I run an Ubuntu (17.04) server that is hosting multiple sites. One of the sites I'm hosting now is an eCommerce site and needs an SSL certificate. I've gone through many different tutorials and I've followed every step but when I go to the site with HTTPS I'm just getting an error page.
The domain name in the screenshots below is fake.
First I bought the SSL certificate from Comodo. They requested the CSR from the server so I generated it using this command:
openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
I pasted the CSR and generated the CRT without issue. Now I have the CRT from Comodo and updated my vhost for a secure connection:
<VirtualHost *:443>
ServerAdmin test@test.com
ServerName www.domain.com
ServerAlias domain.com
DirectoryIndex index.php
DocumentRoot /var/www/html/domain
SSLEngine on
SSLCertificateFile /etc/ssl/certs/www_domain_com.crt
SSLCertificateKeyFile /etc/ssl/private/domain_com.key
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
I then ran:
a2enmod ssl
And finally restarted apache. Now when I go to the site I'm only seeing this error page:
Looking at the apache error log the only hint to what might be wrong is the below message:
[Thu Aug 17 16:42:42.746221 2017] [mpm_prefork:notice] [pid 19871] AH00169: caught SIGTERM, shutting down
[Thu Aug 17 16:42:42.836087 2017] [ssl:warn] [pid 22306] AH01909: 2001:4802:7801:103:be76:4eff:fe20:7c04:443:0 server certificate does NOT include an ID which matches the server name
[Thu Aug 17 16:42:42.874200 2017] [ssl:warn] [pid 22316] AH01909: 2001:4802:7801:103:be76:4eff:fe20:7c04:443:0 server certificate does NOT include an ID which matches the server name
[Thu Aug 17 16:42:42.878354 2017] [mpm_prefork:notice] [pid 22316] AH00163: Apache/2.4.25 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Thu Aug 17 16:42:42.878374 2017] [core:notice] [pid 22316] AH00094: Command line: '/usr/sbin/apache2'
Any help would really be appreciated. This is the first time this server has had an SSL website so maybe I am missing a step with openSSL or something.
Your first mistake is buying a certificate from Namecheap. I just recently had similar problems getting their crt to work. It wasn't until I decided to go with Let's Encrypt and used their certbot to generate the SSL certificate that I was able to resolve the problem. I cannot prove this, but I suspect there is a problem with Namecheap's bundling tool which builds the signed certificate.
Let's Encrypt is a completely free open source project to solve your HTTPS needs. I also have multiple virtual hosts and got up and running with Let's Encrypt in minutes.
https://letsencrypt.org/
My company has just provided us SSL certificates that I had to attempt to install and configure using Apache2.4 on a Windows Server 2019.
I created a folder called "certs" within the conf folder on Apache24.
Within the certs folder, I have the following certs:
MYCOMPANY_Intermediate.cer
MYCOMPANY_Root.cer
mycompany_name_com.cer
private.cer
private.key
I have updated the httpd-ssl.conf file to include the certs, as follows:
<VirtualHost _default_:443>
DocumentRoot "D:/htdocs"
ServerName mycompany.name.com:443
ServerAdmin mycompany@email.com
ErrorLog "${SRVROOT}/logs/error-ssl.log"
TransferLog "${SRVROOT}/logs/access-ssl.log"
# SSL Engine Switch:
SSLEngine on
# Server Certificate:
SSLCertificateFile "${SRVROOT}/conf/certs/mycompany_name_com.cer"
# Server Private Key:
SSLCertificateKeyFile "${SRVROOT}/conf/certs/private.key"
# Server Certificate Chain:
SSLCertificateChainFile "${SRVROOT}/conf/certs/MYCOMPANY_Intermediate.cer"
</VirtualHost>
Back in the httpd.conf file, when I include the following:
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
Apache fails to restart.
Within the error log, the only thing noticeable that I am finding is maybe this:
[Sat Jan 23 10:56:32.453519 2021] [mpm_winnt:notice] [pid 8552:tid 772] AH00455: Apache/2.4.46 (Win64) mod_authnz_sspi/0.1.1 OpenSSL/1.1.1h PHP/7.4.12 configured -- resuming normal operations
[Sat Jan 23 10:56:32.453519 2021] [mpm_winnt:notice] [pid 8552:tid 772] AH00456: Apache Lounge VS16 Server built: Oct 2 2020 11:45:39
[Sat Jan 23 10:56:32.453519 2021] [core:notice] [pid 8552:tid 772] AH00094: Command line: 'C:\\Apache24\\bin\\httpd.exe -d C:/Apache24'
[Sat Jan 23 10:56:32.463520 2021] [mpm_winnt:notice] [pid 8552:tid 772] AH00418: Parent: Created child process 17204
[Sat Jan 23 10:56:33.684738 2021] [ssl:warn] [pid 17204:tid 808] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Sat Jan 23 10:56:33.729741 2021] [mpm_winnt:notice] [pid 17204:tid 808] AH00354: Child: Starting 64 worker threads.
As you will see, there are no errors, just warnings. I do not know why Apache is failing to restart, and I really need to get this to work.
Edit
In the Event Viewer, under Windows Logs, under System, I see the following error:
The Apache2.4 service terminated with the following service-specific error:
Incorrect function.
I also see an event ID number 7024. I am not sure what that means.
I found my problem...
A typo.
Yup, it was a typo.
In the httpd-ssl.conf file, this part:
# Server Certificate:
SSLCertificateFile "${SRVROOT}/conf/certs/mycompany_name_com.cer"
mycompany_name_com.cer was misspelled.
thecompany_name_com.cer is the correct spelling.
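A check for the kind of typo described above, as an added example that is not part of the original post: it lists every SSL*File directive in a config file whose target cannot be read. The function name `missing_ssl_files` and the optional server-root argument used to expand `${SRVROOT}` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: report SSL certificate/key directives that point at files
# which do not exist or cannot be read.
# usage: missing_ssl_files CONF [SERVER_ROOT]
#   SERVER_ROOT replaces ${SRVROOT} and is prefixed to relative paths
#   (use forward slashes, e.g. C:/Apache24).
missing_ssl_files() {
    awk -v root="$2" '
        /^[ \t]*#/ { next }                           # skip comment lines
        tolower($1) ~ /^ssl(ca)?certificate(key|chain)?file$/ {
            directive = $1
            path = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", path)     # drop the directive name
            sub(/[ \t\r]+$/, "", path)                # drop trailing whitespace
            gsub(/^"|"$/, "", path)                   # drop surrounding quotes
            p = index(path, "${SRVROOT}")
            if (p) {
                path = substr(path, 1, p - 1) root substr(path, p + 10)
            } else if (root != "" && path !~ /^(\/|[A-Za-z]:)/) {
                path = root "/" path
            }
            printf "%d\t%s\t%s\n", FNR, directive, path
        }' "$1" |
    while IFS="$(printf '\t')" read -r line directive path; do
        [ -r "$path" ] ||
            printf '%s:%s: %s -> %s is missing or unreadable\n' \
                "$1" "$line" "$directive" "$path"
    done
}
```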
I have replaced the certificate and private key to renew my SSL certificate on my Linux server. This is for APACHE by the way. I am positive I am using the right private key, and in the ssl.config file, I have directed the path to the correct places.
i.e - SSLCertificateFile & SSLCertificateKeyFile.
But I still get this error below:
" AH01909: RSA certificate configured for hostname:443 does NOT include an ID which matches the server name
[Wed May 20 21:17:33.432341 2020] [ssl:emerg] [pid 2607] AH02238: Unable to configure RSA server private key
[Wed May 20 21:17:33.432366 2020] [ssl:emerg] [pid 2607] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch"
What could I be missing?
@Oluwatobi Elugbadebo. It sounds like you have used the wrong hostname to generate the certificates. Not knowing your environment, I cannot comment further. However, I would recommend using Let's Encrypt / Certbot for free SSL and very minimal setup to turnkey add SSL to any apache2 hosted domain. It will handle everything related to the cert and modification of apache files.
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-centos-7
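The "key values mismatch" error in the log above means the public key inside the certificate is not the one that belongs to the configured private key. The following added example (not part of the original posts) compares the two with openssl before Apache is restarted; the function names are assumptions, and the key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: do a certificate and a private key belong together?
# usage: cert_key_match CERT.pem KEY.pem
# returns 0 = match, 1 = mismatch, 2 = a file could not be parsed
cert_key_match() {
    # Public key embedded in the certificate (SubjectPublicKeyInfo, PEM).
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # Public key derived from the private key, in the same encoding.
    # Assumes an unencrypted key, as produced by "openssl req -nodes".
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# After a renewal several key files are often lying around. Print the first
# candidate key that fits the certificate.
# usage: find_key_for_cert CERT.pem KEY.pem...
find_key_for_cert() {
    cert=$1; shift
    for key in "$@"; do
        if cert_key_match "$cert" "$key"; then
            printf '%s\n' "$key"
            return 0
        fi
    done
    return 1
}
```

A mismatch after a renewal usually means the new certificate was issued from a CSR made with a different key than the one SSLCertificateKeyFile points to.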
I am observing the following issue:
Apache2 was compiled with the following flags:
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--host=arm-cortexa9-linux-gnueabi \
--build=i686-host-linux-gnu \
--includedir=/usr/include/apache2 \
--enable-ssl \
--with-ssl \
--enable-ssl-staticlib-deps \
--enable-mods-static="headers rewrite gd log_config mime alias actions unixd access_compat authn_core authz_core cgi ssl http2" \
--with-apr=/opt/PHYTEC_BSPs/PTXDist/platform-phyFLEX-i.MX6/sysroot-target/usr/bin/apr-1-config \
--with-apr-util=/opt/PHYTEC_BSPs/PTXDist/platform-phyFLEX-i.MX6/sysroot-target/usr/bin/apu-1-config \
BUILDCC=/usr/bin/gcc \
--with-mpm=prefork
This leads to a binary that has the following modules compiled in
Compiled in modules:
core.c
mod_authn_core.c
mod_authz_core.c
mod_access_compat.c
mod_so.c
http_core.c
mod_mime.c
mod_log_config.c
mod_headers.c
mod_ssl.c
mod_http2.c
prefork.c
mod_unixd.c
mod_cgi.c
mod_actions.c
mod_alias.c
mod_rewrite.c
The ports.conf enables listening on port 443 and 80:
Listen 80
<IfModule ssl_module>
Listen 443
</IfModule>
The simplest configuration for a site is the following:
<VirtualHost *:443>
<IfModule ssl_module>
SSLEngine On
SSLCertificateFile /etc/ssl/certs/cert.crt
SSLCertificateKeyFile /etc/ssl/private/key.pem
</IfModule>
</VirtualHost>
We will use the second port 80 for an automated redirect to the https page. For the problem at hand the corresponding VirtualHost is not necessary.
Actually a request to the https page (https://192.168.2.3:443) is working if Listen 80 is removed from ports.conf. That means that the ssl support is properly compiled into the binary. If both Listen directives are present in the ports.conf the request to the https page (https://192.168.2.3:443) remains without a response. Not even an ERR_* response.
Several different searches regarding ports, apache2, ssl did not help to narrow the problem down. The same configuration with a standard apache2 binary works flawlessly. Increasing the LogLevel to debug gives for both aforementioned scenarios the same output:
[ssl:info] [pid 1583025418028449792] [client 192.168.2.82:51478] AH01964: Connection to child 0 established (server localhost:443)
[ssl:debug] [pid 9122084304870461440] ssl_engine_kernel.c(2143): [client 192.168.2.82:51478] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[ssl:debug] [pid 9122084442309416064] ssl_engine_kernel.c(2143): [client 192.168.2.82:51478] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[core:debug] [pid 4294967296] protocol.c(1893): [client 192.168.2.82:51478] AH03155: select protocol from , choices=h2,http/1.1 for server localhost
[ssl:debug] [pid 7159351466806950200] ssl_engine_kernel.c(2042): [client 192.168.2.82:51478] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[ssl:debug] [pid 3905800881399477553] ssl_engine_kernel.c(366): [client 192.168.2.82:51478] AH02034: Initial (No.1) HTTPS request received for child 0 (server localhost:443)
[authz_core:debug] [pid 3358932565584236] mod_authz_core.c(809): [client 192.168.2.82:51478] AH01626: authorization result of Require all denied: denied
[authz_core:debug] [pid 30064771072] mod_authz_core.c(809): [client 192.168.2.82:51478] AH01626: authorization result of <RequireAny>: denied
[authz_core:error] [pid 30064771072] [client 192.168.2.82:51478] AH01630: client denied by server configuration: /var/www/
[ssl:debug] [pid 2113123909637] ssl_engine_io.c(1033): [client 192.168.2.82:51478] AH02001: Connection closed to child 0 with standard shutdown (server localhost:443)
Has anybody an idea if maybe a module should be added to the binary? Any help would be very much appreciated.
Set ac_cv_o_nonblock_inherited=no in the configuration options of the APR package.
Cross compiling causes multiple Listen directives to not work properly
I am trying to add SSL certificates from Comodo Security Services on Apache/2.4.10 (Debian) OpenSSL/1.0.1k server.
For configuration:
SSLEngine on
SSLCertificateKeyFile /etc/ssl/24-06-2016/private.key
SSLCertificateFile /etc/ssl/24-06-2016/account_veedo_ru_2017_06_24.crt
SSLCertificateChainFile /etc/ssl/24-06-2016/intermediate.crt
I've got an error after the Apache2 restart:
[Thu Jun 30 07:39:20.895631 2016] [ssl:emerg] [pid 4614] AH02561: Failed to configure certificate account.veedo.ru:443:0, check /etc/ssl/24-06-2016/account_veedo_ru_2017_06_24.crt
[Thu Jun 30 07:39:20.895688 2016] [ssl:emerg] [pid 4614] SSL Library Error: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
AH00016: Configuration Failed
For configuration:
SSLCertificateKeyFile /etc/ssl/24-06-2016/private.key
SSLCertificateFile /etc/ssl/24-06-2016/account_veedo_ru_2017_06_24.crt
SSLCACertificateFile /etc/ssl/24-06-2016/intermediate.crt
The error is:
[Thu Jul 07 18:22:21.423776 2016] [ssl:emerg] [pid 14180] AH02562: Failed to configure certificate account.veedo.ru:443:0 (with chain), check /etc/ssl/24-06-2016/account_veedo_ru_2017_06_24.crt
[Thu Jul 07 18:22:21.423826 2016] [ssl:emerg] [pid 14180] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
AH00016: Configuration Failed
What is wrong? How can I check my certificates? Please help!
The seller wrote me that there was an extra line feed symbol in the certificate. It is fixed now and works correctly.
There is a line at the end of the crt file that should be removed, just before ---- end ...
Really annoying.
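The "PEM lib" errors above come from the certificate file failing to parse, and both replies trace it to a stray line inside the file. The following added example (not part of the original posts) is a structural check that reports the line number of anything between the BEGIN and END markers that is not base64; the function name `pem_lint` is an assumption.

```shell
#!/bin/sh
# Added example: structural lint for a PEM file (certificate, chain or key).
# Prints "file:line: problem" for each defect; exit status 1 if any was found.
# usage: pem_lint FILE
pem_lint() {
    awk '
    function bad(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; errs++ }
    { sub(/\r$/, "") }                       # tolerate CRLF line endings
    /^-----BEGIN [A-Z0-9 ]+-----$/ {
        if (inside) { bad("BEGIN before the previous block was closed") }
        inside = 1; want = $0; sub(/BEGIN/, "END", want); next
    }
    /^-----END [A-Z0-9 ]+-----$/ {
        if (!inside) { bad("END without a matching BEGIN") }
        else if ($0 != want) { bad("END label differs from BEGIN label") }
        else { blocks++ }
        inside = 0; next
    }
    !inside { next }                         # text outside blocks is ignored
    /^$/ { bad("blank line inside PEM block"); next }
    /^[ \t]|[ \t]$/ { bad("leading or trailing whitespace"); next }
    !/^[A-Za-z0-9+\/]+=*$/ { bad("line is not base64") }
    END {
        if (inside) { print FILENAME ": missing END line"; errs++ }
        if (!blocks) { print FILENAME ": no complete PEM block found"; errs++ }
        exit (errs > 0)
    }' "$1"
}
```

A file that passes can still hold a damaged certificate; `openssl x509 -in FILE -noout` confirms that OpenSSL itself can parse it.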
I'm using XAMPP and started Apache but I cannot access my site over HTTPS.
I get the following error:
[Wed Aug 20 08:05:33.208723 2014] [ssl:warn] [pid 3784:tid 256] AH01909: RSA certificate configured for www.example.com:443 does NOT include an ID which matches the server name
[Wed Aug 20 08:05:33.746774 2014] [ssl:warn] [pid 3784:tid 256] AH01909: RSA certificate configured for www.example.com:443 does NOT include an ID which matches the server name
[Wed Aug 20 08:05:33.825871 2014] [mpm_winnt:notice] [pid 3784:tid 256] AH00455: Apache/2.4.7 (Win32) OpenSSL/1.0.1e PHP/5.5.6 configured -- resuming normal operations
[Wed Aug 20 08:05:33.825871 2014] [mpm_winnt:notice] [pid 3784:tid 256] AH00456: Apache Lounge VC11 Server built: Nov 21 2013 20:13:01
[Wed Aug 20 08:05:33.825871 2014] [core:notice] [pid 3784:tid 256] AH00094: Command line: 'c:\xampp\apache\bin\httpd.exe -d C:/xampp/apache'
[Wed Aug 20 08:05:33.830753 2014] [mpm_winnt:notice] [pid 3784:tid 256] AH00418: Parent: Created child process 4452
[Wed Aug 20 08:05:35.148052 2014] [ssl:warn] [pid 4452:tid 268] AH01909: RSA certificate configured for www.example.com:443 does NOT include an ID which matches the server name
Below is a snippet from my httpd-ssl.conf file:
# SSL Virtual Host Context
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "C:/xampp/htdocs"
ServerName www.example.com:443
ServerAdmin admin@example.com
ErrorLog "C:/xampp/apache/logs/error.log"
TransferLog "C:/xampp/apache/logs/access.log"
</VirtualHost>
What am I doing wrong and how can I fix it?
[Wed Aug 20 08:05:33.208723 2014] [ssl:warn] [pid 3784:tid 256] AH01909: RSA certificate configured for www.example.com:443 does NOT include an ID which matches the server name
This means there might be a server name of foo.example.com but the certificate is for bar.example.com only. In that situation, while Apache might try to serve such a certificate, the browsers will not accept it when accessing https://foo.example.com, for instance.
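To see the situation behind AH01909 for a given certificate, the following added example (not part of the original answer) checks each ServerName and ServerAlias value against the certificate with `openssl x509 -checkhost` and prints the names it does not cover. The function names are assumptions, and a certificate that cannot be read reports every name as uncovered.

```shell
#!/bin/sh
# Added example: which ServerName/ServerAlias values does a certificate cover?

# List the DNS names in the certificate's subjectAltName extension.
cert_san_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if the certificate is valid for the host name in $2.
# openssl prints "Hostname <name> does match certificate" on success and
# "... does NOT match certificate" otherwise.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep 'does match certificate' >/dev/null
}

# Print every given name that the certificate does not cover.
# usage: uncovered_names CERT.pem NAME...
uncovered_names() {
    cert=$1; shift
    for name in "$@"; do
        name=${name%:*}      # "www.example.com:443" -> "www.example.com"
        cert_covers_host "$cert" "$name" || printf '%s\n' "$name"
    done
}
```

Pass the ServerName and all ServerAlias values of the virtual host; any name printed needs a certificate that includes it or should be removed from the host.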
The server name used in Apache (httpd.conf) must be the same as the server name in Apache (httpd-ssl.conf), e.g. if in Apache (httpd.conf) it is ServerName localhost:8080, then in Apache (httpd-ssl.conf) it should be like this: ServerName www.example.com:8080
Try to install a newer version, not the latest version
Backup all databases and code
Uninstall XAMPP
Install newer version
That should be fixed.
https://sourceforge.net/projects/xampp/
In file "httpd-ssl.conf", setting:
SSLEngine on (default)
change Off to SSLEngine setting.