i would like to install squid proxy with SSL bump, i am working on my Virtual lab and once everything is ok i will Test it on the real network.
i already created i directory for the cert and generated the cert as below:
#Generate Private Key
openssl genrsa -out MSY.com.private 2048
# Create Certificate Signing Request
openssl req -new -key MSY.com.private -out MSY.com.csr
# Sign Certificate
openssl x509 -req -days 3652 -in MSY.com.csr -signkey MSY.com.private -out
MSY.com.cert
then i fill the info and put the 'Common Name' something other than the domain or server_name. in addition, please find the below lines from the squid configuration file:
http_port 3128
#the problem is with the below line
ssl-bump cert=/etc/squid/ssl_cert/MSY.com.cert
key=/etc/squid/ssl_cert/MSY.com.private generate-host-certificates=on
version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
# SSL Bump Config
ssl_bump stare all
ssl_bump bump all
and its not working and if i remove the SSL bump certificate line from the configuration, the proxy works but without SSL. my questions can we eliminate SSL-bump from configuration and can i manually copy the certificate to the client/user machine and added to his/her Internet browser.
thanks
Related
I have set up a LAMP server with phpmyadmin. I have apache2 configured (through the Headers mod) to only allow SSL connections, but this is keeping me from accessing phpmyadmin on the LAN. When I setup a subdomain and LetsEncrypt cert I have no problem accessing phpmyadmin (phpmyadmin.example.com), but if I try to access it from the LAN or on the server itself, I can't do so securely, so I can't log in.
Well, on the actual server I can just jam https://localhost/phpmyadmin into the browser and accept the insecure connection warning, but that doesn't work when using a different computer on the LAN (https://server-name/phpmyadmin). I'm not crazy about having phpmyadmin accessible to the outside, even with password protection.
Is there a way to establish a secure connection on a LAN, or do I need some way to exempt the /phpmyadmin folder from the SSL requirement? Can this be done for LAN connections only?
You have to access the URL using the same hostname which was provided as CN or SAN during certificate generation.
Since you want to access the application locally using localhost and any CA will not sign your certificate which has CN value localhost, you need to live with slef sign certificate generated against localhost and import to your keystore.
Command to generate self-signed certificate against localhost:
openssl req -x509 -out localhost.crt -keyout localhost.key \
-newkey rsa:2048 -nodes -sha256 \
-subj '/CN=localhost' -extensions EXT -config <( \
printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
Here is an article on the same.
I was using certificate which expired. I requested new one with new private key and request file.
But when I add new certificate to ISPConfig vhost, even after running
/usr/local/ispconfig/server/server.sh
the new certificate wont be accepted by ISPConfig and is still using the old one which expired, so my site is not working with HTTPS. Is there possibility that ISPConfig have this old certificate stored somewhere?
I also deleted content of SSL folder in my vhost but did not worked either.
Site is working with generated Let's Encrypt certificate.
I also faced the same error and I fixed it by applying the second method. I've mentioned both methods for you. Please try any to renew your SSL Certificate.
Method 1:
Create a new ISPConfig 3 SSL Certificate with OpenSSL
Login to your server on the shell as a root user. Before we create a new SSL Cert, backup the current ones. SSL Certs are security-sensitive so I'll store the backup in the /root/ folder.
# tar pcfz /root/ispconfig_ssl_backup.tar.gz /usr/local/ispconfig/interface/ssl
# chmod 600 /root/ispconfig_ssl_backup.tar.gz
Now create a new SSL Certificate key, Certificate Request (csr) and a self-signed certificate.
# cd /usr/local/ispconfig/interface/ssl
# openssl genrsa -des3 -out ispserver.key 4096
# openssl req -new -key ispserver.key -out ispserver.csr
# openssl x509 -req -days 3650 -in ispserver.csr \
-signkey ispserver.key -out ispserver.crt
# openssl rsa -in ispserver.key -out ispserver.key.insecure
# mv ispserver.key ispserver.key.secure
# mv ispserver.key.insecure ispserver.key
Restart Apache to load the new SSL Certificate.
# service apache2 restart
Method 2:
Renew the SSL Certificate with the ISPConfig installer
The alternative way to get a new SSL Certificate is to use the ISPConfig update script.
Download ISPConfig to the /tmp folder, unpack the archive and start the update script.
# cd /tmp
# wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
# tar xvfz ISPConfig-3-stable.tar.gz
# cd ispconfig3_install/install
# php -q update.php
The update script will ask the following question during the update:
Create new ISPConfig SSL certificate (yes,no) [no]:
Answer "yes" here and the SSL Certificate creation dialog will start.
Thank you!
I have Tomcat-Apache set up to serve my application using 443(Apache).
Configured Apache for root certificate and key for enabling HTTPS access for my application.
On server i had to install this certificate to user personal store for HTTPS access.
Problem is if client wants to access he needs to manually install the certificate first. These are self signed certificates generated via openSSL.
openssl req -new -x509 -days 1024 -key ca.key -out ca.crt -config openssl.cnf
Is there a way to configure Apache, or install certificate in another store for client to trigger auto installation of certificate while accessing the site?
I have updated my certificate on Gandi like this :
sudo openssl genrsa -des3 -out mywebsite.com_encrypted.key 4096
sudo openssl req -new -key mywebsite.com_encrypted.key -out mywebsite.com.csr
cd /etc/nginx/ssl/
sudo nano mywebsite.com.crt # > pasted the Gandi certificate in this file
sudo wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
sudo cat GandiStandardSSLCA.pem >> mywebsite.com.crt
sudo openssl rsa -in mywebsite.com_encrypted.key -out mywebsite.com.key
sudo chown root:root mywebsite.com.key
sudo chmod 400 mywebsite.com.key
Everything was working good with older certificate but since I updated configuration with new certificate here is is my log on nginx. I can't restart :
Nginx logs :
2015/05/12 20:53:03 [emerg] 7515#0: SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/mywebsite.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
What's wrong with process ?
Configuration of nginx is ok.
Here is my nginx configuration :
ssl on;
ssl_certificate /etc/nginx/ssl/mywebsite.com.crt;
ssl_certificate_key /etc/nginx/ssl/mywebsite.com.key;
I have no idea what you are trying to achieve. It looks like you replaced the key in /etc/nginx/ssl/mywebsite.com.key, leaving the original certificate /etc/nginx/ssl/mywebsite.com.crt unchanged (the mywebsite.com.crt certificate is still bound to the original key - and you cannot change that - public key is an integral part of X509 certificate). This is exactly what openssl is trying to tell you - you are trying to use a certificate with different private key that was originaly created with.
BTW: I also have no idea why you created a certificate request (along with the new key) and then left it unused (without actually using it to create new certificate).
I've installed HAPRoxy 1.5-dev19, adn I am trying to bind using SSL.
I generated openssl certs in /etc/ssl/certs keys and validated that they are there and look good, and updated haproxy.cfg as below:
openssl req -nodes -x509 -newkey rsa:2048 -keyout /etc/ssl/certs/private.key -out /etc/ssl/certs/cert.pem -days 2000
frontend XRE
bind *:9045 ssl crt /etc/ssl/certs/private.key
But I still get:
parsing [/etc/haproxy/haproxy.cfg:48] : 'bind :443' : unable to load SSL certificate from PEM file '/etc/ssl/certs/private.key'.
Proxy 'haproxyLoopback': no SSL certificate specified for bind ':443' at [/etc/haproxy/haproxy.cfg:48] (use 'crt').
Your help is appreciated,
Many thanks,
Charlie
You are pointing the wrong file. It should be like this:
frontend XRE bind *:9045 ssl crt /etc/ssl/certs/cert.pem