OpenSSL implementation... what am I missing? - apache

I have been working really hard on installing an OpenSSL certificate so my web-app can show the beautiful “HTTPS” in the URL; however, I can’t get it working and it’s driving me insane!!
I have a Linux VPS with Ubuntu 14.04 and Apache 2.4.7.
I have done the following things:
1.- Enable SSL module:
sudo a2enmod ssl
2.- Restart Apache:
sudo service apache2 restart
3.- Create an SSL directory inside the Apache2 directory:
sudo mkdir /etc/apache2/ssl
4.- Execute the following command to create a self-signed SSL certificate:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
5.- Fill in questions:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company
Organizational Unit Name (eg, section) []:Department of Kittens
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:your_email@domain.com
6.- Configure apache to utilize ssl:
sudo nano /etc/apache2/sites-available/default-ssl.conf
7.- Modify the following data:
ServerAdmin admin@example.com
ServerName my_domain.com
ServerAlias www.my_domain.com
DocumentRoot /var/www/html
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
8.- Enable “default-ssl.conf” file:
sudo a2ensite default-ssl.conf
9.- Restart Apache again:
sudo service apache2 restart
According to what I have read that should be all… what am I missing??
Thanks in advance.

Related

How to Install GoDaddy SSL Certificate in Amazon EC2

I have a GoDaddy domain, for example website.com, which points to an Amazon EC2 instance. I bought an SSL certificate from GoDaddy for website.com. How can I configure the EC2 instance to make website.com HTTPS?
If you are using Ubuntu for the server instance, follow the following points:
Log in to the ec2 instance using ssh or putty
Enable ssl module by executing this command: sudo a2enmod ssl
You may have to restart the apache server through systemctl: sudo systemctl restart apache2
Make an ssl folder under your html directory and open it:
sudo mkdir /var/www/html/my_ssl
cd /var/www/html/my_ssl
Generate csr and key files:
sudo openssl req -nodes -newkey rsa:2048 -keyout my_website.key -out my_website.csr
You'll have to provide these details: Country, State, City, Organization, Unit, FQDN, email, a challenge password, optional company name.
Note that the FQDN can be website.com or example.website.com
Open the csr file through nano or vi and copy its contents: vi /var/www/html/my_ssl/my_website.csr
Go to your godaddy certificate, click on new certificate, choose the second option that handles csr, and paste the contents into it. If no problem is found, you can continue to the next step.
Godaddy will send an email to one of the standard admin emails of the site. If none of them exists, make sure you create it. It will take around half an hour for the certificate to change from pending to valid.
Download the key files from godaddy and put them in the apache ssl folder: /etc/apache2/ssl/certs
Open the default-ssl.conf file for modification : sudo vi /etc/apache2/sites-available/default-ssl.conf
Add your website name, and change the default values for ServerAdmin email, ServerAlias, DocumentRoot, set SSLEngine on, and the paths of SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile.
Finally set the modified file to be the default configuration and restart your apache:
sudo a2ensite default-ssl.conf
sudo service apache2 restart

Apache SSL certificate installation for beginner

I just started to learn programming and tried to install SSL on my site.
I used a 90-day free trial SSL from Comodo and it worked well.
I purchased a new SSL from Comodo and generated a CSR on the server (in my PuTTY terminal).
My site is a Wordpress run by Bitnami and AWS.
Error message is that my site name is mismatched.
https://www.ssllabs.com/ssltest/analyze.html?d=www.cheeselab.co.kr#whyNotTrusted
How could I solve this problem? I tried to re-install it from the scratch but I don't know what I have to do.
The commands below are what I did:
sudo openssl genrsa -out /opt/bitnami/apache2/conf/server.key 2048
sudo openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr
sudo nano /opt/bitnami/apache2/conf/cert.csr
sudo nano /opt/bitnami/apache2/conf/cert2.crt
sudo nano /opt/bitnami/apache2/conf/bitnami/bitnami.conf
renamed the file from server.crt to cert2.crt
(the above commands worked well)
sudo /opt/bitnami/ctlscript.sh restart apache
but the above command gives the error message below:
Invalid command 'sudo', perhaps misspelled or defined by a module not included in the server configuration apache config test fails, aborting Monitored apache

High Sierra issues with unsigned SSL certificate and local curl

For several OSX versions, I've been using these tutorials to set up a local development environment, including SSL.
I've also always been able to create dynamic virtual hosts based on the folder structure like this:
# Auto-VirtualHosts with .dev
<VirtualHost *:8080>
ServerName dev
ServerAlias *.dev
CustomLog "/Users/username/Sites/logs/dev-access_log" combinedmassvhost
ErrorLog "/Users/username/Sites/logs/dev-error_log"
VirtualDocumentRoot /Users/username/Sites/%-2+
</VirtualHost>
<VirtualHost *:8443>
ServerName dev
ServerAlias *.dev
Include "/Users/username/Sites/ssl/ssl-shared-cert.inc"
CustomLog "/Users/username/Sites/logs/dev-access_log" combinedmassvhost
ErrorLog "/Users/username/Sites/logs/dev-error_log"
VirtualDocumentRoot /Users/username/Sites/%-2+
</VirtualHost>
The included SSL file there is like this:
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile "/usr/local/etc/httpd/server.crt"
SSLCertificateKeyFile "/usr/local/etc/httpd/server.key"
And to generate that certificate I run this code:
$ cd /usr/local/etc/httpd
$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt
This has always worked okay for me, locally. I can run curl successfully, and especially in WordPress development I can run cron tasks that presumably use curl.
Upon upgrading to High Sierra, I get the following error in WordPress:
There was a problem spawning a call to the WP-Cron system on your site. This means WP-Cron events on your site may not work. The problem was:
cURL error 60: SSL certificate problem: self signed certificate
And on the command line, when I run curl to a local HTTPS URL, I get this error:
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I've tried reinstalling all the items from the initial tutorial, but so far nothing has helped. I've also tried installing curl from the Homebrew version instead of the built in, but this didn't seem to have any effect. Is there something known about High Sierra that would make it more picky about this? If so, is there anything I can do to bypass this for local development?
You have to add your self-signed certificate to the curl CA certificate store.
First you have to generate the ca bundle by running the perl script stored in:
/usr/local/Cellar/curl/7.56.1/libexec/mk-ca-bundle.pl
Edit the generated file:
/usr/local/Cellar/curl/7.56.1/libexec/ca-bundle.crt
and add your self-signed certificate using the same syntax.
You can obtain the certificate with:
openssl s_client -showcerts -connect my.server.com:443
Copy everything from
-----BEGIN CERTIFICATE-----
to
-----END CERTIFICATE-----
including the BEGIN and END lines.
Then create a file ~/.curlrc containing:
cacert /usr/local/Cellar/curl/7.56.1/libexec/ca-bundle.crt
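An added example, not part of the answer above, that does offline what the answer describes: it appends a certificate to a CA bundle (without duplicating it on re-runs) and then proves that verification against that bundle, which is what curl does once `cacert` points at it, succeeds. It assumes the openssl command-line tool; instead of fetching the certificate with `openssl s_client -showcerts` it generates a self-signed one for the constructed host mysite.dev so the script needs no network.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes openssl is on PATH.
set -eu

# Return 0 if the bundle already trusts the certificate. Only the bundle is
# consulted (not the system store), so the result is deterministic.
bundle_trusts() {
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Append a PEM certificate to a bundle unless the bundle already trusts it,
# so running the script twice never produces duplicate entries.
append_to_bundle() {
    cert=$1; bundle=$2
    touch "$bundle"
    if bundle_trusts "$cert" "$bundle"; then
        echo "already-trusted"
    else
        # "openssl x509" re-emits exactly the BEGIN/END block the answer says to copy.
        openssl x509 -in "$cert" >>"$bundle"
        echo "appended"
    fi
}

# Walk through the whole procedure in a temp directory and report each step.
demo_ca_bundle() {
    work=$(mktemp -d)
    # Constructed local dev host, standing in for the *.dev vhosts in the question.
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -subj "/CN=mysite.dev" -addext "subjectAltName=DNS:mysite.dev" \
        -keyout "$work/server.key" -out "$work/server.crt" 2>/dev/null
    bundle="$work/ca-bundle.crt"

    before=$(bundle_trusts "$work/server.crt" "$bundle" && echo yes || echo no)
    first=$(append_to_bundle "$work/server.crt" "$bundle")
    second=$(append_to_bundle "$work/server.crt" "$bundle")
    after=$(bundle_trusts "$work/server.crt" "$bundle" && echo yes || echo no)
    count=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
    rm -rf "$work"
    echo "$before $first $second $after $count"
}
```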

Configuring ssl apache in Redhat linux

I have one apache server which is configured with ssl.
SSLCertificateFile /etc/certs/localhost.crt
SSLCertificateKeyFile /etc/private/localhost.key
Now I need to replace the certificate with a new one (provided by our department).
For that I have shared the CSR and they sent back the certificate.
Now the file they have shared is a *.p7b (it contains the certificate in PEM/base64-encoded format; it is a .p7b file with the DER-encoded certificate and the issuing CA certificate).
But in the Apache ssl.conf I need to provide the crt file. How do I get the crt files from the p7b?
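An added example, not from any of the posts on this page, that ties the self-signed procedure in the first question to the .p7b question here: it generates a key and certificate non-interactively, wraps the certificate in a .p7b the way a CA hands it back, extracts PEM again with `openssl pkcs7 -print_certs`, and then runs the two checks that catch most Apache SSL misconfigurations (key belongs to certificate; certificate covers the hostname, the "name mismatch" case). It assumes the openssl command-line tool; the hostname www.example.test is constructed.

```shell
#!/bin/sh
# Added example (not from the original posts). Assumes openssl is on PATH.
set -eu

# Constructed hostname for the demo; a real deployment uses its own FQDN.
DEMO_HOST="www.example.test"

p7b_roundtrip_check() {
    work=$(mktemp -d)
    # 1. Self-signed key + certificate as in the question, but non-interactive
    #    (-subj replaces the prompts) and with a SAN, which modern clients require.
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$DEMO_HOST" -addext "subjectAltName=DNS:$DEMO_HOST" \
        -keyout "$work/apache.key" -out "$work/apache.crt" 2>/dev/null

    # 2. Simulate what a CA returns: the certificate wrapped in a .p7b.
    openssl crl2pkcs7 -nocrl -certfile "$work/apache.crt" -out "$work/issued.p7b"

    # 3. Convert the .p7b into the PEM .crt Apache expects. Chain certificates,
    #    if any, land in the same file and can be split on the BEGIN/END markers.
    openssl pkcs7 -in "$work/issued.p7b" -print_certs -out "$work/extracted.crt"

    # 4. The key must match the certificate: compare public-key digests.
    key_pub=$(openssl pkey -in "$work/apache.key" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$work/extracted.crt" -pubkey -noout | openssl sha256)
    [ "$key_pub" = "$crt_pub" ] || { echo "key/cert mismatch"; rm -rf "$work"; return 1; }

    # 5. The certificate must cover the hostname clients will use.
    openssl x509 -in "$work/extracted.crt" -noout -checkhost "$DEMO_HOST" \
        | grep -q "does match" || { echo "hostname mismatch"; rm -rf "$work"; return 1; }

    rm -rf "$work"
    echo ok
}
```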
Install openssl on Red Hat Linux server / CentOS 7
First we need to install httpd on our server. To install httpd, type the command below:
1. yum install httpd
After installing httpd, we need to install mod_ssl:
2. yum install mod_ssl
Now we have to install openssl on the server as well:
3. yum install openssl
After installing httpd, mod_ssl & openssl, we need to generate a key using the commands below:
4. openssl genrsa -out ca.key 2048
5. openssl req -new -key ca.key -out ca.csr (you can skip the prompts by pressing Enter)
6. openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
7. cp ca.crt /etc/pki/tls/certs
8. cp ca.key /etc/pki/tls/private/
9. cp ca.csr /etc/pki/tls/private
10. vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
Replace by
SSLCertificateFile /etc/pki/tls/certs/ca.crt
and
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Replace by
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
11. httpd -t (check whether the above changes are correct or not)
12. vim /etc/httpd/conf/httpd.conf
Go to the bottom of the file and write
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
ServerName localhost
DocumentRoot /var/www/html
</VirtualHost>
Save & Exit
13. httpd -t (check whether the above changes are correct or not)
14. firewall-cmd --permanent --add-service=https
15. firewall-cmd --permanent --add-port=443/tcp
16. firewall-cmd --reload
17. service httpd restart

Enabling SSL on apache instance on EC2

I have an EC2 instance that is using Amazon's custom linux install with built in apache. This install also has openssl installed. That being said, there does not appear to be a mod_ssl.so to load up in httpd.conf.
So, I want to know the best way to get apache to be ssl enabled so I can setup my SSL virtual host (note that I have already setup the cert/signatures). Ideally, I would like to not have to rebuild/reinstall apache.
Try this command:
yum install mod_ssl
A summary of what needs to be done to enable SSL on an Apache server on EC2:
1. Get an SSL certificate (which you already did)
2. Install mod_ssl as Jose Vega said
3. Add the following lines to your httpd.conf:
NameVirtualHost *:443
<VirtualHost *:443>
ServerName www.example.com
# other configurations
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/mydomain.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mydomain.key
</VirtualHost>
4. Finally, don't forget to open port 443 on your EC2 instance
I managed to enable SSL on my ec2 instance and to install a free ssl certificate from startssl.com. I made a few mistakes, this is the basic approach:
Signup to startssl.com by clicking Control Panel link
Complete the signup process. You will need to verify your email address.
Validate your domain under Validation Wizard -> Domain Name Validation
Get a Certificate by Certificate Wizard
Choose: Web Server SSL/TLS Certificate
Enter a password that will be used to encrypt the private key. You will need this later.
I chose keysize of 4096
Save the encrypted private key as ssl.encrypted.key someplace
?? I forget what happened next
Save the certificate file as ssl.crt someplace. For me I had to wait 30 minutes, then it appeared under Tool Box -> Retrieve Certificate
Use openssl to decrypt the encrypted ssl.encrypted.key file
sudo openssl rsa -in ssl.encrypted.key -out ssl.unencrypted.key
startssl.com also have a decrypt option on their website, but it didn't work for me
putty/ssh onto your ec2 machine
install mod_ssl
sudo yum install mod_ssl
Replace the default certificate and key
sudo vi /etc/pki/tls/certs/localhost.crt
Paste in the contents of ssl.crt
Make sure it pastes correctly! I always lose the first 6 characters
Use :%d to delete the existing certificate if required
[ESC] :wq
sudo vi /etc/pki/tls/private/localhost.key
Paste in the contents of ssl.unencrypted.key
Again make sure it pastes correctly!
[ESC] :wq
Check the configuration
apachectl configtest
Restart
sudo service httpd restart
I had issues restarting and I think what fixed it was sudo kill -9 httpd
You should install the SSL module, since mod SSL does not ship with most instances by default, but that depends on the Apache version you are using in your AWS instance. To check which one you are using, you can run this command in your command line:
httpd -v
For Apache 2.2
yum install mod_ssl
For Apache 2.4
yum install mod24_ssl
If you are using Amazon Lightsail, be sure to go into Networking from the Lightsail dashboard and add HTTPS/443 in your Firewall:
Here's what worked for me, via shell, with a wildcard cert that had a CA bundle (on Lightsail servers, HTTPS/443 enabled). Mileage may vary. Test on https://www.digicert.com/help/ after install. For brevity, I've shortened the certs/keys here (obviously).
It's worth noting also that I did not need to set up a VirtualHost for the domain.
# Overwrite these files on Amazon Linux + mod_ssl (or mod24_ssl)
# /etc/pki/tls/certs/ca-bundle.crt
# /etc/pki/tls/certs/localhost.crt
# /etc/pki/tls/private/localhost.key
## BEGIN
# INSTALL AS ROOT
sudo -su root
sudo cat > /etc/pki/tls/certs/localhost.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIF7DCCBNSgAwIBAgIMNY9yk7s651tb2YasMA0GCSqGSIb3DQEBCwUAMEwxCzAJ
KoZIhvcNAQELBQADggEBACu8MsClqLbO1NqjXw+igERhLRkISgnkIjB1p69zh3V0
/3b68mkC+8pL3HNLgL0qIM9sPKKOl/Iyky2EfwfQDoZEWNB0qWKIOovH5Oj9z5DE
-----END CERTIFICATE-----
EOF
sudo cat > /etc/pki/tls/private/localhost.key <<EOF
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCL6UsW9yC0Faev
1zeEJcF6E7P6XYqT25rWMj5xzUM8gi/4nLpGr+tOBlFJYSbLlEHJKG6QLO9Ku896
MwTtWyOrTlPtpJEi9LUrLmOUXtD1WN2Ekql/ZLaO7pxUtVTRF4MyYspGgU1ZjkxY
vQLnZs85bnG2dLz7Q4xxlj4=
-----END PRIVATE KEY-----
EOF
sudo cat > /etc/pki/tls/certs/ca-bundle.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIESzCCAzOgAwIBAgIOSMqBefg+ikLz9c3isT8wDQYJKoZIhvcNAQELBQAwTDEg
bFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTYxMDE0MDAwMDAwWhcNMjQw
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
-----END CERTIFICATE-----
EOF
# RESTART
sudo service httpd restart
#DONE