Using Apache I created an HTTPS site that contains a folder called secure [which I want to access with user and password] and another folder called verysecure [which I want to access with certificate authentication].
When I access the site using https://www.example.com I get the default index.html file located in the root, as would be expected. When I access https://www.example.com/secure/ I provide the user and password and get the index.html file located in that folder. When I access https://www.example.com/verysecure/ the certificate popup window allows me to choose the certificate that I want to use and upon doing so I get the index.html file located in that folder.
How can I configure Nginx so that the certificate chooser pop up window comes only when I access https://www.example.com/verysecure/ and not when I access https://www.example.com/ or https://www.example.com/secure/ ?
According to this thread from the official nginx development forum, you can't (although this thread is almost 10 years old, SSL/TLS re-handshake is still not supported by nginx). The only workaround suggested by Igor Sysoev is to use optional client certificate verification
ssl_verify_client optional;
and then checking the $ssl_client_verify variable value:
location /verysecure/ {
    if ($ssl_client_verify != SUCCESS) {
        # deny client
        return 403;
        # or process the request on some internal location, see
        # http://nginx.org/en/docs/http/ngx_http_core_module.html#internal
        # rewrite ^ /internal last;
    }
    ...
}
However, using this workaround the certificate chooser window will pop up (only for clients who have the correct certificate installed) during the initial TLS handshake, not only on visiting the /verysecure/ URI.
I know importing the certificate into browser trust store can dismiss the warning, but is it the only workaround? Is it possible using a domain (with a valid SSL) to reverse proxy the localhost web server: redirecting user's request to the localhost?
If you have an external domain and a valid certificate for it (i.e. both certificate and key) you could configure your localhost server to serve this domain and use this certificate. To make sure that any local requests to this domain actually reach your local server instead of the external IP you need the appropriate name resolution though. This can be done for example by modifying the hosts file (i.e. /etc/hosts on UNIX, c:\Windows\System32\Drivers\etc\hosts on Windows).
In other words:
Configure the local web server to expect requests for example.com instead of localhost, i.e. set certificate and key you have for example.com and configure the expected name to example.com.
Modify the local hosts file to resolve example.com with 127.0.0.1.
Access the local web server with the local browser by using the URL https://example.com. Due to the changed local hosts file it will use 127.0.0.1 as the IP address for example.com and thus access the local web server. This will provide the publicly trusted certificate for example.com so that the browser will not complain (issuer CA is trusted and subject of certificate matches the URL).
Remember to change your local hosts file back if you want to access the real (external) example.com.
I have a sub-domain I want to install a valid SSL (possibly free SSL). I used to access my website through the public address of my server. Now I am using subdomain to access my website. I want to add a valid SSL to my server to secure my website. I am using XAMPP. How can I install SSL properly because when I access my website using HTTPS I am getting a NET::ERR_CERT_AUTHORITY_INVALID and where can I get a valid SSL Certificate?
The most popular free SSL certificate you can get is from letsencrypt.
Then here are the steps to get your certificate working on a localhost machine (XAMPP):
1. Create a new folder crt in the default XAMPP location C:\xampp\apache\crt
Paste 2 files there: cert.conf and make-cert.bat
2. Now edit cert.conf and run make-cert.bat
Change the {{DOMAIN}} text to the domain we want to use, in this case site.test, and save.
Double click make-cert.bat and input the domain site.test when prompted. Just press Enter for the other questions, since we already set the defaults in cert.conf.
3. After that, you will see a site.test folder created. In that folder we will have server.crt and server.key. This is our SSL certificate.
4. Double click server.crt to install it on Windows so Windows can trust it.
Then select "Place all certificates in the following store", click Browse and select Trusted Root Certification Authorities.
5. Edit your hosts file
5.1 Open Notepad as administrator.
5.2 Edit C:\Windows\System32\drivers\etc\hosts (the file has no extension)
5.3 Add this on a new line:
127.0.0.1 site.test
This will tell Windows to load XAMPP when we visit http://site.test. You can try it and it will show the XAMPP dashboard page.
6. Add the site in the XAMPP conf.
We need to enable SSL for this domain and let XAMPP know where we store the SSL cert. So we need to edit C:\xampp\apache\conf\extra\httpd-xampp.conf
and add this code at the bottom:
## site.test
<VirtualHost *:80>
DocumentRoot "C:/xampp/htdocs"
ServerName site.test
ServerAlias *.site.test
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "C:/xampp/htdocs"
ServerName site.test
ServerAlias *.site.test
SSLEngine on
SSLCertificateFile "crt/site.test/server.crt"
SSLCertificateKeyFile "crt/site.test/server.key"
</VirtualHost>
After that, you will need to restart Apache in XAMPP. It's very simple: open the XAMPP Control Panel and Stop and re-Start the Apache module.
7. Restart your browser
Arguably the most popular free SSL provider (and the one I use) is LetsEncrypt.
Steps for installation will vary based on OS, like this for Ubuntu
You may get free SSL using this link [1]. You need to select the software that you're using, for example Apache, and select what operating system you are using; in my case I am using Debian 9. If you're unsure about your system, you need to ssh to your server and execute the command "$ cat /etc/*release" if you're using Linux. Once you have selected the correct software and system, it will give you instructions on how to get SSL.
You may follow the instructions here [2] on how to install SSL.
Hope this information helps you.
[1] https://certbot.eff.org/lets-encrypt/debianstretch-apache
[2] https://www.sslshopper.com/apache-server-ssl-installation-instructions.html
The most common solution for free SSL is LetsEncrypt.
LetsEncrypt provides a variety of clients for most OSs. I recommend using the client ACMESharp.
Follow these steps in PowerShell (as described in the official documentation of the project):
1) Install ACMESharp
Import-Module ACMESharp
2) Initialize the vault
Initialize-ACMEVault
3) Create new ACME registration using email
New-ACMERegistration -Contacts mailto:somebody@example.org -AcceptTos
4) Submit the domain identifier
New-ACMEIdentifier -Dns myserver.example.com -Alias dns1
5) Handle the Challenge to Prove Domain Ownership
Pick a method to prove that you own your domain; I recommend the HTTP challenge.
(Complete-ACMEChallenge dns1 -ChallengeType http-01 -Handler manual).Challenge
If you do not get the challenge details like file path and content in the output , try this:
(Update-ACMEIdentifier dns1 -ChallengeType http-01).Challenges | Where-Object {$_.Type -eq "http-01"}
You'll probably have to allow hidden locations to be accessed via Apache, so the challenge can reach the .well-known location.
You could use something like the following config, depending on your custom needs (as mentioned in this post as well):
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_FILENAME} !.well-known/
RewriteRule "(^|/)\.(?!well-known)" - [F]
</IfModule>
6) Submit the Challenge Response to Prove Domain Ownership (HTTP method)
Submit-ACMEChallenge dns1 -ChallengeType http-01
The challenge does not get updated instantly, so keep checking the results until it's valid.
(Update-ACMEIdentifier dns1 -ChallengeType http-01).Challenges |Where-Object {$_.Type -eq "http-01"}
Once it's valid, try:
Update-ACMEIdentifier dns1
7) Request and Retrieve the Certificate
New-ACMECertificate dns1 -Generate -Alias cert1
Submit-ACMECertificate cert1
The certificate might not be issued instantly, so try:
Update-ACMECertificate cert1
until it's OK.
8) Export the public and private keys
Private key:
Get-ACMECertificate cert1 -ExportKeyPEM "path\to\cert1.key.pem"
Certificate signing request:
Get-ACMECertificate cert1 -ExportCsrPEM "path\to\cert1.csr.pem"
Lets encrypt public certificate:
Get-ACMECertificate cert1 -ExportCertificatePEM "path\to\cert1.crt.pem" -ExportCertificateDER "path\to\cert1.crt"
Issuer's public certificate:
Get-ACMECertificate cert1 -ExportIssuerPEM "path\to\cert1-issuer.crt.pem" -ExportIssuerDER "path\to\cert1-issuer.crt"
You don't necessarily need all of the above, but the private key is absolutely necessary, so keep it safe.
For more documentation visit the github repo of the project.
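As an added illustration (not part of the answer above and not Apache's own code), the following Python script applies the two rewrite patterns from the answer to some constructed request paths. It shows which dotfile paths they block, and that the pattern as written also exempts any dotfile whose name merely begins with .well-known; a tightened pattern is included beside it. The document root and the sample paths are assumptions.

```python
import re

# Added example: a Python model of the Apache rewrite snippet from the answer.
# It is not Apache's rewrite engine; it only applies the same two regexes.
#
#   RewriteCond %{REQUEST_FILENAME} !.well-known/
#   RewriteRule "(^|/)\.(?!well-known)" - [F]

DOCROOT = "/var/www/html"  # assumed document root used to build REQUEST_FILENAME

# RewriteCond pattern exactly as written: the leading dot is an unescaped
# regex metacharacter, so it matches any character followed by "well-known/".
COND = re.compile(r".well-known/")

# RewriteRule pattern as written in the answer.
ORIGINAL_RULE = re.compile(r"(^|/)\.(?!well-known)")

# Tightened pattern: exempt only a path component that is exactly ".well-known",
# so ".well-known-backup" or ".well-known.old" are still treated as hidden.
HARDENED_RULE = re.compile(r"(^|/)\.(?!well-known(/|$))")


def is_forbidden(path, rule=ORIGINAL_RULE):
    """Return True when the directives would answer 403 for this request path."""
    filename = DOCROOT + path
    # The RewriteCond is negated ("!"): the rule only fires when the
    # filename does NOT contain the condition pattern.
    if COND.search(filename):
        return False
    return rule.search(path) is not None


# Constructed request paths (not from the page) covering the interesting cases.
SAMPLE_PATHS = [
    "/.well-known/acme-challenge/abc123",  # ACME challenge: must stay reachable
    "/index.html",                         # ordinary file
    "/.git/config",                        # leaked repository metadata
    "/.env",                               # secrets file
    "/app/.htpasswd",                      # hidden file in a subdirectory
    "/.well-known-backup/secrets.txt",     # dotfile that merely starts with .well-known
]


def report(rule=ORIGINAL_RULE):
    """Map each sample path to whether the given rule forbids it."""
    return {p: is_forbidden(p, rule) for p in SAMPLE_PATHS}


if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE), ("hardened", HARDENED_RULE)):
        print(f"== {name} ==")
        for path, blocked in report(rule).items():
            print(f"{'403' if blocked else '200':>4}  {path}")
```

Run it to see the two tables side by side: the original pattern lets /.well-known-backup/secrets.txt through, the hardened one returns 403 for it while still serving the ACME challenge path.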
I have recently installed ssl certificate through CloudFlare. I'm getting https but not getting padlock. I tried using really simple ssl WordPress plugin but I could not help mixed content.
My website URL: https://claimstock.com
Looking at the developer console of Chrome clearly shows the problems:
Mixed Content: ... requested an insecure image 'http://35.232.70.59/wp-content/uploads/2018/11/construction-image38-2-free-img.jpg'
This means that your site includes resources loaded with plain http:// even though the site is served with https://.
Failed to load resource: net::ERR_CERT_AUTHORITY_INVALID ... 35.232.70.59/wp-content/uploads/2018/11/911-2.jpg:1
This means your site tries to download resources via https:// from 35.232.70.59. But the certificate for 35.232.70.59 is a self-signed certificate for www.example.com. A self-signed certificate cannot be trusted and, apart from that, the name in the certificate does not match the name in the URL.
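As an added example (not from the question or the answer), here is a small offline scanner that lists the subresources of an HTML page that a browser would flag for the two reasons seen in the console output above: plain http:// URLs on an https:// page (mixed content) and https:// URLs whose host is a bare IP address, for which no publicly trusted certificate can match the name. The sample page, the host names and the 192.0.2.10 address are constructed for the demo.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not the site's or any plugin's code: find subresources that
# cause "Mixed Content" or certificate-name errors on an HTTPS page.

# Tag -> attribute pairs the browser fetches as subresources (a useful subset).
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "source": "src",
    "video": "src", "audio": "src", "link": "href",
}


class _SubresourceCollector(HTMLParser):
    """Collect (tag, url) pairs for the attributes in SUBRESOURCE_ATTRS."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append((tag, value))


def _is_ip_literal(host):
    """True for hosts like 192.0.2.10 or [2001:db8::1]."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def scan_mixed_content(html, page_url):
    """Return (problem, tag, url) triples for subresources of the page."""
    page_scheme = urlsplit(page_url).scheme.lower()
    collector = _SubresourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.urls:
        parts = urlsplit(url)
        # Relative and protocol-relative URLs inherit the page's scheme,
        # so only an explicit http:// is mixed content.
        scheme = parts.scheme.lower() or page_scheme
        if scheme == "http" and page_scheme == "https":
            findings.append(("mixed-content", tag, url))
        elif scheme == "https" and parts.hostname and _is_ip_literal(parts.hostname):
            findings.append(("ip-literal-host", tag, url))
    return findings


# Constructed sample page; 192.0.2.10 is a documentation-range address.
SAMPLE_HTML = """<html><body>
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<script src="https://www.example.com/wp-includes/js/jquery.js"></script>
<img src="http://192.0.2.10/wp-content/uploads/2018/11/a.jpg">
<img src="https://192.0.2.10/wp-content/uploads/2018/11/b.jpg">
<img src="//cdn.example.net/c.png">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>"""

if __name__ == "__main__":
    for problem, tag, url in scan_mixed_content(SAMPLE_HTML, "https://www.example.com/"):
        print(f"{problem:16} <{tag}> {url}")
```

Relative, protocol-relative and data: URLs are left alone because the browser resolves them under the page's own scheme; only the two image URLs pointing at the raw server address are reported, which is the same pair of problems Chrome printed for the site in the question.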
I have used certbot to obtain SSL certificates. At that time ubuntu's default apache server was listening on port 80. Assume my server is accessible via example.com.
Now, I am running a GitLab CE 9.4.4 server using the SSL certificate I have obtained earlier with letsencrypt. In /etc/gitlab/gitlab.rb I have something like this
nginx['ssl_certificate'] = "/etc/letsencrypt/live/example.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/example.com/privkey.pem"
(and similar lines with registry_nginx for the docker registry.)
However, certbot renew fails, when it tries to renew my certificates, since /var/www/.well-known is not accessible via http://example.com/.well-known.
A similar problem arises, when one tries to use Google webmaster tools. The default verification process requires you to upload a file named googleXXXXXXX.html into the server's root directory.
How can GitLab be configured to serve static files in .well-known and files starting with google?
(Unfortunately, a Google search containing gitlab and static files, produces results about GitLab pages.)
Via GitLab Webroot
The webroot of GitLab CE on Ubuntu is /opt/gitlab/embedded/service/gitlab-rails/public by default. You can copy the googleXXXX.html into this directory and point LetsEncrypt's webroot to this directory:
...
[renewalparams]
authenticator = webroot
installer = None
account = SOMEHASH
[[webroot_map]]
example.com = /opt/gitlab/embedded/service/gitlab-rails/public
Via GitLab Config
Configure LetsEncrypt
Open the letsencrypt renewal configuration, e.g. /etc/letsencrypt/renewal/example.com.conf, and adjust the options such that the web root points to /var/www/letsencrypt:
...
[renewalparams]
authenticator = webroot
installer = None
account = SOMEHASH
[[webroot_map]]
example.com = /var/www/letsencrypt
Create the directories /var/www/letsencrypt and /var/www/letsencrypt/.well-known. The latter directory will host the verification challenge files.
Configure Webmaster tools
Create the directory /var/www/google and download the googleXXXX.html into the newly created directory.
Configure GitLab (for LetsEncrypt and Webmaster tools)
Open /etc/gitlab/gitlab.rb and add the following two lines.
nginx['custom_gitlab_server_config'] = "location ^~ /.well-known { root /var/www/letsencrypt; }\n"
nginx['custom_gitlab_server_config'] << "location ^~ /google { root /var/www/google; }\n"
Reconfigure your gitlab server by running
gitlab-ctl reconfigure
All requests which start with /.well-known will now be forwarded to the /var/www/letsencrypt directory. Similarly, all requests starting with /google are forwarded to the directory /var/www/google. (Please note that this approach makes users or groups whose names start with google inaccessible. In this case you can change the gitlab config to include the full name of your googleXXXX.html.)
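As an added example (not GitLab's or nginx's own code), the script below models how the two custom nginx locations from the answer pick a file on disk: with root the full request URI is appended to the directory (so the challenge files must live under /var/www/letsencrypt/.well-known/, as the answer's directory step says), a ^~ prefix location matches any URI that starts with that string (which is why /googleuser/... is captured), and an exact = location, shown as an assumed tighter variant, only captures the verification file itself. The file name google1234abcd.html and the request URIs are constructed.

```python
import posixpath

# Added example: a model of nginx location selection and `root` path mapping for
# the custom_gitlab_server_config lines in the answer. Only the behaviour relevant
# here is reproduced: "=" exact matches win, then the longest "^~" prefix wins,
# and the whole normalised URI is appended to the location's root directory.

# (modifier, location, root) as in the answer's gitlab.rb additions.
ANSWER_LOCATIONS = [
    ("^~", "/.well-known", "/var/www/letsencrypt"),
    ("^~", "/google", "/var/www/google"),
]

# Assumed tighter variant hinted at by the answer: match only the exact
# verification file, so GitLab users or groups starting with "google" still work.
EXACT_LOCATIONS = [
    ("^~", "/.well-known", "/var/www/letsencrypt"),
    ("=", "/google1234abcd.html", "/var/www/google"),
]


def resolve(uri, locations=ANSWER_LOCATIONS):
    """Return (file path, matched location) or (None, None) when GitLab serves it."""
    # nginx collapses "." and ".." segments before matching, so a traversal
    # attempt cannot escape the root through these locations.
    path = posixpath.normpath(uri)
    if path.startswith("//"):  # normpath keeps a leading double slash
        path = "/" + path.lstrip("/")
    for mod, loc, root in locations:
        if mod == "=" and path == loc:
            return root + path, loc
    prefixes = [(loc, root) for mod, loc, root in locations
                if mod == "^~" and path.startswith(loc)]
    if prefixes:
        loc, root = max(prefixes, key=lambda lr: len(lr[0]))  # longest prefix wins
        return root + path, loc
    return None, None


if __name__ == "__main__":
    for uri in ("/.well-known/acme-challenge/TOKEN", "/google1234abcd.html",
                "/googleuser/project", "/.well-known/../../etc/passwd"):
        print(uri, "->", resolve(uri), "| exact variant:", resolve(uri, EXACT_LOCATIONS))
```

With the answer's configuration /googleuser/project is mapped to /var/www/google/googleuser/project and never reaches GitLab; with the exact-match variant it falls through to GitLab while the verification file is still served from /var/www/google.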
Trying to get
https://example.com
To not refuse the connection, to show my website, and to redirect to:
https://www.example.com
Without having to switch my DNS hosting to DNSimple or adding another service provider.
My domain was purchased on GoDaddy. DNS is on GoDaddy as well, set up as shown below.
My app is hosted on Heroku, using a Let's Encrypt certificate, that I installed following this answer.
Currently using Helmet+express-enforces-ssl to force hsts.
I have read the following info:
Heroku SSL on root domain ; Heroku SSL Endpoints ; The Limitations of DNS A-Records
The last of which states:
(...) applications requiring SSL encryption should use the
ALIAS/ANAME configuration on the root domain. Subdomain redirection
will cause a browser error when the root domain is requested over SSL
(i.e. https://example.com).
Which seems to be my problem (?).
How do I set this up on GoDaddy?