My hosting (instance) is on EC2 and domain is on Nominalia. I am using ubuntu16.0.4 and Laravel 5.4, I have generated CSR, key file, certificate file and kept on root of server that is /var/www/html
Now I have to place
<VirtualHost *:443>
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /var/www/html/sitename.com.crt
SSLCertificateKeyFile /var/www/html/sitename.com.key
SSLCertificateChainFile /var/www/html/intermediate-ca.crt
</VirtualHost>
I am not getting where I shall keep it. I tried to keep in /etc/apache2/sites-enabled/000-default.conf or /etc/apache2/sites-enabled/default-ssl.conf or /etc/apache2/sites-available/default-ssl.conf but it did not work and I am getting errors
In chrome
This site can’t be reached
and in Mozilla
Secure Connection Failed
Site is working without https
I also tried to keep both "VirtualHost *:443" and "VirtualHost *:80" in /etc/apache2/sites-enabled/000-default.conf but it also did not work. In this case, I am getting "This site can’t be reached"
There are lot of articles that I am reading from few days but not getting how to do final setting so that my site start working after I successfully placed all certificate files.
Recently Chrome stoped accepting self-signed Certificates. You can save a lot of effort using Let's Encrypt SSL Certificates. They are free, but valid for 90 days only. But you can configure auto renewal process, so you don't need to worry, because all things happens behind scenes.
Installation on Ubuntu it's simple:
1. Add repository to apt
sudo add-apt-repository ppa:certbot/certbot
After complete, update apt-get:
sudo apt-get update
2. Install Certbot
Certbot is a client tool for managing certificates from Let's Encrypt.
Run:
sudo apt-get install python-certbot-apache
3. Set up SSL Certificate
sudo certbot --apache -d sitename.com
If your domain could be accessed with www prefix run this command instead:
sudo certbot --apache -d sitename.com -d www.sitename.com
From now Certbot will run automatically via /etc/cron.d to check for expiring certificates.
You can validate process by running:
sudo certbot renew --dry-run.
It's done.
Full documentation for Certbot is here: https://certbot.eff.org/docs/
I have a server running a LAMP stack:
me#server:~$ sudo apachectl -v
Server version: Apache/2.4.10 (Debian)
me#server:~$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
...
On this server I have many two domains - one with SSL and one without SSL - and everything is currently hunky-dory.
I am trying to add SSL to the second site but requests to the second site fail with the issue:
[FIREFOX]
domain2.com uses an invalid security certificate.
The certificate is only valid for the following names: domain1.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN
[CHROME]
NET::ERR_CERT_COMMON_NAME_INVALID
Note 1: I have checked my version of Apache allows multiple SSL sites on the same server.
This leads me to believe that the SSL files being read when domain2.com is called are actually the files relating to domain1.com.
Curiously, if I disable domain1.com using sudo apache dissite domain1, the SSL works just fine on https://domain2.com. This would indicate that the SSL is installed correctly but the sites across the server are not all configured correctly.
The .conf files are below:
me#server:~& cat /etc/apache2/sites-enabled/domain1
[...Port 80 config redacted...]
<VirtualHost *:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/domain1/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain1/key.txt
SSLCertificateChainFile /etc/apache2/ssl/domain1/intermediate.crt
ServerName domain1.com
ServerAlias www.domain1.com
<Directory /var/www/domain1>
[REDACTED]
</Directory>
[Logging information redacted]
</VirtualHost>
me#server:~& cat /etc/apache2/sites-enabled/domain2
[...Port 80 config redacted...]
<VirtualHost *:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/domain2/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain2/key.txt
SSLCertificateChainFile /etc/apache2/ssl/domain2/intermediate.crt
ServerName domain2.com
ServerAlias www.domain2.com
<Directory /var/www/domain2>
[REDACTED]
</Directory>
[Logging information redacted]
</VirtualHost>
So it is clear both sites have the same configuration items applied but relative to the specific SSL files on the server for that site. Note, the SSL bundles for each site are provided from the same vendor.
Further, the certificates should be correct:
me#server:/etc/apache2/ssl/domain1$ openssl x509 -in server.crt -noout -subject
subject= /CN=www.domain1.com
me#server:/etc/apache2/ssl/domain2$ openssl x509 -in server.crt -noout -subject
subject= /CN=www.domain2.com
From all of this, please can some enlighten me as to why requests to domain2.com fail when domain1.com is enabled?
So yeah.. doing the above was all fine and should work.
If it doesn't work, be sure to check the spelling of the ServerName fields and to not work too late at night!
The main idea is i want to upgrade my real webpage to https, but it's in production and i want to make this upgrade in my local server to be sure it's working properly and after that move all changes to production. So i'm trying to create local https website but my browser Google Chrome give me error. I wrote this commands in my linux terminal for creating self signed certificate
sudo openssl req -new -sha256 -out new.ssl.csr
sudo openssl rsa -in privkey.pem -out new.cert.key
sudo openssl x509 -in new.ssl.csr -out new.cert.cert -req -signkey new.cert.key -days 256
sudo cp new.cert.cert /etc/ssl/certs/server.crt
sudo cp new.cert.key /etc/ssl/private/server.key
And i changed my host configuration file like this
VirtualHost *:80
ServerName localsite
DocumentRoot /var/www/localsite
ErrorLog ${APACHE_LOG_DIR}/localsite_error.log
CustomLog ${APACHE_LOG_DIR}/localsite_access.log combined
VirtualHost
VirtualHost *:443
ServerAdmin asdasdasd#asd.asd
ServerName localsite.local
DocumentRoot /var/www/localsite
ErrorLog ${APACHE_LOG_DIR}/localsite_error.log
CustomLog ${APACHE_LOG_DIR}/localsite_access.log combined
SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
VirtualHost
sudo service apache2 restart
And after it i export certificate from my file and import it to Google Chrome and still having ERR_CERT_AUTHORITY_INVALID error. What i'm doing wrong?
I used this tutorial to create a self-signed certificate. It looks like what you did to create one.
I forgot to fill in the Common Name (e.g. server FQDN or YOUR name). You can leave all fields empty, but this one should be answered. In your example, it should be localsite.local.
After creating your certificate, upload it to chrome://settings/certificates and the padlock will turn green.
If you use self signed certificate, browsers will alert you error like that.
So you should use certificate signed by known authorities.
I have ever used letsencrypt.
For that, you should purchase your own domain name for your site at first.
I am trying to set ssl on local host i have follwed the http://madurad.wordpress.com/2014/04/25/redirect-http-to-https-with-wamp-server/ and many others but unable to get success. i stuck in the syntax of httpd-ssl.conf. my apache server get down when i set the
<Directory "c:/wamp/www/">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
SSLOptions +StdEnvVars
</Directory>
i have tried many others like
<Directory "c:/wamp/www/">
SSLOptions +StdEnvVars
</Directory>
what is issue not able to get....
How to Configure WAMPServer to use HTTPS SSL
This is not a trivial process. This tutorial will, hopefully, get SSL working for you.
However getting it configured correctly once it is working is TOTALLY DOWN TO YOU.
Additional reading for all who travel this road
Ok,
I have based this tutorial on the creation of a site called www.wamphelpers.dev So whereever you see that name change it to the site name you are trying to secure.
I started by creating a unsecured site, in \wamp\www\wamphelpers
added a Virtual Host for that site, in \wamp\bin\apache\apache{version}\conf\extra\httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "c:/wamp/www"
ServerName localhost
ServerAlias localhost
<Directory "c:/wamp/www">
AllowOverride All
Require local
</Directory>
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "c:/wamp/www/wamphelpers"
ServerName wamphelpers.dev
ServerAlias www.wamphelpers.dev
<Directory "c:/wamp/www/wamphelpers">
AllowOverride All
Require local
</Directory>
</VirtualHost>
Added its domainname to the C:\windows\system32\drivers\etc\hosts
Some virus checkers block access to the HOSTS file so you may need to disable your virus checker, or configure it not to block the hosts file temporarily.
127.0.0.1 wamphelpers.dev www.wamphelpers.dev
::1 wamphelpers.dev www.wamphelpers.dev
Now restart the dnscache as follows from a command windows launched using 'Run as Administrator'
ipconfig /flushdns
Then created a simple script in \wamp\www\wamphelpers\index.php
<?php
echo 'Hello, this is the WAMPHELPERS.DEV site homepage';
?>
Now to activate the new Virtual Hosts you have defined, edit \wamp\bin\apache\apache{version}\conf\httpd.conf and find this line
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
and remove the # comment character like so
# Virtual hosts
Include conf/extra/httpd-vhosts.conf
Save the file.
Now restart Apache and make sure that your simple unsecured Virtually Hosted site is working before continuing.
The openssl toolkit.
The openssl.exe, ssleay32.dll and libeay32.dll come with, and are located in, the C:\wamp\bin\apache\apachex.y.z\bin folder
This should be all you need to create your self signed certificate !!
HOWEVER: These did not work for me on any of the versions of Apache that I had installed.
I always got this error message.
Where the ordinal number changed depending on the apache version folder I was in.
If you get this error dont worry this is what you need to do.
install the latest version of the OPENSSL TOOLKIT
This can be obtained from here
NOTE: Dont use the V1.1 version yet, the PHP team have not yet compiled PHP with these new linkages, so stick to the V1.0.? versions until they do.
Pick the Latest version of 'Win32 OpenSSLv xxx Light' or 'Win64 OpenSSLv xxx Light' to match your installed version of WAMPServer, as this is all you need.
This will download an .exe file which you can run to install this toolkit.
It will ask the following question, I suggest you answer it like this so you dont end up installing something into C:\windows\system32.
Afterall this is a toolkit and it changes reasonably often. Best to keep these things seperate and not make them system global.
Once that is installed ( to whichever folder you specified in the install )you should be ready to start the process of generating keys and certificates!
Generate keys and Certificates.
STEP 1: Generate an RSA Private Key
First we need to create ourselves a certificate.
The normal (paid for) process is to create your certificate and then pass it to a signing authority.
This is why it costs money, as they have to do, due dilligence, to check that you are who you say you are and that site that you will use the certificate on is real and legitimate.
The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request) to be used for our Certificate.
The first step is to create your RSA Private Key.
This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.
Open up a Command window (Dos box) using [b]Run as Administrator[/b]
Change Directory to where you installed the OpenSSL Toolkit above.
In my case this is
CD c:\apps\OpenSSL-Win32\bin
Make a folder for the output to be put in ( to keep the bin folder tidy ) I used website
md website
Now enter this command:
openssl genrsa -out website\server.key 2048
This should have created a file in the website folder called server.key, without a pass phrase key, check it exists.
Step 2: Generate a CSR (Certificate Signing Request)
During the generation of the CSR, you will be prompted for several pieces of information.
These are the X.509 attributes of the certificate.
One of the prompts will be for "Common Name (e.g. server FQDN or YOUR name) []:".
It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL.
So if the website to be protected will be https://www.wamphelpers.dev, then enter www.wampheplers.dev at this prompt. I used wamphelper.dev as my ServerName is ServerName wamphelpers.dev
Do not enter anything to the question: A challenge password []:] Just press Enter.
If you do enter a passphrase here when you come to start Apache with SSL configured Apache will not start and will give this error message :-
[error] Init: SSLPassPhraseDialog builtin is not supported on Win32
Basically if you do enter a passphrase Apache is supposed to challenge you for that passphrase each time it starts.
This is obviously not going to make your life any easier but primarily on windows it does not actually work and will
cause Apache to crash when it attempts to ask for the passphrase, with the above error.
The command to generate the CSR is as follows:
openssl req -new -key website\server.key -out website\server.csr
Example question and answers:
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]: Hampshire
Locality Name (eg, city) []: Portsmouth
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Wamp Helpers Ltd
Organizational Unit Name (eg, section) []: Information Technology
Common Name (e.g. server FQDN or YOUR name) []: wamphelpers.dev
Email Address []: me#wamphelpers.dev
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ( leave blank just hit the enter key )
An optional company name []: ( leave blank just hit the enter key )
Step 3: Generating a Self-Signed Certificate
At this point you will need to generate a self-signed certificate because
you either don't plan on having your certificate signed by a CA, or you wish to test
your new SSL implementation while the CA is signing your certificate.
PRE - WARNING
This certificate will generate an error in the client browser to the effect that
the signing certificate authority is unknown and not trusted.
This is unavoidable as we are signing the certificate ourselves, but of course the web of trust does not know who we are.
See example later in this document showing how to tell your browser that you actually trust this certificate
openssl x509 -req -days 365 -in website\server.csr -signkey website\server.key -out website\server.crt
Example output:
Loading 'screen' into random state - done
Signature ok
subject=/C=GB/ST=Hampshire/L=Portsmouth/O=WampHelpers Ltd/OU=Information Technology/CN=www.wamphelpers.dev/emailAddress=riggsfolly#wamphelpers.dev
Getting Private key
Step 4: Installing the Private Key and Certificate
Create these 2 directories under the version of Apache you are using.
md c:\wamp\bin\apache\apachex.y.z\conf\ssl.key
md c:\wamp\bin\apache\apachex.y.z\conf\ssl.crt
And copy the file we have just generated into them like so:
copy website\server.crt c:\wamp\bin\apache\apachex.y.z\conf\ssl.crt
copy website\server.key c:\wamp\bin\apache\apachex.y.z\conf\ssl.key
Step 5: Configure Apache to activate SSL
Edit httpd.conf, Check that this line is uncommented
LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Remove the comment '#' from this line also
Include conf/extra/httpd-ssl.conf
Then move that line after this block .... like so
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
Step 6: Configure PHP to activate SSL
Edit your php.ini ( use the wampmanager menus so you edit the correct one )
Remove the comment ';' from this line
extension=php_openssl.dll
Step 7: Configure your secure sites Virtual Host
Yup for all you Virtual Host nay sayers, now you cannot avoid the process.
Edit \wamp\bin\apache\apachex.y.z\conf\extra\httpd-ssl.conf
This file is released by Apache and contains some default file location.
We can leave most of this file as it is, but we need to configure the virtual host in here to match our actual sites location and a few other things so:
find these lines
DocumentRoot "c:/Apache2/htdocs"
ServerName www.example.com:443
ServerAdmin admin#example.com
ErrorLog "c:/Apache2/logs/error.log"
TransferLog "c:/Apache2/logs/access.log"
and change them to
DocumentRoot "c:/wamp/www/wamphelpers"
ServerName wamphelpers.dev:443
ErrorLog "c:/wamp/logs/ssl_error.log"
TransferLog "c:/wamp/logs/ssl_access.log"
Find
SSLCertificateFile "c:/Apache2/conf/server.crt"
and change to
SSLCertificateFile "c:/wamp/bin/apache/apachex.y.x/conf/ssl.crt/server.crt"
Find
SSLCertificateKeyFile "c:/Apache2/conf/server.key"
and change to
SSLCertificateKeyFile "c:/wamp/bin/apache/apachex.y.x/conf/ssl.key/server.key"
Find
<Directory "c:/Apache2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
and change to
Apache 2.2 Syntax
<Directory "c:/wamp/www/wamphelpers">
SSLOptions +StdEnvVars
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 localhost ::1
</Directory>
Apache 2.4 Syntax
<Directory "c:/wamp/www/wamphelpers">
SSLOptions +StdEnvVars
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require local
</Directory>
Find
SSLSessionCache "shmcb:c:/Apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
and change it to
SSLSessionCache "shmcb:c:/wamp/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
Find
CustomLog "c:/Apache24/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
and change to
CustomLog "c:/wamp/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Basically look through the conf file and any command that is not commented out, but has a reference to a file or folder
should be changed to reference the WAMPServer folder structure and not 'C:/Apache2....'
Now make sure all these files we have changed are saved, and restart Apache using the wampmanager menus.
First test that the unprotected site is still working.
Then try using your new protected site by adding the 'https://' to the front of the domain name
i.e. https://www.wamphelpers.dev without the single quotes of course.
If Apache does not restart you have probably spelt something wrong. Test the configs like so :-
Open a command window
cd \wamp\bin\apache\apachex.y.z\bin
httpd -t
This will parse all the config files and should give you a file name and a line number where an error has been found.
Fix it and try again.
First access to your site will generate a message page something like this.
This is using FireFox, others will be slightly different, but the concept it the same.
This is because your certificate is not signed by a trusted authority, DONT PANIC, this is supposed to happen.
Click on, 'I Understand the risk' and that will show you a button saying 'Add Exception'
Press the Add Exception button, after checking that the certificates site details are in fact yours,
and you will not see this message again unless you clear the exception list.
BIG NOTE
As of Apache v2.2.12 and OpenSSL v0.9.8j it is now possible to secure more than one site per Apache instance.
This tutorial does not cover that process.
See here for more details:
Here
and Here
and Here
And like I said at the top, now you need to do some reseach on all the options available in the SSL config and make thing work as you want rather than using the default.
It is necessary activate the module LoadModule socache_shmcb_module modules/mod_socache_shmcb.so in the file httpd.conf in wampserver 2.5. If not apache throws the next message:
AH00526: Syntax error on line 75 of C:/wamp/bin/apache/apache2.4.9/conf/extra/httpd-ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
If you have the error something like this:
Cannot load modules/mod_ssl.so into server: The specified module could
not be found.
You may want to try to searching libeay32.dll in your wamp folder, you probably find it in {wamp folder}/bin/php/php{version 7}/
Copy libeay32.dll and ssleay32.dll and paste them into {wamp folder}/bin/apache/apache{version 2.x}/bin/ AND {wamp folder}/bin/php/php{verion 5.x}. MAKE SURE you backup anything you are placing.
run httpd -t and test the syntax
NOTE: I believe it is due to the mistake in apache openssl part for wamp 3.0.6. Fortunately in php7 folder those dlls are compatible for the apache and php5.
#RiggsFolly:
some small errors/typos/additions in your tutorial. Below is used in combination with WAMPServer 2.5 64bits (Apache 2.4.9 and PHP 5.5.12) on Windows 7 SP1 64bits:
-httpd-vhosts.conf is located in extra/httpd-vhosts.conf
-when you try to edit your hosts file be sure to disable any virusscanner. Some of them block access to hosts file.
-be sure to open your texteditor as administrator when editing your hosts file or else you get an error trying to save.
-don't forget to remove # at the beginning of the host line if any
-if you use WAMPServer 64bit be sure to download the 64bit version of OpenSSL
-the step openssl genrsa -out website\server.key 2048
creates a server.key file and not a privkey.pem!
-file \wamp\bin\apache\apachex.y.z\conf\httpd-ssl.conf is located at \wamp\bin\apache\apachex.y.z\conf\extra\httpd-ssl.conf (maybe this depends on the WAMPServer version)
-I had to use different ports for http (80->8080) and https(443->444) as these ports where used by I think Skype. When you use different ports be sure to use these everywhere you see 80 or 443 in this tutorial
-I also had to enable socache_shmcb_module. The "httpd -t" also mentioned this.
#RiggsFolly: Self-signed certificate with key could be easily generated for example here... http://www.selfsignedcertificate.com/, so I could start the tutorial from step 4 (I also had standard :80 virtual server running).
Anyways some mentioned things were already enabled in default WAMP installation (I guess it changes from version to version), but the rest helped me a lot. And actually one thing was missing... I also had to uncomment the following line in "httpd.conf"
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
If you have the error :
Cannot load modules/mod_ssl.so into server: The operating system
cannot run %1
Then you have to :
Install Win32 OpenSSL here http://slproweb.com/products/Win32OpenSSL.html
Copy / paste libeay32.dll, ssleay32.dll into your wamp php bin folder (C:\wamp64\bin\php\php5.6.19)
Restart apache
Note: Tested on Wamp server 3
Before all:
1).Shutdown WAMP and proceed to C:\wamp\scripts\config.inc.php move from array libeay32.dll,ssleay32.dll, lines 133,139
2).Install OpenSSL from official site,pay attention on version of the your OS x64 or not.
Command prompt:
3).cd C:\wamp\bin\apache\apache2.4.23\bin
4). openssl req -new > localhost.csr
5). openssl rsa -in privkey.pem -out localhost.key
6). openssl x509 -in localhost.csr -out localhost.crt -req -signkey localhost.key -days 365 -sha256 -extfile v3.ext
Update: from Chrome 58 we will need to provide Subject Alternative Name.
This name we can obtain from extension file v3.ext:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = #alt_names
[alt_names]
DNS.1 = 127.0.0.1
DNS.2 = localhost
Very important in Common Name to insert 'localhost'
7).Grab localhost.key and localhost.crt and put them to C:\wamp\bin\apache\apache2.4.23\conf\key (sure,before create appropriate directory)
Configuration:
8).enable in C:\wamp\bin\apache\apache2.4.23\bin\php.ini and
C:\wamp\bin\php\php5.6.25\php.ini extension=php_openssl.dll
9).proceed to C:\wamp\bin\apache\apache2.4.23\conf\httpd.conf and uncomment:
LoadModule ssl_module modules/mod_ssl.so,
Include conf/extra/httpd-ssl.conf,
Include conf/extra/httpd-vhosts.conf,
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
10). proceed to C:\wamp\bin\apache\apache2.4.23\conf\extra\httpd-ssl.conf
and make changes :
SSLSessionCache "shmcb:c:/wamp/bin/apache/apache2.4.23/logs/ssl_scache(512000)" ,
SSLSessionCacheTimeout 300,
VirtualHost _default_:443,
DocumentRoot "c:/wamp/www/",
ServerName localhost:443,
ErrorLog "c:/wamp/bin/apache/apache2.4.23/logs/ssl_error.log"
, (create file if not exists)
TransferLog "c:/wamp/bin/apache/apache2.4.23/logs/access.log",
SSLCertificateFile "c:/wamp/bin/apache/apache2.4.23/conf/key/localhost.crt",
SSLCertificateKeyFile "c:/wamp/bin/apache/apache2.4.23/conf/key/localhost.key",
<Directory "c:/wamp/www/">
SSLOptions +StdEnvVars
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require local
</Directory>
,
CustomLog "c:/wamp/bin/apache/apache2.4.23/logs/ssl_request.log"
Certificate handling:
11).press Win+R and insert 'certmgr.msc',import servercert.crt into 'Trusted Root Certificated Authorities'
12). Check your server in command prompt 'httpd -t' should be 'Syntax OK'
13). Launch Wamp and proceed to link https://localhost
I am hope this will help
Note: please read this article about Mozilla behavior :
https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
I was asked to set up HTTPS with a self-signed cert on Apache on localhost, but how do I actually do that? I have no idea at all.
I've just attempted this - I needed to test some development code on my localhost Apache on Windows. This was WAAAY more difficult than it should be. But here are the steps that managed to work after much hairpulling...
I found that my Apache install comes with openssl.exe which is helpful. If you don't have a copy, you'll need to download it. My copy was in Apache2\bin folder which is how I reference it below.
Steps:
Ensure you have write permissions to your Apache conf folder
Open a command prompt in Apache2\conf folder
Type
..\bin\openssl req -config openssl.cnf -new -out blarg.csr -keyout blarg.pem
You can leave all questions blank except:
PEM Passphrase: a temporary password such as "password"
Common Name: the hostname of your server
When that completes, type
..\bin\openssl rsa -in blarg.pem -out blarg.key
Generate your self-signed certificate by typing:
..\bin\openssl x509 -in blarg.csr -out blarg.cert -req -signkey blarg.key -days 365
Open Apache's conf\httpd.conf file and ensure SSL module is enabled - there should be no hash at the start of this line:
LoadModule ssl_module modules/mod_ssl.so
Some Apache installations place the SSL config in a separate file. If so, ensure that the SSL conf file is being included. In my case I had to uncomment this line:
Include conf/extra/httpd-ssl.conf
In the SSL config httpd-ssl.conf I had to update the following lines:
Update SSLSessionCache "shmcb:C:\Program Files (x86)\Zend\Apache2/logs/ssl_scache(512000)" to SSLSessionCache "shmcb:C:/Progra\~2/Zend/Apache2/logs/ssl_scache(512000)"
(The brackets in the path confuse the module, so we need to escape them)
DocumentRoot - set this to the folder for your web files
ServerName - the server's hostname
SSLCertificateFile "conf/blarg.cert"
SSLCertificateKeyFile "conf/blarg.key"
Restart Apache.
Try loading https://localhost/ in your browser.
Hopefully you made it this far. Feel free to update this post with any other helpful info.
(Screenshots courtesy of Neil Obremski and his helpful article - although now quite out-of-date.)
I use ngrok (https://ngrok.com/) for this.
ngrok is a command line tool and create a tunnel for localhost. It creates both http and https connection.
After downloading it, following command needs to be run :
ngrok http 80
( In version 2, the syntax is : ngrok http 80 . In version 2, any port can be tunneled. )
After few seconds, it will give two urls :
http://a_hexadecimal_number.ngrok.com
https://a_hexadecimal_number.ngrok.com
Now, both the urls point to the localhost.
here is simplest way to do this
first copy these server.crt & server.key files (find in attachment ) into your apache/conf/ssl directory
then open httpd.conf file & add following line
Listen 80
Listen 443
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:443>
DocumentRoot "d:/wamp/www" #your wamp www root dir
ServerName localhost
SSLEngine on
SSLCertificateFile "d:/wamp/bin/apache/Apache2.4.4/conf/ssl/server.crt"
SSLCertificateKeyFile "d:/wamp/bin/apache/Apache2.4.4/conf/ssl/server.key"
</VirtualHost>
In order to protect the security of information being sent to and from your web server, it's a good idea to enable encryption of the communication between clients and the server. This is often called SSL.
So let's set up HTTPS with a self-signed certificate on Apache2. I am going to list the steps which you should follow:
Install apache2 web-server on your machine. For linux machine open the terminal and type
sudo apt-get install apache2
After successful installation check the status of apache2 service by executing command
sudo service apache2 status
It should output
Navigate to browser and type
http://localhost:80
Verify that you get default page for apache2 like this.
For encrypting a web connection we need certificate from CA (certificate authority) or we can use self signed certificates. Let's create a self signed certificate using the following command.
openssl req -x509 -newkey rsa:2048 -keyout mykey.key -out mycert.pem -days 365 -nodes
Please fill the information accordingly as shown below.
mykey.key and mycert.pem should be created in your present working directory.
It would be nice we if move certificates and keys at a common place and it will be easy for apache2 web server to find them. So let's execute the following commands
sudo cp mycert.pem /etc/ssl/certs
sudo cp mykey.key /etc/ssl/private
Let's enable the SSL mode on your server
sudo a2enmod ssl
It should output like this
Let's configure apache2 to use self signed certificate and key which we have generated above.
sudo vi /etc/apache2/sites-available/default-ssl.conf
Please find these two lines and replace them with your cert and key paths.
Initial
Final
Enable the site
cd /etc/apache2/sites-available/
sudo a2ensite default-ssl.conf
Restart the apache2 service
sudo service apache2 restart
Verify the apache2 web-server on HTTPS. Open your browser again and type
https://localhost:443
It should output something like this with a warning that page you are about to view is not secure because we have configured the server with self-signed certificate.
Congratulations you have configured your apache2 with HTTPS endpoint, now click on advanced --> add exception --> confirm security exception, you will see the default page again.
Windows + Apache 2.4, for example:
uncomment ssl_module in your httpd.conf file.
LoadModule ssl_module modules/mod_ssl.so
listen 443 port just like 80 port in your httpd.conf file.
Listen 80
Listen 443
uncomment Include Virtual hosts in your httpd.conf file.
# Virtual hosts
Include conf/extra/httpd-vhosts.conf
add VirtualHost in your conf/extra/httpd-vhosts.conf
<VirtualHost _default_:443>
DocumentRoot "D:/www" #your site directory path
ServerName localhost
#ServerAlias localhost.com localhost2.com
SSLEngine on
SSLCertificateFile "${SRVROOT}/conf/ssl/server.crt"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server.key"
<Directory "D:/www">
Options -Indexes +FollowSymLinks +ExecCGI
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
only the port number 443 and SSL...... lines are different from normal http config.
save you config file and restart apache service. then you can visit https://localhost/
The web browser will warn you that it's unsafe at the first time, just choose go on.
2021 Update
I’m posting this answer since I struggled with this myself and Chrome updated their security with requiring Subject Alternative Name which a lot of posts do not have as it was not required when they were posted as an answer. I’m assuming that WAMP is already installed.
STEP 1
Download OpenSSL Light and install
**STEP 2 (Optional)**
Although this part is optional, but it makes it easier later to execute commands. If you skip this step, you’ll have to provide full path to openssl.exe where you will execute the command. If you prefer to set it then update the openssl.exe path in Environment Variables.
Environment Variables -> System Variables -> Path -> Edit -> New ->
c:\Program Files\OpenSSL-Win64\bin
**STEP 3**
Create a folder named “key” in the c:/wamp64/bin/apache/apache2.4.27(your version number)/conf/ directory.
Create configuration file for your CA MyCompanyCA.cnf with contents (you can change it to your needs):
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = root_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ root_ca ]
basicConstraints = critical, CA:true
Create the extensions configuration file MyCompanyLocalhost.ext for your web server certificate:
subjectAltName = #alt_names
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = localhost
DNS.2 = mycy.mycompany.com
**STEP 4**
Execute these commands in the given order to generate the key and certificates:
openssl req -x509 -newkey rsa:2048 -out MyCompanyCA.cer -outform PEM -keyout MyCompanyCA.pvk -days 10000 -verbose -config MyCompanyCA.cnf -nodes -sha256 -subj "/CN=MyCompany CA"
openssl req -newkey rsa:2048 -keyout MyCompanyLocalhost.pvk -out MyCompanyLocalhost.req -subj /CN=localhost -sha256 -nodes
openssl x509 -req -CA MyCompanyCA.cer -CAkey MyCompanyCA.pvk -in MyCompanyLocalhost.req -out MyCompanyLocalhost.cer -days 10000 -extfile MyCompanyLocalhost.ext -sha256 -set_serial 0x1111
As a result, you will have MyCompanyCA.cer, MyCompanyLocalhost.cer and MyCompanyLocalhost.pvk files.
**STEP 5**
Install MyCompanyCA.cer under
Control Panel -> Manage User Certificates -> Trusted Root
Certification Authorities -> Certificates
To install MyCompanyLocalhost.cer just double click it.
**STEP 6**
Open c:/wamp64/bin/apache/apache2.4.27(your version number)/conf/httpd.conf and un-comment (remove the #) the following 3 lines:
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
**STEP 7**
Open c:/wamp64/bin/apache/apache2.4.37/conf/extra/httpd-ssl.conf and change all the parameters to the ones shown below:
Directory "c:/wamp64/www"
DocumentRoot "c:/wamp64/www"
ServerName localhost:443
ServerAdmin admin#example.com
ErrorLog "c:/wamp64/bin/apache/apache2.4.27/logs/error.log"
TransferLog "c:/wamp64/bin/apache/apache2.4.27/logs/access.log"
SSLCertificateFile "c:/wamp64/bin/apache/apache2.4.27/conf/key/MyCompanyLocalhost.cer"
SSLCertificateKeyFile "c:/wamp64/bin/apache/apache2.4.27/conf/key/MyCompanyLocalhost.pvk"
SSLSessionCache "shmcb:c:/wamp64/bin/apache/apache2.4.27/logs/ssl_scache(512000)"
CustomLog "c:/wamp64/bin/apache/apache2.4.27/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Note: This is the tricky part. If you make any small mistake while editing this file, SSL won’t work. Make a copy of it before you edit it.
**STEP 8**
Restart Wamp and Chrome. Localhost is now secure: https://localhost
It's actually quite easy, assuming you have an openssl installation handy. (What platform are you on?)
Assuming you're on linux/solaris/mac os/x, Van's Apache SSL/TLS mini-HOWTO has an excellent walkthrough that I won't reproduce here.
However, the executive summary is that you have to create a self-signed certificate. Since you're running apache for localhost presumably for development (i.e. not a public web server), you'll know that you can trust the self-signed certificate and can ignore the warnings that your browser will throw at you.
Running Apache on Windows 10 here. I couldn't get Chrome to trust the certificate made in the top answer by Simon. What I ended up doing was using PowerShell to generate a self signed certificate.
Step 1 - Generate Self-Signed certificate
In PowerShell
New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My" 1
Step 2 - Configure and Export Certificate
Type Certificate into the Windows search bar, click the Manage Computer Certificates control panel item that is suggested.
From the Certificate Management program that comes up (certlm), you should now see a localhost key under Personal >> Certificates.
I copied this certificate into Trusted Root Certification Authorities. I'll be honest in that I'm not sure if that's necessary.
Selecting the newly copied certificate, double click on it (the localhost certificate). From the Certificate modal, click the Details tab, then the Copy to File... button.
This will bring up and Export Wizard, I chose to export the private key, click next. I also chose to Export all extended properties (again, I'm not certain if that was necessary). I chose to use a simple password (pass) and the default encryption.
Choose a folder to export to and name the file. You can always move and rename the file if necessary. For simplicity's sake let's copy it to your conf folder under your Apache installation (In my case: C:\apache\conf) and name the file myCert (the resulting file will be a .pfx file)
Step 3 - Convert .pfx file for use with Apache
From here I basically followed the tutorial here, but I'll add instructions here (tweaked for our settings) in case that site goes down.
Open your Command Prompt in the /apache/conf/ folder
Run the following commands: Note: This assumes you have openssl.exe in the bin folder in the apache root folder (this should be standard/default)
..\bin\openssl pkcs12 -in myCert.pfx -nocerts -out privateKey.pem
This will prompt you for a password, enter what you input for Step 2 when you exported the .pfx file. In my case, this is pass. I entered the same password for the PEM phrase and again to verify. This will create a new file called privateKey.pem in your conf folder.
Then, run
..\bin\openssl rsa -in privateKey.pem -out private.pem
Again you will be prompted for a password (Enter pass phrase for privateKey.pem:), use the password you set for privateKey.pem. (In my case, pass)
You should see a message that says writing RSA key and a new file called private.pem in your conf/ folder. This will be your SSLCertificateKeyFile.
Now to generate the corresponding Server Certificate. Run:
..\bin\openssl pkcs12 -in myCert.pfx -clcerts -nokeys -out EntrustCert.pem
This will prompt you for a password, enter what you input for Step 2 when you exported the .pfx file. Enter it and you will now have a file called EntrustCert.pem in your conf folder. This is your SSLCertificateFile
Step 4 - Configure httpd.conf
Use the new files created as you server's key and certificate. Be sure to change your document root to where your files are!
ServerName localhost:80
Protocols h2 h2c http/1.1
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<VirtualHost _default_:443>
ServerName localhost:443
DocumentRoot ${SRVROOT}/htdocs/MYSITE
SSLEngine on
SSLCertificateFile "${SRVROOT}/conf/EntrustCert.pem"
SSLCertificateKeyFile "${SRVROOT}/conf/private.pem"
</VirtualHost>
Also in httpd.conf:
Make sure LoadModule ssl_module modules/mod_ssl.so is uncommented (no # in front)
Uncomment LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Uncomment LoadModule http2_module modules/mod_http2.so
Uncomment Include conf/extra/httpd-ssl.conf (NOTE: Ensure that's where the file is!)
I also have curl and open ssl libraries included:
# load curl and open ssl libraries
LoadFile "C:\php\libeay32.dll"
LoadFile "C:\php\ssleay32.dll"
LoadFile "C:\php\libssh2.dll"
These modules shouldn't be necessary, but I'll note that I have them enabled:
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule filter_module modules/mod_filter.so
LoadModule deflate_module modules/mod_deflate.so
Step 5 - Config httpd-ssl.conf
In the extra/ folder in the conf/ folder you should see a file called httpd-ssl.conf.
5a. Change the DocumentRoot -
Change the DocumentRoot from the default to the directory where your files are.
5b. Change the ServerName -
Change the ServerName from the default (something like www.example.com:443) to localhost:443
5c. Change the SSLCertificateFile
Change the SSLCertificateFile from the default (${SRVROOT}/conf/server.crt) to ${SRVROOT}/conf/EntrustCert.pem
5c. Change the SSLCertificateKeyFile
Change the SSLCertificateKeyFile from the default (${SRVROOT}/conf/server.key) to ${SRVROOT}/conf/private.pem
All together, in the <VirtualHost _default_:443> tag.
# General setup for the virtual host
DocumentRoot "${SRVROOT}/htdocs/MYSITE"
ServerName localhost:443
ServerAdmin admin#example.com
ErrorLog "${SRVROOT}/logs/error.log"
TransferLog "${SRVROOT}/logs/access.log"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
SSLCertificateFile "${SRVROOT}/conf/EntrustCert.pem"
#SSLCertificateFile "${SRVROOT}/conf/server-dsa.crt"
#SSLCertificateFile "${SRVROOT}/conf/server-ecc.crt"
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "${SRVROOT}/conf/private.pem"
#SSLCertificateKeyFile "${SRVROOT}/conf/server-dsa.key"
#SSLCertificateKeyFile "${SRVROOT}/conf/server-ecc.key"
Restart Apache
After making these changes you should be able to restart Apache and navigate to https://localhost without a security warning and a little padlock!
I hope this helps someone! 😊
Sources:
1.) Auri Rahimzadeh's answer on creating a self-signed certificate
2.) Entrust Datacard - How do I convert a .pfx to be used with an Apache server?
This should be work Ubuntu, Mint similar with Apache2
It is a nice guide, so following this
https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04
and leaving your ssl.conf like this or similar similar
<VirtualHost _default_:443>
ServerAdmin your#email.com
ServerName localhost
ServerAlias www.localhost.com
DocumentRoot /var/www
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
you can get it.
Hope this help for linuxer
It's very simple,
just run the following commands
sudo a2enmod ssl
sudo service apache2 restart
sudo a2ensite default-ssl.conf
That's it, you are done.
If you want to force SSL (to use https always), edit the file:
sudo nano /etc/apache2/sites-available/000-default.conf
and add this one line
<VirtualHost *:80>
. . .
Redirect "/" "https://your_domain_or_IP/"
. . .
</VirtualHost>
then restart again
sudo service apache2 restart
This HowTo for CentOS was easy to follow and only took about 5 minutes: https://wiki.centos.org/HowTos/Https
I won't detail each step here, but the main steps are:
1.) Install the openssl module for apache, if not already installed
2.) Generate a self-signed certificate
--At this point, you should be able to visit https://localhost successfully
3.) Set up a virtual host if needed
This worked on Windows 10 with Apache24:
1 - Add this at the bottom of C:/Apache24/conf/httpd.conf
Listen 443
<VirtualHost *:443>
DocumentRoot "C:/Apache24/htdocs"
ServerName localhost
SSLEngine on
SSLCertificateFile "C:/Apache24/conf/ssl/server.crt"
SSLCertificateKeyFile "C:/Apache24/conf/ssl/server.key"
</VirtualHost>
2 - Add the server.crt and server.key files in the C:/Apache24/conf/ssl folder. See other answers on this page to find those 2 files.
That's it!
tl;dr
ssh -R youruniquesubdomain:80:localhost:3000 serveo.net
And your local environment can be accessed from https://youruniquesubdomain.serveo.net
Serveo is the best
No signup.
No install.
Has HTTPS.
Accessible world-wide.
You can specify a custom fix, subdomain.
You can self host it, so you can use your own domain, and be future proof, even if the service goes down.
I couldn't believe when I found this service. It offers everything and it is the easiest to use. If there would be such an easy and painless tool for every problem...
I'd like to add something to the very good answer of #CodeWarrior, that works perfectly on Chrome, but for Firefox needs an additional step.
Since Firefox does not thrust CA Certificates that Windows does by default, you need to go on about:config, scroll down to security.enterprise_roots.enabled and change it to true.
Now your certificate should be seen as valid also on Firefox.
Of course this is only for development purposes, since ssl trust is a critical security concern and change this settings only if you know the implications.
Another simple method is using Python Server in Ubuntu.
Generate server.xml with the following command in terminal:
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
Note: Assuming you have openssl installed.
Save below code in a file named simple-https-server.py in any directory you want to run the server.
import BaseHTTPServer, SimpleHTTPServer
import ssl
httpd = BaseHTTPServer.HTTPServer(('localhost', 4443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
httpd.serve_forever()
Run the server from terminal:
python simple-https-server.py
Visit the page at:
https://localhost:4443
Extra notes::
You can change the port in simple-https-server.py file in line
httpd = BaseHTTPServer.HTTPServer(('localhost', 4443), SimpleHTTPServer.SimpleHTTPRequestHandler)
You can change localhost to your IP in the same line above:
httpd = BaseHTTPServer.HTTPServer(('10.7.1.3', 4443), SimpleHTTPServer.SimpleHTTPRequestHandler)
and access the page on any device your network connected. This is very handy in cases like "you have to test HTML5 GeoLocation API in a mobile, and Chrome restricts the API in secure connections only".
Gist: https://gist.github.com/dergachev/7028596
http://www.piware.de/2011/01/creating-an-https-server-in-python/
For those using macOS this is a great guide https://getgrav.org/blog/macos-sierra-apache-multiple-php-versions to set up your local web dev environment. In its 3rd part https://getgrav.org/blog/macos-sierra-apache-ssl Andy Miller explains how to set up apache with a self-signed certificate:
This is the key command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
But there are a few steps you need to follow, so check that out and good luck! ;)