I want to set up https on my site:
<VirtualHost 1.2.3.4:443>
...
SSLEngine on
SSLCertificateFile /usr/local/ssl/www.blabla.com/public.crt
SSLCertificateKeyFile /usr/local/ssl/www.blabla.com/private.key
SSLCACertificateFile /usr/local/ssl/www.blabla.com/intermediate.crt
...
</VirtualHost>
I've bought a certificate and they provided me with: an SSL certificate code, a root certificate code and an intermediate certificate code. Which of these go in CertificateFile and CertificateKeyFile?
SSLCertificateKeyFile would have been passed in as the key when you created the request -- it doesn't come from the CA.
SSLCertificateFile is the "ssl certificate code" you got from the CA.
SSLCACertificateFile is the "root certificate code" you got from the CA.
The "intermediate certificate code" from the CA should be identified by SSLCertificateChainFile.
UPDATED:
I updated my CA to match the CA that my client certificate was issued from and my browser now prompts me to choose a certificate (and the correct certificate is listed) but the error "ERR_BAD_SSL_CLIENT_AUTH_CERT" persists.
OLD MESSAGE:
I need to make a certificate authentication with Apache.
My problem is that no certificate list pops up when the CA is set in Apache. However, not setting it brings the popup and allows me to select a certificate... but of course the authentication doesn't work and brings the following error:
ERR_BAD_SSL_CLIENT_AUTH_CERT
The configuration I have is the following:
ssl.conf:
SSLEngine on
SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite HIGH:MEDIUM
SSLCACertificateFile /etc/httpd/ca.cer
SSLCARevocationFile /etc/httpd/crl.pem
SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth 10
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_CN
vhost:
Include ssl.conf
SSLCertificateFile /etc/httpd/sub.domain.crt
SSLCertificateKeyFile /etc/httpd/sub.domain.key
The CA is also installed on my computer along with my client certificate, ready to be used.
There's nothing in the logs, just a line mentioning a closed SSL connection.
Been searching for a while and I can't find what could be causing this.
Alright, so first the SSLVerifyDepth parameter wasn't properly set. I was able to find this by checking Apache's ssl_error_log file.
And second, the log file was saying that the CRL was not reachable. I had set what I thought was the correct CRL... but I actually forgot the CRL of the CA that is above the clients' CA!
Thanks again for helping me with checking the CA, case closed!
When making a Wireshark trace to check whether my Let's Encrypt certificate is correctly offered by our server, I see that the same certificate is being sent twice in the TLS handshake, at 'Server Hello Done'.
How can this occur? How do I correct it?
The certificate details are exactly the same both times:
Extra info requested:
I traced this with Wireshark by visiting an https page of my Apache webserver (CentOS Linux release 7.4.1708 (Core)) with my Chrome browser on a Fedora 25 client.
VirtualHost config:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
Don't know if it matters, but I also have a second VirtualHost with a different Let's Encrypt certificate:
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/letsencrypt/live/my2.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my2.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my2.domain.tld/fullchain.pem
The Problem
This is caused by simultaneous config of SSLCertificateFile along with SSLCertificateChainFile.
From the mod_ssl documentation (Emphasis mine):
This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate.
But if you check your fullchain.pem, you'll see that it includes the server certificate at the top, followed by the Let's Encrypt issuing CA. Apache is delivering the contents of SSLCertificateFile with the SSLCertificateChainFile concatenated after it. Since your server's certificate appears in both of them, it's duplicated in the final chain seen in the SSL handshake, just like you observed in Wireshark:
vhost.conf                    Sent To Client
+---------------+             +------------------+
| cert.pem      |-----------> |Server Certificate|
|               |             |        +         |
|       +       |       +---> |Server Certificate|
|               |       |     |        +         |
| fullchain.pem |-------+---> |  CA Certificate  |
+---------------+             +------------------+
The Fix
In modern Apache, don't use the SSLCertificateChainFile directive anymore; give fullchain.pem directly to SSLCertificateFile.
Again, from the mod_ssl documentation:
SSLCertificateChainFile is deprecated
SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.
So all you should need to do is change your vhost configuration from this:
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
To this:
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
I have a server running a LAMP stack:
me@server:~$ sudo apachectl -v
Server version: Apache/2.4.10 (Debian)
me@server:~$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
...
On this server I have two domains - one with SSL and one without SSL - and everything is currently hunky-dory.
I am trying to add SSL to the second site but requests to the second site fail with the issue:
[FIREFOX]
domain2.com uses an invalid security certificate.
The certificate is only valid for the following names: domain1.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN
[CHROME]
NET::ERR_CERT_COMMON_NAME_INVALID
Note 1: I have checked my version of Apache allows multiple SSL sites on the same server.
This leads me to believe that the SSL files being read when domain2.com is called are actually the files relating to domain1.com.
Curiously, if I disable domain1.com using sudo apache dissite domain1, the SSL works just fine on https://domain2.com. This would indicate that the SSL is installed correctly but the sites across the server are not all configured correctly.
The .conf files are below:
me@server:~$ cat /etc/apache2/sites-enabled/domain1
[...Port 80 config redacted...]
<VirtualHost *:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/domain1/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain1/key.txt
SSLCertificateChainFile /etc/apache2/ssl/domain1/intermediate.crt
ServerName domain1.com
ServerAlias www.domain1.com
<Directory /var/www/domain1>
[REDACTED]
</Directory>
[Logging information redacted]
</VirtualHost>
me@server:~$ cat /etc/apache2/sites-enabled/domain2
[...Port 80 config redacted...]
<VirtualHost *:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/domain2/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain2/key.txt
SSLCertificateChainFile /etc/apache2/ssl/domain2/intermediate.crt
ServerName domain2.com
ServerAlias www.domain2.com
<Directory /var/www/domain2>
[REDACTED]
</Directory>
[Logging information redacted]
</VirtualHost>
So it is clear both sites have the same configuration items applied but relative to the specific SSL files on the server for that site. Note, the SSL bundles for each site are provided from the same vendor.
Further, the certificates should be correct:
me@server:/etc/apache2/ssl/domain1$ openssl x509 -in server.crt -noout -subject
subject= /CN=www.domain1.com
me@server:/etc/apache2/ssl/domain2$ openssl x509 -in server.crt -noout -subject
subject= /CN=www.domain2.com
From all of this, can someone please enlighten me as to why requests to domain2.com fail when domain1.com is enabled?
So yeah... doing the above was all fine and should work.
If it doesn't work, be sure to check the spelling of the ServerName fields and to not work too late at night!
I have 2 crt files for Apache server:
1_root_bundle.crt
2_my_domain_name.com.crt
And other bundle:
1_Intermediate.crt
2_my_domain_name.com.crt
root.crt
I have modified
/etc/apache2/sites-available/default-ssl.conf
And tried various combinations of the above-mentioned files, but after an Apache2 service restart SSL does not work; the browser shows "Connection is not secure":
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/1_Intermediate.crt
SSLCertificateKeyFile /etc/apache2/ssl/2_my_domain_name.com.crt
SSLCertificateChainFile /etc/apache2/ssl/root.crt
How do I set up SSL on an Apache server?
It is missing the key file with your certificate's private key. Usually it has the .key extension, like 2_my_domain_name.com.key, and the file content starts with -----BEGIN PRIVATE KEY-----
Your configuration should look like this:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/2_my_domain_name.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/2_my_domain_name.com.key
SSLCertificateChainFile /etc/apache2/ssl/1_root_bundle.crt
SSLCertificateChainFile points to an all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate.
So ensure that 1_root_bundle.crt contains the 1_Intermediate.crt content and is in PEM format (base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers).
If you use Apache >= 2.4.8 you could also concatenate all certificates into the file pointed to by SSLCertificateFile:
SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.
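Both the duplicated-certificate problem explained in the fullchain.pem answer above (cert.pem plus a chain file that already contains the server certificate) and the certificate-vs-key mix-up in this answer can be caught by inspecting the PEM files before reloading Apache. The following Python script is an added example, not code from any of the posts: it splits a PEM file into blocks, fingerprints each certificate, reports duplicates in the chain Apache would send (the contents of SSLCertificateFile followed by SSLCertificateChainFile), and checks that the key file actually holds a private key. The PEM blocks embedded at the bottom are constructed dummies, not real certificates.

```python
import base64
import hashlib
import re

# One PEM block: -----BEGIN label-----, base64 body, -----END label-----.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem(text):
    """Return [(label, der_bytes)] for every well-formed PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def sent_chain(cert_file_text, chain_file_text=""):
    """SHA-256 fingerprints of the certificates Apache sends, in order:
    SSLCertificateFile first, then SSLCertificateChainFile appended."""
    blocks = split_pem(cert_file_text) + split_pem(chain_file_text)
    return [hashlib.sha256(der).hexdigest().upper()
            for label, der in blocks if label == "CERTIFICATE"]


def duplicated(cert_file_text, chain_file_text=""):
    """Fingerprints that appear more than once in the chain sent to clients."""
    chain = sent_chain(cert_file_text, chain_file_text)
    return sorted({fp for fp in chain if chain.count(fp) > 1})


def key_file_ok(key_file_text):
    """SSLCertificateKeyFile must contain a private key, not a certificate."""
    labels = [label for label, _ in split_pem(key_file_text)]
    return any(label.endswith("PRIVATE KEY") for label in labels)


def pem(label, payload):
    """Build a constructed (dummy) PEM block around arbitrary bytes."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed stand-ins for cert.pem, the issuing CA and privkey.pem.
CERT_PEM = pem("CERTIFICATE", b"dummy server certificate")
CA_PEM = pem("CERTIFICATE", b"dummy issuing CA certificate")
FULLCHAIN_PEM = CERT_PEM + CA_PEM
KEY_PEM = pem("PRIVATE KEY", b"dummy private key")

if __name__ == "__main__":
    print("cert.pem + fullchain.pem:", duplicated(CERT_PEM, FULLCHAIN_PEM))
    print("fullchain.pem alone:", duplicated(FULLCHAIN_PEM))
    print("key file ok:", key_file_ok(CERT_PEM), key_file_ok(KEY_PEM))
```

Run it against your real files by reading them into the same functions; a non-empty result from duplicated() means the browser will see the server certificate twice, and a False from key_file_ok() means a .crt was given where the .key belongs.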
1) Install Apache HTTP Server, mod_ssl
2) Configure httpd
Remember to disable SSLv2 and SSLv3, because they are vulnerable.
# Toggle on the SSL/TLS Protocol Engine
SSLEngine On
# The signed certificate of the server
SSLCertificateFile /etc/pki/tls/myserver/myserver.crt
# The private key of the server
SSLCertificateKeyFile /etc/pki/tls/myserver/myserver.key
# The intermediate certificate(s) of the server
SSLCertificateChainFile /etc/pki/tls/myserver/tls-ca-chain.pem
# Accept only strong encryption
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder on
3) Check the permissions on the certificate files.
UPD:
How to create a key and certificate signing request in one step:
openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out myserver.csr
Next you have to send this csr file to one of the certificate authorities. They will send back your signed certificate, and the intermediate certificate(s).
You can also create a self-signed certificate.
You can use the bundle file with SSLCertificateChainFile.
SSLCertificateFile /home/ubuntu/tad.com/tad.com.crt
SSLCertificateKeyFile /home/ubuntu/tad.com/tad.com.key
SSLCertificateChainFile /home/ubuntu/tad.com/intermediate_bundle.crt
SSLCACertificateFile /home/ubuntu/zup.today/intermediate_bundle.crt
OR
If you are using a bundle, it will work without the SSLCertificateChainFile directive.
SSLCertificateFile /home/ubuntu/tad.com/tad.com.crt
SSLCertificateKeyFile /home/ubuntu/tad.com/tad.com.key
SSLCACertificateFile /home/ubuntu/zup.today/intermediate_bundle.crt
I bought Comodo PositiveSSL and got 4 crt files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
domain.com.crt
And I have this config:
<VirtualHost *:443>
ServerName domain.com
ServerAlias www.domain.com
SSLEngine on
SSLCertificateFile /var/www/domain.com/domain.com.crt
SSLCertificateKeyFile /var/www/domain.com/domain.com.key
ServerAdmin webmaster@localhost
DocumentRoot /var/www/domain.com/html
<Directory /var/www/domain.com/html>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
How do I use these 3 files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
The https connection works fine, but it seems that browsers don't see my signature. I think the problem is that all 4 files need to be added to the Apache config, but I don't know how to do it.
These files are the certificate chain. There's a root domain certificate, there are intermediate certificates, and there's your own certificate.
Your own certificate is already referenced with the SSLCertificateFile. The root certificate is usually installed in the user's browser (that's what you pay for … the fact that they paid the browser vendor to include their root certificate).
But your certificate is not directly derived from the root certificate; there are these intermediate certificates in between.
Because you do not have a certificate that is directly derived from one of the root certificates in the browser, you must deliver the entire certificate chain to the user. (Yes, the root cert, too, to have a complete chain.)
It is usually done by putting all three files into one cert file (let's say intermediate.comodo.crt) and referencing that in the Apache config, too. It would look like this:
…
SSLEngine on
SSLCertificateFile /var/www/domain.com/domain.com.crt
SSLCertificateChainFile /var/www/domain.com/intermediate.comodo.crt
SSLCertificateKeyFile /var/www/domain.com/domain.com.key
…
The certificates in this file must be in the right order … root on top, and then down the chain (IIRC, but you may need to try different orders).
If your server is public, use the SSLlabs service to test your setup: https://www.ssllabs.com/ssltest/ (Note, when testing multiple times with different configurations, you must clear their cache after each change. Otherwise you'll instantly get the results from their last test of your server.)