I edited '/etc/apache-sites-enabled/default-ssl.conf' to include the following:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/mydomain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/mydomain.com.key
SSLCertificateChainFile /etc/apache2/ssl/mydomain.com.ca-bundle
The files exist and contain the relevant blocks from my Rapidssl. SSL is enabled via a2enmod ssl, have also checked port is open and checked error log.
The apache error log is clear and http is accessible.
When I visit the site I get this message in Chrome:
SSL connection error
ERRSSLPROTOCOL_ERROR
Hide details
Unable to make a secure connection to the server. This may be a problem with the server or it may be requiring a client authentication certificate that you don't have.
To me it seems to be pointing to the CA Bundle being not seen?
Related
I am confused with SSL certificates on apache. I have the SSL vhost setup in /etc/httpd/conf.d/ssl.conf which works fine, but when i try to use wget from another server to pull down some files i get "Unable to locally verify the issuer's authority."
The SSL was bought from cheapsslsecurity.com and the zip comes with multiple CRT files and i'm not sure what is what.
So we have the following files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationecureServerCA.crt
STAR_websitenamehere_com.crt
The vhost is currently setup like this:
SSLCertificateFile /etc/pki/tls/certs/STAR_websitenamehere_com.crt
SSLCertificateKeyFile /etc/pki/tld/private/websitenamehere.com.key
SSLCACertificateFile [i have tried all of them here except the STAR_ one and still the same error with wget]
The main SSL works in the web browser, but nothing i do seems to allow wget to pull anything without producing an error.
Error is "SSL Library Error: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate -- No CAs known to server for verification?"
Configuration:
SSLCertificateFile /etc/letsencrypt/live/mysite/fullchain.pem
SSLCertificateChainFile same as above
SSLCertificateKeyFile /etc/letsencrypt/live/mysite/privkey.pem
SSLCACertificateFile my own self-signed CA cert file appended to fullchain.pem
SSLVerifyDepth 10
I have verified my self-signed client cert against my self-signed CA, and installed it in my browser (Chrome and Firefox)
I have tried:
SSLCACertificateFile containing only my self-signed CA cert
without SSLCertificate ChainFile (which seems redundant to me)
but always get the same error.
LogLevel warn ssl:debug and LogLevel warn ssl:trace6 don't provide any further clues.
So, to debug this, I need to see the server-client conversation in plain text but, of course, the connection is encrypted.
What tools are available? How do the browser developers debug problems like this?
I have bought a an ssl certifcate from a respected authority on the internet. I am just having problems installing the certificate and enabling https on my server. I have only been given the certificate and the private key. How do I go about copying these files to my server and enabling https.
NOTE: I am running an amazon micro instance
First try to install mod_ssl on your server with the following command
yum install mod_ssl
Once it's installed you can update your httpd configuration file with your SSL certificate details.
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/mydomain.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mydomain.key
I just got commodo free ssl trial, and uploaded the ssl to my EC2 instance using AWS CLI, then changed the listener in the loadbalancer to the new ssl, but when I run ssl checker still shows the previous self signed certificate, which causes the browser warning when accessing the website, I have googled for hours trying to find and answer and followed everything in regards of updating the SSL but still no luck
Ok I had to figure it out myself, since it was the first time i had to install an SSL on an aws server, and thought i would post the answer in case someone else is going trough the same issue.
I have got my ssl from comodo which they provide 2 files (file.crt & file.ca-bundle), I went through load balancer to change my SSL first, not 100% sure if it is a required step, but I would recommend doing, so you would need the three ssl files (name.key "which is the one you submitted to your ssl provider", name.crt and name.ca-bundle).
1- in my case I was using an ubuntu instance with apache2, you will need to create a new ssl directory in /etc/apache2 (e.g /etc/apache2/ssl).
2- Upload all three files to the new directory.
3- navigate to /etc/apache2/sites-enabled -> and edit ssl-enabled.conf as follows:
<VirtualHost>
DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>
4- Restart your apache2 service and you should be all good to go.
Hope that was helpful
I have an EC2 instance on AWS, with Apache server.
I purchased an SSL certificate from Comodo and installed the following files in /etc/pki/tls/private/:
server.ca-bundle server.crt server.key
I also added the following lines to /etc/httpd/conf/httpd.conf:
<VirtualHost www.mydomain.com:443>
ServerName www.mydomain.com
DocumentRoot "/var/www/html"
SSLENGINE on
SSLCertificateFile /etc/pki/tls/private/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCertificateChainFile /etc/pki/tls/private/server.ca-bundle
</VirtualHost>
and restarted the http server.
But when trying to access my site through https://www.mydomain.com there is a certificate error warning (but if I continue through the warning, the site shows well).
I checked with ssltool.com and got:
The site tested www.mydomain.com is NOT the same as the Subject CN ip-10-203-65-225!
Needless to say, the key file was created with my domain name (CN=www.mydomain.com) and not with the name containing the ip.
When I enter "hostname" in the unix shell, I indeed get 'ip-10-203-65-225', which is something that Amazon gave it automatically. But even if I change it (in /etc/sysconfig/network) it is still seen as ip-10-203-65-225.
On the other hand, the same problem is viewed without installing the keys: Even if I remove those lines from httpd.conf, and remove the key files, the browsers warn about a certificate error, as if there is a self-signed certificate and with the same error on ssltool.com. So it seems that it's not that my key files are invalid but rather that the server doesn't use them at all...
I'm totally confused. Please can anybody help?
For some reasons, none of the pages I visited to seek for the answer mentioned that the above lines should be in
/etc/httpd/conf.d/ssl.conf
and not in
/etc/httpd/conf/httpd.conf
(and not inside a <virtualHost> section)
Your certificate was issued to a Common Name (CN) matching the hostname of your EC2 instance. You need to create a new CSR using the correct hostname and go through the entire process again. When you generate the new CSR, be sure to change the CN rather than accept the default.