Let's Encrypt ssl certificate send twice in TLS handshake - ssl

when making a wireshark trace to check if my Let's Encrypt certificate is correctly offered by our server, I see that the same certificate is being send twice in TLS handshake when 'Server Hello Done'.
How can this occur ? How to correct ?
The certificate details is 2 times exactly the same :
Extra info requested :
I trace this with wireshark by visiting a https-page of my Apache webserver (CentOS Linux release 7.4.1708 (Core)) with my Chrome browser on Fedora 25 client.
VirtualHost config :
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
Don't know if it matters, but I also have a second VirtualHost with a different Let's Encrypt certificate :
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/letsencrypt/live/my2.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my2.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my2.domain.tld/fullchain.pem

The Problem
This is caused by simultaneous config of SSLCertificateFile along with SSLCertificateChainFile.
From the mod_ssl documentation (Emphasis mine):
This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate.
But if you check your fullchain.pem, you'll see that it includes the server certificate at the top, followed by the Let's Encrypt issuing CA. Apache is delivering the contents of SSLCertificateFile with the SSLCertificateChainFile concatenated after it. Since your server's certificate appears in both of them, it's duplicated in the final chain seen in the SSL handshake, just like you observed in Wireshark:
vhost.conf Sent To Client
+---------------+ +------------------+
| cert.pem |----------> |Server Certificate|
| | | + |
| + | +---> |Server Certificate|
| | | | + |
| fullchain.pem |----------> | CA Certificate |
+---------------+ +------------------+
The Fix
In modern Apache, don't use SSLCertificateChainFile directive anymore, and give fullchain.pem directly to SSLCertificateFile.
Again, from the mod_ssl documentation:
SSLCertificateChainFile is deprecated
SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.
So all you should need to do is change your vhost configuration from this:
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
To this:
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem

Related

Browser not asking for client certificate when CA is set in Apache

UPDATED :
I updated my CA to match the CA that my client certificate was issued from and my browser now prompts me to choose a certificate (and the correct certificate is listed) but the error "ERR_BAD_SSL_CLIENT_AUTH_CERT" persists.
OLD MESSAGE :
I need to make a certificate authentication with Apache.
My problem is that no certificate list pops up when the CA is set in Apache. However, not setting it brings the popup and allows me to select a certificate... but of course the authentication doesn't work and brings the following error :
ERR_BAD_SSL_CLIENT_AUTH_CERT
The configuration I have is the following :
ssl.conf :
SSLEngine on
SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite HIGH:MEDIUM
SSLCACertificateFile /etc/httpd/ca.cer
SSLCARevocationFile /etc/httpd/crl.pem
SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth 10
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_CN
vhost :
Include ssl.conf
SSLCertificateFile /etc/httpd/sub.domain.crt
SSLCertificateKeyFile /etc/httpd/sub.domain.key
The CA is also installed on my computer along with my client certificate, ready to be used.
There's nothing in the logs, just a line mentionning a closed SSL connection.
Been searching for a while and I can't find what could be causing this.
Alright so first the SSLVerifyDepth parameter wasn't properly set. I was able to find this by checking Apache's ssl_error_log file.
And second, the log file was saying that the CRL was not reacheable. Even if set what I thought was the correct CRL... but I actualy forgot the CRL of the CA that is above the clients CA !
Thanks again for helping me with checking the CA, case closed !

LetsEncrypt SSL Error - SSL routines:ssl3_get_record:wrong version number

I've managed to pull down a fresh cert from LetsEncrypt. My VirtualHost config is set up as:
<VirtualHost *:80>
ServerName example.com
Redirect 301 / https://example.com/
</VirtualHost>
<VirtualHost *:443>
Servername example.com
DocumentRoot /var/www/example.com/wav
ErrorLog /var/log/apache2/example.com/www/error.log
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
When trying to verify this with openssl:
openssl s_client -connect example.com -port 443
I get the following:
CONNECTED(00000003)
140229655213824:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 202 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1541086087
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
So, looks like the handshake is okay but the cert isn't being sent.
Worth pointing out that the Apache logs don't report any errors - just the usual - "starting up/shutting down" messages. apache2ctl configtest reports no issues.
So, looks like the handshake is okay but the cert isn't being sent.
The handshake is not ok. The Client has sent the ClientHello to start the handshake but received nothing useful back:
|- ClientHello
---
SSL handshake has read 5 bytes and written 202 bytes
---
|- nothing useful from server
I don't know what it is getting back in the 5 bytes but it does not look like TLS (too short for a TLS message). It might be some server misconfiguration which can not be seen from the part of the config you've shown. It might also be some middlebox (firewall, load balancer...) hurting the connection. It might also be that you don't connect to the expected server (i.e. example.com does not resolve to your actual server).
I recommend that you first check on the server itself (i.e. localhost) and if this works move further away from the server with your checks. You might also do a packet capture and have a look what you'll find in the 5 bytes received by the client.
Just sharing for anyone who ends up here with the same problem.
This is my experience in Ubuntu 20 with Apache
I was editing the default-ssl.conf in SITES-AVAILABLE folder but nothing happened. The above same error was repeating no matter what i did.
I copied the default-ssl.conf from sites-available into SITES-ENABLED folder without the IfModule mod_ssl.c tag and THAT SOLVED THE PROBLEM.
Hope this info helps someone.
Thanks
It seems apache's default *:80 HTTP handler will also listen on 443 for unmatched VirtualHost IPs including loopback.
For example, my machine has a NAT ip 192.168.32.5 and of course the 127.0.0.1 loopback. If my site conf uses <VirtualHost 192.168.32.5:443> then any requests that resolve to 127.0.0.1:443 are actually answered by the default HTTP handler...not HTTPS. Simply setting my hosts entry for the SSL hostname to 192.168.32.5 fixed the issue.
I had the same issue. My example.com.conf file did have HTTPS set up properly, but my 000-default.conf file did not. I seemed to have forgotten to include the SSL certificate and turn on the SSL engine for my 000-default.conf, but after I fixed that, it worked perfectly.
The code I added to 000-default.conf:
SSLEngine On
SSLCertificateFile /etc/ssl/example.com/domain.cert.pem
SSLCertificateKeyFile /etc/ssl/example.com/private.key.pem
I got the same error with you. suggest you test your https connection on local, add your domain name to /etc/hosts, ex:
127.0.0.1 yourdomain.com
in order to keep packet not going out.
then using "links" to test the https connection in local environment, if no problem, then it's caused by ISP firewall issue or setting, I finally found local https connection ok and throw the problem to ISP to solve this problem finally, good luck!
set your file types for ssl as well, this is confirmed working
See the FilesMatch section? If that is missing, you will see this error.
SSLEngine on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
SSLCertificateFile /etc/letsencrypt/live/mysite.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mysite.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
#SSLCipherSuite "AES256-SHA"
SSLCipherSuite HIGH:!aNULL:!MD5
We had the problem that our HTTPS-port was serving unencrypted HTTP.
The reason was that we had two VirtualHosts on the same port and one was configured to use SSLEngine on and the other one not.
Deactivating the unencrypted site fixed the problem. Using SSLEngine on on both VirtualHosts would also fix it.
Also, we needed a proper service restart to get out of that problem. A reload had not fixed the problem, although the config was correct at that time.

SSL Certificate Issue with Multiple Domains on One Apache2 Server

I have a server running a LAMP stack:
me#server:~$ sudo apachectl -v
Server version: Apache/2.4.10 (Debian)
me#server:~$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
...
On this server I have many two domains - one with SSL and one without SSL - and everything is currently hunky-dory.
I am trying to add SSL to the second site but requests to the second site fail with the issue:
[FIREFOX]
domain2.com uses an invalid security certificate.
The certificate is only valid for the following names: domain1.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN
[CHROME]
NET::ERR_CERT_COMMON_NAME_INVALID
Note 1: I have checked my version of Apache allows multiple SSL sites on the same server.
This leads me to believe that the SSL files being read when domain2.com is called are actually the files relating to domain1.com.
Curiously, if I disable domain1.com using sudo apache dissite domain1, the SSL works just fine on https://domain2.com. This would indicate that the SSL is installed correctly but the sites across the server are not all configured correctly.
The .conf files are below:
me#server:~& cat /etc/apache2/sites-enabled/domain1
[...Port 80 config redacted...]
<VirtualHost *:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/domain1/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain1/key.txt
SSLCertificateChainFile /etc/apache2/ssl/domain1/intermediate.crt
ServerName domain1.com
ServerAlias www.domain1.com
<Directory /var/www/domain1>
[REDACTED]
</Directory>
[Logging information redacted]
</VirtualHost>
me#server:~& cat /etc/apache2/sites-enabled/domain2
[...Port 80 config redacted...]
<VirtualHost *:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/domain2/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain2/key.txt
SSLCertificateChainFile /etc/apache2/ssl/domain2/intermediate.crt
ServerName domain2.com
ServerAlias www.domain2.com
<Directory /var/www/domain2>
[REDACTED]
</Directory>
[Logging information redacted]
</VirtualHost>
So it is clear both sites have the same configuration items applied but relative to the specific SSL files on the server for that site. Note, the SSL bundles for each site are provided from the same vendor.
Further, the certificates should be correct:
me#server:/etc/apache2/ssl/domain1$ openssl x509 -in server.crt -noout -subject
subject= /CN=www.domain1.com
me#server:/etc/apache2/ssl/domain2$ openssl x509 -in server.crt -noout -subject
subject= /CN=www.domain2.com
From all of this, please can some enlighten me as to why requests to domain2.com fail when domain1.com is enabled?
So yeah.. doing the above was all fine and should work.
If it doesn't work, be sure to check the spelling of the ServerName fields and to not work too late at night!

SSL on Apache HTTP Server

I have 2 crt files for Apache server:
1_root_bundle.crt
2_my_domain_name.com.crt
And other bundle:
1_Intermediate.crt
2_my_domain_name.com.crt
root.crt
I have modified
/etc/apache2/sites-available/default-ssl.conf
And tried various combinations of above mentioned files but after Apache2 service restart SSL does not work, browser shows "Connection is not secure":
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/1_Intermediate.crt
SSLCertificateKeyFile /etc/apache2/ssl/2_my_domain_name.com.crt
SSLCertificateChainFile /etc/apache2/ssl/root.crt
How to make SSL on Apache server?
It is missing the key file with your certificate private key. Usually it has the .key extension like 2_my_domain_name.com.key and the file content starts with -----BEGIN PRIVATE KEY-----
You configuration should looks like this
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/2_my_domain_name.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/2_my_domain_name.com.key
SSLCertificateChainFile /etc/apache2/ssl/1_root_bundle.crt
The SSLCertificateChainFile points to a all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate.
So ensure that 1_root_bundle.crt contains 1_Intermediate.crt content and is in PEM format (base64 with --- BEGIN CERTIFICATE --- ----END CERTIFICATE--- headers)
If you use apache >= 2.4.8 you could also concatenate all certificates in the file pointed at SSLCertificateFile
SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.
1) Install Apache HTTP Server, mod_ssl
2) Configure httpd
Remember to disable SSLv2 and SSLv3, because they are vulnerable.
# Toggle on the SSL/TLS Protocol Engine
SSLEngine On
# The signed certificate of the server
SSLCertificateFile /etc/pki/tls/myserver/myserver.crt
# The private key of the server
SSLCertificateKeyFile /etc/pki/tls/myserver/myserver.key
# The intermediate_certificate of the server
SSLCertificateChainFile /etc/pki/tls/myserver/tls-ca-chain.pem
# Accept only strong encryption
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder on
3) Check the permissions on the certificate files.
UPD:
How to create a key and certificate signing request in one step:
openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out myserver.csr
Next you have to send this csr file to one of the certificate authorities. They will send back your signed certificate, and the intermediate certificate(s).
You can also create a self-signed certificate.
You can use the bundle file with SSLCertificateChainFile.
SSLCertificateFile /home/ubuntu/tad.com/tad.com.crt
SSLCertificateKeyFile /home/ubuntu/tad.com/tad.com.key
SSLCertificateChainFile /home/ubuntu/tad.com/intermediate_bundle.crt
SSLCACertificateFile /home/ubuntu/zup.today/intermediate_bundle.crt
OR
If you are using bundle so it will work without SSLCertificateChainFile file.
SSLCertificateFile /home/ubuntu/tad.com/tad.com.crt
SSLCertificateKeyFile /home/ubuntu/tad.com/tad.com.key
SSLCACertificateFile /home/ubuntu/zup.today/intermediate_bundle.crt

SSL certification apache

I want to setup https on my site
<VirtualHost 1.2.3.4:443>
...
SSLEngine on
SSLCertificateFile /usr/local/ssl/www.blabla.com/public.crt
SSLCertificateKeyFile /usr/local/ssl/www.blabla.com/private.key
SSLCACertificateFile /usr/local/ssl/www.blabla.com/intermediate.crt
...
</VirtualHost>
I've bought certificate and they provide me: ssl certificate code, root certificate code and intermediate certificate code. What is CertificateFile and CertificateKeyFile from these?
SSLCertificateKeyFile would have been passed in as the key when you created the request -- it doesn't come from the CA.
SSLCertificateFile is the "ssl certificate code" you got from the CA
SSLCAcertificate file is the "root certificate code" you got from the CA
The "intermediate certificate code" from the CA should be identified by SSLCertificateChainFile