The issue I'm having is reinstalling an SSL certificate purchased through Namecheap.
When I purchased the certificate, I received a .zip file with these files:
domainname.ca-bundle
domainname.crt
domainname.p7b
When trying to install the SSL certificate on an apache2 server using SSH, it was originally configured to use a .key file. I have tried modifying the certificate to use the p7b, but this generates an error.
Here is the code:
SSLEngine on
SSLCertificateFile /var/www/domainname/public_html/domainname.crt
SSLCertificateKeyFile /var/www/domainname.ca/public_html/domainname.p7b
SSLCertificateChainFile /var/www/domainname.ca/public_html/domainname.ca-bundle
What modifications or changes must I make in order to install this SSL Certificate?
Thanks for any help or assistance in this matter; I've been trying to fix this for a while!
I looked up some openssl commands to compare the .key and .cert file to make sure they matched. It was indeed the incorrect .key file and I managed to find the correct key to install it correctly. Thank you for your helpful advice and here is the source I used for the commands: https://www.ssl.com/faqs/how-do-i-confirm-that-a-private-key-matches-a-csr-and-certificate/
In case this helps someone else with the same issue. – RichardManson 3 hours ago
So, I bought an SSL certificate from GoDaddy for one of my domains. It gave me a generated-csr.txt and a generated-private-key.txt. I've been looking for a while on how to deploy a CSR certificate, but couldn't find anything that is understandable. Even GoDaddy itself uses the .crt format in its tutorial.
Also, they use SSLCertificateChainFile, and I don't know if I am supposed to chain my private key and CSR to get this, or what?
URL: https://au.godaddy.com/help/manually-install-an-ssl-certificate-on-my-apache-server-centos-5238
Can someone explain, how do I deploy my certificate manually to apache2?
The SSL certificate for the Apache server had expired yesterday. I renewed it with CA Cert, viewed the certificate, and copied the contents into a .crt file which is referenced in ssl.conf. I restarted the httpd server, but the browser still throws "SEC_ERROR_EXPIRED_CERTIFICATE". What is even stranger is that it shows the expired certificate. I changed the name of the .crt file and restarted the httpd server, and it failed to start, saying the SSLCertificate was not found. That would mean it was referring to the .crt file I put in after the renewal from CA Cert.
Appreciate your help in resolving this.
Found the issue - I was referring to old certificate in another .conf file. So due to the conflict, it was fetching the old one itself. Once I removed that, it worked fine.
I got a valid HTTPS certificate from Let's Encrypt, but have trust issues when giving it to vert.x version 3.6.2.
I tested the cert with apache, it's ok, however if I try to reach the https vert.x server instance with wget I get:
$ wget https://www.myhost.mydomain/json/read/all-languages
--2019-01-22 10:30:56-- https://www.myhost.mydomain/json/read/all-languages
Resolving www.myhost.mydomain (www.myhost.mydomain)... 88.14.34.156
Connecting to www.myhost.mydomain (www.myhost.mydomain)|88.14.34.156|:443... connected.
ERROR: cannot verify www.myhost.mydomain's certificate, issued by ‘CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US’:
Unable to locally verify the issuer's authority.
To connect to www.myhost.mydomain insecurely, use `--no-check-certificate'.
Hostname and IP are forged.
My working Apache config snippet:
SSLCertificateFile /etc/certs/myhost.mydomain/cert.pem
SSLCertificateKeyFile /etc/certs/myhost.mydomain/privkey.pem
SSLCertificateChainFile /etc/certs/myhost.mydomain/chain.pem
vert.x code:
val httpsOptions = HttpServerOptions()
    .setPort(443)
    .setSsl(true)
    .setPemTrustOptions(PemTrustOptions()
        .addCertPath("/etc/certs/myhost.mydomain/chain.pem"))
    .setPemKeyCertOptions(PemKeyCertOptions()
        .addKeyPath("/etc/certs/myhost.mydomain/privkey.pem")
        .addCertPath("/etc/certs/myhost.mydomain/cert.pem")
    )
vertx.createHttpServer(httpsOptions).requestHandler(router).listen()
I set vert.x logging to debug, but no error message appears.
What am I missing?
I found the solution here: https://community.letsencrypt.org/t/android-doesnt-trust-the-certificate/16498/2
I changed the cert.pem to fullchain.pem in the setPemKeyCertOptions settings, and it works.
Thank you for your effort.
The issue is in the certificate chain file chain.pem. It seems that it does not contain the full certificate chain. If you view the file it probably contains only one intermediate LE authority cert inside, i.e., Let's Encrypt Authority X3. It works with Apache because the SSLCertificateChainFile is actually deprecated and it is not being used at all.
Vert.x, on the other hand, does use the chain.pem file. It returns only the intermediate cert, and wget complains because of that. To fix the issue, create a fullchain.pem file composed of both the chain.pem and the cert.pem files, e.g.,
cat cert.pem chain.pem > fullchain.pem
Then use the fullchain.pem with the PemTrustOptions configuration.
You don't need to put the LE root certificate in the fullchain.pem file, because it should already be present on both client and server side. Here's an excerpt from the TLS Protocol RFC about it.
certificate_list
This is a sequence (chain) of certificates. The sender's
certificate MUST come first in the list. Each following
certificate MUST directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root
certificate authority MAY be omitted from the chain, under the
assumption that the remote end must already possess it in order to
validate it in any case.
I have two files:
privkey.pem that starts with -----BEGIN ENCRYPTED PRIVATE KEY-----
cert.pem that starts with -----BEGIN CERTIFICATE-----
Now I should install them, but I have never done this before, and all the related information I found (1, 2, 3) says that I need three files:
primary.crt
private.key
intermediate.crt
The file endings are different, but from what I found my .pem files are OK, too (only the content matters, and I can rename the ending).
But what files do I have now? The primary and the private? And am I missing some file? Or is it possible with only the two I have?
Start with this:
SSLEngine on
SSLCertificateFile /path/to/cert.crt
SSLCertificateKeyFile /path/to/privkey.crt
This should bring the site up on SSL. While this may work with some browsers, you'd require intermediate certificates for your certificate to chain up to the Root CA to ensure your site works in all browsers.
To obtain the intermediate certificates for your site, go to What's My Chain Cert? and enter your site name. This will indicate that you are missing intermediate certificates, as expected. Use the last form field on the page to generate the intermediate certs.
Use the downloaded cert chain in the SSLCertificateChainFile directive in your Apache webserver config like this:
SSLCertificateChainFile /path/to/intermediate.crt
Once done, I suggest checking your site using an online scanner such as SSL Labs server test to ensure your certificates are properly configured and that your configuration does not expose any vulnerabilities or SSL weaknesses.
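The checks that the posts above keep coming back to, as one added example (shell plus the openssl CLI; this is not code from any answer in this thread): the key-matches-certificate test the Namecheap follow-up comment mentions, the leaf-then-intermediate ordering that the vert.x answer's RFC excerpt and `cat cert.pem chain.pem > fullchain.pem` rely on, why a .p7b cannot stand in for a .key, and the "unable to get local issuer certificate" failure a leaf without its intermediate produces, which is the local equivalent of the SSL Labs / chain-checker result this answer recommends. It generates a throw-away root, intermediate and leaf in a temporary directory, so "www.example.test" and every file name are assumptions, not real hosts or real CA files. It assumes `openssl` 1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example, not code from any post in this thread: offline checks with the
# openssl CLI for the problems above. A throw-away root -> intermediate -> leaf
# PKI is generated under a temp dir; "www.example.test" and all file names are
# assumptions, not real hosts or real CA files.

# SHA-256 of the DER-encoded public key, taken from a cert or from a private
# key; equal digests mean the key is the private half of the cert. Works for
# RSA and EC keys alike (the modulus-md5 comparison only works for RSA).
pubkey_fp_of_cert() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
pubkey_fp_of_key() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
# 0 when key $1 belongs to cert $2. An encrypted key prompts for its passphrase.
key_matches_cert() {
  k=$(pubkey_fp_of_key "$1"); c=$(pubkey_fp_of_cert "$2")
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Write bundle $1 out as $2-1.pem, $2-2.pem, ... (one certificate per file).
split_pem_bundle() {
  awk -v p="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = p "-" n ".pem" } n { print > f }' "$1"
}

# 0 when bundle $1 is ordered as the TLS RFC requires: sender's cert first and
# each following cert the issuer of the one before it.
chain_is_ordered() {
  d=$(mktemp -d); split_pem_bundle "$1" "$d/c"; i=1; bad=0
  while [ -f "$d/c-$((i + 1)).pem" ]; do
    issuer=$(openssl x509 -in "$d/c-$i.pem" -noout -issuer -nameopt RFC2253)
    subject=$(openssl x509 -in "$d/c-$((i + 1)).pem" -noout -subject -nameopt RFC2253)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || bad=1
    i=$((i + 1))
  done
  rm -rf "$d"; return $bad
}

# 0 when leaf $2 chains up to trust anchor $1. $3 is an optional bundle of
# untrusted intermediates, i.e. what the server has to send in the handshake;
# without it the leaf alone fails, which is what wget reported above.
chain_verifies() {
  if [ -n "$3" ]; then openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; fi
}

# Number of certificates in a PKCS#7 (.p7b) bundle. A .p7b carries certs only,
# never a private key, which is why it cannot serve as SSLCertificateKeyFile.
certs_in_p7b() { openssl pkcs7 -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'; }

# Build the throw-away PKI in $1: root.pem/root.key, int.pem/int.key,
# cert.pem/privkey.pem, a correctly and a wrongly ordered bundle, and a .p7b
# of leaf + intermediate like the one a CA ships.
make_test_pki() {
  w=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$w/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$w/leaf.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$w/$n.key" -out "$w/$n.csr" -subj "/CN=Example $n" 2>/dev/null
  done
  openssl x509 -req -in "$w/root.csr" -signkey "$w/root.key" -days 3650 -set_serial 1 \
    -extfile "$w/ca.ext" -out "$w/root.pem" 2>/dev/null
  openssl x509 -req -in "$w/int.csr" -CA "$w/root.pem" -CAkey "$w/root.key" -days 1825 -set_serial 2 \
    -extfile "$w/ca.ext" -out "$w/int.pem" 2>/dev/null
  openssl x509 -req -in "$w/leaf.csr" -CA "$w/int.pem" -CAkey "$w/int.key" -days 365 -set_serial 3 \
    -extfile "$w/leaf.ext" -out "$w/cert.pem" 2>/dev/null
  mv "$w/leaf.key" "$w/privkey.pem"
  cat "$w/cert.pem" "$w/int.pem" > "$w/fullchain.pem"    # leaf first, then the chain
  cat "$w/int.pem" "$w/cert.pem" > "$w/wrongorder.pem"   # intermediate first: wrong
  openssl crl2pkcs7 -nocrl -certfile "$w/cert.pem" -certfile "$w/int.pem" -out "$w/bundle.p7b"
}

WORK=$(mktemp -d)
make_test_pki "$WORK"
key_matches_cert "$WORK/privkey.pem" "$WORK/cert.pem" && echo "privkey.pem is the key for cert.pem"
key_matches_cert "$WORK/int.key" "$WORK/cert.pem" || echo "int.key is NOT the key for cert.pem (the wrong-.key case)"
echo "bundle.p7b holds $(certs_in_p7b "$WORK/bundle.p7b") certificates and no key"
chain_is_ordered "$WORK/fullchain.pem" && echo "fullchain.pem: leaf -> intermediate, correct order"
chain_is_ordered "$WORK/wrongorder.pem" || echo "wrongorder.pem: intermediate before leaf, wrong order"
chain_verifies "$WORK/root.pem" "$WORK/cert.pem" || echo "cert.pem alone: unable to get local issuer certificate"
chain_verifies "$WORK/root.pem" "$WORK/cert.pem" "$WORK/fullchain.pem" && echo "cert.pem + fullchain.pem: OK"
```

Run it with `sh`. To apply the same functions to real files, point `key_matches_cert` at the .key and .crt from the CA's zip, `chain_is_ordered` at the bundle you intend to serve, and `chain_verifies` at the CA's root (as the anchor) together with the ca-bundle or chain.pem; a certbot `chain.pem` is intermediate-only, so the `cat cert.pem chain.pem` order in the vert.x answer is what keeps the result ordered.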
I have a website where I haven't installed an SSL certificate.
In apache.conf I have only two files:
SSLCertificateFile /etc/ssl/certs/domainname.crt
SSLCertificateKeyFile /etc/ssl/private/domainname.key
https://www.sslshopper.com/ssl-checker.html gives me this error:
The certificate is not trusted in all web browsers. You may need to
install an Intermediate/chain certificate to link it to a trusted root
certificate.
In the docs I have seen that I must have these files to create a certificate chain:
AddTrustExternalCARoot.crt
ComodoUTNSGCCA.crt
EssentialSSLCA_2.crt
domainname.crt
UTNAddTrustSGCCA.crt
But in my /etc/ssl/ directory I have only the domainname.crt file.
Can I download the other files from anywhere? Or must I buy a new certificate with all the files?
I have downloaded the needed files from https://github.com/cloudflare/cfssl_trust/tree/master/intermediate_ca
and it works.