I have a working Azure web role which I've been using over an http endpoint. I'm now trying to switch it over to https but struggling mightily with what I thought would be a simple operation. (I'll include a few tips here for future readers to address issues I've already come across).
I have created (for now) a self-signed certificate using the powershell commands documented by Microsoft here and uploaded it to the azure portal. I'm aware that 3rd parties won't be able to consume the API while it has a self-signed certificate but my plan is to use the following for local client testing before purchasing a 'proper' certificate.
ServicePointManager.ServerCertificateValidationCallback += (o, c, ch, er) => true;
Tip: you need upload the .pfx file and then supply the password you used in the powershell script. Don't be confused by suggestion to create a .cer file which is for completely different purposes.
I then followed the flow documented for configuring azure cloud services here although many of these operations are now done directly through visual studio rather than by hand-editing files.
In the main 'cloud service' project under the role I wanted to modify:
I imported the newly created certificate. Tip: the design of the dialog used to add the thumbprint makes it very easy to incorrectly select the developer certificate that is already installed on your machine (by visual studio?). Click 'more options' to get to _your_ certificate and then check the displayed thumbprint matches that shown in the Azure portal in the certificates section.
Under 'endpoints' I added a new https endpoint. Tip: use the standard https port 443, NOT the 'default' port of 8080 otherwise you will get no response from your service at all
In the web.config of the service itself, I changed the endpoint binding for the service so that the name element matched the new endpoint.
I then published the cloud project to Azure (using Visual Studio).
At this point, I'm not seeing the results I expected. The service is still available on http but is not available on https. When I try to browse for it on https (includeExceptionDetailInFaults is set to true) I get:
HTTP error 404 "The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable"
I interpret this as meaning that the https endpoint is available but the service itself is bound to http rather than https despite my changes to web.config.
I have verified that the publish step really is uploading the new configuration by modifying some of the returned content. (Remember this is still available on http.)
I have tried removing the 'obsolete' http endpoint but this just results in a different error:
"Could not find a base address that matches scheme http for the endpoint with binding WebHttpBinding. Registered base address schemes are [https]"
I'm sure I must be missing something simple here. Can anyone suggest what it is or tips for further trouble-shooting? There are a number of stack-overflow answers that relate to websites and suggest that IIS settings need to be tweaked but I don't see how this applies to a web-role where I don't have direct control of the server.
Edit Following Gaurav's suggestion I repeated the process using a (self-signed) certificate for our own domain rather than cloudapp.net then tried to access the service via this domain. I still see the same results; i.e. the service is available via http but not https.
Edit2 Information from csdef file... is the double reference to "Endpoint1" suspicious?
<Sites>
<Site name="Web">
<Bindings>
<Binding name="Endpoint1" endpointName="HttpsEndpoint" />
<Binding name="Endpoint1" endpointName="HttpEndpoint" />
</Bindings>
</Site>
</Sites>
<Endpoints>
<InputEndpoint name="HttpsEndpoint" protocol="https" port="443" certificate="backend" />
<InputEndpoint name="HttpEndpoint" protocol="http" port="80" />
</Endpoints>
<Certificates>
<Certificate name="backend" storeLocation="LocalMachine" storeName="My" />
</Certificates>
Related
I've received an email from Amazon Web Services regarding certificate rotation. I need to know whether I should make any changes to my EC2 or Web.config to make it support the new database certificate.
Rotating your SSL/TLS certificate: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
Updating Applications to Connect to Microsoft SQL Server DB Instances Using New SSL/TLS Certificates: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/ssl-certificate-rotation-sqlserver.html
A sample connection string from the Web.config that I use (sensitive data omitted).
<add name="temp" connectionString="Server=someaddress.us-east-3.rds.amazonaws.com;
Port=3306;Database=somedatabase;Uid=someuserid;Pwd=somepassword" providerName="MySql.Data.MySqlClient" />
All my websites have a similar connection string that connects to the RDS database server.
Is there any change needed to be made to the web.config or the EC2 server to make my websites support the new certificate rotation.
You don't need to make any changes since you are not using SSL certificate to connect to RDS. your website will continue to work as it is now without making any changes to your config. But you can consider using SSL to connect to your RDS in order to improve security in the future.
As long as you aren't using an SSL connection to your database, the certificate won't be used and you can update the certificate without any side effect.
This would have been the case if your connectionString included an sslmode as required:
<add
name="mySql"
providerName="MySql.Data.MySqlClient"
connectionString="...;SslMode=Required;" />
Since this is not the case, you can update your certificate right away.
Yes Web.config needs to changed definitely.The changes required are listed below.There might be additional changes based on the security group and vpc setup you have done.
You need to add SslMode=Required parameter to the connectionString
Also add a parameter SslCa=ca.pem
Download the https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem file from aws.
I am creating an ASP.NET web application and currently running it with Visual Studio's built in IIS Express. It normally starts up on localhost and runs just fine. However, one of the external API's I'm calling requires the callback of my application redirect to 127.0.0.1 instead of localhost (it uses the OAuth2 flow for authentication). I realize localhost is just an alias for 127.0.0.1 but for some reason I cannot get my application to run on 127.0.0.1.
I have gone into the project settings under the "Web" tab and changed Start Action > Start URL and Servers > Project URL both to http://127.0.0.1:25436 and even went into IIS Express's applicationhost.config and changed the bindings from this:
<bindings>
<binding protocol="http" bindingInformation="*:25436:localhost" />
<binding protocol="https" bindingInformation="*:44300:localhost" />
</bindings>
to this:
<bindings>
<binding protocol="http" bindingInformation="*:25436:127.0.0.1" />
<binding protocol="https" bindingInformation="*:44300:127.0.0.1" />
</bindings>
I even tried putting the IP before the port like 127.0.0.1:25436: as suggested by another article I read to solve this problem.
When I start the project I get this problem:
I can't figure out how to get around this. Please help!
For the sake of future generations -
HTTPS on your local pc requires a certificate.
Usually something called a "Self signed certificate" is enough.
IIS Express usually creates one for you the first time it's installed.
Windows Start > type "mmc".
File > Add snap-in > Certificates > Add > Computer account > Next/Finish/OK Enter the "Certificates" section > Personal > Certificates
You should see an IIS Express Certificate.
If not, you need to re-install IIS Express and it will add a new certificate for you.
Double-click the IIS Express certificate and scroll down to the Thumbprint Field.
Copy the entire thumbprint into an editor and remove all spaces.
(you can simply do a search&replace " " and replace by "") (see attached image)
Now, with the CMD open with Admin rights, run this:
netsh http add sslcert ipport=0.0.0.0:44300 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF}
As far as I know, the appid isn't critical.
Make sure you add the correct https port number.
Make sure you didn't add hidden characters or else this will fail.
Now, as a last step, you need to drag this certificate to the "Trusted Root Certification..." section.
Done.
Two possible options to get rid of this issue
Use Self Sign certificiate
Remove domain security policy: Steps for Chrome -
Go to : chrome://net-internals/#hsts
Query HSTS/PKP domain for localhost
Use Delete domain security policies option to delete configuration for localhost
I encountered a version of this today, and the answer I found to prove fruitful was over at https://aboutssl.org/fix-google-chrome-error-err_ssl_protocol_error/.
"If the SSL State is not cleared, it might block SSL connection and cause the SSL Connection Error. Follow the steps below to clear the SSL state.
Go to Start Menu > Control Panel > Network and Internet > Network and Sharing Center
Now click on Internet Options from the bottom-left corner.
A new Internet Properties window will appear.
Now move to the Content tab and click on Clear SSL State.
“The SSL cache was successfully cleared” alert should be on your screen.
Again, restart Chrome and check if ERR_SSL_PROTOCOL_ERROR is still there."
On one computer I have 2 projects - a client application and another that holds the identity server and identity manager. When I run the client site on this computer everything works. I am able to sign in, register etc. This project was already set up and working.
I made a copy of the projects and put them on another computer. I have set the sites up in IIS and created a self signed certificate.
When I run the client site and attempt to sign in I get the yellow asp.net error page with the message "The remote certificate is invalid according to the validation procedure". When stepping through with the debugger I also see: "The underlying connection was closed: could not establish trust relationship for the ssl/tls secure channel"
I figure the errors have to do with the certificate so in MMC I made sure that the certificates are installed in the trusted root certification authorties folder.
The other thing I did was check the web.config files in the projects.
In the client site I have something like:
<oidcClient clientId="codeclienthere"
clientSecret="secrethere"
signingCertificate="keythatmatches_certificate_hash_here"
issuerName="https://identityurlhere/issuer"
...
Then in the identity server and identity manager web.config files I have something like:
<appSettings>
<add key="owin:AppStartup" value="startup" />
<add key="Issuer" value="identity_url_here/issuer" />
<add key="Thumbprint" value="keythatmatches_certificate_hash" />
<add key="WebClientId" value="codeclienthere"/>
<add key="WebClientSecret" value="secrethere"/>
...
I changed the signing certificate and thumbprint values to match the certificate hash. For the attribute "issuerName" and key "Issuer" I tried leaving it the same, setting it the name of the certificate and prepending "CN=" to the name of the certificate. I am unsure what value should go here. I am also unsure what other things I should check.
The problem here was that there were hidden characters in the thumbprint that I did not notice. I had pasted in a text editor to compare or something and they got removed so when I pasted them back in the config file they did not match as needed.
I'm using Azure Cloud Services, not Web Sites.
I would like to know if storing sensitive data (passwords) in Azure Service Configuration Settings is secure.
I really don't want to implement the 4-part blog series required to encrypt the web.config in Azure Web Roles, so I'm thinking I could just keep my settings in Azure config and then access them through RoleEnvironment.GetConfigurationSettingValue().
These settings are in a config file much like web.config, so my question is whether this config file is just used to build the cloud service and then discarded, or if it stays on disk during the life of the instance (thereby exposing sensitive data to attack).
I like the ability to update these settings at runtime through the Portal and I consider the Portal a secure endpoint, so I'm OK with it. However, if the file stays on disk then it is no more secure than the web.config file IMHO.
We encrypt/decrypt Azure config settings and other content using the domain certificate installed on the web roles. I posted a full example on my blog here: Securing Azure ServiceConfiguration values for Enterprise Deployment.
I created a feature request: http://feedback.azure.com/forums/34192--general-feedback/suggestions/9025255-certificate-based-settings-encryption
This is similar (but more idiomatic, imho) to what Remote Desktop plugin does. Remote Desktop adds:
<ConfigurationSettings>
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.Enabled" value="true" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountUsername" value="<name-of-user-account>" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountEncryptedPassword" value="<base-64-encrypted-password>" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountExpiration" value="<certificate-expiration>" />
<Setting name="Microsoft.WindowsAzure.Plugins.RemoteForwarder.Enabled" value="true" />
</ConfigurationSettings>
<Certificates>
<Certificate name="Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption" thumbprint="<certificate-thumbprint>" thumbprintAlgorithm="sha1" />
</Certificates>
RDP plugin "knows" Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountEncryptedPassword value is encrypted will use the certificate Microsoft.WindowsAzure.Plugins.RemoteAccess.PasswordEncryption to decrypt it.
My feature request is to add attribute named thumbprint to <Setting /> node. Calls to CloudCloudConfigurationManager.GetSetting() would seamlessly decrypt the value using the certificate indicated.
How wonderful that would be...
I am creating a wcf service. When i add the service as a "Web reference" to my web site (I do this by using the url: http://localhost/myservice.svc?wsdl ) and then call the web methods exposed by the service, I get a "Operation has timed out" exception. However when i add the service as a "Service Reference" to the site, the calls work fine.
The reason iam adding it as a web reference is, i want to expose the wcf service to all clients like java, php .....
I have looked at the article in "http://blogs.msdn.com/juveriak/archive/2008/03/18/wcf-proxy-that-works-with-different-clients.aspx", but i have not tried converting the wsdl to a typed proxy as suggested by this article.
Any ideas on why i get a time out error when using it as a web reference?
Likely you're using WsHttpBinding rather than BasicHttpBinding. .NET 2.0 web services cannot consume a WsHttpBinding service.
The problem is one of protocol. Web service protocols are constantly changing, adding security, federated identity, and so forth. As they change, older technologies can't communicate using the newer protocols.
Thankfully, WCF will allow you to use multiple protocols in a single service -- just set up separate endpoints for each protocol you want to use. Be wary, however, as some are more secure than others.
Regarding versioning, the MessageVersion class is a good starting point.
Edit: I should have mentioned that you need to use MessageVersion as part of a custom TextMessageEncodingBindingElement binding, like so:
<bindings>
<customBinding>
<binding name="MyBinding">
<textMessageEncoding messageVersion="Soap11WSAddressing10"/>
<httpTransport/>
</binding>
</customBinding>
</bindings>