Hi I receive two files an .cer and .p7b, how I can have the .key and .crt from this files? to install in my apache server?
I need to set here
I have only files.cer
SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile
Related
when making a wireshark trace to check if my Let's Encrypt certificate is correctly offered by our server, I see that the same certificate is being send twice in TLS handshake when 'Server Hello Done'.
How can this occur ? How to correct ?
The certificate details is 2 times exactly the same :
Extra info requested :
I trace this with wireshark by visiting a https-page of my Apache webserver (CentOS Linux release 7.4.1708 (Core)) with my Chrome browser on Fedora 25 client.
VirtualHost config :
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
Don't know if it matters, but I also have a second VirtualHost with a different Let's Encrypt certificate :
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/letsencrypt/live/my2.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my2.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my2.domain.tld/fullchain.pem
The Problem
This is caused by simultaneous config of SSLCertificateFile along with SSLCertificateChainFile.
From the mod_ssl documentation (Emphasis mine):
This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate.
But if you check your fullchain.pem, you'll see that it includes the server certificate at the top, followed by the Let's Encrypt issuing CA. Apache is delivering the contents of SSLCertificateFile with the SSLCertificateChainFile concatenated after it. Since your server's certificate appears in both of them, it's duplicated in the final chain seen in the SSL handshake, just like you observed in Wireshark:
vhost.conf Sent To Client
+---------------+ +------------------+
| cert.pem |----------> |Server Certificate|
| | | + |
| + | +---> |Server Certificate|
| | | | + |
| fullchain.pem |----------> | CA Certificate |
+---------------+ +------------------+
The Fix
In modern Apache, don't use SSLCertificateChainFile directive anymore, and give fullchain.pem directly to SSLCertificateFile.
Again, from the mod_ssl documentation:
SSLCertificateChainFile is deprecated
SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.
So all you should need to do is change your vhost configuration from this:
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
To this:
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
I have a server running a LAMP stack:
me#server:~$ sudo apachectl -v
Server version: Apache/2.4.10 (Debian)
me#server:~$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
...
On this server I have many two domains - one with SSL and one without SSL - and everything is currently hunky-dory.
I am trying to add SSL to the second site but requests to the second site fail with the issue:
[FIREFOX]
domain2.com uses an invalid security certificate.
The certificate is only valid for the following names: domain1.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN
[CHROME]
NET::ERR_CERT_COMMON_NAME_INVALID
Note 1: I have checked my version of Apache allows multiple SSL sites on the same server.
This leads me to believe that the SSL files being read when domain2.com is called are actually the files relating to domain1.com.
Curiously, if I disable domain1.com using sudo apache dissite domain1, the SSL works just fine on https://domain2.com. This would indicate that the SSL is installed correctly but the sites across the server are not all configured correctly.
The .conf files are below:
me#server:~& cat /etc/apache2/sites-enabled/domain1
[...Port 80 config redacted...]
<VirtualHost *:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/domain1/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain1/key.txt
SSLCertificateChainFile /etc/apache2/ssl/domain1/intermediate.crt
ServerName domain1.com
ServerAlias www.domain1.com
<Directory /var/www/domain1>
[REDACTED]
</Directory>
[Logging information redacted]
</VirtualHost>
me#server:~& cat /etc/apache2/sites-enabled/domain2
[...Port 80 config redacted...]
<VirtualHost *:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/domain2/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain2/key.txt
SSLCertificateChainFile /etc/apache2/ssl/domain2/intermediate.crt
ServerName domain2.com
ServerAlias www.domain2.com
<Directory /var/www/domain2>
[REDACTED]
</Directory>
[Logging information redacted]
</VirtualHost>
So it is clear both sites have the same configuration items applied but relative to the specific SSL files on the server for that site. Note, the SSL bundles for each site are provided from the same vendor.
Further, the certificates should be correct:
me#server:/etc/apache2/ssl/domain1$ openssl x509 -in server.crt -noout -subject
subject= /CN=www.domain1.com
me#server:/etc/apache2/ssl/domain2$ openssl x509 -in server.crt -noout -subject
subject= /CN=www.domain2.com
From all of this, please can some enlighten me as to why requests to domain2.com fail when domain1.com is enabled?
So yeah.. doing the above was all fine and should work.
If it doesn't work, be sure to check the spelling of the ServerName fields and to not work too late at night!
I have 2 crt files for Apache server:
1_root_bundle.crt
2_my_domain_name.com.crt
And other bundle:
1_Intermediate.crt
2_my_domain_name.com.crt
root.crt
I have modified
/etc/apache2/sites-available/default-ssl.conf
And tried various combinations of above mentioned files but after Apache2 service restart SSL does not work, browser shows "Connection is not secure":
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/1_Intermediate.crt
SSLCertificateKeyFile /etc/apache2/ssl/2_my_domain_name.com.crt
SSLCertificateChainFile /etc/apache2/ssl/root.crt
How to make SSL on Apache server?
It is missing the key file with your certificate private key. Usually it has the .key extension like 2_my_domain_name.com.key and the file content starts with -----BEGIN PRIVATE KEY-----
You configuration should looks like this
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/2_my_domain_name.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/2_my_domain_name.com.key
SSLCertificateChainFile /etc/apache2/ssl/1_root_bundle.crt
The SSLCertificateChainFile points to a all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate.
So ensure that 1_root_bundle.crt contains 1_Intermediate.crt content and is in PEM format (base64 with --- BEGIN CERTIFICATE --- ----END CERTIFICATE--- headers)
If you use apache >= 2.4.8 you could also concatenate all certificates in the file pointed at SSLCertificateFile
SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.
1) Install Apache HTTP Server, mod_ssl
2) Configure httpd
Remember to disable SSLv2 and SSLv3, because they are vulnerable.
# Toggle on the SSL/TLS Protocol Engine
SSLEngine On
# The signed certificate of the server
SSLCertificateFile /etc/pki/tls/myserver/myserver.crt
# The private key of the server
SSLCertificateKeyFile /etc/pki/tls/myserver/myserver.key
# The intermediate_certificate of the server
SSLCertificateChainFile /etc/pki/tls/myserver/tls-ca-chain.pem
# Accept only strong encryption
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder on
3) Check the permissions on the certificate files.
UPD:
How to create a key and certificate signing request in one step:
openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out myserver.csr
Next you have to send this csr file to one of the certificate authorities. They will send back your signed certificate, and the intermediate certificate(s).
You can also create a self-signed certificate.
You can use the bundle file with SSLCertificateChainFile.
SSLCertificateFile /home/ubuntu/tad.com/tad.com.crt
SSLCertificateKeyFile /home/ubuntu/tad.com/tad.com.key
SSLCertificateChainFile /home/ubuntu/tad.com/intermediate_bundle.crt
SSLCACertificateFile /home/ubuntu/zup.today/intermediate_bundle.crt
OR
If you are using bundle so it will work without SSLCertificateChainFile file.
SSLCertificateFile /home/ubuntu/tad.com/tad.com.crt
SSLCertificateKeyFile /home/ubuntu/tad.com/tad.com.key
SSLCACertificateFile /home/ubuntu/zup.today/intermediate_bundle.crt
I've obtained an SSL certificate from Comodo. I try to install it on an apache server using the following steps:
Upload to the directory /home/perica these files:
bedbids_com.crt
bedbids_com.key
bedbids_com.ca-bundle
Edit /etc/apache2/sites-available/default-ssl.conf with
SSLEngine on
SSLCertificateFile "/home/perica/bedbids_com.crt"
SSLCertificateKeyFile "/home/perica/bedbids.key"
SSLCertificateChainFile "/home/perica/bedbids_com.ca-bundle"
but at this point ssl is still not enabled. What do I miss?
Check that the ssl module is enabled with:
sudo a2enmod ssl
(assuming you use a debian based linux distribution)
Then you should add to your configuration file something like:
NameVirtualHost [your IP address]:443
< VirtualHost [your IP address]:443>
ServerSignature On
SSLCertificateFile /path/to/the/certificate/from/your/certificate/company/apache.crt
SSLCertificateKeyFile /path/to/the/file/created/in/step/1.key [can be a .pem file too I think]
SSLCertificateChainFile /path/to/intermediate/cert.crt [optional, only if yout certificate compay provides you with one]
SSLEngine On
</VirtualHost>
You will find detailled instructions here:
http://wiki.vpslink.com/Enable_SSL_on_Apache2
So I've got a login script (domain.com/script/index.php) that I need protected with a self-signed certificate, but installing a cert with Apache will apply it to my whole domain. My domain is a personal website, and the last thing I would want is for someone to go through the hassle of having to jump through the hoops of having to 'trust' my self-signed certificate.
Right now I have Webmin running on my server, and it currently has its own self-signed without applying it to my root website directory. Is there any way to secure my script directory without applying it to my root directory?
I'm gonna assume this is php and apache:
Just add this lines to your vhost configs:
SSLEngine on
SSLCertificateFile {{SERVER CRT PATH}}
SSLCertificateKeyFile {{SERVER CRT PATH}}
Make sure SSL dll is on in the php.ini
and apply like so:
# Local Php site
<VirtualHost *:83>
ServerName localhost
DocumentRoot C:/xampp2/htdocs/scripts/php
<Directory C:/xampp2/htdocs/scripts/php>
AllowOverride All
Require all granted
</Directory>
SSLEngine on
SSLCertificateFile C:\xampp2\apache\conf\ssl.crt\server.crt
SSLCertificateKeyFile C:\xampp2\apache\conf\ssl.key\server.key
</VirtualHost>
Reference: http://robsnotebook.com/xampp-ssl-encrypt-passwords
restart apache then visit: https://localhost:83