I am supporting a Classic ASP application that connects to a payment gateway via HTTPS. Up until recently there have been no issues. A few days ago the latest updates were installed on the server (Windows Server 2003) and caused the site to break. A code snippet is below.
Dim oHttp
Dim strResult
Set oHttp = CreateObject("MSXML2.ServerXMLHTTP")
oHttp.setOption(2) = 13056
oHttp.open "POST", SOAP_ENDPOINT, false
oHttp.setRequestHeader "Content-Type", "application/soap+xml; charset=utf-8"
oHttp.setRequestHeader "SOAPAction", SOAP_NS + "/" & SOAP_FUNCTION
oHttp.send SOAP_REQUEST
Below is a dump of the error object :-
Number: -2147012852
Description: A certificate is required to complete client authentication
Message: A certificate is required to complete client authentication
At first I thought it was because the Payment Gateway's SSL certificate was not being authenticated or they needed a client certificate. I tested the URL in a browser on the server and it displayed correctly without errors and confirmed that the Payment Gateway server did not require a client certificate.
I am at a loss. All the research I have done has lead me nowhere. I even tried the following found on Stackoverflow :-
Getting XMLHTTP to work with HTTPS
xmlHttp, XML request,asp
The last one stated that a client certificate is required by XMLHTTP even though the server does not need it and pointed to a KB article on how to install one, but that is outdated and does not work.
Try adding oHttp.setOption 2, 13056
Just found the solution to this which has passed testing on:
Windows 10 (IIS 10)
Windows 2012 R2 (IIS 8.5)
It's a client problem. MSXML2.ServerXMLHTTP does indeed require you to use a client certificate when calling an endpoint secured with SSL (even if the endpoint doesn't require it), as the OP noted.
On the webserver, you need to:
Create a client certificate
Assign permissions to the certificate
Set the certificate on the ServerXMLHTTP object
In detail:
1. Create a client certificate
Use the following PowerShell command to create a new self-signed certificate:
New-SelfSignedCertificate -DnsName "ServerXMLHTTP", "ServerXMLHTTP" -CertStoreLocation "cert:\LocalMachine\My"
Note that the certificate created by this command will only be valid for 1 year.
2. Assign permissions to the certificate
Using MMC, view the certificate store for the computer account:
How to: View Certificates with the MMC Snap-in
The certificate created above can be found in Certificates (Local Computer)\Personal\Certificates (the "Issued By" and "Issued To" columns display "ServerXMLHTTP").
Right click the ServerXMLHTTP certificate, select "All Tasks" -> "Manage Private Keys" and the permissions dialog will display.
Add the user that the ASP website app pool is running as. By default it will be running as "ApplicationPoolIdentity", but your setup may be using a specific user account. If the app pool is using ApplicationPoolIdentity, the username to add is "IIS AppPool\APP POOL NAME", e.g. IIS AppPool\DefaultAppPool
The user will be added with "Full Control" which can be deselected. Only "Read" permission seems to be required. Click "OK" to confirm the permissions.
3. Set the certificate on the ServerXMLHTTP object
In your ASP code, set the ServerXMLHTTP object to use the certificate created above. For example calling PayPal for an access token:
Dim strAuthToken: strAuthToken = "<Base64 encoded version of ClientId:Secret>"
Dim oHttp: Set oHttp = Server.CreateObject("MSXML2.ServerXMLHTTP")
With oHttp
Call .Open("POST", "https://api.sandbox.paypal.com/v1/oauth2/token", False)
Call .SetOption(3, "LOCAL_MACHINE\My\ServerXMLHTTP")
Call .SetRequestHeader("Content-Type", "application/x-www-form-urlencoded")
Call .SetRequestHeader("Authorization", "Basic " & strAuthToken)
Call .Send("grant_type=client_credentials")
End With
Hopefully this is still of assistance.
I know it is an old question. This issue could be because of unsupported cipher suites.
Try adding
- TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
- TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
That means you have to follow this kb: http://support.microsoft.com/kb/948963
This update is also interesting if you are still using windows 2003. Which will allow connecting to site using SHA2 - http://support.microsoft.com/kb/968730
Please note that Windows Server 2003 support is ending July 14, 2015
This is probably a ServerFault.com question really, after all if the code is working fine then its not a programmatic problem.
However I would try a couple of things. First try using a the ProgID "MSXML2.ServerXMLHTTP.3.0", in some circumstances MSXML3 will behave differently depending on which ProgID was used to instantiate the component. Also update from other sources like your anti-virus supplier (Sophos had this problem) can break MSXML installs.
Another ProgID to try is "MSXML2.ServerXMLHTTP.6.0" after having installed MSXML6. If the problem is with an update to the MSXML3 core then perhaps the MSXML6 core doesn't have the same problem.
Can you try with oHttp.setOption(3) = "certificate store name/friendlyname of certificate"
as below. I hope this will works.
Dim oHttp
Dim strResult
Set oHttp = CreateObject("MSXML2.ServerXMLHTTP")
oHttp.setOption(2) = 13056
oHttp.setOption(3) = "certificate store name/friendlyname of certificate"
oHttp.open "POST", SOAP_ENDPOINT, false
oHttp.setRequestHeader "Content-Type", "application/soap+xml; charset=utf-8"
oHttp.setRequestHeader "SOAPAction", SOAP_NS + "/" & SOAP_FUNCTION
oHttp.send SOAP_REQUEST
I have owncloud version 9.1.8 running on a synology. Now I installed onlyoffice on a local server with a self signed certificat. It is important to know, that the onlyoffice server is running locally in a network. So I cannot access the server like e.g. with lets encrypt, because I only have a local server name and not a public server name. Lets Encrypt therefore cannot verify the server. However if I want (and if you have a solution doing that), I can access the internet using the server.
Now i have the problem, that owncloud delivers me the following error message
"Error while downloading the document file to be converted."
when I want to save the url in the onlyoffice configuration in owncloud. I guess the problem is, that I am using a self signed certificat. Do you know what I can do? Google does not really help me.
"Error while downloading the document file to be converted."
means that DocumentServer cannot validate your storage's self-signed certificate (OC in your case)
There are 2 possible workarounds:
1) Change "rejectUnauthorized" to false in the /etc/onlyoffice/documentserver/default.json config file
2) Change the default Node.js CAstore:
Edit the files:
/etc/supervisor/conf.d/onlyoffice-documentserver-converter.conf
/etc/supervisor/conf.d/onlyoffice-documentserver-docservice.conf
Add a flag --use-openssl-ca to the parameters in this line
Then you need to add your certificate to the the default CA store and restart ONLYOFFICE services:
supervisorctl restart all
these are the steps i did :
1- created a keypair.
2- downloaded the keypair and used puttygen to generate a private key
3-created a new instance using the orion-psb-image-R5.4 image for a context broker.
4-created a security group and added a rule that opened the ssh port
5- associated a floating ip to that image
6-tried to access the image from putty using the floating ip and the private key generated in step 2
putty gives me this error:
Disconnected : No supported authentication methods available (server sent:publickey).
I would like to know how to solve this issue and understand the reason for it.
update:
Screen shots:
1.loading the downloaded keypair into puttygen
2.the downloaded keypair file from fiware lab (keypair.pem) and the generated private key
3.entering the floating ip for the contextbroker instance
4.loading the generated private key to use during connection establishment
5.the error message when i try to connect
Seems to be a problem with key generation or Putty configuration. Unfortunatelly, the question post doesn't include enough detail to provide a more precices anser.
I'd suggest you to edit your question post to include full detail of each step you have done (even including screenshots as you go).
EDIT: use centos as user login instead of root
I am trying to import an RSA Key.
I open cmd prompt in Admin mode, go to C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and my command is as follows: aspnet_regiis - pi "Key" "S:\RSAKeys\Key.xml" -pku
This is the exact same command that my coworker used and it worked perfectly for him. When I try it though, I get "Importing RSA Keys from file..Unable to find the specified file. Failed!"
What could be different between our machines?
I have also tried different things (removing the -pku, trying it not as admin, etc.) but in the end it doesn't fully work.
Trying it not as admin with -pku will say succeeded (but then when I try to use the service, it errors with "The RSA key container could not be opened"). Trying it not as admin without -pku will error with "Access is denied."
Edit 1: Looks like a read perms issue between S drive and C drive maybe. Putting the file on the C drive was able to succeed the import but still receiving an error from the service that uses the import saying the rsa key container could not be opened.
Final Edit: After some research, I discovered that I needed to change permissions. I used these documents to help: https://serverfault.com/questions/293416/the-rsa-key-container-could-not-be-opened-windows-server-2008-r2 http://austrianalex.com/rsaprotectedconfigurationprovider-not-recommended-for-children-under-5.html The RSA key container could not be opened
Unfortunately, none of them fixed the problem. Somehow, the RSA key was imported where even the Admin group didn't have the permissions it needed to change permissions. So I went and found the RSA key under the C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys folder. I had originally tried giving the Administrator group (which was only me anyways) full permissions but received a Safe Handle Error and had to remove that.
Finally, I added myself (not the administrator group) with full permissions and it worked. Thanks #Thymine for pointing me in the right direction!
I used the following code to import certificate WITH the password/private key in WinXp desktop.
Recently I migrated to windows7 and now I am not able to import the private key, although the certificate gets imported in the store.
What could be wrong here ? Any help is deeply appreciated.
X509Store store = new X509Store(StoreName.My);
X509Certificate2 certificate = new X509Certificate2("certFileName", "password" ); store.Open(OpenFlags.ReadWrite); store.Add(certificate); store.Close()
Noticed that even if I type in the wrong password, the certificate still gets imported and private key field shows null, obviously. But with correct password it should get populated :-(
Check if you have correct permissions :
How to set read permission on the private key file of X.509 certificate from .NET
You can also try adding storage flags to the certificate constructor:
X509Certificate2 certificate = new X509Certificate2("certFileName", "password", X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet);
Setting this permmission might help:
https://serverfault.com/questions/48124/disabling-strong-private-key-encryption-on-a-personal-certificate