Start Apache without Virtual Host's SSL certificate file - apache

I have Apache 2.4.10 with name based SSL (SNI) virtual hosting.
Virtual users can use their own certificate and upload it to server.
Everything works fine until there is some error with certificate file (i.e. file is missing or with wrong name).
Problem is Apache will not start if there is some certificate problem.
Is there some solution how to start Apache with this error (i.e. all vhosts will start except that one virtual host with failure)?
This does not work:
<If "-f /path/to/file.crt">
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /path/to/file.crt
</VirtualHost>
</If>
...and this also does not work:
<VirtualHost *:443>
<If "-f /path/to/file.crt">
SSLEngine On
SSLCertificateFile /path/to/file.crt
</If>
</VirtualHost>
Many thanks.

Related

Using certbot to authenticate domain

My domain is advice.com. I'm running Apache webserver on Ubuntu 20.04 LTS. I've configured domain name as per this link:
Within my internet, I can access domain name www.advice.com which is mapped as 192.168.0.xxx
As per this tutorial https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-20-04, a self-signed certificate was generated for the domain. However, it shows a "not secure" warning. I want to fetch certificates using certbot. When I ran this command: `sudo certbot --apache`
it produced the following output:
http-01 challenge for www.advice.com Cleaning up challenges Some challenges have failed.
IMPORTANT NOTES. - The following errors were reported by the server:
Domain: www.advice.com
Type: unauthorized
Detail: Invalid response from http://www.advice.com/.well-known/acme-challenge/_fasLpkG_oxH7gK3K78GEG1L6x9TFRlGpm__5QiIWr4[3.33.152.147]: 404
To fix these errors, please makes sure that your domain name was entered correctly and the DNS A/AAA record(s) for that domain contain(s)the right IP address.
Looking into the solutions for this error, I also added acme-challenge directory in configuration file. I can access this file http://advice.com/.well-known/acme-challenge/test-file-1234
Here is the configuration of server:
ServerName advice.com
ServerAlias www.advice.com
DocumentRoot /var/www/advice.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName advice.com
ServerAlias www.advice.com
DocumentRoot /var/www/advice.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Redirect / https://advice.com/
DocumentRoot /var/www/advice.com/.well-known/acme-challenge
<Location "/.well-known/acme-challenge/">
#do nothing special for challenges / ignore bad requests
RedirectMatch 403 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Location>
<Location "/">
#redirect all other requests to HTTPS
Redirect permanent "/" https://%{HOST}/$1
</Location>
</VirtualHost>
Is it something related to configuration file? I just want to assign domain name to ubuntu server and make it secure for further work.
Please make sure that you correctly added the A record pointing to your host IP address, and if the error still exists, delete the AAAA record and just keep the A record.

Apache conf VirtualHost ignored

I'm running apache on a CentOS 7.
I have 2 config files in /etc/httpd/conf.d :
A10-my_site_dev.conf
A10-my_site_test.conf
As they are similar, I show you only one of the files :
<VirtualHost *:443>
ErrorLog "logs/my_site_test.log"
SSLCertificateFile /etc/ssl/host/host.crt
SSLCertificateKeyFile /etc/ssl/host/host.key
Alias /my-site/test/static /var/www/my_site_test/static/
<Directory /var/www/my_site_test/static>
Require all granted
</Directory>
WSGIScriptAlias /my-site/test /var/www/my_site_test/app/wsgi.py
<Directory /var/www/my_site_test>
Require all granted
</Directory>
</VirtualHost>
Currently, VirtualHost in A10-my_site_test.conf is ignored. If I go to https://my-server.com/my-site/test, I've got a 404, but https://my-server.com/my-site/dev is working fine.
If I remove A10-my_site_dev.conf and restart apache, https://my-server.com/my-site/test works.
I understood that it takes only the first VirtualHost apache finds.
I have the feeling that the VirtualHost in my ssl.conf is ignored too because, if I move SSLCertificateFile and SSLCertificateKeyFile to ssl.conf, I have the following error:
I tried not to use VirtualHost, and everything works fine in that case. I think all VirtualHost are ignored except the first.
I've got the same problem with other ports (like 80).
Another point : I read that I should have a ServerName. But I have the same ServerName for all my environments. I tried to put something random such as "my_site_test" as ServerName, but I've got a 404.
How could I configure apache to make my 2 files work ?
This is not how VirtualHosts work. Especially with SSL.
So you have:
<VirtualHost *:443>
CONFIGURATION FOR DEV
</VirtualHost>
<VirtualHost *:443>
CONFIGURATION FOR TEST
</VirtualHost>
The only difference between both VirtualHosts is the logs and directory? That will not work.
Apache can distinguish between VirtualHost sections based on:
IP associated to the domain
Port
ServerName (for non-SSL configurations)
The way you configured it right now, Apache cannot distinguish between both VirtualHosts. So it takes the first one it finds. That explains the mix up with certificates.
Ex of a working configuration
# www.example1.com == 1.1.1.1
# www.example2.com == 2.2.2.2
<VirtualHost 1.1.1.1:443>
ServerName www.example1.com
# SSL CONFIG
# LOGS CONFIG
# OTHER CONFIGURATION
</VirtualHost>
<VirtualHost 2.2.2.2:443>
ServerName www.example2.com
# SSL CONFIG
# LOGS CONFIG
# OTHER CONFIGURATION
</VirtualHost>
Read the documentation (again?), it will do you good: https://httpd.apache.org/docs/2.4/vhosts/examples.html
There are posts on this site explaining the finer points of SSL VirtualHosts configuration (I even wrote some myself).

One Multisite SSL on Two virtual hosts (Apache2 on Ubuntu 16.04)

I have one SSL certificate from GoDaddy (Standard UCC SSL Certificate for up to 5 sub/domains) and two virtual hosts configuration on Apache2.
I can install the SSL certificate on each of them separately and they work fine until I add the second one.
When the second HTTPS config is added (...), I get weird redirects from one.abc.com to two.abc or vice versa.
I am using the same certificate files for both configs, because it is the same Multisite SSL certificate.
F.ex.:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName www.abc.com
DocumentRoot /var/www/htdocs
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/abc.crt
SSLCertificateKeyFile /etc/apache2/ssl/abc.key
SSLCertificateChainFile /etc/apache2/ssl/abc_bundle.crt
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName subd2.abc.com
DocumentRoot /var/www/test2
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/abc.crt
SSLCertificateKeyFile /etc/apache2/ssl/abc.key
SSLCertificateChainFile /etc/apache2/ssl/abc_bundle.crt
</VirtualHost>
</IfModule>
What am I doing wrong?
This:
Now - I understand that because SSL wraps around the HTTP request,
there's no way to know which host is being requested until a public
key has been sent to the client first. This essentially breaks the
possibility of SSL virtual hosts using a standard SSL certificate.
from
https://serverfault.com/questions/113076/apache-ssl-virtualhosts-on-a-single-ip-using-ucc-san-certificate
This led me to the idea that the problem is simply that, in the case of abc.com, the server does not know which HTTPS config (www.abc.com or subd2.abc.com) to take and simply takes the first one. Tests confirmed that.
From that comes a second question / conclusion: do I have a configuration for the domain abc.com? I do not; I just have it defined as a ServerAlias in the www.abc.com config.
When I removed it from ServerAlias and created a configuration for abc.com with a redirect, everything stayed in its place.
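The "first VirtualHost wins" behaviour described in the two threads above, as an added Python example (not code from either post): it picks a vhost the way name-based matching does and lists vhosts that can never be selected. Assumptions: vhosts are grouped by their literal address string, a vhost without ServerName is given the placeholder name IMPLICIT, and both sample configurations are constructed.

```python
import fnmatch
import re

IMPLICIT = "<system-hostname>"  # placeholder for the name httpd derives when ServerName is absent
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return the vhosts in file order as dicts with addr, names and docroot."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        vh = {"addr": addr.strip(), "names": [], "docroot": None}
        for line in body.splitlines():
            parts = line.split()
            if len(parts) < 2:
                continue
            key = parts[0].lower()
            if key in ("servername", "serveralias"):
                vh["names"] += [p.lower() for p in parts[1:]]
            elif key == "documentroot":
                vh["docroot"] = parts[1]
        vh["names"] = vh["names"] or [IMPLICIT]
        vhosts.append(vh)
    return vhosts

def claims(vh, host):
    """True if host matches the vhost's ServerName or a (possibly wildcard) ServerAlias."""
    return any(fnmatch.fnmatchcase(host, pat) for pat in vh["names"])

def select_vhost(vhosts, addr, host):
    """First vhost on addr that claims host; otherwise the first vhost on addr (the default)."""
    same = [v for v in vhosts if v["addr"] == addr]
    return next((v for v in same if claims(v, host.lower())), same[0] if same else None)

def shadowed(vhosts):
    """Vhosts that are not first on their address and whose every name is claimed earlier."""
    out = []
    for i, vh in enumerate(vhosts):
        earlier = [v for v in vhosts[:i] if v["addr"] == vh["addr"]]
        if earlier and all(any(claims(e, n) for e in earlier) for n in vh["names"]):
            out.append(vh)
    return out

# Constructed samples modelled on the two threads (not the posters' real files).
TWO_UNNAMED = ("<VirtualHost *:443>\nDocumentRoot /var/www/my_site_dev\n</VirtualHost>\n"
               "<VirtualHost *:443>\nDocumentRoot /var/www/my_site_test\n</VirtualHost>\n")
TWO_NAMED = ("<VirtualHost *:443>\nServerName www.abc.com\nDocumentRoot /var/www/htdocs\n</VirtualHost>\n"
             "<VirtualHost *:443>\nServerName subd2.abc.com\nDocumentRoot /var/www/test2\n</VirtualHost>\n")
```

With TWO_UNNAMED the second vhost is reported as shadowed; with TWO_NAMED a request for abc.com, which neither vhost lists, is served by the first one.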

Apache HTTPS redirection certificate error

We have two domains (gis4business.co.uk and gis4business.com) that point to the same website hosted using apache. We are using SSL for the entire site and have a wildcard SSL certificate for *.gis4business.co.uk.
The default apache conf file (000-default.conf) has a single virtual host configured to redirect from http to https as follows:
<VirtualHost *:80>
...
Redirect permanent "/" "https://www.gis4business.co.uk/"
</VirtualHost>
Then we have a default SSL config file (default-ssl.conf) that has a single virtual host configured as follows:
<VirtualHost _default_:443>
ServerName gis4business.co.uk
ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
...
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.key
SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>
This configuration is working as expected for the following urls:
http://www.gis4business.co.uk
http://www.gis4business.com
https://www.gis4business.co.uk
However, the url https://www.gis4business.com results in a certificate warning (SSL_ERROR_BAD_CERT_DOMAIN in firefox and ERR_CERT_COMMON_NAME_INVALID in chrome).
It's obviously complaining about the SSL certificate not matching the domain (gis4business.com), so I assume we need an HTTPS redirect from gis4business.com to gis4business.co.uk. We have experimented with various configurations and haven't managed to get a redirect working.
We have tried:
1) Adding another virtual host (*:443) to the top of the 000-default.conf file as follows:
<VirtualHost *:443>
ServerName gis4business.co.uk
ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
Redirect permanent "/" "https://www.gis4business.co.uk/"
...
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.key
SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>
2) Adding another virtual host (default:443) to the top of the default-ssl.conf file as follows:
<VirtualHost _default_:443>
ServerName gis4business.co.uk
ServerAlias *.gis4business.co.uk www.gis4business.co.uk *gis4business.com www.gis4business.com gis4business.com
Redirect permanent "/" "https://www.gis4business.co.uk/"
...
SSLEngine on
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/privatekey.key
SSLCertificateChainFile /etc/ssl/certs/ca_certificate.crt
</VirtualHost>
If redirection of https from one domain to another is possible without certificate errors, then what is the correct configuration to make it work?
Let's see how the redirect directive works
The Redirect directive maps an old URL into a new one by asking the client to refetch the resource at the new location.
The first request is processed by apache generating a 30x response to automatically redirect browser to the new URL
browser                              SERVER      SSL cert
https://www.gis4business.com     --> redirect    *.gis4business.co.uk
302-redirect                     <--
https://www.gis4business.co.uk/  --> process     *.gis4business.co.uk
The first request is served from https://www.gis4business.com using a certificate issued to *.gis4business.co.uk, so it is consequently considered invalid.
To fix it you need to use a certificate issued to www.gis4business.com or *.gis4business.com. Define a new virtual host or request a new certificate with both hostnames.
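The sequence in the answer above, as an added Python example (not part of the original answer): each HTTPS hop is checked against the certificate names before its redirect can be read, so the chain stops at the first host the certificate does not cover. Assumptions: the certificate carries only the names passed in, wildcards follow the usual "one left-most label" rule, and the redirect map is a constructed stand-in for the Redirect directive.

```python
def name_matches(host, pattern):
    """Certificate name match: '*' may stand only for the whole left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    head, _, rest = host.partition(".")
    return bool(head) and rest == pattern[2:]

def cert_covers(host, cert_names):
    """True if any name in the certificate matches the requested host."""
    return any(name_matches(host, name) for name in cert_names)

def follow(start_host, redirects, cert_names):
    """Walk an HTTPS redirect chain.

    Returns (hosts contacted, host that fails certificate validation or None).
    The TLS handshake for a hop is validated before that hop's 30x response
    is read, so a mismatch ends the chain at that hop.
    """
    contacted, host = [], start_host
    while host is not None and host not in contacted:
        contacted.append(host)
        if not cert_covers(host, cert_names):
            return contacted, host
        host = redirects.get(host)
    return contacted, None

# Constructed inputs using the hostnames from the question.
REDIRECTS = {"www.gis4business.com": "www.gis4business.co.uk"}
WILDCARD_ONLY = ["*.gis4business.co.uk"]
BOTH_NAMES = ["*.gis4business.co.uk", "www.gis4business.com"]

if __name__ == "__main__":
    print(follow("www.gis4business.com", REDIRECTS, WILDCARD_ONLY))
    print(follow("www.gis4business.com", REDIRECTS, BOTH_NAMES))
```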

Debian 8 - SSL Certificate is not working

I have recently moved a website from my old web server with 123-reg.co.uk to a new Linode web server hosted with Linode.
I am running Apache with Debian 8.9.
123-reg provided me with an SSL certificate for my website which, of course, was deactivated when I moved the website to the new server. So I set to work manually reactivating the certificate on my new server.
I was able to get the necessary SSL files (CA Bundle, Key and Certificate) from 123-reg and I followed Linode's instructions to setup the SSL certificate on their servers using the following tutorials:
First tutorial and
second tutorial.
Here is the site's config file:
<VirtualHost *:80>
# All of the files here exist on the server
SSLEngine On
SSLCertificateFile /etc/ssl/certs/zetec-it.com.crt
SSLCertificateKeyFile /etc/ssl/private/zetec-it.com.key
SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
ServerAdmin webmaster@zetec-it.com
ServerName zetec-it.com
ServerAlias www.zetec-it.com
DirectoryIndex index.html index.php
DocumentRoot /var/www/html/zetec-it.com/public_html
LogLevel warn
ErrorLog /var/www/html/zetec-it.com/log/error.log
CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
The setup seems legit, but when I attempt to access the website via https the browser states that the connection isn't secure.
I'm fairly new to server admin; does anyone have any suggestions or potential solutions?
You need a VirtualHost which is listening on port 443 in order to have working HTTPS. You configured your VirtualHost to listen on Port 80 while having SSLEngine On.
In order to get https working you would only need to change <VirtualHost *:80> to <VirtualHost *:443>.
Once you did that, you would not have a configuration that handles http connections to (there would not be any VirtualHost waiting for connections for ServerName zetec-it.com).
There are generally two ways to go to serve http connections requesting the same hostname:
You redirect them to https using something like this (uses mod_rewrite in order to redirect to the same path):
<VirtualHost *:80>
ServerName zetec-it.com
ServerAlias www.zetec-it.com
RewriteEngine on
RewriteRule ^ https://zetec-it.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
You deliver the same content through http as well
<VirtualHost *:80>
# All of the files here exist on the server
ServerAdmin webmaster@zetec-it.com
ServerName zetec-it.com
ServerAlias www.zetec-it.com
DirectoryIndex index.html index.php
DocumentRoot /var/www/html/zetec-it.com/public_html
LogLevel warn
ErrorLog /var/www/html/zetec-it.com/log/error.log
CustomLog /var/www/html/zetec-it.com/log/access.log combined
</VirtualHost>
Either way you need two config files, the https one (which is basically your example from above, remember to replace 80 with 443) and one for http which I gave you 2 examples for.
You can put them into separate files, remember to activate them in this case.