A wait that is a bit too long!

DNS Addresses Multi-country domain resolving with DNS service: Check host - online website monitoring

HTTP connectivity Check website performance and response: Check host - online website monitoring

Let's Debug is showing an ERROR https://letsdebug.net/chez.jcz.fr/1362065

From my IPv4 only location I get

$ curl -Ii http://chez.jcz.fr/.well-known/acme-challenge/sometestfile
curl: (28) Failed to connect to chez.jcz.fr port 80 after 76163 ms: Operation timed out
$ nmap -Pn chez.jcz.fr
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-02-04 10:52 PST
Nmap scan report for chez.jcz.fr (109.16.70.70)
Host is up.
Other addresses for chez.jcz.fr (not scanned): 2001:470:c94a::100
rDNS record for 109.16.70.70: 70.70.16.109.rev.sfr.net
All 1000 scanned ports on chez.jcz.fr (109.16.70.70) are filtered

Nmap done: 1 IP address (1 host up) scanned in 203.78 seconds

Best Practice - Keep Port 80 Open

1 Like

I am configuring my site "chez.jcz.fr" with the PFX client certificate, but I can't get it working. Hence the unavailability of my site. I managed to create the PFX certificate. When I inspect it, it is valid. But the verification of the client with the server does not happen.

If the site is not available, Let's Encrypt can still create the certificate. Is that it? Hence the message above and the slowness I noticed.

I fail to see the relevance of that statement, as I was showing a general lack of connectivity to the domain.

1 Like

Connectivity has improved. :)

$ curl -Ii http://chez.jcz.fr/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Sun, 05 Feb 2023 19:21:33 GMT
Server: Apache
Location: https://chez.jcz.fr/.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=iso-8859-1
$ curl -Ii https://chez.jcz.fr/.well-known/acme-challenge/sometestfile
HTTP/2 200
last-modified: Sat, 04 Feb 2023 18:08:15 GMT
accept-ranges: bytes
content-length: 168
vary: Accept-Encoding,User-Agent
content-language: fr
date: Sun, 05 Feb 2023 19:21:55 GMT
server: Apache

$ nmap -Pn chez.jcz.fr
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-05 19:22 UTC
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 2.00% done; ETC: 19:28 (0:05:43 remaining)
Nmap scan report for chez.jcz.fr (109.16.70.70)
Host is up (0.28s latency).
Other addresses for chez.jcz.fr (not scanned): 2001:470:c94a::100
rDNS record for 109.16.70.70: 70.70.16.109.rev.sfr.net
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 44.03 seconds
1 Like

Presently the Rate Limits seem in force https://tools.letsdebug.net/cert-search?m=domain&q=chez.jcz.fr&d=168

Testing and debugging are best done using the Staging Environment.

Also here is a list of issued certificates crt.sh | chez.jcz.fr the latest being 2023-02-05.

The certificate presently being served looks good https://decoder.link/sslchecker/chez.jcz.fr/443
however connectivity to IPv6 SSL Server Test: chez.jcz.fr (Powered by Qualys SSL Labs) is showing "Unable to connect to the server"

1 Like

I know.
But my main problem is to find a way to create my three certificates: PFX, server key and server crt for Apache 2.4.55.
Any help on this would be appreciated.

Apache has never used .PFX files.

3 Likes

I don't put the PFX certificate in apache, but in the "my" store so that it is available in my Google Chrome browser.
The certificates I use in Apache are the ".pem" ones that Let's Encrypt created.
I already explained everything in my other topic.

This is incorrect.
I don't know where you read that is required.

Since you mention it...
Please be mindful that the responses are coming from volunteers.

2 Likes

Actually, I think that is correct. They are setting up two-way authentication and the client needs to send a cert to the server. Clients dictate what format is needed to send to the server. In Chrome's case I believe it requires pfx.

That said, I am far from expert in two-way but that's what I understand so far.

3 Likes

Maybe also look to a different client as well.

1 Like

I would love to read the requirements on that.
I suspect that there may be a simpler way of handling this...

1 Like

Not exactly requirements here but a pointer Mutual authentication - Wikipedia

So would I!

It starts with Apache's SSLVerifyClient require, but sadly it is not very helpful.

3 Likes

From that Wiki:
As it requires provisioning of the certificates to the clients and involves less user-friendly experience, it's rarely used in end-user applications.

So now, I would really LOVE to hear their specific requirements.
What (problem/security issue) are they trying to overcome?

2 Likes

As would I.

1 Like

> Actually, I think that is correct. They are setting up two-way authentication and the client needs to send a cert to the server. Clients dictate what format is needed to send to the server. In Chrome's case I believe it requires pfx.
> That said, I am far from expert in two-way but that's what I understand so far.
You understood well. I'm trying to set up two-way identification.

Me too, because the procedure to create the PFX client certificate is far too complicated to do from the files provided by Let's Encrypt.

With a Let's Encrypt certificate, my site is accessible to everyone.
I want it to be accessible only by those who have my client certificate.
This is for privacy reasons.

2 Likes

@Artemus24 See my response to your other thread on this question

This Apache feature does not work like you expect. See that link

3 Likes

Then you have missed the target.
As implemented, you will allow anyone with any valid certificate to enter your site.

3 Likes
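The point made in the last two replies (SSLVerifyClient require admits whatever the configured CA file trusts) and the PFX question earlier in the thread, put together as an added example that is not the poster's setup nor anything from Apache's or Let's Encrypt's documentation: a private CA issues the client certificate, that certificate is bundled as PKCS#12 for the browser, and Apache is told to trust only that private CA. The CA name, the client name "alice", the passphrase, and the certbot-style paths under /etc/letsencrypt/live/chez.jcz.fr/ and /etc/apache2/client-ca/ are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a private CA for client certificates,
# one client cert bundled as PKCS#12 (.pfx) for the browser's "my" store, and
# the Apache 2.4 settings that make "SSLVerifyClient require" trust ONLY
# that private CA. Names (example-ca, alice, paths) are hypothetical.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. Private CA. Its key stays with the site owner; Let's Encrypt is not involved.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=example-ca" \
  -keyout ca.key -out ca.pem 2>/dev/null

# 2. Client key + CSR, signed by that private CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
  -keyout alice.key -out alice.csr 2>/dev/null
openssl x509 -req -in alice.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 365 -out alice.pem 2>/dev/null

# 3. PKCS#12 bundle to import into Chrome / the OS certificate store
#    (constructed passphrase for the example).
openssl pkcs12 -export -inkey alice.key -in alice.pem -certfile ca.pem \
  -name alice -passout pass:changeit -out alice.pfx

# 4. Apache vhost fragment (assumed certbot paths). The server cert still comes
#    from Let's Encrypt; SSLCACertificateFile decides WHICH client certs pass.
cat > client-auth.conf <<'EOF'
SSLEngine on
SSLCertificateFile    /etc/letsencrypt/live/chez.jcz.fr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/chez.jcz.fr/privkey.pem
# Wrong: the Let's Encrypt chain as client CA admits anyone holding an LE cert.
# SSLCACertificateFile /etc/letsencrypt/live/chez.jcz.fr/chain.pem
SSLCACertificateFile  /etc/apache2/client-ca/ca.pem
SSLVerifyClient require
SSLVerifyDepth 1
EOF

# Returns 0 only if the cert chains to the private CA (the check Apache makes).
client_cert_accepted() { openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; }

# Sanity check: a cert from any other CA is rejected even though it is valid.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
  -keyout other.key -out other.pem 2>/dev/null
client_cert_accepted alice.pem && echo "alice.pem: accepted"
client_cert_accepted other.pem || echo "other.pem: rejected"
```

Copy ca.pem (never ca.key) to the path named in SSLCACertificateFile, import alice.pfx into the browser, and only holders of certificates issued by example-ca get past the handshake.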
