My case is quite specific.
My client uses one of my services (https://example.com/service.php) and I generated for them SSL client certificate, which they use for http requests. but they have requirement that they can only use 1024 bit certificates (I had no problem generating it). but since my CA root certificate is 2048 bit requests fail. Now they want me to open port 4000 for them and require access via SSL cleint certificate. (If that makes any sense).
I run Ubuntu 14.04 on DigitalOcean VPS
I opened port 4000 with
sudo iptables -A INPUT -p tcp --dport 4000 -j ACCEPT
I also allowed that port in ufw with
sudo ufw allow 4000
I also added record to
/etc/apache2/sites-available/default-ssl.conf
I added it to default-ssl.conf because I want port 4000 to be accessible via https (https://example.com:4000/service.php)
<VirtualHost *:4000>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /home/admin/conf/web/client.pem
SSLCertificateKeyFile /home/admin/conf/web/client.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
What Immediate problem I have is that when i try to telnet example.com:4000 it says that 4000 is closed. I need advice on trouble shooting.
You need to add
Listen 4000
somewhere in your apache configuration. Otherwise, apache will not open a socket for that port.
Usually, these settings are apart from the sites-enabled or sites-available directories found on Ubuntu derivatives, for example in the main httpd.conf. A good place would probably be a separate file in conf-available and symlinking that into conf-enabled.
Related
I'm using Apache as a reverse proxy to redirect all requests. I need to forward client cert details to my apps within the request. For testing purposes, I'm simply trying to attach CN to the forwarded request. This is my conf file (simplified):
<VirtualHost _default_:443>
ServerName localhost
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/CA.pem
SSLCertificateKeyFile /etc/ssl/private/CA.key
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +ExportCertData +StdEnvVars
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}:8443/myapp?cn=%{SSL_CLIENT_S_DN_CN}
</VirtualHost>
If I navigate to https://localhost browser asks for a cert, and then I get redirected to:
https://localhost:8443/myapp?cn=
So it appears that it's not reading SSL_CLIENT_S_DN_CN. What am I missing?
EDIT: If I set request header, e.g.:
RequestHeader set XYZ %{SSL_CLIENT_S_DN_CN}e
I don't see it in dev tools, either. So there must be something wrong with my configuration. %{SERVER_NAME} works, %{SSL_CLIENT_S_DN_CN} doesn't.
I am trying to install a certificate for all my subdomain on GCE VM, here is what I've done so far:
Allow HTTPS traffic is enabled in the VM settings.
I enabled the certificate on apache and default-ssl.conf looks like this
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin fadi#domain.com
ServerName domain.com
ServerAlias www.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
ProxyPreserveHost On
ProxyPass /console https://0.0.0.0:8080/console
ProxyPassReverse /console https://0.0.0.0:8080/console
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
But still I can not reach my server on https but am still able to access it via http, even though I enabled ssl using
sudo a2ensite default-ssl.conf
sudo service apache2 restart
Can someone help me please figure out this issue! the app is actually running on apache tomcat but proxied through apache if that make any difference!
443 is the default port used by Compute Engine for its services . Better you use any other port like 7443 or 8443 , then i guess it will work . I myself faced this issue on Compute Engine with Tomcat , and used other than the default ports . And also don't forget to mention whatever port you choose in the Firewall Rules section in the Networking . Let me know if that works !!
I am unable to get my apache2 instance to run on https.
I have a running website that works on http with a couple of aliases. I installed a self signed certificate and added the entries to the conf file. So far so good.
At this juncture apache2ctl configtest says OK.
I run a2enmod ssl and ssl get enabled
apache2ctl configtest or a service apache2 restart both fail with this error
Syntax error on line 140 of /etc/apache2/apache2.conf: Syntax error on line 2 of /etc/apache2/mods-enabled/ssl.load: Cannot load /usr/lib/apache2/modules/mod_ssl.so into server: /usr/lib/apache2/modules/mod_ssl.so: undefined symbol: ap_map_http_request_error
Action 'configtest' failed.
verified that mod_ssl.so is in the specified path
verified that the ln to files in sites-enabled is correct
certificate files exist in the specified path
my ssl conf files look like this:
<IfModule mod_ssl.c>
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
ServerName www.myserver.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
How do I fix this?
i have a website on my localhost, so to test the secure connection i did generate ssl certificate offline for localhost only, the thing is i used exact the same method as i did on my laptop, but it is not work for the new pc that i just setup. But it works fine on my laptop.
what could be the problem.
i did go through this too, but it not solved my problem
Setup HTTPS on wildcard subdomain on localhost
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster#muster.project
ServerName muster.project
ServerAlias *.muster.project
DocumentRoot /var/www/project/muster/web
<Directory "/var/www/project/muster/web">
AllowOverride All
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
Interestingly, it is only work for the
https://muster.project
but not for https://anything.muster.project
Same method, same system both lubuntu,
i did change the ServerAlias to
www.muster.project *.muster.project it is also not works
i changed the not works either.
there are no error log either...
the only things i get was
rsa server certificate is a ca certificate (basicconstraints ca == true )
i don't think this is matter since the domain without subdomain works.
did i need to set the /etc/hosts file? even though i did! it is not work.
got some idea how to solve this? it is been few days already fixing it without success. Thanks for the helps!
Hier are the tutorial i followed
thomas-leister[dot]de/allgemein/apache-webserver-ssl-verschlusselung-einrichten/
Wildcards certificates only works for one level :
If you have a certificate for *.project it's valid for anything.project but not for anything.muster.project
Finally i found the Problem...
i set the wildcards DNS according to this sites
https://www.leaseweb.com/labs/2013/08/wildcard-dns-ubuntu-hosts-file-using-dnsmasq/
it seems it has nothing to do with the ssl (locally , it might be different for live website)..
i don't know why my laptop works even i don't set the dnsmasq...
however it is works now. maybe it will help if someone face this problem.
I purchased an SSL certificate and had it validated. The vendor then sent me the files.
This is my first time adding an SSL to ubuntu.
In my sites enabled folder in Apache I added a new conf file example-ssl.conf
I then added the following
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin info#example.ie
ServerName example.ie
ServerAlias www.example.ie
DocumentRoot /var/www/html/example/
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/example.crt
SSLCertificateKeyFile /etc/ssl/private/example_private.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
I then ran sudo a2ensite example-ssl.conf
But got an error...
Site example-ssl not properly enabled: /etc/apache2/sites-enabled/example-ssl.conf is a real file, not touching it
So I decided to change default-ssl.conf with the same information as above,
I then ran sudo a2ensite default-ssl.conf which worked.
I restarted apache,
but when I go to https://www.example.com , I get an unable to connect error as if the site doesnt exist at all. "Firefox can't establish a connection to the server at www.example.ie."
Thank you
EDIT: A bit of background, I set this up using Digital Ocean. I've now realised this is happening with all my droplets when I try to use https. So perhaps its a more generic setting on linux I need to enable
You don't show any "Listen 443" directive. That's step one if you expect Apache to listen for connections on a new port.
Also everything you posted is a no-op if mod_ssl isn't loaded due to your ifModule.