Is there any way to create a self sign SSL certificate for multiple domains? My environment is jboss-5.1.0.GA.
I already created a self sign SSL certificate for single domain using the following java keytool commands.
keytool -genkey -alias jbosskey -keypass changeit -keyalg RSA -keystore server.keystore
*Answer the prompts. Use myHostname when asked for first/last name
keytool -export -alias jbosskey -keypass changeit -file server.crt -keystore server.keystore
keytool -import -alias jbosscert -keypass changeit -file server.crt -keystore server.keystore
Then I enable SSL in JBOSS server.xml as follows;
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="7443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
keystorePass="changeit" sslProtocol = "TLS" />
This is working fine. Now I need to add another separate domain name to this certificate.
Please note that this is not a wildcard certificate I’m talking about which support sub domains.
What I need to do is, add totally separate domain names to single keystore file.
P.S.
I’m working on apache + JBOSS environment. The apache server works as a proxy.
I can give separate SSL certificate files in apache httpd-ssl.conf configuration for different domains. But when I come to JBOSS, I’m not sure how to handle it.
If we use apache as a proxy (That means configure ssl in apache), can we ignore SSL from JBOSS?
I tried to ignore entry (keystoreFile="${jboss.server.home.dir}/conf/server.keystore") but it gives an error.
If not is there any way to handle this situation without a SSL certificate that support for multiple domains?
Thanks
If I understand this correctly, you may be able to let your Apache server handle the SSL authentication and then Jboss can ignore the SSL cert if the proxy is handling it upfront (the JBoss design is to allow control/ auth of SSL certs from the deployment, which doesn't sound necessary in this case)
I have a similar setup, whereby a proxy hosted elsewhere deals with the SSL authentication & just forwards the requests through the DMZ to the JBoss server, which can ignore the certs then.
If I may give an additional answer - a very common setup for Apache+JBoss is to use Apache as some kind of loadbalancer/reverse proxy infront of the JBoss. The SSL communication is completly done by Apache. And a prefered way is, to use AJP between Apache and JBoss instead of HTTP because it sets all necessary informations in the Servlet request instead of using X-forwarded-... information as additional headers that need to be read explicitly.
In this case (either with mod_jk or mod_cluster) you can also manage multiple instances of JBoss behind the Apache very easy. Of course - the communication between Apache and JBoss is not encrypted (as I know AJP doesn't support SSL).
If you want to have encrypted communication and the Apache is still making all the external SSL communication, then the internal communication between Apache and JBoss needs only be covered by one certificate and Apache needs to trust that certificate.
And one more - you can put more then one certificate/privatekey into a keystore just by importing them into the already existing keystore. With keystore -list you can review the content of the keystore. What I never tested yet, is, if the JBoss will use SNI to identify the correct certificate/key to the incoming request. But the newer JBoss and Java supports SNI by default.
Related
I want to set up a telegram webhook and I need to receive https requests.
How can I make my ip an accessible url?
I was doing this in Python with aiohttp.
You should configure Apache web server or Nginx as a web proxy and run it with Genie.jl as a backend.
According to the Telegram webhook documentation https://core.telegram.org/bots/webhooks you need to provide an SSL server (so you will need certificate etc.). While HTTP.jl provides some SSL listen capability, almost in any integration scenario I can think of you will end up needing some options that only robust servers such as Apache or Nginx can support.
Similarly, you want to have Genie.jl as a backend of the Apache/nginx proxy (rather than HTTP.jl) - as this is a standard integration scenario for webservices in Julia and this is a higher level interface than HTTP.jl with error handling for production systems etc. You can find a detailed tutorial for Nginx setup with Genie.jl here: https://genieframework.github.io/Genie.jl/dev/tutorials/92--Deploying_Genie_Server_Apps_with_Nginx.html if you are experienced with Apache you will not have problems applying the same approach to Apache web server
Try HTTP.jl, you can start from these examples.
I purchased a custom domain mydomain.com w/Google Domains last year. Until earlier this week, I was hosting a small single-page React app on that domain (in a Cloud Storage bucket) that connected to a GAE Flask app backend. Wasn't using SSL anywhere. All was well.
I now wish to use SSL. Since I'm new to all of this stuff, I followed the documentation to map my custom domain and secure it with SSL using Google-managed SSL certs. During this process, I created my first load balancer in GCP, then updated my domain's DNS entries for # A and www A to the LB's IP. The guides didn't say anything about changing the # AAAA entries, so I left them in place. Cloud CDN is disabled. Google Domains DNS Settings:
When creating the Google-managed SSL cert, I entered both mydomain.com and www.mydomain.com since I want both addresses to be secured w/SSL. After a few hours, the domain status for www.mydomain.com became active, but the status is FAILED_NOT_VISIBLE for mydomain.com. Guessing this is the source of my problems? Google SSL Cert Statuses:
Troubleshooting tips for this error:
The SSL Certificate isn't attached to the load balancer's target proxy. To resolve this issue, update the load balancer configuration. Done, and confirmed via both the GCP UI and the gcloud cli.
The domain's DNS record doesn't resolve to the IP address of the Google Cloud load balancer. To resolve this issue, update the DNS records to point to the load balancer's IP address. Thought I did this too, see my GAE custom domain settings below:
Attempting to load to mydomain.com or www.mydomain.com in the browser yields:
This site can’t provide a secure connection
www.mydomain.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.
It's been ~40hrs since I created the LB and updated the DNS settings for my domain, so I suspect the issue is my config and not DNS propagation. Where am I going wrong?
EDIT
Editing to clarify a few critical things:
I'm hosting my UI as a static website in a Google Cloud Storage bucket. Cloud Storage doesn't support HTTPS on its own, and therefore requires an HTTPS load balancer to work with custom domains.
If I wanted to go down this path, I'd need to ensure the load balancer pointed to my Cloud Storage bucket, which wasn't mentioned in my original post.
To roll back all changes from this SSL attempt, I'd need to update the # A DNS entry to the GAE IP, then update the www CNAME entry to c.storage.googleapis.com.. Note this CNAME entry is for Cloud Storage, not for GAE.
I ended up aborting the SSL idea and going with #3 (for now). The app in question is for a personal project that doesn't deal with any sensitive info, so SSL really isn't necessary.
You’ve gone through the process and receive the message:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I’ve found some information for you. The main points are listed below.
Verify SSL Status of Website,
Check for Certificate Name Not Matching
Verify TLS Version
Verify RC4 Cipher Suite
Manually Inspect Security Certificate
There is more detail in this document here
I am an University student. And today I am dealing with different web services. I am using apache2 service for starting page and running it with my letencrypt certificate and all works perfect. But my apache redirect user to ReactJs service on another port (:3000) i am use https connection also, but on this port my valid certificate gone and React use some self-signed certificate. How i read in google, react can't use SSL and i must somehow configure apache to serve this port with valid SSL, maybe i am wrong. SOS guys
So my question is:
How i can setup valid SSL for my ReactJS app on :3000 port?
How i can even setup certificate for another ports than apache?
Is it possible somehow run ReactJs with SSL?(i am using HTTPS=true npm start)
I Hope somebody can help me, i am already spent all day looking and reading. No answers at all.
Is it possible to configure valid certificate to an HTTPS acceptable ReactJs service?
P.S By the way i am using Ubuntu 16.04 on a Virtual Machine.
I am trying to add an SSL Certificate to my Virtual Machine Instance on Google Compute Engine I created the key file and generated a CSR File, which I copied into GoDaddy to request a SSL Certificate.
I copied what they sent me and pasted it into a file name example.csr
I then ran this line in the instance:
gcloud compute ssl-certificates create certificate1 --certificate example.csr --private-key example.key
When I list my ssl-certificates I get:
NAME CREATION_TIMESTAMP
certificate1 2017-03-08T09:21:04.166-08:00
But I can't figure out why my webapp is not secure yet. When I go into my url it still says not secure.
EDIT
Source: SSL Certificates, Compute Engine Documentation
Although I've never used Google Compute Engine, I believe (after reading the documentation you linked) that you've just added the certificate, but you still need to configure it:
To use HTTPS or SSL load balancing, you must create an SslCertificate resource that can be used by your target proxy.
Note: SslCertificate resources are used only with load balancing
proxies such as a target HTTPS proxy or target SSL proxy. See that
documentation for when and how to use SslCertificate resources.
SslCertificate resources are not used on individual instances. On an
instance, install the normal SSL certificate as described in your
application documentation.
I suggest reading the links provided by the docs (above), depending of what you want to do (use a HTTPS proxy, SSL proxy or individual instance).
Short Answer:
We can't do that yet.
Medium Length Answer:
I had to actually install the SSL certificate directly on my application.
Do you need to embed your site SSL Certificate inside your app if your
using HTTPS to connect to your Server.
My SSL Certificate is configure to accept *.Domain.name from GoDaddy.
Currently I have Ignore SSL enabled in order to test my application.
Anyone know how this can be done?
You can import your SSL cert onto the Android device - just look under your Settings -> Security tab. (But that's only if you need to) Your device may make you enable a form of access security afterwards (like forcing a PIN or pattern).
If you are only accessing your webserver with that cert installed, then it shouldn't need to be installed on your local hardware.