Can't make httpd use correct SSL

ssl ssl-certificate httpd openssl certificate-authority
27,703

Solution 1

SSLCACertificateFile /var/cosign/certs/CA/publickey.pem

Unless that PEM file actually contains the CA certificate for the client certificates you wish to grant access, this is incorrect; to provide apache with a certificate chain, use SSLCertificateChainFile instead.

Apache must have the actual certificate and any intermediate certificates used to sign/produce the endpoint certificate, up to and including a root certificate that is trusted by browsers.

To verify the certificate they gave you, run:

openssl verify -CApath /path/to/CA/certs -purpose sslserver -verbose /your/certificate

Quite apart from the certificate issues, you're missing an SSLRequireSSL directive in your vhost; without it, apache will not check for a secure connection.

You should also not use _default_ as the virtualhost, and you're missing a ServerName.
Use either *:443 or IP:443 as the virtualhost.

Every vhost must have a valid ServerName set, and in addition, an SSL vhost must have a ServerName that corresponds to the certificate's CN.

For example:

<VirtualHost 1.2.3.4:443>
  ServerName your.certificates.common.name
  ServerAlias any.subject.alternate.names

  DocumentRoot /your/protected/content

  SSLEngine On
  SSLCertificateChainFile /path/to/your/issuers/CA/cert/bundle

  SSLCertificateFile /path/to/your/certificate.crt
  SSLCertificateKeyfile /path/to/your/private.key
 -OR- 
  SSLCertificateFile /path/to/your/combined.cert-and-keyfile

  SSLRequireSSL

</VirtualHost>

Study the documentation for a bit.

Solution 2

Run 

# Debian/Ubuntu
apache2ctl -S
# RHEL/CentOS
httpd -S

It should produce something like this:

*:443                   is a NameVirtualHost
         default server hostname (/etc/apache2/sites-enabled/000-default:1)
         port 443 namevhost hostname (/etc/apache2/sites-enabled/000-default:1)

Verify that you run the openssl command with the correct hostname to access your vhost, I'm assuming you have multiple vhosts for port 443 and the one that was defined in your distro's default setup takes precedence.

Share:
27,703

Related videos on Youtube

monkeymatrix
Author by

monkeymatrix

A regular bloke that often struggles with the odd bit of code.

Updated on September 18, 2022

Comments

  • monkeymatrix
    monkeymatrix almost 2 years

    I have a signed CA, issued by my university. I generated my CSR using their public key file as so:

    openssl genrsa -out myservername.key 2048 (new key)
openssl req -new -key myservername.key -out myservername.csr

    I sent them the CSR, they sent me back the signed .crt file.

    I created a directory for my CA keys and certs and placed them in there.

    The relevent part of my httpd.conf looks like this:

    <VirtualHost _default_:443>
SSLEngine on
SSLCACertificateFile /var/cosign/certs/CA/publickey.pem
SSLCertificateFile /var/cosign/certs/myserver.crt
SSLCertificateKeyFile /var/cosign/certs/myserver.key

DocumentRoot /var/www/html/
<Directory /var/www/html>
    Options -Indexes
    AllowOverride All
</Directory>

    But it's not using this certificate for SSL. If I do this command:

    openssl s_client -connect localhost:443 -showcerts

    I get this:

    CONNECTED(00000003)
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = portcharlotte, emailAddress = root@portcharlotte
verify error:num=18:self signed certificate
verify return:1
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU =     SomeOrganizationalUnit, CN = portcharlotte, emailAddress = root@portcharlotte
verify return:1
---
Certificate chain

    My CSR contained proper details, not this 'SomeState', 'SomeCity' nonsense which I'm guessing is a default.

    The openssl module is installed, and loaded.

    The only errors I get in logs are:

    [Fri Jan 25 13:27:40 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Jan 25 13:27:40 2013] [warn] RSA server certificate CommonName (CN) `portcharlotte' does NOT match server name!?

    I'm guessing this mismatch is because it's using the wrong certificate.

    My question is, how do I make it use the correct one? What am I missing?

  • adaptr
    adaptr over 11 years
    There will never be an entry for a port 80 namevhost hostname under a *:443 list.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

ssl certificate self signed instead of valid
Openssl: Extract root certificate from certificate chain?
What does "tlsv1 alert unknown ca" mean?
Squid: how to enable verification for SSL self-signed certificates
Invalid CA certificate with self signed certificate chain
Error while creating self-signed SSL certificate
OpenSSL Verify Peer (Client) Certificate in C++
How can the SSL client validate the server's certificate?
SSL certificate not accepted
How to create an OpenSSL Self-Signed Certificate using SAN?