You are viewing limited content. For full access, please sign in.

Question

Question

Trouble with Setting Up SSL

Laserfiche
Updated April 4, 2016
asked on April 2, 2016

Hey guys! I'm having some trouble setting up SSL and I wanted to see if anyone had any suggestions.

My goal is to secure two different types of communication:

  • External communication between end-user's browsers and Laserfiche Forms. For this I have purchased a third-party certificate from a commonly-trusted CA and installed it on my Web server that hosts Forms (within the local computer's "personal" store).
  • Internal communication between various Laserfiche components within my network (e.g., between thick clients and LFS, between Workflow and LFS). For this I have used the Microsoft SDK's makecert tool to create a self-signed certificate and installed the certificate on the relevant machine (within the local computer's "personal" store).


What is interesting (and annoying!) is that I can get either of the above communication lines secured individually, but not both at the same time. In other words, one certificate seems to break the other. I know that sounds abstract and confusing, so below is a bit more detail.

In IIS, if I select the default Web site, choose Bindings, and set the https binding to point at the third-party certificate, that successfully configures the browser-to-Forms communication to occur over SSL (I see the "lock" icon in Chrome when visiting Forms and can confirm that the correct certificate is being used). However, this configuration breaks the Laserfiche components from being able to communicate over SSL (they each throw a SSL Host Name Does Not Match Certificate Host Name error).

However, if I change the IIS binding to instead point at the self-signed certificate, then the Laserfiche components communicate just fine over SSL (e.g., I see the "lock" icon in the thick client), but then Forms obviously isn't using the correct certificate (and using a self-signed certificate for Internet traffic is obviously a terrible idea).

In my case, everything is installed on the same machine (Forms, Workflow, LFS, IIS, etc.). I realize that this may negate the need to use SSL between the various Laserfiche components (since all traffic is occurring over localhost), but I'd still like to at least understand why I can't get this working.

In case it is relevant, note that I'm using the following commands to create the self-signed certificate:

To create the CA:

makecert -pe -n "CN=my_ca_name" -ss ROOT -sr LocalMachine -a sha1 -sky signature -r "C:\my_ca_name.cer"

To create the client certificate:

makecert -pe -n "CN=localhost" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "my_ca_name" -is ROOT -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 myhost.cer

To create the configuration record:

netsh http add sslcert ipport=0.0.0.0:443 certhash=thumbprint_value_without_spaces appid={my_guid}

Any help would be much appreciated!

1 0

Replies

replied on April 2, 2016

Hi Jonathan,

Have you checked that the FQDN in the cert matches the server name in the Binding configuration you've types into IIS? When you test the SSL connection, what URL do you use?

-Ben

1 0
replied on April 4, 2016

Hey Ben! For the self-signed certificate, I'm using `localhost` as the machine name. So in this case, there isn't a FQDN in play (from what I can tell).

0 0
replied on April 4, 2016

One thing though....why is the "internal" certificate for localhost? Your internal thick clients will not be accessing the Laserfiche or Workflow server as "localhost" unless they run directly on it.

1 0
replied on April 4, 2016

Is it because you're trying to bind 2 certificates to the same port? See https://blogs.msdn.microsoft.com/varunm/2013/06/18/bind-multiple-sites-on-same-ip-address-and-port-in-ssl/  for possible workarounds.

0 0
replied on April 4, 2016

Hey Miruna! That sounds like it may be the problem. I'll try this work-around. Thanks!

0 0
replied on April 4, 2016

Hi Jonathan, 

Sounds like you might have a fix bit if not, can you post a screen shot of you website binding? 

0 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...