dynamically support multiple SSL sites for one IP address - apache

For a web application running on Tomcat, to support multiple SSL sites on one IP address, I would like to add Apache in front of Tomcat.
Is it possible for a user to upload their own SSL certificate and configure it dynamically without a server restart?
<VirtualHost *:443>
DocumentRoot
ServerName
SSLCertificateFile
SSLCertificateKeyFile
SSLCACertificateFile
SSLEngine on
</VirtualHost>
For Apache, the SSL configuration above needs to be added to the Apache conf file,
and that requires a server restart. A server restart is not acceptable because there will be many users on the same server. Any solution?
Thanks for help.

Related

Apache HTTP VM Behind HTTPS Lets Encrypt

I've read a lot of questions and answers which seem exactly the same as mine, but I can't seem to get my setup to work. I have a VM running Apache with only HTTP support at 192.168.2.101:32773. I can access it on my local network as such just fine. I am now ready to expose it through my Apache web server that has Let's Encrypt set up to generate SSL certificates. So I added this to my server conf file:
<VirtualHost *:32773>
ServerName server.com
SSLEngine on
SSLProxyEngine On
SSLCertificateFile /etc/letsencrypt/live/server.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server.com/privkey.pem
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://192.168.2.101:32773/
ProxyPassReverse / http://192.168.2.101:32773/
</VirtualHost>
However, I get an ERR_SSL_PROTOCOL_ERROR when I try to load it up as https://server.com:32773. If I however change my address to http://server.com:32773, it loads just fine. Anything look wrong in this snippet? Thanks!
HTTP and HTTPS need to be on different ports. Typically HTTPS is served on port 443.
This is embarrassing... At some point I changed my port forward rules to point 32773 directly to 192.168.2.101 so I could validate that the rules were working at all. The above config worked as soon as I realized I wasn't even sending traffic to my Apache SSL enabled server.

CentOS HTTPD SSL 404 error

I have a clean install of Linux CentOS on VMWare. Ports 80 and 443 are open in my router. To limit the possible issues, I have temporarily disabled SELinux, and I have stopped the iptables service.
I have followed the directions in the article on setting up an SSL secured Webserver with CentOS: https://wiki.centos.org/HowTos/Https.
Following are the only changes I have made to the default ssl.conf file:
Changed ServerName to my server name
Revised SSLCertificateFile with the name of my .crt file
Revised SSLCertificateKeyFile with the name of my .key file
<VirtualHost _default_:443>
ServerName www.example.com
SSLCertificateFile /etc/pki/tls/certs/example.crt
SSLCertificateKeyFile /etc/pki/tls/private/example.key
</VirtualHost>
Using any computer in my LAN, I am able to get both HTTP(80) and HTTPS(443) Web pages from my HTTPD Web server. When using a computer on a different network, I can get HTTP(80) pages. However, HTTPS(443) pages produce "error 404 the requested resource is not found."
Getting an HTTP(80) page using a computer in a different network, I see connections in this log:
/var/log/httpd/access_log
Requesting an HTTPS(443) page using a computer in a different network, these logs do not contain any new events:
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/httpd/ssl_request_log
/var/log/httpd/ssl_access_log
A Wireshark capture on the client does not show any relevant HTTP(80), HTTPS(443) or SSL packets.
Since the logs are not showing events when requesting HTTPS(443) Web pages, and Wireshark is also not capturing packets, I am not certain where to turn next to diagnose this issue. If there are any tips or suggestions on a way to diagnose the issue, I would definitely be appreciative.
I was able to solve this issue. The directions in this article provided the fix: https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-httpd-secure-server.html.
Originally, my ssl.conf file did not have www or .com in the domain name, like this:
<VirtualHost _default_:443>
ServerName www.example.com
SSLCertificateFile /etc/pki/tls/certs/example.crt
SSLCertificateKeyFile /etc/pki/tls/private/example.key
</VirtualHost>
I noticed in the CentOS documentation that www and .com were being used. I created a new certificate and private key, and then updated the ssl.conf file.
<VirtualHost _default_:443>
ServerName www.example.com
SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
</VirtualHost>
Now I am no longer getting error 404 when requesting the Web page on a remote network. This taught me that there are specific requirements in the format of the certificate, private key, and ssl.conf file.

Configuration https on lamp web server ec2 aws with let's encrypt

I have a problem: yesterday I created a certificate with Let's Encrypt on my EC2 instance. Now I want to use it on my site, but I don't know how to proceed. Do you have any suggestions?
I tried to do this but had no results:
https://www.paulwakeford.info/2015/11/24/letsencrypt/
Then, after using the webroot plugin of Let's Encrypt, I installed mod_ssl.so on my instance, edited my security group to enable HTTPS on port 443, and then modified my httpd.conf like this:
<VirtualHost *:443>
DocumentRoot /var/www/my-domain
ServerName my-domain.com
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/my-domain/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/my-domain/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/my-domain/chain.pem"
<Directory /var/www/my-domain>
AllowOverride All
</Directory>
</VirtualHost>
Do you have any suggestions?
The tutorial you pointed to applies the SSL certificate to a CloudFront distribution, a CDN. Are you using CloudFront? If you are, you need to set the certificate on the distribution (and maybe on the Apache server too); otherwise, on the Apache server.
Try looking into:
Enabling SSL on apache instance on EC2
and
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-an-instance.html
For the latter, skip the "getting a certificate" part, as you already have one issued by Let's Encrypt.

Not able to set up HTTPS site on port 443: RSA server certificate CommonName (CN) does not match server name in SSL error log

I am using WAMP 2.0 with Apache 2.2.11 on Windows Server 2008 R2. I am setting up only one domain on this WAMP server.
I have converted the .pfx file and extracted the .crt and .key files using OpenSSL.
In conf/extra/httpd-ssl.conf, I have made the following changes:
SSLEngine on
<VirtualHost 162.62.90.11:443>
ServerAdmin webadmin#oursite.com
DocumentRoot "D:/webpages"
ServerName www.oursite.com
ErrorLog "logs/SSLerror.log"
CustomLog "logs/SSLaccess.log" common
</VirtualHost>
SSLCertificateFile "c:/wamp/bin/apache/apache2.2.11/conf/server.crt"
SSLCertificateKeyFile "c:/wamp/bin/apache/apache2.2.11/conf/server.key"
I checked in the command prompt with httpd -t and I get Syntax OK.
But when I open the site with the https prefix it does not open. The error log shows that the RSA certificate common name does not match the server name.
I tried replacing the IP address in the VirtualHost with the server name from the certificate and the one from the error log. Still it does not work.
It seems I'm missing something. Please help me rectify this.
Thanks
Did you open port 443? For example,
<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>
When I redid the whole thing, I found the HTTPS site was accessible from the same web server with the https prefix.
I checked through telnet whether I could connect from another domain PC,
but couldn't connect.
The firewall was blocking inbound connections on port 443. I added an exception and it is working fine.
Relieved now
Thanks to all who took time to respond and guide.

Apache SNI: multiple SSL certificates on one IP address

Today I'm trying to configure Apache to run two domains each with their own SSL certificate. From what I have read this is supported by SNI as long as my Apache is configured with a recent version of OpenSSL. I verified that it is:
[notice] Apache/2.2.22 (Ubuntu) PHP/5.3.10-1ubuntu3.7 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/1.0.1 configured -- resuming normal operations
I thought I had successfully set up the second domain and certificate, but when I try to visit the second domain in chrome I get the following error:
You attempted to reach example2.com, but instead you actually reached a server identifying itself as example1.com.
This post seems closest to my issue:
hosting multiple SSL certs on apache
But from what I can tell my server is already configured correctly (clearly it is not!).
I have the following directives in my conf file for example2.com
ServerName example2.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/example2.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example2.com.key
It looks right to me. So why is Apache serving example1's cert when I visit example2?
Turns out domain 1 was configured as
<VirtualHost *:443>
I use webmin, which only reveals that detail when you view the directive directly.
Changing * was part of the solution but introduced some other problems. I think I will punt and do IP-based SSL.
I added this to ports.conf (Apache/2.2.22):
NameVirtualHost *:443
You can read the details in this post.
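As an added example (my own code, not from any of the posts in this thread), here is a small Python lint for Apache 2.2-style VirtualHost blocks. It flags the overlap described above: several blocks bound to the same address:port with no matching NameVirtualHost, which makes Apache 2.2 serve the first block, and therefore its certificate, for every name. It also checks that each SSL block carries SSLEngine on, a certificate, a key and a ServerName, since SNI can only select a block by ServerName. The sample configurations are constructed from the example1.com/example2.com directives in the question; the function names are my own.

```python
import re
from collections import defaultdict

# One <VirtualHost addr> ... </VirtualHost> block; the body may span lines.
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
# NameVirtualHost directives (needed on Apache 2.2, a no-op on 2.4).
NVH_RE = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.I | re.M)


def parse_config(text):
    """Return (name_vhost_addrs, vhosts).

    name_vhost_addrs: addresses given to NameVirtualHost, lower-cased.
    vhosts: list of (address, directives) in file order; directives maps the
    lower-cased directive name to its value. Nested sections such as
    <Directory> are skipped, which is enough for the SSL directives checked here.
    """
    name_vhost_addrs = {m.group(1).lower() for m in NVH_RE.finditer(text)}
    vhosts = []
    for m in VHOST_RE.finditer(text):
        directives, depth = {}, 0
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("</"):
                depth -= 1
                continue
            if line.startswith("<"):
                depth += 1
                continue
            if depth:  # inside <Directory>, <Location>, ...
                continue
            parts = line.split(None, 1)
            directives[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
        vhosts.append((m.group(1).strip().lower(), directives))
    return name_vhost_addrs, vhosts


def lint(text):
    """Return a list of human-readable findings; an empty list means clean."""
    name_vhost_addrs, vhosts = parse_config(text)
    findings, by_addr = [], defaultdict(list)
    for idx, (addr, d) in enumerate(vhosts, 1):
        by_addr[addr].append(idx)
        if d.get("sslengine", "").lower() != "on":
            if addr.endswith(":443"):
                findings.append(f"vhost {idx} ({addr}): bound to 443 but SSLEngine on is not set in the block")
            continue
        for needed in ("sslcertificatefile", "sslcertificatekeyfile"):
            if needed not in d:
                findings.append(f"vhost {idx} ({addr}): SSLEngine on but no {needed}")
        if "servername" not in d:
            findings.append(f"vhost {idx} ({addr}): no ServerName, so SNI cannot select this block")
    for addr, ids in by_addr.items():
        if len(ids) > 1 and addr not in name_vhost_addrs:
            findings.append(
                f"{addr}: blocks {ids} share this address without NameVirtualHost {addr}; "
                "Apache 2.2 serves the first block (and its certificate) for every name")
    return findings


# Constructed sample: the situation in the question, two name-only blocks on *:443.
SAMPLE_WITHOUT_NVH = """
<VirtualHost *:443>
    ServerName example1.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/example1.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example1.com.key
</VirtualHost>
<VirtualHost *:443>
    ServerName example2.com
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/example2.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example2.com.key
</VirtualHost>
"""

# The same config with the ports.conf line from the answer above prepended.
SAMPLE_WITH_NVH = "NameVirtualHost *:443\n" + SAMPLE_WITHOUT_NVH

if __name__ == "__main__":
    for label, cfg in (("without NameVirtualHost", SAMPLE_WITHOUT_NVH),
                       ("with NameVirtualHost", SAMPLE_WITH_NVH)):
        print(label, "->", lint(cfg) or "clean")
```

Run it against a real conf to see the findings; on Apache 2.4 the NameVirtualHost check is moot, because 2.4 treats every address as name-based, but the SSLEngine/certificate/ServerName checks still apply.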
It's not possible to have multiple SSL domains on the same IP address.
Context
When a client contacts an HTTPS web site, all communication is encrypted with the site's public key (SSL certificate). Only the private key associated with the public key can decrypt the HTTP request. Basically, that's how HTTPS works.
That's why, in your virtual host, you define the certificate and the key for each SSL web site:
SSLCertificateFile /etc/apache2/ssl/example2.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example2.com.key
Name-based VirtualHost and SSL
When you use name-based VirtualHosts, when Apache receives a client request the server reads the request and looks at which domain name is requested. Once the domain name is identified, Apache reads the VirtualHost instructions and returns the right web site.
When Apache receives an SSL request, the system can't decrypt the message because Apache needs to use the SSLCertificateKeyFile defined in the VirtualHost, but to know which VirtualHost to use it needs to be able to decrypt the message...
Because Apache doesn't know how to process your request, the system returns the first VirtualHost processed.
That's why you need to use IP-based VirtualHosts, which is what is used in the example:
hosting multiple SSL certs on apache
You have 2 IPs, 1.1.1.1 and 2.2.2.2:
NameVirtualHost 1.1.1.1:443
NameVirtualHost 2.2.2.2:443
<VirtualHost 1.1.1.1:443>
ServerName www.domain1.com
...
...
</VirtualHost>
<VirtualHost 2.2.2.2:443>
ServerName www.domain2.com
...
...
</VirtualHost>
Name-based VirtualHost and SSL wildcard certificate
If the private key AND the public key (SSL certificate) are the same for all domains, Apache will be able to decrypt the communication. This situation happens only when you use a wildcard certificate for a domain. For example, if you have a wildcard for *.domain.com you can define name-based VirtualHosts like this:
NameVirtualHost 1.1.1.1:443
<VirtualHost 1.1.1.1:443>
ServerName foo.domain.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/wildcard.domain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/wildcard.domain.com.key
...
...
</VirtualHost>
<VirtualHost 1.1.1.1:443>
ServerName bar.domain.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/wildcard.domain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/wildcard.domain.com.key
...
...
</VirtualHost>
This configuration will work because, whatever the domain, Apache uses the same private key to decrypt the communication, so the system will be able to select the right VirtualHost setting.
Have a nice day.
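Added example (my own code, not from either thread). `cert_covers` applies the hostname-matching rule behind the "RSA server certificate CommonName (CN) does not match server name" warning from the WAMP question and behind the wildcard case in the answer above: a name must match exactly, a `*.` wildcard covers exactly one DNS label, and when the certificate has DNS subjectAltName entries those, not the CN, are what gets compared. `presented_cert_names` opens a TLS connection with a chosen SNI name and reports which names the returned certificate carries, so you can confirm from outside which VirtualHost a given name actually reaches. Function names and the sample names are mine; the probe needs network access and a chain the local trust store accepts.

```python
import socket
import ssl


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a leading '*.' covers
    exactly one label, so *.domain.com matches foo.domain.com but neither
    domain.com nor a.b.domain.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname


def cert_covers(server_name, common_name, sans=()):
    """True if a certificate with this CN and these DNS SANs is valid for
    server_name. Browsers and OpenSSL's host check use the SANs when any are
    present and fall back to the CN only when there are none."""
    names = list(sans) or [common_name]
    return any(name_matches(n, server_name) for n in names)


def presented_cert_names(host, port=443, sni_name=None, timeout=5):
    """Connect with the given SNI name and return (common_names, dns_sans) of
    the certificate the server presented. Chain verification stays on (the call
    raises for an untrusted or self-signed chain) but hostname checking is off,
    because the point is to see what was served, not to trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name or host) as tls:
            cert = tls.getpeercert()
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cns, sans


if __name__ == "__main__":
    # Constructed cases mirroring the threads above.
    print(cert_covers("www.example.com", "example.com"))          # False: CN lacks www
    print(cert_covers("foo.domain.com", "*.domain.com"))          # True: wildcard, one label
    print(cert_covers("a.b.domain.com", "*.domain.com"))          # False: two labels
    print(cert_covers("www.oursite.com", "www.oursite.com",
                      sans=["oursite.com"]))                      # False: SAN wins over CN
    # Live check, e.g. presented_cert_names("example2.com"), then compare the
    # returned names with cert_covers() against the ServerName you expected.
```

If the live probe returns example1.com's names when you asked for example2.com, the client sent SNI but the server picked the wrong block, which is the symptom of the overlapping `*:443` blocks in the question rather than of a bad certificate.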