INSTALL AND CONFIGURE SSL ON APACHE 2.4.1 (freebsd) - apache

It's been days and I still haven't gotten to the bottom of this.
I already have certificates.
I would like to know where to place them, and what files to edit / create to run the site in https.
Thanks to everyone

On FreeBSD, look at SSLCertificateChainFile in file /usr/local/etc/apache24/extra/httpd-ssl.conf
Uncomment the two lines:
SSLCertificateFile "/usr/local/etc/apache24/server.crt"
SSLCertificateKeyFile "/usr/local/etc/apache24/server.key"
Put the certificate and the private key in the corresponding files.

Related

Does Apache keep holding a key file open when mod_ssl is enabled?

I was testing my httpd config on a CentOS-like OS, and found a "weird" error, AH02574: Init: Can't open server private key file, in one of the VirtualHosts, while the other one doesn't produce any error.
In my config file, the same SSL cert is referred to by both (two) virtual hosts, and of course the private key file is also shared. httpd fails to start with this config. When I dig into the log, I find that one virtual host (example.com) config does not produce any error, while the other vhost (sub.example.com, at later lines in ssl.conf) can't read the key file. I suspect this is because the file was already opened by the program, and hence stays on hold, preventing it from being opened again. If this is the case, how should I solve it? A simple solution that comes to my mind is to duplicate the key file, but I have doubts about the security risk.
To give a better idea, below is a sample config:
<VirtualHost *:443>
ServerName example.com
# ... some other config
SSLCertificateFile "/path/to/ssl.crt"
SSLCertificateKeyFile "/path/to/ssl.key"
</VirtualHost>
<VirtualHost *:443>
ServerName sub.example.com
# ... some other config
SSLCertificateFile "/path/to/ssl.crt"
SSLCertificateKeyFile "/path/to/ssl.key"
</VirtualHost>
As per the answer given by Jimmy, you can include sudo at the beginning of the command as below. I had also spent some 2 hours battling the same error, but this helped me:
sudo restorecon -RvF /etc/ssl/keyfile
After running the command, it should show as in the image attached. Then you can restart the Apache service.
[1]: https://i.stack.imgur.com/uipI4.png
Although I had a different problem, this answer also resolved mine!
Here is the solution provided by that answer:
restorecon -RvF /path/to/key_file

How to configure Apache to use these files for SSL?

I know this looks like an old question, but my situation is that I have different file names from what I expected and from what I see in the actual Apache2 configuration, so I need a more precise answer, if possible.
I got these files from my SSL cert provider:
DigiCert_Global_Root_G2.crt
mydomain.it.crt
mydomain.it.csr
mydomain.it.key
mydomain.it.pfx
RapidSSL_TLS_RSA_CA_G1.crt
Actually, my Apache is configured as:
SSLCertificateKeyFile /etc/apache2/ssl-conf/mydomain.it.key
SSLCertificateFile /etc/apache2/ssl-conf/mydomain.it.cer
SSLCertificateChainFile /etc/apache2/ssl-conf/intermediate.cer
I don't know which file to associate with each item.
Well, keyfile is, obviously, the .key.
But which is the right .crt for CertificateFile and which for CertificateChainFile?
EDIT
I read https://www.ssl247.it/support/install/apache and I think I must use mydomain.it.crt as SSLCertificateFile.
My last doubt is: what is the equivalent of intermediate.cer in my situation?
SSLCertificateKeyFile /etc/apache2/ssl-conf/mydomain.it.key
SSLCertificateFile /etc/apache2/ssl-conf/mydomain.it.crt
SSLCertificateChainFile /etc/apache2/ssl-conf/intermediate.crt
Where intermediate.crt is created by concatenating the contents of DigiCert_Global_Root_G2.crt and RapidSSL_TLS_RSA_CA_G1.crt.
Also, please remember that extensions do not matter; they are just for the convenience of the human user/administrator. Only the content matters.
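The question above is really "which of these .crt files is my certificate and which ones form the chain?", and the answer is in the files' contents, not their names: the leaf is the one whose Subject CN is your domain, and the chain is the certificate whose Subject equals the leaf's Issuer, then that one's issuer, and so on up to a self-signed root. The following is an added example written for this page, not the CA's tooling or code from the answer: it reads just enough DER to pull the Subject and Issuer CN out of each certificate and orders the files accordingly. The three SAMPLE_FILES are constructed, unsigned toy certificates that only reuse the file names from the question; they are not real DigiCert or RapidSSL certificates.

```python
"""Find the leaf certificate and build the chain file by following issuer links.

Added example for this page. subject_issuer() walks real DER certificates too;
the SAMPLE_FILES below are constructed toy certificates (no keys, no signatures).
"""
import base64

CN_OID = b"\x55\x04\x03"  # id-at-commonName, OID 2.5.4.3


def der(tag, content):
    """Encode one DER TLV (definite length, up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def children(body):
    """Split the content of a constructed DER value into [(tag, content), ...]."""
    out, pos = [], 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:  # long form: the next N bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out


def common_name(name_body):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }; return the CN value."""
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            oid, value = children(atv)
            if oid[1] == CN_OID:
                return value[1].decode("utf-8")
    return None


def subject_issuer(cert_der):
    """Return (subject CN, issuer CN) of a DER-encoded certificate."""
    tbs = children(children(cert_der)[0][1])[0][1]  # Certificate -> tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:  # [0] EXPLICIT version, present in v3 certificates
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    return common_name(fields[4][1]), common_name(fields[2][1])


def pem_to_der(text):
    """Strip the PEM armour of a single certificate and base64-decode it."""
    body = text.split("-----BEGIN CERTIFICATE-----")[1].split("-----END CERTIFICATE-----")[0]
    return base64.b64decode("".join(body.split()))


def build_chain(files, hostname):
    """files: {filename: DER bytes}. Return (leaf_file, [chain files, leaf's issuer first]).

    Walks issuer links and stops at a self-signed certificate (the root).
    SSLCertificateChainFile only needs the intermediates; the root is harmless if included.
    """
    info = {f: subject_issuer(d) for f, d in files.items()}
    leaf = next(f for f, (subj, _) in info.items() if subj == hostname)
    chain, current = [], leaf
    while info[current][0] != info[current][1]:  # not self-signed yet
        issuer = info[current][1]
        parent = next((f for f, (s, _) in info.items() if s == issuer and f != current), None)
        if parent is None:  # issuer not among the files we were given
            break
        chain.append(parent)
        current = parent
    return leaf, chain


# --- constructed toy certificates (assumption: only the CN fields matter here) ---
def _name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))))


def toy_cert(subject_cn, issuer_cn):
    """Unsigned, v3-shaped certificate: enough structure for subject_issuer()."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + _name(issuer_cn) + validity + _name(subject_cn))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))


SAMPLE_FILES = {  # constructed: file names from the question, toy contents
    "mydomain.it.crt": toy_cert("mydomain.it", "RapidSSL TLS RSA CA G1"),
    "RapidSSL_TLS_RSA_CA_G1.crt": toy_cert("RapidSSL TLS RSA CA G1", "DigiCert Global Root G2"),
    "DigiCert_Global_Root_G2.crt": toy_cert("DigiCert Global Root G2", "DigiCert Global Root G2"),
}

if __name__ == "__main__":
    leaf, chain = build_chain(SAMPLE_FILES, "mydomain.it")
    print("SSLCertificateFile       ->", leaf)
    print("SSLCertificateChainFile  <- concatenate:", " + ".join(chain))
```

On real files, load each .crt with `pem_to_der(open(path).read())` and feed the resulting dict to `build_chain`; the first file it returns is your SSLCertificateFile and the rest, concatenated in the order given, is the chain file.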

AWS SSL Installed but not working

I just got a Comodo free SSL trial, and uploaded the SSL to my EC2 instance using the AWS CLI, then changed the listener in the load balancer to the new SSL, but when I run an SSL checker it still shows the previous self-signed certificate, which causes the browser warning when accessing the website. I have googled for hours trying to find an answer and followed everything regarding updating the SSL, but still no luck.
OK, I had to figure it out myself, since it was the first time I had to install an SSL certificate on an AWS server, and I thought I would post the answer in case someone else is going through the same issue.
I got my SSL from Comodo, which provides 2 files (file.crt & file.ca-bundle). I went through the load balancer to change my SSL first; not 100% sure if it is a required step, but I would recommend doing it, so you would need the three SSL files (name.key, "which is the one you submitted to your SSL provider", name.crt and name.ca-bundle).
1- In my case I was using an Ubuntu instance with apache2; you will need to create a new ssl directory in /etc/apache2 (e.g. /etc/apache2/ssl).
2- Upload all three files to the new directory.
3- Navigate to /etc/apache2/sites-enabled and edit ssl-enabled.conf as follows:
<VirtualHost *:443>
DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>
4- Restart your apache2 service and you should be good to go.
Hope that was helpful.

Untrusted certificate - Apache & StartSSL

Trying to set up SSL on Apache (on AWS Linux). Firefox gives me these details in its nastygram:
The certificate is not trusted because it is self-signed.
The certificate is only valid for ip-###-##-#-##
I'm currently working under the assumption that this is a problem with the ChainFile or CA cert, quite possibly because I don't have the correct info in httpd.conf. Can you comment on the code below or let me know where else to look for the error?
httpd.conf:
<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName https://###-##-#-##
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /home/ec2-user/StartSSLcert.pem
SSLCertificateKeyFile /home/ec2-user/StartSSLkey.pem
SSLCertificateChainFile /home/ec2-user/sub.class1.server.sha1.ca.pem
SSLCACertificateFile /home/ec2-user/ca.pem
</VirtualHost>
This page has been my primary reference: http://www.startssl.com/?app=21. However, it includes many lines of code not in other examples I've found online, with no description of what they do.
I've been guessing and checking between the example above and a simpler example like: http://www.sslshopper.com/apache-server-ssl-installation-instructions.html
Everything I try is either untrusted by Firefox or I get errors when restarting Apache. Ideas?
By default, the SSL settings in:
/etc/httpd/conf.d/ssl.conf
override the corresponding block in:
/etc/httpd/conf/httpd.conf
When using AWS you need to edit ssl.conf.
"The certificate is only valid for ip-###-##-#-##"
Credit due here:
Cannot setup SSL keys on my apache server in AWS EC2
If your server has more than one IP address, replace the * with the IP address inside "".
See: http://httpd.apache.org/docs/2.4/mod/core.html#virtualhost
What's more, make sure you create your private key and CSR correctly.
See: https://library.linode.com/security/ssl-certificates/commercial#sph_create-a-certificate-signing-request
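Several of the configs posted on this page fail for reasons that are visible in the text of the <VirtualHost> block itself: a block with no address (httpd refuses to start), SSLEngine missing, cert or key directives absent, an SSLProtocol of "all -SSLv2" that still admits SSLv3, or a cipher string that enables RC4. The linter below is an added example written for this page (not Apache's own `apachectl configtest`, which should still be run); it parses only the directives used in the threads above. SAMPLE_CONFIG is constructed to mirror the blocks from the AWS and StartSSL posts, and the third block is a clean one for contrast.

```python
"""Lint the TLS-relevant directives of Apache <VirtualHost> blocks.

Added example for this page; SAMPLE_CONFIG is constructed from the blocks in the threads above.
"""
import re

VHOST_RE = re.compile(r"<VirtualHost\b([^>]*)>(.*?)</VirtualHost>", re.I | re.S)


def parse_vhosts(config_text):
    """Return [(address_spec, {directive: [values]})], one entry per block.

    Apache directive names are case-insensitive ("SSLENGINE on" is valid),
    so keys are lower-cased; values keep their case and lose surrounding quotes.
    """
    vhosts = []
    for m in VHOST_RE.finditer(config_text):
        directives = {}
        for raw in m.group(2).splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # blank line or comment
            parts = line.split(None, 1)
            value = parts[1].strip().strip('"') if len(parts) > 1 else ""
            directives.setdefault(parts[0].lower(), []).append(value)
        vhosts.append((m.group(1).strip(), directives))
    return vhosts


def lint_tls_vhosts(config_text):
    """Return [(block_label, code, message)] for every problem found."""
    findings = []
    for addr, d in parse_vhosts(config_text):
        label = f"<VirtualHost {addr}>" if addr else "<VirtualHost>"
        problems = []
        if not addr:
            problems.append(("no-address", "address spec missing; httpd refuses to start, use '*:443'"))
        elif not re.search(r":\d+$", addr):
            problems.append(("no-port", "no port in address spec; a TLS host normally needs ':443'"))
        if not any(v.lower() == "on" for v in d.get("sslengine", [])):
            problems.append(("sslengine-off", "SSLEngine is not 'on'; this port would serve plain HTTP"))
        for key in ("sslcertificatefile", "sslcertificatekeyfile"):
            if key not in d:
                problems.append((f"missing-{key}", f"{key} not set; mod_ssl cannot start this host"))
        if "servername" not in d:
            problems.append(("no-servername", "ServerName missing; needed to select this host by SNI"))
        for proto in d.get("sslprotocol", []):
            tokens = proto.lower().split()
            if any(t in ("all", "+all") for t in tokens) and "-sslv3" not in tokens:
                problems.append(("sslv3-allowed", "SSLProtocol 'all' without '-SSLv3' leaves SSLv3 "
                                 "negotiable on OpenSSL builds that still ship it"))
        for suite in d.get("sslciphersuite", []):
            if any("rc4" in c.lower() and not c.startswith("!") for c in suite.split(":")):
                problems.append(("rc4-enabled", "SSLCipherSuite enables RC4, a broken stream cipher"))
        findings.extend((label, code, msg) for code, msg in problems)
    return findings


SAMPLE_CONFIG = """\
# constructed sample: the first two blocks mirror configs posted in the threads above
<VirtualHost>
  DocumentRoot /var/www/html2
  ServerName www.yourdomain.com
  SSLEngine on
  SSLCertificateFile /path/to/your_domain_name.crt
  SSLCertificateKeyFile /path/to/your_private.key
  SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

<VirtualHost *:443>
  DocumentRoot /var/www/html
  ServerName https://###-##-#-##
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
  SSLCertificateFile /home/ec2-user/StartSSLcert.pem
  SSLCertificateKeyFile /home/ec2-user/StartSSLkey.pem
</VirtualHost>

<VirtualHost www.mydomain.com:443>
  ServerName www.mydomain.com
  SSLENGINE on
  SSLCertificateFile /etc/pki/tls/private/server.crt
  SSLCertificateKeyFile /etc/pki/tls/private/server.key
  SSLCertificateChainFile /etc/pki/tls/private/server.ca-bundle
</VirtualHost>
"""

if __name__ == "__main__":
    for label, code, msg in lint_tls_vhosts(SAMPLE_CONFIG):
        print(f"{label}: [{code}] {msg}")
```

Point it at the file that actually holds your TLS block (on Red Hat style systems that is /etc/httpd/conf.d/ssl.conf, as the answer above notes) with `lint_tls_vhosts(open(path).read())`; an empty list means none of the checks fired, not that the certificate itself is valid.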

Cannot setup SSL keys on my apache server in AWS EC2

I have an EC2 instance on AWS, with an Apache server.
I purchased an SSL certificate from Comodo and installed the following files in /etc/pki/tls/private/:
server.ca-bundle server.crt server.key
I also added the following lines to /etc/httpd/conf/httpd.conf:
<VirtualHost www.mydomain.com:443>
ServerName www.mydomain.com
DocumentRoot "/var/www/html"
SSLENGINE on
SSLCertificateFile /etc/pki/tls/private/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCertificateChainFile /etc/pki/tls/private/server.ca-bundle
</VirtualHost>
and restarted the http server.
But when trying to access my site through https://www.mydomain.com there is a certificate error warning (but if I continue through the warning, the site shows well).
I checked with ssltool.com and got:
The site tested www.mydomain.com is NOT the same as the Subject CN ip-10-203-65-225!
Needless to say, the key file was created with my domain name (CN=www.mydomain.com) and not with the name containing the IP.
When I enter "hostname" in the unix shell, I indeed get 'ip-10-203-65-225', which is something that Amazon gave it automatically. But even if I change it (in /etc/sysconfig/network) it is still seen as ip-10-203-65-225.
On the other hand, the same problem is seen without installing the keys: even if I remove those lines from httpd.conf and remove the key files, the browsers warn about a certificate error, as if there is a self-signed certificate, and with the same error on ssltool.com. So it seems that it's not that my key files are invalid but rather that the server doesn't use them at all...
I'm totally confused. Please can anybody help?
For some reason, none of the pages I visited while seeking the answer mentioned that the above lines should be in
/etc/httpd/conf.d/ssl.conf
and not in
/etc/httpd/conf/httpd.conf
(and not inside a <VirtualHost> section)
Your certificate was issued to a Common Name (CN) matching the hostname of your EC2 instance. You need to create a new CSR using the correct hostname and go through the entire process again. When you generate the new CSR, be sure to change the CN rather than accept the default.
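The ssltool.com message quoted above ("is NOT the same as the Subject CN ip-10-203-65-225") is the name-matching step of certificate validation. The following is an added example written for this page, not ssltool.com's checker or anything from the answers: it implements the rule browsers apply, where DNS Subject Alternative Names are consulted first, the Subject CN only counts when the certificate carries no DNS SANs, and a wildcard covers exactly one left-most label. The identities used at the bottom are constructed from the names in the question.

```python
"""Check whether a certificate's names cover the hostname a client will ask for.

Added example for this page; the sample identities in the demo are constructed.
"""


def certificate_identities(subject_cn, san_dns=()):
    """Names the certificate is valid for, in the order clients consult them.

    DNS SANs take precedence; the CN is only a fallback when there are none.
    """
    if san_dns:
        return list(san_dns)
    return [subject_cn] if subject_cn else []


def name_matches(pattern, hostname):
    """RFC 6125 style matching, case-insensitive, ignoring a trailing dot.

    '*.example.com' matches 'www.example.com' but not 'example.com'
    and not 'a.b.example.com'; anything else must match exactly.
    """
    host = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        head = host[:-len(suffix)] if host.endswith(suffix) else ""
        return head != "" and "." not in head
    return pattern == host


def hostname_covered(subject_cn, hostname, san_dns=()):
    """True if any identity the certificate carries matches the requested hostname."""
    return any(name_matches(n, hostname) for n in certificate_identities(subject_cn, san_dns))


if __name__ == "__main__":
    # Constructed cases: the EC2 default hostname the question ran into, and the fix.
    for cn, san, host in [("ip-10-203-65-225", (), "www.mydomain.com"),
                          ("www.mydomain.com", (), "www.mydomain.com"),
                          ("*.mydomain.com", (), "mydomain.com"),
                          ("ip-10-203-65-225", ("www.mydomain.com",), "www.mydomain.com")]:
        verdict = "covered" if hostname_covered(cn, host, san) else "NOT covered"
        print(f"CN={cn!r} SAN={list(san)} vs {host}: {verdict}")
```

The last constructed case shows why a CA-issued certificate with a proper SAN works even when the CN is odd, and the first one reproduces the question's failure: with no SANs the CN is all a client has, and ip-10-203-65-225 will never equal www.mydomain.com, so only a new CSR with the right name fixes it.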