I have 2 .crt files for an Apache server:
1_root_bundle.crt
2_my_domain_name.com.crt
And another bundle:
1_Intermediate.crt
2_my_domain_name.com.crt
root.crt
I have modified
/etc/apache2/sites-available/default-ssl.conf
and tried various combinations of the above-mentioned files, but after an Apache2 service restart SSL does not work; the browser shows "Connection is not secure":
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/1_Intermediate.crt
SSLCertificateKeyFile /etc/apache2/ssl/2_my_domain_name.com.crt
SSLCertificateChainFile /etc/apache2/ssl/root.crt
How do I set up SSL on an Apache server?
It is missing the key file with your certificate's private key. Usually it has the .key extension, like 2_my_domain_name.com.key, and the file content starts with -----BEGIN PRIVATE KEY-----
Your configuration should look like this:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/2_my_domain_name.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/2_my_domain_name.com.key
SSLCertificateChainFile /etc/apache2/ssl/1_root_bundle.crt
The SSLCertificateChainFile points to an all-in-one file where you can assemble the certificates of the Certification Authorities (CA) which form the certificate chain of the server certificate.
So ensure that 1_root_bundle.crt contains the 1_Intermediate.crt content and is in PEM format (base64 with -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- headers).
If you use Apache >= 2.4.8 you can also concatenate all certificates in the file pointed to by SSLCertificateFile:
SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.
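As an added example that is not part of the original answer, the script below builds a throwaway root, intermediate and server PKI with openssl (the CA names, the temporary directory and the file names 1_Intermediate.crt, 1_root_bundle.crt and 2_my_domain_name.com.* are constructed to mirror the question), assembles the chain file as the answer describes, and then runs the checks worth doing before restarting Apache: that the key file really is a private key and belongs to the certificate (the question's config pointed SSLCertificateKeyFile at a .crt, which this rejects), that the bundle is PEM with matching headers, that the server certificate chains to the root through the bundle, and that the server certificate sits first in the 2.4.8-style combined file. It assumes an openssl binary of version 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds a throwaway
# root -> intermediate -> server PKI with openssl (>= 1.1.1 assumed),
# assembles the files the answer names, and checks them before Apache sees them.
# CA names, file names and the temp directory are constructed for the demo.

WORK="${WORK:-$(mktemp -d)}"

# Create the test PKI in $WORK (subshell body keeps the cd local).
make_test_pki() (
    cd "$WORK" || exit 1
    # Self-signed root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Test Root" -keyout root.key -out root.crt 2>/dev/null
    # Intermediate CA: CSR signed by the root, with CA:TRUE so it may issue.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test Intermediate" \
        -keyout int.key -out int.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >int.ext
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 2 -sha256 -extfile int.ext -out 1_Intermediate.crt 2>/dev/null
    # Server key and CSR in one step, then signed by the intermediate.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=my_domain_name.com" \
        -keyout 2_my_domain_name.com.key -out server.csr 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:my_domain_name.com\n' >srv.ext
    openssl x509 -req -in server.csr -CA 1_Intermediate.crt -CAkey int.key -CAcreateserial \
        -days 2 -sha256 -extfile srv.ext -out 2_my_domain_name.com.crt 2>/dev/null
    # SSLCertificateChainFile: issuing CA first, optionally up to the root.
    cat 1_Intermediate.crt root.crt >1_root_bundle.crt
    # Apache >= 2.4.8 alternative: server certificate first, intermediates after it.
    cat 2_my_domain_name.com.crt 1_Intermediate.crt >fullchain.crt
)

# 0 when $1 is a private key whose public half equals the one in certificate $2.
key_matches_cert() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1   # not a readable private key
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null |
        openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# 0 when $1 holds at least one PEM certificate and every BEGIN has its END.
is_pem_cert_bundle() {
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")
    e=$(grep -c -- '-----END CERTIFICATE-----' "$1")
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# 0 when server cert $1 chains to trusted root $3 through the intermediates in $2.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Subject of the first certificate in a file: mod_ssl reads the server
# certificate from the top of SSLCertificateFile, so it must come first.
first_cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

run_checks() {
    make_test_pki || return 1
    srv="$WORK/2_my_domain_name.com"
    rc=0
    key_matches_cert "$srv.key" "$srv.crt" \
        && echo "ok   key matches certificate" || { echo "FAIL key/cert mismatch"; rc=1; }
    # The question's config: SSLCertificateKeyFile pointed at the .crt. Must be rejected.
    key_matches_cert "$srv.crt" "$srv.crt" \
        && { echo "FAIL a .crt was accepted as a key"; rc=1; } || echo "ok   .crt is not a private key"
    is_pem_cert_bundle "$WORK/1_root_bundle.crt" \
        && echo "ok   bundle is PEM" || { echo "FAIL bundle is not PEM"; rc=1; }
    chain_verifies "$srv.crt" "$WORK/1_root_bundle.crt" "$WORK/root.crt" \
        && echo "ok   server cert chains to root via bundle" || { echo "FAIL chain"; rc=1; }
    echo "first cert in fullchain.crt: $(first_cert_subject "$WORK/fullchain.crt")"
    return $rc
}

run_checks
```

Run it with sh; every check prints ok or FAIL. Point the same functions at your real files to check them, e.g. `key_matches_cert 2_my_domain_name.com.key 2_my_domain_name.com.crt`.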
1) Install Apache HTTP Server and mod_ssl
2) Configure httpd
Remember to disable SSLv2 and SSLv3, because they are vulnerable.
# Toggle on the SSL/TLS Protocol Engine
SSLEngine On
# The signed certificate of the server
SSLCertificateFile /etc/pki/tls/myserver/myserver.crt
# The private key of the server
SSLCertificateKeyFile /etc/pki/tls/myserver/myserver.key
# The intermediate certificate of the server
SSLCertificateChainFile /etc/pki/tls/myserver/tls-ca-chain.pem
# Accept only strong encryption
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder on
3) Check the permissions on the certificate files.
UPD:
How to create a key and certificate signing request in one step:
openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out myserver.csr
Next you have to send this CSR file to one of the certificate authorities. They will send back your signed certificate and the intermediate certificate(s).
You can also create a self-signed certificate.
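The answer lists the configuration but leaves step 3 and the "vulnerable" remark as one-liners. The script below is an added example, not from the answer, with three checks on constructed inputs: that a private key file has no group/other permission bits, that an SSLProtocol value actually switches off SSLv2 and SSLv3 (writing `all -SSLv2` alone leaves SSLv3 enabled), and that an SSLCipherSuite string both parses and, once expanded by `openssl ciphers`, contains no NULL, anonymous-DH, RC4, DES/3DES, MD5, export or PSK suites. It assumes GNU-style `stat -c` and an openssl binary on PATH; it checks the key file's mode, not its owner.

```shell
#!/bin/sh
# Added example, not from the original answer. Three configuration checks for
# steps 2 and 3 above, exercised on constructed inputs. Assumes GNU stat -c
# and an openssl binary on PATH.

# 0 when the private key is readable by its owner only (e.g. mode 600 or 400).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;   # no group/other bits set
        *)   return 1 ;;
    esac
}

# 0 when an SSLProtocol value cannot enable SSLv2 or SSLv3.
ssl_protocol_ok() {
    for bad in SSLv2 SSLv3; do
        case " $1 " in
            *" -$bad "*) ;;                                 # explicitly removed
            *" all "*|*" +$bad "*|*" $bad "*) return 1 ;;   # on via "all" or by name
        esac
    done
    return 0
}

# 0 when the cipher string parses and its expansion holds no known-weak suites.
# This only inspects the string; it does not prove what a given Apache build offers.
cipher_string_ok() {
    list=$(openssl ciphers "$1" 2>/dev/null) || return 1   # unparsable string
    printf '%s\n' "$list" | tr ':' '\n' |
        grep -E -q '^ADH-|^AECDH-|RC4|DES|MD5|NULL|EXP|PSK' && return 1
    return 0
}

# Constructed inputs mirroring the answer's configuration and two weak variants.
demo() {
    tmp=$(mktemp)
    chmod 600 "$tmp"
    key_perms_ok "$tmp" && echo "ok   key mode 600"
    chmod 644 "$tmp"
    key_perms_ok "$tmp" || echo "FAIL key mode 644 is world-readable"
    rm -f "$tmp"
    ssl_protocol_ok "all -SSLv2 -SSLv3" && echo "ok   SSLProtocol all -SSLv2 -SSLv3"
    ssl_protocol_ok "all -SSLv2"        || echo "FAIL SSLProtocol all -SSLv2 leaves SSLv3 on"
    cipher_string_ok 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK' \
        && echo "ok   SSLCipherSuite from the answer"
    cipher_string_ok 'ALL:eNULL' || echo "FAIL ALL:eNULL includes NULL ciphers"
}

demo
```

To see exactly which suites a string expands to on your build, run `openssl ciphers -v 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'` and read the list before putting it in SSLCipherSuite.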
You can use the bundle file with SSLCertificateChainFile.
SSLCertificateFile /home/ubuntu/tad.com/tad.com.crt
SSLCertificateKeyFile /home/ubuntu/tad.com/tad.com.key
SSLCertificateChainFile /home/ubuntu/tad.com/intermediate_bundle.crt
SSLCACertificateFile /home/ubuntu/zup.today/intermediate_bundle.crt
OR
If you are using a bundle, it will work without the SSLCertificateChainFile directive.
SSLCertificateFile /home/ubuntu/tad.com/tad.com.crt
SSLCertificateKeyFile /home/ubuntu/tad.com/tad.com.key
SSLCACertificateFile /home/ubuntu/zup.today/intermediate_bundle.crt
Hi, I received two files, a .cer and a .p7b. How can I get the .key and .crt from these files to install on my Apache server?
I need to set these, but I have only the .cer file:
SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile
When making a Wireshark trace to check whether my Let's Encrypt certificate is correctly offered by our server, I see that the same certificate is being sent twice in the TLS handshake at 'Server Hello Done'.
How can this occur? How do I correct it?
The certificate details are exactly the same both times:
Extra info requested:
I traced this with Wireshark by visiting an https page of my Apache web server (CentOS Linux release 7.4.1708 (Core)) with my Chrome browser on a Fedora 25 client.
VirtualHost config :
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
Don't know if it matters, but I also have a second VirtualHost with a different Let's Encrypt certificate:
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/letsencrypt/live/my2.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my2.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my2.domain.tld/fullchain.pem
The Problem
This is caused by the simultaneous configuration of SSLCertificateFile along with SSLCertificateChainFile.
From the mod_ssl documentation (Emphasis mine):
This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate.
But if you check your fullchain.pem, you'll see that it includes the server certificate at the top, followed by the Let's Encrypt issuing CA. Apache delivers the contents of SSLCertificateFile with the SSLCertificateChainFile concatenated after it. Since your server's certificate appears in both of them, it's duplicated in the final chain seen in the TLS handshake, just like you observed in Wireshark:
 vhost.conf                     Sent To Client
+---------------+            +------------------+
| cert.pem      |----------->|Server Certificate|
|               |            |        +         |
|       +       |      +---->|Server Certificate|
|               |      |     |        +         |
| fullchain.pem |------+---->| CA Certificate   |
+---------------+            +------------------+
The Fix
In modern Apache, don't use the SSLCertificateChainFile directive anymore; give fullchain.pem directly to SSLCertificateFile.
Again, from the mod_ssl documentation:
SSLCertificateChainFile is deprecated
SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.
So all you should need to do is change your vhost configuration from this:
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
To this:
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
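As an added example that is not part of the answer, the script below reproduces the duplication: it concatenates the files in the order mod_ssl sends them (SSLCertificateFile, then SSLCertificateChainFile), hashes each PEM certificate block, and counts blocks that appear more than once. The three files it writes are constructed stand-ins for cert.pem, chain.pem and fullchain.pem whose bodies are just base64 labels, not real certificates; the comparison works the same on real files, because equal PEM bodies mean equal DER.

```shell
#!/bin/sh
# Added example, not from the original answer. Shows what mod_ssl puts on the
# wire for a given SSLCertificateFile + SSLCertificateChainFile pair and counts
# duplicated certificates. The PEM bodies below are constructed placeholders
# (base64 of a label), not real certificates; only the block structure matters.

# One SHA-256 per PEM certificate block, in the order the files are given.
# Pass SSLCertificateFile first and SSLCertificateChainFile second, which is
# the order mod_ssl sends them. Equal base64 bodies mean equal DER.
chain_fingerprints() {
    cat "$@" | awk '
        /-----BEGIN CERTIFICATE-----/ { inblk = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { inblk = 0; print body; next }
        inblk                         { body = body $0 }
    ' | while IFS= read -r body; do
        printf '%s' "$body" | openssl dgst -sha256 | sed 's/.*= //'
    done
}

# Number of distinct certificates that would be sent more than once.
duplicate_count() {
    chain_fingerprints "$@" | sort | uniq -d | wc -l | tr -d ' '
}

# Total certificates on the wire for the given file list.
sent_count() {
    chain_fingerprints "$@" | wc -l | tr -d ' '
}

# Write constructed stand-ins for the Let's Encrypt files into directory $1.
make_fixture() {
    srv='-----BEGIN CERTIFICATE-----
U0VSVkVSLUNFUlQtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----'
    ca='-----BEGIN CERTIFICATE-----
SVNTVUlORy1DQS1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----'
    printf '%s\n' "$srv" >"$1/cert.pem"                # server certificate only
    printf '%s\n' "$ca" >"$1/chain.pem"                # issuing CA only
    printf '%s\n%s\n' "$srv" "$ca" >"$1/fullchain.pem" # server + issuing CA
}

D=$(mktemp -d)
make_fixture "$D"
# The questioner's config: cert.pem as SSLCertificateFile, fullchain.pem as chain.
echo "cert.pem + fullchain.pem: $(sent_count "$D/cert.pem" "$D/fullchain.pem") sent," \
     "$(duplicate_count "$D/cert.pem" "$D/fullchain.pem") duplicated"
# The fix: fullchain.pem alone in SSLCertificateFile.
echo "fullchain.pem alone     : $(sent_count "$D/fullchain.pem") sent," \
     "$(duplicate_count "$D/fullchain.pem") duplicated"
# The pre-2.4.8 layout: cert.pem plus chain.pem (intermediates only).
echo "cert.pem + chain.pem    : $(sent_count "$D/cert.pem" "$D/chain.pem") sent," \
     "$(duplicate_count "$D/cert.pem" "$D/chain.pem") duplicated"
```

On a live server the same two functions can be pointed at the real paths from the vhost, e.g. `duplicate_count /etc/letsencrypt/live/my.domain.tld/cert.pem /etc/letsencrypt/live/my.domain.tld/fullchain.pem`, which should print 1 for the original configuration and 0 after the fix.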
I have a server running a LAMP stack:
me@server:~$ sudo apachectl -v
Server version: Apache/2.4.10 (Debian)
me@server:~$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
...
On this server I have two domains, one with SSL and one without, and everything is currently hunky-dory.
I am trying to add SSL to the second site but requests to the second site fail with the issue:
[FIREFOX]
domain2.com uses an invalid security certificate.
The certificate is only valid for the following names: domain1.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN
[CHROME]
NET::ERR_CERT_COMMON_NAME_INVALID
Note 1: I have checked my version of Apache allows multiple SSL sites on the same server.
This leads me to believe that the SSL files being read when domain2.com is called are actually the files relating to domain1.com.
Curiously, if I disable domain1.com using sudo apache dissite domain1, SSL works just fine on https://domain2.com. This would indicate that SSL is installed correctly but the sites across the server are not all configured correctly.
The .conf files are below:
me@server:~$ cat /etc/apache2/sites-enabled/domain1
[...Port 80 config redacted...]
<VirtualHost *:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/domain1/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain1/key.txt
SSLCertificateChainFile /etc/apache2/ssl/domain1/intermediate.crt
ServerName domain1.com
ServerAlias www.domain1.com
<Directory /var/www/domain1>
[REDACTED]
</Directory>
[Logging information redacted]
</VirtualHost>
me@server:~$ cat /etc/apache2/sites-enabled/domain2
[...Port 80 config redacted...]
<VirtualHost *:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/domain2/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain2/key.txt
SSLCertificateChainFile /etc/apache2/ssl/domain2/intermediate.crt
ServerName domain2.com
ServerAlias www.domain2.com
<Directory /var/www/domain2>
[REDACTED]
</Directory>
[Logging information redacted]
</VirtualHost>
So it is clear both sites have the same configuration items applied, but relative to the specific SSL files on the server for that site. Note: the SSL bundles for each site are provided by the same vendor.
Further, the certificates should be correct:
me@server:/etc/apache2/ssl/domain1$ openssl x509 -in server.crt -noout -subject
subject= /CN=www.domain1.com
me@server:/etc/apache2/ssl/domain2$ openssl x509 -in server.crt -noout -subject
subject= /CN=www.domain2.com
From all of this, can someone please enlighten me as to why requests to domain2.com fail when domain1.com is enabled?
So yeah, doing the above was all fine and should work.
If it doesn't work, be sure to check the spelling of the ServerName fields, and not to work too late at night!
The main idea is that I want to upgrade my real web page to https, but it's in production and I want to make this upgrade on my local server first to be sure it's working properly, and after that move all changes to production. So I'm trying to create a local https website, but my browser, Google Chrome, gives me an error. I wrote these commands in my Linux terminal to create a self-signed certificate:
sudo openssl req -new -sha256 -out new.ssl.csr
sudo openssl rsa -in privkey.pem -out new.cert.key
sudo openssl x509 -in new.ssl.csr -out new.cert.cert -req -signkey new.cert.key -days 256
sudo cp new.cert.cert /etc/ssl/certs/server.crt
sudo cp new.cert.key /etc/ssl/private/server.key
And I changed my host configuration file like this:
<VirtualHost *:80>
ServerName localsite
DocumentRoot /var/www/localsite
ErrorLog ${APACHE_LOG_DIR}/localsite_error.log
CustomLog ${APACHE_LOG_DIR}/localsite_access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerAdmin asdasdasd@asd.asd
ServerName localsite.local
DocumentRoot /var/www/localsite
ErrorLog ${APACHE_LOG_DIR}/localsite_error.log
CustomLog ${APACHE_LOG_DIR}/localsite_access.log combined
SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
sudo service apache2 restart
And after that I exported the certificate from my file and imported it into Google Chrome, and I still get the ERR_CERT_AUTHORITY_INVALID error. What am I doing wrong?
I used this tutorial to create a self-signed certificate. It looks like what you did to create one.
I forgot to fill in the Common Name (e.g. server FQDN or YOUR name). You can leave all the other fields empty, but this one should be answered. In your example, it should be localsite.local.
After creating your certificate, upload it at chrome://settings/certificates and the padlock will turn green.
If you use a self-signed certificate, browsers will show an error like that.
So you should use a certificate signed by a known authority.
I have used Let's Encrypt.
For that, you should first purchase your own domain name for your site.
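The two-domain question and the local self-signed question above end the same way, with a certificate that does not name the host the browser asked for: in the first case because a ServerName and its certificate got out of step, in the second because a certificate issued from a bare CSR with `openssl x509 -req -signkey` carries no subjectAltName, and Chrome (since version 58) ignores the CN and requires a matching SAN, so filling in the Common Name is necessary but not sufficient. The script below is an added example, not code from either post: make_selfsigned issues a self-signed certificate with the hostname in the SAN, cert_covers_name checks a certificate against a hostname, and audit_vhost_names walks a VirtualHost config and reports each SSL vhost whose certificate does not cover its ServerName. The hostnames, the config file (which deliberately misspells domain2.com as domian2.com) and the temp paths are constructed for the demo; it assumes OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example, not from the original posts. Issues self-signed certificates
# with the hostname in the SAN and audits a VirtualHost config against the
# certificates it points at. Hostnames, config text and paths are constructed;
# assumes OpenSSL >= 1.1.1 (for -addext) on PATH.

# Self-signed certificate for hostname $1, written to $2/$1.crt and $2/$1.key.
# The name goes into subjectAltName because browsers ignore the CN.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
}

# 0 when certificate $1 covers hostname $2 via an exact DNS SAN entry or, as a
# legacy fallback, via the CN. Wildcard names are not handled.
cert_covers_name() {
    sans=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    case ",$sans," in
        *",DNS:$2,"*) return 0 ;;
    esac
    openssl x509 -in "$1" -noout -subject 2>/dev/null | grep -E -q "CN ?= ?$2(,|/| |$)"
}

# For each <VirtualHost> with an SSLCertificateFile, print "ok|MISMATCH ServerName cert".
audit_vhost_names() {
    awk '
        /<VirtualHost/                  { name = ""; cert = "" }
        $1 == "ServerName"              { name = $2 }
        $1 == "SSLCertificateFile"      { cert = $2 }
        /<\/VirtualHost>/ && cert != "" { print name, cert }
    ' "$1" | while read -r name cert; do
        if cert_covers_name "$cert" "$name"; then
            echo "ok       $name $cert"
        else
            echo "MISMATCH $name $cert"
        fi
    done
}

# Number of SSL vhosts whose certificate does not cover their ServerName.
vhost_mismatch_count() {
    audit_vhost_names "$1" | grep -c '^MISMATCH'
}

# Constructed config: the second vhost misspells its ServerName (domian2.com),
# the kind of late-night slip the answer above warns about.
write_demo_config() {
    cat >"$1/sites.conf" <<EOF
<VirtualHost *:443>
    ServerName domain1.com
    SSLEngine on
    SSLCertificateFile $1/domain1.com.crt
    SSLCertificateKeyFile $1/domain1.com.key
</VirtualHost>
<VirtualHost *:443>
    ServerName domian2.com
    SSLEngine on
    SSLCertificateFile $1/domain2.com.crt
    SSLCertificateKeyFile $1/domain2.com.key
</VirtualHost>
EOF
}

D=$(mktemp -d)
make_selfsigned domain1.com "$D"
make_selfsigned domain2.com "$D"
write_demo_config "$D"
audit_vhost_names "$D/sites.conf"
```

For the local-site case, `make_selfsigned localsite.local /etc/ssl/localsite` produces a certificate that Chrome will accept once it is imported as trusted; the audit can be run against /etc/apache2/sites-enabled/*.conf on a real server before restarting Apache.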
I want to set up https on my site:
<VirtualHost 1.2.3.4:443>
...
SSLEngine on
SSLCertificateFile /usr/local/ssl/www.blabla.com/public.crt
SSLCertificateKeyFile /usr/local/ssl/www.blabla.com/private.key
SSLCACertificateFile /usr/local/ssl/www.blabla.com/intermediate.crt
...
</VirtualHost>
I've bought a certificate and they provided me with: an SSL certificate code, a root certificate code and an intermediate certificate code. Which of these are the CertificateFile and the CertificateKeyFile?
SSLCertificateKeyFile would have been passed in as the key when you created the request -- it doesn't come from the CA.
SSLCertificateFile is the "ssl certificate code" you got from the CA.
SSLCACertificateFile is the "root certificate code" you got from the CA.
The "intermediate certificate code" from the CA should be identified by SSLCertificateChainFile