I have hosted my website in Azure. I have created a Virtual Machine on which i have installed LAMP stack as i am using php for my website. I have a sub domain along with the main domain. I want to install SSL for both.
My client has provided me the certificate for SSL installation. I search many Stack overflow post but could not find any post helpful for a beginner like me.
Thanks
Certificate Installation: Apache 2.4.8+
Under Linux, to check the version number of your Apache server, execute the following command:
apache2ctl -version
or
apachectl -version
Note : If your Apache server's version is less than 2.4.8, please skip this article and go this link
Prerequisites:
Concatenate the CAbundle and the certificate file which we sent you using the following command.
cat domain_com.crt domain_com.ca-bundle > ssl-bundle.crt
If you are Using GUI Text Editor (Ex: Notepad):
(i) To concatenate the certificate files into single bundle file, first open domainname.crt and domainname.ca-bundle files using any text editor.
(ii) Now copy all the content of domainname.crt and paste it on the top of domainname.ca-bundle file.
(iii) Now save the file name as ‘ssl-bundle.crt’.
Configure the Apache server:
Locate the Apache configuration file (example httpd.conf / ssl.conf), the configuration file name can be different depending on your apache version or flavour. Or in a Windows environment (EasyPHP, Wamp, ...) :
C:\Program Files\Apache Software Foundation\Apache X.X\conf\SSL2015
C:\Program Files\Apache Software Foundation\EasyPHP\SSL2015
In a standard installation under Linux, the SSL advanced configuration file is located here:
/etc/apache2/mods-enabled/ssl.conf
but it is not in this file that you will activate the certificate for a website. You'll have to edit the file
/etc/apache2/sites-enabled/default-ssl.conf
Use the following command to figure out where Apache is pulling its configuration from:
apache2ctl -V | grep SERVER_CONFIG_FILE
or just
apachectl -V | grep SERVER_CONFIG_FILE
The situation for ubuntu on Apache differs, as the configurations for 443 and 80 ports for each site are located in separate files. You can find it at /etc/apache2/sites-enabled/ Edit or create the file with the VirtualHost for 443 port to set up the secure connection.
Actually you can duplicate the record for port 80 (should be in your VirtulHost file by default) and change port 80 to port 443. Simply add it below non-secure module.
In the Virtual Host settings for your site, locate the SSL certificate settings section and verify that you have the following 2 directives within the Virtual Host. Please add them in if they are not present:
SSLCertificateKeyFile ( path to the private_key.key file used for the initial generation of the CSR)
SSLCertificateFile ( path to the PEM file containing the end entity certificate and the intermediates )
Example VirtualHost Configuration:
DocumentRoot /etc/httpd/htdocs
ServerName comodo.com
SSLEngine on
SSLCertificateFile /usr/local/ssl/crt/ssl-bundle.crt
SSLCertificateKeyFile /usr/local/ssl/private/private.key
Note: As with the example above, file names can be domainname.crt, server.key, your server however may use a different naming convention. If you are using a different file location than the example above, you will need to change the paths to match your files on the server.
If you want to enable OCSP Stapling for the website, please add the following directive to the Virtual Host section:
SSLUseStapling on
Also specify OCSP cache response location and size outside of the Virtual Host section using SSLStaplingCache directive:Converting a SSL certificate in Apache to Windows
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
Note: OSCP Stapling can be configured starting from Apache HTTP server 2.3.3 and later.
After making changes to your config file it is good practice to check the file for syntax errors using "apachectl configtest". The command will return Syntax Ok if there are no errors.
Restart your apache web server:
apachectl stop
apachectl start
To verify if you have correctly installed the SSL, please use our SSL Analyzer.
You can check this link.
https://support.comodo.com/index.php?/Knowledgebase/Article/View/1185/0/certificate-installation-apache-248
Is in azure provided free SSL? Otherwise you will not be able to install SSL with green bars. You can donate at https://letsencrypt.org/ to get SSL service with low price and develop your website even better.
Related
I am trying to install a certificate using certbot from LetsEncrypt on a Raspberry Pi. I have installed Apache2 and created a webserver at http://subdomain.mydomain.com on the Raspberry Pi. The certbot command obtains a certificate and writes it to http://subdomain.mydomain.com/.well-known/acme-challenge/<etc.>
Background Info: I am doing this because I need a local server to address IoT devices and my Ajax calls are failing because I am not allowed to mix http with https. The IoT devices are incapable of a hosting a webserver with SSL - they use a simple http:/192.168.1.xx/<string> format
I don't want to create a DNS entry at my registrar/ISP because I am trying to create a scalable solution and creating hundreds (perhaps thousands if we do well) of subdomain entries there is impractical. Creating my own DNS server is a possibility, but I would rather just do it all on the Pi - my bash installation script will take care of everything (once I get it to work!).
I tried first to create an entry into the local hosts (/etc/hosts) file which looks like this:
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.1.1 SubDomain
192.168.1.111 subdomain.mydomain.com
This works for commands like ping, but not for nslookup or dig and definitely not for certbot. The certbot command finds my main server - DNS is configured with a * to go to my Public IP for all unknown subdomains:
A * xx.xx.xx.xx //My public IP address
So then I installed dnsmasq (See: When using proxy_pass, can /etc/hosts be used to resolve domain names instead of "resolver"?) and followed the configuration options shown here: How to Setup a Raspberry Pi DNS Server
However, that doesn't work either. certbot still looks at my main (external DNS) and finds my Public (wildcard) IP. Here's a summary of the changes made in /etc/dnsmasq.conf
domain-needed ## enabled
bogus-priv ## enabled
no-resolv ## enabled
server=8.8.8.8 ## added (#server=/localnet/192.168.0.1 left as is)
server=8.8.4.4 ## added
cache-size=1500 ##increased from 150
How can I force certbot to find and use my local/private IP 192.168.1.111? Any alternative solutions using scripts/redirection?
Create a wildcard certificate using Let's Encrypt DNS validation. You will then have to renew the certificate manually. Otherwise, your server must be on the public Internet with correct DNS settings.
I finally solved my problem but I abandoned LetsEncrypt entirely. The answer was not in DNS, but in approaching it from a completely different angle. This was pretty much 95% of the solution.
Important! This only works if you have control over the browser. We do, since it is for our kiosk application which runs in a browser.
Step 1: Become your own CA
Step 2: Sign your SSL certificate as a CA
Step 3: Import the signed CA (.pem file) into the browser (under Authorities)
Step 4: Point your Apache conf file to the local SSL (the process generates .key and .crt files for this as well).
I am trying to make work icecast 2 and my letsencrypt SSL with no luck. So far what I did is built icecast 2 with openssl support and I also made it run but it always give the next error in the log file.
[2018-03-15 12:48:21] WARN connection/get_ssl_certificate Invalid private key file /usr/local/icecast/share/fullchain.pem
[2018-03-15 12:48:21] INFO connection/get_ssl_certificate No SSL capability on any configured ports
I have set these cert files readable by user: richard and of course I am also running the server itself with the richard user.
Maybe you have any idea what is wrong?
You may also see my config file here:
<listen-socket>
<port>8443</port>
<ssl>1</ssl>
</listen-socket>
In the path section I have set the ssl-certificate part to the SSL.
<ssl-certificate>/usr/local/icecast/share/icecast/fullchain.pem</ssl-certificate>
Nothing so far. The server itself is starting on the port, however when visiting it through https:// it just doesn't load. with http:// the port (8443) works fine.
Any help appricated.
Actually, I solved the issue myself.
The problem was the SSL not the configurations. Seems the LetsEncrypt SSL that is generated (fullchain.pem) is not working correctly. So instead of using that, I have copied the content from cert.pem and privkey.pem and made a new file named icecast.pem and pasted both into one. (first cert and then the privkey) and now everything is works fine and secure!
I am a genius!!!
For the Icecast2 complete certificate, you can use the command:
cat /etc/letsencrypt/live/domain.com/fullcert.pem /etc/letsencrypt/live/domain.com/privkey.pem > /etc/icecast2/bundle.pem
This will concatenate and save both certificates to a single file called bundle.pem under icecast2 folder, to which you can point the icecast2 configuration.
I have also found this very helpful and complete guide for reference: https://mediarealm.com.au/articles/icecast-https-ssl-setup-lets-encrypt/
There is another way, by forwarding of Nginx, whose config is common on internet. So that the server only expose 80 and 443 port for http web. Then use letsencrypt for SSL of Nginx.
I have configured in apache conf/httpd.conf
It like this
And in my vhost.d Directory,I have configured some host like this
and then in my windows computer ,I have configure the driver host to bind the two Domains(test.hr.oa.com,demo.oa.com) to my server ip,but it's no working ,
When I visit the url ,it's always go to the /var/www/html ?
I have restart my apache ,it's no working ,and in httpd.conf file,there is no configure about "/var/www/html" ,but the all domains go to /var/www/html
Finally: I found two httpd.conf config files in my server. It like this
Previously,the apache have in my server,so I have tried
apachectrl restart
and
service httpd restart
they are both no working ,the Server tiped me that I should install httpd,
So I
yum install httpd
then the second httpd.conf file was added to my server.and Configuring the second config file is working.
So I want to know what's the relationship about apache and httpd?
I'm having hard time trying to setup an SSL certificate (it's a Comodo PositiveSSL purshased from NameCheap) on my EC2 micro instance (I'm using Amazon Linux AMI 2012.3, which is based on CentOS if I'm not mistaken).
Here's what I did:
I installed mod_ssl & OpenSSL
I enabled port 443 on my EC2's instance security group
I CHMODed the *.key & *.crt files to 777 as Comodo suggested
I'm certain the IP address & files path are correct (put a bunch of
0s in the example but it is correct in my ssl.conf)
I added this VirtualHost entry to ssl.conf
<VirtualHost 00.000.000.00:443>
############# I tried both with & without this section ##############
ServerName www.mydomain.com:443
ServerAlias www.mydomain.com
DocumentRoot /var/www
ServerAdmin webmaster#mydomain.com
######################################################################
SSLEngine on
SSLCertificateKeyFile /etc/ssl/mydomain_com.key
SSLCertificateFile /etc/ssl/mydomain_com.crt
SSLCertificateChainFile /etc/ssl/mydomain_com.ca-bundle
</VirtualHost>
Then I restarted apache...but I stil cannot access https://www.mydomain.com/ !!!
I checked with ssltool.com, it says
The Common Name on the certificate is: ip-00-00-00-000
The certificate chain consists of:
SomeOrganization, ip-00-00-00-000. Expires on: Apr 10 13:39:41 2013 GMT - that's 363 days from today.
The site tested mydomain.com is NOT the same as the Subject CN ip-00-00-00-000!.
I even went & copied the VistualHost to httpd.conf instead of ssl.conf & restarted apache, all in vain.
I've been banging my head against the wall for days now. I'm pretty sure I'm missing a tiny something to make this work, I just don't know what exactly.
I'd be infinitely grateful if someone can suggest something to make this work!
Sometimes this section
<VirtualHost _default_:443>
prevents your real SSL certificate from being used. If this is the case either comment VirtualHost default or move the SSLCertificate* attributes to it, ie.
<VirtualHost _default_:443>
SSLCertificateKeyFile /etc/ssl/mydomain_com.key
SSLCertificateFile /etc/ssl/mydomain_com.crt
SSLCertificateChainFile /etc/ssl/mydomain_com.ca-bundle
</VirtualHost>
Make sure you restart apache after that.
Amazon now provide a certificate manager! (for free)
If you use Elastic Beanstalk this is the new way to do:
It's free, You avoids errors due to the configuration and it's a better choice on a performance point of vue:
Because ELB supports SSL offload, deploying a certificate to a load
balancer (rather than to the EC2 instances behind it) will reduce the
amount of encryption and decryption work that the instances need to
handle.
from the doc:
The new AWS Certificate Manager (ACM) is designed to simplify and
automate many of the tasks traditionally associated with management of
SSL/TLS certificates. ACM takes care of the complexity surrounding the
provisioning, deployment, and renewal of digital certificates!
Certificates provided by ACM are verified by Amazon’s certificate
authority (CA), Amazon Trust Services (ATS).
Even better, you can do all of this at no extra cost. SSL/TLS
certificates provisioned through AWS Certificate Manager are free!
ACM will allow you to start using SSL in a matter of minutes. After
your request a certificate, you can deploy it to your Elastic Load
Balancers and your Amazon CloudFront distributions with a couple of
clicks. After that, ACM can take care of the periodic renewals without
any action on your part.
the doc:
https://aws.amazon.com/fr/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/
Looking at your list, it happens that you forget to enable your configuration with your Virtual host.
sudo a2enmod ssl
sudo a2ensite default-ssl
sudo /etc/init.d/apache2 restart
There is a complete guide on how to install an SSL certificate on your EC2 here https://medium.com/#adnanxteam/how-to-add-ssl-certificate-to-laravel-on-ec2-aws-18104cc036d1
I am building a website and would not like to reconfigure the website from pointing to http://127.0.0.1 to http://www.example.com. Furthermore, the certificate that I am using is of course made with the proper domain name of www.example.com but my test environment makes calls to 127.0.0.1 which makes the security not work properly.
What I currently want to do is configure my development environment to assign the domain name www.example.com to 127.0.0.1 so that all http://www.example.com/xyz is routed to http://127.0.0.1:8000/xyz and https://www.example.com/xyz is routed to https://127.0.0.1:8080/xyz.
I am not using Apache. I am currently using node.js as my web server and my development environment is in Mac OS X Lion.
If you edit your etc/hosts file you can assign an arbitrary host name to be set to 127.0.0.1.
Open up /etc/hosts in your favorite text editor and add this line:
127.0.0.1 www.example.com
Unsure of how to avoid specifying the port in the HTTP requests you make to example.com, but if you must avoid specifying that at the request level, you could run nodejs as root to make it listen on port 80.
Edit: After editing /etc/hosts, you may already have the DNS request for that domain cached. You can clear the cached entry by running this on the command line.
dscacheutil -flushcache