WL 5.0.6, HTTP adapter, running on Liberty
We want to make simple connection from our adpater to a backend over SSL, the backend team have provided us their certificate.
Our symptom is
FWLSE0101E: Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
We have read the infocenter here but clearly have got something wrong. Steps we took
Used the JRE keystore tool to add the cert to a keystore.
Adjusted the worklight properties to point to the kaystore.
Restarted the WL Server
Any suggestions for how to diagnose or fix?
The issue in this case was that the certificate referenced hosts that were not visible to our DNS server. We worked around this by adding entries to /etc/hosts.
Related
I'm trying to run neo4j community on a vps via a docker image managed with plesk.
I am however having issues configuring the SSL certificate so I can connect to it securely from nodejs.
Currently, the error I'm getting is quite straightforward in node:
Neo4jError: Failed to connect to server.
Please ensure that your database is listening on the correct host and port and that you have
compatible encryption settings both on Neo4j server and driver. Note that the default encryption
setting has changed in Neo4j 4.0. Caused by: Server certificate is not trusted. If you trust the
database you are connecting to, use TRUST_CUSTOM_CA_SIGNED_CERTIFICATES and add the signing
certificate, or the server certificate, to the list of certificates trusted by this driver using
`neo4j.driver(.., { trustedCertificates:['path/to/certificate.crt']}). This is a security measure
to protect against man-in-the-middle attacks. If you are just trying Neo4j out and are not
concerned about encryption, simply disable it using `encrypted="ENCRYPTION_OFF"` in the driver
options. Socket responded with: DEPTH_ZERO_SELF_SIGNED_CERT
I've mapped the volumes as follows:
/certificates to the letsencrypt live folder for the domain db.example.com
Then I'm trying to connect to it via: bolt://db.example.com:32771
When i check via browser, the certificate being served is self-signed. I have try to add this certificate to the trusted certificates in windows but it didn't do anything at all.
Also added the path to the trusted certificates when instantiating the driver:
this._driver = neo4j.driver(process.env.Neo4jUri, token, {
encrypted: true,
trustedCertificates: ['ssl/neo4j.crt'],
});
I've also tried to copy the files within that certificate folder so that the appropriate files are named as mentioned in this article.
I am trying to use Stripe with my Ruby app and keep getting this error:
Error! Could not verify Stripe's SSL certificate. Please make sure that your network is not intercepting certificates. (Try going to https://api.stripe.com/v1 in your browser.) If this problem persists, let us know at support#stripe.com. (Network error: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed).
Why am I getting this? Any help would be greatly appreciated.
Thanks!
Stripe's Ruby bindings verify the HTTPS certificate on Stripe's servers (api.stripe.com) to ensure you're really communicating with Stripe and not with a malicious third-party (a.k.a. a "man-in-the-middle attack").
There are a number of reasons that can cause this error. First, you should make sure you're using the latest versions of the following:
the stripe-ruby gem
the rest-client gem
Ruby
OpenSSL
If you're working in a corporate environment, it's possible your firewall replaces HTTPS certificates in order to be able to decrypt HTTPS traffic. (This is essentially the same thing as a man-in-the-middle attack.)
If you're still having this issue, you can disable the SSL verification by including this line:
Stripe.verify_ssl_certs = false
However, I would strongly advise against doing this. It might be okay in a development environment, but you should never do this in a production environment.
EDIT: We're currently investigating this issue -- it seems it might have been introduced in a recent version of the stripe-ruby gem. For now, it seems downgrading to version 1.34.0 will fix the "Could not verify Stripe's SSL certificate" issue.
Open terminal.
Run command $curl -v https://api.stripe.com
For intermittent issue like I had you may have to run this command 10 to 20 times back to back. Then stop and start again until you see the error.
The IP address it attempts to connect to should match an IP address of the domain you are trying to access. For stripe you can check valid ip addresses here https://stripe.com/docs/ips
If the IP address does not match or if the IP address is the same as your network then you could be experiencing man in the middle attack.
In my case I was experiencing this issue with aws and stripe because they use curl to connect. Returning error 60 no alternative certificate subject name matches target host name.
A workaround is to edit /etc/hosts file.
Hard code an IP address of the endpoint
XXX.XXX.X.X api.stripe.com
This will stop the issue, but should be revisited because your application will fail in the future if the IP address for the endpoint is changed or removed.
In iOS 8.1 we are getting random SSL errors.
There is no issue at the sever and it seems like iOS device issue. AWS support has checked the SSL configuration and the certificate in server, but didn't find any issue.
Error message is this - "An SSL error has occurred and a secure connection to the server cannot be made. (NSURLErrorDomain:-1200)". We are using NSURLConnection to make network connections.
Many of our users started getting this error recently and all were in in iOS 8.1. Is this a known bug?
I have exactly the same issue with iOS8.1 user on my website
on the server side, i have this error :
No hostname was provided via SNI for a name based virtual host
it seems that iOS8.1 doesn't support very well SNI.
The workaround is to configure your webserver tp accept client that doesn't support SNI and set the virtualhost and certificate you want "no SNI client" to be show by default for any all SSL virtualhosts
In apache you have to add :
NameVirtualHost *.443 #before the first SSL virtualhost which will have the default certificate.
SSLStrictSNIVHostCheck off # in this default virtualhost.
Sorry for my english (i'm french) and hope it will help
I've successfully created a Bot and run an integration test for an iOS application hosted on a remote SVN server over HTTP. When trying to run the same test over HTTPS the test fails and I receive the error: Integration failed. Unexpected internal server error. See the integration's logs for more details. The certificate used for the SVN server is self signed and I ensured I am able to still update/commit to the server over HTTPS. After looking through the logs I can't seem to find out what the error is or how to fix it. (I would post the logs but it's like 100 pages to read through...)
Steps taken so far:
Deleted the bot and project, checked out the project over HTTPS, re-made the bot.
Ensure the correct HTTPS repository is listed both in OS X Server --> Xcode --> Repositories, and in Xcode's repository preferences. (Deleted the old repository as well)
Place the self signed certificate into the keychain's System Store and ensure it is set to Trust All.
Modified the Xcode config file xcsbuildd.plist and changed TrustSelfSignedSSLCertificates to true.
Nothing has seemed to fix it so far. If anyone can think of a fix for this issue please let me know.
I finally was able to fix this by adding to the System keychain our company's Root certificate authority and Intermediate certificate authority certs.
I used Charles (web debugging proxy) to intercept requests and responses and see what was wrong. It gave me a clue that OS X Server was struggling with certs.
I have
config.force_ssl = true
in my environment/production.rb file so as to make every request sequre with ssl and https.
I came to know that SSL can't be enabled in development mode. So, I started my thin web server in production mode and when I went to
https://127.0.0.1:3000
it's the same as the development mode(SSL connection error). Tried almost all the links of first 6 pages fetched by google. Anybody have solution to my problem??
P.S. I'm working on windows and I have client authentication certificate.
The problem you described is related to using a self-signed certificate.
SSL certificates relies on a chain of trust, where the root CA's (Certification Authority) are at the top.
To understand more how it works, the Wikipedia entry on SSL provide a good insight. For Self-Signed certificates there's also an entry at Wikipedia.
To solve you issue you can have a self-signed certificate (be aware of the security issues), but your users will be always prompted for an action.
Another option is to apply for a certificate on CertCA since some Linux distributions have them on root CA's.
The last and most reliable option is to acquire a certificate.