Installing SSL on apache2 - apache

I've obtained an SSL certificate from Comodo. I try to install it on an apache server using the following steps:
Upload to the directory /home/perica these files:
bedbids_com.crt
bedbids_com.key
bedbids_com.ca-bundle
Edit /etc/apache2/sites-available/default-ssl.conf with
SSLEngine on
SSLCertificateFile "/home/perica/bedbids_com.crt"
SSLCertificateKeyFile "/home/perica/bedbids.key"
SSLCertificateChainFile "/home/perica/bedbids_com.ca-bundle"
But at this point SSL is still not enabled. What am I missing?

Check that the ssl module is enabled with:
sudo a2enmod ssl
(assuming you use a Debian-based Linux distribution)
Then you should add to your configuration file something like:
NameVirtualHost [your IP address]:443
<VirtualHost [your IP address]:443>
ServerSignature On
SSLCertificateFile /path/to/the/certificate/from/your/certificate/company/apache.crt
SSLCertificateKeyFile /path/to/the/file/created/in/step/1.key [can be a .pem file too I think]
SSLCertificateChainFile /path/to/intermediate/cert.crt [optional, only if your certificate company provides you with one]
SSLEngine On
</VirtualHost>
You will find detailed instructions here:
http://wiki.vpslink.com/Enable_SSL_on_Apache2

Related

How to include SSL certificate files in Apache Server running using MAMP

I have created SSL certificate in order to use https instead of http for localhost. The instructions I followed are here: https://medium.freecodecamp.org/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec
I still have the last step which is to include the certificate files (server.crt and server.key) in server.
I tried to rely on the following configuration to make it work which I got from: How to install SSL certificate in apache server in ubuntu
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
# maybe additional config here
ServerName www.example.com
SSLEngine on
SSLCertificateFile "/path/to/www.example.com.cert"
SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>
I am currently using MAMP on a mac, and using Apache as server. I edited the file httpd.conf located in Applications/MAMP/conf/apache, and I added the following at the bottom of the file:
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
ServerName localhost:443
SSLEngine on
SSLCertificateFile "~/server.crt"
SSLCertificateKeyFile "~/server.key"
</VirtualHost>
Note my SSL files are located in ~ directory. I also updated the 8888 entries with 443 in this file, which are:
Listen 443
ServerName localhost:443
When I restarted the server, it fails to start again!
Here is a video providing the solution: https://www.youtube.com/watch?v=886Pea2ljm0&t=2s
IMPORTANT: If you get the following error when restarting the server from MAMP:
Apache couldn't be started. Please check your MAMP installation and
configuration.
Run the following command on terminal and it works:
sudo /Applications/MAMP/Library/bin/apachectl start
MAMP has an extra section for SSL in the settings for hosts. No need to edit the conf files.

SSL Certificate Issue with Multiple Domains on One Apache2 Server

I have a server running a LAMP stack:
me@server:~$ sudo apachectl -v
Server version: Apache/2.4.10 (Debian)
me@server:~$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
...
On this server I have two domains - one with SSL and one without SSL - and everything is currently hunky-dory.
I am trying to add SSL to the second site but requests to the second site fail with the issue:
[FIREFOX]
domain2.com uses an invalid security certificate.
The certificate is only valid for the following names: domain1.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN
[CHROME]
NET::ERR_CERT_COMMON_NAME_INVALID
Note 1: I have checked my version of Apache allows multiple SSL sites on the same server.
This leads me to believe that the SSL files being read when domain2.com is called are actually the files relating to domain1.com.
Curiously, if I disable domain1.com using sudo apache dissite domain1, the SSL works just fine on https://domain2.com. This would indicate that the SSL is installed correctly but the sites across the server are not all configured correctly.
The .conf files are below:
me@server:~$ cat /etc/apache2/sites-enabled/domain1
[...Port 80 config redacted...]
<VirtualHost *:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/domain1/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain1/key.txt
SSLCertificateChainFile /etc/apache2/ssl/domain1/intermediate.crt
ServerName domain1.com
ServerAlias www.domain1.com
<Directory /var/www/domain1>
[REDACTED]
</Directory>
[Logging information redacted]
</VirtualHost>
me@server:~$ cat /etc/apache2/sites-enabled/domain2
[...Port 80 config redacted...]
<VirtualHost *:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/domain2/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain2/key.txt
SSLCertificateChainFile /etc/apache2/ssl/domain2/intermediate.crt
ServerName domain2.com
ServerAlias www.domain2.com
<Directory /var/www/domain2>
[REDACTED]
</Directory>
[Logging information redacted]
</VirtualHost>
So it is clear both sites have the same configuration items applied but relative to the specific SSL files on the server for that site. Note, the SSL bundles for each site are provided from the same vendor.
Further, the certificates should be correct:
me@server:/etc/apache2/ssl/domain1$ openssl x509 -in server.crt -noout -subject
subject= /CN=www.domain1.com
me@server:/etc/apache2/ssl/domain2$ openssl x509 -in server.crt -noout -subject
subject= /CN=www.domain2.com
From all of this, please can someone enlighten me as to why requests to domain2.com fail when domain1.com is enabled?
So yeah.. doing the above was all fine and should work.
If it doesn't work, be sure to check the spelling of the ServerName fields and to not work too late at night!
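Added example (not part of the original posts): a simplified Python model of how Apache picks a name-based virtual host, showing why a misspelled ServerName lets the first `*:443` vhost's certificate answer for domain2.com, and why disabling domain1 hides the problem. The misspelling `domian2.com` and the helper names `parse_vhosts` and `served_cert` are constructed for illustration; ServerAlias wildcards are approximated with `fnmatch`.

```python
import fnmatch
import re

# Constructed sample: the two vhosts from the question, with ServerName in the
# second one deliberately misspelled (domian2.com) to reproduce the symptom.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName domain1.com
    ServerAlias www.domain1.com
    SSLCertificateFile /etc/apache2/ssl/domain1/server.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName domian2.com
    ServerAlias www.domain2.com
    SSLCertificateFile /etc/apache2/ssl/domain2/server.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(
    r"^\s*(ServerName|ServerAlias|SSLCertificateFile)\s+(.+?)\s*$", re.M | re.I)


def parse_vhosts(conf_text):
    """Return the vhosts in file order as dicts with addr, names and cert."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf_text):
        names, cert = [], None
        for key, value in DIRECTIVE_RE.findall(body):
            if key.lower() == "sslcertificatefile":
                cert = value.strip('"')
            else:
                names += value.lower().split()
        vhosts.append({"addr": addr.strip(), "names": names, "cert": cert})
    return vhosts


def served_cert(vhosts, host, addr="*:443"):
    """First vhost whose name matches wins; otherwise the first one listed."""
    candidates = [v for v in vhosts if v["addr"] == addr]
    for v in candidates:
        if any(fnmatch.fnmatchcase(host.lower(), n) for n in v["names"]):
            return v["cert"]
    return candidates[0]["cert"] if candidates else None


if __name__ == "__main__":
    for h in ("domain1.com", "www.domain2.com", "domain2.com"):
        print(h, "->", served_cert(parse_vhosts(SAMPLE_CONF), h))
```

On a live server, `apachectl -S` prints the vhost table Apache actually built, which is the quickest place to spot a misspelled name.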

SSL certificate for specific directories

So I've got a login script (domain.com/script/index.php) that I need protected with a self-signed certificate, but installing a cert with Apache will apply it to my whole domain. My domain is a personal website, and the last thing I would want is for someone to go through the hassle of having to jump through the hoops of having to 'trust' my self-signed certificate.
Right now I have Webmin running on my server, and it currently has its own self-signed without applying it to my root website directory. Is there any way to secure my script directory without applying it to my root directory?
I'm gonna assume this is php and apache:
Just add these lines to your vhost configs:
SSLEngine on
SSLCertificateFile {{SERVER CRT PATH}}
SSLCertificateKeyFile {{SERVER KEY PATH}}
Make sure SSL dll is on in the php.ini
and apply like so:
# Local Php site
<VirtualHost *:83>
ServerName localhost
DocumentRoot C:/xampp2/htdocs/scripts/php
<Directory C:/xampp2/htdocs/scripts/php>
AllowOverride All
Require all granted
</Directory>
SSLEngine on
SSLCertificateFile C:\xampp2\apache\conf\ssl.crt\server.crt
SSLCertificateKeyFile C:\xampp2\apache\conf\ssl.key\server.key
</VirtualHost>
Reference: http://robsnotebook.com/xampp-ssl-encrypt-passwords
restart apache then visit: https://localhost:83

(98)Address already in use: make_sock: could not bind to address [::]:443

What I am trying to do is direct my website on an Amazon EC2 Instance so that I am able to open on an HTTPS protocol. My site was running before but with a warning that it did not have a valid certificate, using this link example https://my.site.name.edu but now I get a "Webpage is not Available" prompt when I try to visit the site.
Please note that I have:
Installed Drupal for this testing site on a Linux server using Apache
My EC2 Instance attached to an Elastic IP
Used the steps in this guide: Creating, Uploading, and Deleting Server Certificates
Valid CA signed Apache certificates
An openssl-1.0.1f file installed in /home/ec2-user folder
Used this link to create the Virtual Host: http://ananthakrishnanravi.wordpress.com/2012/04/15/configuring-ssl-and-https-for-your-website-amazon-ec2/
Below is when the error occurred, while trying to solve the HTTPS access issue
I tried to change the ssl.conf file in this link to see if it would solve the problem: Setup an SSL certificate on an EC2 instance
I copied a new ssl.conf file, commented the old SSLCertificateKeyFile, SSLCertificateFile and SSLCertificateChainFile. I then pasted the copied, modified file into the directory after I coded the first four lines like this:
<VirtualHost 00.00.00.00:443>
SSLCertificateKeyFile /home/ec2-user/castestingapache/privatekey.pem
SSLCertificateFile /home/ec2-user/castestingapache/my_site_name_edu.pem
SSLCertificateChainFile /home/ec2-user/castestingapache/my_site_name_edu_interm.crt
But when I restarted Apache:
service httpd restart
I received this error message:
Stopping httpd: [FAILED]
Starting httpd: [Wed May 21 14:44:31 2014] [warn] module ssl_module is already loaded, skipping
(98)Address already in use: make_sock: could not bind to address [::]:443
[ OK ]
My httpd.conf is set up like this:
<VirtualHost 00.00.00.00:443> #Same as the IP in the ssl.conf#
ServerAdmin ec2-user@ec2-00-00-00-00.compute.amazonaws.com
DocumentRoot /var/www/html
ServerName https://my.site.name.edu
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
# ErrorLog logs/errorlogs
# CustomLog logs/custom
SSLCertificateFile /home/ec2-user/castestingapache/my_site_name_edu.pem
SSLCertificateKeyFile /home/ec2-user/castestingapache/privatekey.pem
SSLCertificateChainFile /home/ec2-user/castestingapache/my_site_name_edu_interm.crt
# SSLCACertificateFile /etc/httpd/conf/bundle.txt
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# CustomLog /usr/local/apache/logs/ssl_request_log \
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
EDIT: I tried reverting back to the old ssl.conf but when I try to restart Apache it gives me the same error. THIS PROBLEM HAS BEEN SOLVED: I had to delete one of the ssl.conf even though I had renamed it...
Update: I have added this line to the httpd.conf file:
NameVirtualHost 00.00.00.00:443
I believe the problem is that my certificates are not pointing to this IP address.
Update: I have just run the certificate installation checker test here http://ssltool.com/?action=sslCheckOpenSSL and this is what I got:
Note: IP 12-34-56-78 is my private IP address on my AWS EC2 Instance.
Any help is greatly appreciated.
Thanks,
Ugh.... the answer was in this link the whole time...
Setup an SSL certificate on an EC2 instance
This line in the ssl.conf:
<VirtualHost 00.000.000.00:443>
Had to be changed to:
<VirtualHost _default_:443>
Add the rest:
SSLCertificateKeyFile /etc/ssl/mydomain_com.key
SSLCertificateFile /etc/ssl/mydomain_com.crt
SSLCertificateChainFile /etc/ssl/mydomain_com.ca-bundle
</VirtualHost>
And voilà! Your HTTPS: link should work...
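Added example (not from the original posts): the `module ssl_module is already loaded` warning together with the bind failure on 443 is what two loaded copies of ssl.conf produce, since each one repeats `LoadModule` and `Listen 443`. This Python check finds such repeats across every file the main config includes; it assumes the main config contains `Include conf.d/*.conf` and that the renamed copy kept a `.conf` suffix, and all file names and contents below are constructed.

```python
import fnmatch
import re
from collections import defaultdict

# Constructed file set (paths relative to ServerRoot). ssl_old.conf stands in
# for a renamed copy that still matches the Include pattern; ssl.conf.bak
# shows a rename that takes the file out of the loaded set.
FILES = {
    "conf/httpd.conf": "Listen 80\nInclude conf.d/*.conf\n",
    "conf.d/ssl.conf": "LoadModule ssl_module modules/mod_ssl.so\nListen 443\n",
    "conf.d/ssl_old.conf": "LoadModule ssl_module modules/mod_ssl.so\nListen 443\n",
    "conf.d/ssl.conf.bak": "Listen 443\n",
}

INCLUDE_RE = re.compile(r"^\s*Include(?:Optional)?\s+(\S+)", re.M | re.I)
BIND_RE = re.compile(r"^\s*(Listen|LoadModule)\s+(\S+)", re.M | re.I)


def loaded_files(files, main="conf/httpd.conf"):
    """Main config plus every file matched by its Include patterns."""
    loaded = [main]
    for pattern in INCLUDE_RE.findall(files[main]):
        # Wildcard includes are processed in alphabetical order.
        loaded += sorted(f for f in files if fnmatch.fnmatchcase(f, pattern))
    return loaded


def duplicate_directives(files, main="conf/httpd.conf"):
    """Map each repeated Listen/LoadModule directive to the files declaring it."""
    seen = defaultdict(list)
    for name in loaded_files(files, main):
        for kind, arg in BIND_RE.findall(files[name]):
            # Exact-argument comparison only: "Listen 443" twice is a clash.
            seen[f"{kind} {arg}"].append(name)
    return {d: where for d, where in seen.items() if len(where) > 1}


if __name__ == "__main__":
    for directive, where in duplicate_directives(FILES).items():
        print(f"{directive!r} declared in: {', '.join(where)}")
```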

Untrusted certificate - Apache & StartSSL

Trying to set up SSL on Apache (on AWS Linux). Firefox gives me these details in its nastygram:
The certificate is not trusted because it is self-signed.
The certificate is only valid for ip-###-##-#-##
I'm currently working under the assumption that this is a problem with the ChainFile or CA cert - quite possibly because I don't have the correct info in httpd.conf. Can you comment on the code below or let me know where else to look for the error?
httpd.conf:
<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName https://###-##-#-##
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /home/ec2-user/StartSSLcert.pem
SSLCertificateKeyFile /home/ec2-user/StartSSLkey.pem
SSLCertificateChainFile /home/ec2-user/sub.class1.server.sha1.ca.pem
SSLCACertificateFile /home/ec2-user/ca.pem
</VirtualHost>
This page has been my primary reference: http://www.startssl.com/?app=21 However, it includes many lines of code not in other examples I've found online with no description of what they do.
I've been guess-and-checking between the example above and a simpler example like: http://www.sslshopper.com/apache-server-ssl-installation-instructions.html
Everything I try is either untrusted by Firefox or I get errors when restarting apache. Ideas?
By default, the SSL settings in:
/etc/httpd/conf.d/ssl.conf
override the corresponding block in:
/etc/httpd/conf/httpd.conf
When using AWS you need to edit ssl.conf
"The certificate is only valid for ip-###-##-#-##"
credit due here:
Cannot setup SSL keys on my apache server in AWS EC2
If your server has more than one IP address, replace the * with IP address inside""
See: http://httpd.apache.org/docs/2.4/mod/core.html#virtualhost
What's more, make sure you create your private key, CSR correctly.
See: https://library.linode.com/security/ssl-certificates/commercial#sph_create-a-certificate-signing-request