked 2 and 3, tried again - same failure. Unticked them.
  Maybe a solution would be, in some way, to add my company's remote logon URL to the list of Servers while running Firefox as root. The Export and Import buttons may help here. However, when I first declined their certificate I was running Firefox as greg, not as root, so I am a bit suspicious there - what can be done as greg should be undoable as greg.
  This is doing my head in. Maybe it's time to step back and think a bit. Maybe try Citrix's online help (already spent a fair amount of time there with no joy either).
  So, thanks again for the reply - I've generally tried to provide a good list of what's up, and your reply has given me food for thought. OK, I'll keep trying.

• Ssl certificate vpn, revoking user cert still letting user login

  hey guys,
  i have this asa with ssl vpn for remote clients. we configured asa to work with windows ms ca.
  everything seem to be working, users can't login until they obtain their own certificate. Confguration on our end set to authenticate using AAA and CERT.
  however after i go to MS CA and revoke users certificate, i am still able to establish ssl vpn connection.
  we have CRL configured for trust point, but that seem to be rather for checking actual trust point rather then user's certs.
  i looked over a documentation but fail to see what i am missing.
  any help will be greatly apreciated!  could it be that this CAN"T be done and user need to be deactivated rather then the cert being revoked? it's just makes me think that this two factor auth a little off... as if user cert is no longer valid. but trust point still ok - it let a person in.
  thanks again!!

  Tim,
  I will read through the article more thoroughly; I've already been through parts of it -- won't hurt to go through again.  I did initially have the IP address in my XML file, and immediately removed it when I noticed that it was using the IP address in the FIddler dump.  It hasn't had any effect unfortunately -- even with uninstalling and re-installing the AC client locally.
  The only other article/post I've come across on Cisco's site that comes close is here:
  Cisco Support Community: ASA VPN Load Balancing/Clustering with Digital Certificates Deployment Guide
  which seems to suggest that I will need a UCC certificate (which seems ridiculous) to do some of what I need to do.  However the issue with that post is that it still wouldn't fix the issue where the AC client is using the IP address.
  I will let you know if I find any smoking guns in the doco link you sent.  Any other thoughts appreciated.  I can't believe Cisco made the setup of the AC client this convoluted.
  Thanks!
  -Matt

• Problem Installing a SSL Certificate on a RD Server

  I'm trying to install a 3rd party SSL Certificate (GoDaddy) on my RD Session Host server (2008 R2).  I generated the request through IIS, received the cert from GoDaddy and imported it into [Certificates(Local Computer)\Personal\Certificates]. 
  I then went to RD Session Host Configuration,  and RDP-Tcp, and chose to select certificate.... however, I'm not given a choice...instead I receive a dialogue box saying "There are no certificates installed on this Remote Desktop Session Host server". 
  Any ideas why I cannot choose the cert?  Do I request the cert improperly ?  I'm stuck here...  thanks in advance for any tips!
  Scott

  It looks like you have the correct certificate but perhaps didn't import it the correct way. Did you create the Certificate Request on the same machine as you imported it? Otherwise you don't have the private key. If not them import the certificate on the
  same where you created the CR and then export the certificatye and make sure you select to export the private key as well and then import it on the RDS. If you followed the import steps correctly I suggest you contact GoDaddy to make sure the delivered
  a valid certificate.
  Kind regards,
  Freek Berson
  http://microsoftplatform.blogspot.com/

• SSL Certificate Error in AIX server~~~SCOM 2012 R2

  Hi Everyone,
  While installing SCOM client i am getting below error. Plz suggest.
  Agent verification failed. Error detail: The server certificate on the destination computer (FQDN(Server Name):1270) has the following errors: 
  The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
  The SSL certificate is signed by an unknown certificate authority.      
  It is possible that:
     1. The destination certificate is signed by another certificate authority not trusted by the management server. 
     2. The destination has an invalid certificate, e.g., its common name (CN) does not match the fully qualified domain name (FQDN) used for the connection.  The FQDN used for the connection is: FQDN serve 
     3. The servers in the resource pool have not been configured to trust certificates signed by other servers in the pool.
  The server certificate on the destination computer (FQDN(Server Name:1270) has the following errors: 
  The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
  The SSL certificate is signed by an unknown certificate authority.      
  It is possible that:
     1. The destination certificate is signed by another certificate authority not trusted by the management server. 
     2. The destination has an invalid certificate, e.g., its common name (CN) does not match the fully qualified domain name (FQDN) used for the connection.  The FQDN used for the connection is: FQDN serve.
     3. The servers in the resource pool have not been configured to trust certificates signed by other servers in the pool. 

  Hi Pawan
  Have you exported/imported scx certificates?
  Check out Kevin Holmans blog on installation of UNIX/Linux agents:
  http://blogs.technet.com/b/kevinholman/archive/2012/03/18/deploying-unix-linux-agents-using-opsmgr-2012.aspx
  www.coretech.dk - blog.coretech.dk

• Partial SSL implementation for iplanet web server

  Hi,
  I would like to make a web server SSL enabled partially.
  Say something like this
  https://mysite:8080/htmlfiles/log.html
  Only the above url should be SSL protected.
  Other urls like http://mysite:8080/entryservlet shouldnt be SSL enabled
  Thanks in advance
  Regards
  Thameem

  iWS4.x:
  Create two instances - one on Port 80 and runs without SSL, and one on Port 443 that uses SSL. Configure your docs roots such that htmlfiles/log.html is not part of the doc-root for the insecure instance.
  iWS/S1WS6.x:
  Create a single instance with two listen sockets and two virtual servers. Otherwise the same as above.

• SSL Certificate appears valid in Server Admin, but as expired in browsers

  I've imported a certificate from Thawte that expires June 29 2008. It shows the correct dates within the Certificates tab of Server Admin, and everthing looks fine, but when I load an https: page on my server, the browser tells me that the certificate expired June 30 2007.
  This is a fairly new Mac Pro running OSX 10.5.2 Leopard Server, and Apache 2.2.
  If you click on the embedded icon from Thawte that links to their site for verification, it also shows that the certificate is valid.
  I've deleted and re-imported it a few times, and rebooted the server, but it always shows as expired in browsers.
  Sample page with link to Thawte;
  https://cstore.uvic.ca/index-ssl.lasso
  Thanks in advance to anyone who can help me get this fixed.
  Brad.
  Message was edited by: FastCompany

  Camelot,
  Thanks for the reply. I'm not offended by your suggestion that it's something simple that I've overlooked, rather I'm hoping that it is.
  I have selected the certificate on the appropriate site on the web panel. When you visit the site link In my original message, you'll see that the correct certificate is being served, but it appears as expired to the browser, even though it shows as valid in Server Admin.
  I also found it in the Keychain utility, and it also shows as a valid certifcate there. I did find an entry in the Keychain utility for an earlier attempt at installing an expired certificate, so I deleted that entry.

• Web server always defaulting to /var/empty

  Hi,
  After the upgrade from Snow Leopard (Server) to Lion (Server) I got the webserver working immediately. Then I restarted the service (serveradmin web stop; serveradmin web start) and somehow everything is not working.
  I looked at /etc/apache2/sites and there are some weird things going on:
  0) in the Server Admin (UI App) I cannot edit at all the site (I can create new ones, but not edit this one)
  1) 0000_any_80_.conf just redirects to an SSL site (ok, this is fine)
  2) 0000_any_443__shadow.conf seems to be regenerated everytime I restart the web service and has the DocumentRoot point to /var/empty
  Why is this happening (the rewrite)? And where should it point to to just have the default MacOSX webserver page (with links to Wikis, Users, Calendars, ...) ?
  Thank you a lot.

  There is already a thread about that that suggest to
  issue a "sudo su",
  type your password
  then run the command
  echo NameVirtualHost\ \*:80 > /etc/apache2/sites/00000_MoreTestingRequired.conf
  or if you have SSL enabled run
  echo NameVirtualHost\ \*:443 > /etc/apache2/sites/00000_MoreTestingRequired.conf
  you can access this thread by goingg to :
  https://discussions.apple.com/thread/3190398?start=15&tstart=0

• Why we need SSL Certificates for configuring App Server in Sharepoint

  Hi Support,
  We are planning to have a separate server for Apps, while configuring the server its asking for certificate. The main scenario is while configuring server inside the same firewall why we need SSL for configuring.
  Could you please let me know the reason why we need SSL for configuring App Server.
  Thanks in Advance,
  Regards,
  Pradeep

  Hi  Pradeep,
  SSL (Secure Sockets Layer) is a transaction security standard that provides encrypted protection between browsers and App Servers. When SSL is enabled for an App Server, browsers communicate with the App
  Server by means of an HTTPS connection, which is HTTP over an encrypted Secure Sockets Layer. HTTPS connections are widely used by banks and web vendors for secure transactions over the web.
  Secure Sockets Layer  is a requirement for web applications that are deployed in scenarios that support server-to-server authentication and app authentication. This is such a scenario. As a prerequisite
  for configuring Task Synchronization, the computer that is running SharePoint Server must have SSL configured.
  Reference:
  http://blogs.technet.com/b/speschka/archive/2012/09/03/planning-the-infrastructure-required-for-the-new-app-model-in-sharepoint-2013.aspx
  http://corypeters.net/2013/03/ssl-and-sharepoint-2013/
  Best Regards,
  Eric
  Eric Tao
  TechNet Community Support

• Sending SSL Certificate to external Web service in BizTalk 2010

  Hi,
  We are facing issues in calling the external web service(SAP I Web service) which is authenticated using the SSL self signed certificates.
  When BizTalk sends the request to SAP it fails with HTTP 401 error, and in SAP PI the log says calling application not sending the client certificate. Please help us in sending the request to external web service by signing with the client
  certificate.
  Below are the details,
  1. This is a 2-way SSL communication authenticating based on the client Certificate.
  2. BizTalk server public key certificate is shared to SAP PI and using SAP PI certificate public key in biztalk
  3. Configuration done at BizTalk as given below
  1. Created BizTalk Certificate using makecert command
  2. Client and Server Certificate Installation
  - Installed BizTalk Client Certificate in Certificates Store under
  a. Current User--> Personal (Private Key)
  b. Current User --> Trusted Root Certification Authorities (Public Key)
  c. Local Computer --> Personal (Private key)
  d. Local Computer --> Trusted Root Certification Authorities (Public Key)
  e. Current User--> Other People
  Installed SAP Server Certificate in Certificates Store under
  a. Current User --> Trusted Root Certification Authorities
  b. Current User --> Trusted People
  c. Local Computer --> Trusted Root Certification Authorities
  d. Local Computer --> Trusted People
  e. Current User--> Other People
  3. BizTalk Status Solicit Response Send Port(used to call the SAP PI Web service) Configuration
  - Transport Type  WCF-Custom
  - Binding  BasicHttpbinding
  Security Mode : Transport
   Client Credential Type : Certificate
   Proxy Credential Type : None
   Realm : localhost
  • Message
   Client Credential Type : Certificate
  Client CredentialsClient Certificate
   findValue : CN=< Thumbprint >
   x509Findype : FindByThumbPrint
  • Server Certificate
   findValue : <Thumbprint>
   x509Findype : FindByThumbPrint

  Hi All,
  The reasons why the trigger from BizTalk is failing and the trigger from SoapUI is successful.
  In SoapUI configuration we select the Private key of the client certificate and provide the password for the same.
  In BizTalk we only have the option of selecting the certificate and we cannot provide the password. Below is the MSDN article for the same
  In one of the Site  , its mentioned as below, Kindly let us knwo whether the below mentioned will work or not
  Organization Security Restrictions::
  Each organization may have restriction on using client certificates for security reasons . One such restriction is when a user requests a client certificate a password prompt is displayed . A client certificate can be used only if the correct password is provided
  becuase Biztalk Server uses services and services cannot interact with dialog boxes so do not use client certificates requiring password validation.
  To Prevent the issue , configure the policy so no password are prompted when a certificate is used this setting is enforced by the Group policy Object (GPO) system cryptography: Force strong Key protection for user keys stored on the computer . If setting
  this policy , then the value should be set to "User input is not required when new keys are stored and used "
  Kindly let us know whether setting needs to be done in the system cryptography
  Thanks

• Unable to set (ssl) certificate on a SQL Server 2012 clustered instance

  Hello everyone!
  I'm trying to encrypt the SQL Server communication with SSL but I can't add the certificate in the configuration manager. I've found and tried a lot of different explaination but none of them worked. I'll described what I've done and hope someone will point
  out what I'm missing.
  Here is my situation:
  - SQL Server 2012 Enterprise Edition. Instance name = INSTANCE, FQDN =  SQINSTANCE.mydomain.com. The instance is running under a customized service account: mydomain\sql_sa
  - Two cluster nodes running Win Server 2008R2: NODE1.mydomain.com and NODE2.mydomain.com. Cluster itself is CLUSTER.mydomain.com
  What I've done:
  1) Asked the team in charge to generate a certificate issued to "SQINSTANCE.mydomain.com" with aliases to "NODE1.mydomain.com", "NODE2.mydomain.com" and "CLUSTER.mydomain.com". I get a certificate with "p7b"
  as extension
  2) Connect on "NODE2.mydomain.com" with account "mydomain\sql_sa". Opened MMC and added the certificate under "Personnal" folder. I tried to add it with "Current user" and "Local computer" settings. Saw both
  on internet since I use a specific service account
  3) Get the thumbprint of the certificate and add it under HKLM\Software\Microsoft\Microsoft SQL Server\MSSQL11.INSTANCE\MSSQLServer\SuperSocketNetLib\Certificate. (I triple checked to remove blanks or special characters)
  4) Reboot the node
  5) Open the SQL Server Configuration Manager, go to the network properties. Certificate does not appear in the list
  I tried to check with certutil and saw the certificate in the output. Some guys talked about some private key but I don't see this particularity in my situation. I tried to check if the certificate is valid and, according to the criterias, it is.
  Does anyone can help me with this?

  Hi,
  Are you sure you've got the certificate correct?  http://msdn.microsoft.com/en-us/library/ms191192.aspx
  To use encryption with a failover cluster, you must install the server certificate with the fully qualified DNS name of the virtual server
  on all nodes in the failover cluster. For example, if you have a two-node cluster, with nodes named test1.<your
  company>.com and test2.<your
  company>.com, and you have a virtual server named virtsql, you need to install a certificate for virtsql.<your
  company>.com on both nodes. You can set the value of the ForceEncryptionoption
  toYes
  In your case, shouldn't it be created for CLUSTER.mydomain.com?
  Thanks, Andrew
  My blog...