#StackBounty: #windows #https HTTPS to Windows VM: Finding/generating certificate on VM?

Bounty: 50

I am testing a REST service against a Windows VM that is provided by the service owner. I have Admin level access to the VM via RDP.

The test setup is to modify the hosts file on the machine that runs the test to point service.location.net to the IP of the VM, and then do a POST to https://service.location.net/endpoint

My issue is that the https connection is rejected as the sending machine is unable to establish a valid https connection.

I can spoof this in my proof-of-concept code by overriding this from code, but that won’t cut it for the next level of validation/integration.

How do I either find or generate a certificate on the Windows VM, and how do I then import/install it on the test machine that will POST to the VM?


Get this bounty!!!

#StackBounty: #https #pgp PGP Keyservers Featuring Download over HTTP?

Bounty: 300

My company’s firewall blocks keyservers on port 80, and a few of the distributions that I’m hoping to support don’t feature HKPS yet for fetching over TLS.

Are there keyservers out there that offer a simple download of a given key over HTTPS? For instance, I can fetch my own personal key which is on keybase at https://keybase.io/naftulikay/pgp_keys.asc

Are there resources out there for getting a key over HTTPS without using the keyserver protocol? I’m writing Ansible so it’s easy enough to get things over HTTPS.



#StackBounty: #permalinks #404-error #https 404 on pretty permalinks when serving via HTTPS

Bounty: 100

I deployed my WordPress site on Google Cloud Compute Engine. To enable SSL I followed the steps outlined here: https://www.onepagezen.com/free-ssl-certificate-wordpress-google-cloud-click-to-deploy

  1. Install Certbot Client
  2. Generate Certificates
  3. Configure the Certificates
  4. Enable HTTPS Redirect
  5. Restart Apache Server
  6. Update WordPress URLs
  7. Configure SSL Auto-Renewal

Edit /etc/apache2/sites-available/default-ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        <Directory /var/www/html>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            Allow from all
            Require all granted
        </Directory> 
    ...

and /etc/apache2/sites-available/wordpress.conf

<VirtualHost *:80>

  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
  ServerName mydomain.com
  ServerAlias mydomain.com
  Redirect permanent / https://mydomain.com

  <Directory />
    Options FollowSymLinks
    AllowOverride None
  </Directory>

  <Directory /var/www/html/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>

  ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
  <Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/error.log
  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn
  CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

After setting everything up, I run:

sudo a2ensite default-ssl
sudo a2enmod ssl
sudo service apache2 restart

SSL works fine for the backend and the landing page. However, for all other pages I get a 404. When I switch from custom permalinks to simple permalinks the pages are accessible again. Any ideas what might be causing the problem?



#StackBounty: #nginx #https #301-redirect #ajax Redirecting from https to http?

Bounty: 50

Strange problem here. I use FullCalendar to initiate an ajax request to an endpoint on my server. Endpoint is:

https://my_website/events/?start=2019-03-31&end=2019-05-12&_=1555698739056

Note that it is explicitly https. However, when I initiate a request (that is, when FullCalendar initiates a request), I get a 301 and a redirect to a non-https endpoint:

http://my_website/events?start=2019-03-31&end=2019-05-12&_=1555698739056

which fails because the page is loaded over https.


The endpoint works fine: when I load it into the browser I get the expected JSON output (via https). There are other ajax requests happening on this page that work correctly, and I successfully do the exact same thing with FullCalendar elsewhere on this site (to another endpoint). It's just this one scenario that is behaving unexpectedly.

Probably noteworthy is that this sits in a docker container behind an nginx reverse proxy / load balancer; the site config is pretty simple:

upstream docker {
    server localhost:8701;
    server localhost:8702;
}

server {
    server_name my_website;
    location / {
        proxy_pass http://docker;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header HTTP_Country-Code $geoip_country_code;
        proxy_pass_request_headers on;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/my_website/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/my_website/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = my_website) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name my_website;
    return 404; # managed by Certbot

}

And the nginx log of the request looks like this:

134.124.11.91 - - [19/Apr/2019:13:49:49 -0500] "GET /events/?start=2019-04-28&end=2019-06-09&_=1555699678658 HTTP/1.1" 301 0 "https://my_website" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36"

Does anyone see something I'm missing that would be causing this strange 301 redirect to a non-https endpoint?



#StackBounty: #r #https unable to connect to https site with R

Bounty: 50

I am trying to connect to a remote site via https and download some information. I am doing this:

library("httr")
library("XML")
library(RCurl)
url <- c("https://salesweb.civilview.com/Sales/SalesSearch?countyId=3")
# fetch the page; both ssl.* options disable certificate verification for this request
file <- getURL(url, ssl.verifyhost = 0L, ssl.verifypeer = 0L)

Each row has a "Details" link that gives more information on each record. I need to download the URL, go into each "Details" section, and merge it with the initial data set.

How can I do this?



#StackBounty: #google-analytics #https #referrer HTTPS site to HTTPS site referral traffic not showing up in Google Analytics

Bounty: 50

I have a site (site A) which used to get a lot of traffic from a 3rd-party industry niche portal website (site B); both sites used to be HTTP. Traffic was viewable as referral traffic in Google Analytics for site A.

Site B implemented HTTPS, and shortly after I implemented HTTPS on site A, via Let's Encrypt.

Site B has a management dashboard where I can see supposed clicks through to site A. But when I look in Google Analytics for site A, there is no referral traffic from site B.

The link on site B to site A is using the HTTPS URL.

Site B does not seem to be passing the traffic through a 3rd-party tracking URL.

Any ideas why I can't see the referral traffic in Google Analytics?



Unable to find valid certification path to requested target

Most of you must be familiar with the exception message below, thrown when trying to open an SSL connection to a host using Java:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Sample code (source):

What this usually means is that the server is using a test certificate (possibly generated using keytool) rather than a certificate from a well-known commercial Certification Authority such as VeriSign or GoDaddy, so the JVM's default truststore (cacerts) contains no anchor that the server's certificate chains to.

Web browsers display a warning dialog in this case, but since JSSE cannot assume an interactive user is present, it just throws an exception by default.

To get past this and be able to fetch the contents of an HTTPS URL, here are the steps:

First, use the class below to install the required certificates (source):

I was testing this on wikipedia.org, which is served over HTTPS and so triggers the issue. You can modify the same as per requirement.

Next, set the following argument when running the JVM (source):

-Djavax.net.ssl.trustStore=<local path to certs>/jssecacerts

Next, use the code below to get the contents (source):

How to make my browser trust my server certificate?

Hi Guys,

I was exploring SSL, and wanted to know what steps are involved in making my browser trust the server certificate that the server is sending.

First of all, you need to generate a keystore (this needs to be done on the server side).

C:localhostCerts>keytool -genkey -alias server-alias -keyalg RSA -keypass welcome -storepass welcome -keystore localhost.jks
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: NSEL
What is the name of your organization?
[Unknown]: NSEL
What is the name of your City or Locality?
[Unknown]: NOIDA
What is the name of your State or Province?
[Unknown]: UP
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=localhost, OU=NSEL, O=NSEL, L=NOIDA, ST=UP, C=IN correct?
[no]: yes


C:localhostCerts>dir
Volume in drive C has no label.
Volume Serial Number is CE67-DC0D

Directory of C:localhostCerts

15-Apr-2012 01:10 PM .
15-Apr-2012 01:10 PM ..
15-Apr-2012 01:10 PM 1,338 localhost.jks
1 File(s) 1,338 bytes
2 Dir(s) 343,529,140,224 bytes free

The above command has generated a keystore (on the server side).

Now export the server certificate from it (and send the certificate to the client side):

C:localhostCerts>keytool -export -alias server-alias -storepass welcome -file server.cer -keystore localhost.jks
Certificate stored in file

C:localhostCerts>dir
Volume in drive C has no label.
Volume Serial Number is CE67-DC0D

Directory of C:localhostCerts

15-Apr-2012 01:11 PM .
15-Apr-2012 01:11 PM ..
15-Apr-2012 01:10 PM 1,338 localhost.jks
15-Apr-2012 01:11 PM 563 server.cer
2 File(s) 1,901 bytes
2 Dir(s) 343,560,626,176 bytes free

Make the changes in server.xml

Make the changes given in step 2 of http://javakafunda.blogspot.in/2012/04/how-to-configure-tomcat-to-support-ssl.html
(Take care of the file name.)

Save server.xml on the server, restart Tomcat, and open https://localhost:8443/

You’ll see a page as given below

As you can see, Google Chrome doesn't trust the certificate provided by the server.

Check untrusted certificate on client side

If you open server.cer (provided by the server) by double-clicking it, you will see the message below:

This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities Store

How to add this certificate to Trusted Root Certification Authorities in Google Chrome?

  1. Tools -> Settings
  2. Click on Show advanced settings at the bottom of the page
  3. Click on Manage Certificates
  4. Click on Trusted Root Certification Authorities tab
  5. Click on import
  6. Select server.cer from your machine
  7. Next, Next, and Finish
  8. You should get an "import successful" message

Again open the server.cer, and now you should see the certificate as follows.

If you open https://localhost:8443/ in IE or Google Chrome you will NOT see the warning, and in the address bar you'll notice the lock.
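The keytool/Trusted Root procedure above and the Java PKIX error discussed earlier are two views of the same check: a TLS client only accepts a server certificate that chains to an anchor it already holds. The Java program below is an added example (not code from this post, the JavaKaFunda blog, or Tomcat) that prints the SHA-256 fingerprint of an exported server.cer, so it can be compared out of band with keytool -list -v on the server before trusting it, and then connects to https://localhost:8443/ with an in-memory truststore containing only that certificate, leaving the JVM-wide cacerts untouched. The file name server.cer, the alias and the URL are assumptions taken from this page's walkthrough.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class TrustOneServerCert {
    // SHA-256 fingerprint in the colon-separated form keytool -list -v prints, for out-of-band comparison.
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            sb.append(i > 0 ? ":" : "").append(String.format("%02X", d[i]));
        }
        return sb.toString();
    }

    // SSLContext whose only trust anchor is this certificate: no JVM-wide cacerts edit, no all-trusting TrustManager.
    static SSLContext contextTrustingOnly(X509Certificate cert) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start from an empty in-memory truststore
        ks.setCertificateEntry("server-alias", cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String certPath = args.length > 0 ? args[0] : "server.cer";            // assumed: file produced by keytool -export
        String target = args.length > 1 ? args[1] : "https://localhost:8443/"; // assumed: the Tomcat SSL connector
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certPath)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("SHA-256: " + sha256Fingerprint(cert));
        HttpsURLConnection conn = (HttpsURLConnection) new URL(target).openConnection();
        conn.setSSLSocketFactory(contextTrustingOnly(cert).getSSLSocketFactory());
        try {
            System.out.println("HTTP status: " + conn.getResponseCode());
        } catch (SSLHandshakeException e) { // the PKIX error from the page: the server's certificate is not server.cer
            System.out.println("Handshake rejected: " + e.getMessage());
        }
    }
}
```

Hostname verification still applies, so the certificate's CN (localhost in the walkthrough) must match the host in the URL.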

How to configure Tomcat to support SSL or https

Thanks to http://www.mkyong.com/tomcat/how-to-configure-tomcat-to-support-ssl-or-https/

1. Generate Keystore

First, use the "keytool" command to create a self-signed certificate. During the keystore creation process, you need to assign a password and fill in the certificate's details.

$Tomcat\bin>keytool -genkey -alias mkyong -keyalg RSA -keystore c:\mkyongkeystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: yong mook kim
What is the name of your organizational unit?
//omitted to save space
[no]: yes

Enter key password for <mkyong>
(RETURN if same as keystore password):
Re-enter new password:

$Tomcat\bin>

Here, you just created a keystore file named "mkyongkeystore", located at "c:\".

Check your certificate details

You can use the same "keytool" command to list the existing certificate's details:

$Tomcat\bin>keytool -list -keystore c:\mkyongkeystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

mkyong, 14 Disember 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): C8:DD:A1:AF:9F:55:A0:7F:6E:98:10:DE:8C:63:1B:A5

$Tomcat\bin>

2. Connector in server.xml

Next, locate your Tomcat's server configuration file at $Tomcat\conf\server.xml and modify it by adding a connector element to support SSL or https connections.

File : $Tomcat\conf\server.xml

//...
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="c:\mkyongkeystore"
keystorePass="password" />
//...

Save it, restart Tomcat, and open https://localhost:8443/

In this example, we are using Google Chrome to access the SSL-enabled Tomcat site, and you may notice a crossed icon appearing before the https protocol :). This is caused by the self-signed certificate, which Google Chrome just does not trust.

In a production environment, you should consider buying a signed certificate from a trusted SSL service provider like VeriSign, or signing it with your own CA server.