Installing SSL on Apache - Syntax Error in openssl.cnf - apache

I'm trying to learn how to get ssl up and running on an apache 2.4 webserver (Windows Server 2012). I had the web server and PHP up and running perfectly fine without SSL.
I generated my cert and key and placed them in C:\Apache24\conf
I modified httpd.conf in the following way:
LoadModule ssl_module modules/mod_ssl.so
Include C:/Apache24/conf/openssl.cnf
I modified c:/Apache24/conf/extra/httpd-ssl.conf in the following way:
SSLCertificateFile "c:/Apache24/conf/server.crt"
SSLCertificateKeyFile "c:/Apache24/conf/server.key"
DocumentRoot "c:/Apache24/htdocs"
Added the following System Environment Variable
Variable Name: OPENSSL_CONF
Variable Value: C:\Apache24\conf\openssl.cnf
I've hit a point where apache will not start due to the following error.
Running httpd -t in PowerShell gives the result:
: Syntax error on line 8 of C:/Apache24/conf/openssl.cnf:
Invalid command 'HOME', perhaps misspelled or defined by a module not included in the server configuration
The following are lines 6 through 9 of openssl.cnf (I have not modified this file.)
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
Any help is appreciated.
Thanks !

You are basically trying to include a third party config file inside httpd configuration, which will never yield a good result because Apache httpd will never recognize what's in there. Remove that include.
If you want to add system variables you can use the PassEnv directive from the mod_env module.
To get SSL up and running all you need is an SSL virtualhost like this:
In your server config something like:
LoadModule ssl_module modules/mod_ssl.so
<IfModule mod_ssl.c>
Listen 443
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
# perhaps these need to be adapted for Windows (there is no /dev/urandom there; "builtin" works everywhere)
# comments must sit on their own line: httpd treats a trailing # on a directive line as extra arguments
SSLRandomSeed startup file:/dev/urandom 2048
SSLRandomSeed connect file:/dev/urandom 2048
SSLSessionCache shmcb:/path/to/logs/ssl_gcache_data(512000)
</IfModule>
And the Virtualhost:
<VirtualHost *:443>
ServerName mysslvh.example.com
DocumentRoot /filesystem/path/to/docroot
CustomLog /path/to/logs/mysslvh.log combined
ErrorLog /path/to/logs/mysslvh-error.log
SSLEngine on
SSLCertificateFile /path/to/certs/mysslvh.crt
SSLCertificateKeyFile /path/to/certs/mysslvh.key
# Other stuff here
</VirtualHost>

Related

How to include SSL certificate files in Apache Server running using MAMP

I have created an SSL certificate in order to use https instead of http for localhost. The instructions I followed are here: https://medium.freecodecamp.org/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec
I still have the last step, which is to include the certificate files (server.crt and server.key) in the server.
I tried to rely on the following configuration to make it work which I got from: How to install SSL certificate in apache server in ubuntu
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
# maybe additional config here
ServerName www.example.com
SSLEngine on
SSLCertificateFile "/path/to/www.example.com.cert"
SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>
I am currently using MAMP on a Mac, with Apache as the server. I edited the file httpd.conf located in Applications/MAMP/conf/apache, and I added the following at the bottom of the file:
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
ServerName localhost:443
SSLEngine on
SSLCertificateFile "~/server.crt"
SSLCertificateKeyFile "~/server.key"
</VirtualHost>
Note that my SSL files are located in my ~ directory. I also updated the 8888 entries with 443 in this file, which are:
Listen 443
ServerName localhost:443
When I restarted the server, it fails to start again!
Here is a video providing the solution: https://www.youtube.com/watch?v=886Pea2ljm0&t=2s
IMPORTANT: If you get the following error when restarting the server from MAMP:
Apache couldn't be started. Please check your MAMP installation and
configuration.
Run the following command in the terminal and it works:
sudo /Applications/MAMP/Library/bin/apachectl start
MAMP has an extra section for SSL in the settings for hosts. No need to edit the conf files.

Reverse Proxying Tomcat Web Applications Behind Apache

I would like to create a configuration for my virtual host in my Ubuntu 14.04 LTS Profile, so I modified the file /etc/apache2/sites-available/mysite.com.conf as follows:
# domain: mysite.com
# public: /var/www/mysite.com/public_html/
<VirtualHost *:80>
# Admin email, Server Name (domain name), and any aliases
ServerAdmin webmaster@mysite.com
ServerName www.mysite.com
ServerAlias mysite.com
ProxyPass / http://139.333.222.107:8080/devices
ProxyPassReverse / http://139.333.222.107:8080/devices
# Index file and Document Root (where the public files are located)
DirectoryIndex index.html index.php
DocumentRoot /var/www/mysite.com/public_html
# Log file locations
LogLevel warn
ErrorLog /var/www/mysite.com/log/error.log
CustomLog /var/www/mysite.com/log/access.log combined
</VirtualHost>
But when I run sudo service apache2 restart , I got this error:
* Restarting web server apache2 [fail]
* The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 9 of /etc/apache2/sites-enabled/mysite.com.conf:
Invalid command 'ProxyPass', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.
You are not including mod_proxy. It depends on your install (sorry, not familiar with Ubuntu), but usually this means the following line will be in your main httpd.conf file:
#LoadModule proxy_module modules/mod_proxy.so
Remove the # so it is no longer commented out and gets loaded, then restart Apache.
This link may also help: https://askubuntu.com/questions/341684/how-to-load-the-modules-for-apache2

(98)Address already in use: make_sock: could not bind to address [::]:443

What I am trying to do is direct my website on an Amazon EC2 Instance so that I am able to open it over HTTPS. My site was running before, but with a warning that it did not have a valid certificate, using this link example https://my.site.name.edu, but now I get a "Webpage is not Available" prompt when I try to visit the site.
Please note that I have:
Installed Drupal for this testing site on a Linux server using Apache
My EC2 Instance attached to an Elastic IP
Used the steps in this guide: Creating, Uploading, and Deleting Server Certificates
Valid CA signed Apache certificates
An openssl-1.0.1f file installed in /home/ec2-user folder
Used this link to create the Virtual Host: http://ananthakrishnanravi.wordpress.com/2012/04/15/configuring-ssl-and-https-for-your-website-amazon-ec2/
Below is when the error occurred, while trying to solve the HTTPS access issue
I tried to change the ssl.conf file in this link to see if it would solve the problem: Setup an SSL certificate on an EC2 instance
I copied a new ssl.conf file, commented the old SSLCertificateKeyFile, SSLCertificateFile and SSLCertificateChainFile. I then pasted the copied, modified file into the directory after I coded the first four lines like this:
<VirtualHost 00.00.00.00:443>
SSLCertificateKeyFile /home/ec2-user/castestingapache/privatekey.pem
SSLCertificateFile /home/ec2-user/castestingapache/my_site_name_edu.pem
SSLCertificateChainFile /home/ec2-user/castestingapache/my_site_name_edu_interm.crt
But when I restarted Apache:
service httpd restart
I received this error message:
Stopping httpd: [FAILED]
Starting httpd: [Wed May 21 14:44:31 2014] [warn] module ssl_module is already loaded, skipping
(98)Address already in use: make_sock: could not bind to address [::]:443
[ OK ]
My httpd.conf is set up like this:
<VirtualHost 00.00.00.00:443> #Same as the IP in the ssl.conf#
ServerAdmin ec2-user@ec2-00-00-00-00.compute.amazonaws.com
DocumentRoot /var/www/html
ServerName https://my.site.name.edu
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
# ErrorLog logs/errorlogs
# CustomLog logs/custom
SSLCertificateFile /home/ec2-user/castestingapache/my_site_name_edu.pem
SSLCertificateKeyFile /home/ec2-user/castestingapache/privatekey.pem
SSLCertificateChainFile /home/ec2-user/castestingapache/my_site_name_edu_interm.crt
# SSLCACertificateFile /etc/httpd/conf/bundle.txt
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# CustomLog /usr/local/apache/logs/ssl_request_log \
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
EDIT: I tried reverting back to the old ssl.conf, but when I try to restart Apache it gives me the same error. THIS PROBLEM HAS BEEN SOLVED: I had to delete one of the ssl.conf files even though I had renamed it...
Update I have added this line onto the httpd.conf file:
NameVirtualHost 00.00.00.00:443
I believe the problem is that my certificates are not pointing to this IP address.
Update: I have just run the certificate installation checker test here http://ssltool.com/?action=sslCheckOpenSSL and this is what I got:
Note: IP 12-34-56-78 is my private IP address on my AWS EC2 Instance.
Any help is greatly appreciated.
Thanks,
Ugh.... the answer was in this link the whole time...
Setup an SSL certificate on an EC2 instance
This line in the ssl.conf:
<VirtualHost 00.000.000.00:443>
Had to be changed to:
<VirtualHost _default_:443>
Add the rest:
SSLCertificateKeyFile /etc/ssl/mydomain_com.key
SSLCertificateFile /etc/ssl/mydomain_com.crt
SSLCertificateChainFile /etc/ssl/mydomain_com.ca-bundle
</VirtualHost>
And voilà! Your HTTPS link should work...
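The failures on this page share a cause: httpd reads every included file as httpd directives, in order, and only knows a directive once the module that provides it has been loaded. That is why an Include of openssl.cnf yields "Invalid command 'HOME'" (first question), why ProxyPass fails without mod_proxy (the Tomcat question), why a renamed ssl.conf that still ends in .conf is picked up twice by conf.d/*.conf and binds port 443 twice (the EC2 question), and why "~/server.crt" in the MAMP question is never expanded. httpd -t reports only the first of these. The following is an added example, not part of any answer above and not Apache's own tooling: a small Python lint that walks a config tree the way httpd does and reports all of them at once. The file tree, paths and the directive-to-module table are constructed for the example (the table covers only directives used on this page), and the renamed ssl.conf is assumed to have kept a .conf suffix.

```python
import fnmatch

# Directive -> module that provides it. Only what this page uses; a real tool
# would build this table from `httpd -L` (assumption: the table is partial).
DIRECTIVE_MODULE = {
    "ProxyPass": "proxy_module", "ProxyPassReverse": "proxy_module",
    "ProxyRequests": "proxy_module", "ProxyPreserveHost": "proxy_module",
    "SSLEngine": "ssl_module", "SSLProxyEngine": "ssl_module",
    "SSLCertificateFile": "ssl_module", "SSLCertificateKeyFile": "ssl_module",
    "SSLCertificateChainFile": "ssl_module", "SSLProtocol": "ssl_module",
    "SSLCipherSuite": "ssl_module", "SSLRandomSeed": "ssl_module",
    "SSLSessionCache": "ssl_module", "PassEnv": "env_module",
}
# Core directives that need no module (again, only those used on this page).
CORE = {"Listen", "LoadModule", "Include", "IncludeOptional", "ServerName",
        "ServerAlias", "ServerAdmin", "DocumentRoot", "DirectoryIndex",
        "ErrorLog", "CustomLog", "TransferLog", "LogLevel", "NameVirtualHost"}
PATH_DIRECTIVES = {"SSLCertificateFile", "SSLCertificateKeyFile",
                   "SSLCertificateChainFile", "DocumentRoot"}


def directives(files, path, _seen=None):
    """Yield (file, lineno, name, args) for every directive reachable from `path`;
    Include globs expand over `files` alphabetically, as httpd does on disk."""
    _seen = set() if _seen is None else _seen
    if path in _seen:
        return
    _seen.add(path)
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("</"):
            continue
        if line.startswith("<"):   # section opener such as <VirtualHost *:443>
            parts = line[1:].rstrip(">").split(None, 1)
            yield path, lineno, "<" + parts[0] + ">", parts[1] if len(parts) > 1 else ""
            continue
        parts = line.split(None, 1)
        name, args = parts[0], parts[1] if len(parts) > 1 else ""
        yield path, lineno, name, args
        if name in ("Include", "IncludeOptional"):
            for target in sorted(files):
                if fnmatch.fnmatch(target, args.strip('"')):
                    yield from directives(files, target, _seen)


def lint(files, entry="conf/httpd.conf"):
    """Return a list of (file, lineno, message) findings, in httpd's parse order."""
    findings, loaded, listens = [], set(), {}
    for f, n, name, args in directives(files, entry):
        tokens = args.split()
        if name == "LoadModule" and tokens:
            if tokens[0] in loaded:       # the EC2 question's warning
                findings.append((f, n, f"module {tokens[0]} is already loaded, skipping"))
            loaded.add(tokens[0])
            continue
        if name == "Listen" and tokens:
            if tokens[0] in listens:      # second Listen on the same addr:port
                findings.append((f, n, f"Listen {tokens[0]} also at {listens[tokens[0]]}: "
                                       "make_sock: could not bind to address (EADDRINUSE)"))
            listens.setdefault(tokens[0], f"{f}:{n}")
        elif name in DIRECTIVE_MODULE and DIRECTIVE_MODULE[name] not in loaded:
            findings.append((f, n, f"Invalid command '{name}': {DIRECTIVE_MODULE[name]} is not loaded"))
        elif name not in CORE and name not in DIRECTIVE_MODULE and not name.startswith("<"):
            findings.append((f, n, f"Invalid command '{name}', perhaps misspelled or defined "
                                   "by a module not included in the server configuration"))
        if any(t.startswith("#") for t in tokens):   # httpd has no inline comments
            findings.append((f, n, f"trailing # on '{name}' becomes extra arguments"))
        if name in PATH_DIRECTIVES and tokens and tokens[0].strip('"').startswith("~"):
            findings.append((f, n, f"'{name}' path starts with ~, which httpd does not expand"))
    return findings


# Constructed sample tree reproducing the page's failures; the renamed ssl.conf is
# assumed to have kept a .conf suffix, so the conf.d glob still picks it up.
SAMPLE_TREE = {
    "conf/httpd.conf": (
        "Listen 80\n"
        "LoadModule ssl_module modules/mod_ssl.so\n"
        "Include conf/openssl.cnf\n"
        "Include conf.d/*.conf\n"
        "<VirtualHost *:80>\n"
        "    ServerName www.mysite.com\n"
        "    ProxyPass / http://127.0.0.1:8080/\n"
        "</VirtualHost>\n"),
    "conf/openssl.cnf": "# OpenSSL settings, not httpd directives\nHOME = .\nRANDFILE = $ENV::HOME/.rnd\n",
    "conf.d/ssl.conf": (
        "Listen 443\n"
        "LoadModule ssl_module modules/mod_ssl.so\n"
        "SSLRandomSeed startup builtin # adapt for Windows\n"
        "<VirtualHost _default_:443>\n"
        "    SSLEngine on\n"
        '    SSLCertificateFile "~/server.crt"\n'
        "</VirtualHost>\n"),
    "conf.d/ssl_old.conf": "Listen 443\n<VirtualHost _default_:443>\n    SSLEngine on\n</VirtualHost>\n",
}

if __name__ == "__main__":
    for f, n, msg in lint(SAMPLE_TREE):
        print(f"{f}:{n}: {msg}")
```

Running it prints seven findings for the sample tree, one per problem. On a real server the same information comes from httpd itself: `httpd -M` lists the modules actually loaded, `httpd -S` (or `apachectl -S`) dumps the parsed Listen and VirtualHost map so a doubly included ssl.conf shows up as two default vhosts on :443, and on Debian/Ubuntu the fix for the ProxyPass error is `sudo a2enmod proxy proxy_http` rather than editing httpd.conf.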

Confluence - Redirect to new name

We had confluence running in our company with the URL https://confluence:8443
We changed the domain name; let's say it is https://abc:8443. Same server, same Apache instance, and it has the new name and the cert for "abc".
It runs on Apache/Tomcat; we could not figure out how to make this conversion look seamless to the users, so we created port 80 on the same server (say, server A), installed the confluence certificate on it and created a redirect to
Now if a user goes to http://confluence, it goes to the DNS server, finds server A's IP, goes to the IIS, gets the redirect rule and goes to https://abc:8443.
If a user goes to https://abc:8443, no problems there.
but if a user goes to http://confluence:8443 (most of the users have this bookmarked), it gets the cert error.
Can anyone please suggest a way to make this work in confluence, that is tomcat/Apache?
Thanks for your time.
Thanks,
Shiyam
You have two options:
Option 1: Server Name Indication
If your client browsers all support it, you can configure your HTTPD to use Server Name Indication (SNI), which allows the client to tell the server which host it is requesting. This assumes that you already have two distinct SSL certs for "abc" and "confluence", and that you configure the appropriate SSL certificate under each VirtualHost.
Of note is that Internet Explorer on Windows XP does not support SNI, but since Windows XP has already reached End of Life, your organization hopefully no longer has any such clients.
The example from the SNI page above, for reference, is:
Listen 192.168.1.1:443
LoadModule ssl_module modules/mod_ssl.so
SSLPassPhraseDialog builtin
AcceptMutex flock
SSLSessionCache shmcb:/var/cache/httpd/mod_ssl/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
NameVirtualHost 192.168.1.1:443
<VirtualHost 192.168.1.1:443>
SSLEngine on
# the wiki example's cipher list enabled LOW, EXP and SSLv2 suites; use a modern list instead
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLCertificateFile /etc/ssl/star.example.com.crt
SSLCertificateKeyFile /etc/ssl/star.example.com.key
ServerName "one.example.com"
DocumentRoot "/var/www/html/one"
CustomLog "/var/log/httpd/one-access.log" combined
ErrorLog "/var/log/httpd/one-error.log"
<Directory /var/www/html>
AllowOverride none
Order Allow,Deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost 192.168.1.1:443>
SSLEngine on
# same replacement as in the first vhost
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLCertificateFile /etc/ssl/star.example.com.crt
SSLCertificateKeyFile /etc/ssl/star.example.com.key
ServerName "two.example.com"
DocumentRoot "/var/www/html/two"
CustomLog "/var/log/httpd/two-access.log" combined
ErrorLog "/var/log/httpd/two-error.log"
<Directory /var/www/html>
AllowOverride none
Order Allow,Deny
Allow from all
</Directory>
</VirtualHost>
Option 2: Wildcard SSL Certificate
If your server or clients do not support SNI, but "abc" and "confluence" are hosts on the same domain, you can instead get a wildcard SSL certificate.
For example, if you obtain a wildcard cert for *.example.com, your single httpd server will be able to handle HTTPS requests for both abc.example.com and confluence.example.com without error.
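As an added example, not part of the answer above and not Confluence's or Apache's code, here is a small Python model of the two options: which VirtualHost httpd picks on a shared ip:port given the SNI name (or none, for a client that cannot send one), and whether that vhost's certificate names cover the host the browser typed, using the RFC 6125 wildcard rule a browser applies (a `*` stands for exactly one left-most label). The vhost lists and hostnames are constructed; `example.com` stands in for the company domain.

```python
def wildcard_match(pattern, host):
    """RFC 6125 wildcard rule as browsers apply it: '*' may stand only for the
    whole left-most label, the label count must be equal, and a wildcard needs
    at least two labels to its right (so '*.com' is rejected)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, host):
    """True if any SAN/CN in cert_names matches host."""
    return any(wildcard_match(name, host) for name in cert_names)


def select_vhost(vhosts, sni_name):
    """Emulate httpd's choice on one ip:port: with SNI, the first vhost whose
    ServerName/ServerAlias matches wins; with no SNI (sni_name None, e.g. IE on
    Windows XP) httpd serves the first vhost on that socket regardless.
    Assumption: ServerAlias wildcards are matched with the same rule as certs."""
    if sni_name:
        for vh in vhosts:
            if any(wildcard_match(n, sni_name) for n in vh["names"]):
                return vh
    return vhosts[0]


def https_outcome(vhosts, url_host, client_sends_sni=True):
    """(ServerName of the vhost that answers, 'ok' or 'cert-mismatch') for a
    browser opening https://url_host/."""
    vh = select_vhost(vhosts, url_host if client_sends_sni else None)
    return vh["names"][0], "ok" if cert_covers(vh["cert"], url_host) else "cert-mismatch"


# Option 1: two vhosts, two certificates, selected by SNI.
VHOSTS_SNI = [
    {"names": ["abc.example.com"], "cert": ["abc.example.com"]},
    {"names": ["confluence.example.com"], "cert": ["confluence.example.com"]},
]
# Option 2: one vhost answering both names with a wildcard certificate.
VHOSTS_WILDCARD = [
    {"names": ["abc.example.com", "confluence.example.com"], "cert": ["*.example.com"]},
]

if __name__ == "__main__":
    for label, vhosts in (("SNI", VHOSTS_SNI), ("wildcard", VHOSTS_WILDCARD)):
        for host in ("abc.example.com", "confluence.example.com", "confluence"):
            print(label, host, https_outcome(vhosts, host))
        print(label, "no-SNI client", https_outcome(vhosts, "confluence.example.com", False))
```

Two things the model makes visible. A client without SNI gets the first vhost's certificate whatever it asked for, which is the XP caveat in option 1. And the bookmark in the question is the bare name `confluence`, not `confluence.example.com`: a single-label host is not covered by `*.example.com`, and public CAs no longer issue certificates for unqualified internal names, so either option only removes the warning for users who type the fully qualified name (or the short name must be in a certificate from an internal CA that the clients trust).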

apache 2.4.6 reverseproxy mod_proxy_wstunnel for secure websocket wss:// fails

I'm trying to configure Apache 2.4.6, the newest version, which supports websocket proxying.
I got the non-secure websocket connection to work as expected and the HTTPS proxy working as well (this to rule out the SSL config as the root cause), but my wss:// connection fails. While troubleshooting with Wireshark I learned that the wss:// connection is made in plain text.
Here's my apache configuration:
<VirtualHost *:4043>
ServerName cbscclrd.ca.wm.com
LogLevel debug
ErrorLog "/apps/apache/httpd-2.4.6/logs/errorSSL_log"
TransferLog "/apps/apache/httpd-2.4.6/logs/access_log"
SSLCertificateFile "/apps/FXD1D2/SSLKeyStore/sdpssl_cert-dev.cer"
SSLCertificateKeyFile "/apps/FXD1D2/SSLKeyStore/sdp-private-key-no-password.pem"
SSLCACertificateFile "/tmp/Apache-PKG/CAchain.pem"
SSLEngine on
SSLProxyEngine on
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / wss://cbscclrd.ca.wm.com:443 retry=0 keepalive=On
ProxyPassReverse / wss://cbscclrd.ca.wm.com:443 retry=0
</VirtualHost>
When the connection is initiated to wss://cbscclrd.ca.wm.com:443 it is in plaintext format, hence the server listening on "cbscclrd.ca.wm.com:443" rejects the connection with the following error message: javax.net.ssl.SSLException
Any help will be greatly appreciated.
This is a bug in mod_proxy_wstunnel. It will always send plaintext to the backend server regardless of the url scheme (ws:// or wss://).
The bug is reported here:
https://issues.apache.org/bugzilla/show_bug.cgi?id=55320
The bugfix is rather simple (and provided in the bug report). So if you really need the wss:// backend communication, you might want to apply it yourself & rebuild the module.
in Apache-2.4_server.conf
ProxyPass "/ws/" "ws://127.0.0.1:4002/"
ProxyPass "/wss/" "wss://127.0.0.1:4002/"
...
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
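As an added example (not mod_proxy_wstunnel code and not the fix from the bug report), here is Python that builds the WebSocket upgrade request a proxy forwards to its backend, computes the Sec-WebSocket-Accept value the backend must answer with (RFC 6455), and classifies the first bytes of a captured connection as a TLS handshake record or a plaintext HTTP request, which is the check the question's Wireshark session did by eye. The byte strings are constructed; `backend.example.com` is a placeholder for the backend host.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455 section 4.2.2


def ws_accept(sec_websocket_key):
    """Sec-WebSocket-Accept the backend must answer for the client's key."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def upgrade_request(host, path, key):
    """The opening handshake a proxy forwards to the backend (bytes on the wire)."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\n"
            f"Connection: Upgrade\r\nSec-WebSocket-Key: {key}\r\n"
            "Sec-WebSocket-Version: 13\r\n\r\n").encode("ascii")


def upgrade_response(key):
    """The 101 the backend must return for upgrade_request(..., key)."""
    return ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
            f"Connection: Upgrade\r\nSec-WebSocket-Accept: {ws_accept(key)}\r\n\r\n").encode("ascii")


def classify_first_bytes(data):
    """'tls' for a TLS handshake record header (type 0x16, version 3.0-3.4),
    'http' for a plaintext HTTP request line, else 'unknown'."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if any(data.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")):
        return "http"
    return "unknown"


def hop_matches_scheme(scheme, first_bytes):
    """Does what went on the wire agree with the ProxyPass scheme?"""
    expected = "tls" if scheme in ("wss", "https") else "http"
    return classify_first_bytes(first_bytes) == expected


# Constructed samples. RFC_KEY is the handshake key from RFC 6455 section 1.3.
RFC_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
# What the buggy proxy sent towards port 443: a plaintext upgrade despite wss://.
PLAINTEXT_HOP = upgrade_request("backend.example.com:443", "/", RFC_KEY)
# First bytes of a TLS ClientHello record (type 0x16, record version 0x0301).
TLS_HOP = bytes.fromhex("16030100450100004103030000")

if __name__ == "__main__":
    print("accept for RFC key:", ws_accept(RFC_KEY))
    for name, hop in (("plaintext", PLAINTEXT_HOP), ("tls", TLS_HOP)):
        print(name, "as wss backend:", "ok" if hop_matches_scheme("wss", hop) else "MISMATCH")
```

The backend in the question answered with an SSLException because it received bytes starting with `GET /` on a socket expecting a `0x16 0x03 ...` record; `hop_matches_scheme("wss", ...)` reports exactly that mismatch. The same classifier is useful in reverse, as a quick check after applying the patch or upgrading: a capture of the proxy-to-backend hop should classify as "tls" for every wss:// ProxyPass.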