I have an app on a custom domain on Google App Engine and I need to capture JSON packages.
I am using http://www.hurl.it/ to test and the url is like: https://subdomain.website.net.au/folder/
This give a server error however if I remove the S and just use HTTP the request works fine. What does Google need in order for this to work?
Update:
Using Curl and running the following command:
curl --verbose --data "#json.txt" --header "Content-Type:application/json" "https://subdomain.website.net.au/folder/"
I get the error: "unable to get local issuer certificate"
When I download the cert file from http://curl.haxx.se/ca/cacert.pem and run:
curl --verbose --cacert "cacert.pem" --data "#json.txt" --header "Content-Type:application/json" "https://subdomain.website.net.au/folder/"
It works fine and as expected. Does this mean the issue is with hurl.it? if so what is the issue exactly, I have a customer trying to send me data and it is not working either.
Update2:
The issue ended up being that the client did not support SNI so I had to use a VIP instead. This costs money, is an older method but more compatible.
There is an article on how to setup SSL for custom domains on developers.google.com.
Basically you need two things:
An SNI or Virtual IP Certificate
Your domain has to be a payed Google Apps domain to install the certificate
Your certificate, your Google Apps Domain and using the certificate with App Engine will cost you. If you can use the YOURAPPID.appspot.com domain instead you get SSL for free. If you need your custom domain i recommend the above website.
After Updating your Question:
It looks like the Certificate Authority (CA) is unknown or untrusted to the client. This can be fixed by using a commercial certificate from thawte or verisign. Or, you can add the CA certificate to the certificate store of your operating system or client application.
In other words: Install the CA cert as trusted root certificate in your operation system or app. That should do.
Oh and your assumption is right. hurl.it does not know the CA and thus rejects your certificate as invalid or unknown issuer.
Update 2:
Craig, your GeoTrust cert should be fine. Please try the following:
Please verify if you can visit this or any other page hosted by your app with a normal web browser. It should not complain about the certificate. If it does and you need to add an exception rule for the certificate then something is still wrong configuration wise.
I haven't done this in a while but last time i used an SSL certificate i concatenated the actual certificate and the CA somehow, i'm sure there are tutorials for this. Because the CA.cert isn't found it makes sense to provide it in this manner.
From developers.google.com:
'A certificate file can contain at most five certificates; this number includes chained and intermediate certificates.'
See also wikipedia
Since it does work with curl when you supply the CA manually that is a temporary solution for your customer to upload data.
Note that not all applications use the system store for certificates. Firefox for example has its own certificate store and it completely ignores all changes you do in the root certificate store of the operating system (at least under windows that is the case)
Once you have verified that the website works with HTTPS (see 1) you can create a simple form in that app containing a textarea in which you can paste your JSON data and send it to your app using jquery or something. While this is not ideal it is an excellent test to verify that your app and SSL setup works and the issue is somewhere else.
If upload is all you need at the moment you could always package curl and the CA.cert together and add a small batch file that makes the appropriate call.
This is all the information i can give you without having a look at your actual setup. My advice is to fiddle around with clients and certificates because that's definetly where this issue is. It has nothing to do with the JSON data.
Related
I'm creating an API using node js and express. As we are moving towards production, I decided to encrypt the api using ssl, (simply adding the require 'https' option and creating the requires key and cert files using openssl).
I want to continue working on the API using postman (chrome plugin), so to enable me to do this, I visited the API using Chrome, saved the cert for the API to disk and then imported that cert file (cer format) to the "personal" certificate store in Chrome. So far, so simple.
I was then able to start using the API over ssl as expected. Great.
Now, where it is starting to get a bit odd is that if I want to then remove that certificate from my personal certificate store in chrome, I was expecting to be able to just open up the settings - > htttps - > manage certificates and then to be able to remove the certificate, however the certificate is not visible in the list of certs. It's clearly been imported and is working, it's just not showing in the list. The machine in question is running win 10, so I also checked the certificate management console for the machine and I searched for the cert and cannot find it anywhere.
I think that this should be really simple, so where is that cert that I imported (and which is clearly imported and working) so that I can remove it?
Thanks!
So, I finally found the solution to this. From the command line start "certmgr" and from there I can see the installed certificate and remove it. Not sure why it doesn't show up when viewed from within Chrome?!
I've been trying to use Openshift Online v3 to host a web app. It works fine with the red hat-provided domain, but I can't get the routing working to get it to work on any other domain. all I get is:
Application is not available
The application is currently not serving requests at this endpoint. It may not have been started or is still starting.
Possible reasons you are seeing this page:
The host doesn't exist. Make sure the hostname was typed correctly and that a route matching this hostname exists.
The host exists, but doesn't have a matching path. Check if the URL path was typed correctly and that the route was created using the desired path.
Route and path matches, but all pods are down. Make sure that the resources exposed by this route (pods, services, deployment configs, etc) have at least one pod running.
Does anybody know how to do a custom domain in Openshift v3?
Step 1: Create two routes in openshift v3 console. One provided default by the openshift (*.openshiftapps.com) and create another route with the host name as your domain name.
Step 2: Go to domain registrar and add a CNAME record for your domain which points to *.openshiftapps.com domain
Wait for the CNAME addition to take effect and access your domain name from the browser, now it should get the page loaded properly.
As was the case with OpenShift Online Developer Preview, the GA free OpenShift Online starter tier does not support custom domains. Custom domains will only be available when the full paid tier is available. The only option in the interim is to use a proxy in front. One option is to use Cloudflare as that proxy.
Take a look at these docs.
$ oc create route edge --service=frontend \
--cert=${MASTER_CONFIG_DIR}/ca.crt \
--key=${MASTER_CONFIG_DIR}/ca.key \
--ca-cert=${MASTER_CONFIG_DIR}/ca.crt \
--hostname=www.example.com
For starter (free) plan, you may try hidden redirected URL. Some DNS providers provide such service.
I moved recently my app to a scalable gear, I was using a custom domain with a startcom certificate and it worked fine.
Now Android devices mark the certificate as invalid, I was googling and the problem occurs if you don't configure the ssl chain properly. I have configured it right but I did it one more time, however the problem remains.
According to this ssl checker https://cryptoreport.websecurity.symantec.com/checker/ the chain is not sended and Android continue showing https://refly.xyz as invalid.
It's very possible that you have not combined your ssl certificate & chain certificate correctly. You need to combine them into the same file (ssl certificate first i believe) and then upload that as your certificate, and your key file. Don't upload anything into the chain form field.
I want to authenticate users with X.509 certificates to my web site.
I can generate an RSA key pair with keygen element of HTML, and then send the SignedPublicKeyAndChallenge structure to the server. The server can then check and sign the public key and generate a X.509 certificate for that key, for the client.
Now, when I signed up at StartSSL, the HTML pages there installed the certificate into my browser’s store without me doing more than clicking a button and I want to do the same. How do I go about that? Send the certificate with a certain Content-Type? Do it with client-side scripting? How do the browser know it’s supposed to install a client certificate?
I know I can tell the user to install it manually, but if it can be automated, then I want to make it so.
You want return the signed certificate file with the application/x-x509-user-cert mime type. The browser should then offer to download or install that client credential.
For further reading, see https://pki-tutorial.readthedocs.org/en/latest/mime.html.
I am working on a very similar application for my own websites.
I have created a certificate request for code signing purposes. The sys admins told me they have never given one before and told me they need to set up local windows certificate issuing to hand out certificates for code signing purposes. They have sent me a certificate base 64 encoded once it is enabled. I imported cert into my pc and tried to sign the microsoft access. Microsoft access claims the digital signature is not valid.
When I look at the signature, it looks valid. Is there anyway I can debug why the cert is no good for code signing purposes ? Thanks.
That was dumb but here's what happened. When I went through the certmgr, it did not let me request a certificate through the AD policy. I had to create a request using the custom request. What I did not realize is that, I was issuing the command from another computer and sending the request and then importing the certificate from another computer.
Basically I did not have a private key on the other computer to sign the certificate, the certificate looked ok but the prompt that says "you have a private key ..." was not there. When I went in and imported the certificate, on the same computer that I have created the request from, the private key was found and I was able to sign it. That was stupid but you think, I would get a more descriptive warning.
Of course now that I have signed my access 2007 package, I figured out it, it still gives me a warning about macros and asks me to still enable.. My understanding was that signing your package will let others to run the content without running into trust center issues... Fudge....