https – How to set the Bit Length when generating SSL Certificate with Java keytool?

I’m going to create an SSL certificate so I can use https on my web site. I have to generate a Certificate Signing Request (CSR), and I did generate such a file with the Java keytool following the guide Generate a Certificate Signing Request (CSR) on Tomcat, but when I upload my CSR, I get a message from GlobalSign:

We suggest that a Bit Length of 2048 bits is used when generating your CSR.
Please regenerate your CSR and select this Bit Length.

So how do I set the Bit Length to 2048 bits using the Java keytool?

I generated the CSR file with: keytool -certreq -keyalg RSA -alias your_alias_name -file certreq.csr -keystore your_keystore_filename

And before that I created my certificate keystore and private key with: keytool -genkey -alias your_alias_name -keyalg RSA -keystore your_keystore_filename
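keytool takes the key length as the -keysize option of -genkeypair, and the CSR then carries whatever key the keystore entry holds. The script below is an added example (not from the question or the Tomcat guide): it regenerates the keystore with an explicit 2048-bit RSA key and confirms the size in the resulting CSR with openssl before it is uploaded. Alias, keystore name, password and DN are placeholders.

```shell
#!/bin/sh
# Added example (not from the post): generate the keystore with an explicit
# 2048-bit RSA key, produce the CSR from it, and confirm the key size in the
# CSR with openssl before uploading it. Alias, keystore name, password and
# DN are placeholders; "changeit" is only for this demo.
set -eu

KS=${KS:-your_keystore_filename}
ALIAS=${ALIAS:-your_alias_name}
PASS=${PASS:-changeit}

gen_keystore() {
  # -keysize is what the CA is asking for; older JDKs defaulted RSA to 1024
  # bits, so always pass it explicitly. -dname avoids the interactive prompts.
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity 365 \
    -dname "CN=www.example.com, O=Example Inc, C=US" \
    -ext "SAN=dns:www.example.com,dns:example.com" \
    -keystore "$KS" -storepass "$PASS" -keypass "$PASS"
}

gen_csr() {
  keytool -certreq -alias "$ALIAS" -file certreq.csr \
    -keystore "$KS" -storepass "$PASS"
}

# Print the RSA modulus length found in the CSR (e.g. "2048"), read with
# openssl so the check does not depend on keytool's own listing format.
csr_key_bits() {
  openssl req -in "${1:-certreq.csr}" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Usage when run directly: build the keystore and CSR in the current directory.
if [ "${1:-}" = "run" ]; then
  gen_keystore && gen_csr && echo "CSR key size: $(csr_key_bits certreq.csr) bits"
fi
```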

https – iOS Safari not accepting certificates issued by custom CA

I’m trying to make iOS Safari accept an https website that runs a certificate I signed with my own CA.

My CA cert is here: https://gist.github.com/BenMorel/014d7bd7802b75eec78b0bc0bad7e4e1

When I import this CA in Chrome / Edge / Firefox, on Windows & Linux, all the browsers accept the certificate and allow me to browse my website with no warning.

On iOS, however, I can’t make this work. I downloaded the CA from the URL above, then followed all the steps listed here.

The CA is now listed in the Configuration Profiles, and enabled in the Certificate Trust Settings. With that done, I’m still getting the following errors:

  • iOS Safari:

    Safari can’t establish a secure connection to server

  • iOS Chrome:

    ERR_SSL_PROTOCOL_ERROR

  • iOS Firefox:

    An SSL error has occurred and a secure connection to the server cannot be made.
    NSURLErrorDomain

Again, this works fine with all desktop browsers. What did I miss?

One single Nginx 301 redirect to HTTPS + with WWW subdomain

Please, I don’t know what I am doing wrong. I have removed a default file entry from /etc/nginx/sites-enabled and there is only one enabled site:

server {
    listen              80;
    listen              443 ssl;
    server_name         example.com;
    
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot

    return 301          https://www.$server_name$request_uri;
}

server {
    listen              443 ssl;
    server_name         www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location = /favicon.ico { access_log off; log_not_found off; }

    location /static/ {
        root /django/example;
    }

    location /media/ {
        root /django/example;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/run/mydomain.sock;
    }
}

When I try a curl test, it is still doing two 301 redirects instead of one. It first redirects from http to https and then to www:

HTTP/1.1 301 Moved Permanently
Date: Tue, 24 Nov 2020 13:29:24 GMT
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 24 Nov 2020 14:29:24 GMT
Location: https://example.com/
...
...
Server: cloudflare

HTTP/2 301 
date: Tue, 24 Nov 2020 13:29:24 GMT
content-type: text/html
set-cookie: __cfduid=d750a6e7c1d415accb428ff6431220db01606224564; expires=Thu, 24-Dec-20 13:29:24 GMT; path=/; domain=.example.com; HttpOnly; SameSite=Lax; Secure
location: https://www.example.com/
cf-cache-status: DYNAMIC
...
...
server: cloudflare

HTTP/2 200 
date: Tue, 24 Nov 2020 13:29:25 GMT
content-type: text/html; charset=utf-8
set-cookie: __cfduid=d075d1d072fd35d4ec365037a68bb30cdb608224565; expires=Thu, 24-Dec-20 13:29:25 GMT; path=/; domain=.example.com; HttpOnly; SameSite=Lax; Secure
...
...
server: cloudflare

Is there something wrong with my nginx configuration? Is it possible to do one single 301 redirect from http and non-www to https + www?

Thank you for any advice!
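Every response in the trace above carries a Server: cloudflare header, so a proxy answers in front of the nginx server blocks shown. The script below is an added example (not from the post): it lists each 3xx hop of a curl -sIL trace, and can take the same trace from the origin directly so hops generated by the proxy and hops generated by nginx can be told apart. The origin IP is a placeholder; the sample trace is constructed from the headers quoted in the post.

```shell
#!/bin/sh
# Added example (not from the post): list each 3xx hop of a `curl -sIL` trace,
# then take the same trace from the origin directly, so hops generated by the
# proxy in front of nginx and hops generated by nginx can be told apart.
# ORIGIN_IP is a placeholder for the real origin address.
set -eu

# One line per redirect: hop N: <status> -> <Location> (server=... cache-control=...)
redirect_chain() {
  awk '
    function flush() {
      if (n > 0 && status ~ /^3/)
        printf "hop %d: %s -> %s (server=%s cache-control=%s)\n", n, status, loc, srv, cc
    }
    { sub(/\r$/, "") }                      # curl -I output is CRLF-terminated
    /^HTTP\// { flush(); n++; status = $2; loc = "-"; srv = "-"; cc = "-"; next }
    tolower($1) == "location:"      { loc = $2 }
    tolower($1) == "server:"        { srv = $2 }
    tolower($1) == "cache-control:" { cc  = $2 }
    END { flush() }'
}

# Constructed sample, trimmed from the headers quoted in the post.
SAMPLE='HTTP/1.1 301 Moved Permanently
Cache-Control: max-age=3600
Location: https://example.com/
Server: cloudflare

HTTP/2 301 
location: https://www.example.com/
server: cloudflare

HTTP/2 200 
server: cloudflare'

sample_chain() { printf '%s\n' "$SAMPLE" | redirect_chain; }

# --resolve pins every hostname in the chain to the origin so the proxy is
# bypassed. One hop here but two in the public trace means the first 301 is
# added in front of nginx, not by the server blocks in the post.
origin_chain() {
  curl -sIL --max-redirs 5 --resolve "$1:80:$2" --resolve "$1:443:$2" \
    --resolve "www.$1:443:$2" "http://$1/" | redirect_chain
}

sample_chain
# origin_chain example.com ORIGIN_IP
```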

tls – HTTPS vs VPN – which is more secure

This question is based on a wrong premise.

VPNs do NOT protect you end-to-end.
A VPN is basically a second encryption layer to wrap your normal traffic in; it is encrypted until the VPN endpoint (or exit node).
This will “protect the traffic from being readable” by any intermediate (your ISP mainly). They will see that traffic is going from you to the VPN but nothing more.

HTTPS (HTTP with TLS) protects almost all data end-to-end. The data not encrypted are:

  • Source IP
  • Target IP
  • the hostname being connected to (through the SNI extension, which allows TLS with virtual hosting; as an example, the URL “HTTPS://site.example.com/page/1” would have the following in clear text in the header for SNI: “host: site.example.com”)

In order to do a MiTM attack (Man in The Middle), you need a certificate that your browser will accept as valid (e.g. issued by an authorized Certificate Authority). This is the same with a VPN.

In short, a VPN only gives a limited form of privacy by having many people use the same (set of) IP addresses (hiding in the crowd).
HTTPS is about integrity, authenticity and identity (especially with client-side certificates).
Or in other words, HTTPS ensures the data is not tampered with, is from the original source, and it is known who it came from.

https – Should I have a separate SSL certificate for CDN or I can re-use existing website’s certificate?

I’m about to add a CDN to my website and am doing the research. My plan is to use the CDN for static content only (CSS, JS, images), so the initial HTML pages are always dynamic, and some other critical downloads are also non-cacheable. I don’t know if this changes anything in how I connect the CDN or not; from what I’ve read, I just change the nameservers to point to the CDN and don’t need to alter any links from my side, and the CDN inspects headers to see what should be cached and what should not.

My question

Do I need to buy a separate SSL certificate especially for the CDN and have it installed at the CDN, or can I use the same DV certificate I bought for my website, e.g. from Sectigo? In other words, should I own 2 certificates if I have a CDN, or can I own just one (DV) and use it both on my server and on the CDN? And let us suppose that the answer is “I need 2 certificates”. Does it matter what kind of certificate is then used on the CDN side (self-signed, DV, OV, EV)?

https – Nginx: could not allocate new session in SSL session shared cache “SSL” while SSL handshaking

What to make of this error? I get it a few times a day, often in a clump. 14 of them yesterday, scattered throughout, but with a cluster of 9 within a few seconds of each other.

My first thought was that my cache wasn’t big enough, but at 50m I think that’s good enough for 200,000 sessions. I have a timeout of 24h and typically get 1,000,000 page views per month, so I don’t think that’s likely to be the issue.

Furthermore, if the cache WERE to run out of space, I’m pretty sure it would just silently purge the oldest entry and add the new one, with no message in the error log.

So what causes this error? I feel it can’t be a problem with the system being IO-bound – I have NVMe drives that are barely tickled by the level of traffic I have.

Any ideas?

Thank you
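An added example (not from the post) that runs over constructed nginx error-log lines: it buckets the session-cache alert by minute and counts distinct client addresses per bucket, which separates a burst of handshakes from one peer (the "cluster of 9 within a few seconds" pattern) from evenly spread load. The log lines and the burst threshold are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post): bucket the session-cache alert by minute
# and count distinct clients per bucket, so a burst of handshakes from a single
# peer can be told from broad load. Log lines are constructed in nginx's
# error-log format; the threshold of 3 is a constructed demo value.
set -eu

LOG='2020/11/24 13:29:24 [alert] 1234#1234: *5678 could not allocate new session in SSL session shared cache "SSL" while SSL handshaking, client: 203.0.113.5, server: 0.0.0.0:443
2020/11/24 13:29:25 [alert] 1234#1234: *5680 could not allocate new session in SSL session shared cache "SSL" while SSL handshaking, client: 203.0.113.5, server: 0.0.0.0:443
2020/11/24 13:29:25 [alert] 1234#1234: *5681 could not allocate new session in SSL session shared cache "SSL" while SSL handshaking, client: 203.0.113.5, server: 0.0.0.0:443
2020/11/24 13:29:26 [error] 1234#1234: *5690 open() "/var/www/x" failed (2: No such file or directory), client: 198.51.100.7, server: example.com
2020/11/24 18:02:11 [alert] 1234#1234: *9001 could not allocate new session in SSL session shared cache "SSL" while SSL handshaking, client: 198.51.100.9, server: 0.0.0.0:443'

# Reads an error log on stdin; prints "<minute> <count> <distinct clients>" per
# minute for the session-cache alert only. Count equal to distinct clients is
# spread load; a high count with one client is a single peer re-handshaking.
session_cache_bursts() {
  grep 'could not allocate new session in SSL session shared cache' \
    | awk '{
        minute = substr($1 " " $2, 1, 16)
        match($0, /client: [^,]+/); client = substr($0, RSTART + 8, RLENGTH - 8)
        count[minute]++
        if (!((minute, client) in seen)) { seen[minute, client] = 1; distinct[minute]++ }
      }
      END { for (m in count) printf "%s %d %d\n", m, count[m], distinct[m] }' \
    | sort
}

# Flag minutes whose alert count reaches the threshold given as $1 (default 3).
flag_bursts() {
  session_cache_bursts | awk -v t="${1:-3}" '$3 >= t { print "burst:", $0 }'
}

printf '%s\n' "$LOG" | session_cache_bursts
printf '%s\n' "$LOG" | flag_bursts 3
```

In production the log is read with `tail` or `journalctl` instead of the embedded sample, and the threshold is tuned to the server's normal handshake rate.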

ssl – IIS 8.5 redirect HTTP URL to HTTPS

Using IIS 8.5 – our website has been live for several months internally on the corporate network with no SSL cert. Users have been accessing the site through the HTTP URL (let’s call it http://companyapp).

I now have an HTTPS certificate, and when I apply the cert to the website by adding a new binding, the HTTPS URL is https://companyapp:8443 and HTTPS is working from the browser. Port 443 is already in use on the server for a different (non-IIS) application.

However, I want to configure IIS so that when the user types the URL http://companyapp, the browser will go to https://companyapp. Ideally there will be no port number required in the URL.

I want to do this in the most efficient way, so I’m just curious what my options are, as I am admin on the server running IIS but I don’t have DNS admin rights on the network.
Thanks

Why is iOS sending HTTPS requests even with background refresh disabled?

I’ve installed NextDNS on my iPhone and started noticing random connection requests to *.aliexpress.com, live.musical.ly, amazon.sa and others.

What made me wonder is that

  1. I don’t have “background app refresh” enabled,
  2. No app from TikTok, AliExpress or Amazon is installed and
  3. I had the phone locked (“standby”) during the whole time.

Does anyone know what might be happening here?

nginx – Moving https website from server A (CentOS 7) to server B (CentOS 8) – what do I need to do regarding certificates?

I’ve copied all of the referenced files in my nginx configuration over:

  • /etc/nginx/ssl/STAR_example_com/ssl-bundle.crt
  • /etc/nginx/ssl/STAR_example_com/STAR_example.key
  • /etc/ssl/certs/dhparam.pem

I was optimistic that might be all I’d need to do, but didn’t believe it would be…

When I browse to https://new.example.com it just spins, and eventually times out.

I have configured my DNS correctly, I believe. dig seems to confirm this.
I have configured my firewall correctly, I believe. firewall-cmd --list-all shows services: cockpit dhcpv6-client http https ssh.

The site was working on http://<ipaddress>/. For the domain I have no option but to use https rather than http (as one might for testing, etc.) as it’s preloaded for HSTS.

What am I missing? I’m completely clueless when it comes to certs. Is it the STAR_example.key file – should that be a private key relating to the machine it’s on? If so how do I generate a new one?

The fact that it’s timing out rather than coming back with an error of some sort has me stumped…

Thank you!
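A timeout, rather than a certificate or handshake error, usually means nothing answered on port 443 at all, so the first thing to check is the listener and the firewall path; the certificate question is answered by checking that the copied key belongs to the copied bundle. The script below is an added example (not from the post): the file paths are the ones listed above, the hostname is a placeholder, and the listener and handshake checks need a live server while the key check works on files alone.

```shell
#!/bin/sh
# Added example (not from the post). A timeout, rather than a certificate or
# handshake error, usually means nothing answered on port 443 at all, so the
# first check is the listener and firewall path; the rest check that the copied
# files fit together. Paths are those from the post; the hostname is a placeholder.
set -eu

CERT=${CERT:-/etc/nginx/ssl/STAR_example_com/ssl-bundle.crt}
KEY=${KEY:-/etc/nginx/ssl/STAR_example_com/STAR_example.key}

# Does the config parse, and is a process bound to 443? (ss -p needs root)
listener_check() {
  nginx -t
  ss -ltnp 'sport = :443' || netstat -ltnp 2>/dev/null | grep ':443 '
}

# Subjects/issuers of every certificate in the bundle, in file order. nginx
# expects the server certificate first, followed by the intermediates.
bundle_order() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# SHA-256 of the public key in the bundle's first certificate, and of the
# public key derived from the private key; they must be identical.
cert_pub_fp() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256; }
key_pub_fp()  { openssl pkey -in "$1" -pubout | openssl dgst -sha256; }

# Prints "match" or "MISMATCH". A wildcard key is tied to its certificate, not
# to a machine, so a copied pair is fine as long as the fingerprints agree.
key_matches_cert() {
  if [ "$(cert_pub_fp "$1")" = "$(key_pub_fp "$2")" ]; then echo match; else echo MISMATCH; fi
}

# Handshake from outside with SNI, once something is listening.
handshake_check() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>&1 \
    | grep -E 'Verify return code|subject=|issuer='
}

if [ "${1:-}" = "run" ]; then
  listener_check
  bundle_order "$CERT"
  key_matches_cert "$CERT" "$KEY"
  handshake_check new.example.com
fi
```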

Please novice help: failover with https howto?

Hello all. I manage 50+ minisites (all static) spread over 4 reseller accounts with 4 different hosting companies. The DNS is hosted separat… | Read the rest of https://www.webhostingtalk.com/showthread.php?t=1828202&goto=newpost