Webserver refuses to take SSL cert

My SSL cert is installed on my server, and when I go to the Settings pane in Server.app for the host, edit "SSL Certificate" and choose my cert, the UI collapses the pane below showing the various services. This is because it applies the cert to all services. When I click OK to accept the setting, it should show my cert right after "SSL Cert:" because it should now be applied to all services.
Instead it shows "Custom". When I click the "Edit" button again to see what's going on, it shows that all services are using my cert - except the last one - "Websites (Server Website - SSL)".
For that, it simply shows "None". Changing it to my cert and then clicking OK has no effect. It just reverts back to "None".
Apache won't start because there is no cert specified, and specifying it manually in ..
"/Library/Server/Web/Config/apache2/sites/0000_any_443_.conf"
..does no good because OS X simply overwrites it from somewhere.
So at this point it's impossible to get Apache going on this host. The Server application refuses to accept my cert for the website. I don't get any errors, and I don't see any in the logs either pertaining to some failure to apply the setting.
Any ideas?

I forgot to mention that when the Certificate Assistant asks for the Issuer in one of its screens, choose the Intermediate CA certificate. Also, the four PEM files are created in /etc/certificates.
On a fresh Server app install, after you get the OD Master running or after you have done the web:command=restoreFactorySettings, visit the Server app Certificates screen and under Custom select the just-created leaf SSL certificate next to Web (Default Server - SSL). This will create the default SSL certificate in the Web service window.
Also, if any one of the three *.conf files is missing from the sites folder, Server app will hose the folder by renaming it sites-unusable-nnnn and recreate a fresh sites folder with fresh copies of the *.conf files. In addition, if you read the comments within the 0000_any_80_.conf and 0000_any_443_.conf files, there are certain Apache httpd directives which are off-limits to the administrator, as Server app will modify their values. It suggests that you create a .conf file with your amendments (of course, they must be within the Virtual Host context) and use an Include directive, or go through the WebApps mechanism.
Furthermore, you must not set a specific IP address for all your virtual hosts but use Any instead. Since I want to use the built-in Wiki service, I have added wiki.domain.com as Additional Domains for both the Default Servers (since the Default Servers refuse to use ServerName). For my case, since I have multiple IP addresses, I have to specifically amend the virtual_host_global.conf file with a static IP address for the Listen 80 and 443 directives, and since Server app will undo the amendment within the sites folder, I have to bring the virtual_host_global.conf file up one level to the apache2/ folder, amend httpd_server_app.conf to load this virtual_host_global.conf file instead...see below the relevant section of my httpd_server_app.conf file:
<IfDefine WEBSERVICE_ON>
    # instead of "*.conf"
    Include /Library/Server/Web/Config/apache2/sites/0000_*.conf
</IfDefine>
<IfDefine !WEBSERVICE_ON>
#    Include /Library/Server/Web/Config/apache2/sites/virtual_host_global.conf
    Include /Library/Server/Web/Config/apache2/sites/0000_any_80_.conf
    Include /Library/Server/Web/Config/apache2/sites/0000_any_443_.conf
</IfDefine>
Include /Library/Server/Web/Config/apache2/virtual_host_global.conf
Include /Library/Server/Web/Config/apache2/httpd_server_app_tweaks.conf
The httpd_server_app_tweaks.conf file is my performance tweaks (e.g. StartServers, MinSpareServers, etc.)
So Server app can happily modify the virtual_host_global.conf file within the sites folder but my settings remain safe one level up.

Similar Messages

  • SSL Cert

    I have a NetWare 5.1 server running the Apache 1.3.x webserver and Tomcat
    servlets. This is the webserver for my GroupWise WebAccess interface.
    I have an SSL cert on the box to encrypt the data for WebAccess and
    everything works nicely.
    However, I must change the IP address of this server very shortly. I don't
    remember there being anything IP specific when I setup the certificate so
    I'm hoping not to have to do anything with it.
    I was wondering if I'll need to do anything with the SSL certificate to
    take into account the new address?

    Matthew wrote:
    > I have a NetWare 5.1 server running the Apache 1.3.x webserver and
    > Tomcat servlets. This is the webserver for my GroupWise WebAccess
    > interface.
    >
    > I have an SSL cert on the box to encrypt the data for WebAccess and
    > everything works nicely.
    >
    > However, I must change the IP address of this server very shortly. I
    > don't remember there being anything IP specific when I setup the
    > certificate so I'm hoping not to have to do anything with it.
    >
    > I was wondering if I'll need to do anything with the SSL certificate
    > to take into account the new address?
    Delete the cert and run pkidiag and restart apache. (I presume you use
    mod_JK, if not, restart tomcat as well)
    Cheers,
    Edward

  • WebServer 6.1 SP3 SSL reverse proxy to Sun One Application Server 7

    I have an application in the appserver7 that requires SSL authentication. I have already installed a self cert in the appserver7, and the authentication works fine when I browse directly to the appserver.
    The appserver7 has both listener for port 80 and 443 enabled.
    I'm currently setting up a webserver (WebServer 6.1 SP3) to act as a reverse proxy to the appserver7. The reverse proxy for the basic jsp pages found in the appserver worked fine.
    When I try to access the login page, in the appserver, in ssl mode, I am unable to do so. I then try changing the obj.conf to the following, from http to https:
    <Object name="passthrough">
    ObjectType fn="force-type" type="magnus-internal/passthrough"
    Service fn="service-passthrough" method="(GET|HEAD|POST)" servers="https://172.28.48.53"
    </Object>
    However, it still doesn't work.
    Do I need to install a self cert in the webserver and enable the ssl listener as well?
    Do I need to install any reverse proxy addon for the appserver? Any
    setup for the obj.conf in the appserver?
    Any ideas how to get this done?
    Thanks.
    Mac.

    The Web Server 6.1 SP3 Reverse Proxy Plugin is supported, but it sounds like you're trying to do something that simply isn't possible.
    If you want the Reverse Proxy Plugin to perform SSL mutual authentication with the Application Server using the client's certificate, that's impossible due to the nature of SSL mutual authentication. If the plugin could impersonate the client, then SSL would be vulnerable to MITM (Man In The Middle Attacks). Fortunately, SSL isn't vulnerable to such attacks because the plugin doesn't know the client's private key.
    If you simply want the Reverse Proxy Plugin to pass information about the client's certificate along to the Application Server, that happens automatically. There's nothing special to configure. Note that the plugin will not authenticate to the Application Server in this case. Rather, it will simply copy the X.509 certificate into the proprietary Proxy-auth-cert: HTTP request header.
    The application running on the Application Server can inspect the Proxy-auth-cert: header using standard Servlet APIs. Alternatively, you can use Application Server 7's auth-passthrough AuthTrans SAF to cause the contents of the Proxy-auth-cert: header to be copied to the javax.servlet.request.X509Certificate Servlet attribute.

  • Coldfusion 11 SSL Certs applied - The APR based Apache Tomcat library which allows optimal performance in production environments,

    Coldfusion 11
    Windows Server 2012 R2
    Both the Coldfusion admin and additional site work fine on HTTP.
    As soon as I attempt to enable SSL websockets and install SSL certs, the Coldfusion 11 Application service will not start. I followed the steps below....
    Coldfusion 11 - Web Sockets via SSL
    The Coldfusion-error.log shows
    Jan 26, 2015 3:21:23 PM org.apache.catalina.core.AprLifecycleListener init
    INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path
    Server was a cloned VM of the test server with developer copy of CF11, but license has been purchased and applied. SSL certs have been imported successfully, paths are correct in CF Admin to the cert file etc.
    Do I need to install another version of Coldfusion to get around this issue or is there a download update I need to apply?
    If i reconfig the \cfusion\runtime\conf\server.xml to comment out the SSL sections it works fine.
    Any assistance welcome - I can't allow this site to be made publicly available without using SSL.
    SM

    @Scott, first, are you running update 3? If so, let's clarify at the outset that, as that bug report (you point to) does indicate in the notes below it, there is a fix for a problem where this feature broke in that release. And as it notes, you can email [email protected] to request the fix (referring to that bug), or you can wait for it to be released publicly as part of a larger set of fixes.
    If you are NOT on update 3, or you may apply the fix and find things still don’t work, I would wonder about a few things, from what you’ve described.
    First, you say that the CF service won’t start, and you offer some lines from the ColdFusion-error log. Just to be clear, those particular error messages are common and nothing to worry about. They definitely do NOT reflect any reason CF doesn’t start. But are you confirming that that time (in the log lines) is in fact the time that you had started CF, when it would not start? I’d suspect not.
    Look instead in the coldfusion-out.log. What does THAT log show at the time you try to start CF and it won't start? You may find something else there. (And since you refer to editing the server.xml file, you may find the log complains that because of an error in the XML it can't "parse" the file. It's worth checking.)
    You say also that you have confirmed that “paths are correct in CF Admin to the cert file”. What path are you referring to? There’s no page in the CF admin that points to the CACERTS file in which the certs are stored. Do you perhaps mean on the “system info” or “settings summary” page? Even so there’s still no line in there which refers to the “cert file”.
    Instead, and this could be a part of your problem, the cert file is simply found WITHIN the directory CF is pointed to in order to find its JVM. Wherever THAT is, is where you need to put any certificates. So take a look at the CF Admin, either in the "Java and JVM" page (and the value of its "Java Virtual Machine Path"), or in the "Settings Summary" or "System Information" pages and their value for "Java Home". Is that something like \coldfusion11\jre? Or something like \Java\jdk1.7.0_71\jre? Whichever it is, THAT's where you need to put the certs, within there (in its \lib\security folder).
    Finally, when you say that if you "comment out the SSL sections it works fine", do you mean that a) CF comes up and b) some example code calling your socket works, as long as you don't use SSL?
    To be clear, no, you don’t need any other version of CF11 to get websockets to work. But if you are on update 3, that may be the simple problem. Let us know how it goes for you with this info.
    /charlie

  • How to get OS X to accept an SSL Cert the way other UNIX clients do?

    I'm hoping some of the network gurus can suggest a solution for me. My current config is 10.5.4 on PPC.
    I have a host that I need to connect to using SSL but their certificate has a host name mismatch (they are a small org, and can't afford another SSL cert for the moment). I know the cert is valid, so I'm not worried about the security implications of using it.
    On other *NIX clients, I simply have to add the cert into the root chain (e.g. /etc/ssl/certs/ca-certificates.crt), restart the application, and all apps will then accept it as valid.
    On OS X, I've imported the cert into Keychain Access, marked it as "Always Trusted" and set up a policy to "alias" it to the URL I need to access with my application (not a web browser) (ref: KB article: HT1679) in both the login and the System keychains, yet the client application still errors out and refuses to connect to the URL.
    How can I configure client SSL on OS X to work like other UNIX configurations? There doesn't seem to be a way to override the extremely restricted behavior.
    I have MacPorts installed and am open to an application-specific "hack" if necessary, a la "LD_LIBRARY_PATH", if anyone thinks that's feasible (which is what I am looking at now). Conceivably I could recompile the client application since it's OSS, though I'd rather avoid that if possible.
    Any suggestions would be appreciated.
    Thanks in advance--
    =N=

    When you connect with a web browser to an https site that has a mismatched cert, it warns you and you have to tell the browser to ignore the security issue to let you carry on.
    what unix apps are you using to connect to this server?

  • SSL Cert Renewal w/Org Name Change

    Hello,
    We get our SSL certs from a central agency that deals with Verisign. The central agency changed their name, which changes the Organization Name on the cert. That prevents the cert from being imported by the server. On the advice of a Windows admin, I tried to fake it by creating a new site on that server, importing the new cert (all good), but then the new server won't start.
    Is there a better way to get the new-org-named cert accepted by the original site?
    Steve Kayner

    Are you talking about changing your SMTP domain name? Or do you want to change the AD DS domain name? If you want to change/add the SMTP domain that your Exchange is using, just add the accepted domain that you wish to use.
    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Damir

  • WLC Virtual Interface config for a public SSL cert for Web Authentication

    I'm trying to get a cert loaded on my 5508 WLC running 7.6.130.0 so when a Web-Auth users tries to authenticate they don't get the SSL cert error.
    In the document "Generate CSR for Third−Party Certificates and
    Download Chained Certificates to the WLC"
    Document ID: 109597 it states the following
    "Note: It is important that you provide the correct Common Name. Ensure that the host name that is
    used to create the certificate (Common Name) matches the Domain Name System (DNS) host name
    entry for the virtual interface IP on the WLC and that the name exists in the DNS as well. Also, after
    you make the change to the VIP interface, you must reboot the system in order for this change to take
    effect."
    Here are my questions.
    1. I have always had 1.1.1.1 as the address of the Virtual interface, should that change or can I leave it as 1.1.1.1?
    2. In the "DNS Host Name" Field do I simply put the domain or the FQDN?  Example. Company.com or hostname.company.com

    Hi,
    1) You can change that if you want. Normally it is non-Public and non-routable in your network.
    2) Put the Host name for which you are going to give in your company DNS server where that Host name would be mapped to the Virtual ip address.
    Regards
    Dhiresh
    ** Please rate helpful posts**

  • Multiple SSL Certs in one SSL Proxy/VIP

    Guys
    I have a requirement to be able to provide SSL for two different sites that will resolve to the same VIP. I've created a lot of SSL sites before and these work a treat with HTTP to HTTPS redirection.
    However, I'm not sure how to take two different SSL certs and bind them to the same SSL proxy, in order for me to add them to the same VIP. The customer wants to use only port 443. I had thought about using a secondary port, something like 8443, and adding another class under the multi-match policy.
    Is this possible at all? I use a standard L4 class-map in the multi-match policy, which then nests down into L7 class-maps for URL load balancing.
    Because this is a multi-match policy, can I just create another L4 policy, which in turn nests down to a different L7 class-map, allowing me to match the second URL? And thus, because I have another L4 policy, I can assign a new SSL proxy?
    Thanks

    Cathy
    Thanks for the reply, that's what I was thinking. We use wildcard certificates for several of the other domains; now we need to provide certificates for www.website.com and ww2.website.com due to cost.
    Is it possible to replace the L4 policy map with a straight L7, so that we are load balancing directly on URL as opposed to verifying L4 matches first? Or would this not be advisable / possible? I always thought it was the L4 policy that made the VIP proxy?
    Can SAN certs not be used in this example?
    Thanks

  • Creating "Valid" SSL Cert

    Hi.
    I have a small webserver and I want to run ssl for my webmail and I created a ssl cert by running
    openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
    Firefox 2 and IE 7 both give me a nice warning that the cert might not be valid. Firefox 3 (cvs), however, completely blocks me from going to the site. So how can I make a "valid" ssl cert?
    Thanks!

    Well I found how to do it...
    http://boblord.livejournal.com/18402.html wrote: To override the error, you need to create an exception. The SSL exception dialog is located in the Preferences window, under Advanced/Encryption/View Certificates. Once there, click on the Servers tab, and then on "Add Exception...". The UI should be straightforward from there.
    It's supposed to be a new feature, but I do hope they add some button to easily add a cert, or else I'm afraid the user base might drop drastically, as there are many sites that have "untrusted" ssl certs.
    For those interested in seeing what the error looks like... http://mezoko.net/stuff/fxsslcerterror.png
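An added example, not from any poster above, serving two posts on this page: the Server.app question at the top (where a leaf cert, its key and an intermediate end up as PEM files in /etc/certificates and the chain has to fit together before any service will take it) and the "valid" cert question just above (where `openssl req -x509` on its own produces a cert no browser will trust, because nothing a browser trusts signed it and it carries no subjectAltName). It builds a throwaway root -> intermediate -> leaf chain with a SAN and then checks that the leaf, its private key and its chain agree. The CA names, the hostname server.example.test and the temp-dir paths are constructed for the demo; nothing here is the Server.app or OS X tooling.

```shell
#!/bin/sh
# Added example: build a throwaway root -> intermediate -> leaf chain with a
# subjectAltName, then verify that leaf cert, private key and chain agree.
# All names, hostnames and paths below are constructed for the demo.

# Normalise "subject=CN = X" (1.1+) and "subject= /CN=X" (1.0) output.
dn_of() {  # dn_of <-subject|-issuer> <cert.pem>
  openssl x509 -in "$2" -noout "$1" | sed 's/^[a-z]*= *//'
}

# SHA-256 of the SubjectPublicKeyInfo carried by a cert / derived from a key.
pub_fp_of_cert() { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | sed 's/^.*= *//'; }
pub_fp_of_key()  { openssl pkey -in "$1" -pubout       | openssl sha256 | sed 's/^.*= *//'; }

# check_chain LEAF KEY INTERMEDIATE ROOT
# Returns 0 only if the key belongs to the leaf, the leaf was issued by the
# intermediate, and the path leaf -> intermediate -> root validates.
check_chain() {
  leaf=$1 key=$2 inter=$3 root=$4
  if [ "$(pub_fp_of_cert "$leaf")" != "$(pub_fp_of_key "$key")" ]; then
    echo "FAIL: private key does not match $leaf" >&2; return 1
  fi
  if [ "$(dn_of -issuer "$leaf")" != "$(dn_of -subject "$inter")" ]; then
    echo "FAIL: $leaf was not issued by $inter (wrong intermediate chosen?)" >&2; return 1
  fi
  if ! openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1; then
    echo "FAIL: path validation of $leaf failed" >&2; return 1
  fi
  echo "OK: $leaf, its key and its chain are consistent"
}

# make_demo_chain DIR HOSTNAME  -- constructed test material, not real certs.
make_demo_chain() {
  dir=$1 host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
      -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  # An intermediate must say CA:TRUE or OpenSSL will not let it issue anything.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
      -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
      -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
  # Browsers match the hostname against subjectAltName, not only the CN.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
      "$host" > "$dir/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
      -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
      -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_chain "$demo_dir" "server.example.test"
check_chain "$demo_dir/leaf.pem" "$demo_dir/leaf.key" "$demo_dir/int.pem" "$demo_dir/root.pem"
# Deliberate mismatch: the intermediate's key is not the leaf's key.
if check_chain "$demo_dir/leaf.pem" "$demo_dir/int.key" "$demo_dir/int.pem" "$demo_dir/root.pem"; then
  echo "unexpected: mismatched key accepted"
else
  echo "(the failure above is the expected result for the wrong key)"
fi
```

For the browser side of the second post, the leaf alone is still not "valid": root.pem has to be installed as a trusted authority on each client (Keychain Access on OS X, the browser's own store for Firefox), and the intermediate has to be served alongside the leaf, which is exactly the linkage `check_chain` tests before you hand the files to the server.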

  • Remote Desktop Services Single SSL Cert with multiple hosts

    I am trying to use a single SSL cert from a third-party issuer. I have 3 servers in my deployment, all 2012R2. One contains the RD Web Access role, RD Gateway role, RD Licensing role, and RD Connection Broker role. The other 2 are
    RD Session Hosts. I have the SSL cert for the server that has the Gateway and other roles. My deployment is primarily focused on deploying RemoteApp to Windows 8 thin clients with GPO through the default URL. It works currently with the
    exception that the user gets a certificate mismatch error, because it is seeing the cert for the gateway server but is connecting to the host servers, so the names don't match. Is anyone else using a similar setup and had success with it? I am trying
    to avoid buying an expensive wildcard cert to cover all of them.

    Hi,
    Please verify that the .rdp file embedded in the RDWeb IE page matches the same one from RADC.  To do this, log on to RD Web Access using IE, right-click and choose View Source.  Find the goRDP function for the icon you want to examine and copy
    the text between the ' marks.  Next paste this into the escape text box the below page:
    http://www.web-code.org/coding-tools/javascript-escape-unescape-converter-tool.html
    Click complete unescape to get the plain text version.  After that you can select all of the text in the clear text box, paste it into a blank Notepad window, then save as a .rdp file.  Once you have the .rdp file created you can compare
    it to the other ones and see if any of the names are different, see if it gets the certificate error as well when you double-click it, etc.
    Do you have any proxy or other non-default network configuration on your Windows 8 embedded clients?
    Thanks.
    -TP

  • SSL Cert for 2008 R2 Reporting Services that is installed on a Failover Cluster - server address mismatch?

    I utilized the idea from
    http://www.mssqltips.com/sqlservertip/2778/how-to-add-reporting-services-to-an-existing-sql-server-clustered-instance/ to install 2008 R2 Reporting Services on a new Clustered SQL instance.  In short, create the new Clustered SQL instance on Node1,
    installing Reporting Services with it.  Then on Node2, Add a Failover Cluster Node (without choosing Reporting Services); following that up with starting the SQL setup.exe with a cmd to bypass a check so that I can then install the Reporting Services
    feature on Node2.  It points out using the SQL Cluster Network name for connecting to Reporting Services.
    I verified upon failover that I could still access the Reports and ReportServer URLs.  However, when wanting to add an SSL certificate to the RS configuration, I run into the warning of "mismatched address - the security certificate presented by
    this website was issued for a different website's address", where I can continue and get to the Reports or ReportManager URLs.
    I played with different certs (internal CA created) and SANs and other things, but I still get this error with the cert. The Reports URL, for example, is https://<SQLClusterNetworkName>/Reports, and the
    cert has a CN and Friendly Name of SQLClusterNetworkName (with SAN of DNS: SQLClusterNetworkName.<domain>), but the error still happens.
    What am I missing to eliminate the mismatched address warning when using the SQLClusterNetworkName as the base of the URLs?

    I got it working by using the FQDN as the common name on the SSL cert, with FQDN in RS URLs.

  • Expired internal SSL cert on SGD 4.5?

    Upgraded Solaris SGD from 4.41 to 4.5. I use an SSL cert for our site, which is working fine. The SGD login prompt appears and the cert can be viewed and verified.
    However after logging in, I get a security warning on tcchelper saying that Sun's own Verisign certificate expired on 8/29/2010. Is a current cert available?

    yes, please open a case with Oracle Support and we will provide you an update on SGD 4.50.933.

  • Is there any way to treat expired SSL certs in HTTPS connections as non-secure?

    Is there a way of navigating HTTPS websites as though they were HTTP, without adding any SSL exceptions?
    Obviously an expired/self signed SSL cert over HTTPS is no more dangerous than no encryption at all over HTTP.
    The Untrusted Connection dialog is a usability nuisance, particularly for those of us who understand HTTPS.

    Check out:
    http://docs.iplanet.com/docs/manuals/enterprise/60sp1/ag/esecurty.htm#1008113
    You will need to turn on Client Auth as described above. Hope it helps.

  • Using internal SSL Certs for Webview and Reskill (ICM 7.2.X)

    Hi,
    I would like to use corporate SSL certs for webview and reskill to avoid the user having to install the self-signed certificate on the local machine. Has anyone any experience of this? Can it cause any unforeseen problems?
    My plan for webview is to create the certificate request in IIS for the default website, use this csr to generate the cert, then complete it by uploading the certificate.
    For reskilling, I will assume I will have to do some command line stuff here ...
    eg: keytool -genkey -keyalg RSA -alias tomcat -keystore hostname.key
    to create the key,
    keytool -certreq -alias tomcat -keystore hostname.key -file hostname.csr
    to create the csr, and
    keytool -import -trustcacerts -alias tomcat -file hostname.cer -keystore hostname.key
    to import the new cert
    Suggestions or comments for anyone who has tried this before would be appreciated.
    Regards,
    Brian

    I've never done it on a version so old, but at the end of the day it's just IIS and Tomcat and importing an SSL cert is very standard.
    david

  • Use Wildcard SSL Cert to Monitor Non-Domain Computers

    Hello,
      I was wondering if a wildcard SSL cert from GoDaddy or another provider can be used to monitor non-domain computers on SCOM 2012R2?
    TIA,
    Jim

    Hi,
    The Operations Manager agents support two types of authentication method, Kerberos or certificate based authentication. In order to monitor servers and clients located outside the Operations Manager’s native Active Directory domain, you will need to configure
    certificate authentication using either an internal Certificate Authority or through a 3rd party Certificate Authority.
    Regards,
    Yan Li
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
