I am enabling ssl on my apache running on localhost. I generated a self signed certificate and put it in a usual place:
[david@david web]$ ll /etc/ssl/certs/
...
-rwxrwxrwx. 1 david david 977 Mar 7 13:18 localhost.crt
-rwxrwxrwx. 1 david david 712 Mar 7 13:16 localhost.csr
-rwxrwxrwx. 1 david david 963 Mar 7 13:12 localhost.key
But when I restart Apache, the server fails and I receive the following in the error log:
[Fri Mar 07 13:29:17 2014] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Fri Mar 07 13:29:17 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Mar 07 13:29:17 2014] [error] (13)Permission denied: Init: Can't open server private key file /etc/ssl/certs/localhost.key
The permissions look ok to me, what am I doing wrong?
This is because you probably uploaded the file(s) first to one of your home directories and then moved them somewhere in the /etc directory.
To correct the context of this file, execute the following command:
restorecon -RvF /etc/ssl/certs/
and restart Apache: service httpd restart.
Hope it helps.
David,
I would suggest first to change the permissions and ownership on the key file
Change ownership: sudo chown root:root localhost.key
Change permissions: sudo chmod 600 localhost.key
To fix the problem, I needed to remove the passphrase from the key
Remove passphrase: openssl rsa -in localhost.key -out localhost_nopp.key
After that, just change the SSLCertificateKeyFile parameter to point to localhost_nopp.key and restart Apache.
I am guessing this produces a "clean" file that Apache is now happy to use. Since this appears to be a development/test environment, the assumption is that removing the passphrase will not cause a major security issue.
Thanks,
John
I had XAMPP installed in D:/ drive (HDD 500GB) while I had to do a fresh installation of windows 10 in C:/ Drive (SSD 128GB).
I did not change anything in D:/ drive before or after installation of Windows, yet when I open the XAMPP interface and start Apache it shows the following error log.
Apache Error Log
[Mon Nov 29 22:47:59.081101 2021] [ssl:warn] [pid 1388:tid 604] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Mon Nov 29 22:47:59.159264 2021] [core:warn] [pid 1388:tid 604] AH00098: pid file E:/xampp/apache/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Mon Nov 29 22:47:59.163263 2021] [ssl:warn] [pid 1388:tid 604] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
PHP Warning: 'vcruntime140.dll' 14.0 is not compatible with this PHP build linked with 14.16 in Unknown on line 0
[Mon Nov 29 22:47:59.171261 2021] [:emerg] [pid 1388:tid 604] AH00020: Configuration Failed, exiting
Seems like the quickest solution is to do a fresh install of XAMPP.
It's pretty easy to transfer the XAMPP htdocs folder which contains your lifetime of code: simply copy and paste the htdocs folder into a new install of XAMPP.
For your databases it's pretty simple also:
Copy all your self created databases folders that are located in xampp/mysql/data
Copy the ibdata1 file located in xampp/mysql/data
Paste your database folders and the ibdata1 file into the xampp/mysql/data on a new install of XAMPP
Done!
I'm trying to bring up an OwnCloud container on my docker server via docker compose. I'm using the stock OwnCloud image from Docker Hub. Here is my yaml file:
version: '3.1'
services:
  owncloud:
    image: owncloud
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - '/etc/docker/owncloud/data:/var/www/html'
      - '/etc/docker/owncloud/ssl.sh:/etc/apache2/ssl.sh'
    networks:
      default:
        ipv4_address: 192.168.226.28
  mysql:
    image: mariadb
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: ********
volumes:
  owncloud_data:
    driver: local
networks:
  default:
    external:
      name: pub_net
It works great. The container comes up and I can access it via http. Now of course I want to access via https so you can see bash script I've sent into my container. Here are the contents of that script:
#!/bin/bash
a2enmod ssl
a2ensite default-ssl
openssl req -x509 -nodes -days 99999 -newkey rsa:2048 -subj "/C=US/ST=Ohio/L=Cleveland/O=Data/CN=fake.domain.com" -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
service apache2 restart
Now, if I manually bash into the container and run that script it works great. I can access OwnCloud via https. Here's where it gets annoying. I want to automate the process of running that script so when the container updates it's part of the rebuild process. So far I've tried adding a "command" string in the yaml file like this:
version: '3.1'
services:
  owncloud:
    image: owncloud
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - '/etc/docker/owncloud/data:/var/www/html'
      - '/etc/docker/owncloud/ssl.sh:/etc/apache2/ssl.sh'
    networks:
      default:
        ipv4_address: 192.168.226.28
    command: /etc/apache2/ssl.sh
  mysql:
    image: mariadb
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: ********
volumes:
  owncloud_data:
    driver: local
networks:
  default:
    external:
      name: pub_net
When I run docker-compose up it does appear to run the script, except it runs it over and over again, and the apache service keeps restarting. Here is a snippet of the logs:
Restarting Apache httpd web server: apache2.
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
dule ssl already enabled
Site default-ssl already enabled
Generating a RSA private key
................+++++
...............+++++
writing new private key to '/etc/ssl/private/ssl-cert-snakeoil.key'
-----
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.226.28. Set the 'ServerName' directive globally to suppress this message
[Wed Oct 07 21:09:05.504798 2020] [ssl:warn] [pid 33] AH01906: 192.168.226.28:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Oct 07 21:09:05.504883 2020] [ssl:warn] [pid 33] AH01909: 192.168.226.28:443:0 server certificate does NOT include an ID which matches the server name
Restarting Apache httpd web server: apache2.
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
dule ssl already enabled
Site default-ssl already enabled
Generating a RSA private key
....................................+++++
...............................+++++
writing new private key to '/etc/ssl/private/ssl-cert-snakeoil.key'
-----
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.226.28. Set the 'ServerName' directive globally to suppress this message
[Wed Oct 07 21:09:15.145928 2020] [ssl:warn] [pid 33] AH01906: 192.168.226.28:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Oct 07 21:09:15.146014 2020] [ssl:warn] [pid 33] AH01909: 192.168.226.28:443:0 server certificate does NOT include an ID which matches the server name
Restarting Apache httpd web server: apache2.
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
dule ssl already enabled
Site default-ssl already enabled
Generating a RSA private key
...........................+++++
..........................................+++++
writing new private key to '/etc/ssl/private/ssl-cert-snakeoil.key'
-----
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.226.28. Set the 'ServerName' directive globally to suppress this message
[Wed Oct 07 21:09:29.712422 2020] [ssl:warn] [pid 33] AH01906: 192.168.226.28:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Oct 07 21:09:29.712500 2020] [ssl:warn] [pid 33] AH01909: 192.168.226.28:443:0 server certificate does NOT include an ID which matches the server name
I'm not sure where to go from here. Any ideas?
A Docker container's command should run for as long as you expect the container to run.
When your script starts, there is nothing else running in the container. There is no apache2 or anything, just your script. And it ends with service apache2 restart and quits right after. It doesn't care about any background processes that you just started. It only cares that your foreground process - your bash script - has finished already.
As you can see in your image (using latest version at time of writing this): https://hub.docker.com/layers/owncloud/library/owncloud/latest/images/sha256-57e690e039c947e4de6bdae767b57b402d3ed9b9ed9f12ba5d31d3cf92def4b8?context=explore it is using CMD ["apache2-foreground"] to run. And that's how you should end your bash script so it also runs apache2 in foreground:
#!/bin/bash
a2enmod ssl
a2ensite default-ssl
openssl req -x509 -nodes -days 99999 -newkey rsa:2048 -subj "/C=US/ST=Ohio/L=Cleveland/O=Data/CN=fake.domain.com" -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem
apache2-foreground
I run an Ubuntu (17.04) server that is hosting multiple sites. One of the sites I'm hosting now is an eCommerce site and needs an SSL certificate. I've gone through many different tutorials and I've followed every step but when I go to the site with HTTPS I'm just getting an error page.
The domain name in the screenshots below is fake.
First I bought the SSL certificate from Comodo. They requested the CSR from the server so I generated it using this command:
openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr
I pasted the CSR and generated the CRT without issue. Now I have the CRT from Comodo and updated my vhost for a secure connection:
<VirtualHost *:443>
    ServerAdmin test@test.com
    ServerName www.domain.com
    ServerAlias domain.com
    DirectoryIndex index.php
    DocumentRoot /var/www/html/domain
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/www_domain_com.crt
    SSLCertificateKeyFile /etc/ssl/private/domain_com.key
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
I then ran:
a2enmod ssl
And finally restarted apache. Now when I go to the site I'm only seeing this error page:
Looking at the apache error log the only hint to what might be wrong is the below message:
[Thu Aug 17 16:42:42.746221 2017] [mpm_prefork:notice] [pid 19871] AH00169: caught SIGTERM, shutting down
[Thu Aug 17 16:42:42.836087 2017] [ssl:warn] [pid 22306] AH01909: 2001:4802:7801:103:be76:4eff:fe20:7c04:443:0 server certificate does NOT include an ID which matches the server name
[Thu Aug 17 16:42:42.874200 2017] [ssl:warn] [pid 22316] AH01909: 2001:4802:7801:103:be76:4eff:fe20:7c04:443:0 server certificate does NOT include an ID which matches the server name
[Thu Aug 17 16:42:42.878354 2017] [mpm_prefork:notice] [pid 22316] AH00163: Apache/2.4.25 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Thu Aug 17 16:42:42.878374 2017] [core:notice] [pid 22316] AH00094: Command line: '/usr/sbin/apache2'
Any help would really be appreciated. This is the first time this server has had an SSL website so maybe I am missing a step with openSSL or something.
Your first mistake is buying a certificate from Namecheap. I just recently had similar problems getting their crt to work. It wasn't until I decided to go with Let's Encrypt and used their certbot to generate the SSL certificate that I was able to resolve the problem. I cannot prove this, but I suspect there is a problem with Namecheap's bundling tool which builds the signed certificate.
Let's Encrypt is a completely free open source project to solve your HTTPS needs. I also have multiple virtual hosts and got up and running with Let's Encrypt in minutes.
https://letsencrypt.org/
I generated server.key using openssl CLI and then generated server.csr from that. Then I submitted server.csr to my company (this is all internal) and they gave me a text file which I renamed to server.crt
I followed this guide to install SSL Cert for XAMPP's Apache
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR193
Basically I edited the httpd-ssl.conf file with below:
SSLCertificateFile "conf/ssl.crt/server.crt"
SSLCertificateKeyFile "conf/ssl.key/server.key"
SSLCACertificatePath "conf/ssl.crt/"
SSLCACertificateFile "conf/ssl.crt/server.crt"
When I restarted my Apache server, it failed and gave error:
[Thu May 08 14:14:48.014710 2014] [ssl:warn] [pid 1924:tid 272] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu May 08 14:14:48.016664 2014] [ssl:warn] [pid 1924:tid 272] AH01907: RSA server certificate is not a leaf certificate (BasicConstraints: pathlen == 2 > 0 !?)
[Thu May 08 14:14:48.016664 2014] [ssl:warn] [pid 1924:tid 272] AH01909: RSA certificate configured for www.myservername.com:443 does NOT include an ID which matches the server name
[Thu May 08 14:14:48.016664 2014] [ssl:emerg] [pid 1924:tid 272] AH02238: Unable to configure RSA server private key
[Thu May 08 14:14:48.016664 2014] [ssl:emerg] [pid 1924:tid 272] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Thu May 08 14:14:48.016664 2014] [ssl:emerg] [pid 1924:tid 272] AH02311: Fatal error initialising mod_ssl, exiting. See C:/xampp/apache/logs/error.log for more information
Does anyone know why? How do I fix this?
Here is my system info
Windows NT LGLAC046 6.1 build 7600 (Windows Server 2008 R2 Enterprise Edition) i586
Apache/2.4.4 (Win32) OpenSSL/0.9.8y PHP/5.4.19
OPENSSL_CONF C:/xampp/apache/bin/openssl.cnf
SSL Version OpenSSL/0.9.8y
I generated server.csr using openssl CLI and then generated server.key from that
You're supposed to generate a private key first:
openssl genrsa -des3 -out server.key 1024
then generate a csr:
openssl req -new -key server.key -out server.csr
If you're requesting a new certificate, you then send the CSR to the CA.
It sounds like what you have is a CA certificate, not a server certificate.
I have a problem installing the SSL certificates. I think the problem is that the server name doesn't match the certificate's server name.
Here the exact Apache problem:
[Wed Oct 02 18:33:23 2013] [warn] RSA server certificate CommonName (CN) `name1.name2.fr' does NOT match server name!?
[Wed Oct 02 18:33:23 2013] [error] Unable to configure RSA server private key
[Wed Oct 02 18:33:23 2013] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Wed Oct 02 18:34:00 2013] [warn] RSA server certificate CommonName (CN) `name1.name2.fr' does NOT match server name!?
[Wed Oct 02 18:34:00 2013] [error] Unable to configure RSA server private key
[Wed Oct 02 18:34:00 2013] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
We use RHEL 6. How can I see the server name, and how do I change it?
Thanks in advance.
You have to set the server's DNS name first, so perform the command
$ sudo gksu gedit /etc/hostname to edit the hostname file
add the line www.example.com
$ sudo gksu gedit /etc/hosts and add the line:
127.0.0.1 www.example.com localhost
After that make sure to use that domain name in creating or signing the certificate
I had this warning in ssl_error_log:
[Wed Dec 11 14:02:41 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Dec 11 14:02:41 2013] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
It is because mod_ssl in CentOS (5.10) came with a default virtualhost which will use the default cert in /etc/pki/tls/certs/localhost.crt.
I removed the virtualhost section in conf.d/ssl.conf and the warning disappeared after reloading apache.
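The three mod_ssl complaints that recur in the logs on this page (key values mismatch, AH01906 "CA == TRUE" and AH01909 "does NOT include an ID which matches the server name") can each be checked with the openssl CLI before restarting Apache. The script below is an added example, not code from any of the posts above; the function names, file prefixes and www.example.test are constructed for illustration, and the private key is assumed to be unencrypted.

```sh
#!/bin/sh
# Added example: pre-flight checks for an Apache key/certificate pair.

# Constructed sample: write PREFIX.key and PREFIX.crt (self-signed) for HOST.
# Usage: make_cert PREFIX HOST TRUE|FALSE   (third argument sets the CA flag)
make_cert() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
basicConstraints = critical,CA:$3
subjectAltName = DNS:$2
EOF
    openssl req -x509 -nodes -newkey rsa:2048 -days 30 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null && chmod 600 "$1.key"
}

# "key values mismatch": the key's public half must equal the cert's public key.
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# AH01906: the certificate offered as a server certificate carries CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# AH01909: no CN or subjectAltName entry matches the ServerName.
cert_matches_name() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Run all three checks. Usage: check_pair KEYFILE CERTFILE SERVERNAME
check_pair() {
    rc=0
    key_matches_cert "$1" "$2" || { echo "key does not belong to certificate"; rc=1; }
    if is_ca_cert "$2"; then echo "certificate is a CA certificate"; rc=1; fi
    cert_matches_name "$2" "$3" || { echo "certificate has no ID for $3"; rc=1; }
    return $rc
}
```

Point check_pair at the files named by SSLCertificateKeyFile and SSLCertificateFile, together with the vhost's ServerName; a non-zero exit status means at least one of the three problems is present.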