Getting certificates working (in test environment)

[AtoB]

Hi All,

I'm trying to get my webservices secure, but can't get it to work in my test environment (locally, so I guess there is no firewall is involved ...)

I want all traffic with this server to be secure, so my documentation should only be visible when accessed over https and my methods too.

I created my CA certificate (see post last week: I did a OpenSSL (re-)install, it is now running version 1.1.0b, dated 26 sept 2016, but I don't think this is the culprit right now ...)

I added my CA-root certificate to both browsers (I use FF, but also tried IE), but both don't show my documentation, when I type "https://localhost:443/myservicename".

 - Firefox then shows the message something like "Unable to connect to localhost ... errorcode: SSL_ERROR_NO_CYPHER_OVERLAP"
- IE says I should activate TLS1.0 through 1.2 in my browser settings (which are activated ...)

I also tried calling a method from my (Clarion) webclient testing procedure (over port 443 and using the https "prefix"), but this gives "The error number was -53 which menas Open Timeout or Failure error - [SSL Error = 16].

The last error lead me to nettalk central (<g>) so I checked the netsimple code but it says "self.SSLMethod = NET:SSLMethodTLS" in the init method (and as far as I know, I'm not changing it ...)

the following is the code to activate ssl serverside (both files are present in the \certificates folder):

  ThisWebserver.SSL = 1 ! Use SSL to make a Secure Web Server
  ThisWebserver.SSLCertificateOptions.DontVerifyRemoteCertificateCommonName = 1
  ThisWebserver.SSLCertificateOptions.DontVerifyRemoteCertificateWithCARoot = 1
  ThisWebserver.SSLCertificateOptions.CertificateFile = 'certificates\webservice.crt'
  ThisWebserver.SSLCertificateOptions.PrivateKeyFile = 'certificates\webservice.key'
  ThisWebserver.SSLCertificateOptions.ServerName = 'www.tvdb.nl.crt'
  ThisWebserver.MoveFolder(clip('web') & '\certificates','certificates')

I'm not sure what the "ServerName" property should contain in my test environment (I also tried "webservice.crt" ...).

I'm out of ideas right now ... Is there a way to somehow trace where this stuff stops working. I don't see any request coming in at the NT server, but I don't now wether https request show up there  at all ?

Any help is really appreciated!

TIA,
Ton

[kevin plummer]

If your certificate is for www.tvdb.nl then you won't be able to test it locally using https://localhost:443 - as the url need to match

[AtoB]

Hi Kevin,

Hmmm, should I recreate my certificates with "127.0.0.1" or "localhost" then? Is that common for testing purposes?

I would expected the browser to complain about the domain not matching the certificate,

will try this evening ....

Thanks,
Ton

[urayoan]

Hi AtoB

  Maybe you can edit your hosts file located in the C:\WINDOWS\System32\drivers\etc and add a line like the following

<local IP>        mydomain.com

Where local IP is your Network IP. This helps to resolve the domain in your machine to your local address.

After you save the changes run
ipconfig /flushdns
ipconfig /registerdns

ping mydomain.com

and it is supposed to get your local IP back.

Make sure your browser does not use Proxy server at all.

Be aware, after all the tests are done, revert the changes you made or your machine would not go out to the real domain in the public. You can comment the line using the pound symbol #

This change only affect your local computer (if it is not a server)

This change can be made to the local DNS server, but is gonna affect all your PCs in your network (not recommended)

To make the changes to the file you need to open notepad as Administrator (right click, Run As Administrator)

Let us know how it goes.

[Bruce]

>> I'm not sure what the "ServerName" property should contain in my test environment (I also tried "webservice.crt" ...).

ServerName should be the name which is in the certificate. In this case  'www.tvdb.nl.crt' is correct.
Having this set does not affect local testing - a local test will come in with a different name, but will be routed to the first certificate in your list (in this case the only certificate in our list.)

>> If your certificate is for www.tvdb.nl then you won't be able to test it locally using https://localhost:443 - as the url need to match

that's not strictly true. The browser will give you a warning, but will also allow you to continue to the site if you want to. (sometimes hidden under "advance options" on the page or whatever.)

>> Maybe you can edit your hosts file

that is one option, but I wouldn't go that route myself. It's too easy to forget it's there which makes testing the _production_ server a real pain. One can waste a lot of time that way.

>> - Firefox then shows the message something like "Unable to connect to localhost ... errorcode: SSL_ERROR_NO_CYPHER_OVERLAP"

This probably means your server did not load the certificates correctly - or they are not in the right format. Turn on errortrapping on the server to see if you get more information. (remember to turn it off again afterwards.)


>>   ThisWebserver.SSLCertificateOptions.CertificateFile = 'certificates\webservice.crt'
>>   ThisWebserver.SSLCertificateOptions.PrivateKeyFile = 'certificates\webservice.key'

try using an explicit full path to the files here, not a path "relative" to the current directory. Relative paths can often end up being not what you think they are.

Cheers
Bruce

[AtoB]

Hi Bruce,

by "turning on errortrapping", do you mean : "suppress error messages" in the NetWebServer extension properties?

(although my focus currently is on getting the webservice running without crashes :-), though Nettalk is not the cause of this! )

regards,
Ton

[Bruce]

Hi Ton,

>> by "turning on errortrapping", do you mean : "suppress error messages" in the NetWebServer extension properties?

yes. I meant "set suppress error messages off".

Cheers
Bruce