Apache: one domain - multiple folders with different certificates - apache

I've just started my linux security classes and my task is to set up an apache2 server (nginx is allowed aswell but chose the first one) with configuration listed below:
There is one domain (localhost) with different subfolders:
/ssl (any user can access, force redirect to https)
/ssl/user_1 (access with certificate "user_1")
/ssl/user_2 (access with certificate "user_2")
/ssl/any (access with any certificate (user_1, user_2))
/no_ssl (access without certificate)
I don't have much experience with apache2 but succesfully managed to set it up and configured basic ssl. However, I managed to set just one certificate for all folders/subfolders - I've been digging through whole Google (I have three pages of results marked already as visited..) but could not find a proper solution, tutorial or docs how to set up few different certificates, each for a different folder. I found few but it's often the case that the code was written few years ago and does not work anymore in the new version.
I'm not asking for a full solution but I'd appreciate if someone could point me in the right direction or provide some good tutorials/docs about the matter. Some configuration snippets would be awesome aswell of course!
Thank you so much in advance,
F.

I don't think I'm giving too much away when I say you are misunderstanding that part of the question. You are assuming that user_1 and user_2 are server certificates.
This is about client certificates - otherwise options 1 and 4 are the same. Also I think this is implied with the certs being user_1 and user_2 rather than server_1 and server_2. So go read up about client certificates.
Saying that I still don't know how to do this simply for options 2 and 3 so it's still a tricky question. Let us know how this is done after the assignment is finished for my own curiosity and good luck figuring it out yourself!

Related

Gitlab pages and automatic certificate management using Let's Encrypt

I guess that's a very simple task, but I can't manage to have SSL work on gitlab pages. Gitlab pages documentation is too vague for me.
For example, when they say "Make sure your domain doesn't have an AAAA DNS record." does that mean the subdomain (say gitlab.mysite.com) doesn't have a AAAA record. Or does it mean my whole DNS configuration shouldn't have such a record?
Also if that's the later, how can I manage to make this work?
Maybe someone has a source to a good tutorial for this because I really struggle finding simple information (not assuming any prior knowledge about SSL/gitlab).
I just went through the whole process beginning to end and set up a GitLab Pages website on a custom domain with a Let's Encrypt certificate -- it worked like a charm.
I had to:
a) set up a TXT record to verify domain ownership, and
b) add an A record to point at the GitLab Pages IP address (since my domain DNS management provider didn't allow me to set up a domain-level CNAME)
After this, GitLab went and fetched a Let's Encrypt certificate for my Pages web site.
I didn't have a AAAA record, so that didn't come into the picture.
As per GitLab Pages documentation section GitLab Pages integration with Let's Encrypt,
Caution: This feature covers only certificates for custom domains
Issue 3342 is open to add support for sub-domains.
If you are still having trouble, let me know, I'd be happy to help with this.

Apache, Ubuntu, SSL, alias and virtual

First let me state that I am a Linux noob. I am learning as I go here. Here is my situation. I have an Ubuntu 16lts server, with apache. The software we just installed comes with "samples" These samples are stored in the same directory structure as the program. The instructions have you add an alias and a directory to the apache2 config file. Like so
Alias /pccis_sample /usr/share/prizm/Samples/php
This actually worked :)
However now we want to make sure this site is SSL. I did manage to use openssl to import to Ubuntu the certificates we wanted to use. (i am open to using self signed though at this point its non prod so i dont care)
In trying to find out the right way to tell Apache i want to use SSL for this directory and which cert i want to use. Things went wonky on me. I did manage to get it to use ssl but with browser warning as one would epexct with a self signed cert. I had thought that i could just install the cert on our devs machines and that would go away. But no dice. Now in trying to fix all that i just done broke it. SOOOO What I am looking for is not neccessarily and spoon fed answer but rather any good tools, scripts, articles tips tricks gotchas that i can use to get this sucker done.
Thanks
You need to import your certificate(s) into the browsers trusted store. For each browser on each machine you test with. "What a pain!" you probably think. You are right.
Make it less painful - go through it once. Create your own Certificate Authority, and add that to your browsers trusted certificates/issuers listing. This way, you modify each one once, but then any certificate created by your CA certificate's key will be considered valid by those clients.
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
Note that when configuring Apache or other services, they will still need an issued/signed certificate that corresponds correctly to the hostname that is being used to address them.
Words of warning - consider these to be big, red, bold, and blinking.
DO NOT take the lazy way and do a wildcard, etc. DO keep your key and passphrase under strict control. Remember - your clients will implicitly trust any certificate signed by this key, so it is possible for someone to use the key and create certificates for other domains and effectively MITM the clients.

Primary SSL re-routing HTTP add-on

As a complete newbie, I've been skulking through this site for about the past twelve months to find solutions to errors. The following issue has driven me to distraction to such a degree that I decided to join the fun and see if anyone can help.
I have a main site which has an essential SSL certificate. I recently created another site as an add-on domain to the main hosting. However, this means the add-on tries to run as https, causing a security error and blocking most of the html and css document. I'd be very grateful if anyone could offer advice on how to work around this.
The certificates are valid only for the domain specificed in the CN.
However you are not only one with this requirement, so what you can do:
use a wildcard certificate - the wildcard certificates are usually more expensive, but they cover all subdomain on that level (*.domain.com covers www.domain.com, mail.domain.com, ... but not domain.com itself)
use Subject Alternative Name - it is an explicit list of domiains covered by the certificate

How to add valid SSL to heroku custom damoain

I need to add SSL to my heroku custom domain. I have done through a wide variety of keys/crts/pems etc. All I want to do is have SSL on a heroku wildcard custom domain.
I bought a wildcard ssl certificate. I have a plan on DNSimple.com, and now I need to upload everything to the server.
What files do I need to add? How can I get them?
I have a Certificate and a private key from DNSimple, now I understand I have to upload a CRS file to DNSimple. Can someone offer a step-by-step, heroku's is very poorly designed and convoluted.
Right now, chrome gives me a big red user warning.
Thanks,
Brian
Hope you have gone through Heroku documentation for DNS simple-
https://devcenter.heroku.com/articles/ssl-endpoint
https://devcenter.heroku.com/articles/ssl-certificate-dnsimple
If still not working, let me know. Will post the steps needed to do this.

CryptAcquireCertificatePrivateKey failed when using SelfSSL on IIS6 with multiple Websites

I have two "Web Sites" running under IIS6 (Windows Server 2003R2 Standard), each bound to a separate IP address (one is the base address of the server).
I used SelfSSL to generate and install an SSL certificate for development purposes on one of these sites and it works great. I then run SelfSSL to generate a certificate for the second site and the second site works, but now the first site is broken over SSL.
I run SSL Diagnostics and it tells me:
WARNING: You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed
If I re-run SelfSSL on the first site (to fix it), the first site works but then the second site is broken.
It seems like SelfSSL is doing something in a way that is designed to work with only one Website, but I can't seem to put my finger on exactly what it's doing and figure out how to suppress it. I would manually configure SSL but I don't have a certificate server handy, but maybe there is a way to get SelfSSL to just gen the cert and let me install it?
FWIW I have also followed the guidance of several posts that indicate changes to the permissions of the RSA directory are in order, etc. but to no avail. I don't work with SSL everyday so I may be overlooking something that someone with more experience might notice, or perhaps there is a diagnostic process that I could follow to get to the bottom of the issue?
We had a similar problem today. Our IT guy said he solved it by basically using ssldiag instead of selfssl to generate the certs.
See the reply from jayb123 at this URL: http://social.msdn.microsoft.com/forums/en-US/netfxnetcom/thread/15d22105-f432-4d8f-a57a-40941e0879e7
I have to admit I don't fully understand what happened, but I'm on the programming side rather than the network admin side.