Develop Reference

Certbot DNS problem - not using /etc/hosts

I am trying to install a certificate using certbot from LetsEncrypt on a Raspberry Pi. I have installed Apache2 and created a webserver at http://subdomain.mydomain.com on the Raspberry Pi. The certbot command obtains a certificate and writes it to http://subdomain.mydomain.com/.well-known/acme-challenge/<etc.>
Background Info: I am doing this because I need a local server to address IoT devices and my Ajax calls are failing because I am not allowed to mix http with https. The IoT devices are incapable of a hosting a webserver with SSL - they use a simple http:/192.168.1.xx/<string> format
I don't want to create a DNS entry at my registrar/ISP because I am trying to create a scalable solution and creating hundreds (perhaps thousands if we do well) of subdomain entries there is impractical. Creating my own DNS server is a possibility, but I would rather just do it all on the Pi - my bash installation script will take care of everything (once I get it to work!).
I tried first to create an entry into the local hosts (/etc/hosts) file which looks like this:
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.1.1 SubDomain
192.168.1.111 subdomain.mydomain.com
This works for commands like ping, but not for nslookup or dig and definitely not for certbot. The certbot command finds my main server - DNS is configured with a * to go to my Public IP for all unknown subdomains:
A * xx.xx.xx.xx //My public IP address
So then I installed dnsmasq (See: When using proxy_pass, can /etc/hosts be used to resolve domain names instead of "resolver"?) and followed the configuration options shown here: How to Setup a Raspberry Pi DNS Server
However, that doesn't work either. certbot still looks at my main (external DNS) and finds my Public (wildcard) IP. Here's a summary of the changes made in /etc/dnsmasq.conf
domain-needed ## enabled
bogus-priv ## enabled
no-resolv ## enabled
server=8.8.8.8 ## added (#server=/localnet/192.168.0.1 left as is)
server=8.8.4.4 ## added
cache-size=1500 ##increased from 150
How can I force certbot to find and use my local/private IP 192.168.1.111? Any alternative solutions using scripts/redirection?

Create a wildcard certificate using Let's Encrypt DNS validation. You will then have to renew the certificate manually. Otherwise, your server must be on the public Internet with correct DNS settings.

I finally solved my problem but I abandoned LetsEncrypt entirely. The answer was not in DNS, but in approaching it from a completely different angle. This was pretty much 95% of the solution.
Important! This only works if you have control over the browser. We do, since it is for our kiosk application which runs in a browser.
Step 1: Become your own CA
Step 2: Sign your SSL certificate as a CA
Step 3: Import the signed CA (.pem file) into the browser (under Authorities)
Step 4: Point your Apache conf file to the local SSL (the process generates .key and .crt files for this as well).

Icecast 2 and SSL

I am trying to make work icecast 2 and my letsencrypt SSL with no luck. So far what I did is built icecast 2 with openssl support and I also made it run but it always give the next error in the log file.
[2018-03-15 12:48:21] WARN connection/get_ssl_certificate Invalid private key file /usr/local/icecast/share/fullchain.pem
[2018-03-15 12:48:21] INFO connection/get_ssl_certificate No SSL capability on any configured ports
I have set these cert files readable by user: richard and of course I am also running the server itself with the richard user.
Maybe you have any idea what is wrong?
You may also see my config file here:
<listen-socket>
<port>8443</port>
<ssl>1</ssl>
</listen-socket>
In the path section I have set the ssl-certificate part to the SSL.
<ssl-certificate>/usr/local/icecast/share/icecast/fullchain.pem</ssl-certificate>
Nothing so far. The server itself is starting on the port, however when visiting it through https:// it just doesn't load. with http:// the port (8443) works fine.
Any help appricated.

Actually, I solved the issue myself.
The problem was the SSL not the configurations. Seems the LetsEncrypt SSL that is generated (fullchain.pem) is not working correctly. So instead of using that, I have copied the content from cert.pem and privkey.pem and made a new file named icecast.pem and pasted both into one. (first cert and then the privkey) and now everything is works fine and secure!
I am a genius!!!

For the Icecast2 complete certificate, you can use the command:
cat /etc/letsencrypt/live/domain.com/fullcert.pem /etc/letsencrypt/live/domain.com/privkey.pem > /etc/icecast2/bundle.pem
This will concatenate and save both certificates to a single file called bundle.pem under icecast2 folder, to which you can point the icecast2 configuration.
I have also found this very helpful and complete guide for reference: https://mediarealm.com.au/articles/icecast-https-ssl-setup-lets-encrypt/

There is another way, by forwarding of Nginx, whose config is common on internet. So that the server only expose 80 and 443 port for http web. Then use letsencrypt for SSL of Nginx.

I have configured vhost in apache,but it always go to default path?

I have configured in apache conf/httpd.conf
It like this
And in my vhost.d Directory,I have configured some host like this
and then in my windows computer ,I have configure the driver host to bind the two Domains(test.hr.oa.com,demo.oa.com) to my server ip,but it's no working ,
When I visit the url ,it's always go to the /var/www/html ?
I have restart my apache ,it's no working ,and in httpd.conf file,there is no configure about "/var/www/html" ,but the all domains go to /var/www/html
Finally: I found two httpd.conf config files in my server. It like this
Previously，the apache have in my server,so I have tried
apachectrl restart
and
service httpd restart
they are both no working ,the Server tiped me that I should install httpd,
So I
yum install httpd
then the second httpd.conf file was added to my server.and Configuring the second config file is working.
So I want to know what's the relationship about apache and httpd?

Setup an SSL certificate on an EC2 instance

I'm having hard time trying to setup an SSL certificate (it's a Comodo PositiveSSL purshased from NameCheap) on my EC2 micro instance (I'm using Amazon Linux AMI 2012.3, which is based on CentOS if I'm not mistaken).
Here's what I did:
I installed mod_ssl & OpenSSL
I enabled port 443 on my EC2's instance security group
I CHMODed the *.key & *.crt files to 777 as Comodo suggested
I'm certain the IP address & files path are correct (put a bunch of
0s in the example but it is correct in my ssl.conf)
I added this VirtualHost entry to ssl.conf
<VirtualHost 00.000.000.00:443>
############# I tried both with & without this section ##############
ServerName www.mydomain.com:443
ServerAlias www.mydomain.com
DocumentRoot /var/www
ServerAdmin webmaster#mydomain.com
######################################################################
SSLEngine on
SSLCertificateKeyFile /etc/ssl/mydomain_com.key
SSLCertificateFile /etc/ssl/mydomain_com.crt
SSLCertificateChainFile /etc/ssl/mydomain_com.ca-bundle
</VirtualHost>
Then I restarted apache...but I stil cannot access https://www.mydomain.com/ !!!
I checked with ssltool.com, it says
The Common Name on the certificate is: ip-00-00-00-000
The certificate chain consists of:
SomeOrganization, ip-00-00-00-000. Expires on: Apr 10 13:39:41 2013 GMT - that's 363 days from today.
The site tested mydomain.com is NOT the same as the Subject CN ip-00-00-00-000!.
I even went & copied the VistualHost to httpd.conf instead of ssl.conf & restarted apache, all in vain.
I've been banging my head against the wall for days now. I'm pretty sure I'm missing a tiny something to make this work, I just don't know what exactly.
I'd be infinitely grateful if someone can suggest something to make this work!

Sometimes this section
<VirtualHost _default_:443>
prevents your real SSL certificate from being used. If this is the case either comment VirtualHost default or move the SSLCertificate* attributes to it, ie.
<VirtualHost _default_:443>
SSLCertificateKeyFile /etc/ssl/mydomain_com.key
SSLCertificateFile /etc/ssl/mydomain_com.crt
SSLCertificateChainFile /etc/ssl/mydomain_com.ca-bundle
</VirtualHost>
Make sure you restart apache after that.

Amazon now provide a certificate manager! (for free)
If you use Elastic Beanstalk this is the new way to do:
It's free, You avoids errors due to the configuration and it's a better choice on a performance point of vue:
Because ELB supports SSL offload, deploying a certificate to a load
balancer (rather than to the EC2 instances behind it) will reduce the
amount of encryption and decryption work that the instances need to
handle.
from the doc:
The new AWS Certificate Manager (ACM) is designed to simplify and
automate many of the tasks traditionally associated with management of
SSL/TLS certificates. ACM takes care of the complexity surrounding the
provisioning, deployment, and renewal of digital certificates!
Certificates provided by ACM are verified by Amazon’s certificate
authority (CA), Amazon Trust Services (ATS).
Even better, you can do all of this at no extra cost. SSL/TLS
certificates provisioned through AWS Certificate Manager are free!
ACM will allow you to start using SSL in a matter of minutes. After
your request a certificate, you can deploy it to your Elastic Load
Balancers and your Amazon CloudFront distributions with a couple of
clicks. After that, ACM can take care of the periodic renewals without
any action on your part.
the doc:
https://aws.amazon.com/fr/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/

Looking at your list, it happens that you forget to enable your configuration with your Virtual host.
sudo a2enmod ssl
sudo a2ensite default-ssl
sudo /etc/init.d/apache2 restart
There is a complete guide on how to install an SSL certificate on your EC2 here https://medium.com/#adnanxteam/how-to-add-ssl-certificate-to-laravel-on-ec2-aws-18104cc036d1

Assigning a domain name to localhost for development environment

I am building a website and would not like to reconfigure the website from pointing to http://127.0.0.1 to http://www.example.com. Furthermore, the certificate that I am using is of course made with the proper domain name of www.example.com but my test environment makes calls to 127.0.0.1 which makes the security not work properly.
What I currently want to do is configure my development environment to assign the domain name www.example.com to 127.0.0.1 so that all http://www.example.com/xyz is routed to http://127.0.0.1:8000/xyz and https://www.example.com/xyz is routed to https://127.0.0.1:8080/xyz.
I am not using Apache. I am currently using node.js as my web server and my development environment is in Mac OS X Lion.

If you edit your etc/hosts file you can assign an arbitrary host name to be set to 127.0.0.1.
Open up /etc/hosts in your favorite text editor and add this line:
127.0.0.1 www.example.com
Unsure of how to avoid specifying the port in the HTTP requests you make to example.com, but if you must avoid specifying that at the request level, you could run nodejs as root to make it listen on port 80.
Edit: After editing /etc/hosts, you may already have the DNS request for that domain cached. You can clear the cached entry by running this on the command line.
dscacheutil -flushcache