Knowing that my apache certificates were to expire, I went through the process of renewing them. I got them all in place. My website worked wonderful. Checking the cert from IE showed the new expiration date. Perfect... or so I thought. When the original expiration date hit, I couldn't access the website. My log is showing a Java cert expired. I can't find it on my system.
I've done simple things like find / -name "*.crt" I've gone through our company admin guide. I've checked several websites. But I can't determine where there is an expired cert. Is there a way to get Java to tell you more information about the error?
My system info:
3 servers: FrontEnd, Middleware, DB. Using Apache, Tomcat, ecm. Closed system so I can't copy the log.
Error message from log on FrontEnd:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sun Feb 01 20:44:51 UTC 2015
If you have and apache http server normally the ssl certificate is configured in /etc/httpd/httpd.conf or in a separate file under /etc/httpd directory like /etc/httpd/sites/vhosts_your_site. The property is SSLCertificateFile defined inside a <VirtualHost> tag. You can grep for:
grep -r "SSLCertificateFile" /etc/httpd/
Typically the configuration looks like:
<VirtualHost your_ip:443>
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path_to_your_cds.crt
SSLCertificateKeyFile /path_to_your_private.key
SSLCertificateChainFile /path_to_your_cdschain.crt
...
</VirtualHost>
See the apache documentation for more details.
Could be also possible to configure a ssl certificate in tomcat, however since you've an apache I think that it's more probably the configuration is there.
Anyway if you want to check if the ssl certificate is configured under tomcat check in the $CATALINA_BASE/conf/server.xml file if there is a <connector> with attribute scheme="https".
If your connector uses JSSE the certificate keystore path is in <connector keystoreFile='your_ks_path'>, if you use an ARP connector then is in <connector SSLCertificateFile='your_cert.cer'>.
For more details take a look at tomcat ssl documentation.
Hope this helps,
If you don't you Apache as an SSL Proxy it could be that your Apache is using a certificate which is stored in a Java Keystore File (jks). So you should check for jks files: find / -name "*.jks"
Related
I have trouble installing the ssl certificate in a server.
The vhost file looks like this
`<VirtualHost <ip>:443>
DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/YourIntermediateCertificate.crt
</VirtualHost>`
I have tried SSL checker and the results are as follwing.
the error it shows is
The certificate is not trusted in all web browsers. You may need to
install an Intermediate/chain certificate to link it to a trusted root
certificate. Learn more about this error. The fastest way to fix this
problem is to contact your SSL provider.
An intermediate certificate is already installed. The common name for server in the image should be same as host name. I am not sure why it is "CloudFlare Origin Certificate". Need help in solving this issue. Thanks!!
I have researched and found an answer for this issue.
To resolve the issue we need to enable the proxy for all A, AAAA, and CNAME records using cloudflare dashboard. Below is the explanation for why to enable the proxy.
Normally, the request hit the origin(server) directly and response is served. To encrypt this communication we use SSL certificate. But, the SSL certificate is also used for the identity of the origin server. Here in the above case, no chain certificate file is provided to identify the origin server i.e yourdomain.com, rather the certificate is issued to cloudflare.
After enabling the proxy, the request hits cloudflare and the same request is sent to the origin server, the response from origin server is received by the cloudflare proxy and it is sent to the user. In this way the users browser thinks cloudflare proxy as the origin server and identifies cloudflare since it has its own ssl ( we don't need to bother ).
After enabling proxy, we don't need any chain certificate file to be installed in the origin server. We just need to install the server certificate issued by cloudflare.
I have a sub-domain I want to install a valid SSL (possibly free SSL). I used to access my website through the public address of my server. Now I am using subdomain to access my website. I want to add a valid SSL to my server to secure my website. I am using XAMPP. How can I install SSL properly because when I access my website using HTTPS I am getting a NET::ERR_CERT_AUTHORITY_INVALID and where can I get a valid SSL Certificate?
The most popular Free SSL certificate you can get from letsencrypt.
Than here is the steps you can get your certificate works on localhost machine (XAMPP):
Create new folder crt, in default XAMPP location C:\xampp\apache\crt
Paste there 2 files: cert.conf and make-cert.bat
Now edit cert.conf and Run make-cert.bat
Change {{DOMAIN}} text using the domain we want to use, in this case site.test and save.
Double click the make-cert.bat and input the domain site.test when prompted. And just do enter in other question since we already set the default from cert.conf.
After that, you will see site.test folder created. In that folder we will have server.crt and server.key. This is our SSL certificate.
Double click on the server.crt to install it on Windows so Windows can trust it.
And then Select “Place all certificate in the following store” and click browse and select Trusted Root Certification Authorities.
Edit your host file
5.1 Open notepad as administrator.
5.2 Edit C:\Windows\System32\drivers\etc\hosts (the file have no ext)
5.3 Add this in a new line:
127.0.0.1 site.test
This will tell windows to load XAMPP when we visit http://site.test You can try and it will show XAMPP dashboard page.
Add the site in XAMPP conf.
We need to enable SSL for this domain and let XAMPP know where we store the SSL Cert. So we need to edit C:\xampp\apache\conf\extra\httpd-xampp.conf
And add this code at the bottom:
## site.test
<VirtualHost *:80>
DocumentRoot "C:/xampp/htdocs"
ServerName site.test
ServerAlias *.site.test
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "C:/xampp/htdocs"
ServerName site.test
ServerAlias *.site.test
SSLEngine on
SSLCertificateFile "crt/site.test/server.crt"
SSLCertificateKeyFile "crt/site.test/server.key"
</VirtualHost>
After that, you will need to restart Apache in XAMPP. It’s very simple, simply open XAMPP Control Panel and Stop and re-Start Apache Module.
Restart your browser
Arguably most popular free SSL Provider (and the one I use) will be LetsEncrypt.
Steps for installation will vary based on OS, like this for Ubuntu
You may get free ssl using this link [1]. You need to select the Software that you're using for example Apache and select what operating system you are using in my case I am using Debian 9. If you're unsure about your system, you need to ssh to your server and execute the command "$ cat /etc/*release" if you're using Linux.Once you have selected the correct software and system, it will give you instructions on how to get SSL.
You may follow the instructions here [2] on how to install SSL.
Hope this information helps you.
[1] https://certbot.eff.org/lets-encrypt/debianstretch-apache
[2] https://www.sslshopper.com/apache-server-ssl-installation-instructions.html
The most common solution of free SSL is LetsEncrypt.
LetsEncrypt provides a variety of clients for most OSs. I recommend using the client ACMESharp.
Follow the following steps on Powershell (as described in the official documentation of the project)
1) Install ACMESharp
Import-Module ACMESharp
2) Initialize the vault
Initialize-ACMEVault
3) Create new ACME registration using email
New-ACMERegistration -Contacts mailto:somebody#example.org -AcceptTos
4) Submit the domain identifier
New-ACMEIdentifier -Dns myserver.example.com -Alias dns1
5) Handle the Challenge to Prove Domain Ownership
Pick a method to porve that you own your domain, I recommend HTTP
Challenge.
(Complete-ACMEChallenge dns1 -ChallengeType http-01 -Handler manual).Challenge
If you do not get the challenge details like file path and content in the output , try this:
(Update-ACMEIdentifier dns1 -ChallengeType http-01).Challenges | Where-Object {$_.Type -eq "http-01"}
You'll probably have to allow hidden locations to be accessed via apache, so the challenge can reach .well-known location.
You could use something like the following config, depending on your custom needs (as mentioned in this post as well):
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_FILENAME} !.well-known/
RewriteRule "(^|/)\.(?!well-known)" - [F]
</IfModule>
6) Submit the Challenge Response to Prove Domain Ownership (HTTP method)
Submit-ACMEChallenge dns1 -ChallengeType http-01
The challenge does not get updated instantly so try updating on the results until it's valid.
(Update-ACMEIdentifier dns1 -ChallengeType http-01).Challenges |Where-Object {$_.Type -eq "http-01"}
Once it's valid, try:
Update-ACMEIdentifier dns1
7) Request and Retrieve the Certificate
New-ACMECertificate dns1 -Generate -Alias cert1
Submit-ACMECertificate cert1
The certificate might not be issued instantly so try:
Update-ACMECertificate cert1
Until it's ok.
8) Export the public and private keys
Private key:
Get-ACMECertificate cert1 -ExportKeyPEM "path\to\cert1.key.pem"
Certificate signing request:
Get-ACMECertificate cert1 -ExportCsrPEM "path\to\cert1.csr.pem"
Lets encrypt public certificate:
Get-ACMECertificate cert1 -ExportCertificatePEM "path\to\cert1.crt.pem" -ExportCertificateDER "path\to\cert1.crt"
Issuer's public certificate:
Get-ACMECertificate cert1 -ExportIssuerPEM "path\to\cert1-issuer.crt.pem" -ExportIssuerDER "path\to\cert1-issuer.crt"
You don't practically need all of the above, anyway, but the private key is absolutely necessary so keep it safe.
For more documentation visit the github repo of the project.
I have setup the dispatcher in Apache for windows OS. After that trying to configure certificates to enable HTTPS in httpd.config file, then getting below exception every time. Not sure what's wrong here. Using apache 2.2.25 and generated key using openssl.
Any help on this problem?
Please use quotes for the file path:
SSLCertificateFile "<path-to-file>"
SSLCertificateKeyFile "<path-to-file>"
The path you are using contains multiple "spaces" which probably are interpreted as another parameter.
I am unable to ssl my website ainoapp.io, although i can use https://www.ainoapp.io/ as all our pages show up correctly however, site is still not secure.
Here are steps that i did on EC2 ubuntu apache system (after Godaddy approved the certificate).
enabled ssl and header module
uploaded files c969b7f1a54c0a63.crt and gd_bundle-g2-g1.crt to /etc/apache2/ssl
created two conf files in /etc/apache2/sites-available: ainosite.conf and ainosite-ssl.conf
enabled default-ssl.conf, ainosite-ssl.conf and ainosite.conf such that sites-enabled has these entries only.
EC2 instance accept inbound traffic 443
port.conf listen to port 80 and 443
restart apache
Below are the snippets:
Am I missing something here, any ideas would be a great help.
Thanks in advance.
Scrutinize the wording of the error (warning) message carefully.
The browser is not really complaining about your SSL configuration.
It's complaining that you're being inconsistent with the images on the page -- they are still <img src="http://... instead of also using HTTPS (or being relative links, or protocol agnostic).
I believe this is also referred to as a "mixed content" warning.
i am new to site maps, and Google sitemap generator.
i am working on a test server and neither localhost nor live. its basically a local test server.
I have installed it and also enabled remote access and am now able to access the admin console using http.
the problem is i need to enable https as well.
when i try to access it through https, i get an "SSL CONNECTION ERROR".
i know that google's documentation on this topic says something like:
To set up HTTPS on Linux:
1.Edit the file /usr/local/google-sitemap-generator/conf/httpd.conf.
2.In the VirtualHost section, edit the SSL settings.
3.Save the file.
4.Restart Apache to effect the changes.
But in the file httpd.conf, there are no "SSL settings" for me to edit.
Can someone remove this 'vagueness' from the directions?
Thanks
I suppose, you have to add to /usr/local/google-sitemap-generator/conf/httpd.conf something like this (into virtualhost directive)
SSLEngine on
SSLCertificateFile /etc/google-sitemap-generator/server.crt
SSLCertificateKeyFile /etc/google-sitemap-generator/server.key
This link was helpful for me: http://groups.google.com/group/google-sitemap-generator/browse_thread/thread/a5b0575efad76328
In my case server.crt and server.key files were generated by openssl command (http://www.akadia.com/services/ssh_test_certificate.html).
Make sure mod_ssl is enabled in Apache (run a2enmod).