SSL Apache csr .pem .key on GoDaddy - apache

Morning guys
I have never really dealt with SSL's on an apache server.
I found the domain on godaddy for my site. Downloaded the CentOS Apache zip.
This includes
gd_bundle .crt
hereismysite.crt
blahblah.pem
Now,the folder that currently has the SSL has
gd_bundle .crt
hereismysite.crt
blahblah.key
I have this rekey thing on godaddy for the CSR?
I am a little confused as to how to do this step and what to do with it?
I followed some apache instructions here after I replaced the files with the new ones. (I also just replaced the .pem info in the key). Crashed the servers all on apachectl restart so put the old ones back and restarted again
https://ae.godaddy.com/help/manually-install-an-ssl-certificate-on-my-apache-server-centos-5238
I am baffled.
Anyone able to break it down for a dummy like me?

To configure your site you need the following:
A private key
A public certificate
A CA bundle containing intermediate certs (not always required)
The zip from godaddy contains the following:
gd_bundle.crt - This is the CA bundle
hereismysite.crt - This is your sites public certificate signed by godaddy
blahblah.pem - This is the same as hereismysite.crt in a different format (I haven't been able to verify why they do this, maybe convenience...?)
On your server, you have:
gd_bundle.crt - Same as above
hereismysite.crt - Same as above
blahblah.key - Your private key. This is generated during the CSR process. If you don't have or lost this file, then you need to rekey your cert as you mentioned in your post.
To put all this together, your Apache config will look something like this:
<VirtualHost *:443>
ServerName www.example.com
SSLEngine on
SSLCertificateFile "/path/to/hereismysite.crt"
SSLCertificateKeyFile "/path/to/blahblah.key"
</VirtualHost>
See also: https://bofeng.github.io/post/godaddy-ssl-cert-nginx/

Related

Moving multiple security certificates from server to server

I have moved a site from an ISP to a private server and need to move my SSL certs over.
However, the ISP gave me 4 certs for the site in question, so I am unsure of the match of three of the four files, as well as confused about why I have four:
AAACertificateServices.crt
[THE DOMAIN I AM MOVING]_com.crt
SectigoRSADomainValidationSecureServerCA.crt
USERTrustRSAAAACA.crt
Spending time to research the procedure of installing the certs for a site up and running on Ubuntu 20.04 with Apache2, all the online docs I found will have me edit the virtual host block of the Apache2 site conf file thusly:
<VirtualHost xxx.xxx.x.x:443>
DocumentRoot /var/www/[THE DOMAIN I AM MOVING]
ServerName [THE DOMAIN I AM MOVING]
SSLEngine on
SSLCertificateFile /path/to/[THE DOMAIN I AM MOVING]_com.crt
SSLCertificateKeyFile /path/to/privatekey.key
SSLCertificateChainFile /path/to/intermediate.crt
</VirtualHost>
There is one obvious .crt file that matches here, but I am not sure of the placement of two others, and entirely unsure why I received 4 files instead of 3.
So, I have a couple of questions:
Why the forth file?
Which two of the remaining three are the privatekey and intermediate files?
Is there a standard way to identify the purpose of each file?
I have tried a number of combinations, but cannot get these files to work. The ISP that originated the certs is no help, as they have WHM and cPanels that make this an easier task, but my server does not have either so I am stuck with manual entries.
I have successfully installed a Comodo cert for one of two sites I have on my private server, so I am OK for now using that one, but it remains a mystery and a problem: not being able to EASILY transfer certs from a shared server to a private server.
I will continue the effort and post any positive results.
So, the "answer" here is: This operation is difficult and there is no easy solution I have found, to date.

How to properly install SSL to my server?

I have a sub-domain I want to install a valid SSL (possibly free SSL). I used to access my website through the public address of my server. Now I am using subdomain to access my website. I want to add a valid SSL to my server to secure my website. I am using XAMPP. How can I install SSL properly because when I access my website using HTTPS I am getting a NET::ERR_CERT_AUTHORITY_INVALID and where can I get a valid SSL Certificate?
The most popular Free SSL certificate you can get from letsencrypt.
Than here is the steps you can get your certificate works on localhost machine (XAMPP):
Create new folder crt, in default XAMPP location C:\xampp\apache\crt
Paste there 2 files: cert.conf and make-cert.bat
Now edit cert.conf and Run make-cert.bat
Change {{DOMAIN}} text using the domain we want to use, in this case site.test and save.
Double click the make-cert.bat and input the domain site.test when prompted. And just do enter in other question since we already set the default from cert.conf.
After that, you will see site.test folder created. In that folder we will have server.crt and server.key. This is our SSL certificate.
Double click on the server.crt to install it on Windows so Windows can trust it.
And then Select “Place all certificate in the following store” and click browse and select Trusted Root Certification Authorities.
Edit your host file
5.1 Open notepad as administrator.
5.2 Edit C:\Windows\System32\drivers\etc\hosts (the file have no ext)
5.3 Add this in a new line:
127.0.0.1 site.test
This will tell windows to load XAMPP when we visit http://site.test You can try and it will show XAMPP dashboard page.
Add the site in XAMPP conf.
We need to enable SSL for this domain and let XAMPP know where we store the SSL Cert. So we need to edit C:\xampp\apache\conf\extra\httpd-xampp.conf
And add this code at the bottom:
## site.test
<VirtualHost *:80>
DocumentRoot "C:/xampp/htdocs"
ServerName site.test
ServerAlias *.site.test
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "C:/xampp/htdocs"
ServerName site.test
ServerAlias *.site.test
SSLEngine on
SSLCertificateFile "crt/site.test/server.crt"
SSLCertificateKeyFile "crt/site.test/server.key"
</VirtualHost>
After that, you will need to restart Apache in XAMPP. It’s very simple, simply open XAMPP Control Panel and Stop and re-Start Apache Module.
Restart your browser
Arguably most popular free SSL Provider (and the one I use) will be LetsEncrypt.
Steps for installation will vary based on OS, like this for Ubuntu
You may get free ssl using this link [1]. You need to select the Software that you're using for example Apache and select what operating system you are using in my case I am using Debian 9. If you're unsure about your system, you need to ssh to your server and execute the command "$ cat /etc/*release" if you're using Linux.Once you have selected the correct software and system, it will give you instructions on how to get SSL.
You may follow the instructions here [2] on how to install SSL.
Hope this information helps you.
[1] https://certbot.eff.org/lets-encrypt/debianstretch-apache
[2] https://www.sslshopper.com/apache-server-ssl-installation-instructions.html
The most common solution of free SSL is LetsEncrypt.
LetsEncrypt provides a variety of clients for most OSs. I recommend using the client ACMESharp.
Follow the following steps on Powershell (as described in the official documentation of the project)
1) Install ACMESharp
Import-Module ACMESharp
2) Initialize the vault
Initialize-ACMEVault
3) Create new ACME registration using email
New-ACMERegistration -Contacts mailto:somebody#example.org -AcceptTos
4) Submit the domain identifier
New-ACMEIdentifier -Dns myserver.example.com -Alias dns1
5) Handle the Challenge to Prove Domain Ownership
Pick a method to porve that you own your domain, I recommend HTTP
Challenge.
(Complete-ACMEChallenge dns1 -ChallengeType http-01 -Handler manual).Challenge
If you do not get the challenge details like file path and content in the output , try this:
(Update-ACMEIdentifier dns1 -ChallengeType http-01).Challenges | Where-Object {$_.Type -eq "http-01"}
You'll probably have to allow hidden locations to be accessed via apache, so the challenge can reach .well-known location.
You could use something like the following config, depending on your custom needs (as mentioned in this post as well):
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_FILENAME} !.well-known/
RewriteRule "(^|/)\.(?!well-known)" - [F]
</IfModule>
6) Submit the Challenge Response to Prove Domain Ownership (HTTP method)
Submit-ACMEChallenge dns1 -ChallengeType http-01
The challenge does not get updated instantly so try updating on the results until it's valid.
(Update-ACMEIdentifier dns1 -ChallengeType http-01).Challenges |Where-Object {$_.Type -eq "http-01"}
Once it's valid, try:
Update-ACMEIdentifier dns1
7) Request and Retrieve the Certificate
New-ACMECertificate dns1 -Generate -Alias cert1
Submit-ACMECertificate cert1
The certificate might not be issued instantly so try:
Update-ACMECertificate cert1
Until it's ok.
8) Export the public and private keys
Private key:
Get-ACMECertificate cert1 -ExportKeyPEM "path\to\cert1.key.pem"
Certificate signing request:
Get-ACMECertificate cert1 -ExportCsrPEM "path\to\cert1.csr.pem"
Lets encrypt public certificate:
Get-ACMECertificate cert1 -ExportCertificatePEM "path\to\cert1.crt.pem" -ExportCertificateDER "path\to\cert1.crt"
Issuer's public certificate:
Get-ACMECertificate cert1 -ExportIssuerPEM "path\to\cert1-issuer.crt.pem" -ExportIssuerDER "path\to\cert1-issuer.crt"
You don't practically need all of the above, anyway, but the private key is absolutely necessary so keep it safe.
For more documentation visit the github repo of the project.

Certbot detects incorrect Common Name (CN)

I have multiple virtual hosts on the same server using CentOS 6. After running sudo ./path/to/certbot-auto --apache I have successfully installed a certificate for a website https://domain1.example. Browser confirms that the certificate is issued to Common Name (CN) domain1.example.
However, after repeating the same procedure for domain2.example, browser is warning that the connection is not secure and the certificate is issued to Common Name 192.168.1.5, which is a local IP address of the server. Why isn't the Common Name correctly determined for domain2.example? What could be the reason?
Without https:// the website http://domain2.example is working properly.
It turns out the problem was due to the /etc/httpd/conf.d/ssl.conf file which enables SSL for Apache. Since CentOS loads all Apache conf files in alphabetical order, only those conf files will be using SSL which come after ssl.conf in alphabetical order. All files that come before will not be recognized for SSL.
In my case conf file for domain1.example came after ssl.conf and thus was recognized for SSL. But the conf file for domain2.example was before ssl.conf and therefore was ignored. A simple renaming ssl.conf to 000-ssl.conf put that file on top of the list and all the other files were loaded correctly.

Why do I get browser warnings on my new lets encrypt ssl setup?

I recently successfully installed Letsencrypt, and my site seems to work well with https. When i visit it e.g https://example.com, no errors/warnings appear. However when i visit it with https://www.example.com, (including www) in all browser I get some sort of warning, for example, in chrome:
Your connection is not private
Attackers might be trying to steal your information from
www.example.com (for example, passwords, messages, or credit cards).
NET::ERR_CERT_COMMON_NAME_INVALID
And in opera:
Opera cannot verify the identity of the server "www.example.com", due to a certificate problem. The server could be trying to trick you.
My server runs apache and https works wonderfully when not www. In /etc/letsencrypt/live/www.example.com/ I have:
cert.pem chain.pem fullchain.pem privkey.pem
Would appreciate any help and do ask if you require further detail. Hope this helps others too.
This is saying the cert is not valid for www.example.com.
Could be several reasons for this including:
You didn't specify this when creating the cert and only asked for example.com. Though weird that LetsEncrypt has put it in the www.example.com directory, suggesting you did do this right.
You made a typo in the domain name.
You included the protocol (http/https) in the domain name and/or the port (443). These should not be in the cert request and just the domain name.
You have a separate cert for example.com and www.example.com and have only one configured in Apache. Most sites use the same cert for both and have both versions valid for the domain.
Probably best to view the cert to rule out some of these. This can either be done in the browser by clicking on the green padlock when viewing https://example.com and/or running this command:
openssl x509 -in /etc/letsencrypt/live/www.example.com/cert.pem -text
You can also use the https://www.ssllabs.com/ssltest/ online tool to view your SSL setup (in fact I'd recommend to do this anyway!).
It might be late but the problem is there because you didn't mentioned www.exemple.com in the certbot setup.
to add the domain to your certificate just run this command
sudo certbot --expand -d www.camelges.com
then restart your apache server
if you are on ubuntu service apache2 restart
Reference: https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates
From their post here:
Can I get a certificate for multiple domain names (SAN certificates)?
Yes, the same certificate can apply to several different names using
the Subject Alternative Name (SAN) mechanism. The Let's Encrypt client
automatically requests certificates for multiple names when requested
to do so. The resulting certificates will be accepted by browsers for
any of the domain names listed in them.
If your common name is example.com you will need to set a SAN as www.example.com when generating the certificate request.
Adding to the points from BazzaDP, (From my own experience).
5) if you have virtual configuration files where ServerName is same but ServerAlias is different then you will be getting same err, hence you should change ServerName.
You need to generate certificate for both URL's, by example:
sudo certbot --apache -d mydomain.com,www.mydomain.com

Determine which certificate expired

Knowing that my apache certificates were to expire, I went through the process of renewing them. I got them all in place. My website worked wonderful. Checking the cert from IE showed the new expiration date. Perfect... or so I thought. When the original expiration date hit, I couldn't access the website. My log is showing a Java cert expired. I can't find it on my system.
I've done simple things like find / -name "*.crt" I've gone through our company admin guide. I've checked several websites. But I can't determine where there is an expired cert. Is there a way to get Java to tell you more information about the error?
My system info:
3 servers: FrontEnd, Middleware, DB. Using Apache, Tomcat, ecm. Closed system so I can't copy the log.
Error message from log on FrontEnd:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sun Feb 01 20:44:51 UTC 2015
If you have and apache http server normally the ssl certificate is configured in /etc/httpd/httpd.conf or in a separate file under /etc/httpd directory like /etc/httpd/sites/vhosts_your_site. The property is SSLCertificateFile defined inside a <VirtualHost> tag. You can grep for:
grep -r "SSLCertificateFile" /etc/httpd/
Typically the configuration looks like:
<VirtualHost your_ip:443>
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path_to_your_cds.crt
SSLCertificateKeyFile /path_to_your_private.key
SSLCertificateChainFile /path_to_your_cdschain.crt
...
</VirtualHost>
See the apache documentation for more details.
Could be also possible to configure a ssl certificate in tomcat, however since you've an apache I think that it's more probably the configuration is there.
Anyway if you want to check if the ssl certificate is configured under tomcat check in the $CATALINA_BASE/conf/server.xml file if there is a <connector> with attribute scheme="https".
If your connector uses JSSE the certificate keystore path is in <connector keystoreFile='your_ks_path'>, if you use an ARP connector then is in <connector SSLCertificateFile='your_cert.cer'>.
For more details take a look at tomcat ssl documentation.
Hope this helps,
If you don't you Apache as an SSL Proxy it could be that your Apache is using a certificate which is stored in a Java Keystore File (jks). So you should check for jks files: find / -name "*.jks"