I am confused with SSL certificates on apache. I have the SSL vhost setup in /etc/httpd/conf.d/ssl.conf which works fine, but when i try to use wget from another server to pull down some files i get "Unable to locally verify the issuer's authority."
The SSL was bought from cheapsslsecurity.com and the zip comes with multiple CRT files and i'm not sure what is what.
So we have the following files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationecureServerCA.crt
STAR_websitenamehere_com.crt
The vhost is currently setup like this:
SSLCertificateFile /etc/pki/tls/certs/STAR_websitenamehere_com.crt
SSLCertificateKeyFile /etc/pki/tld/private/websitenamehere.com.key
SSLCACertificateFile [i have tried all of them here except the STAR_ one and still the same error with wget]
The main SSL works in the web browser, but nothing i do seems to allow wget to pull anything without producing an error.
Related
I edited '/etc/apache-sites-enabled/default-ssl.conf' to include the following:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/mydomain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/mydomain.com.key
SSLCertificateChainFile /etc/apache2/ssl/mydomain.com.ca-bundle
The files exist and contain the relevant blocks from my Rapidssl. SSL is enabled via a2enmod ssl, have also checked port is open and checked error log.
The apache error log is clear and http is accessible.
When I visit the site I get this message in Chrome:
SSL connection error
ERRSSLPROTOCOL_ERROR
Hide details
Unable to make a secure connection to the server. This may be a problem with the server or it may be requiring a client authentication certificate that you don't have.
To me it seems to be pointing to the CA Bundle being not seen?
I'm running apache with on a multi-tenant server with vhost sites configured.
So I have a vhost for domain1.com that has SSL cert defined in the vhost file. Then I have domain2.com that does not have SSL cert defined. If I visit https://domain2.com, the browser pulls up the website for domain1.com, then of course displays a broken SSL cert warning in the browser.
The way I'm trying to correct this is:
First, in the vhost.conf file for domain2 I've put this:
<VirtualHost ip:443>
ServerName domain2.com
DocumentRoot /var/www/domain2/
SSLEngine on
SSLCertificateFile /var/certs/cert.crt
SSLCertificateKeyFile /var/certs/cert.key
Redirect permanent / http://www.domain2.com
</VirtualHost>
Of course this client doesn't actually own their own SSL certificate, so I'm pointing it to a certificate file for one of our domains. This in some instances gives a certificate warning to the user when they visit https://www.domain2.com or https://domain2.com. (in Chrome I can go to https://domain2.com and get redirected without a warning)
Of course generating a self-signed cert to use for this purpose also throws a cert warning. If I remove the "SSLEngine On" directive so I don't have to specify a cert at all, it essentially breaks SSL on the entire server and no sites work right.
How can I successfully do this without having to worry about users getting the certificate warning, and simply redirect all their HTTPS requests for domain2.com to HTTP?
You can't.
The only way to have a proper redirect without certificate warnings is to have a proper certificate for the domain you want to redirect from.
A redirect is done at the HTTP level, that is inside the TLS tunnel created by the HTTPS connection. Thus the clients first needs to create the TLS connection before it can get the redirect. But creating the TLS connection already results in the certificate issue because name in the URL and in the certificate do not match.
Another way is to move all SSL hosts to one IP address and all other hosts to another IP address. This way the client will not get a certificate warning but will see that there is no HTTPS on this address.
My site https://uberdice.com works fine for me with no SSL related errors or warnings.
However a few of my users have informed me they are getting SSL related warnings. I believe I have installed everything correctly. Below you can see the apache2.conf file:
<VirtualHost *:443>
DocumentRoot /var/www/
ServerName uberdice.com
SSLEngine on
SSLCertificateFile /path/uberdice.com.crt
SSLCertificateKeyFile /path/uberdice.com.key
SSLCertificateChainFile /path/intermediate.crt
</VirtualHost>
All files are in the same directory. I have also tried using the SSLCACertificateFile directive.
Yet when I run a check on: https://www.sslshopper.com/ssl-checker.html#hostname=https://uberdice.com it would appear to fail to connect to a root certificate. Presumably from a faulty intermediate certificate.
I am using RapidSSL and this bundle code for the intermediate certificate https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26464.
Does anyone have any ideas what is going wrong?
Thanks.
Your are sending the wrong intermediate certificates and it only works in your browser because you either have cached the right certificates from visits to other sites using the same chain or because the browser is actively downloading the missing certificates (Chrome on desktop might do, Firefox not).
Have a look at the trust path information in the analysis from SSLLabs and you will see:
Chain issues Incomplete, Extra certs
That's the problem you need to resolve, i.e. remove the wrong chain certificate and add the right one. For more information look at the "Certification Path" information in the analysis. In short: instead of "RapidSSL CA" you need "RapidSSL SHA256 CA - G3".
I just got commodo free ssl trial, and uploaded the ssl to my EC2 instance using AWS CLI, then changed the listener in the loadbalancer to the new ssl, but when I run ssl checker still shows the previous self signed certificate, which causes the browser warning when accessing the website, I have googled for hours trying to find and answer and followed everything in regards of updating the SSL but still no luck
Ok I had to figure it out myself, since it was the first time i had to install an SSL on an aws server, and thought i would post the answer in case someone else is going trough the same issue.
I have got my ssl from comodo which they provide 2 files (file.crt & file.ca-bundle), I went through load balancer to change my SSL first, not 100% sure if it is a required step, but I would recommend doing, so you would need the three ssl files (name.key "which is the one you submitted to your ssl provider", name.crt and name.ca-bundle).
1- in my case I was using an ubuntu instance with apache2, you will need to create a new ssl directory in /etc/apache2 (e.g /etc/apache2/ssl).
2- Upload all three files to the new directory.
3- navigate to /etc/apache2/sites-enabled -> and edit ssl-enabled.conf as follows:
<VirtualHost>
DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>
4- Restart your apache2 service and you should be all good to go.
Hope that was helpful
I have an EC2 instance on AWS, with Apache server.
I purchased an SSL certificate from Comodo and installed the following files in /etc/pki/tls/private/:
server.ca-bundle server.crt server.key
I also added the following lines to /etc/httpd/conf/httpd.conf:
<VirtualHost www.mydomain.com:443>
ServerName www.mydomain.com
DocumentRoot "/var/www/html"
SSLENGINE on
SSLCertificateFile /etc/pki/tls/private/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCertificateChainFile /etc/pki/tls/private/server.ca-bundle
</VirtualHost>
and restarted the http server.
But when trying to access my site through https://www.mydomain.com there is a certificate error warning (but if I continue through the warning, the site shows well).
I checked with ssltool.com and got:
The site tested www.mydomain.com is NOT the same as the Subject CN ip-10-203-65-225!
Needless to say, the key file was created with my domain name (CN=www.mydomain.com) and not with the name containing the ip.
When I enter "hostname" in the unix shell, I indeed get 'ip-10-203-65-225', which is something that Amazon gave it automatically. But even if I change it (in /etc/sysconfig/network) it is still seen as ip-10-203-65-225.
On the other hand, the same problem is viewed without installing the keys: Even if I remove those lines from httpd.conf, and remove the key files, the browsers warn about a certificate error, as if there is a self-signed certificate and with the same error on ssltool.com. So it seems that it's not that my key files are invalid but rather that the server doesn't use them at all...
I'm totally confused. Please can anybody help?
For some reasons, none of the pages I visited to seek for the answer mentioned that the above lines should be in
/etc/httpd/conf.d/ssl.conf
and not in
/etc/httpd/conf/httpd.conf
(and not inside a <virtualHost> section)
Your certificate was issued to a Common Name (CN) matching the hostname of your EC2 instance. You need to create a new CSR using the correct hostname and go through the entire process again. When you generate the new CSR, be sure to change the CN rather than accept the default.