I have a php web app running on a AWS EC2 instance with ubuntu. It's domain name comes however from 1&1 and is pointing to the AWS EC2 public IP.
I have a SSL certificate from 1&1 on this same domain name.
When running the web page on my browser in http everything works fine. But as soon as I run it with https it's there is constant load and the page never renders.
I guess the issue is caused by my apache configuration, but I don't know what needs to be changed to make the https working fine.
Here is my mydomain.com.conf :
<VirtualHost *:80>
ServerName www.mydomain.com
ServerAlias mydomain.com
DocumentRoot "/var/www/html/mydomain/"
ErrorLog ${APACHE_LOG_DIR}/error_mydomain.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
By looking on internet, I found out that a ssl key has to be added into the conf file, but since I'm using an ssl certificate from 1&1 I have no key or whatsoever.
Is there anyone who knows more about it ?
Thanks
Ok, so I know not many people will run into this same issue, but we never know...
It is impossible to do this without the /ssl/cert files indeed.
Unfortunately, the 1 SSL Certificate offered by 1&1 on the ultimate packs are only made for websites hosted on 1&1. I called them, and they don't want to give me the cert files because my webpage is hosted at AWS.
Thus, there is no other option then getting an other SSL certificate. I'll probably use letsencrypt for that.
You must have been provided with a cert and cert bundle from your CA vendor, and I am hoping you have kept the private key intact when creating the CSR for the bundle, your vhost should look something like this:
<VirtualHost *:80>
ServerName <mywebsite>
ServerAlias www.<mywebsite>
DocumentRoot /var/www/html/<mywebsitedocroot>
DirectoryIndex index.php index.html
<Directory /var/www/html/<mywebsitedocroot>>
#Options Indexes FollowSymLinks MultiViews
Options -Indexes
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/html/<mywebsitedocroot>
DirectoryIndex index.php index.html
ServerName <mywebsite>
ServerAlias www.<mywebsite>
SSLEngine On
#SSLCertificateFile /etc/ssl/certs/<mycert>.crt
#SSLCertificateKeyFile /etc/ssl/certs/<mycert>.key
SSLCertificateFile /etc/ssl/certs/<mycert>_com.crt
SSLCertificateKeyFile /etc/ssl/certs/<mycert>_com.key
SSLCertificateChainFile /etc/ssl/certs/<mycert>_com.ca-bundle
<Directory /var/www/html/<mywebsitedocroot>>
#Options Indexes FollowSymLinks MultiViews
Options -Indexes
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
</VirtualHost>
What is essential to understand is HTTPS listens on port 443, not 80 (it is for HTTP) and the most important section (considering your situation) is:
SSLCertificateFile /etc/ssl/certs/<mycert>_com.crt
SSLCertificateKeyFile /etc/ssl/certs/<mycert>_com.key
SSLCertificateChainFile /etc/ssl/certs/<mycert>_com.ca-bundle
You can ignore all the Options I have set or set it as per your need. I just grabbed the info from my website conf. Hope this helps
Related
I have an embedded page (yyy.subdomain.com) that i call and share session from my web with subdomain(xxx.subdomain.com), but i need that the embedded page can be only accessed by my app and not by the url in a browser. this is my conf in my vhost of apache.
<VirtualHost 127.0.0.1:443 _default_:443>
ServerAlias yyy.subdomain.com
SSLEngine on
SSLCertificateFile "/opt/user/apache/conf/certs/server.crt"
SSLCertificateKeyFile "/opt/user/apache/conf/certs/server.key"
DocumentRoot /opt/bitnami/apache/htdocs/yyy
<Directory "/opt/bitnami/apache/htdocs/yyy">
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
Also I try to remove "Require all granted" and write "Require all denied" and then use Require host / ip but it didn't work
I found the solution in other way, i put a script in the header of the embedded page to redirect if is not embedded.
Due to the fact that this is a sensitive client project, all uses of the domain name I'm talking about have been replaced with "example.com".
I am managing a public website whose Let's Encrypt certificate expired recently. So I followed the DigitalOcean tutorial here and used certbot-auto renew to renew the certificate (yes, I ran sudo service apache2 reload afterwards). It worked, but the problem is that the site now serves both the new certificate and the expired one, and it seems like a random selection happens. Sometimes the site is trusted by the browser because it receives the new one, other times the browser rejects the expired certificate. Even running the site through the SSL Labs analyzer gives an A grade sometimes and a failure other times.
What could possibly be causing both certificates to continue to be used when my configuration explicitly includes only the new one? I'm very confused.
Running certbot-auto renew right now gives this result:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted
Apache's sites-enabled directory looks like this:
000-default.conf 000-default-le-ssl.conf
And the configuration for each are as follows:
000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
000-default-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName example.com
</VirtualHost>
</IfModule>
I was able to solve the issue by calling sudo service apache2 stop to stop apache, and then running ps aux | grep apache. I discovered that there were multiple instances of apache running. So I killed them and started apache up again, and everything is now working.
Hi I'm trying to serve one site with two subdomains, and both subdomains should be under SSL. I've purchased a wildcard SSL certificate and have it installed. In my vhosts file I have 5 definitions, www (80), app (80/443), and staging (80/443). All of the subdomains work under port 80.
Here's a snippet of my vhosts.conf file:
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
ServerAdmin support#---
ServerName app.---
DocumentRoot /var/www/vhosts/---/app/www/
ErrorLog /var/www/vhosts/---/app/log/error.log
<Directory "/var/www/vhosts/---/app/www">
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin support#---
ServerName app.---
DocumentRoot /var/www/vhosts/---/app/www/
ErrorLog /var/www/vhosts/---/app/log/ssl.log
SSLEngine ON
SSLCertificateFile /etc/httpd/conf.d/ssl/---/ssl.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/---/ssl.key
SSLCertificateChainFile /etc/httpd/conf.d/ssl/---/intermediate.crt
<Directory "/var/www/vhosts/---/app/www">
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerAdmin support#---
ServerName staging.---
DocumentRoot /var/www/vhosts/---/staging/www/
ErrorLog /var/www/vhosts/---/staging/log/error.log
<Directory "/var/www/vhosts/---/staging/www">
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin support#---
ServerName staging.---
DocumentRoot /var/www/vhosts/---/staging/www/
ErrorLog /var/www/vhosts/---/staging/log/ssl.log
SSLEngine ON
SSLCertificateFile /etc/httpd/conf.d/ssl/---/ssl.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/---/ssl.key
SSLCertificateChainFile /etc/httpd/conf.d/ssl/---/intermediate.crt
<Directory "/var/www/vhosts/---/staging/www">
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>
If I change this line:
<VirtualHost *:443>
To:
<VirtualHost SERVER_IPADDRESS:443>
The first definition will work as expected and use the correct certificate. When I restart Apache I receive a message in the terminal stating there's a duplicate entry and only the first will be used.
With the conf as it is above I don't receive any errors or warnings in the terminal, but I have seen this in Apache's log:
[warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
From what I've read online that warning is expected and shouldn't be a problem.
Running configtest shows Syntax OK.
It seems the problem is named virtual hosts with SSL. I've checked 3 guides online and tried a variety of things (using *.domain.com as ServerName for both, app.domain.com as ServerAlias), subdomains as the directive (app.domain.com:443) but can't figure out the right combination to serve each subdomain under both 80 and 443 using only one IP address.
I know it's possible. Any ideas on what I'm missing?
Check the version of apache you are using. It may be that your apache is too old to support it. I think sni was supported in apache 2.2.12 and later.
The only solution I was able to find which isn't a great one was to rebuild on CentOS 6.4. The issue as noted by Russ is that the built in Apache/OpenSSL do not support SNI. I managed to get OpenSSL upgraded in 5.9, but I was not able to build Apache with SNI. I compiled it using a guide that showed the flags to use but it didn't work. That's not to say it can't be done and I may have done it wrong, this was easier since it's for a new site and downtime isn't an issue.
Once the issue was corrected the warning in error_log changes to this:
[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
Thanks for the help!
If on the server, we already setup/configured the SSL certificate, how could I make my websites using secure page? Just make the linke to https://example.com/etc.php?
Thanks!
Two things have to be in place.
You'll need to setup the ssl cert properly, which it sounds like you have
As the other commentator said, this will depend upon which webserver you're using. More likely than not, apache:
Apache:
You'll need to modify the apache settings to support the https version of your site. If you're using a modern installation of Apache2 with virtual hosts, usually there will be a "sites-available" directory where individual config files exists for each domain. For a domain that will have both http and https (80 and 443), you would do something like this, assuming apache is listening on 127.0.0.1 (this would not be the case for most apache installations, so be sure to change the ip). It also goes without saying that you need to change the paths and domain name in the following:
<VirtualHost 127.0.0.1:80>
ServerAdmin somebody#domain.com
ServerName somebody.com
ServerAlias www.somebody.com
DocumentRoot /home/somebody/www
<Directory "/home/somebody/www">
Options FollowSymLinks
AllowOverride All
Options -Indexes
</Directory>
ErrorLog /home/logs/somebody.error.log
CustomLog /home/logs/somebody.access.log combined
</VirtualHost>
<VirtualHost 127.0.0.1:443>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/something.crt
SSLCertificateKeyFile /etc/apache2/ssl/something.key
SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt
ServerAdmin somebody#something.com
ServerName somebody.com
ServerAlias www.somebody.com
DocumentRoot /home/somebody/www
<Directory "/home/somebody/www">
Options FollowSymLinks
AllowOverride All
Options -Indexes
</Directory>
ErrorLog /home/logs/somebody.ssl.error.log
CustomLog /home/logs/somebody.ssl.access.log combined
</VirtualHost>
If you are using nginx, there is a similar dual block you'll need to have for :80 and :443. Look at the block you already have for 80 and consult their documentation:
http://nginx.org/en/docs/http/configuring_https_servers.html
You may also be using iis, in which case, here are the instructions for version 7:
How do I configure a site in IIS 7 for SSL?
I've been following this guide as much as I could
http://robsnotebook.com/xampp-ssl-encrypt-passwords .
However whenever I browse to a page starting with https the apache server replies 404 Object Not Found.
What setting I am missing? Thanks for any help.
Found the answer. In the file xampp\apache\conf\extra\httpd-ssl.conf, under the comment SSL Virtual Host Context pages on port 443 meaning https is looked up under different document root.
Simply change the document root to the same one and problem is fixed.
You can also configure your SSL in xampp/apache/conf/extra/httpd-vhost.conf like this:
<VirtualHost *:443>
DocumentRoot C:/xampp/htdocs/yourProject
ServerName yourProject.whatever
SSLEngine on
SSLCertificateFile "conf/ssl.crt/server.crt"
SSLCertificateKeyFile "conf/ssl.key/server.key"
</VirtualHost>
I guess, it's better not change it in the httpd-ssl.conf if you have more than one project and you need SSL on more than one of them
For XAMPP, do the following steps:
G:\xampp\apache\conf\extra\httpd-ssl.conf"
Search 'DocumentRoot' text.
Change DocumentRoot DocumentRoot "G:/xampp/htdocs" to DocumentRoot "G:/xampp/htdocs/project name".
configure SSL in xampp/apache/conf/extra/httpd-vhost.conf
http
<VirtualHost *:80>
DocumentRoot "C:/xampp/htdocs/myproject/web"
ServerName www.myurl.com
<Directory "C:/xampp/htdocs/myproject/web">
Options All
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
https
<VirtualHost *:443>
DocumentRoot "C:/xampp/htdocs/myproject/web"
ServerName www.myurl.com
SSLEngine on
SSLCertificateFile "conf/ssl.crt/server.crt"
SSLCertificateKeyFile "conf/ssl.key/server.key"
<Directory "C:/xampp/htdocs/myproject/web">
Options All
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
make sure server.crt & server.key path given properly otherwise this will not work.
don't forget to enable vhost in httpd.conf
# Virtual hosts
Include etc/extra/httpd-vhosts.conf
There is a better guide here for Windows:
https://shellcreeper.com/how-to-create-valid-ssl-in-localhost-for-xampp/
Basic steps:
Create an SSL certificate for your local domain using this: See more details in the link above
https://gist.github.com/turtlepod/3b8d8d0eef29de019951aa9d9dcba546
https://gist.github.com/turtlepod/e94928cddbfc46cfbaf8c3e5856577d0
Install this cert in Windows (Trusted Root Certification Authorities) See more details in the link above
Add the site in Windows hosts (C:\Windows\System32\drivers\etc\hosts)
E.g.: 127.0.0.1 site.test
Add the site in XAMPP conf (C:\xampp\apache\conf\extra\httpd-vhosts.conf)
E.g.:
<VirtualHost *:80>
DocumentRoot "C:/xampp/htdocs"
ServerName site.test
ServerAlias *.site.test
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "C:/xampp/htdocs"
ServerName site.test
ServerAlias *.site.test
SSLEngine on
SSLCertificateFile "crt/site.test/server.crt"
SSLCertificateKeyFile "crt/site.test/server.key"
</VirtualHost>
Restart Apache and your browser and it's done!
I finally got this to work on my own hosted xampp windows 10 server web site. I.e. padlocks came up as ssl. I am using xampp version from November 2020.
Went to certbot.eff.org. Selected from their home page software [apache] and system [windows]. Then downloaded and installed certbot software found at the next page into my C drive.
Then from command line [cmd in Windows Start and then before you open cmd right click to run cmd as admin] I enhtered the command from Certbot page above. I.e. navigated to system32-- C:\WINDOWS\system32> certbot certonly --standalone
Then followed the prompts and enteredmy domain name. This created certs as cert1.pem and key1.pem in C:\Certbot yourwebsitedomain folder. the cmd windows tells you where these are.
Then took these and changed their names from cert1.pem to my domainname or shorter+cert.pem and same for domainname or shorter+key.key. Copied these into C:\xampp\apache\ssl.crt and ssl.key folders respectively.
Then for G:\xampp\apache\conf\extra\httpd-vhosts entered the following:
<VirtualHost *:443>
DocumentRoot "G:/xampp/htdocs/yourwebsitedomainname.hopto.org/public/" ###NB My document root is public. Yours may not be. Or could have an index.php page before /public###
ServerName yourwebsitedomainnamee.hopto.org
<Directory G:/xampp/htdocs/yourwebsitedomainname.hopto.org>
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Require all granted
</Directory>
ErrorLog "G:/xampp/apache/logs/error.log"
CustomLog "G:/xampp/apache/logs/access.log" common
SSLEngine on
SSLCertificateFile "G:\xampp\apache\conf\ssl.crt\abscert.pem"
SSLCertificateKeyFile "G:\xampp\apache\conf\ssl.key\abskey.pem"
</VirtualHost>
Then navigated to G:\xampp\apache\conf\extra\httpd-ssl.conf and did as was advised above. I missed this important step for days until I read this post. Thank you!
I.e. entered
<VirtualHost _default_:443>
DocumentRoot "G:/xampp/htdocs/yourwebsitedomainnamee.hopto.org/public/"
###NB My document root is public. Yours may not be. Or could have an index.php page before /public###
SSLEngine on
SSLCertificateFile "conf/ssl.crt/abscert.pem"
SSLCertificateKeyFile "conf/ssl.key/abskey.pem"
CustomLog "G:/xampp/apache/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Note1. I used www.noip.com to register the domain name.
Note2. Rather then try to get them to give me a ssl certificate, as I could not get it to work, the above worked instead.
Note3 I use the noip DUC software to keep my personally hosted web site in sync with noip.
Note4. Very important to stop and start xampp server after each change you make in xampp. If xampp fails for some reason instead of starting the xampp consol try the start xampp as this will give you problems you can bug fix. Copy these quickly and paste into note.txt.
In case you are on Mac OS (catalina or mojave) and wants to enable HTTPS/SSL on XAMPP for Mac, you need to enable the virtual host and use the default certificates included in XAMPP.
On your httpd-vhosts.conf file add a new vhost:
<VirtualHost *:443>
ServerAdmin webmaster#localhost.com
DocumentRoot "/Users/your-user/your-site"
ServerName your-site.local
SSLEngine on
SSLCertificateFile "etc/ssl.crt/server.crt"
SSLCertificateKeyFile "etc/ssl.key/server.key"
<Directory "/Users/your-user/your-site">
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require all granted
Order allow,deny
Allow from all
</Directory>
</VirtualHost>