I have followed the Amazon tutorial to install the SSL certificate on the EC2 instance. However, at the end of the procedure, I cannot start the HTTPD server.
My detailed steps:
Installed the module: sudo yum install -y mod24_ssl, and I tested with the locally signed SSL certificate; it worked.
Generate myprivate.key and my.csr: openssl req -newkey rsa:2048 -keyout myprivate.key -out my.csr
Submit my.csr to Startcom and get the certificate file: mycertificate.pem
Put the myprivate.key in the folder: /etc/pki/tls/private/
Put the mycertificate.pem in the folder: /etc/pki/tls/certs/
Change the /etc/httpd/conf.d/ssl.conf: SSLCertificateFile /etc/pki/tls/certs/mycertificate.pem
Change the /etc/httpd/conf.d/ssl.conf: SSLCertificqteKeyFile /etc/pki/tls/private/myprivate.key
Note: I've deleted both localhost.key and localhost.crt.
Was it due to the deletion of localhost.key file?
I was using a certificate which expired. I requested a new one with a new private key and request file.
But when I add new certificate to ISPConfig vhost, even after running
/usr/local/ispconfig/server/server.sh
the new certificate won't be accepted by ISPConfig, and it is still using the old one which expired, so my site is not working with HTTPS. Is there a possibility that ISPConfig has this old certificate stored somewhere?
I also deleted the content of the SSL folder in my vhost, but that did not work either.
Site is working with generated Let's Encrypt certificate.
I also faced the same error and I fixed it by applying the second method. I've mentioned both methods for you. Please try either one to renew your SSL certificate.
Method 1:
Create a new ISPConfig 3 SSL Certificate with OpenSSL
Login to your server on the shell as a root user. Before we create a new SSL Cert, backup the current ones. SSL Certs are security-sensitive so I'll store the backup in the /root/ folder.
# tar pcfz /root/ispconfig_ssl_backup.tar.gz /usr/local/ispconfig/interface/ssl
# chmod 600 /root/ispconfig_ssl_backup.tar.gz
Now create a new SSL Certificate key, Certificate Request (csr) and a self-signed certificate.
# cd /usr/local/ispconfig/interface/ssl
# openssl genrsa -des3 -out ispserver.key 4096
# openssl req -new -key ispserver.key -out ispserver.csr
# openssl x509 -req -days 3650 -in ispserver.csr \
-signkey ispserver.key -out ispserver.crt
# openssl rsa -in ispserver.key -out ispserver.key.insecure
# mv ispserver.key ispserver.key.secure
# mv ispserver.key.insecure ispserver.key
Restart Apache to load the new SSL Certificate.
# service apache2 restart
Method 2:
Renew the SSL Certificate with the ISPConfig installer
The alternative way to get a new SSL Certificate is to use the ISPConfig update script.
Download ISPConfig to the /tmp folder, unpack the archive and start the update script.
# cd /tmp
# wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
# tar xvfz ISPConfig-3-stable.tar.gz
# cd ispconfig3_install/install
# php -q update.php
The update script will ask the following question during the update:
Create new ISPConfig SSL certificate (yes,no) [no]:
Answer "yes" here and the SSL Certificate creation dialog will start.
Thank you!
I just started to learn programming and tried to install SSL on my site.
I used a 90-day free trial SSL from Comodo and it worked well.
I purchased a new SSL from Comodo and generated a CSR on the server (in my PuTTY terminal).
My site is WordPress run by Bitnami on AWS.
The error message is that my site name is mismatched.
https://www.ssllabs.com/ssltest/analyze.html?d=www.cheeselab.co.kr#whyNotTrusted
How could I solve this problem? I tried to re-install it from scratch, but I don't know what I have to do.
Below are the commands I ran:
sudo openssl genrsa -out /opt/bitnami/apache2/conf/server.key 2048
sudo openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr
sudo nano /opt/bitnami/apache2/conf/cert.csr
sudo nano /opt/bitnami/apache2/conf/cert2.crt
sudo nano /opt/bitnami/apache2/conf/bitnami/bitnami.conf
renamed the file from server.crt to cert2.crt
(the above commands worked well)
sudo /opt/bitnami/ctlscript.sh restart apache
but I get the error message below with the above command:
Invalid command 'sudo', perhaps misspelled or defined by a module not included in the server configuration apache config test fails, aborting Monitored apache
I have set up a docker registry using harbor.
I have copied the appropriate certificates into /usr/share/local/ca-certificates and run sudo update-ca-certificates with success (it indicated the number of newly added certs).
When trying to login to the specific registry:
ubuntu@master1:/home/vagrant$ docker login my.registry.url
Username: pkaramol
Password:
Error response from daemon: Get https://my.registry.url/v2/: x509: certificate signed by unknown authority
However the following test succeeds:
openssl s_client -connect my.registry.url:443 -CApath /etc/ssl/certs/
...coming back with a lot of verbose output, the certificate itself, and ending in:
Verify return code: 0 (ok)
curl also succeeds against the above https link (it fails when the site is not trusted).
Any suggestions?
If you read the documentation
Use self-signed certificates
Warning: Using this along with basic authentication requires also trusting the certificate in the OS cert store for some versions of Docker (see below)
This is more secure than the insecure registry solution.
Generate your own certificate:
$ mkdir -p certs
$ openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt
Be sure to use the name myregistrydomain.com as a CN.
Use the result to start your registry with TLS enabled.
Instruct every Docker daemon to trust that certificate. The way to do this depends on your OS.
Linux: Copy the domain.crt file to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt on every Docker host. You do not need to restart Docker.
See the link below for more details
https://docs.docker.com/registry/insecure/#use-self-signed-certificates
I've set up an internal pypi server for internal projects.
It's hosted at https://<USER>:<PASS>@<INTERNAL>/pypi with a self-signed certificate.
I can get pip to use this repository in addition to the central pypi server using extra-index-url in ~/.pip/pip.conf. As the certificate for my server is self-signed, and pip isn't using the system-wide (keychain) certificates, I've made it aware of it using cert = ... in the config file:
extra-index-url = https://<USER>:<PASS>@<INTERNAL>/pypi
cert = /path/to/cert.pem
Now, whenever I install something using pip install, I get a warning that the certificate can't be verified for https://pypi.python.org:
$ pip install <PACKAGE-NAME>
Collecting <PACKAGE-NAME>
Could not fetch URL https://pypi.python.org/simple/<PACKAGE-NAME>/:
There was a problem confirming the ssl certificate: [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) -
skipping
Is there any way to tell pip to use the self-signed certificate only for the extra-index-url repository?
Pip uses its own certificate bundle (a file) that can be found by running:
python -m pip._vendor.requests.certs
The bundle is just a file with certificates concatenated, one after another. We want to tell pip to use those AND our certificate,
so generate a new file using
cat $(python -m pip._vendor.requests.certs) /path/to/my/cert.pem > /path/to/my/bundle.pem
and make sure your .pip/pip.conf file contains something along these lines:
[global]
extra-index-url = https://user:pass@my-pypi.com
cert = /path/to/my/bundle.pem
Finally, you might want to periodically update /path/to/my/bundle.pem (in a cronjob or whatever).
Other notes
I also got the following error:
SubjectAltNameWarning: Certificate for my-pypi.com has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
Normally, you'd create a certificate something like:
openssl req -new -x509 -nodes -key my.key -out cert.csr -days 365
Instead, copy your openssl.cnf (possibly in /etc/pki/tls/openssl.cnf) to your working directory, and add an extension by adding the following to the end of the file:
[ san_env ]
subjectAltName=DNS:mypypi.com
and generating your certificate with
openssl req -new -x509 -nodes -key my.key -out cert.csr -days 365 -config openssl.cnf -extensions san_env
In addition, pip wants your certificate in a different format, which can be generated using
openssl x509 -inform der -in cert.cer -out cert.pem
This file cert.pem can be concatenated with the python ca bundle as described above to generate your custom bundle.
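A worked check for both the Docker registry answer above and this pip answer, added here as an example; it is not code from either answer, nor from the Docker or pip projects. It assumes an `openssl` 1.1.1 or newer binary on PATH and a writable temp directory; the hostnames, the port and the stand-in "base bundle" are made up. It issues a self-signed certificate with a subjectAltName (the `-addext` form replaces the copied-openssl.cnf `[ san_env ]` trick), builds a merged bundle the way the pip answer describes, and verifies offline that the certificate is rejected by the base bundle, accepted by the merged bundle, and rejected again when the hostname does not match the SAN.

```shell
#!/bin/sh
# Added example, not code from the Docker or pip answers above.
# Issue a self-signed certificate with a subjectAltName, build a
# "base bundle + our cert" CA file like the pip answer's bundle.pem, and verify
# offline that the cert is rejected by the base bundle alone and accepted
# (hostname included) by the merged one.
# Assumptions: `openssl` 1.1.1 or newer on PATH and a writable temp directory.
# The hostnames, the stand-in base bundle and the port below are made up.
set -eu

WORK="$(mktemp -d)"
REGISTRY_HOST="myregistrydomain.com"

# Self-signed cert with a SAN. Hostname checks in current OpenSSL, urllib3 and
# Go ignore the CN, so -addext replaces copying openssl.cnf and adding [ san_env ].
make_self_signed() {        # $1 = host -> $WORK/$1.key and $WORK/$1.crt
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Stand-in for the bundle pip ships (python -m pip._vendor.requests.certs):
# an unrelated self-signed CA, so the base bundle is non-empty but does not
# know our registry.
make_base_bundle() {        # -> $WORK/base-bundle.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Unrelated Root CA" \
        -keyout "$WORK/unrelated.key" -out "$WORK/base-bundle.pem" >/dev/null 2>&1
}

# The concatenation step from the pip answer.
merge_bundle() {            # $1 = base bundle, $2 = extra cert, $3 = output
    cat "$1" "$2" > "$3"
}

# Chain + hostname check against one CA file; prints "trusted" or "untrusted".
# This is the decision docker, pip and curl make (with their own CA files)
# before they send credentials.
verify_against() {          # $1 = CA file, $2 = cert, $3 = expected hostname
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# SAN entries of a cert as "DNS:host[,...]", for a quick sanity check.
san_of() {                  # $1 = cert
    openssl x509 -noout -ext subjectAltName -in "$1" | tail -n +2 | tr -d ' \n'
}

# Docker reads /etc/docker/certs.d/<host>[:<port>]/ca.crt; the directory name
# must match the registry exactly as given to `docker login`, port included.
docker_ca_path() {          # $1 = host[:port]
    echo "/etc/docker/certs.d/$1/ca.crt"
}

demo() {
    make_self_signed "$REGISTRY_HOST"
    make_base_bundle
    merge_bundle "$WORK/base-bundle.pem" "$WORK/$REGISTRY_HOST.crt" "$WORK/bundle.pem"

    echo "SAN          : $(san_of "$WORK/$REGISTRY_HOST.crt")"
    echo "base bundle  : $(verify_against "$WORK/base-bundle.pem" "$WORK/$REGISTRY_HOST.crt" "$REGISTRY_HOST")"
    echo "merged bundle: $(verify_against "$WORK/bundle.pem" "$WORK/$REGISTRY_HOST.crt" "$REGISTRY_HOST")"
    echo "wrong host   : $(verify_against "$WORK/bundle.pem" "$WORK/$REGISTRY_HOST.crt" "other.example")"
    echo "docker path  : $(docker_ca_path "$REGISTRY_HOST:5000")"
}

demo
```

The "wrong host" line is the case the Comodo/Bitnami poster hit earlier on this page: a chain that verifies fine but a name that is not in the SAN still fails. Note that `cat`-merging means the extra certificate silently drops out every time the base bundle is regenerated, which is why the pip answer suggests rebuilding bundle.pem on a schedule.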
I have updated my certificate on Gandi like this:
sudo openssl genrsa -des3 -out mywebsite.com_encrypted.key 4096
sudo openssl req -new -key mywebsite.com_encrypted.key -out mywebsite.com.csr
cd /etc/nginx/ssl/
sudo nano mywebsite.com.crt # > pasted the Gandi certificate in this file
sudo wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
sudo cat GandiStandardSSLCA.pem >> mywebsite.com.crt
sudo openssl rsa -in mywebsite.com_encrypted.key -out mywebsite.com.key
sudo chown root:root mywebsite.com.key
sudo chmod 400 mywebsite.com.key
Everything was working well with the older certificate, but since I updated the configuration with the new certificate, here is my nginx log. I can't restart:
Nginx logs:
2015/05/12 20:53:03 [emerg] 7515#0: SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/mywebsite.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
What's wrong with the process?
The nginx configuration is OK.
Here is my nginx configuration:
ssl on;
ssl_certificate /etc/nginx/ssl/mywebsite.com.crt;
ssl_certificate_key /etc/nginx/ssl/mywebsite.com.key;
I have no idea what you are trying to achieve. It looks like you replaced the key in /etc/nginx/ssl/mywebsite.com.key, leaving the original certificate /etc/nginx/ssl/mywebsite.com.crt unchanged (the mywebsite.com.crt certificate is still bound to the original key, and you cannot change that: the public key is an integral part of an X.509 certificate). This is exactly what OpenSSL is trying to tell you: you are trying to use a certificate with a different private key than the one it was originally created with.
BTW: I also have no idea why you created a certificate request (along with the new key) and then left it unused (without actually using it to create a new certificate).
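The check behind that "key values mismatch" error, as an added example; this is not code from the thread, nor from nginx or ISPConfig. It assumes an `openssl` 1.1.1 or newer binary on PATH and a writable temp directory; the hostname and the passphrase are invented. It reproduces the poster's situation (a certificate issued for key A, a freshly generated key B installed in its place) and compares the public key inside the certificate with the one derived from the key file, which is what nginx and Apache do at startup. It also performs the passphrase-stripping step from the ISPConfig "Method 1" answer earlier on this page and confirms that the stripped key still matches its certificate.

```shell
#!/bin/sh
# Added example, not code from the thread or from nginx/ISPConfig.
# Reproduces the "X509_check_private_key:key values mismatch" condition offline
# and shows the check that catches it before you restart nginx or Apache.
# It also performs the passphrase-stripping step from the ISPConfig "Method 1"
# answer earlier on this page and confirms the stripped key is still the same key.
# Assumptions: `openssl` 1.1.1 or newer on PATH and a writable temp directory.
# The hostname and passphrase are made up.
set -eu

WORK="$(mktemp -d)"
PASS="example-passphrase"     # stands in for the interactive prompt

# Key plus self-signed certificate for it, in one non-interactive step.
make_pair() {                 # $1 = basename -> $WORK/$1.key and $WORK/$1.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=mywebsite.com" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Encrypted key (the thread used `genrsa -des3`; AES-256 is the current choice)
# plus a self-signed certificate issued for that key.
make_encrypted_pair() {       # $1 = basename
    openssl genrsa -aes256 -passout "pass:$PASS" \
        -out "$WORK/$1.key" 2048 >/dev/null 2>&1
    openssl req -x509 -new -key "$WORK/$1.key" -passin "pass:$PASS" -days 30 \
        -subj "/CN=mywebsite.com" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# ISPConfig Method 1: write an unencrypted copy so the web server can start
# unattended. Same key pair, just no passphrase, so restrict who can read it.
strip_passphrase() {          # $1 = encrypted key, $2 = plain key out
    openssl rsa -in "$1" -passin "pass:$PASS" -out "$2" >/dev/null 2>&1
    chmod 600 "$2"
}

# The check nginx runs at startup: the public key embedded in the certificate
# must equal the public key derived from the private key file. Comparing the
# SubjectPublicKeyInfo hashes works for RSA and EC keys alike.
key_matches_cert() {          # $1 = cert, $2 = unencrypted key; exit 0 on match
    cert_pub="$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)"
    key_pub="$(openssl pkey -pubout -in "$2" | openssl sha256)"
    [ "$cert_pub" = "$key_pub" ]
}

check_pair() {                # $1 = cert, $2 = key; prints "match" or "mismatch"
    if key_matches_cert "$1" "$2"; then echo match; else echo mismatch; fi
}

demo() {
    make_pair a               # the key the CA signed a certificate for
    make_pair b               # a new key generated later, its CSR never submitted
    make_encrypted_pair enc
    strip_passphrase "$WORK/enc.key" "$WORK/enc.plain.key"

    echo "a.crt + a.key          : $(check_pair "$WORK/a.crt" "$WORK/a.key")"
    echo "a.crt + b.key          : $(check_pair "$WORK/a.crt" "$WORK/b.key")"
    echo "enc.crt + stripped key : $(check_pair "$WORK/enc.crt" "$WORK/enc.plain.key")"
}

demo
```

Run `check_pair` on the pair you are about to point `ssl_certificate`/`ssl_certificate_key` at before `nginx -t` or `apachectl configtest`; the second line ("mismatch") is the poster's deployment. The older `openssl x509 -noout -modulus` / `openssl rsa -noout -modulus` comparison gives the same answer but only for RSA keys, which is why the public-key hash is used here.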