i have a website on my localhost, so to test the secure connection i did generate ssl certificate offline for localhost only, the thing is i used exact the same method as i did on my laptop, but it is not work for the new pc that i just setup. But it works fine on my laptop.
what could be the problem.
i did go through this too, but it not solved my problem
Setup HTTPS on wildcard subdomain on localhost
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster#muster.project
ServerName muster.project
ServerAlias *.muster.project
DocumentRoot /var/www/project/muster/web
<Directory "/var/www/project/muster/web">
AllowOverride All
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
Interestingly, it is only work for the
https://muster.project
but not for https://anything.muster.project
Same method, same system both lubuntu,
i did change the ServerAlias to
www.muster.project *.muster.project it is also not works
i changed the not works either.
there are no error log either...
the only things i get was
rsa server certificate is a ca certificate (basicconstraints ca == true )
i don't think this is matter since the domain without subdomain works.
did i need to set the /etc/hosts file? even though i did! it is not work.
got some idea how to solve this? it is been few days already fixing it without success. Thanks for the helps!
Hier are the tutorial i followed
thomas-leister[dot]de/allgemein/apache-webserver-ssl-verschlusselung-einrichten/
Wildcards certificates only works for one level :
If you have a certificate for *.project it's valid for anything.project but not for anything.muster.project
Finally i found the Problem...
i set the wildcards DNS according to this sites
https://www.leaseweb.com/labs/2013/08/wildcard-dns-ubuntu-hosts-file-using-dnsmasq/
it seems it has nothing to do with the ssl (locally , it might be different for live website)..
i don't know why my laptop works even i don't set the dnsmasq...
however it is works now. maybe it will help if someone face this problem.
Related
I'm using Apache as a reverse proxy to redirect all requests. I need to forward client cert details to my apps within the request. For testing purposes, I'm simply trying to attach CN to the forwarded request. This is my conf file (simplified):
<VirtualHost _default_:443>
ServerName localhost
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/CA.pem
SSLCertificateKeyFile /etc/ssl/private/CA.key
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +ExportCertData +StdEnvVars
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}:8443/myapp?cn=%{SSL_CLIENT_S_DN_CN}
</VirtualHost>
If I navigate to https://localhost browser asks for a cert, and then I get redirected to:
https://localhost:8443/myapp?cn=
So it appears that it's not reading SSL_CLIENT_S_DN_CN. What am I missing?
EDIT: If I set request header, e.g.:
RequestHeader set XYZ %{SSL_CLIENT_S_DN_CN}e
I don't see it in dev tools, either. So there must be something wrong with my configuration. %{SERVER_NAME} works, %{SSL_CLIENT_S_DN_CN} doesn't.
I would like to have ONLY https traffic. I want all of it to be driven to https://example.com and https://www.example.com.
At present this is what works and doesn't work:
https://www.example.com - ok!
http://www.example.com - shows a list of files in my webroot for some reason
https://example.com - This site can’t be reached / example.com refused to connect.
http://example.com - The example.com page isn’t working. example.com didn’t send any data.
I am using Ubuntu 14 (trusty) and here is my current enabled virtual host config:
<IfModule mod_ssl.c>
<VirtualHost xxx.xxx.xxx.xxx:443>
ServerAdmin info#example.com
ServerName www.example.com:443
ServerAlias example.com:443
DocumentRoot /var/www/example.com/public_html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
Any help much appreciated as going nuts!
Did you tried made permanent redirect? https://wiki.apache.org/httpd/RedirectSSL
I am trying to install a certificate for all my subdomain on GCE VM, here is what I've done so far:
Allow HTTPS traffic is enabled in the VM settings.
I enabled the certificate on apache and default-ssl.conf looks like this
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin fadi#domain.com
ServerName domain.com
ServerAlias www.domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
ProxyPreserveHost On
ProxyPass /console https://0.0.0.0:8080/console
ProxyPassReverse /console https://0.0.0.0:8080/console
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
But still I can not reach my server on https but am still able to access it via http, even though I enabled ssl using
sudo a2ensite default-ssl.conf
sudo service apache2 restart
Can someone help me please figure out this issue! the app is actually running on apache tomcat but proxied through apache if that make any difference!
443 is the default port used by Compute Engine for its services . Better you use any other port like 7443 or 8443 , then i guess it will work . I myself faced this issue on Compute Engine with Tomcat , and used other than the default ports . And also don't forget to mention whatever port you choose in the Firewall Rules section in the Networking . Let me know if that works !!
I purchased an SSL certificate and had it validated. The vendor then sent me the files.
This is my first time adding an SSL to ubuntu.
In my sites enabled folder in Apache I added a new conf file example-ssl.conf
I then added the following
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin info#example.ie
ServerName example.ie
ServerAlias www.example.ie
DocumentRoot /var/www/html/example/
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/example.crt
SSLCertificateKeyFile /etc/ssl/private/example_private.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
I then ran sudo a2ensite example-ssl.conf
But got an error...
Site example-ssl not properly enabled: /etc/apache2/sites-enabled/example-ssl.conf is a real file, not touching it
So I decided to change default-ssl.conf with the same information as above,
I then ran sudo a2ensite default-ssl.conf which worked.
I restarted apache,
but when I go to https://www.example.com , I get an unable to connect error as if the site doesnt exist at all. "Firefox can't establish a connection to the server at www.example.ie."
Thank you
EDIT: A bit of background, I set this up using Digital Ocean. I've now realised this is happening with all my droplets when I try to use https. So perhaps its a more generic setting on linux I need to enable
You don't show any "Listen 443" directive. That's step one if you expect Apache to listen for connections on a new port.
Also everything you posted is a no-op if mod_ssl isn't loaded due to your ifModule.
We've got multiple subdomains, each with it's own virtualhost entry in httpd.conf and (for those supporting https) in ssl.conf as well. Our main www subdomain has a GoDaddy cert associated with it. The subdomain I'm configuring right now on our dev server ("api.bulbstorm.com") has an ssl.conf virtualhost entry that looks like this:
<VirtualHost 172.16.247.153:443>
DocumentRoot "/var/www/api"
ServerName api.bulbstorm.com:443
ErrorLog logs/api-error_log
CustomLog logs/api-access_log common
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /var/www/certs/api/server.crt
SSLCertificateKeyFile /var/www/certs/api/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
<Directory "/var/www/api">
Options +FollowSymLinks
RewriteEngine On
AllowOverride All
Order allow,deny
Allow from all
</Directory>
php_value include_path "/var/www/inc"
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
... the crt & key files in /var/www/certs/api/ were generated using openssl per instructions found here.
The api subdomain originally pointed to the godaddy cert for the www subdomain. But even though I've changed the virtualhost entry associated with the api subdomain to point to the self-signed certificate/key pair (and have restarted httpd, completely cleared browser settings related to the previous exception for the godaddy cert, etc.) browsers are still throwing warnings saying that the cert is for the www domain. When I look at the cert the browsers are pulling it looks like they're still getting the godaddy cert.
Higher up in the ssl.conf file there are these lines:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
This cert/key pair is different than the godaddy cert/key pair referenced in the virtualhost entry for the www subdomain, which looks like this:
SSLCertificateFile /etc/www.bulbstorm.com_ssl/www.bulbstorm.com.crt
SSLCertificateKeyFile /etc/www.bulbstorm.com_ssl/www.bulbstorm.com.key
SSLCertificateChainFile /etc/www.bulbstorm.com_ssl/gd_intermediate_bundle.crt
Any light that anyone can shed on the issue I'm having will be appreciated.
The "answer" to this question was to repost it on serverfault.com.