High Sierra issues with unsigned SSL certificate and local curl - ssl

For several OSX versions, I've been using these tutorials to set up a local development environment, including SSL.
I've also always been able to create dynamic virtual hosts based on the folder structure like this:
# Auto-VirtualHosts with .dev
<VirtualHost *:8080>
ServerName dev
ServerAlias *.dev
CustomLog "/Users/username/Sites/logs/dev-access_log" combinedmassvhost
ErrorLog "/Users/username/Sites/logs/dev-error_log"
VirtualDocumentRoot /Users/username/Sites/%-2+
</VirtualHost>
<VirtualHost *:8443>
ServerName dev
ServerAlias *.dev
Include "/Users/username/Sites/ssl/ssl-shared-cert.inc"
CustomLog "/Users/username/Sites/logs/dev-access_log" combinedmassvhost
ErrorLog "/Users/username/Sites/logs/dev-error_log"
VirtualDocumentRoot /Users/username/Sites/%-2+
</VirtualHost>
The included SSL file there is like this:
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile "/usr/local/etc/httpd/server.crt"
SSLCertificateKeyFile "/usr/local/etc/httpd/server.key"
And to generate that certificate I run this code:
$ cd /usr/local/etc/httpd
$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt
This has always worked okay for me, locally. I can run curl successfully, and especially in WordPress development I can run cron tasks that presumably use curl.
Upon upgrading to High Sierra, I get the following error in WordPress:
There was a problem spawning a call to the WP-Cron system on your site. This means WP-Cron events on your site may not work. The problem was:
cURL error 60: SSL certificate problem: self signed certificate
And on the command line, when I run curl to a local HTTPS URL, I get this error:
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I've tried reinstalling all the items from the initial tutorial, but so far nothing has helped. I've also tried installing curl from the Homebrew version instead of the built in, but this didn't seem to have any effect. Is there something known about High Sierra that would make it more picky about this? If so, is there anything I can do to bypass this for local development?

You have to add your self-signed certificate to the curl CA certificate store.
First you have to generate the CA bundle by running the Perl script stored in:
/usr/local/Cellar/curl/7.56.1/libexec/mk-ca-bundle.pl
Edit the generated file:
/usr/local/Cellar/curl/7.56.1/libexec/ca-bundle.crt
and add your self-signed certificate using the same syntax.
You can obtain the certificate with:
openssl s_client -showcerts -connect my.server.com:443
Copy everything from:
-----BEGIN CERTIFICATE-----
to
-----END CERTIFICATE-----
including the BEGIN and END lines.
Then create a file ~/.curlrc containing:
cacert /usr/local/Cellar/curl/7.56.1/libexec/ca-bundle.crt
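The copy-and-append step from the answer above, as an added Python example (not part of the original post): it pulls each certificate block out of saved `openssl s_client -showcerts` output, computes its SHA-256 fingerprint so it can be compared with the certificate file on the server before it is trusted, and appends it to the bundle only if it is not already there. The sample output and the host name `myapp.dev` are constructed placeholders.

```python
import base64
import hashlib
import re
from pathlib import Path

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def extract_certs(text):
    """Return [(pem, sha256_fingerprint)] for each certificate block in text."""
    found = []
    for match in PEM_CERT.finditer(text):
        body = "".join(match.group(1).split())
        der = base64.b64decode(body, validate=True)  # rejects a mangled paste
        digest = hashlib.sha256(der).hexdigest().upper()
        fingerprint = ":".join(digest[i:i + 2] for i in range(0, 64, 2))
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        pem = "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                         "-----END CERTIFICATE-----"]) + "\n"
        found.append((pem, fingerprint))
    return found

def add_to_bundle(bundle_path, pem, fingerprint):
    """Append pem to the CA bundle unless that certificate is already in it."""
    bundle = Path(bundle_path)
    current = bundle.read_text(encoding="utf-8") if bundle.exists() else ""
    if fingerprint in {fp for _, fp in extract_certs(current)}:
        return False
    separator = "" if not current or current.endswith("\n") else "\n"
    with bundle.open("a", encoding="utf-8") as handle:
        handle.write(separator + pem)
    return True

# Constructed sample: the shape of `openssl s_client -showcerts` output, with
# placeholder bytes standing in for the DER certificate (not a real cert).
FAKE_DER = b"constructed placeholder, not a real X.509 certificate " * 3
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:/CN=myapp.dev\n   i:/CN=myapp.dev\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n---\n"
)

if __name__ == "__main__":
    for pem, fingerprint in extract_certs(SAMPLE_OUTPUT):
        # Compare with: openssl x509 -in server.crt -noout -fingerprint -sha256
        print("SHA256 fingerprint:", fingerprint)
```

Trusting only this one certificate in the bundle keeps curl's verification switched on for every other host.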

Related

Configuring ssl apache in Redhat linux

I have one apache server which is configured with ssl.
SSLCertificateFile /etc/certs/localhost.crt
SSLCertificateKeyFile /etc/private/localhost.key
Now I need to replace the certificate with a new one (provided by our department).
For that I shared the CSR and they sent back the certificate.
Now the file that they have shared is a *.p7b (it contains the certificate in PEM/base64 encoded format; it is a .p7b file with the DER encoded certificate and the issuing CA certificate).
But in the Apache ssl.conf I need to provide the .crt file. How do I get the .crt files from the .p7b?
Install openssl on Red Hat Linux server / CentOS 7
Firstly we need to install httpd on our server, to install httpd type the below command,
yum install httpd
After installing httpd, we now need to install mod_ssl,
yum install mod_ssl
Now we have to install openssl as well on the server,
yum install openssl
After installing httpd, mod_ssl & openssl, we need to generate key using below command,
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr (You can skip steps by pressing enter)
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/
cp ca.csr /etc/pki/tls/private
vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
Replace by
SSLCertificateFile /etc/pki/tls/certs/ca.crt
and
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Replace by
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
11. httpd -t (check whether the above changes are correct or not)
12. vim /etc/httpd/conf/httpd.conf
Go to the bottom of the file and write
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
servername localhost
Documentroot /var/www/html
</VirtualHost>
Save & Exit
13. httpd -t (check whether the above changes are correct or not)
14. firewall-cmd --permanent --add-service=https
15. firewall-cmd --permanent --add-port=443/tcp
16. firewall-cmd --reload
17. service httpd restart

Apache SSL Certificate

I have two files:
privkey.pem that starts with -----BEGIN ENCRYPTED PRIVATE KEY-----
cert.pem that starts with -----BEGIN CERTIFICATE-----
Now I should install them, but I never did this before and all related information I found (1, 2, 3) says that I need three files:
primary.crt
private.key
intermediate.crt
The file endings are different, but from what I found my .pem files are ok, too (only the content matters and I can rename the ending).
But what files do I have now? The primary and private? And do I miss some file? Or is it possible with only the two I have?
Start with this:
SSLEngine on
SSLCertificateFile /path/to/cert.crt
SSLCertificateKeyFile /path/to/privkey.crt
This should bring the site up on SSL. While this may work with some browsers, you'd require intermediate certificates for your certificate to chain up to the Root CA to ensure your site works in all browsers.
To obtain the intermediate certificates for your site, go to What's My Chain Cert? and enter your site name. This will indicate that you are missing intermediate certificates, as expected. Use the last form field on the page to generate the intermediate certs.
Use the downloaded cert chain in the SSLCertificateChainFile directive in your Apache webserver config like this:
SSLCertificateChainFile /path/to/intermediate.crt
Once done, I suggest checking your site using an online scanner such as SSL Labs server test to ensure your certificates are properly configured and that your configuration does not expose any vulnerabilities or SSL weaknesses.

certificate files for apache - crt,pem,key,p7b ... i am lost

I have a question about the certificate files and how to get a site to run on SSL.
Apache is running and SSL is built in. I am past the SSLSessionCache warning and here I am - every time the same problem - I get a mail with some files and I do not know which file is what.
I have a .key, .pem and a .p7b file and I have the VirtualHost config - how do I know which file is what?
SSLCertificateFile ?
SSLCertificateKeyFile <-- .key (I think)
SSLCertificateChainFile ?
And do I need to convert a file with openssl?
This server is an internal server and the certificate was issued in our company.
the certificate was issued in our company.
Any reason to not ask whoever issued the certificate the meaning of each file?
Apache requires the key and the certificate to be PEM-encoded. You can use this tool or OpenSSL to convert the .p7b to PEM.
It's hard to know what's inside the .pem and .key file without looking at the content. You can try to use the following OpenSSL commands to check which one does not fail:
# if it works, it's a CSR
openssl req -in file.pem -noout -text
# if it works, it's a certificate
openssl x509 -in file.pem -noout -text
# if it works, it's a private key
openssl rsa -in file.pem -noout -text
The chain file is easier to spot, because it will contain several PEM-encoded certificates listed one after the other.
Depending on the Apache version, you may or may not need the SSLCertificateChainFile directive. Newer versions require you to bundle the chain and the server certificate in a single file and pass it to SSLCertificateFile. Check your Apache version and compare it with the online documentation.
Assuming it's an old version:
SSLCertificateFile points to the server certificate file
SSLCertificateChainFile points to the intermediate certificate (if it's self-signed, you don't have them)
SSLCertificateKeyFile points to the key
If it's a newer version, ignore SSLCertificateChainFile and concatenate the server plus the chain (if any) in a single file you supply to SSLCertificateFile.
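A quick first pass over a batch of unlabeled files, as an added Python example (not part of the original answer): it reads the PEM labels in each file and reports which Apache directive the file belongs to, including the encrypted-key and CSR cases. The file names and placeholder bodies in the samples are constructed.

```python
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}

def classify(text):
    """Return (kind, advice) for one file's contents, judged by its PEM labels."""
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    certs = labels.count("CERTIFICATE")
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    if not blocks:
        return "unknown", "no PEM block; may be DER or binary PKCS#7"
    if CSR_LABELS & set(labels):
        return "csr", "a request, not a certificate; do not point Apache at it"
    if "PKCS7" in labels:
        return "pkcs7", "convert first with openssl pkcs7 -print_certs"
    if keys and certs:
        return "key+cert", "private key and certificate in one file"
    if keys:
        # PKCS#8 uses its own label; traditional keys flag encryption in a header.
        encrypted = any(
            label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
            for label, body in keys)
        if encrypted:
            return "encrypted-key", "SSLCertificateKeyFile; needs the passphrase"
        return "key", "SSLCertificateKeyFile"
    if certs == 1:
        return "certificate", "SSLCertificateFile"
    if certs > 1:
        return "chain", "SSLCertificateChainFile, or bundled into SSLCertificateFile"
    return "unknown", "unrecognised PEM labels: " + ", ".join(labels)

def pem(label, body="QUJD"):
    """Build a constructed PEM block with placeholder base64 content."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample files (placeholder bodies, not real keys or certificates).
SAMPLES = {
    "request.pem": pem("CERTIFICATE REQUEST"),
    "cert.pem": pem("CERTIFICATE"),
    "chain.pem": pem("CERTIFICATE") + pem("CERTIFICATE"),
    "privkey.pem": pem("ENCRYPTED PRIVATE KEY"),
    "legacy.key": pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\n\nQUJD"),
    "plain.key": pem("PRIVATE KEY"),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, *classify(text), sep=" | ")
```

The labels only say what a file claims to be; the `openssl req`, `openssl x509` and `openssl rsa` commands above confirm that the contents actually parse.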

openssl -connect returns wrong certificate

Here is my problem.
I have multiple domains hosted on one apache webserver. (Virtual Hosts)
Two of them (a.com and b.com) use ssl certificates.
I configured both with these commands:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/ABC.crt
SSLCertificateKeyFile /etc/apache2/ssl/ABC.key
SSLCertificateChainFile /etc/apache2/ssl/ABC.chain.crt
SSLProtocol all -SSLv2
When I try to connect via browser (Chrome, Firefox, IE) it works fine and I get the right certificate.
But on Android I got an exception: No peer certificate
Then I tried to test it with this command:
openssl s_client -connect b.com:443
It returns the certificate of a.com.
Any suggestions what I've done wrong that I get the wrong certificate with openssl and Android?
There are probably multiple hosts on the same IP address and you need to use Server Name Indication (SNI) to access this site. To use SNI with openssl s_client use the -servername option, e.g. openssl s_client -connect b.com:443 -servername a.com. As for Android: according to https://developer.android.com/training/articles/security-ssl.html SNI is supported since 2.3 for HttpsURLConnection but not for Apache HTTP Client.

Installing SSL certificate causes the server to fail when restarting

I received my certificate by email and then created the necessary files and copied it over. I went to restart my server and received the following errors.
[Wed Feb 08 13:02:06 2012] [error] Init: Unable to read server certificate from file /home/sslcertificates/mydomain.crt
[Wed Feb 08 13:02:06 2012] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Feb 08 13:02:06 2012] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
Does anyone have any ideas?
Another possible source of failure which causes this error message is:
Instead of the certificate file I linked to the certification request file.
It's recognizable when you read the first line of the file:
Either
-----BEGIN CERTIFICATE REQUEST-----
Or
-----BEGIN CERTIFICATE-----
:-)
Situation: Apache 2.4 using the StartSSL cert generating ASN encoding error
Issue:
AH02564: Failed to configure encrypted (?) private key <domain>.com:80:0, check /etc/pki/tls/certs/ssl.key
Some SSL issuers encrypt the SSL key files by default, so make sure to decrypt the key at the server and point to it from the Virtual Host.
Simply echo the key file to make sure it is not encrypted.
Decrypt the key file for the mod_ssl
openssl rsa -in ssl.key -out ssl.key
For SSL config in the Apache conf (httpd.conf) add the following configurations and restart the Apache.
# SSL
<VirtualHost *:443>
ServerName gajen.com
SSLCertificateKeyFile /etc/pki/tls/certs/ssl.key
SSLCertificateFile /etc/pki/tls/certs/ssl.crt
SSLCertificateChainFile /etc/pki/tls/certs/root.ca.pem
</VirtualHost>
For troubleshooting:
Debug Apache first: tail -n 50 /var/log/httpd/error_log
Debug mod_ssl: tail -n 50 /var/log/httpd/ssl_error_log
In my case I had the certificates mixed: SSLCertificateFile had the private_key and SSLCertificateKeyFile had the cert.
Leaving this here since it's the first Google search result for the error: This can also be caused when you install a new passphrase-protected certificate and just reload the Apache configuration (rather than restart Apache completely). The reload itself will not throw any errors but it also will not ask for your passphrase and is unable to decrypt the certificate.
It can be resolved by restarting Apache completely, which will ask for the passphrase and allow you to decrypt.
Problem solved by recreating the *.key file and copy-pasting the content again.
Or you first need to disable the old password auto-input.
Comment out a rule like:
#SSLPassPhraseDialog exec:/etc/ssl/passphrase-script
Recently during SSL installation in Apache 2.4, we faced the same error - 'asn1 encoding routines'
We had placed all the files correctly and pointed to them correctly in the .conf file. After a day of troubleshooting, we realized the issue was not with the configuration after we got the certificate.
We created the Certificate Signing Request (CSR) using our vendor's inbuilt system. This allowed us to paste the key we created. The SSL certificate which the vendor returned was supposed to map to this CSR, which was mapped to our private key. Apparently it did not match. The SSL certificate they provided does not map to the CSR.
Possible reason
The key-to-CSR transformation is wrong at the vendor side due to Unix line endings (\n instead of \r\n) / encoding (ANSI/UTF8) / expected new lines.
We created CSR ourselves using OpenSSL, and bypassed vendor CSR generation. It worked. So, in our case, creating the key and corresponding CSR using OpenSSL and using that to generate the public SSL worked.
OpenSSL Command
openssl req -new -sha256 -key ~/site.com.ssl/site.com.key -out ~/site.com.ssl/site.com.csr
I had this problem because I was sent the content of an IIS-style .p7b file pasted into an email. It has "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" tags, just like .pem, and the content uses a similar looking base64 encoding. I converted it to a *.pem file like so:
openssl pkcs7 -print_certs -in cert.p7b -out cert.cer
After that, Apache 2.2 was happy.
(Linux Solution) This has been posted a long time ago - but I have another way to troubleshoot this problem: Change the error logging to a more verbose mode by editing /etc/apache2.conf and find this block:
#
# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn
and change LogLevel to something lower - I chose trace1. Then restart apache:
sudo service apache2 restart
I received the same error message but when I went to the error log in /var/log/apache2/error.log there were many more error messages to help troubleshoot the problem. I was able to determine I was pointing the key file descriptor to the wrong file.
Be sure to change the apache2.conf back to warn and restart the apache2 service after troubleshooting to keep your error.log file from becoming too large.