I have a sub-domain I want to install a valid SSL (possibly free SSL). I used to access my website through the public address of my server. Now I am using subdomain to access my website. I want to add a valid SSL to my server to secure my website. I am using XAMPP. How can I install SSL properly because when I access my website using HTTPS I am getting a NET::ERR_CERT_AUTHORITY_INVALID and where can I get a valid SSL Certificate?
The most popular Free SSL certificate you can get from letsencrypt.
Than here is the steps you can get your certificate works on localhost machine (XAMPP):
Create new folder crt, in default XAMPP location C:\xampp\apache\crt
Paste there 2 files: cert.conf and make-cert.bat
Now edit cert.conf and Run make-cert.bat
Change {{DOMAIN}} text using the domain we want to use, in this case site.test and save.
Double click the make-cert.bat and input the domain site.test when prompted. And just do enter in other question since we already set the default from cert.conf.
After that, you will see site.test folder created. In that folder we will have server.crt and server.key. This is our SSL certificate.
Double click on the server.crt to install it on Windows so Windows can trust it.
And then Select “Place all certificate in the following store” and click browse and select Trusted Root Certification Authorities.
Edit your host file
5.1 Open notepad as administrator.
5.2 Edit C:\Windows\System32\drivers\etc\hosts (the file have no ext)
5.3 Add this in a new line:
127.0.0.1 site.test
This will tell windows to load XAMPP when we visit http://site.test You can try and it will show XAMPP dashboard page.
Add the site in XAMPP conf.
We need to enable SSL for this domain and let XAMPP know where we store the SSL Cert. So we need to edit C:\xampp\apache\conf\extra\httpd-xampp.conf
And add this code at the bottom:
## site.test
<VirtualHost *:80>
DocumentRoot "C:/xampp/htdocs"
ServerName site.test
ServerAlias *.site.test
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "C:/xampp/htdocs"
ServerName site.test
ServerAlias *.site.test
SSLEngine on
SSLCertificateFile "crt/site.test/server.crt"
SSLCertificateKeyFile "crt/site.test/server.key"
</VirtualHost>
After that, you will need to restart Apache in XAMPP. It’s very simple, simply open XAMPP Control Panel and Stop and re-Start Apache Module.
Restart your browser
Arguably most popular free SSL Provider (and the one I use) will be LetsEncrypt.
Steps for installation will vary based on OS, like this for Ubuntu
You may get free ssl using this link [1]. You need to select the Software that you're using for example Apache and select what operating system you are using in my case I am using Debian 9. If you're unsure about your system, you need to ssh to your server and execute the command "$ cat /etc/*release" if you're using Linux.Once you have selected the correct software and system, it will give you instructions on how to get SSL.
You may follow the instructions here [2] on how to install SSL.
Hope this information helps you.
[1] https://certbot.eff.org/lets-encrypt/debianstretch-apache
[2] https://www.sslshopper.com/apache-server-ssl-installation-instructions.html
The most common solution of free SSL is LetsEncrypt.
LetsEncrypt provides a variety of clients for most OSs. I recommend using the client ACMESharp.
Follow the following steps on Powershell (as described in the official documentation of the project)
1) Install ACMESharp
Import-Module ACMESharp
2) Initialize the vault
Initialize-ACMEVault
3) Create new ACME registration using email
New-ACMERegistration -Contacts mailto:somebody#example.org -AcceptTos
4) Submit the domain identifier
New-ACMEIdentifier -Dns myserver.example.com -Alias dns1
5) Handle the Challenge to Prove Domain Ownership
Pick a method to porve that you own your domain, I recommend HTTP
Challenge.
(Complete-ACMEChallenge dns1 -ChallengeType http-01 -Handler manual).Challenge
If you do not get the challenge details like file path and content in the output , try this:
(Update-ACMEIdentifier dns1 -ChallengeType http-01).Challenges | Where-Object {$_.Type -eq "http-01"}
You'll probably have to allow hidden locations to be accessed via apache, so the challenge can reach .well-known location.
You could use something like the following config, depending on your custom needs (as mentioned in this post as well):
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_FILENAME} !.well-known/
RewriteRule "(^|/)\.(?!well-known)" - [F]
</IfModule>
6) Submit the Challenge Response to Prove Domain Ownership (HTTP method)
Submit-ACMEChallenge dns1 -ChallengeType http-01
The challenge does not get updated instantly so try updating on the results until it's valid.
(Update-ACMEIdentifier dns1 -ChallengeType http-01).Challenges |Where-Object {$_.Type -eq "http-01"}
Once it's valid, try:
Update-ACMEIdentifier dns1
7) Request and Retrieve the Certificate
New-ACMECertificate dns1 -Generate -Alias cert1
Submit-ACMECertificate cert1
The certificate might not be issued instantly so try:
Update-ACMECertificate cert1
Until it's ok.
8) Export the public and private keys
Private key:
Get-ACMECertificate cert1 -ExportKeyPEM "path\to\cert1.key.pem"
Certificate signing request:
Get-ACMECertificate cert1 -ExportCsrPEM "path\to\cert1.csr.pem"
Lets encrypt public certificate:
Get-ACMECertificate cert1 -ExportCertificatePEM "path\to\cert1.crt.pem" -ExportCertificateDER "path\to\cert1.crt"
Issuer's public certificate:
Get-ACMECertificate cert1 -ExportIssuerPEM "path\to\cert1-issuer.crt.pem" -ExportIssuerDER "path\to\cert1-issuer.crt"
You don't practically need all of the above, anyway, but the private key is absolutely necessary so keep it safe.
For more documentation visit the github repo of the project.
Related
Morning guys
I have never really dealt with SSL's on an apache server.
I found the domain on godaddy for my site. Downloaded the CentOS Apache zip.
This includes
gd_bundle .crt
hereismysite.crt
blahblah.pem
Now,the folder that currently has the SSL has
gd_bundle .crt
hereismysite.crt
blahblah.key
I have this rekey thing on godaddy for the CSR?
I am a little confused as to how to do this step and what to do with it?
I followed some apache instructions here after I replaced the files with the new ones. (I also just replaced the .pem info in the key). Crashed the servers all on apachectl restart so put the old ones back and restarted again
https://ae.godaddy.com/help/manually-install-an-ssl-certificate-on-my-apache-server-centos-5238
I am baffled.
Anyone able to break it down for a dummy like me?
To configure your site you need the following:
A private key
A public certificate
A CA bundle containing intermediate certs (not always required)
The zip from godaddy contains the following:
gd_bundle.crt - This is the CA bundle
hereismysite.crt - This is your sites public certificate signed by godaddy
blahblah.pem - This is the same as hereismysite.crt in a different format (I haven't been able to verify why they do this, maybe convenience...?)
On your server, you have:
gd_bundle.crt - Same as above
hereismysite.crt - Same as above
blahblah.key - Your private key. This is generated during the CSR process. If you don't have or lost this file, then you need to rekey your cert as you mentioned in your post.
To put all this together, your Apache config will look something like this:
<VirtualHost *:443>
ServerName www.example.com
SSLEngine on
SSLCertificateFile "/path/to/hereismysite.crt"
SSLCertificateKeyFile "/path/to/blahblah.key"
</VirtualHost>
See also: https://bofeng.github.io/post/godaddy-ssl-cert-nginx/
I have trouble installing the ssl certificate in a server.
The vhost file looks like this
`<VirtualHost <ip>:443>
DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/YourIntermediateCertificate.crt
</VirtualHost>`
I have tried SSL checker and the results are as follwing.
the error it shows is
The certificate is not trusted in all web browsers. You may need to
install an Intermediate/chain certificate to link it to a trusted root
certificate. Learn more about this error. The fastest way to fix this
problem is to contact your SSL provider.
An intermediate certificate is already installed. The common name for server in the image should be same as host name. I am not sure why it is "CloudFlare Origin Certificate". Need help in solving this issue. Thanks!!
I have researched and found an answer for this issue.
To resolve the issue we need to enable the proxy for all A, AAAA, and CNAME records using cloudflare dashboard. Below is the explanation for why to enable the proxy.
Normally, the request hit the origin(server) directly and response is served. To encrypt this communication we use SSL certificate. But, the SSL certificate is also used for the identity of the origin server. Here in the above case, no chain certificate file is provided to identify the origin server i.e yourdomain.com, rather the certificate is issued to cloudflare.
After enabling the proxy, the request hits cloudflare and the same request is sent to the origin server, the response from origin server is received by the cloudflare proxy and it is sent to the user. In this way the users browser thinks cloudflare proxy as the origin server and identifies cloudflare since it has its own ssl ( we don't need to bother ).
After enabling proxy, we don't need any chain certificate file to be installed in the origin server. We just need to install the server certificate issued by cloudflare.
I recently successfully installed Letsencrypt, and my site seems to work well with https. When i visit it e.g https://example.com, no errors/warnings appear. However when i visit it with https://www.example.com, (including www) in all browser I get some sort of warning, for example, in chrome:
Your connection is not private
Attackers might be trying to steal your information from
www.example.com (for example, passwords, messages, or credit cards).
NET::ERR_CERT_COMMON_NAME_INVALID
And in opera:
Opera cannot verify the identity of the server "www.example.com", due to a certificate problem. The server could be trying to trick you.
My server runs apache and https works wonderfully when not www. In /etc/letsencrypt/live/www.example.com/ I have:
cert.pem chain.pem fullchain.pem privkey.pem
Would appreciate any help and do ask if you require further detail. Hope this helps others too.
This is saying the cert is not valid for www.example.com.
Could be several reasons for this including:
You didn't specify this when creating the cert and only asked for example.com. Though weird that LetsEncrypt has put it in the www.example.com directory, suggesting you did do this right.
You made a typo in the domain name.
You included the protocol (http/https) in the domain name and/or the port (443). These should not be in the cert request and just the domain name.
You have a separate cert for example.com and www.example.com and have only one configured in Apache. Most sites use the same cert for both and have both versions valid for the domain.
Probably best to view the cert to rule out some of these. This can either be done in the browser by clicking on the green padlock when viewing https://example.com and/or running this command:
openssl x509 -in /etc/letsencrypt/live/www.example.com/cert.pem -text
You can also use the https://www.ssllabs.com/ssltest/ online tool to view your SSL setup (in fact I'd recommend to do this anyway!).
It might be late but the problem is there because you didn't mentioned www.exemple.com in the certbot setup.
to add the domain to your certificate just run this command
sudo certbot --expand -d www.camelges.com
then restart your apache server
if you are on ubuntu service apache2 restart
Reference: https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates
From their post here:
Can I get a certificate for multiple domain names (SAN certificates)?
Yes, the same certificate can apply to several different names using
the Subject Alternative Name (SAN) mechanism. The Let's Encrypt client
automatically requests certificates for multiple names when requested
to do so. The resulting certificates will be accepted by browsers for
any of the domain names listed in them.
If your common name is example.com you will need to set a SAN as www.example.com when generating the certificate request.
Adding to the points from BazzaDP, (From my own experience).
5) if you have virtual configuration files where ServerName is same but ServerAlias is different then you will be getting same err, hence you should change ServerName.
You need to generate certificate for both URL's, by example:
sudo certbot --apache -d mydomain.com,www.mydomain.com
Knowing that my apache certificates were to expire, I went through the process of renewing them. I got them all in place. My website worked wonderful. Checking the cert from IE showed the new expiration date. Perfect... or so I thought. When the original expiration date hit, I couldn't access the website. My log is showing a Java cert expired. I can't find it on my system.
I've done simple things like find / -name "*.crt" I've gone through our company admin guide. I've checked several websites. But I can't determine where there is an expired cert. Is there a way to get Java to tell you more information about the error?
My system info:
3 servers: FrontEnd, Middleware, DB. Using Apache, Tomcat, ecm. Closed system so I can't copy the log.
Error message from log on FrontEnd:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sun Feb 01 20:44:51 UTC 2015
If you have and apache http server normally the ssl certificate is configured in /etc/httpd/httpd.conf or in a separate file under /etc/httpd directory like /etc/httpd/sites/vhosts_your_site. The property is SSLCertificateFile defined inside a <VirtualHost> tag. You can grep for:
grep -r "SSLCertificateFile" /etc/httpd/
Typically the configuration looks like:
<VirtualHost your_ip:443>
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path_to_your_cds.crt
SSLCertificateKeyFile /path_to_your_private.key
SSLCertificateChainFile /path_to_your_cdschain.crt
...
</VirtualHost>
See the apache documentation for more details.
Could be also possible to configure a ssl certificate in tomcat, however since you've an apache I think that it's more probably the configuration is there.
Anyway if you want to check if the ssl certificate is configured under tomcat check in the $CATALINA_BASE/conf/server.xml file if there is a <connector> with attribute scheme="https".
If your connector uses JSSE the certificate keystore path is in <connector keystoreFile='your_ks_path'>, if you use an ARP connector then is in <connector SSLCertificateFile='your_cert.cer'>.
For more details take a look at tomcat ssl documentation.
Hope this helps,
If you don't you Apache as an SSL Proxy it could be that your Apache is using a certificate which is stored in a Java Keystore File (jks). So you should check for jks files: find / -name "*.jks"
i am new to site maps, and Google sitemap generator.
i am working on a test server and neither localhost nor live. its basically a local test server.
I have installed it and also enabled remote access and am now able to access the admin console using http.
the problem is i need to enable https as well.
when i try to access it through https, i get an "SSL CONNECTION ERROR".
i know that google's documentation on this topic says something like:
To set up HTTPS on Linux:
1.Edit the file /usr/local/google-sitemap-generator/conf/httpd.conf.
2.In the VirtualHost section, edit the SSL settings.
3.Save the file.
4.Restart Apache to effect the changes.
But in the file httpd.conf, there are no "SSL settings" for me to edit.
Can someone remove this 'vagueness' from the directions?
Thanks
I suppose, you have to add to /usr/local/google-sitemap-generator/conf/httpd.conf something like this (into virtualhost directive)
SSLEngine on
SSLCertificateFile /etc/google-sitemap-generator/server.crt
SSLCertificateKeyFile /etc/google-sitemap-generator/server.key
This link was helpful for me: http://groups.google.com/group/google-sitemap-generator/browse_thread/thread/a5b0575efad76328
In my case server.crt and server.key files were generated by openssl command (http://www.akadia.com/services/ssh_test_certificate.html).
Make sure mod_ssl is enabled in Apache (run a2enmod).