12 Replies Latest reply on Mar 2, 2016 9:33 PM by jramirez

    Certificate Error when using WebAPI Calls on IIS Express

    jramirez

      Hi:

      I am working on a Web API application, here is the issue:

      When debugging in VS2012 the URL is http://localhost:58214/index.html, the server is the IIS express server.

      I am getting a data.status=0 when sending the authorization credentials to the server (see code below) and any webapi calls do not work at all. However, when I open Fiddler and try to log in again using webapi, I get a pop-up window with a "Certificate Error" title, asking for "ignore errors (unsafe) and proceed". If I choose to ignore, then everything works fine as long as Fiddler is open.

       

      Any ideas?

       

      Jaime

       

       

      var authSuccessCallBack = function (data, statusMessage, statusObj) {
          alert("Log OK");
      };

      var authErrorCallBack = function (data) {
          // A status of 0 (no HTTP response received) falls through to the else branch.
          if (data.status == 401) {
              alert("Invalid username and password.");
          }
          else {
              alert("Error during validation.");
          }
      };

      // TEST START HERE
      $("#Test-btn").click(function () {
          var username = "Administrator";
          var password = "Sios10";

          // baseServiceUrl is not shown in this post.
          piwebapi.SetBaseUrl(baseServiceUrl);
          piwebapi.SetCredentials(username, password);
          piwebapi.Authorize(authSuccessCallBack, authErrorCallBack);
      });

        • Re: Certificate Error when using WebAPI Calls on IIS Express
          Jerome Lefebvre

          Hello Jaime, I just wanted to confirm that you have PI Web API installed locally and even locally you get warnings about the certificate when using localhost. Is that correct?

           

          PI Web API uses HTTPS to send and receive information, thus a certificate is required. During installation, a self-signed certificate is created and localhost will be placed in the subject alternative name (SAN) field of the certificate. Can you verify that the certificate that PI Web API uses does have localhost in its SAN? To see this entry, you can navigate to https://localhost/piwebapi and in most browsers there should be a lock icon in the toolbar that will give you access to the certificate; the SAN information will be in the details tab.

           

          If you are using a different certificate than the one created by the installer, you may need to access PI Web API using the FQDN or simply host name.

          1 of 1 people found this helpful
            • Re: Certificate Error when using WebAPI Calls on IIS Express
              jramirez

              Hi:

              I have the WEBAPI installed on a server on my network. I am using another PC with VS2012 to develop the code. When I run the code, an IIS Express is launched on my PC, and I have that localhost:58214 added to CORS. When accessing the webapi help page ON the server, everything is fine (green lock in the https). I am getting warnings and a red lock when accessing the WEBAPI help from my remote PC.

               

              I can see "localhost" listed in the SAN and also the server name. However, I am accessing this test server using a no-ip URL. How can I include that no-ip name in the SAN?

               

              Any ideas?

               

              Jaime

                • Re: Certificate Error when using WebAPI Calls on IIS Express
                  gregor

                  Hello Jaime,

                   

                  Please make sure access to PI Web API works properly from your development machine. Please use a browser and see if there are any issues accessing PI Web API remotely. If so, the details of the messages returned in the browser should help to understand what the issue is about.

                  Common issues are with the certificate, as mentioned by Jerome Lefebvre. The certificate is issued for the host specification you've referenced during PI Web API installation. This could be either hostname, IP address, FQDN or similar. 'Localhost' is however not a good choice because it will only work with local access, but it could be preferred e.g. on an application server that intentionally allows PI Web API access only to local applications.

                  PI Web API is using secured http communication. Therefore the URL must always start with https and the assigned communication port (default 443) must be allowed.

                  Another common issue is with authentication against PI Web API. Recommended security is Kerberos delegation but for sure a domain environment is required and delegation must explicitly be allowed to either the PI Web API host or the PI Web API service account.

                  Below are some links to related knowledge base articles:

                  KB01222 - Types of Kerberos Delegation

                  KB01223 - Kerberos and Internet Browsers

                • Re: Certificate Error when using WebAPI Calls on IIS Express
                  pthivierge

                  Hello Jaime,

                   

                  We do have a very nice video series to learn about PI Web API (thanks to Daphne Ng, who kindly recorded all those videos).

                  For details about certificates, see Setting up PI Web API for a Development Project from 4:25.

                  She explains step by step what it takes to generate a certificate on a client machine that is different from the PI Web API server machine.

                • Re: Certificate Error when using WebAPI Calls on IIS Express
                  jramirez

                  Hi:

                  The certificate generated during installation works fine when developing within the office network. However, when developing from home, I access the server through a no-ip ddns URL and the certificate is invalid... How can I add the no-ip URL to the certificate?

                   

                  J

                    • Re: Certificate Error when using WebAPI Calls on IIS Express
                      gregor

                      Hello Jaime,

                       

                      I am uncertain if this could work and must admit that I don't have any experience with the scenario you describe. I have however done some internet research using terms like https, certificate, binding, multiple etc. to find related discussions.

                       

                      It appears to be possible to specify host aliases when generating a certificate. This could be an option to add your Dyn DNS to the certificate. This will however not work with the self-signed certificate offered by the PI Web API Installer. If you have an authority within your domain that you can request a certificate from, this could be an option. Please consult with your IT department.

                       

                      The current release of PI Web API comes with a configuration tool (OSIsoft.REST.Admin.exe) that allows modifying the existing installation. It's possible to change the communication port, to replace the certificate reference and similar. One option showing here is the Submit URL. I was looking for options to define multiple https ports, multiple certificates or multiple Submit URLs and conclude this is a scenario not foreseen.

                       

                      Have you considered going via VPN rather than using Dyn DNS? How about placing your development machine inside your office network and connecting via RDP through Dyn DNS. This way your development environment would reside inside your office network.

                      1 of 1 people found this helpful
                      • Re: Certificate Error when using WebAPI Calls on IIS Express
                        pthivierge

                        To add a little on this discussion:

                         

                        Certificates are closely coupled with the domain name, e.g. https://pisquare.osisoft.com. This is for security reasons and is part of the way browsers make the security checks as well.

                        So if you try to access a machine that is within your enterprise network, your domain name is not public thus the certificate won't work if you created it with the local computer name.

                         

                        One thing that may work, this is just an idea:

                        • Modify the host files of both: your PI Web API Server and your work computer to contain an entry that points to the PI Web API Server but with the no-ip name
                          • Example: no-ip=jaime.no-ip.com, work network pi web api server IP=10.10.10.10
                          • host file entry: 10.10.10.10 jaime.no-ip.com
                        • Create a new certificate, check the video provided above (Setting up PI Web API for a Development Project from 4:25.), make sure you are using the jaime.no-ip.com to access PI Web API from your work network.
                        • Update the certificate.

                         

                        Next time you will be accessing the website from your home place using the no-ip address, you should have a trusted site.

                         

                        Hope this helps

                          • Re: Certificate Error when using WebAPI Calls on IIS Express
                            gregor

                            Hi Patrice Thivierge,

                             

                            The public IP address assigned by an Internet Service Provider (ISP) often is dynamic. This means the ISP assigns IP addresses from a pool owned by them as needed. The changing IP address can become an issue when attempting to access a resource behind the Internet router from the outside. This is where Dyn DNS comes into play. As far as I recall, a service running on a machine inside the organization monitors the current external IP address assigned by the ISP. The service reports this address to the Dyn DNS provider, who holds a domain alias together with the current IP address. This way the domain alias can at any time be resolved to the (changing) IP address assigned by the ISP.

                            For this reason I have strong doubts static hosts file entries will help to resolve this issue.

                        • Re: Certificate Error when using WebAPI Calls on IIS Express
                          jramirez

                          The video shows how to register an existing certificate on the machine, not how to create a new self-signed certificate that includes the no-ip name as SAN... Any reference on how to do it? Once created, it will require reinstalling webapi to include that newly created certificate in it, right?

                           

                          Jaime
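
The name check behind the certificate warnings discussed in this thread, as an added example that is not part of any post or of PI Web API: a simplified version of the SAN matching a TLS client performs on the host name in the requested URL. The SAN lists and the names piserver and piserver.corp.example are constructed; jaime.no-ip.com is the example alias used earlier in the thread.

```javascript
// Simplified SAN host-name matching (in the spirit of RFC 6125); certificate data is constructed.

// Parse a SAN string such as "DNS:localhost, DNS:piserver" into lowercase DNS names.
function parseDnsSans(subjectAltName) {
  return subjectAltName
    .split(",")
    .map((entry) => entry.trim())
    .filter((entry) => entry.toUpperCase().startsWith("DNS:"))
    .map((entry) => entry.slice(4).trim().toLowerCase());
}

// Match one SAN pattern against a host name.
// "*" is accepted only as the complete left-most label of a name with at least three labels.
function sanMatches(pattern, host) {
  const p = pattern.toLowerCase().split(".");
  const h = host.toLowerCase().replace(/\.$/, "").split(".");
  if (p.length !== h.length) return false;
  return p.every((label, i) =>
    label === h[i] || (i === 0 && label === "*" && p.length > 2));
}

// Check the host part of the URL the client requests against the certificate's SAN list.
function checkUrlAgainstCert(url, subjectAltName) {
  const host = new URL(url).hostname;
  const matched = parseDnsSans(subjectAltName).find((san) => sanMatches(san, host)) || null;
  return { host, nameOk: matched !== null, matched };
}

// Constructed: SAN list like the one described in the thread (localhost plus server name).
const installerSan = "DNS:localhost, DNS:piserver, DNS:piserver.corp.example";
// Constructed: SAN list of a reissued certificate that also names the DDNS alias.
const reissuedSan = installerSan + ", DNS:jaime.no-ip.com";

const cases = [
  ["https://localhost/piwebapi", installerSan],       // on the server itself
  ["https://piserver/piwebapi", installerSan],        // inside the office network
  ["https://jaime.no-ip.com/piwebapi", installerSan], // from home: name mismatch
  ["https://jaime.no-ip.com/piwebapi", reissuedSan],  // from home, reissued certificate
];
for (const [url, san] of cases) {
  const r = checkUrlAgainstCert(url, san);
  console.log(`${r.host}: ${r.nameOk ? "matches SAN " + r.matched : "name mismatch"}`);
}
```

A matching name is necessary but not sufficient: the client must also trust the issuer, which for a self-signed certificate means importing it on the client machine.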