We got SSL certificate from 123reg site. but in our server have letsencrypt installed for SSL so we are simply adding our certificate file insated of letsencrypt certificate file like
we save our certificate file (new) to /etc/letsencrypt/{site-name}.
we changed 000-default-le-ssl.conf file for certificate like below
<VirtualHost *:443>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html/safco
ServerName example.com
Redirect Permanent / https://example.com/
SSLEngine on
SSLCertificateFile /etc/letsencrypt/shop/shop.crt
SSLCertificateKeyFile /etc/letsencrypt/shop/shop.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/shop/intermediate.pem
Redirect Permanent / https://example.com/
</VirtualHost>
but it's also giving Your connection is not private.
but when i try to remove
Include /etc/letsencrypt/options-ssl-apache.conf
from 000-default-le-ssl.conf file apache not restart.
how to install simple third pary SSL certificate in letsencrypt ?
Related
I just added a subdomain to my site and am trying to get SSL working. Previously I had SSL working on example.net and www.example.net using a cert from namespace.com.
With the subdomain, things are not quite working.
Here is what I have in DNS entries:
CNAME: www.sub.example.net is an alias of example.net
A: sub.example.net directs to IP
CNAME: www.example.net is an alias of example.net
A: example.net directs to IP
Here is my example.net conf file:
<VirtualHost *:80>
ServerName example.net
Redirect permanent / https://example.net/
</VirtualHost>
<VirtualHost *:443>
ServerName example.net
DocumentRoot "/var/www/example/public"
<Directory "/var/www/example/public">
AllowOverride all
</Directory>
SSLEngine on
SSLCertificateKeyFile /root/example.net.key
SSLCertificateFile /root/example.net.crt
SSLCertificateChainFile /root/example.net.ca-bundle
</VirtualHost>
And my sub.example conf file:
<VirtualHost *:80>
ServerName sub.example.net
ServerAlias www.sub.example.net
DocumentRoot /var/www/sub.example
Redirect permanent / https://sub.example.net/
</VirtualHost>
<VirtualHost *:443>
ServerName sub.example.net
ServerAlias www.sub.example.net
DocumentRoot /var/www/sub.example
SSLCertificateFile /etc/letsencrypt/live/sub.example.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sub.example.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
If I go to sub.example.net and www.sub.example.net then all is well.
If I go to example.net all is well.
However, when I go to www.example.net I get error about the cert only being valid for sub.example.net and *.sub.example.net.
So for some reason the www in front of example.net is having apache not look at the namespace.com wildcard cert that I have for example.net.
Now, I created the subdoamin certs via
sudo certbot certonly --manual -d *.sub.example.net -d sub.example.net --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
I have a feeling I have some weird combo of apache conf settings and DNS entries that are causing this behavior. Any idea what I did wrong?
thanks,
Brian
So for some reason the www in front of example.net is having apache not look at the namespace.com wildcard cert that I have for example.net.
You don't have a ServerAlias defined for www.example.net which means it will not be able to find an exact match for the domain name. In this case it uses the first of your virtual hosts in the configuration, whichever this is in your case.
I have one SSL certificate from GoDaddy (Standard UCC SSL Certificate for up to 5 sub/domains) and two virtual hosts configuration on Apache2.
I can install SSL certificate one every of them separately and they works fine until I add second one.
When the second HTTPS config is added (...), then I am getting kind of weird redirects from one.abc.com to two.abc or vice versa.
I am using the same certificate files for both configs, because it the same Multisite SSL certificate.
F.ex.:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName www.abc.com
DocumentRoot /var/www/htdocs
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/abc.crt
SSLCertificateKeyFile /etc/apache2/ssl/abc.key
SSLCertificateChainFile /etc/apache2/ssl/abc_bundle.crt
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName subd2.abc.com
DocumentRoot /var/www/test2
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/abc.crt
SSLCertificateKeyFile /etc/apache2/ssl/abc.key
SSLCertificateChainFile /etc/apache2/ssl/abc_bundle.crt
</VirtualHost>
</IfModule>
What I am doing wrong?
This:
Now - I understand that because SSL wraps around the HTTP request,
there's no way to know which host is being requested until a public
key has been sent to the client first. This essentially breaks the
possibility of SSL virtual hosts using a standard SSL certificate.
from
https://serverfault.com/questions/113076/apache-ssl-virtualhosts-on-a-single-ip-using-ucc-san-certificate
Lead me to idea that problem is simple that in case of abc.com server just do not know which HTTPS server (www.abc.com or subd2.abc.com) config to take and simply take the first one. Tests that approved.
From that comes second question / conclusion - do I have configuration for domain abc.com. And it has not, I just have it defined as ServerAlias in www.abc.com config.
When I removed from ServerAlias and created configuration with for abc.com and with redirect, than all stays in their places.
We have two domains (gis4business.co.uk and gis4business.com) that point to the same website hosted using apache. We are using SSL for the entire site and have a wildcard SSL certificate for *.gis4business.co.uk.
The default apache conf file (000-default.conf) has a single virtual host configured to redirect from http to https as follows:
<VirtualHost *:80>
...
Redirect permanent "/" "https://www.gis4business.co.uk/"
</VirtualHost>
Then we have a default SSL config file (default-ssl.conf) that has single a virtual host configured as follows:
<VirtualHost _default_:443>
ServerName gis4business.co.uk
ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
...
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.key
SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>
This configuration is working as expected for the following urls:
http://www.gis4business.co.uk
http://www.gis4business.com
https://www.gis4business.co.uk
However, the url https://www.gis4business.com results in a certificate warning (SSL_ERROR_BAD_CERT_DOMAIN in firefox and ERR_CERT_COMMON_NAME_INVALID in chrome).
Its obviously complaining about the SSL certificate not matching the domain (gis4business.com), so I assume we need an HTTPS redirect from gis4business.com to gis4business.co.uk. We have experimented with various configurations and haven't managed to get a redirect working.
We have tried:
1) Adding another virtual host (*:443) to the top of the 000-default.conf file as follows:
<VirtualHost *:443>
ServerName gis4business.co.uk
ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
Redirect permanent "/" "https://www.gis4business.co.uk/"
...
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.key
SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>
2) Adding another virtual host (default:443) to the top of the default-ssl.conf file as follows:
<VirtualHost _default_:443>
ServerName gis4business.co.uk
ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
Redirect permanent "/" "https://www.gis4business.co.uk/"
...
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.key
SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>
If redirection of https from one domain to another is possible without certificate errors, then what is the correct configuration to make it work?
Let's see how the redirect directive works
The Redirect directive maps an old URL into a new one by asking the client to refetch the resource at the new location.
The first request is processed by apache generating a 30x response to automatically redirect browser to the new URL
browser SERVER SSL cert
https://www.gis4business.com --> redirect *.gis4business.co.uk
302-redirect <--
https://www.gis4business.co.uk/ --> process *.gis4business.co.uk
The first request is served from https://www.gis4business.com using a certificate issued to *.gis4business.co.uk, so it is considered invalid consequently
To fix it you need to use a certificate issued to www.gis4business.com or *.gis4business.com. Define a new virtual host or request a new certificate with both hostnames.
To enable SSL, I've uncommented this line in httpd.conf:
# Secure (SSL/TLS) connections
Include /Applications/MAMP/conf/apache/extra/httpd-ssl.conf
The httpd-ssl.conf file itself I've left untouched, and created .crt and .key files for a self-signed SSL certificate in the places it's expecting to see them by default:
SSLCertificateFile "/Applications/MAMP/conf/apache/server.crt"
SSLCertificateKeyFile "/Applications/MAMP/conf/apache/server.key"
Back in the main httpd.conf, I've created a VirtualHost for a site I want to use SSL, and configured like this to eventually get it working:
NameVirtualHost *
<VirtualHost *>
DocumentRoot "/Users/jonnott/Documents/sslsite1.dev"
ServerName sslsite1.dev:443
ServerAlias www.sslsite1.dev
SSLEngine on
SSLCertificateFile "/Applications/MAMP/conf/apache/server.crt"
SSLCertificateKeyFile "/Applications/MAMP/conf/apache/server.key"
</VirtualHost>
This SSL site now works fine.
However, the problem I have is that now whenever I try to visit any local non-SSL hosts, I get this error:
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
These other non-SSL sites are configured in httpd.conf like this:
<VirtualHost *>
DocumentRoot "/Users/jonnott/Documents/site2.dev"
ServerName site2.dev
ServerAlias www.site2.dev
</VirtualHost>
What am I missing / doing wrong?
I think I've pretty much figured it out after reading this:
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2
I needed BOTH of these in my httpd.conf before the start of my VirtualHost directives:
NameVirtualHost *:80
NameVirtualHost *:443
..and then each VirtualHost needed to be port-specific:
<VirtualHost *:80>
DocumentRoot "/Users/jonnott/Documents/Projects/site1"
ServerName site1.dev:80
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "/Users/jonnott/Documents/Projects/site1"
ServerName site1.dev:443
SSLEngine on
SSLCertificateFile "/Applications/MAMP/conf/apache/server.crt"
SSLCertificateKeyFile "/Applications/MAMP/conf/apache/server.key"
</VirtualHost>
I have website on ubuntu with apache server. Domain is from godaddy. When I type example.com it's running file under SSL (with https). But, for www.example.com it's giving me below error.
www.example.com uses an invalid security certificate. The certificate is only valid for the following names: someother.com, www.someother.com, someother.com (Error code: ssl_error_bad_cert_domain)
What I did?
I tried to talk with godaddy. They suggested me to disable SSL v3 from apache server. Everything is ok from their side.
Then I changed ssl.conf file with this: SSLProtocol All -SSLv2 -SSLv3 according to this documentation. But, still it's giving me the same error.
configurations
<VirtualHost *:80>
ServerAdmin myemail#gmail.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example/public_html
ErrorLog /var/www/example/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost _default_:443>
ServerName example.com
DocumentRoot /var/www/example/public_html
ErrorLog /var/www/example/error.log
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/example.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.key
SSLCertificateChainFile /etc/apache2/ssl/example-bundle.crt
</VirtualHost>
Let me know if you need more info.