Configuring ssl apache in Redhat linux - apache

I have one Apache server which is configured with SSL:
SSLCertificateFile /etc/certs/localhost.crt
SSLCertificateKeyFile /etc/private/localhost.key
Now I need to replace the certificate with a new one (provided by our department).
For that I shared the CSR and they sent back the certificate.
Now the file that they have shared is *.p7b (it contains the certificate in PEM/base64 encoded format; it is a .p7b file with the DER encoded certificate and the issuing CA certificate).
But in the Apache ssl.conf I need to provide the .crt file. How do I get the .crt files from the .p7b?

Install openssl on Red Hat Linux server / CentOS 7
Firstly we need to install httpd on our server; to install httpd, type the command below:
yum install httpd
After installing httpd, we need to install mod_ssl:
yum install mod_ssl
Now we install openssl on the server as well:
yum install openssl
After installing httpd, mod_ssl and openssl, we need to generate a key using the commands below:
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
(You can skip the prompts by pressing enter.)
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/
cp ca.csr /etc/pki/tls/private
vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
Replace by
SSLCertificateFile /etc/pki/tls/certs/ca.crt
and
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Replace by
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
httpd -t (check whether the above changes are correct or not)
vim /etc/httpd/conf/httpd.conf
Go to the bottom of the file and write
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
ServerName localhost
DocumentRoot /var/www/html
</VirtualHost>
Save & Exit
httpd -t (check whether the above changes are correct or not)
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload
service httpd restart

Related

ISPConfig won't accept new certificate

I was using a certificate which expired. I requested a new one with a new private key and request file.
But when I add the new certificate to the ISPConfig vhost, even after running
/usr/local/ispconfig/server/server.sh
the new certificate won't be accepted by ISPConfig and it is still using the old one which expired, so my site is not working with HTTPS. Is there a possibility that ISPConfig has this old certificate stored somewhere?
I also deleted the content of the SSL folder in my vhost but that did not work either.
The site is working with a generated Let's Encrypt certificate.
I also faced the same error and I fixed it by applying the second method. I've mentioned both methods for you. Please try either one to renew your SSL Certificate.
Method 1:
Create a new ISPConfig 3 SSL Certificate with OpenSSL
Log in to your server on the shell as the root user. Before we create a new SSL Cert, back up the current ones. SSL Certs are security-sensitive, so I'll store the backup in the /root/ folder.
# tar pcfz /root/ispconfig_ssl_backup.tar.gz /usr/local/ispconfig/interface/ssl
# chmod 600 /root/ispconfig_ssl_backup.tar.gz
Now create a new SSL Certificate key, Certificate Request (csr) and a self-signed certificate.
# cd /usr/local/ispconfig/interface/ssl
# openssl genrsa -des3 -out ispserver.key 4096
# openssl req -new -key ispserver.key -out ispserver.csr
# openssl x509 -req -days 3650 -in ispserver.csr \
-signkey ispserver.key -out ispserver.crt
# openssl rsa -in ispserver.key -out ispserver.key.insecure
# mv ispserver.key ispserver.key.secure
# mv ispserver.key.insecure ispserver.key
Restart Apache to load the new SSL Certificate.
# service apache2 restart
Method 2:
Renew the SSL Certificate with the ISPConfig installer
The alternative way to get a new SSL Certificate is to use the ISPConfig update script.
Download ISPConfig to the /tmp folder, unpack the archive and start the update script.
# cd /tmp
# wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
# tar xvfz ISPConfig-3-stable.tar.gz
# cd ispconfig3_install/install
# php -q update.php
The update script will ask the following question during the update:
Create new ISPConfig SSL certificate (yes,no) [no]:
Answer "yes" here and the SSL Certificate creation dialog will start.
Thank you!

High Sierra issues with unsigned SSL certificate and local curl

For several OSX versions, I've been using these tutorials to set up a local development environment, including SSL.
I've also always been able to create dynamic virtual hosts based on the folder structure like this:
# Auto-VirtualHosts with .dev
<VirtualHost *:8080>
ServerName dev
ServerAlias *.dev
CustomLog "/Users/username/Sites/logs/dev-access_log" combinedmassvhost
ErrorLog "/Users/username/Sites/logs/dev-error_log"
VirtualDocumentRoot /Users/username/Sites/%-2+
</VirtualHost>
<VirtualHost *:8443>
ServerName dev
ServerAlias *.dev
Include "/Users/username/Sites/ssl/ssl-shared-cert.inc"
CustomLog "/Users/username/Sites/logs/dev-access_log" combinedmassvhost
ErrorLog "/Users/username/Sites/logs/dev-error_log"
VirtualDocumentRoot /Users/username/Sites/%-2+
</VirtualHost>
The included SSL file there is like this:
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile "/usr/local/etc/httpd/server.crt"
SSLCertificateKeyFile "/usr/local/etc/httpd/server.key"
And to generate that certificate I run this code:
$ cd /usr/local/etc/httpd
$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt
This has always worked okay for me, locally. I can run curl successfully, and especially in WordPress development I can run cron tasks that presumably use curl.
Upon upgrading to High Sierra, I get the following error in WordPress:
There was a problem spawning a call to the WP-Cron system on your site. This means WP-Cron events on your site may not work. The problem was:
cURL error 60: SSL certificate problem: self signed certificate
And on the command line, when I run curl to a local HTTPS URL, I get this error:
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I've tried reinstalling all the items from the initial tutorial, but so far nothing has helped. I've also tried installing curl from Homebrew instead of the built-in version, but this didn't seem to have any effect. Is there something known about High Sierra that would make it more picky about this? If so, is there anything I can do to bypass this for local development?
You have to add your self-signed certificate to the curl CA certificate store.
First you have to generate the ca bundle by running the perl script stored in:
/usr/local/Cellar/curl/7.56.1/libexec/mk-ca-bundle.pl
Edit the generated file:
/usr/local/Cellar/curl/7.56.1/libexec/ca-bundle.crt
and add your self-signed certificate using the same syntax.
You can obtain the certificate with:
openssl s_client -showcerts -connect my.server.com:443
Copy everything from:
-----BEGIN CERTIFICATE-----
to
-----END CERTIFICATE-----
including the BEGIN and END lines.
Then create a file ~/.curlrc containing:
cacert /usr/local/Cellar/curl/7.56.1/libexec/ca-bundle.crt
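The procedure in this answer, as an added example that is not code from the post (it assumes the openssl CLI is installed; the function names, the site.dev and Unrelated Root names and the s_client transcript are constructed here): pull the PEM block out of s_client output, append it to a CA bundle, and prove with openssl verify that the bundle now trusts the self-signed certificate. Everything runs in a temporary directory, so the Homebrew bundle path from the answer is never touched.

```shell
#!/bin/sh
# Added example (not code from the thread above). Pulls the PEM certificate
# out of captured "openssl s_client -showcerts" output, appends it to a private
# copy of a CA bundle, and confirms with "openssl verify" that the bundle now
# trusts it. Everything lives in a temp dir; Homebrew's files are untouched.

# Keep only the PEM blocks, BEGIN and END lines included, from s_client output.
extract_certs() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# Return 0 when "openssl verify" accepts the certificate against the bundle,
# the same check an OpenSSL-linked curl performs with the file named by cacert.
trusted_by_bundle() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Self-contained demo: a throwaway self-signed cert stands in for the local
# dev server, and the s_client transcript around it is constructed, not captured.
demo_trust_self_signed() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=site.dev" \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null || return 1
    # The bundle starts with one unrelated root, so it knows nothing of site.dev.
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=Unrelated Root" \
        -keyout "$d/root.key" -out "$d/ca-bundle.crt" 2>/dev/null || return 1
    {
        echo "CONNECTED(00000003)"
        echo "depth=0 CN = site.dev"
        echo "verify error:num=18:self signed certificate"
        echo "---"
        echo "Certificate chain"
        echo " 0 s:CN = site.dev"
        echo "   i:CN = site.dev"
        cat "$d/server.crt"
        echo "---"
        echo "Server certificate"
    } > "$d/s_client.txt"
    if trusted_by_bundle "$d/ca-bundle.crt" "$d/server.crt"; then return 1; fi
    # This is the "add your certificate using the same syntax" step.
    extract_certs "$d/s_client.txt" >> "$d/ca-bundle.crt" || return 1
    trusted_by_bundle "$d/ca-bundle.crt" "$d/server.crt" || return 1
    rm -rf "$d"
    echo "RESULT=ok"
}
```

Pointing curl at the appended bundle (cacert in ~/.curlrc, or --cacert on the command line) is what makes error 60 go away; the verify step shows the bundle is correct before curl is reconfigured.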

Amazon EC2 Install SSL certificate on Apache

I have followed the Amazon tutorial to install the SSL certificate on the EC2 instance. However at the end of procedure, I cannot start the HTTPD server.
My detailed steps:
Installed the module: sudo yum install -y mod24_ssl, and I tested with the locally signed SSL certificate; it worked.
Generated myprivate.key and my.csr: openssl req -newkey rsa:2048 -keyout myprivate.key -out my.csr
Submitted my.csr to StartCom and got the certificate file: mycertificate.pem
Put myprivate.key in the folder: /etc/pki/tls/private/
Put mycertificate.pem in the folder: /etc/pki/tls/certs/
Changed /etc/httpd/conf.d/ssl.conf: SSLCertificateFile /etc/pki/tls/certs/mycertificate.pem
Changed /etc/httpd/conf.d/ssl.conf: SSLCertificateKeyFile /etc/pki/tls/private/myprivate.key
Note: I've deleted both localhost.key and localhost.crt.
Was it due to the deletion of the localhost.key file?

Can't restart nginx: https certificate routine private key mismatch

I have updated my certificate on Gandi like this:
sudo openssl genrsa -des3 -out mywebsite.com_encrypted.key 4096
sudo openssl req -new -key mywebsite.com_encrypted.key -out mywebsite.com.csr
cd /etc/nginx/ssl/
sudo nano mywebsite.com.crt # > pasted the Gandi certificate in this file
sudo wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
sudo cat GandiStandardSSLCA.pem >> mywebsite.com.crt
sudo openssl rsa -in mywebsite.com_encrypted.key -out mywebsite.com.key
sudo chown root:root mywebsite.com.key
sudo chmod 400 mywebsite.com.key
Everything was working well with the older certificate, but since I updated the configuration with the new certificate, here is my log on nginx. I can't restart:
Nginx logs :
2015/05/12 20:53:03 [emerg] 7515#0: SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/mywebsite.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
What's wrong with the process?
The configuration of nginx is OK.
Here is my nginx configuration:
ssl on;
ssl_certificate /etc/nginx/ssl/mywebsite.com.crt;
ssl_certificate_key /etc/nginx/ssl/mywebsite.com.key;
I have no idea what you are trying to achieve. It looks like you replaced the key in /etc/nginx/ssl/mywebsite.com.key, leaving the original certificate /etc/nginx/ssl/mywebsite.com.crt unchanged (the mywebsite.com.crt certificate is still bound to the original key, and you cannot change that: the public key is an integral part of an X509 certificate). This is exactly what openssl is trying to tell you: you are trying to use a certificate with a different private key than the one it was originally created with.
BTW: I also have no idea why you created a certificate request (along with the new key) and then left it unused (without actually using it to create a new certificate).
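An added example, not code from either thread, that serves the first question on this page (getting a .crt out of the .p7b a CA returns) and this nginx thread (the "key values mismatch" error): it assumes the openssl CLI is installed, and the function names, the demo.example name and the temporary files are constructed here. The key check is the same public-key comparison that fails inside SSL_CTX_use_PrivateKey_file, done before nginx or Apache is restarted.

```shell
#!/bin/sh
# Added example (not code from any post above). Converts a PKCS#7 (.p7b)
# bundle into the PEM certificate file Apache's SSLCertificateFile and
# nginx's ssl_certificate expect, and checks that a private key really
# belongs to a certificate before the web server is restarted.

# Write every certificate in a .p7b (PEM or DER encoded) to one PEM file.
p7b_to_pem() {
    src="$1"; dst="$2"
    # Try PEM first; a DER-encoded bundle fails that read, so fall back.
    openssl pkcs7 -print_certs -in "$src" -out "$dst" 2>/dev/null \
        || openssl pkcs7 -print_certs -inform DER -in "$src" -out "$dst"
}

# Return 0 when the public key in the certificate equals the public key
# derived from the private key. nginx's "key values mismatch" error is
# exactly this comparison failing inside SSL_CTX_use_PrivateKey_file.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Self-contained demo on throwaway material in a temp dir: build a key and
# self-signed cert, pack the cert into a DER .p7b the way a CA hands it back,
# convert it, then check a matching key and an unrelated one.
demo_p7b_roundtrip() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=demo.example" \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null || return 1
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null || return 1
    openssl crl2pkcs7 -nocrl -certfile "$d/server.crt" -outform DER \
        -out "$d/server.p7b" 2>/dev/null || return 1
    p7b_to_pem "$d/server.p7b" "$d/server-chain.pem" || return 1
    grep -q "BEGIN CERTIFICATE" "$d/server-chain.pem" || return 1
    # The key used for the CSR matches; a freshly generated one must not.
    key_matches_cert "$d/server-chain.pem" "$d/server.key" || return 1
    if key_matches_cert "$d/server-chain.pem" "$d/other.key"; then return 1; fi
    rm -rf "$d"
    echo "RESULT=ok"
}
```

On a real server, run key_matches_cert against the installed certificate and key paths from ssl.conf or nginx.conf; a non-zero result means the CSR was signed for a different key than the one in the key file.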

How to export the private key from a GoDaddy certificate and use it with Apache SSL

I purchased a GoDaddy certificate and installed it correctly on my Mac server, so now I see 2 entries within the Keychain application:
Go Daddy Secure Certification Authority
mydomain
mydomain (private key)
Then I added the certificate (mydomain.com) to a VirtualHost in the httpd.conf file, so:
<VirtualHost *:443>
DocumentRoot "/Library/ApacheTomcat/apache-tomcat-6.0.33/webapps/MyServerAppName"
ServerName mydomain.com
ErrorLog "/private/var/log/apache2/mydomain.com-error_log"
CustomLog "/private/var/log/apache2/mydomain.com-access_log" common
SSLCertificateFile /etc/apache2/mydomain.cer
JkMountCopy On
JkMount /* ajp13
</VirtualHost>
Then, I guess, I also need the private key file; otherwise Apache fails to handle the certificate.
How do I do this? I can save the certificates from Apple Keychain into .pem and .cer files.
In Keychain, export your private key and certificate in PKCS#12 format (.p12 file, Personal Information Exchange). You should be able to do this by expanding your private key entry (in Keychain Access), right-clicking on its certificate and using Export. It will probably ask you for a password to protect this p12 file.
Then, in the Terminal, extract the private key using OpenSSL:
umask 0077
openssl pkcs12 -in filename.p12 -nocerts -nodes -out filename-key.pem
umask 0022
Note that you should protect this file, since the private key will not be password protected (so that it can be used by Apache Httpd).
Similarly, for the certificate (although it seems you may already have it in PEM format, so you might not need this step):
openssl pkcs12 -in filename.p12 -clcerts -nokeys -out filename-cert.pem
Then, set the SSLCertificateFile (cert) and SSLCertificateKeyFile (private key) options to point to these files in your Apache Httpd configuration.
I had the same problem and I used these commands to export the private key:
umask 0077
openssl pkcs12 -in filename.p12 -nocerts -nodes -out filename-key.pem
umask 0022
and these to export the certificate:
openssl pkcs12 -in filename.p12 -clcerts -nokeys -out filename-cert.pem