I have two files:
privkey.pem that starts with -----BEGIN ENCRYPTED PRIVATE KEY-----
cert.pem that starts with -----BEGIN CERTIFICATE-----
Now I should install them, but I never did this before and all related information I found (1, 2, 3) says that I need three files:
primary.crt
private.key
intermediate.crt
The file endings are different, but from what I found my .pem files are ok, too (only the content matters and I can rename the ending).
But what files do I have now? The primary and private? And am I missing some file? Or is it possible with only the two I have?
Start with this:
SSLEngine on
SSLCertificateFile /path/to/cert.crt
SSLCertificateKeyFile /path/to/privkey.crt
This should bring the site up on SSL. While this may work with some browsers, you'd require intermediate certificates for your certificate to chain up to the Root CA to ensure your site works in all browsers.
To obtain the intermediate certificates for your site, go to What's My Chain Cert? and enter your site name. This will indicate that you are missing intermediate certificates, as expected. Use the last form field on the page to generate the intermediate certs.
Use the downloaded cert chain in the SSLCertificateChainFile directive in your Apache webserver config like this:
SSLCertificateChainFile /path/to/intermediate.crt
Once done, I suggest checking your site using an online scanner such as SSL Labs server test to ensure your certificates are properly configured and that your configuration does not expose any vulnerabilities or SSL weaknesses.
I got valid https certificate from Let's Encrypt, but have trust issues giving it to vert.x version 3.6.2
I tested the cert with apache, it's ok, however if I try to reach the https vert.x server instance with wget I get:
$ wget https://www.myhost.mydomain/json/read/all-languages
--2019-01-22 10:30:56-- https://www.myhost.mydomain/json/read/all-languages
Resolving www.myhost.mydomain (www.myhost.mydomain)... 88.14.34.156
Connecting to www.myhost.mydomain (www.myhost.mydomain)|88.14.34.156|:443... connected.
ERROR: cannot verify www.myhost.mydomain's certificate, issued by ‘CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US’:
Unable to locally verify the issuer's authority.
To connect to www.myhost.mydomain insecurely, use `--no-check-certificate'.
Hostname and IP are forged.
my working apache config snippet:
SSLCertificateFile /etc/certs/myhost.mydomain/cert.pem
SSLCertificateKeyFile /etc/certs/myhost.mydomain/privkey.pem
SSLCertificateChainFile /etc/certs/myhost.mydomain/chain.pem
vert.x code:
val httpsOptions = HttpServerOptions()
.setPort(443)
.setSsl(true)
.setPemTrustOptions(PemTrustOptions()
.addCertPath("/etc/certs/myhost.mydomain/chain.pem"))
.setPemKeyCertOptions(PemKeyCertOptions()
.addKeyPath("/etc/certs/myhost.mydomain/privkey.pem")
.addCertPath("/etc/certs/myhost.mydomain/cert.pem")
)
vertx.createHttpServer(httpsOptions).requestHandler(router).listen()
I set vert.x logging to debug, but no error message appears.
What am I missing?
I found the solution here: https://community.letsencrypt.org/t/android-doesnt-trust-the-certificate/16498/2
I changed the cert.pem to fullchain.pem in the setPemKeyCertOptions settings, and it works.
Thank you for your effort.
The issue is in the certificate chain file chain.pem. It seems that it does not contain the full certificate chain. If you view the file it probably contains only one intermediate LE authority cert inside, i.e., Let's Encrypt Authority X3. It works with Apache because the SSLCertificateChainFile is actually deprecated and it is not being used at all.
Vert.x on the other side does use the chain.pem file. It returns only the intermediate cert and wget complains because of that. To fix the issue create a fullchain.pem file composed of both the chain.pem and the cert.pem files, e.g.,
cat cert.pem chain.pem > fullchain.pem
Then use the fullchain.pem with the PemTrustOptions configuration.
You don't need to put the LE root certificate in the fullchain.pem file, because it should already be present on both client and server side. Here's an excerpt from the TLS Protocol RFC about it.
certificate_list
This is a sequence (chain) of certificates. The sender's
certificate MUST come first in the list. Each following
certificate MUST directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root
certificate authority MAY be omitted from the chain, under the
assumption that the remote end must already possess it in order to
validate it in any case.
I have a website where I haven't installed an SSL certificate.
In apache.conf I have only two files:
SSLCertificateFile /etc/ssl/certs/domainname.crt
SSLCertificateKeyFile /etc/ssl/private/domainname.key
https://www.sslshopper.com/ssl-checker.html gives me this error:
The certificate is not trusted in all web browsers. You may need to
install an Intermediate/chain certificate to link it to a trusted root
certificate.
In the docs I have seen that I must have these files to create a certificate chain:
AddTrustExternalCARoot.crt
ComodoUTNSGCCA.crt
EssentialSSLCA_2.crt
domainname.crt
UTNAddTrustSGCCA.crt
But in my /etc/ssl/ directory I have only the domainname.crt file.
Can I download the other files from anywhere? Or must I buy a new certificate with all files?
I have downloaded the needed files from https://github.com/cloudflare/cfssl_trust/tree/master/intermediate_ca
and it works.
I have a question about the certificate files and how to get a site to run on SSL.
Apache is running and SSL is built in. I am past the SSLSessionCache warning and here I am - every time the same problem - I get a mail with some files and I do not know which file is what.
I have a .key, .pem and a .p7b file and I have the VirtualHost config - how do I know which file is what?
SSLCertificateFile ?
SSLCertificateKeyFile <-- .key (I think)
SSLCertificateChainFile ?
and do I need to convert a file with openssl?
This Server is an internal Server and the certificate was issued in our company.
Any reason to not ask whoever issued the certificate the meaning of each file?
Apache requires the key and the certificate to be PEM-encoded. You can use this tool or OpenSSL to convert the .p7b to PEM.
It's hard to know what's inside the .pem and .key file without looking at the content. You can try to use the following OpenSSL commands to check which one does not fail:
# if it works, it's a CSR
openssl req -in file.pem -noout -text
# if it works, it's a certificate
openssl x509 -in file.pem -noout -text
# if it works, it's an RSA private key (the rsa subcommand only reads RSA keys)
openssl rsa -in file.pem -noout -text
The chain file is easier to spot, because it will contain several PEM-encoded certificates listed one after the other.
Depending on the Apache version, you may or may not need the SSLCertificateChainFile directive. Newer versions require you to bundle the chain and the server certificate in a single file and pass it to SSLCertificateFile. Check your Apache version and compare it with the online documentation.
Assuming it's an old version:
SSLCertificateFile points to the server certificate file
SSLCertificateChainFile points to the intermediate certificate (if it's self-signed, you don't have them)
SSLCertificateKeyFile points to the key
If it's a newer version, ignore SSLCertificateChainFile and concatenate the server plus the chain (if any) in a single file you supply to SSLCertificateFile.
I'm trying to install an intermediate certificate on Nginx ( laravel forge ).
Right now the certificate is properly installed, just the intermediate that is missing.
I've seen that I need to concatenate the current certificate with the intermediate. What is the best/safest way to add the intermediate certificate.
Also, if the install of the intermediate fails, can I just roll back to the previous certificate and reboot nginx? (The website is live, so I can't have too long a downtime.)
Nginx expects all certificates for a server section in one file that you refer to with ssl_certificate. Just put all of the vendor's intermediate certificates and your domain's certificate in a file. It'll look like this.
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
To make sure everything is okay and to avoid downtime, I would suggest setting up Nginx locally, adding 127.0.0.1 yourdomain.com to /etc/hosts, and trying to open it from major browsers. When you've verified that everything is correct you can replicate it to the production server.
When you're done, it is a good idea to use some SSL checker tool to verify (e.g. this one). Because pre-installed CA certificates may vary depending on browser and platform, you can easily overlook a misconfiguration checking from one OS or a limited set of browsers.
Edit
As #Martin pointed out, the order of certificates in the file is important.
RFC 4346 for TLS 1.1 states:
This is a sequence (chain) of X.509v3 certificates. The sender's
certificate must come first in the list. Each following
certificate must directly certify the one preceding it.
Thus the order is:
1. Your domain's certificate
2. Vendor's intermediate certificate that certifies (1)
3. Vendor's intermediate certificate that certifies (2)
...
n. Vendor's root certificate that certifies (n-1). Optional, because it should be contained in client's CA store.
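The ordering rule quoted from the RFC above, and the fullchain.pem concatenation in the Vert.x answer earlier on this page, can be checked mechanically. This is an added Python example, not code from any of the answers or from Nginx, Apache or Vert.x: it splits a PEM bundle, pulls the issuer and subject out of each certificate with a minimal DER walk (standard library only) and reports every position where a certificate is not directly certified by the next one. fake_cert() builds constructed, unsigned stand-in certificates so the script runs offline; a real fullchain.pem is handled by the same functions.

```python
import base64, re
_PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_bundle(pem: bytes) -> list:
    """DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode(b"".join(m.split())) for m in _PEM_CERT.findall(pem)]

def _tlv(buf: bytes, pos: int):
    """Decode one DER header at pos -> (tag, header_start, value_start, value_end)."""
    tag, p = buf[pos], pos + 1
    length, p = buf[p], p + 1
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, p = int.from_bytes(buf[p:p + n], "big"), p + n
    return tag, pos, p, p + length

def issuer_and_subject(der: bytes):
    """Walk tbsCertificate just far enough to return (issuer, subject) as raw DER Name bytes."""
    _, _, p, _ = _tlv(der, 0)             # Certificate SEQUENCE
    _, _, p, _ = _tlv(der, p)             # tbsCertificate SEQUENCE
    tag, _, _, end = _tlv(der, p)         # optional [0] version, otherwise serialNumber
    if tag == 0xA0:
        _, _, _, end = _tlv(der, end)     # serialNumber INTEGER
    _, _, _, end = _tlv(der, end)         # signature AlgorithmIdentifier
    _, h, _, end = _tlv(der, end)         # issuer Name
    issuer = der[h:end]
    _, _, _, end = _tlv(der, end)         # validity
    _, h, _, end = _tlv(der, end)         # subject Name
    return issuer, der[h:end]

def chain_order_problems(pem: bytes) -> list:
    """Empty list when each cert's issuer is the next cert's subject (the RFC order); else one message per break."""
    certs = [issuer_and_subject(d) for d in split_bundle(pem)]
    return [f"cert {i} is not issued by cert {i + 1}"
            for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]

def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short and 2-byte long length forms suffice for the fixture)."""
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body

def fake_cert(subject_cn: str, issuer_cn: str) -> bytes:
    """Constructed, unsigned stand-in certificate (PEM) holding only the fields issuer_and_subject() reads."""
    def name(cn):                         # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")            # version v3, serial 1
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))            # validity left empty
    der = _der(0x30, _der(0x30, tbs))     # signatureAlgorithm/signatureValue omitted: fixture only
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

On a real server, chain_order_problems(open("fullchain.pem", "rb").read()) returning an empty list means the leaf comes first and every intermediate follows the certificate it signed; a bundle built as cat chain.pem cert.pem by mistake is reported at position 0.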
Letsencrypt: fullchain.pem
Same trouble for me. I was using Letsencrypt and, in my Nginx configuration, I needed to NOT use this:
ssl_certificate /etc/letsencrypt/live/domain.tld/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
But use this:
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
I have a question about certificate files with Apache + OpenSSL.
I have generated the following basic certificate files from the server:
/usr/share/ssl/csr/mydomain.csr.pem
/usr/share/ssl/private/mydomain.key.pem
I have sent the mydomain.csr.pem to the CA authority after purchasing Comodo's Positive SSL at
http://www.namecheap.com/ssl-certificates/comodo.aspx
It's approved and got three *.crt files, which are:
AddTrustExternalCARoot.crt
PositiveSSLCA2.crt
mydomain_com.crt
Based on the Apache tutorial at
http://www.apache.com/resources/how-to-setup-an-ssl-certificate-on-apache/
looks like I only need to use mydomain_com.crt and put it in
/usr/share/ssl/certs/mydomain_com.crt
My question is, what do I have to do with these two files?
AddTrustExternalCARoot.crt
PositiveSSLCA2.crt
Looks like they're not necessary, so why are these files given to us? If they are used, then when and how?
You may need to specify the PositiveSSLCA2.crt in the Apache configuration. If the HTTP client trusts Comodo, they should already have the root certificate.
I found instructions on this page for configuring the intermediate certificate. Basically, you would specify the PositiveSSLCA2.crt in your Apache configuration as the SSLCertificateChainFile. Your client may trust the root CA, but it probably does not know about the intermediate certificate, therefore could not establish trust without it.
The root CA is probably just for your information, but it might be needed if you ever use an HTTP client that requires you to specify it directly, for trust purposes.