Import Fiddler certicicate - iis-7

Im trying to get Odata service in Power Bi and i always get this error
OData: Request failed: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
But when I do run the Fiddler and I add its certificate ,everything works perfect.
and when I close the Fiddler I get the same old error. How should I solve it, should I add this certificate to the IIS in case yes how!.
I added the Fiddler and the service link to the Trusted Root. But it did not work.
always after closing Fiddler the connection is gone.

Related

Docusign Connect / webhook error: The underlying connection was closed: An unexpected error occurred on a send

Not sure if this is a Docusign or ngix question.I'm working on integrating an application with Docusign and I keep seeing this somewhat vague error below in the Docusign Connect logs. In our nginx logs I see that a POST to our application's /webhook endpoint was attempted but doesn't go through. I've specified TLS 1.2 and have tried increasing our nginx timeout but that doesn't seem to fix it.
One theory I have is that our server's certificate isn't chained to a Microsoft trusted CA but I would expect a different error if that was the case.
Any help or guidance would be greatly appreciated.
This most likely would require you to get the IT folks managing this server and networking involved. And yes, they may need to install a certificate, but other errors can be related to the firewall blocking certain requests, an anti-virus blocking requests and even DNS related error preventing the HTTP request from being sent and received by the server.
We highly recommend to use a public cloud for Connect and we have plenty of examples how this can work, while still having your code run on your own IT server.

API request and Error in curl::curl_fetch_memory(url, handle = handle) : SSL certificate problem: certificate has expired

I was running the code for months without any issues, and couple days before.
GET(url="myurl", query)
Today I've got an error
Error in curl::curl_fetch_memory(url, handle = handle) :
SSL certificate problem: certificate has expired
The SSL cert on the site is active and ends in a year.
Also the same GET request is working via browser....
What is the issue? 🤷‍♂️
Try testing your server with this tool: https://www.ionos.com/tools/ssl-checker and see if it says that it is "not installed correctly".
If you find that it has been working historically but recently stopped, you likely have an invalid chain of trust. Recently, a common root CA certificate expired. Your server may be using this and sending it as part of it's chain of certificates it sends to clients. If that is the case, and it is this recently-expired root CA, your fix will most likely look like removing that root certificate from your bundle. So you'd include the intermediate certificates still, but exclude the root. You can then use these tools to revalidate if things are setup correctly.
You can also see the chain and some of the validity information using this tool: https://www.sslshopper.com/ssl-checker.html

Microsoft EDGE - Security certificate required to access this resource is invalid

We are getting following error in Microsoft EDGE in our Dev environment when we run our ASP.NET Application Hosted in IIS 8 in Windows 2012 R2 Server.
Error:
XMLHttpRequest: Network Error 0x800c0019, Security certificate required to access this resource is invalid.
Following are more details about implementations and environments.
Our application runs on 2 different secured ports (HTTPS). In IIS both apps are hosting as different Web Applications and using same certificate. The certificate is generated using OpenSSL SHA2 encryption and it has been added in Secured Certificate Store.
From `Microsoft EDGE when we first load our application, it issues certificate warning message, and we are allowing to proceed. Once page is loaded, on a button click we are calling an API using AJAX call and that is hosted on different port.
In EDGE it is not allowing to proceed that API and giving above mentioned error.
In Chrome and IE 11 also, we are getting same warning message but from there it is allowing to execute next API.
Any help would be appreciated to fix the issue.
If you know your certificate is valid, a possible reason this might happen is if you have a tool running in the background somewhere that hijacks the SSL connections through a proxy, such as Fiddler.
Since such a tool is effectively using a man-in-the-middle attack to report the requests, the warnings are "normal". It's pretty easy to forget them running, too.

QsslSocket: Cannot access peer (client) certificate on other peer (server)

This is the follow-up to my original problem: Qt Server+Client App: encryption fails (updated with code)
Also posted this to Qt Forums: http://qt-project.org/forums/viewthread/41293/
Hi,
my goal is establishing two-ways authentication for Server+Client apps. I am having a strange problem however. Using certificates generated by XCA and OpenSSL for testing purposes in my Server+Client apps using Qt 5.2.0.
Note: I do not use QSslSocket::ignoreSslErrors() to get past the errors.
2 scenarios:
1)
Client has valid clientCA, valid local certificate (signed by serverCA, client template) and valid private key set.
Server has valid serverCA, valid local certificate (signed by clientCA, server template) and valid private key set.
2)
Client has valid clientCA.
Server has valid local certificate (signed by clientCA, server template) and valid private key set.
———————-
ad 1)
I can establish secure connection fine but only if I set QSslSocket::peerVerifyMode to VerifyNone on server side (automatically VerifyPeer on the client).
If I do NOT do that I get assigned automatically VerifyPeer mode even though the socket is correctly evaluated as server side (checked SslMode for this). That is apparently contrary to the documentation as it says it should be automatically QueryPeer if the socket is server side. However even setting the socket to QueryPeer manually does not help and the handshake fails the same as with VerifyPeer.
Now the error I get is:
QSslError::CertificateSignatureFailed (4) “The signature of the certificate is invalid”
Inspecting the peer certificate on SSL error (and/or encrypted) on the server reveals that no certificate was presented by the peer (the peerCertificate() yields null certificate) so it is no wonder it fails with this error. I cannot get the peer certificate on client side either in this case.
BUT even if VerifyNone is set on server and encryption succeeds I still get the above mentioned error due to peer (client) not presenting its certificate despite the fact that it should NOT be requested in the first place. On client I can get peer (server) certificate in this case.
———————-
ad 2)
This is documentation style scenario, that should be capable of one way authentication only (client authenticating the server). In this case the peerVerifyMode is again selected as VerifyPeer on server by default.
However peerVerifyMode does NOT have any effect on the handshake on server side! Even when set to VerifyPeer it succeeds despite the fact that client has not presented any certificates.
No matter the setting of peerVerifyMode the error occurs the same as in #1 plus two new errors, therefore I get on server:
QSslError::CertificateSignatureFailed (4) “The signature of the certificate is invalid”
QSslError::UnableToGetLocalIssuerCertificate (11) “The issuer certificate of a locally looked up certificate could not be found”
QSslError::UnableToVerifyFirstCertificate (12) “No certificates could be verified”
Despite these the SSL handshake succeeds regardless of peerVerifyMode on the server side. I get no errors on the client. This once again is contrary to the documentation that clearly states that in case of ANY SSL error the connection is dropped unless they are ignored.
———————————————
I do not understand this behaviour nor how to fix it since I am fairly sure the certificates are ok (the test handshake using the openssl.exe succeeds with verify return code 0 (Ok)). It seems to me that the settings of peerVerifyMode is often ignored though and that in some cases errors are automatically ignored as well. Since they are related to unsent (or not received) peer (client) certificate on the server side I can understand it but not if the peerVerifyMode is set to VerifyPeer.
Can anybody help? Thank you!
I have been able to solve this issue in unusual way. It was caused by bug in Qt, I think this one https://bugreports.qt-project.org/browse/QTBUG-7200 since it matched the symptoms of my latest attempts (same error in Qt while openssl succeeded in verifying the certificates etc.).
Update from 5.2.0 to 5.3.0-beta solved it (bug was apparently solved in 5.2.2).

SoapUI and web service testing with windows authentication

Blockquote
I'm trying to test an already deployed web service through SoapUI. The service URL is https://hostname:82/Service.asmx. I modified the test Endpoint to reflect this. Web requests go through a proxy that uses Windows Authentication.
First I attempted to run the test directly but without success. All I got was an error:
401 - Unauthorized: Access is denied due to invalid credentials
Next, I entered proxy details and domain username/password into SoapUI proxy settings. This creates another error:
status# HTTP/1.1 502 Proxy Error ( The specified Secure Sockets Layer (SSL) port is not allowed. Forefront TMG is not configured to allow
SSL requests from this port. Most Web browsers use port 443 for SSL requests. )
I wasn't really paying attention to this until now so I ignored the error and went on to install Burp Suite hoping that this would help with Windows Authentication. I got the Internet working through Burp Suite but soapUI still doesn't do anything and I can't run any tests. This time the error is a bit different:
XML Parsing Error: syntax error Location:
https://hostname:82/Service.asmx Line Number 1, Column 1:Burp proxy
error: failed to connect to IP.
What am I doing wrong? :)
Figured it out in the end. I configured Burp proxy the wrong way. Instead of redirecting to my WS server, I was redirecting to our internet proxy which of course didn't know what to do.

Resources