After upgrading to Yosemite I am no longer able to use my web server. It was set up to accept SSL connections on port 443, but now netstat -a -n says it isn't even listening on that port. I looked in /etc/apache2 and noticed that extra/ had been moved to original/extra so I moved that back. There was also a copy of httpd.conf in original/ but the timestamp and size was unchanged and diff showed it was identical to my original httpd.conf. The only other file in /etc/apache2 which has a new timestamp is users/ but nothing in that directory is changed.
All my certificate files in ssl/ still have the correct permissions. I don't see anything in /var/log/apache2/error_log (aside from the normal startup messages). In fact, even if I try to access the web server on port 80 I get nothing in either error_log or access_log even though I unexpectedly get 403 Forbidden on every page I try to access.
I have read about problems with Yosemite updating Apache from 2.2 to 2.4, but my web server doesn't even seem to be functional to the point of fixing any error caused by that. In any case, I did try the solution here, but my httpd.conf file does not contain any Order or Allow lines (nor does any file in extra/) so I can't try the answer suggested there.
OK, this is an old topic, but here's an answer.
I believe you have to uncomment a few lines in httpd.conf.
Run:
sudo vi /etc/apache2/httpd.conf
Uncomment the following lines:
#LoadModule ssl_module libexec/apache2/mod_ssl.so
#Include /private/etc/apache2/extra/httpd-ssl.conf
A simple trick is to search the configuration file using VIM to find lines related to SSL and debug from there.
In VIM, the following will find all instances of ssl... press n to go to next found instance:
?ssl
Once you made changes, test your configuration using:
sudo apachectl configtest
If all is good, run:
sudo apachectl restart
If you get the following error:
SSLCertificateFile: file '/private/etc/apache2/server.crt' does not exist or is empty
Create a default self-signed SSL certificate:
cd /private/etc/apache2
openssl req -new -x509 -days 365 -nodes -out server.crt -keyout server.key
Enter localhost when asked for your Common Name.
Then run configtest and, if all is good, restart.
Related
Thanks you for taking the time out for helping. I am facing an issue with my apache server and the story goes like this:
I was running an ubuntu 18.04 server and my SSL(letsencrypt ssl obtained through certbot) got expired when I ran the command : certbot renew but it gave me errors relating to DNS. Then I thought it would be a good idea if I simply delete the existing certificate and install a new one so I googled how to delete a ssl certificate using certbot and got to know about sudo certbot delete but it didn't worked as expected and when I restarted the server apache didn't started and when I ran the command apache2ctl configtest it returned an error saying :
AH00526: Syntax error on line 20 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/tomebox.in/fullchain.pem' does not exist or is empty
Action 'configtest' failed.
The Apache error log may have more information.
Can anyone please help me understanding and resolving the issue and getting my website back to normal.
You'll need to edit the etc/apache2/sites-enabled/000-default-le-ssl.conf file to change the file being referenced, as you have deleted that file. You can create a new certificate to reference using certbot instructions, or delete 000-default-le-ssl.conf altogether if you are no longer using SSL.
To edit the file, navigate to the directory in SSH using
cd etc/apache2/sites-enabled/
and then edit the file as root using
sudo nano 000-default-le-ssl.conf
ctrl+ x will exit and give option to save when done. You may want to restart apache2 after:
sudo service apache2 restart
I'm a little bit confused about https communication with influxdb. I am running a 1.8 Influxdb instance on a virtual machine with a public IP. It is an Apache2 server but for now I am not willing to use it as a webserver to display web pages to clients. I want to use it as a database server for influxdb.
I obtained a valid certificate from Let's Encrypt, indeed the welcome page https://datavm.bo.cnr.it works properly over encrypted connection.
Then I followed all the instructions in the docs in order to enable https: I put the fullchain.pem file in /etc/ssl directory, I set the file permissions (not sure about the meaning of this step though), I edited influxdb.conf with https-enabled = true and set the path for https-certificate and https-private.key (fullchain.pem for both, is it right?). Then, systemctl restart influxdb. When I run influxdb -ssl -host datavm.bo.cnr.it I get the following:
Failed to connect to https://datavm.bo.cnr.it:8086: Get https://datavm.bo.cnr.it:8086/ping: http: server gave HTTP response to HTTPS client
Please check your connection settings and ensure 'influxd' is running.
Any help in understanding what I am doing wrong is very appreciated! Thank you
I figured out at least a part of the problem. It was a problem related to permissions on the *.pem files. This thing looks weird because if I tip the following, as documentation says, it does not connect.
sudo chmod 644 /etc/ssl/<CA-certificate-file>
sudo chmod 600 /etc/ssl/<private-key-file>
If, instead, I tip the second line with 644 all works perfectly. But this way I'm giving to anyone the permission to read the private key! I'm not able to figure out this point.
UPDATE
If I put inside /etc/ssl/ the symlinks that point to the .pem files that live inside /etc/letsencrypt/live/hostname the connection is refused. Only if I put a copy of the files the ssl connection starts.
The reason I am willing to put the links inside /etc/ssl/ is the automatic renew of the certificates.
Anyone can help?
I've been trying off and on to get a LAMP development server operational behind my corporate firewall (McAfee Web Gateway). I have a Ubuntu/Trusty64 image on a virtualbox VM provisioned through Vagrant. I cannot get "some" {most} repositories to load for a proper sudo apt-get update. I'm getting a 401 authentication required error on all 'security.ubuntu.com trusty-security/*' sources and 'archive.ubuntu.com trusty/*' sources and all fail to fetch. Therefore most all sudo apt-get install {whatever} fails and I cannot add the necessary PPA repository to install the LAMP environment I want.
I can turn off SSL verification for some things and can get many things installed - but I need SSL working correctly within this environment.
Digging deeper, I find that if I curl -v https://url.com:443, I get the
curl(60): ssl certificate error: unable to get local issuer certificate.
I have the generic bundle 'ca-bundle.crt' installed locally in /usr/local/share/ca-certificates/ and ran sudo update-ca-certificates which seemed to update ca-certificates.crt in etc/ssl/certs/.
I ran a strace -o stracker.out curl -v https://url.com:443 and searched for the failing stat() as suggested in here by No-Bugs_Hare and found that curl was looking for 'c099e901.0' in /etc/ssl/certs/ and it isn't there. Googling that particular HEXID is no joy and am stuck at this step.
Next I tried strace -o traceOppenSSL.out openssl s_client -connect url.com:443 to see if I can get more detail but can't see what causes the
verify error:num=20:unable to get local issuer certificate
followed by two other errors (I'm sure all relating to the first one), then displays the "Server Certificate" within a BEGIN / END block, followed by a bunch of other metadata. The entire session ends with
Verify return code: 21 (unable to verify the first certificate).
So, this is not my forte and I'm doing what I can to try and get this VM operational. Like I said earlier, I've been trying many things and understand most of the issue is the fact that I'm behind a McAfee firewall within my corporate structure. I don't know how to troubleshoot more than what I've explained above but I'm willing to dig deeper.
I have a few questions. Why is curl looking for that particular hex ID and where would I find or generate the beast? Are there other troubleshooting steps I should try? The VM is a server-class Ubuntu install, so I only have a SSH CLI terminal and no WindowManager GUI to work with this.
I'm trying to renew my SSL certificate but there is some problem i'm probably missing. after i'v done the following steps the server keep using the old certificate and i do'nt know why.
here'w what i have done:
Create new csr file (domain.csr) + key file (domain.key)
openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
Copy csr file content and paste it to my ssl provider + get approval.
get 5 files from them and upload them to the server (domain.der,domain.pem
,domain.cer, chain.cer , domain.p7b )
set on apache ssl.conf file ,
SSLCertificateFile (domain.cer) SSLCertificateKeyFile (domain.key).
restart apache
for some reason my server is still using my old certificate.
is the something i'm doing wrong?
Well you figured it out yourself but in case anyone else is in same situation, here's some of the things you can check.
First up check locally whether this works, by running the following openssl command on the server (a crucial step we skipped!):
openssl s_client -connect localhost:443
This will show the cert presented to the client from Apache. If that's not the right one, then you know Apache config is at fault. If it is the right one then something downstream is a problem.
In your case you terminate SSL at the load balancer and forgot to change the cert there. Another issue could be browser caching the SSL cert (restart it, Ctrl+F5 to force refresh or better yet try another browser or a third party website like ssllabs.com).
Assuming it's a problem with Apache then you need to check the config to check all instances of the cert have been replace. The below command will show all the vhosts and what config they are configured in:
/usr/local/apache2/bin/apachectl -S
Alternatively just use standard find and grep unix commands to search your Apache config for the old or new cert:
find /usr/local/apache2/conf -name "*.conf" -exec grep olddomain.cer {} \; -print
Both those commands assume apache is installed in /usr/local/apache2 but change the path as appropriate.
If all looks good and you've definitely restarted Apache then you can try a full stop and restart as I have noticed sometimes a graceful restart of Apache doesn't always pick up new config. Before starting the web server back up again, check you can't connect from your browser (to ensure you're connecting to the server you think you're connecting to) and that the process is down with the following command:
ps -ef | grep httpd
and then finally start.
Another thing to check is that the cert you are installing is the one you think it is, using this openssl command to print out the cert details (assuming the cert is in x509 format but there are similar commands for other formats):
openssl x509 -in domain.cer -text
And last but not least check the Apache log files to see if any errors in there. Though would expect that to mean no cert is loaded rather than just the old one.
Good answer from #Barry.
Another aspect is apache is not the front most web server. From this conversation. It is possible that there are other web servers in front of apache.
Something like - nginx. In our case it was AWS ELB. We had to change cert in ELB in order to change.
We had a similiar problem to what #Akshay is saying above.
In order for the server to update the certificates we had to run some commands for Google Cloud Compute Engine Load Balancer:
gcloud compute target-https-proxies update
Hope this helps someone that is using GCP for hosting apache.
Does anyone here have clear and detailed steps on how to get SSL on my local development machine? I've installed the latest version of WAMP (2.2c) on c:\wamp. The instructions I find on the net seem to be outdated in most cases and lacking the details I need to get things done right.
Guide: Openssl in WampServer 2.5
Prerequisite: There is normally no need to install openssl (it comes bundled with Wamp). Apache 2.4.9 includes 1.0.1g for instance.
System-Variable:
Open the Windows System panel ("WIN+Q" Search: system) > Advanced System Settings > Advanced > Environment variables
Add a new entry in system variables with name OPENSSL_CONF and its value being the path to openssl.cnf (usually somethings like C:\wamp\bin\apache\apache2.4.9\conf\openssl.cnf)
openssl folder structure:
In C:\wamp\bin\apache\apache#.#.#\conf create the following folder structure:
..
demoCA
|-----certs
|-----crl
|-----newcerts
|-----private
Configuring openssl.cnf:
I've followed Neil C. Obremski advice and cleared the following defaults:
countryName_default (was "AU")
stateOrProvinceName_default (was "Some-State")
0.organizationName_default (was "Internet Widgits Pty Ltd")
organizationalUnitName_default (was already empty)
Creating the certificate:
From command line browse to C:\wamp\bin\apache\apache#.#.#\bin\ and call "openssl req -new -out cacert.csr -keyout cacert.pem". If prompted enter a password and after that the DN informations like below.
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.......................++++++
....++++++
writing new private key to 'cacert.pem'
Enter PEM pass phrase: my_secret_pass
Verifying - Enter PEM pass phrase: my_secret_pass
`-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
`-----
Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:local
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
C:\wamp\bin\apache\apache2.4.9\bin>
In the same console window now use "openssl rsa -in cacert.pem -out cacert.key" and if asked enter the password previously entered.
Enter pass phrase for cacert.pem: my_secret_pass
writing RSA key
Remove the ".rnd" file in C:\wamp\bin\apache\apache2.4.9\bin
Still in the same window call "openssl x509 -in cacert.csr -out cacert.cert -req -signkey cacert.key -days 365". If you experience the following error "unable to write 'random state'". This is a known bug! To workaround this call "set RANDFILE=.rnd" and retry the previous command.
Congrats you are now the owner of a self signed certificate!
I've placed the built files (they are currently in bin folder) according this Site:
cacert.pem, cacert.key in C:\wamp\bin\apache\apache#.#.#\conf\demoCA\private
cacert.cert, cacert.csr in C:\wamp\bin\apache\apache#.#.#\conf\demoCA\certs
In httpd.conf enable SLL (search for "#Include conf/extra/httpd-ssl.conf") + alter the following entries in httpd-ssl.conf:
SSLSessionCache "shmcb:C:/wamp/logs/ssl_scache(512000)"
DocumentRoot "C:/wamp/www"
#ErrorLog
#TransferLog
SSLCertificateFile "C:/wamp/bin/apache/apache2.4.9/conf/demoCA/certs/cacert.cert"
SSLCertificateKeyFile "C:/wamp/bin/apache/apache2.4.9/conf/demoCA/private/cacert.key"
CustomLog "C:/wamp/logs/ssl_request.log" \
Now test your Apache installation by calling httpd -t.
If you get the following error "SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?)." enable the following entry "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" in httpd.conf
Wamp is now configured with https support :-)
I've also enabled "LoadModule status_module modules/mod_status.so" using the following configuration in httpd.conf:
<IfModule status_module>
ExtendedStatus On
<Location /server-status>
SetHandler server-status
</Location>
</IfModule>
You can check now your server status here
https://localhost/server-status/
Apache/2.4.9 (Win64) OpenSSL/1.0.1g PHP/5.5.12 Server at localhost Port 443
Notes:
I've made this tute while trying to get it working on my machine (this was my first attempt in using OpenSSL on windows/wamp).
This guide is not meant for production systems!
You might have to change a few things like names depending on your openssl.cnf
My intention was not to make the best tutorial around but instead to simply note all required changes to get SSL working in WAMP.
Make sure to set the right -days amount for your x509 certificate
I finally know why NSA can easily break into servers with such a complex process :D
Since Wamp bundles apache together with OpenSSL it might be better to separately install it??
I have WAMP 2.2E installed.
I ran into the same problem, and after about an hour of searching the internet and trying all sorts of things, I stumbled into discovering that openssl can be enabled by:
Clicking on the WAMP icon in the system tray,
Hovering on "PHP",
Then "PHP extensions",
Then looking very carefully for "php_openssl" in the long list of extensions.
After following the excellent instructions from KAGRAN22, I ran into 2 errors:
AH00526: Syntax error on line 48 of C:/wamp64/bin/apache/apache2.4.9/conf/extra/httpd-ssl.conf:
Invalid command 'SSLCipherSuite', perhaps misspelled or defined by a module not included in the server configuration
That error is resolved by uncommenting this line
LoadModule ssl_module modules/mod_ssl.so
in httpd.conf.
Next I got this:
AH00526: Syntax error on line 74 of C:/wamp64/bin/apache/apache2.4.9/conf/extra/httpd-ssl.conf:
SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
Which is resolved by uncommenting this line
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
in httpd.conf.
It should all work after that.
Facts:
It is not possible to configure SSL on WampServer Version 2.4 at least not in reasonable amount of time.
Normal person shouldn't be interested in dealing with this, because this is not practical nor normal way to do things.
SSL on Wamp is basicaly SM machine so if you have some masochistic needs please proceed with this.