HTTPS Connection Issues

From MgmtWiki
Jump to: navigation, search

Full Title or Meme

Like most security protocols HTTPS can start failing for all sorts of reasons, but issues with upgraded security seems to be most common.

Context

  • For HTTPS to work the certificate (and key) used to sign the TLS (SSL) connection packets must match one of the certs in the cert:\localmachiroot folder. That means that the fingerprint (hash) of the root key must match the signing key.

Issues

Net Core Console Apps

Here are the steps:

  1. Create a Certificate Signing Request (CSR).
  2. Have the CSR signed by the server.
  3. Get the signed certificate.
  4. Include the signed certificate in the HTTP request.
  5. Make sure to put the Self-Signed CA Certificate in the Local Computer's Trusted Root CA store.

Troubleshooting steps in order (do not skip if a certain step is not successful):

  1. Test with HTTP
  2. Test with HTTPS (one-way authentication)
  3. Test with HTTPS (mutual authentication)

PowerShell Invoke-xxxMethod

$r = Invoke-RestMethod "https://trustregistry.us/csp" -Method Post -Body $j -ContentType "application/jose"
$r
The registry service https://localhost:5035/csp could not be found. Exception: The SSL connection could not be established, see inner exception.

or on AWS

$r = Invoke-RestMethod "http://localhost:5035/csp" -Method Post -Body $j -ContentType "application/jose"
Invoke-RestMethod : The underlying connection was closed: The connection was closed unexpectedly.
At line:1 char:6
+ $r = Invoke-RestMethod "http://localhost:5035/csp" -Method Post -Body ...
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

One common cause for this issue is a mismatch in TLS levels between the client and server. In general all sites should be (2020-07) set for tls1.1 or higher.

  • Check with powershell Get-TlsCipherSuite [[-Name] <String>] [<CommonParameters>]

References