Enabling SSL on apache instance on EC2 - apache

I have an EC2 instance that is using Amazon's custom linux install with built in apache. This install also has openssl installed. That being said, there does not appear to be a mod_ssl.so to load up in httpd.conf.
So, I want to know the best way to get Apache SSL-enabled so I can set up my SSL virtual host (note that I have already set up the cert/signatures). Ideally, I would like to not have to rebuild/reinstall Apache.

Try this command:
yum install mod_ssl

A summary of what needs to be done to enable SSL on apache server on EC2:
Get SSL certificate (which you already did)
Install mod_ssl as Jose Vega said
Add the following lines to your httpd.conf:
NameVirtualHost *:443
<VirtualHost *:443>
ServerName www.example.com
# other configurations
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/mydomain.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mydomain.key
</VirtualHost>
Finally, don't forget to open port 443 on your EC2 instance

I managed to enable SSL on my ec2 instance and to install a free ssl certificate from startssl.com. I made a few mistakes, this is the basic approach:
Signup to startssl.com by clicking Control Panel link
Complete the signup process. You will need to verify your email address.
Validate your domain under Validation Wizard -> Domain Name Validation
Get a Certificate by Certificate Wizard
Choose: Web Server SSL/TLS Certificate
Enter a password that will be used to encrypt the private key. You will need this later.
I chose keysize of 4096
Save the encrypted private key as ssl.encrypted.key someplace
?? I forget what happened next
Save the certificate file as ssl.crt someplace. For me I had to wait 30 minutes, then it appeared under Tool Box -> Retrieve Certificate
Use openssl to decrypt the encrypted ssl.encrypted.key file
sudo openssl rsa -in ssl.encrypted.key -out ssl.unencrypted.key
startssl.com also has a decrypt option on their website, but it didn't work for me
putty/ssh onto your ec2 machine
install mod_ssl
sudo yum install mod_ssl
Replace the default certificate and key
sudo vi /etc/pki/tls/certs/localhost.crt
Paste in the contents of ssl.crt
Make sure it pastes correctly! I always lose the first 6 characters
Use :%d to delete the existing certificate if required
[ESC] :wq
sudo vi /etc/pki/tls/private/localhost.key
Paste in the contents of ssl.unencrypted.key
Again make sure it pastes correctly!
[ESC] :wq
Check the configuration
apachectl configtest
Restart
sudo service httpd restart
I had issues restarting and I think what fixed it was sudo kill -9 httpd

You should install the SSL module, since mod_ssl does not ship with most instances by default, but which package you need depends on the Apache version you are using in your AWS instance. To check which one you are using, you can run this command in your command line:
httpd -v
For Apache 2.2
yum install mod_ssl
For Apache 2.4
yum install mod24_ssl

If you are using Amazon Lightsail, be sure to go into Networking from the Lightsail dashboard and add HTTPS/443 in your Firewall:

Here's what worked for me, via shell, with a wildcard cert that had a CA bundle (on Lightsail servers, HTTPS/443 enabled). Mileage may vary. Test on https://www.digicert.com/help/ after install. For brevity, I've shortened the certs/keys here (obviously).
It's worth noting also that I did not need to set up a VirtualHost for the domain.
# Overwrite these files on Amazon Linux + mod_ssl (or mod24_ssl)
# /etc/pki/tls/certs/ca-bundle.crt
# /etc/pki/tls/certs/localhost.crt
# /etc/pki/tls/private/localhost.key
## BEGIN
# INSTALL AS ROOT
sudo -su root
sudo cat > /etc/pki/tls/certs/localhost.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIF7DCCBNSgAwIBAgIMNY9yk7s651tb2YasMA0GCSqGSIb3DQEBCwUAMEwxCzAJ
KoZIhvcNAQELBQADggEBACu8MsClqLbO1NqjXw+igERhLRkISgnkIjB1p69zh3V0
/3b68mkC+8pL3HNLgL0qIM9sPKKOl/Iyky2EfwfQDoZEWNB0qWKIOovH5Oj9z5DE
-----END CERTIFICATE-----
EOF
sudo cat > /etc/pki/tls/private/localhost.key <<EOF
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCL6UsW9yC0Faev
1zeEJcF6E7P6XYqT25rWMj5xzUM8gi/4nLpGr+tOBlFJYSbLlEHJKG6QLO9Ku896
MwTtWyOrTlPtpJEi9LUrLmOUXtD1WN2Ekql/ZLaO7pxUtVTRF4MyYspGgU1ZjkxY
vQLnZs85bnG2dLz7Q4xxlj4=
-----END PRIVATE KEY-----
EOF
sudo cat > /etc/pki/tls/certs/ca-bundle.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIESzCCAzOgAwIBAgIOSMqBefg+ikLz9c3isT8wDQYJKoZIhvcNAQELBQAwTDEg
bFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTYxMDE0MDAwMDAwWhcNMjQw
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
-----END CERTIFICATE-----
EOF
# RESTART
sudo service httpd restart
#DONE

Related

How to get .crt and .key from cert.pem and key.pem

I know this is a super similar question to many other questions, but none of them either give a straight answer or one that works for me...
I have gotten two files from Let's encrypt:
cert.pem
key.pem
I need to get them into a crt and key format for use on an nginx server.
I have tried:
openssl rsa -outform der -in key.pem -out key.key
and
openssl x509 -outform der -in cert.pem -out cert.crt
but get the following error when starting up nginx:
# service nginx restart
Performing sanity check on nginx configuration:
nginx: [emerg] cannot load certificate "/etc/ssl/nginx/cert.crt": PEM_read_bio_X509_AUX() failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
The extension .pem indicates that the file format is PEM (Privacy-Enhanced Mail). However, the extension does not tell anything about the content of the file. The content may be a certificate, a private key, a public key, or something else.
The extension .crt indicates that the content of the file is a certificate. However, the extension does not tell anything about the file format. The file format may be PEM, DER (Distinguished Encoding Rules) or something else. If the file is text and contains -----BEGIN CERTIFICATE-----, the file format is PEM. On the other hand, if the file is binary, it is highly likely that the file format is DER.
The extension .key indicates that the content of the file is a private key. However, the extension does not tell anything about the file format. The file format may be PEM, DER or something else. If the file is text and contains -----BEGIN PRIVATE KEY----- (or something similar), the file format is PEM. On the other hand, if the file is binary, it is highly likely that the file format is DER.
Diagrams below from "Illustrated X.509 Certificate" illustrate the relationship among ASN.1 (X.680), DER (X.690), BASE64 (RFC 4648) and PEM (RFC 7468).
Both ssl_certificate and ssl_certificate_key of ngx_http_ssl_module expect that the file format is PEM as the reference document says. Therefore, you don't have to change the file format of your cert.pem and key.pem because their file extension .pem indicates that their file format is already PEM. Just write like below in your Nginx configuration file.
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
If you prefer .crt and .key extensions, just rename them like below.
$ mv cert.pem cert.crt
$ mv key.pem key.key
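The answer above makes the point that the extension says nothing reliable about the content or the encoding, and the StartSSL answer earlier on this page warns that pasting a certificate into vi can silently drop its first characters. Both come down to the same check: look at the bytes. The following Python script is an added example, not code from any of the answers; it classifies a file as PEM or DER by content, reports a damaged BEGIN/END pair or an undecodable body, and converts between the two forms the way `openssl x509 -outform der` does. The sample inputs are constructed (the PEM body is the base64 of a five-byte DER SEQUENCE, not a real certificate), and the names `identify`, `pem_to_der` and `der_to_pem` are this example's own.

```python
import base64
import re
import textwrap

# Constructed sample (not real key material): the PEM body is the base64 of the
# DER encoding of SEQUENCE { INTEGER 5 }, i.e. the bytes 30 03 02 01 05.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)

# One PEM block: the label in the BEGIN line must be repeated in the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S
)


def der_sequence_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) with a consistent length."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short form: length fits in one byte
        length, header = first, 2
    else:                                  # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        header = 2 + n
    return header + length == len(data)


def identify(data: bytes):
    """Classify by content, not extension. Returns (format, pem_label, problems)."""
    problems = []
    text = data.decode("ascii", errors="replace")
    if "-----BEGIN " in text or "-----END " in text:
        match = PEM_BLOCK.search(text)
        if match is None:
            problems.append("PEM markers present but BEGIN/END pair is damaged (bad paste?)")
            return "PEM", None, problems
        label = match.group(1)
        body = "".join(match.group(2).split())  # drop the line breaks inside the body
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            problems.append("PEM body is not valid base64")
            return "PEM", label, problems
        if not der_sequence_ok(der):
            problems.append("decoded PEM body is not a well-formed DER SEQUENCE")
        return "PEM", label, problems
    if der_sequence_ok(data):
        return "DER", None, problems
    problems.append("neither PEM nor DER")
    return "UNKNOWN", None, problems


def pem_to_der(pem: str) -> bytes:
    """What `openssl x509 -outform der` does: strip the armour and base64-decode."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(match.group(2).split()), validate=True)


def der_to_pem(der: bytes, label: str) -> str:
    """Inverse: base64 at 64 columns between BEGIN/END lines (RFC 7468 layout)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    print(identify(SAMPLE_CERT_PEM.encode()))        # PEM CERTIFICATE, no problems
    print(identify(pem_to_der(SAMPLE_CERT_PEM)))     # DER: the form nginx refused to load
    print(identify(SAMPLE_CERT_PEM[6:].encode()))    # a paste that lost its first 6 characters
```

Running `identify` over the DER output of the question's `openssl x509 -outform der` command shows why nginx reported "no start line": there is no BEGIN line in a DER file at all. The same function run over a freshly pasted localhost.crt catches the truncated-header case before `apachectl configtest` does.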
When you want to set up NGINX with Let's Encrypt, then you can do it automatically by using the application certbot.
To install certbot for nginx:
on Ubuntu/Debian:
sudo apt install python-certbot-nginx
on Arch linux:
sudo pacman -S certbot-nginx
on Centos:
sudo yum install epel-release
sudo yum install certbot-nginx
Then you need to make a very simple configuration file for your domain. The directory should be the same for all the mentioned operating systems
/etc/nginx/sites-available/example.com
In here you just add this information:
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    location / {
        proxy_pass http://127.0.0.1:5000; # Example
    }
}
Then create the symlink to activate the domain
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
Remember to change example.com with your domain, and switch proxy_pass to your service or directory of hosted files.
Now you should restart NGINX:
sudo nginx -t
This one will return an error if you have errors in your configuration.
If everything is ok then restart NGINX
sudo systemctl restart nginx.service
Now certbot comes into the picture:
sudo certbot --nginx -d example.com -d www.example.com
At this point Let's encrypt will try to reach your nginx server, and if everything is OK - this means:
Firewall settings allow for port 80 and 443 to pass
Port forwarding through the network for the two ports is allowed
Then you will get to pick easy or secure access. I recommend the secure option.
When you have clicked [enter] then the process will be finished and certbot will have generated all your certification files and added them to the correct path.
Your configuration file in /etc/nginx/sites-available/example.com will have been updated with all the correct settings.
You may be required to restart nginx once again.
I hope it was helpful. Good luck
[Sources]
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7
https://wiki.archlinux.org/index.php/Certbot#Nginx

How to Install GoDaddy SSL Certificate in Amazon EC2

I have a GoDaddy domain, for example website.com, which points to an Amazon EC2 instance. I bought an SSL certificate from GoDaddy for website.com. How can I configure the EC2 instance to make website.com HTTPS?
If you are using Ubuntu for the server instance, follow the following points:
Log in to the ec2 instance using ssh or putty
Enable ssl module by executing this command: sudo a2enmod ssl
You may have to restart the apache server through systemctl: sudo systemctl restart apache2
Make an ssl folder under your html directory and open it:
sudo mkdir /var/www/html/my_ssl
cd /var/www/html/my_ssl
Generate csr and key files:
sudo openssl req -nodes -newkey rsa:2048 -keyout my_website.key -out my_website.csr
You'll have to provide these details: Country, State, City, Organization, Unit, FQDN, email, a challenge password, Optional company name.
Note that the FQDN can be website.com or example.website.com
Open the csr file through nano or vi and copy its contents: vi /var/www/html/my_ssl/my_website.csr
Go to your godaddy certificate, click on new certificate, choose the second option that handles csr, and paste the contents into it. If no problem is found, you can continue to the next step.
Godaddy will send an email to one of the standard admin emails of the site. If none of them exists, make sure you create it. It will take around half an hour for the certificate to change from pending to valid.
Download the key files from godaddy and put them in the apache ssl folder: /etc/apache2/ssl/certs
Open the default-ssl.conf file for modification : sudo vi /etc/apache2/sites-available/default-ssl.conf
Add your website name, and change the default values for ServerAdmin email, ServerAlias, DocumentRoot, set SSLEngine on, and the paths of SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile.
Finally set the modified file to be the default configuration and restart your apache:
sudo a2ensite default-ssl.conf
sudo service apache2 restart
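The answer above generates the private key inside /var/www/html/my_ssl, which is below Apache's DocumentRoot; anything under a served directory can end up being served, so the key belongs in a directory Apache never exposes (the answer itself later moves the downloaded files to /etc/apache2/ssl/certs) and should not be readable by group or others. The following Python script is an added example, not part of the answer; it runs the checks a practitioner would make before `a2ensite`: is the key under a web-served directory, are its permission bits wider than 0600, and does it start with a PEM private-key header. The Ubuntu default DocumentRoot /var/www/html is an assumption; `demo()` builds a constructed scenario in a temporary directory with placeholder files (no real key material) so the script runs anywhere.

```python
import os
import stat
import tempfile
from pathlib import Path

# Directories Apache may serve files from. The Ubuntu default DocumentRoot is
# assumed here; extend the list with every DocumentRoot and Alias in your vhosts.
WEB_SERVED_DIRS = ["/var/www/html"]


def check_private_key(key_path, web_served_dirs=WEB_SERVED_DIRS):
    """Return a list of findings for a TLS private key file; an empty list means OK."""
    findings = []
    key = Path(key_path).resolve()
    for served in web_served_dirs:
        served = Path(served).resolve()
        if key == served or served in key.parents:
            findings.append(f"{key} lies under web-served directory {served}")
    mode = stat.S_IMODE(os.stat(key).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{key} has mode {oct(mode)}; remove group/other access (0600)")
    with open(key, "rb") as fh:
        head = fh.read(64)
    if b"PRIVATE KEY-----" not in head:
        findings.append(f"{key} does not begin with a PEM private-key header")
    return findings


def demo():
    """Constructed scenario: one key placed as the answer above does, one placed properly."""
    tmp = Path(tempfile.mkdtemp())
    docroot = tmp / "var" / "www" / "html"                  # stands in for /var/www/html
    bad_key = docroot / "my_ssl" / "my_website.key"         # where the answer's openssl req wrote it
    good_key = tmp / "etc" / "ssl" / "private" / "my_website.key"
    for path in (bad_key, good_key):
        path.parent.mkdir(parents=True, exist_ok=True)
        # Constructed placeholder content, not a real key.
        path.write_text("-----BEGIN PRIVATE KEY-----\nMAMCAQU=\n-----END PRIVATE KEY-----\n")
    os.chmod(bad_key, 0o644)    # world-readable, as a freshly written file usually is
    os.chmod(good_key, 0o600)
    return (check_private_key(bad_key, [docroot]),
            check_private_key(good_key, [docroot]))


if __name__ == "__main__":
    bad, good = demo()
    print("\n".join(bad) or "key under DocumentRoot: no findings")
    print("\n".join(good) or "key under private dir: no findings")
```

Point `check_private_key` at the real path named in your SSLCertificateKeyFile directive, with WEB_SERVED_DIRS filled from the DocumentRoot and Alias lines of the enabled sites, and fix every finding before the vhost goes live.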

ArangoDB working together with letsencrypt certificates

Is there anyone out there who got a running ArangoDB database working with a Let's Encrypt certificate? I just can't find out how to get this running.
ArangoDB is running on a DigitalOcean droplet and I could get it running together with a self-signed certificate following this tutorial. So ArangoDB is successfully running on port 8530.
Now my approach was replacing the self-signed certificate with a letsencrypt cert.
So I added a subdomain in DigitalOcean to the droplet, e.g. db.example.com, and then generated the cert files:
sudo -H ./letsencrypt-auto certonly --standalone -d db.example.com
You will end up with 4 files: cert.pem chain.pem fullchain.pem privkey.pem
As I understood, these files are:
Private Key --------> privkey.pem
Public Key ---------> cert.pem
Certificate Chain --> chain.pem
As described in the tutorial I mentioned, you need the certificate and the key in one file. So I did
cat chain.pem privkey.pem | sudo tee server.pem
to have a file containing the certificate and the private key.
Then I modified the file /etc/arangodb3/arangod.conf to let arango know where the keyfile is and modified the ssl section:
[ssl]
keyfile = /etc/letsencrypt/live/db.example.com/server.pem
But after restarting ArangoDB, the server is not available when trying to connect the browser to https://db.example.com:8530. Firewall settings for the droplet should all be OK, because I could access this address with the self-signed certificate before.
I then tried to modify the endpoint in /etc/arangodb3/arangod.conf from
endpoint = ssl://0.0.0.0:8530
to
endpoint = ssl://db.example.com:8530
and also
tcp://db.example.com:8530
None of it was working. Has somebody out there an idea what I am doing wrong?
Please use the IP of the interface you want to use when specifying the endpoint, e.g. endpoint = ssl://42.23.13.37:8530 (the ip address command should list your interfaces along with addresses in use). Then it could help to use the fullchain.pem to create the server.pem (cat fullchain.pem privkey.pem > server.pem). Make sure the resulting server.pem is accessible and readable by the arangodb user. If the server is still not starting correctly please provide logs of the server. To access the logs use systemctl -fu arangodb3.service or follow the logs with tail -f <logfile> if you use some custom location for logging.
I have just tested a setup with letsencrypt certificates and it was working after ensuring all above points.

Heroku SSL: install intermediate cert?

My registrar, gandi, gave me an intermediate cert to install, so I have 3 files:
Private key file (server.key)
Certificate file (mycert.crt)
Intermediate cert (GandiSomething.pem)
I'm using the SSL Beta service on Heroku. The Heroku CLI command heroku certs:add takes exactly two arguments, CRT and KEY. How do I install the intermediate cert?
Paul is right, you can combine certificates:
cat ssl.crt middle.crt root.crt > all.crt
Make sure there are newlines at the end of the cert files!
And upload it to Heroku (use add if you haven't SSL Endpoint yet):
heroku certs:update --app $YOUR_APP --confirm $YOUR_APP all.crt private.key
But there are some tricks you must not forget:
Update your DNS CNAME record. Change target from <app>.herokuapp.com to secure <domain>.herokudns.com (be careful, if you have *.your.domain record it can catch requests and forward it to another server)
Check the cert chain works right: SSL Checker
Flush local DNS: Flush DNS tips (antivirus can also patch and cache your connections)
Restart your browser (to flush browser's cache too)
Check your app with browser by https:// connection
The solution here is to combine the intermediate cert and the generated cert into one file, as described here. Because that link is shady, here's how the cert file should look once combined:
-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
wfsm5p9GJKaxB825DOgNghYAHZaS/KYIoA==
-----END CERTIFICATE-----
Then, this command will work:
heroku certs:add --app name-of-my-app file-with-combined-certs.crt myserver.key
Just pass it in as an argument. Put the intermediate in the middle, it takes it as another argument. Then check heroku certs and report back if it doesn't work.

I found an issue when I'm using apache benchmark (ab) with http

I found an issue when I'm using apache benchmark (ab) with HTTP: it is working fine, but when I'm running ab with HTTPS, I'm getting the error "benchmarking : SSL read failed - closing connection". Any ideas how it could be resolved?
Try Siege, it's similar to ab, but it can handle https with not trusted certificates.
With Siege you can create a file with the URLs you want to test (-f option); -c tells how many users (concurrency) and -t how much time (e.g. 1M one minute, 2H two hours)
siege -c 10 -t 1m -f file.txt
If you are using Debian, you can do an apt-get install siege
This appears to be a bug that occurs on some servers:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49382
This also happens if you are using an intermediate certificate authority (StartSSL free tier) that is not trusted by the client and misconfigured your SSL certificate.
You need to add the intermediate CA's certificate to your webserver's SSL certificate so that it looks like this:
-----BEGIN CERTIFICATE-----
..YOUR CERT......
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
..INTERMEDIATE CA CERT......
-----END CERTIFICATE-----
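The Heroku answers above, the chain layout just shown for the ab problem, and the ArangoDB answer earlier on this page all build one PEM file out of several: leaf certificate first, intermediates after it, and a trailing newline on every part so that the END line of one file and the BEGIN line of the next do not run together. The difference between them is whether the private key belongs in the file: a Heroku combined cert must not contain it (the key is uploaded separately), while ArangoDB's server.pem is keyfile plus certificate chain by design. The following Python script is an added example, not code from any answer or from Heroku or ArangoDB; it assembles such a bundle and checks the result for the mistakes those answers warn about. The PEM blocks are constructed placeholders (tiny DER SEQUENCEs, not real certificates or keys), and `assemble_bundle` and `check_bundle` are this example's own names.

```python
import re

# One PEM block; the label in the END line must match the BEGIN line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.S)

# Constructed placeholders (not real certificates or keys): each body is the
# base64 of a tiny DER SEQUENCE, which is enough to exercise the bundling logic.
LEAF_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
INTERMEDIATE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQY=\n-----END CERTIFICATE-----\n"
PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQc=\n-----END PRIVATE KEY-----\n"


def pem_labels(text):
    """Labels of the PEM blocks in text, in the order they appear."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def assemble_bundle(leaf, intermediates, private_key=None):
    """Leaf first, then intermediates (the one that signed the leaf first), key last if given.
    Every part gets exactly one trailing newline so blocks never run together."""
    parts = [leaf, *intermediates]
    if private_key is not None:
        parts.append(private_key)
    return "".join(part.strip() + "\n" for part in parts)


def check_bundle(text, expect_key=False):
    """Return findings for a bundle; an empty list means it is laid out as expected."""
    findings = []
    labels = pem_labels(text)
    if not labels:
        return ["no PEM blocks found"]
    if "----------" in text:            # END dashes glued to the next BEGIN dashes
        findings.append("blocks run together: a file was missing its trailing newline")
    if labels[0] != "CERTIFICATE":
        findings.append("first block must be the server (leaf) certificate")
    if labels.count("CERTIFICATE") < 2:
        findings.append("only one certificate: intermediate chain is missing")
    key_positions = [i for i, label in enumerate(labels) if label.endswith("PRIVATE KEY")]
    if key_positions and not expect_key:
        findings.append("private key present in a certificate-only bundle")
    if expect_key and not key_positions:
        findings.append("expected the private key as the last block")
    if expect_key and key_positions and key_positions != [len(labels) - 1]:
        findings.append("private key must be the single last block")
    return findings


if __name__ == "__main__":
    heroku_crt = assemble_bundle(LEAF_CERT, [INTERMEDIATE_CERT])
    print("heroku-style all.crt:", check_bundle(heroku_crt) or "ok")
    arango_pem = assemble_bundle(LEAF_CERT, [INTERMEDIATE_CERT], PRIVATE_KEY)
    print("arangodb-style server.pem:", check_bundle(arango_pem, expect_key=True) or "ok")
    print("key leaked into all.crt:", check_bundle(arango_pem))
    print("files glued together:", check_bundle(LEAF_CERT.rstrip("\n") + INTERMEDIATE_CERT))
```

Read the real cert.pem, the intermediate(s) and, only for the ArangoDB case, privkey.pem into the three inputs and write the return value of `assemble_bundle` to the target file; run `check_bundle` on the file before uploading it to Heroku or pointing the keyfile setting at it. The check cannot tell a leaf from an intermediate (that needs an X.509 parser), so keep the leaf-first order yourself and confirm the served chain afterwards with an external SSL checker as the Heroku answer suggests.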
Try installing the certificate in the machine from where you perform the request.