Google Sitemap Generator - set up HTTPS on Linux - ssl

I am new to site maps and Google Sitemap Generator.
I am working on a test server that is neither localhost nor live; it's basically a local test server.
I have installed it and also enabled remote access and am now able to access the admin console using HTTP.
The problem is I need to enable HTTPS as well.
When I try to access it through HTTPS, I get an "SSL CONNECTION ERROR".
I know that Google's documentation on this topic says something like:
To set up HTTPS on Linux:
1. Edit the file /usr/local/google-sitemap-generator/conf/httpd.conf.
2. In the VirtualHost section, edit the SSL settings.
3. Save the file.
4. Restart Apache to effect the changes.
But in the file httpd.conf, there are no "SSL settings" for me to edit.
Can someone remove this 'vagueness' from the directions?
Thanks

I suppose you have to add something like this to /usr/local/google-sitemap-generator/conf/httpd.conf (inside the VirtualHost directive):
SSLEngine on
SSLCertificateFile /etc/google-sitemap-generator/server.crt
SSLCertificateKeyFile /etc/google-sitemap-generator/server.key
This link was helpful for me: http://groups.google.com/group/google-sitemap-generator/browse_thread/thread/a5b0575efad76328
In my case server.crt and server.key files were generated by openssl command (http://www.akadia.com/services/ssh_test_certificate.html).
Make sure mod_ssl is enabled in Apache (run a2enmod).
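As an added example (not part of the original answer or of Google's documentation), the shell functions below create the server.key/server.crt pair that the SSLCertificateFile and SSLCertificateKeyFile lines point to, and check that the two belong together before Apache is restarted. The function names, the target directory and the host name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Directory and host name are
# placeholders; the file names follow the answer (server.key, server.crt).

# Create a 2048-bit RSA key and a self-signed certificate for host name $2
# in directory $1, valid for $3 days (default 365).
make_selfsigned() {
    dir=$1 cn=$2 days=${3:-365}
    mkdir -p "$dir" || return 1
    # umask 077 so the private key is never readable by other users.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
          -subj "/CN=$cn" \
          -keyout "$dir/server.key" -out "$dir/server.crt"
    ) >/dev/null 2>&1 || return 1
    chmod 644 "$dir/server.crt"
}

# Exit 0 only if private key $1 and certificate $2 carry the same public key.
# A mismatched pair in SSLCertificateFile / SSLCertificateKeyFile stops Apache
# from starting, so check before the restart rather than after.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Usage: sh make-cert.sh /etc/google-sitemap-generator myhost.example
if [ "$#" -ge 2 ]; then
    make_selfsigned "$1" "$2" &&
        key_matches_cert "$1/server.key" "$1/server.crt" &&
        echo "key and certificate match; enable mod_ssl (a2enmod ssl) and restart Apache"
fi
```

A self-signed certificate still produces a browser trust warning until the client is told to trust it; the check only confirms that the two files form a pair.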

Related

Why Lightsail bitnami after LetsEncrypt change index.html location

My Node.Js Bitnami Lightsail instance had its frontend code at /opt/apache/htdocs and http://example.com was working perfectly pointing to that directory (my backend located under opt/projects).
After executing Certbot LetsEncrypt my domain is now pointing to a different folder /var/www/html
Please advise on:
In certbot instruction page I choose Apache for "My HTTP website is running", there wasn't a Bitnami option, was that the right call?
Is this the right configuration and just move my code to html folder?
Does my backend code have to move too? If so, where?
Any other well-known issues that I might face?
Cheers.
Bitnami Engineer here,
We do not have any guide to configure certbot and Bitnami, but we have a guide that helps you configure the Let's Encrypt SSL certificate using lego. We have a tool that configures everything so you do not need to worry about editing the Apache's conf files or setting the renew process.
sudo /opt/bitnami/bncert-tool
You can learn more about it here.
In case you want to manually create a SSL certificate, you can also run the lego tool directly
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/opt/bitnami/letsencrypt" run
You will later need to configure the Apache's conf files to use that new certificate file. You can learn more about it here
Note: If you used certbot and it modified the Apache's configuration, you will need to undo those changes to use the proper folder. You will need to review the /opt/bitnami/apache2/conf/httpd.conf, /opt/bitnami/apache2/conf/bitnami/bitnami.conf and /opt/bitnami/apache2/conf/vhosts/* files

How to properly install SSL to my server?

I have a sub-domain I want to install a valid SSL (possibly free SSL). I used to access my website through the public address of my server. Now I am using subdomain to access my website. I want to add a valid SSL to my server to secure my website. I am using XAMPP. How can I install SSL properly because when I access my website using HTTPS I am getting a NET::ERR_CERT_AUTHORITY_INVALID and where can I get a valid SSL Certificate?
The most popular free SSL certificate is the one you can get from letsencrypt.
Then here are the steps to get your certificate working on a localhost machine (XAMPP):
1. Create a new folder crt in the default XAMPP location: C:\xampp\apache\crt
2. Paste 2 files there: cert.conf and make-cert.bat
3. Now edit cert.conf and run make-cert.bat
Change the {{DOMAIN}} text to the domain we want to use, in this case site.test, and save.
Double-click make-cert.bat and input the domain site.test when prompted. Just press Enter for the other questions, since we already set the defaults in cert.conf.
After that, you will see a site.test folder created. In that folder we will have server.crt and server.key. This is our SSL certificate.
4. Double-click server.crt to install it on Windows so Windows can trust it.
Then select “Place all certificates in the following store”, click Browse and select Trusted Root Certification Authorities.
5. Edit your hosts file
5.1 Open Notepad as administrator.
5.2 Edit C:\Windows\System32\drivers\etc\hosts (the file has no extension)
5.3 Add this on a new line:
127.0.0.1 site.test
This will tell Windows to load XAMPP when we visit http://site.test. You can try it and it will show the XAMPP dashboard page.
6. Add the site in XAMPP conf.
We need to enable SSL for this domain and let XAMPP know where we store the SSL cert. So we need to edit C:\xampp\apache\conf\extra\httpd-xampp.conf
And add this code at the bottom:
## site.test
<VirtualHost *:80>
DocumentRoot "C:/xampp/htdocs"
ServerName site.test
ServerAlias *.site.test
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "C:/xampp/htdocs"
ServerName site.test
ServerAlias *.site.test
SSLEngine on
SSLCertificateFile "crt/site.test/server.crt"
SSLCertificateKeyFile "crt/site.test/server.key"
</VirtualHost>
After that, you will need to restart Apache in XAMPP. It's very simple: open the XAMPP Control Panel and stop and restart the Apache module.
7. Restart your browser
Arguably most popular free SSL Provider (and the one I use) will be LetsEncrypt.
Steps for installation will vary based on OS, like this for Ubuntu
You may get free SSL using this link [1]. You need to select the software that you're using, for example Apache, and select what operating system you are using; in my case I am using Debian 9. If you're unsure about your system, you need to ssh to your server and execute the command "$ cat /etc/*release" if you're using Linux. Once you have selected the correct software and system, it will give you instructions on how to get SSL.
You may follow the instructions here [2] on how to install SSL.
Hope this information helps you.
[1] https://certbot.eff.org/lets-encrypt/debianstretch-apache
[2] https://www.sslshopper.com/apache-server-ssl-installation-instructions.html
The most common solution of free SSL is LetsEncrypt.
LetsEncrypt provides a variety of clients for most OSs. I recommend using the client ACMESharp.
Follow these steps in PowerShell (as described in the official documentation of the project):
1) Install ACMESharp
Import-Module ACMESharp
2) Initialize the vault
Initialize-ACMEVault
3) Create new ACME registration using email
New-ACMERegistration -Contacts mailto:somebody@example.org -AcceptTos
4) Submit the domain identifier
New-ACMEIdentifier -Dns myserver.example.com -Alias dns1
5) Handle the Challenge to Prove Domain Ownership
Pick a method to prove that you own your domain; I recommend the HTTP Challenge.
(Complete-ACMEChallenge dns1 -ChallengeType http-01 -Handler manual).Challenge
If you do not get the challenge details like file path and content in the output, try this:
(Update-ACMEIdentifier dns1 -ChallengeType http-01).Challenges | Where-Object {$_.Type -eq "http-01"}
You'll probably have to allow hidden locations to be accessed via apache, so the challenge can reach .well-known location.
You could use something like the following config, depending on your custom needs (as mentioned in this post as well):
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_FILENAME} !.well-known/
RewriteRule "(^|/)\.(?!well-known)" - [F]
</IfModule>
6) Submit the Challenge Response to Prove Domain Ownership (HTTP method)
Submit-ACMEChallenge dns1 -ChallengeType http-01
The challenge does not get updated instantly so try updating on the results until it's valid.
(Update-ACMEIdentifier dns1 -ChallengeType http-01).Challenges |Where-Object {$_.Type -eq "http-01"}
Once it's valid, try:
Update-ACMEIdentifier dns1
7) Request and Retrieve the Certificate
New-ACMECertificate dns1 -Generate -Alias cert1
Submit-ACMECertificate cert1
The certificate might not be issued instantly so try:
Update-ACMECertificate cert1
Until it's ok.
8) Export the public and private keys
Private key:
Get-ACMECertificate cert1 -ExportKeyPEM "path\to\cert1.key.pem"
Certificate signing request:
Get-ACMECertificate cert1 -ExportCsrPEM "path\to\cert1.csr.pem"
Let's Encrypt public certificate:
Get-ACMECertificate cert1 -ExportCertificatePEM "path\to\cert1.crt.pem" -ExportCertificateDER "path\to\cert1.crt"
Issuer's public certificate:
Get-ACMECertificate cert1 -ExportIssuerPEM "path\to\cert1-issuer.crt.pem" -ExportIssuerDER "path\to\cert1-issuer.crt"
You don't practically need all of the above, anyway, but the private key is absolutely necessary so keep it safe.
For more documentation visit the github repo of the project.

How to stop Chrome from redirecting to HTTPS?

A few days ago, Chrome started redirecting all of my vHosts in Wampserver to https. Everything was working fine until a couple days ago, then one day I logged on to work on my site and Chrome said that the site couldn't be reached, even though I used the same URL I always did in the past. Wamp is running as well as Apache and MySQL and none of those services have any errors in the error log.
I have already tried removing the domain (I use a fake .dev extension for my local sites) with chrome://net-internals/#hsts but that didn't do anything. I also tried installing SSL to see if Chrome would detect it as a secure connection... nothing. I even tried reinstalling Wamp completely (even though the vHosts work fine in other browsers) and nothing changed.
The only thing that works in Chrome is accessing the sites via http://localhost/site. The redirect to HTTPS happens for all of my Apache vHosts. I've googled and googled and can't find anything that actually fixes the problem.
Chrome v63 forces .dev domains to HTTPS. The Internet Engineering Task Force RFC2606 specified what top level domains should be used for local development, and .dev isn't on that list.
Google owns the .dev top level domain and automatically redirects all .dev domain names to an HTTPS version of the site via preloaded HSTS.
With .dev being an official generic top-level domain (gTLD), we're better changing our local development suffix from .dev to something else, even if there are other solutions (e.g. https with self-signed certificates). So you should use .test, .example, .invalid or .localhost as your local development TLDs instead.
I can't improve the answer of @benedikt, as it is correct. There are good temporary fixes:
typing "badidea" on the warning page, this might not work if you have SSL set up (hacked together) locally. It bypasses the warning, but my local SSL isn't setup correctly and shows another local site.
narayon also suggests a link to a chrome forum, which I haven't tried.
My workaround was to update all my ".dev" development TLDs to ".d3v"
Still short enough to type quickly, descriptive, and probably future-proof.
I have found a quick work-around that worked for my needs and may help someone else.
I use Browser Sync when developing and I just set the proxy argument to "testsite.dev" and it will serve up correctly in Chrome.
Here is the command I am using:
browser-sync start --proxy "testsite.dev" --port "3000" --files "./**/*.*"
I too use the .dev extension and will change to some other domain in the future but for my existing .dev sites, when the privacy error shows up, click anywhere on the screen and type 'badidea' and chrome will redirect you to the site. It works!
Solution 1 - choose a reserved and future-proof gTLD like .localhost or .test
Edit your hosts file (for Windows it is C:\Windows\System32\Drivers\etc\hosts)
127.0.0.1 testsite.localhost
Solution 2 - install a self-signed certificate for .dev
Create the certificate. Open PowerShell as Administrator and run:
P.S. Make sure to install mkcert first
C:\Users\John> mkcert *.testsite.dev
This will create a wildcard certificate that will work for all .testsite.dev sites
Copy these keys from C:\Users\John to C:\xampp\apache\crt\testsite_dev (create the crt folder if it doesn't exist)
Add entries in your C:\Windows\System32\Drivers\etc\hosts file
127.0.0.1 testsite.dev
127.0.0.1 www.testsite.dev
Open your C:\xampp\apache\conf\extra\httpd-vhosts.conf and add an entry
<VirtualHost *:443>
DocumentRoot "C:/xampp/htdocs"
ServerName testsite.dev
ServerAlias www.testsite.dev
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
SSLEngine on
SSLCertificateFile "crt/testsite_dev/_wildcard.testsite.dev.pem"
SSLCertificateKeyFile "crt/testsite_dev/_wildcard.testsite.dev-key.pem"
</VirtualHost>
Restart Apache
(Extra) step - make your OS & browser trust self-signed certificates, otherwise it won't work

Unable to SSL Godaddy verified certificate on AWS EC2 (Ubuntu) apache system

I am unable to SSL my website ainoapp.io; although I can use https://www.ainoapp.io/, as all our pages show up correctly, the site is still not secure.
Here are the steps that I did on the EC2 Ubuntu Apache system (after Godaddy approved the certificate).
enabled ssl and header module
uploaded files c969b7f1a54c0a63.crt and gd_bundle-g2-g1.crt to /etc/apache2/ssl
created two conf files in /etc/apache2/sites-available: ainosite.conf and ainosite-ssl.conf
enabled default-ssl.conf, ainosite-ssl.conf and ainosite.conf such that sites-enabled has these entries only.
EC2 instance accept inbound traffic 443
port.conf listen to port 80 and 443
restart apache
Below are the snippets:
Am I missing something here, any ideas would be a great help.
Thanks in advance.
Scrutinize the wording of the error (warning) message carefully.
The browser is not really complaining about your SSL configuration.
It's complaining that you're being inconsistent with the images on the page -- they are still <img src="http://... instead of also using HTTPS (or being relative links, or protocol agnostic).
I believe this is also referred to as a "mixed content" warning.
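A way to locate the references this answer describes, as an added example that is not part of the original thread: the function below lists every tag in a site's sources that still loads its `src` over plain http://. The function name, the scanned file extensions and the tag list are assumptions, and tags split across several lines are not handled.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes .html/.htm/.php sources
# with each tag on one line; the tag list is a starting point, not complete.

# Print "file:line: kind <tag> url" for every subresource still loaded over
# plain http://. "active" content (script, iframe, embed) is blocked by
# current browsers on an HTTPS page; "passive" content (images, media) is the
# case the answer describes. <a href="http://..."> is navigation, not mixed
# content, and is not reported.
find_mixed_content() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' \) |
    sort | while IFS= read -r f; do
        awk -v f="$f" -v q="'" '
        BEGIN {
            tags  = "<(img|audio|video|source|script|iframe|embed)"
            srcre = "[ \t]src=[\"" q "]?http://"
            tagre = tags "[^>]*" srcre "[^\"" q " >]+"
        }
        {
            rest = $0
            # Match case-insensitively, but report the URL as written.
            while (match(tolower(rest), tagre)) {
                hit  = substr(rest, RSTART, RLENGTH)
                rest = substr(rest, RSTART + RLENGTH)
                tag  = tolower(hit); sub(/^</, "", tag); sub(/[^a-z].*$/, "", tag)
                match(tolower(hit), srcre)
                url  = substr(hit, RSTART + RLENGTH - 7)
                kind = (tag ~ /^(script|iframe|embed)$/) ? "active" : "passive"
                printf "%s:%d: %s <%s> %s\n", f, NR, kind, tag, url
            }
        }' "$f"
    done
}

# Usage: sh mixed.sh /var/www/html
if [ "$#" -ge 1 ]; then find_mixed_content "$1"; fi
```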

Determine which certificate expired

Knowing that my apache certificates were to expire, I went through the process of renewing them. I got them all in place. My website worked wonderfully. Checking the cert from IE showed the new expiration date. Perfect... or so I thought. When the original expiration date hit, I couldn't access the website. My log is showing a Java cert expired. I can't find it on my system.
I've done simple things like find / -name "*.crt". I've gone through our company admin guide. I've checked several websites. But I can't determine where there is an expired cert. Is there a way to get Java to tell you more information about the error?
My system info:
3 servers: FrontEnd, Middleware, DB. Using Apache, Tomcat, ecm. Closed system so I can't copy the log.
Error message from log on FrontEnd:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Sun Feb 01 20:44:51 UTC 2015
If you have an Apache HTTP server, normally the SSL certificate is configured in /etc/httpd/httpd.conf or in a separate file under the /etc/httpd directory, like /etc/httpd/sites/vhosts_your_site. The property is SSLCertificateFile, defined inside a <VirtualHost> tag. You can grep for:
grep -r "SSLCertificateFile" /etc/httpd/
Typically the configuration looks like:
<VirtualHost your_ip:443>
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path_to_your_cds.crt
SSLCertificateKeyFile /path_to_your_private.key
SSLCertificateChainFile /path_to_your_cdschain.crt
...
</VirtualHost>
See the apache documentation for more details.
It is also possible to configure an SSL certificate in Tomcat; however, since you have an Apache, I think it's more probable that the configuration is there.
Anyway, if you want to check whether the SSL certificate is configured under Tomcat, check in the $CATALINA_BASE/conf/server.xml file whether there is a <connector> with attribute scheme="https".
If your connector uses JSSE, the certificate keystore path is in <connector keystoreFile='your_ks_path'>; if you use an APR connector, then it is in <connector SSLCertificateFile='your_cert.cer'>.
For more details take a look at tomcat ssl documentation.
Hope this helps,
If you don't use Apache as an SSL proxy, it could be that your Apache is using a certificate which is stored in a Java Keystore File (jks). So you should check for jks files: find / -name "*.jks"
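Searching by file name, as in the question and the answers above, misses certificates stored under other extensions or inside chain bundles. The following added example (not code from any of the posts; the function names are assumptions) finds PEM certificates by content and reports each one that is expired or expires within a given number of seconds.

```shell
#!/bin/sh
# Added example, not from the original posts.

# List files under directory $1 that contain a PEM certificate. Matching on
# the header instead of the name also finds .pem/.cer files and chain bundles.
find_pem_certs() {
    grep -rl -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null | sort
}

# Print "file #n notAfter=<date>" for each certificate under $1 that expires
# within $2 seconds (0 = already expired). Bundles are split first because
# "openssl x509" only reads the first certificate in a file.
expiring_certs() {
    tmp=$(mktemp -d) || return 1
    find_pem_certs "$1" | while IFS= read -r f; do
        rm -f "$tmp"/*
        awk -v d="$tmp" '
            /-----BEGIN CERTIFICATE-----/ { n++; out = d "/" n }
            out != ""                     { print > out }
            /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
        ' "$f"
        for c in "$tmp"/*; do
            [ -f "$c" ] || continue
            # Skip blocks that do not parse as a certificate.
            end=$(openssl x509 -in "$c" -noout -enddate 2>/dev/null) || continue
            openssl x509 -in "$c" -noout -checkend "$2" >/dev/null 2>&1 ||
                printf '%s #%s %s\n' "$f" "${c##*/}" "$end"
        done
    done
    rm -rf "$tmp"
}

# Usage: sh expiring.sh /etc 0          (expired certificates under /etc)
#        sh expiring.sh /etc 2592000    (expiring within 30 days)
if [ "$#" -ge 1 ]; then expiring_certs "$1" "${2:-0}"; fi
```

Java keystores (.jks) are not PEM and are not covered by this scan; `keytool -list -v -keystore <file>` prints the validity period of each entry in a keystore.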