Why Firebase issues SSL using different domain other than custom domain? - firebase

I deployed my app about 3 months ago, but I'm still seeing a different SSL certificate. Also, it seems that it has been renewed using a different domain. Is this still normal? If yes, then how long does it normally take to complete provisioning? Is there a way to use my own certificate instead? ... Since it's just using LetsEncrypt after all.
Domain connected:
Domain mismatch:
Any idea?

It looks like they take advantage of an extension to the X.509 standard known as Subject Alternative Name. From the Firebase documentation:
Your domain will be listed as one of the Subject Alternative Names in the FirebaseApp SSL certificate, which is publicly viewable. While the domain is provisioning, you may see an invalid certificate with that does not include your domain name. This is a normal part of the process and will resolve once your domain's certificate is available.
Indeed, your name appears in the list, along with several others.
(Sorry, my system is in Italian)
EDIT: by the way, Firefox shows the right (alternative) name in the Page Info tab and so does Edge, so it's much more likely to be a Chrome-related glitch, but the certificate is valid.

Related

Trusted domains not working for HERE Maps App

In the HERE platform, I added an App under Apps in the Access Manager. I then generated an API key for this app. This API key works when using it on our webapp.
However, when I add a "Trusted domain" and "Enable trusted domains", the key no longer works. I added all variations of our domain:
sub.domain.com
https://sub.domain.com
domain.com
I have waited multiple hours between different attempts and it still doesn't work. When I disable trusted domains, it works again...
The following question seems related but there is no solution: HERE Maps specific domain feature not working
Is this feature not working properly, or am I doing something wrong?
You would need to pass the "Referer" + your trusted domains in the header.
Example: if you have your IPv4 address in the trusted domains and use a tool like Postman to test it, then add Referer and the IP in the headers. It should work. Thanks

How to support user-supplied SSL certificates in web app

I’m building a web application where users can create their own websites. Users have the option to point their own domain names at these sites. A prototype for the application already exists; Apache accepts requests on all hostnames and the actual domain mapping and resolution happen at the application level (a simple database lookup grabs the site that matches the requested hostname).
Where I’m stuck is how users’ SSL certificates might fit into this equation. What steps would I need to take to allow a user to upload their SSL certificate such that the application could successfully handle secure HTTP requests to their hostname? Is this even something the application alone could handle?
I think you cannot handle this in your application alone.
It's a CA problem, except you are an intermediate CA company, or you cannot get the user's domain SSL certificate and sign for user's domain.
The typical user, and IMHO even more the users who are going to create a web site on this system as opposed to setting up their own WordPress or other site on their own server (or their own paid shared server hosting account), will have absolutely no idea how to set up a proper SSL certificate, so getting it to you securely so that you can install it wouldn't even be an issue because they will never get that far.
However, you should be able to use Let's Encrypt to do exactly what you need. As part of the process of adding a domain, once the domain is pointing to your server (the users will have to figure out how to do that with their domain registrar), you can create a Let's Encrypt certificate and validate it. My favorite web hosting company (I won't name it as that is not relevant - anyone can do this with some effort) provides this capability as part of their Control Panel. They also provide paid certificates with a few of the big issuers, as they have for many years, but for most small sites Let's Encrypt works very well and is totally free. The setup literally takes only a minute. The key is that you have to give the user an IP address or CNAME first so that they can point the domain. Once the domain is resolving to your server, you can get the Let's Encrypt certificate.

Request.URL shows another domain. How it is possible?

I have a running website (based on ASP.NET MVC) on some domain, let's say mydomain.com
Yesterday I was looking into site access logs and I noticed very weird logs: inside it, I saw different domain!
Something like anotherdomain.com/somePage
And I saw exception text in my log saying that 404 - anotherdomain.com/somePage can't be found. It looks like somehow my code is running on some other domain (Request.URL shows a different domain).
How is it possible? Does that mean that someone somehow got access to my host (I'm running on Azure), stole my binaries and deployed them on another host? Or maybe my website was opened from an iframe?
I need to understand in order to determine whether I have a breach.
If I had to guess, I would bet that someone accidentally set their domain's DNS records to point at your server. You can check where the A record for the domain is pointed with nslookup or whois from the command line. If they are in fact mis-configured, you should contact the site administrator to let them know. This kind of mis-configuration, while uncommon, can happen more frequently with cloud services due to the inherently transient nature of the servers and routes used.
It's actually possible to make a GET request to access other domains, via your domain, to check if there's a badly configured proxy. Since you're not, it simply returns a 404 Not Found because you are not actually hosting those pages.
Scans like these happen all the time and are an unfortunate side effect of being connected to the internet, but they do not mean that you are under attack or that someone has access to your host.
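Added example, not part of the original answers: a small triage script that separates the two explanations given above, a foreign Host header (someone's DNS or client pointing at your server) versus proxy probing with an absolute URL or CONNECT. The log format, the host names and the `SERVED_HOSTS` set are assumptions made for illustration.

```python
# Added example: triage of requests whose URL names a host you do not serve.
# The log lines are constructed; the format (ip, Host header, request line,
# status) and all host names are assumptions for illustration.
from collections import Counter
from urllib.parse import urlsplit

SERVED_HOSTS = {"mydomain.com", "www.mydomain.com"}

SAMPLE_LOG = """\
203.0.113.7 host=mydomain.com "GET /home HTTP/1.1" 200
198.51.100.23 host=anotherdomain.com "GET /somePage HTTP/1.1" 404
198.51.100.23 host=anotherdomain.com "GET /about HTTP/1.1" 404
192.0.2.99 host=mydomain.com "GET http://thirdparty.example/ HTTP/1.1" 404
192.0.2.99 host=mydomain.com "CONNECT thirdparty.example:443 HTTP/1.1" 404
"""


def classify(line: str) -> tuple:
    """Return (category, host the client asked for) for one log line."""
    _ip, host_field, rest = line.split(" ", 2)
    host = host_field.split("=", 1)[1].lower()
    method, target, _version = rest.split('"')[1].split(" ")
    if method == "CONNECT":
        # Tunnel request: only meaningful against a forward proxy.
        return "proxy-probe", target.rsplit(":", 1)[0].lower()
    if "://" in target:
        # Absolute-form request target, again a forward-proxy style request.
        return "proxy-probe", (urlsplit(target).hostname or "").lower()
    if host not in SERVED_HOSTS:
        # Normal request, but the Host header names a site we do not serve.
        return "foreign-host", host
    return "normal", host


def summarize(log_text: str) -> Counter:
    """Count (category, host) pairs so repeated foreign hosts stand out."""
    lines = (l for l in log_text.splitlines() if l.strip())
    return Counter(classify(l) for l in lines)


if __name__ == "__main__":
    for (category, host), count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {category:13s} {host}")
```

A host that keeps showing up as `foreign-host` is the one worth looking up with nslookup, as the first answer suggests.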

Problem with https certificate in Flex Mobile Application

When I try to get data in a mobile flex app from a secure site, I get following alert:
A secure connection with this site cannot be verified. Would you still
like to proceed? The certificate you are viewing does not match the
name of the site you are trying to view.
For each call, I get the popup. If I keep on clicking Yes, the app works fine (but I would like to avoid that ;-)).
Any ideas? Apparently, the url from where the request comes, is not the same as defined in the certificate... But what is the url if called from a mobile app (standalone)? It's neither an error, because you can click on yes. So it's more that the client gives a warning. The annoying thing is that you can't accept it permanently...
This is the same whenever a cert is not correct and Chrome or Firefox alerts you and asks if you want to proceed. You can't accept a faulty cert on behalf of your users. The easiest way to fix this is to tell the site owner to get a proper cert.
Check with the system administrators of the website whether the installed certificate is issued for your domain. It appears that the certificate is issued for a domain https:///xxxx whereas it is installed on https://yyyy
Bypassing is OK for testing, but it seems you will finally have to get this corrected.
In my experience this only comes up with self-signed certs, expired certs, and when you are calling the cert by a URL that is not identified in the cert.
With most certs they are associated with a single host/domain combination, i.e. https://www.domain.com
That means that they cannot be used with any other domain host combination. Not even http://domain.com or https://sub.domain.com.
There are certs that will support different hosts on the same domain (www.domain.com, sub.domain.com, etc). They are called wildcard certs. They are very expensive compared to normal single domain certs.
My guess is that in the browser you are calling www.domain.com but in your AIR app you are calling domain.com or calling some other host. That or you have permanently accepted the improper cert in the browser.
I have never had a problem with anything improperly identifying a valid cert. Not a browser, Flex app, AIR application. Ever.
If you view the cert in the browser you should be able to see what domain/host it is registered to. Make sure you are using exactly that. Any variation will cause the error.
As a temporary solution I added some exceptions to the URL Rewrite Module, so that communication by Mobile App can be done with HTTP. But it's no longer secure, so I would rather use HTTPS.
I have also faced this issue, and the simple solution is to fix the certificate issue. If that is not possible, then forget about using HTTPS and use HTTP only. Then you never get any complaint about any certificate issue.
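Added example, not part of the original posts: how a client decides whether a certificate covers the name it connected to. It illustrates both the Subject Alternative Name list described in the Firebase answer and the single-host versus wildcard behaviour described in the answers above. The certificate data and every host name in it are constructed placeholders.

```python
# Added example (not from the original posts): checking which Subject
# Alternative Name, if any, covers a hostname.
# SAMPLE_CERT is constructed data in the dict shape that
# ssl.SSLSocket.getpeercert() returns; every name in it is a placeholder.
SAMPLE_CERT = {
    "subject": ((("commonName", "hosting-provider.example"),),),
    "subjectAltName": (
        ("DNS", "hosting-provider.example"),
        ("DNS", "*.hosting-provider.example"),
        ("DNS", "www.customer-one.example"),
        ("DNS", "shop.customer-two.example"),
    ),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """Compare one dNSName entry with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Wildcard accepted only as the whole left-most label.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return "*" not in pattern and p == h


def matching_san(cert: dict, hostname: str):
    """Return the SAN entry that covers hostname, or None."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and _name_matches(value, hostname):
            return value
    return None


def explain(cert: dict, hostname: str) -> str:
    """One-line verdict that also shows the (possibly unrelated) subject CN."""
    cn = cert["subject"][0][0][1]
    san = matching_san(cert, hostname)
    if san is None:
        return f"{hostname}: not covered (subject CN is {cn})"
    return f"{hostname}: covered by SAN {san} (subject CN is {cn})"


if __name__ == "__main__":
    for host in ("www.customer-one.example", "customer-one.example",
                 "app.hosting-provider.example", "a.b.hosting-provider.example"):
        print(explain(SAMPLE_CERT, host))
```

The subject CN in the output belongs to someone else's domain even when the hostname is covered, which is the situation the Firebase question describes.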

SSL Sharing on IIS

I'm trying to share a wildcard SSL cert across many applications. The way it would work is users would have websites with their domain, but when they need a secure connection they would be redirected to a designated SSL site like https://client422.domain.com
Can session data be shared across the domains even if I place both domains on a single site and a single App Pool?
I wrote a blog article on creating a wildcard cert with OpenSSL (although the article could have a typo or two in the OpenSSL config part, if you figure out the config, it will work as far as the openssl commands are concerned).
http://codingathome.blogspot.com/2008/11/creating-self-signed-certificate.html
If my article is too difficult, and if you have Linux available, I've heard that tinyCA is the way to go.
Now, as far as 'session data' sharing goes, that's a whole different ball of wax. I'd say it's possible if you store session data on the server side.
