Tuesday, April 27, 2021

Adding a DigiCert certificate to XAMPP

I set up a computer that was connected to a building speaker system to act as a PA system.  I created a web utility that allowed users to enable and disable the audio if it was required without having to get IT to do it.  Now, with all the browser security settings and SSL everywhere, I had to add an SSL certificate to the server.

The server is running XAMPP on Windows, so we have a couple of steps to get this site validated.

  1. Download our certificate and key.  In this case the key is on my primary webserver, and the certificate I need to download from DigiCert.

  2. Install the certificate.  From the "CMD Prompt", type MMC, then add the snap-in for Certificates, making sure you choose "Local computer". Then, in "Trusted Root Certification Authorities", import the SSL certificate.

  3. Stop Apache, then create a folder called crt in C:\xampp\apache\

  4. Create 2 files and copy the content from the provided links into the new files:
    cert.conf
    https://gist.githubusercontent.com/turtlepod/3b8d8d0eef29de019951aa9d9dcba546/raw/518d3a96b7bb03494ada4f2ebde8325fb6ba6966/cert.conf
    make-cert.bat
    https://gist.github.com/turtlepod/e94928cddbfc46cfbaf8c3e5856577d0

  5. Double-click make-cert.bat to run it and create your local certificate; this will make it easier. Alternatively, create a directory with your domain name (pasystem.domain.ca) and copy/paste the cert and the key in there.

  6. Add the following to the XAMPP conf file located in C:\xampp\apache\conf\extra\httpd-xampp.conf

    • Add this code at the bottom:
      ## site.test
      <VirtualHost *:80>
          DocumentRoot "C:/xampp/htdocs"
          ServerName pasystem.domain.ca
          ServerAlias pasystem.domain.ca
      </VirtualHost>
      <VirtualHost *:443>
          DocumentRoot "C:/xampp/htdocs"
          ServerName pasystem.domain.ca
          ServerAlias pasystem.domain.ca
          SSLEngine on
          SSLCertificateFile "crt/pasystem.domain.ca/server.crt"
          SSLCertificateKeyFile "crt/pasystem.domain.ca/server.key"
      </VirtualHost>
    • In newer versions of XAMPP you may need to combine them as shown below:
      <VirtualHost *:80 *:443>
          DocumentRoot "C:/xampp/htdocs"
          ServerName pasystem.domain.ca
          ServerAlias pasystem.domain.ca
          SSLEngine on
          SSLCertificateFile "$PATH/crt/pasystem.domain.ca/server.crt"
          SSLCertificateKeyFile "$PATH/crt/pasystem.domain.ca/server.key"
      </VirtualHost>

  7. After that, you will need to restart Apache in XAMPP.
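
A pre-flight check to run before the restart in step 7, added here as an example (it is not part of the original post or the linked gists): it confirms that server.crt and server.key belong together, reports the certificate's subject, issuer and expiry, and runs Apache's configuration check. It assumes the default XAMPP layout with openssl.exe and httpd.exe under C:\xampp\apache\bin; the function name Test-XamppCert is made up for this example.

```powershell
# Added example: check the certificate/key pair and the Apache config before restarting.
# Assumes a default XAMPP layout; Test-XamppCert is a name made up for this example.
function Test-XamppCert {
    param(
        [string]$ApacheRoot = 'C:\xampp\apache',
        [string]$SiteName   = 'pasystem.domain.ca'
    )
    $openssl = Join-Path $ApacheRoot 'bin\openssl.exe'
    $httpd   = Join-Path $ApacheRoot 'bin\httpd.exe'
    $crt     = Join-Path $ApacheRoot "crt\$SiteName\server.crt"
    $key     = Join-Path $ApacheRoot "crt\$SiteName\server.key"
    foreach ($f in $openssl, $httpd, $crt, $key) {
        if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
    }

    # Derive the public key from each file. If they differ, the key does not
    # belong to this certificate.
    $pubFromCrt = (& $openssl x509 -in $crt -noout -pubkey) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "openssl could not parse $crt" }
    $pubFromKey = (& $openssl pkey -in $key -pubout) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "openssl could not parse $key" }

    # -checkend exits non-zero when the certificate expires within N seconds.
    $null = & $openssl x509 -in $crt -noout -checkend (30 * 24 * 3600)
    $expiresSoon = ($LASTEXITCODE -ne 0)

    # Subject, issuer and expiry, to confirm this is the CA-issued certificate.
    $details = & $openssl x509 -in $crt -noout -subject -issuer -enddate

    # httpd -t parses the configuration without starting the server.
    $httpdOut = & $httpd -t 2>&1 | ForEach-Object { "$_" }
    $syntaxOk = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        Certificate         = $details -join '; '
        KeyMatchesCert      = ($pubFromCrt -ceq $pubFromKey)   # case-sensitive: base64
        ExpiresWithin30Days = $expiresSoon
        ConfigSyntaxOk      = $syntaxOk
        ConfigCheckOutput   = $httpdOut -join ' '
    }
}

Test-XamppCert | Format-List
```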

Reference

https://stackoverflow.com/questions/64800565/how-to-create-valid-ssl-in-localhost-for-xampp

https://shellcreeper.com/how-to-create-valid-ssl-in-localhost-for-xampp/

Thursday, April 22, 2021

Updating SSL Certificate for Lansweeper

Lansweeper has some great instructions for adding an SSL certificate to their IIS server.  I added an SSL certificate to the Lansweeper server 11 months ago, and now it was time to update the certificate.  I logged into my DigiCert account and downloaded a PKCS #7 certificate to install into Lansweeper.  I installed the cert to Certificates -> Personal -> Certificates.

Following Lansweeper's instructions, I also updated the iisexpressSvc.exe.config and restarted the service.  To my surprise I got the following error.


Being unable to bypass the error, I discovered that by putting the old certificate's thumbprint back into place or setting "UseCustomSSLCertificate" to 0, you would be able to access Lansweeper again.


<add key="UseCustomSSLCertificate" value="0"/>

<add key="CertificateThumbPrint" value="$TLSThumbprint"/>


The error logs were not really helpful either; showing just a binding error.

--------------------------------------Error Logs----------------------------------

Time: 22-04-2021 12:06:50 - Result: ADD Custom URL -  Port: 443

Time: 22-04-2021 12:06:50 - Result: Error Performing Commands. System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been terminated    at SslCertBinding.Net.HttpApi.ThrowWin32ExceptionIfError(UInt32 retVal)    at SslCertBinding.Net.CertificateBindingConfiguration.<>c__DisplayClass1_0.<Bind>b__0()    at SslCertBinding.Net.HttpApi.CallHttpApi(Action body)    at SslCertBinding.Net.CertificateBindingConfiguration.Bind(CertificateBinding binding)    at IISExpressSvc.ServiceStart.PerformCommands(String thumbPrint, Boolean isCustom, Boolean debug)

Time: 22-04-2021 12:07:04 - Result: === Stop ===

Time: 22-04-2021 12:07:29 - Result: === Start ===

Time: 22-04-2021 12:07:29 - Result: ADD Custom URL -  Port: 443

Time: 22-04-2021 12:07:29 - Result: Error Performing Commands. System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been terminated    at SslCertBinding.Net.HttpApi.ThrowWin32ExceptionIfError(UInt32 retVal)    at SslCertBinding.Net.CertificateBindingConfiguration.<>c__DisplayClass1_0.<Bind>b__0()    at SslCertBinding.Net.HttpApi.CallHttpApi(Action body)    at SslCertBinding.Net.CertificateBindingConfiguration.Bind(CertificateBinding binding)    at IISExpressSvc.ServiceStart.PerformCommands(String thumbPrint, Boolean isCustom, Boolean debug)

Time: 22-04-2021 12:07:40 - Result: === Stop ===

Time: 22-04-2021 12:08:03 - Result: === Start ===

Time: 22-04-2021 12:08:03 - Result: ADD Custom URL -  Port: 443

Time: 22-04-2021 12:08:03 - Result: ADD Custom SSL -  Port: 443

Time: 22-04-2021 12:21:09 - Result: === Stop ===

Time: 22-04-2021 12:21:29 - Result: === Start ===

Time: 22-04-2021 12:21:29 - Result: ADD Custom URL -  Port: 443

Time: 22-04-2021 12:21:29 - Result: Error Performing Commands. System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been terminated    at SslCertBinding.Net.HttpApi.ThrowWin32ExceptionIfError(UInt32 retVal)    at SslCertBinding.Net.CertificateBindingConfiguration.<>c__DisplayClass1_0.<Bind>b__0()    at SslCertBinding.Net.HttpApi.CallHttpApi(Action body)    at SslCertBinding.Net.CertificateBindingConfiguration.Bind(CertificateBinding binding)    at IISExpressSvc.ServiceStart.PerformCommands(String thumbPrint, Boolean isCustom, Boolean debug)

Time: 22-04-2021 12:21:53 - Result: === Stop ===

Doing some checks on Lansweeper's website, I came across the same error on the forums: "PR_CONNECT_RESET_ERROR when trying to connect via HTTPS - Followed the instructions. Why is my result bad?"

After trying the Notepad instructions, and having them fail spectacularly, I researched the error "A specified logon session does not exist.  It may already have been terminated."

On techraptor.net I found this post, https://techraptor.net/guides/how-to-fix-iis-server-error-specified-logon-session-does-not-exist, stating that the certificate had to be reimported, following this procedure:

Run MMC

Here’s how to fix:

Open up certificates in MMC

Step 1: Open up a Run window and type “mmc”

Step 2: Click File > Add/Remove Snap In

Step 3: Add > Certificates, Click OK

Step 4: Choose “Computer Account”, then “Local Computer” and proceed.

Step 5: Hit OK

Export Certificate in MMC

Step 1: Open “Certificates”

Step 2: Open the folder where your certificate is stored.

Step 3: Right Click on Certificate, All Tasks, Export

Step 4: Export to the server Desktop

Now you should be able to re-import your certificate into IIS (or just into MMC) without issue. Restart IIS. Note: You may have to reimport as “Complete certificate renewal” depending on your certificate.

This did not fix the certificate issue.

What did fix the SSL issue in Lansweeper was following this article on Microsoft.com to repair the certificate and add the private key:  https://docs.microsoft.com/en-us/troubleshoot/iis/assign-certificate-private-key

Below is the output from PowerShell showing the successful repair of the certificate; after running the command, Lansweeper was able to run under the new certificate.

Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator> certutil -repairstore my "Certificate Serial Number"
my "Personal"
================ Certificate 9 ================
Serial Number: 0933dade655d53658470d076c90446ff
Issuer: CN=GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US
 NotBefore: 2021-03-22 6:00 PM
 NotAfter: 2022-04-23 5:59 PM
Subject: CN=*.sapl.ca
Non-root Certificate
Cert Hash(sha1): 01 e5 53 e4 cc cf f9 73 15 11 35 2e 0b fd c4 d1 91 74 b5 05
  Key Container = {63B4CC61-46F3-4C4B-9F8E-CB38E333DD79}
  Unique container name: 3f90b86fe9b728070aead75c51dfc869_ebcb9c16-cc6e-4b9c-b957-49c2f2cdfce1
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully.
PS C:\Users\Administrator> 01 e5 53 e4 cc cf f9 73 15 11 35 2e 0b fd c4 d1 91 74 b5 05


After running the repair command in PowerShell as an administrator, Lansweeper started working with the new certificate after updating the thumbprint and restarting IIS.
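
The fix that worked here was re-associating the private key with the certificate in the Local Computer Personal store. The added example below (not from the original post, Lansweeper or Microsoft) checks that condition for a thumbprint before it goes into CertificateThumbPrint; the function name Test-BindingCert is made up for this example, and the sample thumbprint is the one printed in the certutil output above.

```powershell
# Added example: confirm the certificate behind a thumbprint can be used for an HTTPS binding.
# Test-BindingCert is a name made up for this example.
function Test-BindingCert {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Thumbprints pasted from the certificate dialog or from certutil output carry
    # spaces and sometimes invisible Unicode marks; keep the hex digits only.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($clean.Length)"
    }

    # Local Computer > Personal > Certificates, the store used on this page.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$clean" -ErrorAction SilentlyContinue
    if (-not $cert) { throw "No certificate with thumbprint $clean in Cert:\LocalMachine\My" }

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint    = $clean
        Subject       = $cert.Subject
        SerialNumber  = $cert.SerialNumber
        ValidNow      = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        HasPrivateKey = $cert.HasPrivateKey
    }
}

# Thumbprint as printed in the certutil output on this page; replace with your own.
$check = Test-BindingCert -Thumbprint '01 e5 53 e4 cc cf f9 73 15 11 35 2e 0b fd c4 d1 91 74 b5 05'
$check | Format-List

if (-not $check.HasPrivateKey) {
    # A PKCS #7 (.p7b) file carries certificates only, never the private key.
    # The repair shown on this page re-links the key; run it from an elevated prompt.
    Write-Warning "No private key attached. Run: certutil -repairstore my $($check.SerialNumber)"
}
```

The Thumbprint value in the output is already in the space-free form, so it can be copied into the config without retyping.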

How to fix CURL call importing an RSS feed on a site blocking CURL calls

There is a 3rd party service provider that my organization uses called bibliocommons.  They have these nice book carousels.  However the car...