I am trying to verify the server domain for Apple Pay. I have placed apple-developer-merchantid-domain-association.txt as per the Apple pay instruction and I can access this file with that URL as well.
But when i am going to verify the domain it shows me following Error:
Domain verification failed. Unable to access verification file on server. Confirm that the file is in the correct location, proxies and redirects are not enabled, and the documented Apple Domain Verification IP addresses can access your server.
I don't know what's wrong in configuration.
By the way, This Website is hosted on AWS behind Load balancer.
Wo Got solution of it:
It sounds weird but it worked. Earlier we were using the amazon provided SSL from ACM. And Apple was not able to verify the domain because of SSL related issue. After that we taken new SSL from GoDaddy and setting up on server and it solved our issue.
Seems like Apple was not able to verify domain from the free SSL provided by the AWS.
Related
I'm a relatively new programmer to backend security so very much in the dark about how to set up HTTPS. I'm currently writing an IOS app that is sending http requests to my public EC2 backend domain, however I'm trying to transition this to HTTPS. Right now the backend is running on the developmental Flask server using HTTPS with a self signed certificate. However the problem is that on the IOS app side, it rejects this as invalid so I'm unable to test HTTPS dependant features. I tried to use the domain exception with the infoplist and ip.xip.io but it still complains that someone could be pretending to be this address. Could someone list in a very systematic way how I should approach building this out,i.e are there any free CA's, do I need a cert from a CA, and how to go about properly connecting the app and backend with HTTPS using my ec2 public ip.
Perhaps the iOS app will authenticate properly using a free community certificate. Investigate free certificate authorities, like letsencrypt. There are several. These work like the commercial CAs such as GoDaddy.
Actually the easiest solution was to just use Ngrok
I've got a site that was originally running on a non-heroku server that I moved to heroku. The site was using a bare domain before (example.com). Heroku requires non-bare domains (www.example.com) as per this article: https://devcenter.heroku.com/articles/apex-domains
My question is: I have a bunch of links out there currently like this: https://example.com which throw a browser error now that I am using non-bare domains.
This excerpt from heroku confirms the error is widespread.
SSL
Traffic routed over SSL behaves, at the DNS level, identical to unencrypted traffic and suffers from the same naked domain limitations.
However, applications requiring SSL encryption should use the ALIAS/ANAME configuration on the root domain. Subdomain redirection will cause a browser error when the root domain is requested over SSL (i.e. https://example.com).
How can I redirect people to the right domain without them experiencing a browser error?
EDIT:
I emailed heroku and this was their response:
I'm afraid only the ALIAS/ANAME style records will be able to reference an SSL endpoint at the apex and from my understanding Namecheap do not support those record types. We have a few examples for various providers here. But if your domain provider doesn't support ALIAS/ANAME we can only recommend you switch to another provider that does. A URL redirector doesn't work for SSL, the CNAME type breaks email, and raw A records can break after only a few minutes.
So I moved providers from Namecheap to Cloudflare, CNAME'd instead of redirected, and everything now works as expected.
If you don't have an SSL endpoint provisioned then your visitors will get a 'certificate mismatch' error as Heroku will serve their default herokuapp.com certificate. You can't redirect https without a valid certificate as browsers first check the validity of the certificate. If you're moving to Heroku and want to respond to those requests you will need a valid certificate, SSL endpoint provisioned and a DNS provider that supports using CNAMEs on Apex records.
I pushed a Spree Rails app to Heroku and I see it's using ssl withhttps:// and has a yellow padlock in the browser. Clicking on this shows "Identity verified" and the Certificate Information says Issued To: *.herokuapp.com
This is great. With no configuration or expense at the Heroku end, my app is using SSL with a valid looking certificate. Ok it's a yellow rather than green padlock but hey, not bad for free.
I'm sure this is a stupid question..but how can I run another Rails app on Heroku with a verified certificate without paying for the SSL add-on and purchasing my own certificate?
The TLS/SSL connection your browser is establishing is due to the fact the you are connecting to your app via appname.herokuapp.com. This is standard and will automatically work for any app you create out of the box. Heroku provides SSL encryption as you may be sending sensitive information to the server and it is better practice to encrypt data that you may not necessarily deem sensitive, but your client may. All reputable providers (SAS, Web Hosts, Email Providers) will have a wildcard SSL certificate installed to the base domain (*.herokuapp.com) as it is a single certificate that is relatively inexpensive and will secure all the sub-domains automatically.
That being said Apps are SSL-enabled already and can be accessed simply by using https, e.g., https://appname.herokuapp.com, but you would want to go with the SSL endpoint option when you want to establish the trusted relationship with your clients. Both ways are as secure as the other, but with the wildcard SSL (also referred to as a shared SSL certificate) the trust is established between the client via their browser and Heroku not your App/Site. With the SSL signed to your domain.com the clients can connect to your domain and not the Heroku sub-domain and see your site's information in the connection information on the browser. If your site is needing disambiguation from Heroku then is when you will want to proceed with an SSL setup outside the default.
As for what SSL type and issuer to use I would not recommend https://www.startssl.com/ as they do not offer SSLs with high browser ubiquity as they are not fully signed by an external root authority. Comodo and the consumer standard Rapid/GeoTrust are the best choices as far as assurance, recognition, and easy of use and concerned. You only need a DV (domain validated) SSL and they can be had for a few domains a month.
More on this and the Heroku SSL configuration can be found here
I recently spent some time setting this up. It can be done using CloudFront and a proxy to Heroku. This is probably best used for small projects but seems to be working great so far! See my post here:
http://ksylvest.com/posts/2014-05-06/setup-free-ish-ssl-tls-on-heroku-for-ruby-on-rails-or-any-other-framework
A few things have changed since this question was first answered, notably the advent of Let's Encrypt and new Heroku SSL endpoints, which together make it possible to add SSL for free. I've created a gem to generate and add certificates automatically: https://github.com/KMarshland/heroku-ssl. Once you've added heroku_ssl to your gemfile, you can simply run:
rake heroku_ssl:update_certs
Alternatively, if you don't want to use the gem, you can do these tasks manually:
1. Generate the SSL Certificate
Follow the instructions in https://github.com/unixcharles/acme-client to generate your certificates. You'll need to register your email, authorize the domain, and then finally get your certificates. When authorizing the domain, if you only have one server running, you can simply stick the authorization file in your public folder; if not, you'll either have to set up a dedicated controller and route or add a text record to your DNS zone file.
2. Add the certificate to Heroku
After downloading your certificates, you can either use Heroku's web interface or just run
heroku certs:update fullchain.pem privkey.pem
3. Configure your DNS
You need to set a CNAME record in your DNS zone file that points to [yourdomain].herokudns.com. The DNS zone file specifies what urls get mapped to what servers on the domain name you own. If your site is already pointed to your Heroku app, there will already be a CNAME record; you just need to change where it points to. If not, you'll need to add a new line:
[subdomain] [TTL] IN CNAME [yourdomain].herokudns.com.
I uploaded my Rails application to Heroku, bought a domain name mysite.com on Site5 and pointed it to my Heroku application URL. I can normally access my site on Heroku when I type www.mysite.com and everything works.
The problem is that before my site opens, I receive a warning that the certificate for this website is invalid and that some other site is pretending to be my site. This looks bad if a customer comes to my site and sees that warning and needs to accept their information "will be at risk". How can I avoid this message?
Here is the screenshot how it looks in Safari:
Heroku provides a wildcard SSL certificate covering all herokuapp.com subdomains. This will only be valid, of course, when accessing your app via its herokuapp.com subdomain.
If you need SSL for your custom domain, you need to acquire your own certificate for that domain and pay Heroku ($20/mo) to use that certificate for your application.
If you don't need SSL, verify your code isn't redirecting HTTP to HTTPS requests. This isn't something Heroku normally does by itself; any forced-secure transit is most likely coming from your application.
See Heroku KB: SSL Endpoint
I have an iOS client app which connects to a server using HTTPS.
I've added code in the client to verify the identify of the server.
How can a tester testing this feature test that it is now secure, how can they for example create a MITM situation and check that the client rejects connects etc.?
I've tried googling for how to do this but haven't had much luck.
Can it be done using tools like Charles and proxies etc. or is messing around with a wireless router and having detailed knowledge necessary?
This might be over simplification for your solution, but concepts might help.
A web browsers extracts the name of hosts from embedded certificate and do a comparison of host name that we're trying to connect with. If validation fails, we usually see a security warning. For ex: we can connect with facebook by either typing https://www.facebook.com or by typing https://173.252.100.16/. When we choose second option, we get a security warning.
Your program must be using SSL client socket to connect with HTTPS server. The socket must be having capability to extract the hostname from the embedded certificate. Once you get that, compare that with valid HOST NAME that your program is trying to connect with. If it matches, let request proceed, If not, abandon that session.
To re-create MITM, your web server can use a self signed certificate that can be issue to whatever host name you want, but the IP of server could be 127.0.0.1 (for example). Since there is a mismatch between the host name and actual IP, we can probably simulate the MITM situation.
I'm assuming that digital certificate can't be forged in this case.