Apache conf with several crt files - apache

I bought Comodo PositiveSSL and got 4 crt files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
domain.com.crt
And I have this config:
<VirtualHost *:443>
ServerName domain.com
ServerAlias www.domain.com
SSLEngine on
SSLCertificateFile /var/www/domain.com/domain.com.crt
SSLCertificateKeyFile /var/www/domain.com/domain.com.key
ServerAdmin webmaster@localhost
DocumentRoot /var/www/domain.com/html
<Directory /var/www/domain.com/html>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
How do I use these 3 files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
The HTTPS connection works fine, but it seems that browsers don't see my signature. I think I need to add all 4 files to the Apache config, but I don't know how to do it.

These files are the certificate chain. There's a root domain certificate, there are intermediate certificates, and there's your own certificate.
Your own certificate is already referenced with the SSLCertificateFile. The root certificate is usually installed in the user's browser (that's what you pay for … the fact that they paid the browser vendor to include their root certificate).
But your certificate is not directly derived from the root certificate; instead there are these intermediate certificates in between.
Because you do not have a certificate that is directly derived from one of the root certificates in the browser, you must deliver the entire certificate chain to the user. (Yes, the root cert, too, to have a complete chain.)
It is usually done by putting all three files into one cert file (let's say intermediate.comodo.crt) and referencing it in the Apache config, too. It would look like this:
…
SSLEngine on
SSLCertificateFile /var/www/domain.com/domain.com.crt
SSLCertificateChainFile /var/www/domain.com/intermediate.comodo.crt
SSLCertificateKeyFile /var/www/domain.com/domain.com.key
…
The certificates in this file must be in the right order … root on top, and then down the chain (IIRC, but you may need to try different orders).
If your server is public, use the SSLlabs service to test your setup: https://www.ssllabs.com/ssltest/ (Note, when testing multiple times with different configurations, you must clear their cache after each change. Otherwise you'll instantly get the results from their last test of your server.)
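As an added example (not the answer's own, and the PKI in it is constructed purely for the demo), the following script generates a throwaway root -> intermediate -> leaf chain with openssl, writes the bundle that SSLCertificateChainFile points at with the issuer of domain.com.crt first and the root last, and then verifies the leaf against it the way a client would:

```shell
#!/bin/sh
# Added example, not from the original answer: build a throwaway
# root -> intermediate -> leaf PKI, assemble the chain bundle in the order
# mod_ssl reads it, and verify the leaf against it.
set -e
WORK=$(mktemp -d); cd "$WORK"

printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
# CA:TRUE is what lets openssl accept a certificate as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:domain.com\n' > leaf.ext

csr() { openssl req -new -config req.cnf -newkey rsa:2048 -nodes -subj "$2" \
          -keyout "$1.key" -out "$1.csr" 2>/dev/null; }

make_test_pki() {
  csr root "/CN=Test Root CA"
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
    -out root.crt 2>/dev/null
  csr intermediate "/CN=Test Intermediate CA"
  openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -days 2 -extfile ca.ext -out intermediate.crt 2>/dev/null
  csr domain.com "/CN=domain.com"
  openssl x509 -req -in domain.com.csr -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -days 2 -extfile leaf.ext -out domain.com.crt 2>/dev/null
}

# mod_ssl reads the chain file top-down: the issuer of the server certificate
# first, then each CA above it, the root last.
build_chain_file() { cat intermediate.crt root.crt > intermediate.comodo.crt; }

cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# openssl x509 reads only the first PEM block of a file; the sed strips the
# "subject=" / "issuer=" prefix so the two values compare directly.
first_cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^[a-z]*= *//'; }
leaf_issuer() { openssl x509 -in "$1" -noout -issuer | sed 's/^[a-z]*= *//'; }

# Validate like a client: only the root is trusted, the bundle is supplied as
# untrusted intermediates and must link the leaf to that root.
verify_leaf() {
  openssl verify -CAfile root.crt -untrusted intermediate.comodo.crt domain.com.crt
}

make_test_pki
build_chain_file
echo "first cert in bundle: $(first_cert_subject intermediate.comodo.crt)"
echo "leaf issuer:          $(leaf_issuer domain.com.crt)"
verify_leaf
```

Against a live server, `openssl s_client -connect domain.com:443 -servername domain.com -showcerts </dev/null` prints the chain the server actually sends, which is the same thing the SSL Labs test inspects.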

Related

SSL Certificate Issue with Multiple Domains on One Apache2 Server

I have a server running a LAMP stack:
me@server:~$ sudo apachectl -v
Server version: Apache/2.4.10 (Debian)
me@server:~$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
...
On this server I have two domains, one with SSL and one without SSL, and everything is currently hunky-dory.
I am trying to add SSL to the second site but requests to the second site fail with the issue:
[FIREFOX]
domain2.com uses an invalid security certificate.
The certificate is only valid for the following names: domain1.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN
[CHROME]
NET::ERR_CERT_COMMON_NAME_INVALID
Note 1: I have checked my version of Apache allows multiple SSL sites on the same server.
This leads me to believe that the SSL files being read when domain2.com is called are actually the files relating to domain1.com.
Curiously, if I disable domain1.com using sudo apache dissite domain1, the SSL works just fine on https://domain2.com. This would indicate that the SSL is installed correctly but the sites across the server are not all configured correctly.
The .conf files are below:
me@server:~$ cat /etc/apache2/sites-enabled/domain1
[...Port 80 config redacted...]
<VirtualHost *:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/domain1/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain1/key.txt
SSLCertificateChainFile /etc/apache2/ssl/domain1/intermediate.crt
ServerName domain1.com
ServerAlias www.domain1.com
<Directory /var/www/domain1>
[REDACTED]
</Directory>
[Logging information redacted]
</VirtualHost>
me@server:~$ cat /etc/apache2/sites-enabled/domain2
[...Port 80 config redacted...]
<VirtualHost *:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/domain2/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/domain2/key.txt
SSLCertificateChainFile /etc/apache2/ssl/domain2/intermediate.crt
ServerName domain2.com
ServerAlias www.domain2.com
<Directory /var/www/domain2>
[REDACTED]
</Directory>
[Logging information redacted]
</VirtualHost>
So it is clear both sites have the same configuration items applied but relative to the specific SSL files on the server for that site. Note, the SSL bundles for each site are provided from the same vendor.
Further, the certificates should be correct:
me@server:/etc/apache2/ssl/domain1$ openssl x509 -in server.crt -noout -subject
subject= /CN=www.domain1.com
me@server:/etc/apache2/ssl/domain2$ openssl x509 -in server.crt -noout -subject
subject= /CN=www.domain2.com
From all of this, please can someone enlighten me as to why requests to domain2.com fail when domain1.com is enabled?
So yeah... doing the above was all fine and should work.
If it doesn't work, be sure to check the spelling of the ServerName fields and to not work too late at night!

Configuration https on lamp web server ec2 aws with let's encrypt

I have a problem. Yesterday I created a certificate with Let's Encrypt on my EC2 instance. Now I want to use it on my site, but I don't know how to proceed. Do you have any suggestions?
I tried to do this but I didn't get any results:
https://www.paulwakeford.info/2015/11/24/letsencrypt/
Then, after using the webroot plugin of Let's Encrypt, I installed mod_ssl.so on my instance, edited my security group to enable HTTPS on port 443, and then modified my httpd.conf like this:
<VirtualHost *:443>
DocumentRoot /var/www/my-domain
ServerName my-domain.com
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/my-domain/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/my-domain/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/my-domain/chain.pem"
<Directory /var/www/my-domain>
AllowOverride All
</Directory>
</VirtualHost>
Do you have any suggestions?
The tutorial you pointed to applies the SSL certificate to a CloudFront distribution, a CDN. Are you using CloudFront? If you are, you need to set the certificate on the distribution (and maybe on the Apache server too); otherwise, set it on the Apache server.
Try looking into:
Enabling SSL on apache instance on EC2
and
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-an-instance.html
For the last one, forget about "getting a certificate" as you already have one issued by Let's Encrypt.

SSL certificate for specific directories

So I've got a login script (domain.com/script/index.php) that I need protected with a self-signed certificate, but installing a cert with Apache will apply it to my whole domain. My domain is a personal website, and the last thing I would want is for someone to go through the hassle of having to jump through the hoops of having to 'trust' my self-signed certificate.
Right now I have Webmin running on my server, and it currently has its own self-signed without applying it to my root website directory. Is there any way to secure my script directory without applying it to my root directory?
I'm gonna assume this is php and apache:
Just add these lines to your vhost configs:
SSLEngine on
SSLCertificateFile {{SERVER CRT PATH}}
SSLCertificateKeyFile {{SERVER KEY PATH}}
Make sure the SSL DLL is enabled in php.ini
and apply like so:
# Local Php site
<VirtualHost *:83>
ServerName localhost
DocumentRoot C:/xampp2/htdocs/scripts/php
<Directory C:/xampp2/htdocs/scripts/php>
AllowOverride All
Require all granted
</Directory>
SSLEngine on
SSLCertificateFile C:\xampp2\apache\conf\ssl.crt\server.crt
SSLCertificateKeyFile C:\xampp2\apache\conf\ssl.key\server.key
</VirtualHost>
Reference: http://robsnotebook.com/xampp-ssl-encrypt-passwords
restart apache then visit: https://localhost:83

Untrusted certificate - Apache & StartSSL

Trying to set up SSL on Apache (on AWS Linux). Firefox gives me these details in its nastygram:
The certificate is not trusted because it is self-signed.
The certificate is only valid for ip-###-##-#-##
I'm currently working under the assumption that this is a problem with the ChainFile or CA cert, quite possibly because I don't have the correct info in httpd.conf. Can you comment on the code below or let me know where else to look for the error?
httpd.conf:
<VirtualHost *:443>
DocumentRoot /var/www/html
ServerName https://###-##-#-##
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /home/ec2-user/StartSSLcert.pem
SSLCertificateKeyFile /home/ec2-user/StartSSLkey.pem
SSLCertificateChainFile /home/ec2-user/sub.class1.server.sha1.ca.pem
SSLCACertificateFile /home/ec2-user/ca.pem
</VirtualHost>
This page has been my primary reference: http://www.startssl.com/?app=21. However, it includes many lines of code not in other examples I've found online, with no description of what they do.
I've been guess-and-checking between the example above and a simpler example like: http://www.sslshopper.com/apache-server-ssl-installation-instructions.html
Everything I try is either untrusted by Firefox or I get errors when restarting apache. Ideas?
By default, the SSL settings in:
/etc/httpd/conf.d/ssl.conf
override the corresponding block in:
/etc/httpd/conf/httpd.conf
When using AWS you need to edit ssl.conf
"The certificate is only valid for ip-###-##-#-##"
credit due here:
Cannot setup SSL keys on my apache server in AWS EC2
If your server has more than one IP address, replace the * with the IP address inside ""
See: http://httpd.apache.org/docs/2.4/mod/core.html#virtualhost
What's more, make sure you create your private key and CSR correctly.
See: https://library.linode.com/security/ssl-certificates/commercial#sph_create-a-certificate-signing-request

Confluence - Redirect to new name

We had confluence running in our company with the URL https://confluence:8443
We changed the domain name; let's say it is now https://abc:8443. Same server, same Apache instance, and it has the new name and the cert for "abc".
It runs on Apache/Tomcat. We could not figure out how to make this conversion look seamless to the users, so we created port 80 on the same server (say, server A), installed the confluence certificate on it and created a redirect to
Now if a user goes to http://confluence, it goes to the DNS server, finds server A's IP, goes to the IIS, gets the redirect rule and goes to https://abc:8443.
If a user goes to https://abc:8443, no problems there.
But if a user goes to http://confluence:8443 (most of the users have this bookmarked), they get the cert error.
Can anyone please suggest a way to make this work in Confluence, that is, Tomcat/Apache?
Thanks for your time.
Thanks,
Shiyam
You have two options:
Option 1: Server Name Indication
If your client browsers all support it, you can configure your HTTPD to use Server Name Indication (SNI), which allows the client to tell the server which host it is requesting. This assumes that you already have two distinct SSL certs for "abc" and "confluence", and that you configure the appropriate SSL certificate under each VirtualHost.
Of note is that Internet Explorer on Windows XP does not support SNI, but since Windows XP has already reached End of Life, your organization hopefully no longer has any such clients.
The example from the SNI page above, for reference, is:
Listen 192.168.1.1:443
LoadModule ssl_module modules/mod_ssl.so
SSLPassPhraseDialog builtin
AcceptMutex flock
SSLSessionCache shmcb:/var/cache/httpd/mod_ssl/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
NameVirtualHost 192.168.1.1:443
<VirtualHost 192.168.1.1:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/ssl/star.example.com.crt
SSLCertificateKeyFile /etc/ssl/star.example.com.key
ServerName "one.example.com"
DocumentRoot "/var/www/html/one"
CustomLog "/var/log/httpd/one-access.log" combined
ErrorLog "/var/log/httpd/one-error.log"
<Directory /var/www/html>
AllowOverride none
Order Allow,Deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost 192.168.1.1:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/ssl/star.example.com.crt
SSLCertificateKeyFile /etc/ssl/star.example.com.key
ServerName "two.example.com"
DocumentRoot "/var/www/html/two"
CustomLog "/var/log/httpd/two-access.log" combined
ErrorLog "/var/log/httpd/two-error.log"
<Directory /var/www/html>
AllowOverride none
Order Allow,Deny
Allow from all
</Directory>
</VirtualHost>
Option 2: Wildcard SSL Certificate
If your server or clients do not both support SNI, but if "abc" and "confluence" are hosts on the same domain, you can also get a wildcard SSL certificate.
For example, if you obtain a wildcard cert for *.example.com, your single httpd server will be able to handle HTTPS requests for both abc.example.com and confluence.example.com without error.