Is there anyone out there who got a running ArangoDB database working with a letsencrypt certificate? I just can't find out how to get this running.
ArangoDB is running on a DigitalOcean droplet and I could get it running together with a self-signed certificate following this tutorial. So ArangoDB is successfully running on port 8530.
Now my approach was replacing the self-signed certificate with a letsencrypt cert.
So I added a subdomain in DigitalOcean to the droplet, e.g. db.example.com, and then generated the cert files:
sudo -H ./letsencrypt-auto certonly --standalone -d db.example.com
You will end up with 4 files: cert.pem chain.pem fullchain.pem privkey.pem
As I understood, these files are:
Private Key --------> privkey.pem
Public Key ---------> cert.pem
Certificate Chain --> chain.pem
As described in the tutorial I mentioned, you need the certificate and the key in one file. So I did
cat chain.pem privkey.pem | sudo tee server.pem
to have a file containing the certificate and the private key.
Then I modified the file /etc/arangodb3/arangod.conf to let arango know where the keyfile is and modified the ssl section:
[ssl]
keyfile = /etc/letsencrypt/live/db.example.com/server.pem
But after restarting arango, the server is not available when trying to connect the browser to https://db.example.com:8530. Firewall settings for the droplet should all be OK, because I could access this address with the self-signed certificate before.
I then tried to modify the endpoint in /etc/arangodb3/arangod.conf from
endpoint = ssl://0.0.0.0:8530
to
endpoint = ssl://db.example.com:8530
and also
tcp://db.example.com:8530
None of it was working. Has somebody out there an idea what I am doing wrong?
Please use the IP of the interface you want to use when specifying the endpoint, e.g. endpoint = ssl://42.23.13.37:8530 (ip address should list your interfaces along with addresses in use). Then it could help to use the fullchain.pem to create the server.pem (cat fullchain.pem privkey.pem > server.pem). Make sure the resulting server.pem is accessible and readable by the arangodb user. If the server is still not starting correctly, please provide logs of the server. To access the logs use journalctl -fu arangodb3.service or follow the logs with tail -f <logfile> if you use some custom location for logging.
I have just tested a setup with letsencrypt certificates and it was working after ensuring all above points.
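The difference between the two cat commands in this thread can be checked before restarting the server. The following is an added example, not part of the original posts: check_keyfile and make_demo are hypothetical helper names, and the CA and leaf certificate are constructed throwaway files named like certbot's output.

```shell
#!/bin/sh
# check_keyfile FILE [USER]: pass only if the first certificate in FILE belongs
# to the private key in FILE, a chain certificate follows it, and (optionally)
# USER can read the file.
check_keyfile() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || true  # first cert only
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || true         # private key
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1") || true
    [ -n "$c" ] && [ -n "$k" ] || { echo "$1: needs a certificate and a key"; return 1; }
    [ "$c" = "$k" ] || { echo "$1: first certificate does not match the key"; return 1; }
    [ "$n" -ge 2 ] || { echo "$1: no chain certificate after the leaf"; return 1; }
    if [ -n "${2:-}" ]; then
        sudo -u "$2" test -r "$1" || { echo "$1: not readable by $2"; return 1; }
    fi
    echo "$1: ok"
}

# make_demo DIR: constructed throwaway CA and leaf, named like certbot's files.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/chain.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=db.example.com" \
        -keyout "$1/privkey.pem" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/chain.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/cert.pem" 2>/dev/null
    cat "$1/cert.pem" "$1/chain.pem" > "$1/fullchain.pem"
}

tmp=$(mktemp -d)
make_demo "$tmp"
cat "$tmp/chain.pem" "$tmp/privkey.pem" > "$tmp/server_bad.pem"   # as in the question
cat "$tmp/fullchain.pem" "$tmp/privkey.pem" > "$tmp/server.pem"   # as in the answer
check_keyfile "$tmp/server_bad.pem" || true   # first certificate does not match the key
check_keyfile "$tmp/server.pem"               # ok
rm -rf "$tmp"
```

On the real host the call would be check_keyfile /etc/letsencrypt/live/db.example.com/server.pem arangodb, which also covers the readability point from the answer.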
I just started to learn programming and tried to install SSL on my site.
I used a 90-day free trial SSL from Comodo and it worked well.
I purchased a new SSL from Comodo and generated a CSR on the server (on my putty terminal).
My site is a Wordpress run by Bitnami and AWS.
The error message is that my site name is mismatched.
https://www.ssllabs.com/ssltest/analyze.html?d=www.cheeselab.co.kr#whyNotTrusted
How could I solve this problem? I tried to re-install it from scratch but I don't know what I have to do.
Below are the commands I ran:
sudo openssl genrsa -out /opt/bitnami/apache2/conf/server.key 204
sudo openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr
sudo nano /opt/bitnami/apache2/conf/cert.csr
sudo nano /opt/bitnami/apache2/conf/cert2.crt
sudo nano /opt/bitnami/apache2/conf/bitnami/bitnami.conf
renamed the file from server.crt to cert2.crt
(the above commands worked well)
sudo /opt/bitnami/ctlscript.sh restart apache
but I got the error message below with the above command
Invalid command 'sudo', perhaps misspelled or defined by a module not included in the server configuration apache config test fails, aborting Monitored apache
I have installed an SSL certificate, and when trying to restart httpd it goes "Failed".
Here is what I did and how:
Followed http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-an-instance.html#ssl_enable
and enabled SSL/TLS. Allowed httpd port 443 in Security Groups (but the page is not opening as HTTPS).
Then I generated a private key and CSR using the command
"openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr"
Taken from ( https://in.godaddy.com/help/generating-a-certificate-signing-request-csr-apache-2x-5269 )
Then I typed "ls -l" and got the key and CSR I created. Copied them to the /etc/pki/tls/certs/ directory. Then submitted the CSR (typing vi filename.csr and copying it into a .txt file) to GoDaddy and got the certificate and intermediate certificate bundle. Also uploaded the certificate file and intermediate certificate bundle to the /etc/pki/tls/certs/ directory.
Then I edited ssl.conf ("cd /etc/httpd/conf.d/" then "sudo nano ssl.conf"), put # before SSLCertificateKeyFile, SSLCertificateFile and SSLCertificateChainFile, then put in my SSLCertificateKeyFile, SSLCertificateFile and SSLCertificateChainFile locations and saved ssl.conf.
Then I typed "sudo service httpd restart", which showed me httpd stop: OK and httpd start: Failed.
Let me know what I did wrong. This is the 2nd time I tried. The first time I thought maybe I had made a mistake, so I set up the server again and retried, but got the same problem.
I wish someone will help me.
Thank you
I got the solution. Checked the log and found the key and CSR were not matching. Then I regenerated the key, used the new key to generate the CSR, and boom.. it's done :)
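The mismatch found in the log above can be detected before anything is submitted to the CA or loaded by httpd. This is an added example, not part of the original post: pub_of, same_keypair and make_pair are hypothetical helper names, the files are constructed test data, and a self-signed certificate stands in for the issued one.

```shell
#!/bin/sh
# pub_of KIND FILE: print the public key carried by a private key, CSR or certificate.
pub_of() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# same_keypair KEY CSR [CERT]: succeed only if every file carries KEY's public key.
same_keypair() {
    k=$(pub_of key "$1") || true
    [ -n "$k" ] || { echo "cannot read private key $1"; return 1; }
    r=$(pub_of csr "$2") || true
    [ "$r" = "$k" ] || { echo "CSR $2 was not made from $1"; return 1; }
    if [ -n "${3:-}" ]; then
        c=$(pub_of cert "$3") || true
        [ "$c" = "$k" ] || { echo "certificate $3 does not match $1"; return 1; }
    fi
    echo "$1 matches"
}

# make_pair DIR: constructed demo files. The key and CSR come from the command
# quoted in the post; the self-signed certificate stands in for the issued one.
make_pair() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$1/yourdomain.key" -out "$1/yourdomain.csr" 2>/dev/null
    openssl req -new -x509 -key "$1/yourdomain.key" -subj "/CN=www.example.com" \
        -days 1 -out "$1/yourdomain.crt" 2>/dev/null
    openssl genrsa -out "$1/regenerated.key" 2048 2>/dev/null   # a later, different key
}

tmp=$(mktemp -d)
make_pair "$tmp"
same_keypair "$tmp/yourdomain.key" "$tmp/yourdomain.csr" "$tmp/yourdomain.crt"
same_keypair "$tmp/regenerated.key" "$tmp/yourdomain.csr" || true   # CSR was not made from it
rm -rf "$tmp"
```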
I have been working really hard on installing an OpenSSL certificate so my web-app can show the beautiful “HTTPS” in the URL, however, I can’t get it and it’s driving me insane!!
I have a Linux VPS with Ubuntu 14.04 and Apache 2.4.7.
I have done the following things:
1.- Enable SSL module:
sudo a2enmod ssl
2.- Restart Apache:
sudo service apache2 restart
3.- Create SSL directory inside the Apache2 directory:
sudo mkdir /etc/apache2/ssl
4.- Execute the following command to create a self-signed ssl certificate :
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
5.- Fill in questions:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company
Organizational Unit Name (eg, section) []:Department of Kittens
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:your_email@domain.com
6.- Configure apache to utilize ssl:
sudo nano /etc/apache2/sites-available/default-ssl.conf
7.- Modify the following data:
ServerAdmin admin@example.com
ServerName my_domain.com
ServerAlias www.my_domain.com
DocumentRoot /var/www/html
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
8.- Enable “default-ssl.conf” file:
sudo a2ensite default-ssl.conf
9.- Restart Apache again:
sudo service apache2 restart
According to what I have read that should be all… what am I missing??
Thanks in advance.
I have an EC2 instance that is using Amazon's custom linux install with built in apache. This install also has openssl installed. That being said, there does not appear to be a mod_ssl.so to load up in httpd.conf.
So, I want to know the best way to get apache to be ssl enabled so I can set up my SSL virtual host (note that I have already set up the cert/signatures). Ideally, I would like to not have to rebuild/reinstall apache.
Try this command:
yum install mod_ssl
A summary of what needs to be done to enable SSL on apache server on EC2:
Get SSL certificate (which you already did)
Install mod_ssl as Jose Vega said
Add the following lines to your httpd.conf:
NameVirtualHost *:443
<VirtualHost *:443>
ServerName www.example.com
# other configurations
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/mydomain.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mydomain.key
</VirtualHost>
Finally, don't forget to open port 443 on your EC2 instance.
I managed to enable SSL on my ec2 instance and to install a free ssl certificate from startssl.com. I made a few mistakes, this is the basic approach:
Sign up to startssl.com by clicking the Control Panel link
Complete the signup process. You will need to verify your email address.
Validate your domain under Validation Wizard -> Domain Name Validation
Get a Certificate by Certificate Wizard
Choose: Web Server SSL/TLS Certificate
Enter a password that will be used to encrypt the private key. You will need this later.
I chose keysize of 4096
Save the encrypted private key as ssl.encrypted.key someplace
?? I forget what happened next
Save the certificate file as ssl.crt someplace. For me I had to wait 30 minutes, then it appeared under Tool Box -> Retrieve Certificate
Use openssl to decrypt the encrypted ssl.encrypted.key file
sudo openssl rsa -in ssl.encrypted.key -out ssl.unencrypted.key
startssl.com also have a decrypt option on their website, but it didn't work for me
putty/ssh onto your ec2 machine
install mod_ssl
sudo yum install mod_ssl
Replace the default certificate and key
sudo vi /etc/pki/tls/certs/localhost.crt
Paste in the contents of ssl.crt
Make sure it pastes correctly! I always lose the first 6 characters
Use :%d to delete the existing certificate if required
[ESC] wq
sudo vi /etc/pki/tls/private/localhost.key
Paste in the contents of ssl.unencrypted.key
Again make sure it pastes correctly!
[ESC] wq
Check the configuration
apachectl configtest
Restart
sudo service httpd restart
I had issues restarting and I think what fixed it was sudo kill -9 httpd
You should install the SSL module, since mod SSL does not ship with most instances by default, but that depends on the Apache version you are using in your AWS instance. To check which one you are using, you can run this command in your command line:
httpd -v
For Apache 2.2
yum install mod_ssl
For Apache 2.4
yum install mod24_ssl
If you are using Amazon Lightsail, be sure to go into Networking from the Lightsail dashboard and add HTTPS/443 in your Firewall.
Here's what worked for me, via shell, with a wildcard cert that had a CA bundle (on Lightsail servers, HTTPS/443 enabled). Mileage may vary. Test on https://www.digicert.com/help/ after install. For brevity, I've shortened the certs/keys here (obviously).
It's worth noting also that I did not need to set up a VirtualHost for the domain.
# Overwrite these files on Amazon Linux + mod_ssl (or mod24_ssl)
# /etc/pki/tls/certs/ca-bundle.crt
# /etc/pki/tls/certs/localhost.crt
# /etc/pki/tls/private/localhost.key
## BEGIN
# INSTALL AS ROOT
sudo -su root
sudo cat > /etc/pki/tls/certs/localhost.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIF7DCCBNSgAwIBAgIMNY9yk7s651tb2YasMA0GCSqGSIb3DQEBCwUAMEwxCzAJ
KoZIhvcNAQELBQADggEBACu8MsClqLbO1NqjXw+igERhLRkISgnkIjB1p69zh3V0
/3b68mkC+8pL3HNLgL0qIM9sPKKOl/Iyky2EfwfQDoZEWNB0qWKIOovH5Oj9z5DE
-----END CERTIFICATE-----
EOF
sudo cat > /etc/pki/tls/private/localhost.key <<EOF
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCL6UsW9yC0Faev
1zeEJcF6E7P6XYqT25rWMj5xzUM8gi/4nLpGr+tOBlFJYSbLlEHJKG6QLO9Ku896
MwTtWyOrTlPtpJEi9LUrLmOUXtD1WN2Ekql/ZLaO7pxUtVTRF4MyYspGgU1ZjkxY
vQLnZs85bnG2dLz7Q4xxlj4=
-----END PRIVATE KEY-----
EOF
sudo cat > /etc/pki/tls/certs/ca-bundle.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIESzCCAzOgAwIBAgIOSMqBefg+ikLz9c3isT8wDQYJKoZIhvcNAQELBQAwTDEg
bFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTYxMDE0MDAwMDAwWhcNMjQw
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
-----END CERTIFICATE-----
EOF
# RESTART
sudo service httpd restart
#DONE