ssl installation on apache ubuntu16.0.4 - apache

My hosting (instance) is on EC2 and the domain is on Nominalia. I am using ubuntu16.0.4 and Laravel 5.4. I have generated the CSR, key file and certificate file and kept them in the root of the server, which is /var/www/html.
Now I have to place:
<VirtualHost *:443>
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /var/www/html/sitename.com.crt
SSLCertificateKeyFile /var/www/html/sitename.com.key
SSLCertificateChainFile /var/www/html/intermediate-ca.crt
</VirtualHost>
I am not sure where I should keep it. I tried keeping it in /etc/apache2/sites-enabled/000-default.conf, /etc/apache2/sites-enabled/default-ssl.conf and /etc/apache2/sites-available/default-ssl.conf, but it did not work and I am getting errors.
In Chrome:
This site can’t be reached
and in Mozilla:
Secure Connection Failed
The site is working without https.
I also tried keeping both "VirtualHost *:443" and "VirtualHost *:80" in /etc/apache2/sites-enabled/000-default.conf, but that also did not work. In this case, I am getting "This site can’t be reached".
There are a lot of articles that I have been reading for a few days, but I am not getting how to do the final setting so that my site starts working after I have successfully placed all the certificate files.

Recently Chrome stopped accepting self-signed certificates. You can save a lot of effort using Let's Encrypt SSL certificates. They are free, but valid for 90 days only. But you can configure an auto-renewal process, so you don't need to worry, because everything happens behind the scenes.
Installation on Ubuntu is simple:
1. Add repository to apt
sudo add-apt-repository ppa:certbot/certbot
After that completes, update apt-get:
sudo apt-get update
2. Install Certbot
Certbot is a client tool for managing certificates from Let's Encrypt.
Run:
sudo apt-get install python-certbot-apache
3. Set up SSL Certificate
sudo certbot --apache -d sitename.com
If your domain could be accessed with www prefix run this command instead:
sudo certbot --apache -d sitename.com -d www.sitename.com
From now on, Certbot will run automatically via /etc/cron.d to check for expiring certificates.
You can validate the process by running:
sudo certbot renew --dry-run
It's done.
Full documentation for Certbot is here: https://certbot.eff.org/docs/
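The vhost in the question is valid Apache syntax; what usually goes wrong on Ubuntu is that mod_ssl is not loaded (sudo a2enmod ssl), the SSL site is not enabled (sudo a2ensite default-ssl), port 443 is not open in the EC2 security group, or, as in the question, the private key is kept under /var/www/html where Apache serves it to anyone over plain HTTP. The following stdlib-only Python checker is an added example, not code from the question or any answer; it parses a *:443 vhost and flags those mistakes, and the sample config and paths in it are constructed.

```python
import re
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return [{'addr': '*:443', 'directives': {...}}, ...], one per block."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()      # drop comments
            if not line or line.startswith("<"):       # skip nested <Directory> tags
                continue
            parts = line.split(None, 1)
            directives[parts[0]] = parts[1].strip('"') if len(parts) > 1 else ""
        vhosts.append({"addr": addr.strip(), "directives": directives})
    return vhosts

def check_ssl_vhost(site_conf, ports_conf):
    """Return a list of problems; an empty list means the 443 vhost looks sane."""
    ssl_hosts = [v for v in parse_vhosts(site_conf) if v["addr"].endswith(":443")]
    if not ssl_hosts:
        return ["no <VirtualHost *:443> block found"]
    problems = []
    # Without Listen 443 Apache never binds the port: 'This site can't be reached'.
    if not re.search(r"^\s*Listen\s+(?:\S+:)?443\b", ports_conf, re.M):
        problems.append("no 'Listen 443' in ports.conf")
    for v in ssl_hosts:
        d = v["directives"]
        if d.get("SSLEngine", "").lower() != "on":
            problems.append("SSLEngine is not 'on'")
        for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if key not in d:
                problems.append(f"{key} missing")
        if "SSLCertificateChainFile" not in d:   # wget/curl then cannot verify the issuer
            problems.append("no SSLCertificateChainFile (ok only if chain is in SSLCertificateFile)")
        docroot, key_path = d.get("DocumentRoot"), d.get("SSLCertificateKeyFile")
        if docroot and key_path and key_path.startswith(docroot.rstrip("/") + "/"):
            problems.append(f"private key {key_path} is inside DocumentRoot: served over HTTP")
    return problems

# Constructed sample: the vhost from the question, key stored in the webroot.
SAMPLE_SITE = """<VirtualHost *:443>
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /var/www/html/sitename.com.crt
SSLCertificateKeyFile /var/www/html/sitename.com.key
SSLCertificateChainFile /var/www/html/intermediate-ca.crt
</VirtualHost>
"""
SAMPLE_PORTS = "Listen 80\n"   # constructed: no 443 listener at all
```

Running check_ssl_vhost(SAMPLE_SITE, SAMPLE_PORTS) reports the missing Listen 443 and the key inside the DocumentRoot; moving the key to /etc/ssl/private (mode 0600, owner root) and adding Listen 443 yields an empty list.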

Related

How to install lets encrypt ssl in amazon linux AMI?

How to install Let's Encrypt SSL in Amazon Linux AMI? I want to implement the Let's Encrypt SSL for my domain.
There are a lot of solutions online; I think you have to keep on trying until you find one that works for you. After a lot of experimentation, what worked for me was following the certbot instructions for Apache and CentOS 6. The official link is here, but for consistency:
Run the following commands in the terminal:
Download Certbot
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
Execute Certbot
sudo /usr/local/bin/certbot-auto --apache
If there's an error message, read the warning and run (if you feel comfortable):
sudo /usr/local/bin/certbot-auto --apache --debug
Here, you may be asked to complete some fairly intuitive questions to configure your installation. If not, what worked for me won't work for you. :(
Automate Renewal
Test to see if renewing your certificate works:
sudo /usr/local/bin/certbot-auto renew --dry-run
If so, navigate to your system's crontab (usually somewhere around /etc/crontab/) and add the following code to check (and run, if necessary) the auto-renewal at midnight and noon every day:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew
Here I will explain how to configure Let's Encrypt on a Linux AMI. I did it successfully on my Linux AMI. I followed the following steps to get it done.
1. SSH into your server.
2. Download certbot (the Let’s Encrypt client, which needs to be installed to renew and install SSL): **wget https://dl.eff.org/certbot-auto** then **chmod a+x certbot-auto**
3. Run certbot to fetch your certificates. Follow the code below:
sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d YOUR_DOMAIN [Replace the YOUR_DOMAIN placeholder with your domain]
4. While generating, it will ask you for a recovery or support email; please add your email.
5. Certbot will place your certs in the following paths:
Certificate: /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem
Full Chain: /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem
Private Key: /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
6. Go to your Apache config where you created the virtual host; it can be either in httpd.conf or conf.d.
7. Add the virtual host for port 443:
<VirtualHost *:443>
ServerAdmin ADMIN_EMAIL
ServerName YOUR_DOMAIN
ServerAlias www.YOUR_DOMAIN
DocumentRoot "YOUR FOLDER PATH"
AllowEncodedSlashes On
ErrorLog "/var/log/httpd/YOUR_DOMAIN_error.log"
CustomLog "/var/log/httpd/YOUR_DOMAIN-sslaccess.log" common
<Directory YOUR FOLDER PATH>
DirectoryIndex index.php
Options -Indexes
AllowOverride All
</Directory>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem
</VirtualHost>
You need to install Certbot if you are running CentOS 7 or 8 since Certbot-auto is deprecated and doesn't work beyond CentOS 6.
You can check which CentOS you are running by using the following command.
rpm -E %{rhel}
And use this tutorial from Amazon to install Certbot in Amazon Linux:
sudo yum update
sudo yum install -y certbot python2-certbot-apache
If you get a "Package not found" error, then try the Prepare to Install section from the same blog.
sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
sudo yum-config-manager --enable epel*

Apache SSL Verify Authority Setup

I am confused with SSL certificates on Apache. I have the SSL vhost set up in /etc/httpd/conf.d/ssl.conf, which works fine, but when I try to use wget from another server to pull down some files I get "Unable to locally verify the issuer's authority."
The SSL was bought from cheapsslsecurity.com and the zip comes with multiple CRT files and I'm not sure what is what.
So we have the following files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationecureServerCA.crt
STAR_websitenamehere_com.crt
The vhost is currently set up like this:
SSLCertificateFile /etc/pki/tls/certs/STAR_websitenamehere_com.crt
SSLCertificateKeyFile /etc/pki/tld/private/websitenamehere.com.key
SSLCACertificateFile [I have tried all of them here except the STAR_ one and still get the same error with wget]
The main SSL works in the web browser, but nothing I do seems to allow wget to pull anything without producing an error.

Letsencrypt certificate for www and non-www domain

I have generated an SSL certificate like so:
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
./letsencrypt-auto certonly --standalone
Then I was asked for an email ... and a domain name. I entered example.com
I figured out that I could enter multiple domains to be included in one certificate using a different approach. E.g.:
sudo -H ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
I wonder if I could have entered multiple domains when I was prompted for them in a dialog, or whether I now need to regenerate using a different approach?
Do I need to remove the previous letsencrypt installation before going the new way?
UPDATE -> SOLVED
sudo ./certbot-auto certonly --standalone -d example.com -d www.example.com
You do not need to remove the installed certificate.
You can extend it to your sub-domain if you're using the same domain. Do the following:
sudo certbot certonly --standalone -d example.com -d www.example.com
When prompted for Expanding or Cancelling, reply with E then hit the Enter key on your keyboard.
The certificate should be set up successfully.
If you encounter this error: Problem binding to port 80: Could not bind to IPv4 or IPv6, stop Apache by running systemctl stop apache2 then run the above certbot command again.
Once the SSL certificate is successfully set up, run systemctl restart apache2 to get Apache up and running again.

using certbot-auto for nginx

I have an nginx running.
Now I want my nginx to use SSL:
certbot-auto --nginx -d my.domain.com -n --agree-tos --email admin#mail.com
OUTPUT:
Performing the following challenges:
tls-sni-01 challenge for my.domain.com
Cleaning up challenges
Cannot find a VirtualHost matching domain my.domain.com.
my.domain.com is pointing to the IP of my server. It's its DNS name.
What am I doing wrong? I did this already for Apache and it was working fine. My nginx is running (and I'm not able to restart it manually after the certbot-auto, but this wasn't necessary when I used certbot-auto --apache).
In my case, I had to add the "server_name" line because it wasn't in my nginx config so it was giving me the error message "Cannot find a VirtualHost matching domain my.domain.com" when I ran:
certbot --nginx
Make sure this is in your config:
server {
server_name my.domain.com;
....
}
You are probably missing some server block (virtual host) files in the sites-enabled folder. Check if your config files exist in /etc/nginx/sites-available and /etc/nginx/sites-enabled. If they are not present in the sites-enabled folder, create symbolic links for them:
$ sudo ln -s /etc/nginx/sites-available/my.domain.com /etc/nginx/sites-enabled/
Add your site, check for config errors and restart nginx:
$ sudo certbot --nginx -d my.domain.com
$ sudo nginx -t
$ sudo service nginx restart

How do I enable https on my EC2 AMI Apache server

I have bought an SSL certificate from a respected authority on the internet. I am just having problems installing the certificate and enabling https on my server. I have only been given the certificate and the private key. How do I go about copying these files to my server and enabling https?
NOTE: I am running an Amazon micro instance.
First try to install mod_ssl on your server with the following command:
yum install mod_ssl
Once it's installed you can update your httpd configuration file with your SSL certificate details.
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/mydomain.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mydomain.key