NetTalk Central

Author Topic: Certificates part two (hopefully last)  (Read 3367 times)

AtoB

Certificates part two (hopefully last)
« on: November 29, 2016, 09:36:12 AM »
Hi All,

I thought I'd try to get the production server working with a certificate (without ever getting the test environment correct), but that's not working very well either:

- when I fetch "myself" (through "netclient"), I get the following error :
The open command timed out or failed to connect: The error number was -53 which means Open Timeout or Failure error - [WinSock Error = 10061 : (WSAECONNREFUSED) Connection refused. No connection could be made because the target machine actively refused it

- the browse is much less verbose and simply says "cannot connect to  ...."

- I've installed my .crt and .pk files in the "certificates" folder below the webfolder, but I think the nettalk server moves them upwards (so it is able to find these ...). Is this intended?

- whenever I place files in there that don't match the properties I fill in in the server settings for the .crt and .pk file, I get no errors on the serverside .... Shouldn't I get one?

- I'm running with the "s_web.SuppressErrorMsg = 0" line generated, but I can't find any error messages serverside ...

- additional question : I can rename the .crt and .pk file to anything I want to as long as it matches the two corresponding prompts in the webserver setting, right?

What can I do to find out where things go wrong?

TIA,
Ton

Vinnie

Re: Certificates part two (hopefully last)
« Reply #1 on: November 30, 2016, 04:10:38 AM »
I will try and help one step at a time.

When you created the certificate you should end up with

something.crt and something.key

These two files should be placed in the 'certificates' folder from where the exe is running. (not in the web then certificates folder off the exe)

The name of the crt and the key are then entered into the Webserver Procedure. (I think you have that covered)

Please let me know if this is all correct.

Cheers

Vinnie


 

Bruce

Re: Certificates part two (hopefully last)
« Reply #2 on: November 30, 2016, 04:37:17 AM »
take baby steps here;

>> - I've installed my .crt and .pk files

should be .crt and .key
also, set the names of both on the webserver security tab.

>>  in the "certificates" folder below the webfolder,

should be in certificates folder, below exe, not in web folder.

>> but I think the nettalk server moves them upwards (so it is able to find these ...). Is this intended?

yes, putting them in web folder is a mistake the server "sees" and allows for.

>> - additional question : I can rename the .crt and .pk file to anything I want to as long as it matches the two corresponding prompts in the webserver setting, right?

correct, but you need a key file, not a pk file.

cheers
Bruce


AtoB

Re: Certificates part two (hopefully last)
« Reply #3 on: November 30, 2016, 07:52:30 AM »
Hi

(I've taken a terrible amount of baby steps, but can't get it to work)

I've got the "certificates" folder below the exe folder with both files (a.crt and a.key) present. Now I got the following properties set

  ThisWebserver.SSLCertificateOptions.CertificateFile = 'certificates\a.crt'
  ThisWebserver.SSLCertificateOptions.PrivateKeyFile = 'certificates\a.key'
  ThisWebserver.SSLCertificateOptions.ServerName = 'api.a.nl'

as far as I can tell this should be ok. But I keep getting the "connection refused by the server"

Questions:

- Is there a way to get the server to tell me why it actually refuses (can't find .crt file?, can't find .key file?, certificate doesn't match domain? What's the domain according to certificate, what's the domain the server is on). I can't find any code to add some debug stuff to ... so I'm totally in the dark here ...

- is it actually nettalk webserver refusing the connection or some other library/software?

- can it be that the certificate is wrong? Is there a way to validate the certificate or "see" what's in the .crt .key files?

- are there multiple types of certificates (I had the network guys set up the domain name and arrange me the certificate files for https) and can it be that I have the wrong type?

thanks again!

regards,
Ton

AtoB

Re: Certificates part two (hopefully last)
« Reply #4 on: November 30, 2016, 12:49:18 PM »
Still not working,

but I learned a lot the last couple of hours (stuff I don't want to know ..) :

- there are tools to validate the .crt against the .key (tricky...) and the .crt against the .csr file.
The three files that I have all match. I've also reverted the .csr file and the domain mentioned in there matches the domain I have in the ThisWebserver.SSLCertificateOptions.ServerName property

So contents of the files should be ok, so now it can only be me, not filling in the right values ...

What bothers me:

1 - when I on purpose specify wrong .key and .crt filenames and/or paths, the server doesn't give me an error ...
How can I check what file (full path) the nettalk server is looking for?

2 - is there a way I can check whether requests (from outside the domain) actually reach the nettalk server? Should I actually see something in the webserver console (the screen where the GET and POST's are shown in the two textboxes?), or will the GETs/POSTs only be shown after unencrypting ...?

TIA,
Ton


AtoB

Re: Certificates part two (hopefully last)
« Reply #5 on: December 01, 2016, 03:14:31 AM »
Finally SOLVED!

turned out traffic over that port wasn't getting at the server with the same ip, something with redirections and firewalls ...

But still: now that I got it working, my last two questions still puzzle me (and might save a lot of time for someone in the future ...):

1 - when I on purpose specify wrong .key and .crt filenames and/or paths, the server doesn't give me an error ...
How can I check what file (full path) the nettalk server is looking for?

2 - is there a way I can check whether requests (from outside the domain) actually reach the nettalk server? Should I actually see something in the webserver console (the screen where the GET and POST's are shown in the two textboxes?), or will the GETs/POSTs only be shown after unencrypting ...?

If we can somehow "see" what the server is doing (if anything at all), we might find the solution much faster ...

Just thinking out loud and thanks for thinking along!

Regards,
Ton

Bruce

Re: Certificates part two (hopefully last)
« Reply #6 on: December 12, 2016, 02:38:21 AM »
>> 1 - when I on purpose specify wrong .key and .crt filenames and/or paths, the server doesn't give me an error ...

It does if error trapping is on (not recommended when in actual production) and it also does in debugview if logging is on (see nettalk global extension.) I use a combination of these to make sure I've set it up correctly.

>> 2 - is there a way I can check whether request (from outside the domain) actually reach the nettalk server?

tricky, if the SSL fails then there's no connection. Detecting that is very low level since the connection is made far away from the web server itself.

>> Should I actually see something in the webserver console (the screen where the GET and POST's are shown in the two textboxes?), or will the GETs/POSTs only be shown after unencrypting ...?

Stuff will only appear there _after_ a connection has been made.

cheers
Bruce
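
Added example, not part of the original thread and not NetTalk code: a small Python diagnostic for the two questions left open above. `check_pair` reports the absolute paths it looked at and whether the .crt/.key pair loads together, and `probe` reports whether a client connection stops at TCP (the -53 / WinSock 10061 case) or inside the TLS handshake. It assumes PEM-encoded files and that `base_dir` is the folder the exe runs from; it does not reproduce NetTalk's own file lookup.

```python
import socket
import ssl
import sys
from pathlib import Path

def check_pair(base_dir, crt, key):
    """Resolve both names against base_dir (assumed: the exe folder) and load them."""
    paths = [str(Path(base_dir, name).resolve()) for name in (crt, key)]
    missing = [p for p in paths if not Path(p).is_file()]
    if missing:
        return ("missing", missing)
    try:
        # Fails if either file is not PEM or the key does not belong to the certificate.
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(paths[0], paths[1])
    except (ssl.SSLError, OSError) as exc:
        return ("unusable", str(exc))
    return ("ok", paths)

def probe(host, port, server_name=None, timeout=5.0):
    """Return (stage, detail) naming where a client connection to host:port stops."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # WinSock 10061: TCP was refused before any TLS byte was sent, so the
        # certificate and key settings have not been consulted at this point.
        return ("tcp-refused", "nothing accepted the connection on this address/port")
    except (socket.timeout, TimeoutError):
        return ("tcp-timeout", "no answer; packets are being dropped on the way")
    except OSError as exc:
        return ("tcp-error", str(exc))
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return ("tls-ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        return ("tls-cert-rejected", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return ("tls-handshake-failed", str(exc))

if __name__ == "__main__":
    # Usage: python probe.py <exe-folder> <crt> <key> <host> [port]
    folder, crt, key, host = sys.argv[1:5]
    port = int(sys.argv[5]) if len(sys.argv) > 5 else 443
    print(check_pair(folder, crt, key))
    print(probe(host, port))
```

Run `probe` from a machine outside the network as well as on the server itself: a `tcp-refused` or `tcp-timeout` result from outside with `tls-ok` locally points at port forwarding or a firewall rather than at the certificate.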