ERR_SSL_PROTOCOL_ERROR After Installing SSL - apache

I am on a very newby level when it comes to AWS and SSL.
I got an SSL from GoDaddy. After that I generated the .csr file on AWS and I got an elastic IP. I created a subdomain on godaddy sub.mydomain.com that points to that IP.
I installed the certs following the instructions a found online, but now I get an error. I've tried installing apache2 on the EC2 and rebooting the instance but no luck yet.
Is there a way to remove the SSL cert or Fix the issue? When I got the SSL from GoDaddy, the zip had 2 files and ran the following command to install them:
sudo java -jar lib/ace.jar import_cert gd_bundle-g2-g1.crt gdroot-g2.crt sfroot-g2.crt 54581acbeba8a74e.crt
System said the certs were installed but now as I get that error, on the EC2 we have a unifi controller and we want to get that SSLrunning to accept payments for the hotspot.

I had the same issues my controller is hosted on an EC2 instance.
Check your system.properties which sits in /var/lib/unifi/ open the file with vim or your text editor of choice.
Have a look at your HTTPS options, the important ones are the ciphers and protocols.
The Protocols you need are TLSv1 and potentially SSLv2Hello there should be no other SSL protocols in there.
The Ciphers you ideally want are TLS, so for example TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA
If you are having issues throw them all in, CAUTION! only use this in a demo /test environment.
unifi.https.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
Remember once you have edited the system.properties you need to restart the controller.
sudo service unifi restart
Lots of help on the Unifi page
UniFi - SSL Certificate Error
UniFi - Explaining the config.properties File
UniFi - system.properties File Explanation

Related

Trying to set up SSL/TLS certificate on Debian Apache AWS Lightsail instance by following tutorial, but still not working

By "not working" I mean the page loads with an http:// prefix. If I manually type https:// it times out. I'm hoping that someone who has done this before can glance at the tutorials and see what might be missing.
The tutorials I've tried all tend to be the same:
https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-debian-8
https://wiki.debian.org/Self-Signed_Certificate
If I test the SSL connection with an online utility such as:
https://www.sslshopper.com/ssl-checker.html
I get this error:
No SSL certificates were found on mywebsite.com. Make sure that the name resolves to the correct server and that the SSL port (default is 443) is open on your server's firewall.
Relevant info:
$ sudo uname -a
Linux ip-172-26-14-207 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64 GNU/Linux
Running in an AWS Lightsail instance with Debian (OS only) and LAMP stack installed.
Solved it! After using nmap, wget, telnet, etc. to verify that port 443 was open locally but not externally, I remembered that my AWS Lightsail instance was a virtual private server and I might need to configure the VPS. Sure enough, in the Lightsail web interface there is a firewall setting.
Lightsail landing page > Manage instance > Networking > Firewall

ssl for aws EC2 Flask application

I have registered a free domain name from freenom.com and added nameservers from AWS route53. Now my domain <blabla>.ga successfully redirects to EC2 python flask server. But I really can't figure out how to add ssl by using lets encrypt. I am following the link https://ivopetkov.com/b/let-s-encrypt-on-ec2/ for SLLifying my ec2.after running letsencrypt-auto I add domain names and press enter, then I get
[ec2-user#ip-172-31-40-218 letsencrypt]$ cd /opt/letsencrypt/
[ec2-user#ip-172-31-40-218 letsencrypt]$ ./letsencrypt-auto
Requesting to rerun ./letsencrypt-auto with root privileges...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): iotserver.ga www.iotserver.ga
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for iotserver.ga
http-01 challenge for www.iotserver.ga
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
A similar question is asked here, but I've already done most part explained in both of the answers. Can anyone assist me on what I am missing here ?
try following tutorials:
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
https://www.digitalocean.com/community/tutorials/how-to-deploy-a-flask-application-on-an-ubuntu-vps
Make sure that you able to access said web app without https, then try to install SSL. As I can see you are getting following error
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
There must be some configuration issue. Please debug it and let me know.

Mattermost TLS issue

I'm having issues with TLS enabling in Mattemost. In my server I configured a lot of virtualHosts plus the mattermost files. In http everything was working fine.
Today I tried to setup TLS and https. I followed the instuctions as in https://docs.mattermost.com/install/config-tls-mattermost .html. Now I get this:
Please notice the error: I'm trying to access domain1.mywebsite.com and the error is "its security certificate is signed by domain2.mywebsite.com". domain2.mywebsite.com is one of the websites configured as virtualhosts in apache.
I did not configure any virtualhost for Mattermost, since I don't thing any is needed (and it worked flawlessly without one, and without TLS). But how can I tell mattermost (or the browser?) that the server of domain2.mywebsite.com is the same of domain1.mywebsite.com?
I generated the certificates using letsencrypt with the standalone option (sudo certbot certonly --standalone -d domain1.mywebsite.com) and didn't move any file, just enabled "UseLetsEncrypt": true, in config.json file.
Do you happen to have any idea about how I could fix this?
Thank you
Marco
You'll need to configure TLS on Apache. You'll needs to use separate certificates for each virtual host.
Here is information that might help you: https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
Don't configure TLS on Mattermost if TLS is being handled by the proxy.

Maven 3.0.5 refuses our updated nexus certificate

When running maven 3.0.5 our (newly swapped, apache proxy hosted) https certificate for Nexus is rejected with error:
hostname in certificate didn't match: <new.domain.com> != <*.old.domain.com> OR ..
This does not happen with earlier maven version (e.g. 3.0.3) and I noticed that the fix for 3.0.5 seem to match my problem: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0253
I've reviewed the certificate via Chrome etc and it seems fine. Running maven in debug (-X) doesn't give me much more information.
(I know it's boarder-lining to an Apache/Nexus question).
Also - this is a wildcard SSL certificate used by several other services, also proxied by the same Apache instance.
Any ideas?
Ok. Problem solved.
After reading up on Apache HTTPS and virtual hosts along with a crash course in HTTP proxies I got it.
Simply put: Apache cannot support multiple virtual hosts with different SSL certificates. This is because the Host-header used to proxy request is encrypted so we're in a hen-or-the-egg-situation.
We had Apache our configured like this as we wanted to re-directs from our old domain to the new one. In this situation Apache simply uses the certificate set up for the first virtual host: https://wiki.apache.org/httpd/NameBasedSSLVHosts
So why did Chrome get the correct certificate? Well - it appears that Chrome (and Apache) support an TLS extension which sends the host-name un-encrypted in the Client Hello (eg the 1st SSL message). Hence Apache knows which virtual host (eg Certificate) to send back.
Problem solved.
We will now set up our new domains virtual hosts 1st and our old re-directs last. This will enabled clients with the TLS extension to work 100% meanwhile it will enable the other clients to work for our new domain.

The command heroku ssl says my domains have no certificate installed

I just want to say that this is not normally something I do, but I have been tasked with it recently...
I have followed the heroku documentation for setting up SSL closely, but I am still encountering a problem.
I have added my cert to heroku using the following command:
heroku certs:add path_to_crt path_to_key
This part seems to work. I receive a message saying:
Adding SSL Endpoint to my_app ... done
I have also setup a CNAME for my hosting service to point to the endpoint associated with the cert command above. However, when I browse to the site I still receive a SSL error. It says my certificate isn't trusted and points to the *.heroku.com license, not the one I have just uploaded.
I have noticed that when I execute the following command:
heroku ssl
I receive the following:
my_domain_name has no certificate
My assumption is that there should be a certificate associated with this domain at this point.
Any ideas?
Edit: It appears that I did not wait long enough for the certificate stuff to trickle through the internets... however, my question regarding the "heroku ssl" command still puzzles me.
The Heroku ssl command is for legacy certificates:
$ heroku ssl -h
Usage: heroku ssl
list legacy certificates for an app
The command you need is heroku certs which will output the relevant certificate info for that project.