I just started to learn programming and tried to install SSL on my site.
I used a 90-day free trial SSL from Comodo and it worked well.
I purchased a new SSL from Comodo and generated CSR on the server (on my putty terminal)
My site is a Wordpress run by Bitnami and AWS.
Error message is that my site name is mismatched.
https://www.ssllabs.com/ssltest/analyze.html?d=www.cheeselab.co.kr#whyNotTrusted
How could I solve this problem? I tried to re-install it from the scratch but I don't know what I have to do.
Below codes are what I did
sudo openssl genrsa -out /opt/bitnami/apache2/conf/server.key 204
sudo openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr
sudo nano /opt/bitnami/apache2/conf/cert.csr
sudo nano /opt/bitnami/apache2/conf/cert2.crt
sudo nano /opt/bitnami/apache2/conf/bitnami/bitnami.conf
renamed the file from server.crt to cert2.crt
(above codes worked well)
sudo /opt/bitnami/ctlscript.sh restart apache
but error message with above code as below
Invalid command 'sudo', perhaps misspelled or defined by a module not included in the server configuration apache config test fails, aborting Monitored apache
Related
I have a Godaddy Domain for example , website.com which points to a amazon ec2 instance. I bought a ssl certificate from Godaddy for website.com . How can I configure ec2 instance to make website.com https?
If you are using Ubuntu for the server instance, follow the following points:
Log in to the ec2 instance using ssh or putty
Enable ssl module by executing this command: sudo a2enmod ssl
You may have to restart the apache server through systemctl: sudo systemctl restart apache2
Make a ssl folder under your html directory and open it:
sudo mkdir /var/www/html/my_ssl
cd /var/www/html/my_ssl
Generate csr and key files:
sudo openssl req -nodes -newkey rsa:2048 -keyout my_website.key -out my_website.csr
You'll have to provide these details: Country, State, City, Organization, Unit, FQDN, email, a challenge password, Optioanl company name.
Note that the FQDN can be website.com or example.website.com
Open the csr file through nano or vi and copy its contents: vi /var/www/html/my_ssl/my_website.csr
Go to your godaddy certificate, click on new certificate, choose the second option that handles csr, and paste the contents into it. If no problem is found, you can continue to the next step.
Godaddy will send an email to one of the standard admin emails of the site. If none of them exists, make sure you create it. It will take around half an hour for the certificate to change from pending to valid.
Download the key files from godaddy and put them in the apache ssl folder: /etc/apache2/ssl/certs
Open the default-ssl.conf file for modification : sudo vi /etc/apache2/sites-available/default-ssl.conf
Add your website name, and change the default values for ServerAdmin email, ServerAlias, DocumentRoot, set SSLEngine on, and the paths of SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile.
Finally set the modified file to be the default configuration and restart your apache:
sudo a2ensite default-ssl.conf
sudo service apache2 restart
I was using certificate which expired. I requested new one with new private key and request file.
But when I add new certificate to ISPConfig vhost, even after running
/usr/local/ispconfig/server/server.sh
the new certificate wont be accepted by ISPConfig and is still using the old one which expired, so my site is not working with HTTPS. Is there possibility that ISPConfig have this old certificate stored somewhere?
I also deleted content of SSL folder in my vhost but did not worked either.
Site is working with generated Let's Encrypt certificate.
I also faced the same error and I fixed it by applying the second method. I've mentioned both methods for you. Please try any to renew your SSL Certificate.
Method 1:
Create a new ISPConfig 3 SSL Certificate with OpenSSL
Login to your server on the shell as a root user. Before we create a new SSL Cert, backup the current ones. SSL Certs are security-sensitive so I'll store the backup in the /root/ folder.
# tar pcfz /root/ispconfig_ssl_backup.tar.gz /usr/local/ispconfig/interface/ssl
# chmod 600 /root/ispconfig_ssl_backup.tar.gz
Now create a new SSL Certificate key, Certificate Request (csr) and a self-signed certificate.
# cd /usr/local/ispconfig/interface/ssl
# openssl genrsa -des3 -out ispserver.key 4096
# openssl req -new -key ispserver.key -out ispserver.csr
# openssl x509 -req -days 3650 -in ispserver.csr \
-signkey ispserver.key -out ispserver.crt
# openssl rsa -in ispserver.key -out ispserver.key.insecure
# mv ispserver.key ispserver.key.secure
# mv ispserver.key.insecure ispserver.key
Restart Apache to load the new SSL Certificate.
# service apache2 restart
Method 2:
Renew the SSL Certificate with the ISPConfig installer
The alternative way to get a new SSL Certificate is to use the ISPConfig update script.
Download ISPConfig to the /tmp folder, unpack the archive and start the update script.
# cd /tmp
# wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
# tar xvfz ISPConfig-3-stable.tar.gz
# cd ispconfig3_install/install
# php -q update.php
The update script will ask the following question during the update:
Create new ISPConfig SSL certificate (yes,no) [no]:
Answer "yes" here and the SSL Certificate creation dialog will start.
Thank you!
I have followed the Amazon tutorial to install the SSL certificate on the EC2 instance. However at the end of procedure, I cannot start the HTTPD server.
My detailed steps:
Installed the module: sudo yum install -y mod24_ssl AND I tested with the local signed SSL certificate, it worked.
Generate myprivate.key and my.csr: openssl req -newkey rsa:2048 -keyout myprivate.key -out my.csr
Submit my.csr to Startcom and get the certificate file: mycertificate.pem
Put the myprivate.key in the folder: /etc/pki/tls/private/
Put the mycertificate.pem in the folder: /etc/pki/tls/certs/
Change the /etc/httpd/conf.d/ssl.conf: SSLCertificateFile /etc/pki/tls/certs/mycertificate.pem
Change the /etc/httpd/conf.d/ssl.conf:SSLCertificqteKeyFile /etc/pki/tls/private/myprivate.key
Note: I've deleted both localhost.key and localhost.crt.
Was it due to the deletion of localhost.key file?
I have updated my certificate on Gandi like this :
sudo openssl genrsa -des3 -out mywebsite.com_encrypted.key 4096
sudo openssl req -new -key mywebsite.com_encrypted.key -out mywebsite.com.csr
cd /etc/nginx/ssl/
sudo nano mywebsite.com.crt # > pasted the Gandi certificate in this file
sudo wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
sudo cat GandiStandardSSLCA.pem >> mywebsite.com.crt
sudo openssl rsa -in mywebsite.com_encrypted.key -out mywebsite.com.key
sudo chown root:root mywebsite.com.key
sudo chmod 400 mywebsite.com.key
Everything was working good with older certificate but since I updated configuration with new certificate here is is my log on nginx. I can't restart :
Nginx logs :
2015/05/12 20:53:03 [emerg] 7515#0: SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/mywebsite.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
What's wrong with process ?
Configuration of nginx is ok.
Here is my nginx configuration :
ssl on;
ssl_certificate /etc/nginx/ssl/mywebsite.com.crt;
ssl_certificate_key /etc/nginx/ssl/mywebsite.com.key;
I have no idea what you are trying to achieve. It looks like you replaced the key in /etc/nginx/ssl/mywebsite.com.key, leaving the original certificate /etc/nginx/ssl/mywebsite.com.crt unchanged (the mywebsite.com.crt certificate is still bound to the original key - and you cannot change that - public key is an integral part of X509 certificate). This is exactly what openssl is trying to tell you - you are trying to use a certificate with different private key that was originaly created with.
BTW: I also have no idea why you created a certificate request (along with the new key) and then left it unused (without actually using it to create new certificate).
I followed this tutorial by rapidssl.com how to set up their SSL certificate. I did everything according to the article, but when I try to restart nginx, I get following error:
Restarting nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/certs/website.co.private.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
I have in the /etc/nginx/certs/ directory 2 files - website.co.crt and website.co.private.key.
The content of the website.co.private.key file is the key that is generatet from the command
sudo openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
In the website.co.crt file is the certificate that I received by email by SSLRapid.com + Bundled CA Version (PEM) - so basically, there are 3 blocks of certificates.
What am I missing or what could be wrong? I've create the directory /etc/nginx/certs/ as sudo mkdir, I did it also in my previous project and it was working, but not in here.
It's causing me headache, I am fighting with this issue 2nd day already and no result so far. I'll be grateful for every help.
Thank you
Check the order that you add the parts to the bundle. Getting the wrong order will cause the error you are seeing.
This is the correct order:
cat yourdomain_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt >
yourdomain.com.pem