I have trouble installing the ssl certificate in a server.
The vhost file looks like this
`<VirtualHost <ip>:443>
DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/YourIntermediateCertificate.crt
</VirtualHost>`
I have tried SSL checker and the results are as follwing.
the error it shows is
The certificate is not trusted in all web browsers. You may need to
install an Intermediate/chain certificate to link it to a trusted root
certificate. Learn more about this error. The fastest way to fix this
problem is to contact your SSL provider.
An intermediate certificate is already installed. The common name for server in the image should be same as host name. I am not sure why it is "CloudFlare Origin Certificate". Need help in solving this issue. Thanks!!
I have researched and found an answer for this issue.
To resolve the issue we need to enable the proxy for all A, AAAA, and CNAME records using cloudflare dashboard. Below is the explanation for why to enable the proxy.
Normally, the request hit the origin(server) directly and response is served. To encrypt this communication we use SSL certificate. But, the SSL certificate is also used for the identity of the origin server. Here in the above case, no chain certificate file is provided to identify the origin server i.e yourdomain.com, rather the certificate is issued to cloudflare.
After enabling the proxy, the request hits cloudflare and the same request is sent to the origin server, the response from origin server is received by the cloudflare proxy and it is sent to the user. In this way the users browser thinks cloudflare proxy as the origin server and identifies cloudflare since it has its own ssl ( we don't need to bother ).
After enabling proxy, we don't need any chain certificate file to be installed in the origin server. We just need to install the server certificate issued by cloudflare.
Related
I have a server which is hosting a domain named abc.com . I have an SSL certificate installed for this domain on server and abc.com require SSL. Now I have a sub domain say sub.abc.com which is secured by another SSL certificate.
Now this is what I did to bind. Clicked the main site abc.com in IIS and opened bindings. Now in bindings, I added https and for IP Address I gave All Unassigned. For SSL certificate I selected the SSL cert for abc.com.
Again for the sub domain binding I followed same steps but under IP Address I gave the IP (19.xxx.xx.xx) of my server. Under certificate I picked the certificate for sub.abc.com.
Now on a browser if I open sub.abc.com its working fine. But if I load abc.com then the site is loading with warning and its displaying the certificate of sub.abc.com instead of abc.com . In bindings I can confirm that I have mapped to correct certificate.
Not sure whats going wrong here. Any help highly appreciated.
If you are running IIS 8 and above, you can use SNI,
http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability
You may also go for WildCard certificate i.e a certificate issues to *.abc.com for the root domain , this will not only simplify your deployment and will provide adequate security as well.
I want to serve files from A server with cloudflare.
I cannot disable SSL on A server. Simply I pointed my domain to A server. When I type https://example.com chrome says that Your connection is not private.
Is it possible to make cloudflare serve files from A server over http not https?
Or can I make cloudflare to use a different SSL?
CloudFlare has a few different SSL options:
CloudFlare's Flexible SSL will allow communication between the client and CloudFlare over HTTPS whilst the connection from CloudFlare to the origin is over HTTP.
In addition to this, if the certificate is just unsigned but still returns the correct website files you can actually utilise Full SSL (but not Full (Strict)). By contrast Full (Strict) will require a signed certificate from the origin to CloudFlare.
I have a wildcard SSL certificate on my apache server. It works perfectly with my domain, but the mistake is that it works with all the domains on my apache server ! And I don't want it, when I go on https://www.mywebsitewithouthttps.com, firefox tell me that the page is not secure because the certificate is for www.mydomainwithhttps.com. If I add an exception for this SSL error on my browser, it is not "mywebsitewithouthttps.com" that is display but "mydomainwithhttps.com" (on this URL : https://www.mywebsitewithouthttps.com) !
I don't want my certificate to work for all the other domains ! It's a big problem because Google is crawling and indexing all my other domains on HTTPS with the content of mydomainwithhttps.com :-(
This my virtualhost for SSL :
NameVirtualHost *:443
<VirtualHost *:443>
ServerName www.mydomainwithhttps.com
DocumentRoot "/home/mydomainwithhttps/www"
suPHP_Engine On
suPHP_AddHandler x-httpd-php
suPHP_UserGroup mydomainwithhttps users
AddHandler x-httpd-php .php
SSLEngine on
SSLCertificateFile /certificates/ssl_certificate.crt
SSLCertificateKeyFile /certificates/www.mydomainwithhttps.com.key
SSLCACertificateFile /certificates/IntermediateCA.crt
</VirtualHost>
If you make a HTTPS request the client will establish a TCP connection to the relevant IP and port (usually 443) at the server. If the connection succeeded it will start the TLS handshake and during the TLS handshake it will get the certificate for validation.
If you have multiple servers at the same IP address and port they all share the same TCP listener. Since the TCP connection attempt has no information about the targets server name but only has the targets IP address and port the listener will accept all connection attempts, even if the (yet unknown) target hostname has no HTTPS configured.
Modern clients then send the target hostname inside the TLS handshake and only then the server knows what the client wants. If it has HTTPS configured for the requested name the server can send the appropriate certificate. If HTTPS is not configured for this name the server will either send a default certificate or close the connection (maybe send a TLS alert when closing).
In summary this leaves you with the following options:
Use a different IP address for HTTPS sites and non-HTTPS sites. This way the TCP connection will already fail because the server is not listening for connections on this IP:port.
Configure your server to return an error when the client requests a hostname for which no HTTPS is configured. This way the client will probably get some strange error message about HTTPS problem in the browser. I'm not sure but maybe you can setup Apache this way when using the SSLStrictSNIVHostCheck on option. If this option does not help then apache might not support this kind of setup.
Configure your server to use a default certificate (usually the first configured certificate) whenever the name does not match or the client does not support SNI. The client will get a certificate mismatch warning in the browser. This is the setup you currently have.
Setup HTTPS properly for all domains either by having separate certificates or by including them all into a single certificate.
Thus to make sure that the bots don't assume that your site can do HTTPS you need to go with option 1 or 2. Please note also that in all of these cases you expect the bots to support SNI, which not all do. Therefore for best compatibility you would need to use a separate IP address for each HTTPS site.
You can configure the multi domain with SSL and with different certificate on both UBUNTU and RHEL by following multi donain with ssl
The problem is that Apache will try to find config for https://www.mywebsitewithouthttps.com/ and when it doesn't, it will default back to the first https config (the one for mydomainwithhttps).
This will show a cert error but, as you've experienced, if you click through, you see the wrong site.
I cannot however understand Google crawling and indexing the site. I would have thought it would have stopped when it saw the cert error? I'd be very surprised if that is not the case but if it's not you can put a rewrite rule on for those hostname a to redirect back to http.
There's only 2 ways around this:
Get certs for the other domains so you can connect via https. You can still redirect back to http if you really want.
Separate out the servers with https to a different server (or a different IP on the same server and set up Apache config to listen on port 443 on https IP address only).
That's just the way Apache (and most - if not all - other webservers) work.
I am using cloudflare to proxy requests to my server and within my server I have added support for subdomains. The issue is that my server only has an ssl certificate issued to the root domain, but the cloudflare certificate has support for wildcards. Whenever there is a request to the root domain the ssl certificate from cloudflare is used but when I try to access a subdomain my server's certificate is used and I get a nasty the domain is insecure error. Any suggestions as to how I can fix this? There is a CNAME record within cloudflare which has the * name as an alias to my domain.
If you're on a Free CloudFlare account, only browsers with SNI support work. This is so CloudFlare doesn't need to assign an IP for every free client; using a Pro account you can have support for legacy browsers which don't support SNI.
according to this question all HTTP header when we are using HTTPS are encrypted(including request URI and Host header).
when browser want to browse a page on website that using HTTPS, it first create secure connection, then it sends HTTP request(encrypted) and server return the answer to browser. Now assume there are more than one secure website with more than one SSL certificate, so when server want to create secure connection how does it detect which certificate should be used because it doesn't know anything about request!!!
Since the SSL channel is negotiated prior to the reception of the Host header, an HTTPS server can use at most one certificate per bound IP endpoint (IP address and port). In other words, to use two different SSL certificates, you will either need to bind each virtual host to a different port, or a different IP address.
Before TLS the server indeed didn't have a way to know certificate of which host it should present to the client and this caused problems.
In TLS there was a special extension named Server Name introduced (see RFC 3546), which lets the client tell the server, what host the client wants to connect to. Based on contents of this extension the server can present proper certificate. Of course, all of this requires that TLS and the extension itself are supported and used by both parties.
The basis of this is to provide a SSL key(set) for each virtual server.
In Apache, for example, it's relatively simple. Each shared site is likely in a <VirtualHost> directive. The SSL keys can be specified within that, and thus apply to that virtual host only.
Rough example:
<VirtualHost *:443>
ServerName server.com
SSLEngine on
SSLCertificateKeyFile /etc/ssl/server_com.key
SSLCertificateFile /etc/ssl/server_com.crt
SSLCertificateChainFile /etc/ssl/server_com.ca-bundle
The server will then use the specified keys for all requests directed to that site over HTTPS. Further details on the Apache site. Similar things should apply to most web servers that support a concept of virtual hosts.
You won't get any errors, as the certificate and domain name match up.