I'm installing SSL certificate in my website and I tried following steps but still not website not working in https and still working on http
I already bind my crt file in below
<VirtualHost _default_:443>
DocumentRoot /var/www/http
ServerName my_domain.com
SSLEngine on
SSLCertificateFile /path/to/coolexample.crt
SSLCertificateKeyFile /path/to/privatekey.key
SSLCertificateChainFile /path/to/intermediate.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
After type this command apache2ctl configtest
it shows Syntax OK
But after type last command apache2ctl restart
It shows following error message
httpd not running, trying to start
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Action 'restart' failed.
The Apache error log may have more information.
To activate SSL encryption you need an extra VirtualHost for port 443. This is often done within Apache/conf/extra/httpd-ssl.conf which is platform dependend.
Within such a file you need an entry like (Windows example):
<VirtualHost *:443>
DocumentRoot "C:/webserver/html/my_html"
ServerName www.example.com
Protocols h2 http/1.1
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:DHE-RSA-CAMELLIA128-SHA:CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:SEED-SHA:DHE-RSA-SEED-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLCertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/portal.digipen.de-crt.pem"
SSLCertificateKeyFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/portal.digipen.de-key.pem"
SSLCACertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/ca-portal.digipen.de-crt.pem"
<IfModule headers_module>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header always set x-frame-options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
</IfModule>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLProxyEngine on
EnableSendfile off
EnableMMAP off
</VirtualHost>
Related
I have 2 linux instances on AWS , a webserver that has apache running on it and the other has tomcat running it.
The website on apache is configured to process requests over https and internally the requests go to tomcat over http.
Things i have done so far w.r.t to ssl,
1) created self signed certificate on the apache server.
2) installed and enabled mod_ssl modules in my httpd.conf file
3) mapped my domain to required document root and also to required proxy pass settings in virtual hosts
the website is accessible over https but as soon as you click a link that makes a backend call to tomcat , it fails. I have looked through the net and have played around with all possible config changes not sure what is the issue.
My VirtualHost settings....
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/opt/apache24/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost _default_:443>
DocumentRoot "/opt/testapp/ui"
ServerName app.dev.testapp.dom.com
ErrorLog "/opt/testapp/logs/error_log"
TransferLog "/opt/testapp/logs/access_log"
SSLEngine on
SSLCertificateFile "/opt/testapp/certificate/testapi.crt"
SSLCertificateKeyFile "/opt/testapp/certificate/testapi.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/opt/apache24/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "/opt/apache24/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
<VirtualHost _default_:443>
ServerName api.dev.testapp.dom.com
ErrorLog "/opt/testapp/logs/error_log"
TransferLog "/opt/testapp/logs/access_log"
SSLEngine on
SSLProxyEngine on
ProxyPass / http://ec2-100-100-100-100.compute-1.amazonaws.com:8080/testapi/
ProxyPassReverse / http://ec2-100-100-100-100.compute-1.amazonaws.com:8080/testapi/
SSLCertificateFile "/opt/testapp/certificate/testapi.crt"
SSLCertificateKeyFile "/opt/testapp/certificate/testapi.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/opt/apache24/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "/opt/apache24/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
I'm trying to install SSL certificate on Wamp. I'm following this tutorial here, everything was done without errors, just fine. But when I try to access https://localhost nothing happens. The page shows an error saying it's an insecure connection. If I continue anyway, then I get the https on the address but marked with red alert.
Also, I'm trying to access only the localhost, but usually I'm working with multiple webpages via virtual host, so instead of accessing localhost I would access something like mysite.me or https://mysite.me
Note: I'm using Windows 10.
Edited: As requested in the comments, I'm adding my httpd-ssl.conf file
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:E:/Install/wamp64/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost _default_:443>
DocumentRoot "E:/Install/wamp64/www"
ServerName localhost:443
ServerAdmin admin#example.com
ErrorLog "E:/Install/wamp64/logs/ssl_error.log"
TransferLog "E:/Install/wamp64/logs/ssl_access.log"
SSLEngine on
SSLCertificateFile "E:/Install/wamp64/bin/apache/apache2.4.23/conf/certificate.crt"
SSLCertificateKeyFile "E:/Install/wamp64/bin/apache/apache2.4.23/conf/private.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "E:\Install\wamp64\www">
SSLOptions +StdEnvVars
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require local
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "E:/Install/wamp64/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
I would like to have ONLY https traffic. I want all of it to be driven to https://example.com and https://www.example.com.
At present this is what works and doesn't work:
https://www.example.com - ok!
http://www.example.com - shows a list of files in my webroot for some reason
https://example.com - This site can’t be reached / example.com refused to connect.
http://example.com - The example.com page isn’t working. example.com didn’t send any data.
I am using Ubuntu 14 (trusty) and here is my current enabled virtual host config:
<IfModule mod_ssl.c>
<VirtualHost xxx.xxx.xxx.xxx:443>
ServerAdmin info#example.com
ServerName www.example.com:443
ServerAlias example.com:443
DocumentRoot /var/www/example.com/public_html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
Any help much appreciated as going nuts!
Did you tried made permanent redirect? https://wiki.apache.org/httpd/RedirectSSL
I am unable to get my apache2 instance to run on https.
I have a running website that works on http with a couple of aliases. I installed a self signed certificate and added the entries to the conf file. So far so good.
At this juncture apache2ctl configtest says OK.
I run a2enmod ssl and ssl get enabled
apache2ctl configtest or a service apache2 restart both fail with this error
Syntax error on line 140 of /etc/apache2/apache2.conf: Syntax error on line 2 of /etc/apache2/mods-enabled/ssl.load: Cannot load /usr/lib/apache2/modules/mod_ssl.so into server: /usr/lib/apache2/modules/mod_ssl.so: undefined symbol: ap_map_http_request_error
Action 'configtest' failed.
verified that mod_ssl.so is in the specified path
verified that the ln to files in sites-enabled is correct
certificate files exist in the specified path
my ssl conf files look like this:
<IfModule mod_ssl.c>
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
ServerName www.myserver.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
How do I fix this?
secure.dynaccount.com (Thawte cert)
http://certlogik.com/sslchecker/secure.dynaccount.com/
api.dynaccount.com (self-signed)
http://certlogik.com/sslchecker/api.dynaccount.com/
httpd.conf
# Thawte certified
<VirtualHost 88.198.55.138:443>
ServerName secure.dynaccount.com
DocumentRoot /var/www/dynaccount.com
SSLEngine on
SSLCertificateKeyFile /var/ini/ssl/secure.dynaccount.com/private.key
SSLCertificateFile /var/ini/ssl/secure.dynaccount.com/public.crt
SSLCertificateChainFile /var/ini/ssl/secure.dynaccount.com/intermediate.crt
SSLVerifyDepth 1
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>
# self-signed
<VirtualHost 88.198.55.154:443>
ServerName api.dynaccount.com
DocumentRoot /var/www/dynaccount.com
SSLEngine on
SSLCertificateKeyFile /var/ini/ssl/api.dynaccount.com/private.key
SSLCertificateFile /var/ini/ssl/api.dynaccount.com/public.crt
SSLVerifyDepth 0
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>
Did you read Apache HTTP docs?
http://httpd.apache.org/docs/2.0/vhosts/name-based.html
Name-based virtual hosting cannot be used with SSL secure servers
because of the nature of the SSL protocol.
You can have one SSL host per IP.
Reason?
SSL connection parameters are set per-vhosts, but must be negotiated before httpd reads host HTTP header.
That give a sense, isn't it?
UPDATE:
Change SSLCACertificateFile to SSLCertificateChainFile and provide correct format of file according to docs or disable client cert verification at all
Your problem here is that you have twice the same ServerName.
In your 2nd VHost, you should have ServerName api.dynaccount.com and no ServerAlias
I'm not sure it's the problem, but give it a try :)
edit:
For the Server could not reliably resolve server name error, you have to define a ServerName in httpd.conf (not in VirtualHost, that will be the default server name)