Supply Let's Encrypt certificate chain to the client on IIS - email

To the people that close vote this post: it doesn't help if you don't comment why. We're all trying to learn here.
I want to have wildcard certificates for 2 domains of mine using Let's Encrypt. Here's what I did:
In Chrome it all works. In Firefox I get the error below:
So I tested here: https://www.ssllabs.com/ssltest/analyze.html?d=gamegorilla.net
I also checked this other post.
There's talk on making sure that "the server supplies a certificate chain to the client, only the domain certificate". I found validating the certificate chain here.
I then took these steps found here:
Open the Certificates Microsoft Management Console (MMC) snap-in.
On the File menu, click Add/Remove Snap-in.
In the Add or Remove Snap-ins dialog box, click the Certificates snap-in in the Available snap-ins list, click Add, and then click OK.
In the Certificates snap-in dialog box, click Computer account, and then click Next.
In the Select computer dialog box, click Finish.
I already see "Let's Encrypt Authority X3" in the Intermediate Certification Authorities. So that should already be handling things correctly I'd presume.
How can I ensure the Let's Encrypt certificate chain is supplied to the client so it works in Firefox too?
UPDATE 1
Based on #rfkortekaas' suggestion I used "all binding identifiers" instead of supplying the search pattern. When Win-acme asked Please pick the main host, which will be presented as the subject of the certificate, I selected gamegorilla.net. After this gamegorilla.net now works in Firefox, however, on www.karo-elektrogroothandel.nl I now get an insecure certificate.
UPDATE 2
Alright, that seems to fix it. I do see that bindings for smtp/mail (e.g. smtp.gamegorilla.net) are now also added to IIS automatically:
Should I leave those or delete those mail+smtp records here?
Also, the certificate is now [Manual], does that mean I need to renew manually (which would be weird since nowhere during the certificate creation steps did I see an option for auto-renewal):

The issue is that you only generate the certificate for www.gamegorilla.net and not gamegorilla.net. If you select all binding identifiers instead of supplying the search pattern, I think it should work.
To also get certificates for other names that are not hosted by IIS you cannot use the import from IIS function. You need to supply them all, starting with the common name.
After starting wacs select M for a new request and select option 2 for manual input. After that enter the comma separated list with the common name first: gamegorilla.net,www.gamegorilla.net,smtp.gamegorilla.net,karo-elektrogroothandel.nl,www.karo-elektrogroothandel.nl,smtp.karo-elektrogroothandel.nl (without any spaces). Or when you want to generate a wildcard certificate you can use: gamegorilla.net,*.gamegorilla.net,karo-elektrogroothandel.nl,*.karo-elektrogroothandel.nl.
Please be aware that for generating wildcard certificates you need to be able to use the DNS-01 challenge. The HTTP-01 challenge doesn't support wildcard certificates.
For the certificate renewal you should run wacs --renew from time to time (for example via a scheduled task).

Related

Same p12 certificate, different trust chain on different machines, why?

I have a p12 file. This was generated from a DigiCert p7b.
When I import this into my personal store on one machine (windows server, using certificates mmc) it shows me one chain when I view the path.
Using the same file, I import into my personal store on a different machine (also Windows, using certs mmc). On this one I see a different path (and in this case it has an expired hop).
Specifically, two hops above my cert the divergence occurs.
Why does this happen? Is there anything I can do to influence that chain (remember it's the same p12 that is creating different paths)?
I should also say, I am no expert in this area. I'm a developer that muddles through these security issues when needed.
I had the same issue. Two different Windows 2008 R2 servers, same certificate. After standard OS patching one of the servers was sending only the first layer of the certificate trust chain (number 0), so the openssl client was failing with the message:
verify error:num=21:unable to verify the first certificate
No idea what was the root cause. I tried to
reassign certificate in IIS
reimport certificate
restart IIS
with no success. What finally helped to fix the issue was the server reboot...
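An added example, not code from either post: to see what a server such as the IIS host in the Let's Encrypt question above, or the patched server in this post, is actually sending, capture the output of openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null to a file and pipe it into these POSIX shell functions. They count the certificates in the served chain and read OpenSSL's verify return code; one certificate plus return code 21 is the leaf-only case behind the num=21 error quoted here. The sample s_client output embedded in the script is constructed, not captured from any of the domains mentioned on this page.

```shell
#!/bin/sh
# Added example (not from either post). Reads the saved output of
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
# on stdin and reports whether the server sent only its leaf certificate,
# which is what produces "unable to verify the first certificate" (num=21)
# in a client that does not already have the intermediate cached.

# Number of PEM certificates the server included in its Certificate chain.
chain_cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' || true; }

# OpenSSL's final verdict: the N in "    Verify return code: N (...)".
chain_verify_code() { sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p'; }

# One-line diagnosis of s_client output read from stdin.
chain_verdict() {
    out=$(cat)
    n=$(printf '%s\n' "$out" | chain_cert_count)
    code=$(printf '%s\n' "$out" | chain_verify_code)
    if [ "$code" = "0" ]; then
        echo "ok: $n certificate(s) sent, chain verified"
    elif [ "$n" = "1" ] && [ "$code" = "21" ]; then
        echo "leaf-only: server sent 1 certificate and no intermediate (num=21)"
    else
        echo "error: $n certificate(s) sent, verify return code ${code:-unknown}"
    fi
}

# Constructed sample of s_client output for a server that sends only the
# leaf; the certificate body is a placeholder, not a real certificate.
SAMPLE_LEAF_ONLY='CONNECTED(00000003)
depth=0 CN = example.test
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = example.test
   i:C = US, O = Example CA, CN = R3
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)'

printf '%s\n' "$SAMPLE_LEAF_ONLY" | chain_verdict
```

A correctly configured server yields "ok: 2 certificate(s) sent, chain verified" (leaf plus intermediate); after the fix in this thread, rerun the capture and compare.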
Closing this out.
I'm still a little foggy on why things were working the way they did but some things made sense.
It seems the .p12 was created from a p7b that included some of the intermediate certs. One of the included intermediates was the bad one. This explains why the chain was bad on one machine.
Still not sure how I was able to see a good chain on different machine but I understand why I saw the bad one. It seems the good chain was the fluke and the bad chain should have been expected (I originally assumed the opposite).
I created a new .p12 without the intermediates. Cleaned up all the bad intermediates that were previously imported from the first .p12 in both service user and local machine stores. All seems to be working as expected now with same valid chain on all machines.

Getting SmartCard certificate into Windows service local store (mmc)

I need the certificate from my smart card to be in the Windows service local store. I opened the store with mmc -> snap-in -> certificates.
I used different little tools to see information (ATR etc.) about my smartcard and they all worked out.
I can see a lot of certificates there, but the one from my smartcard is missing in the store. The folder 'Smartcard trusted Roots' is empty. Windows gets the .cer/.pfx data from smart cards automatically, right?
Or is there no chance I can do it without using low-level programming (APDU commands etc.)?
First read this:
http://technet.microsoft.com/en-us/library/ff404288(v=WS.10).aspx
As it's written
A logged-on user inserts a smart card.
CertPropSvc is notified that a smart card was inserted.
CertPropSvc reads all certificates from all inserted smart cards. The certificates are written to the user's personal certificate store
So yes, generally certificates should pop up in the User Personal Certificate Store automatically.
First thing to check is that you have the CertPropSvc service running.
Another thing that I saw is that some smart card drivers don't work with the Windows API. One example I know was old RSA tokens. We have changed them to Gemalto .NET cards and USB readers because of this.
Note: In the article I linked it's written that this is valid for Windows 7 and 2008 but it worked for me on XP and Vista.

How to set Group Policy "Turn Off Automatic Root Certificates Update" via Registry/Powershell?

I need to disable the following group policy in Windows 7 programmatically, for example by modifying a registry key using Powershell:
"Turn Off Automatic Root Certificates Update"
Does anybody know which registry key needs to be set or unset in order to make this work?
I had a similar issue when I was creating an application that communicated with a server over HTTPS using two-way SSL.
This was causing a delay of a full minute when the initial request was made.
It ran in WinPE where hand clicking through the local group policy editor was not an option.
There also is no way I am aware of to register a root authority in this environment and it is running in an incredibly restricted environment so it can not access Windows Update (not that it would find our corporate CA there anyway).
The registry value you are looking for is
HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot
DWORD DisableRootAutoUpdate = 1
Source: http://www.group-policy.com/ref/policy/452/Turn_off_Automatic_Root_Certificates_Update
To turn off Automatic Root Certificates Update via Local Group Policy Editor:
Click Start, and then click Run.
Type gpedit.msc, and then click OK.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
Under Computer Configuration, double-click Administrative Templates, double-click System, double-click Internet Communication Management, and then click Internet Communication settings.
Double-click Turn off Automatic Root Certificates Update, click Enabled, and then click OK.
Close the Local Group Policy Editor.
Domain policies override local settings. That's how they're supposed to work (they'd be rather useless otherwise). If you want the policy disabled, disable or remove the policy in Group Policy Management or remove the computer from the domain.

lighttpd - don't terminate on invalid ssl key/cert?

I'm using lighty on an embedded device where power-users are allowed to manipulate the system configuration using a web interface. The users can upload a PEM file containing valid private key and certificate information.
Now I wonder how to avoid lighty not starting if the file is corrupt. One idea is to check the file before installing it, but it seems that there is no easy solution.
My other idea is to configure lighty in a way that it will recognize the file is invalid (it does in fact) but it should not terminate. Instead it should run without SSL features, so HTTP only.
Is there a way to configure lighty for that? Or is there a better solution?
This should provide just enough check options for your need
openssl verify --help
You could use a Perl script to comment out any SSL related config block if the cert check fails, but that is beyond this question.
Of course you need to edit the init/service script which starts lighttpd/lighttpd.service

Can Selenium IDE deal effectively with Browser alerts

Hi, I am currently writing a test script for an ecommerce site using Selenium IDE; this is in a testing environment in HTTP. The issue I am having is the test payment gateway 3D Secure is in HTTPS, so when using Firefox the browser displays the security warning message when I am returning from the payment gateway 3D Secure HTTPS to the site testing environment.
'Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.
Are you sure you want to continue sending this information?'
I have tried the various commands in the IDE for waitForAlert* and assertAlert* but this javascript alert just seems to override any of the commands I use and essentially halts the script until manual intervention is used.
I am unable to turn this particular alert off in FF from what I can ascertain from various forums, as it is too important to be switched off; I have tried in FF about:config.
I can obviously switch the 3D Secure off to allow the script to run, but I would prefer a complete user scenario to be tested as opposed to a test adapted to suit automation.
Many thanks in advance for your time and assistance.
I had exactly the same problem:
I use Selenium web driver to test against my local http server which sends redirects to https service (3DS as well btw ;). The problem is not with certs, but with this hardcoded warning of switching between https/http.
Based on the link from MacGyver's answer and this answer Key press in (Ctrl+A) Selenium WebDriver, I tested this and I can confirm it closes "Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party" dialog:
Alert alert = driver.switchTo().alert();
alert.accept();
The other solution seems to work fine but you'll get UnhandledAlertException with latest Selenium versions (e.g. 2.25.0):
Actions a = new Actions(driver);
a.sendKeys(Keys.ENTER).perform();
Option #1:
The easiest way is to remove the option in security options for your profile:
http://forums.mozillazine.org/viewtopic.php?f=38&t=665552
Option #2:
Not sure if this applies to an untrusted certificate or your security warning, but the forum thread seemed to fit. It requires that you use Selenium RC Server.
Profiles are stored here for Firefox: %APPDATA%\Mozilla\Firefox
Profiles can be edited: http://www.dennisplucinik.com/blog/2011/02/04/how-to-install-run-multiple-firefox-versions-in-windows-simultaneously/
Follow the snippet below from this link:
http://old.nabble.com/Security-Warning-on-final-page,-how-to-remove-td22907376.html
If using Firefox 3, see the following post https://developer.mozilla.org/En/Cert_override.txt
The solution I use to get past this security pop-up is only applicable to Firefox 3 browsers and might be more of a hack than a fix but it works.
Run the selenium test
Select "Accept this certificate permanently" when prompted by popup
Click on the OK button (it might be necessary to have a pause after this because we need to open Explorer to find a file now)
Open Windows Explorer and navigate to => "C:\Users\xxxxxxxx\AppData\Local\Temp\customProfileDirxxxx"
This is a temporary profile created by Firefox which contains a file called "cert_override.txt"
Copy "cert_override.txt" to your temp directory
Stop your selenium server.
Open your "selenium-server.jar" file from "c:\selenium-remote-control-xxx\selenium-server-xxx" using WinRar
Drag "cert_override.txt" file into the "selenium-server.jar\customProfileDirCUSTFFCHROME" folder in WinRar (do not delete or edit anything in the .jar file!!!!!)
Close WinRar, start selenium and try it again :)