I have a website up and running (here) - but I just learned that attempting to use a https url fails due to an Unacceptable TLS certificate. This would be a minor annoyance if it weren't for some browsers automatically adding https if a user only types in a domain name.
I set up https according to the apache wiki page, but I don't really understand all the moving parts despite trying to learn about them. I had followed these steps early on:
# cd /etc/httpd/conf
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout apache.key -out apache.crt -days 1095
# chmod 400 apache.key
# chmod 444 apache.crt
I also revised my config files (including vhosts) according to that section of the wiki.
Yet https urls failed to get to the page unless (with firefox) I added an exception (dwb/webkit doesn't seem to provide that option in an obvious way).
Today I just regenerated the key and crt files and upon restarting apache (systemctl restart httpd) I had the following error in the log:
[Thu Oct 29 17:14:43.571176 2015] [ssl:warn] [pid 1432] AH01906: www.darwinsdogs.org:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Oct 29 17:14:43.571204 2015] [ssl:warn] [pid 1432] AH01909: www.darwinsdogs.org:443:0 server certificate does NOT include an ID which matches the server name
I then tried the CSR steps in the wiki instead:
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out apache.key
# chmod 400 apache.key
# openssl req -new -sha256 -key apache.key -out apache.csr
# openssl x509 -req -days 1095 -in apache.csr -signkey apache.key -out apache.crt
Upon restarting the httpd there was still the following new error in the log:
[Thu Oct 29 17:20:04.896666 2015] [ssl:warn] [pid 1679] AH01909: www.darwinsdogs.org:443:0 server certificate does NOT include an ID which matches the server name
I did some reading on the common name (CN) value which sadly our wiki has no information about, but it seems it is very important. I learned that the CN had to match the domain name visited and the fully qualified domain name. I suspect my understanding of FQDNs is flawed, as previously I thought that to be the host name of the actual machine plus the domain name (astro.darwinsdogs.org in this case) but no one would ever visit astro.darwinsdogs.org, they'd visit darwinsdogs.org or www.darwinsdogs.org (each of the last two is in vhosts.conf). These forums, for example, are at bbs.archlinux.org, but the server they are on is luna.archlinux.org - I thought the latter would be the FQDN.
So now I didn't know whether CN should be astro.darwinsdogs.org, www.darwinsdogs.org, or just darwinsdogs.org - or if I'd need more than one certificate for each (on the same single server). Then I ran into the suggestion that CNs can have wildcards which was a great relief. I regenerated the key and crt (using the CSR method in the wiki) and used *.darwinsdogs.org as the CN.
This seemed to make progress as there are now no SSL errors in the log, but I do get the reassuring indicator that it (seems to be) there:
[Thu Oct 29 17:26:12.897697 2015] [mpm_prefork:notice] [pid 1940] AH00163: Apache/2.4.16 (Unix) OpenSSL/1.0.2d PHP/5.6.13 configured -- resuming normal operations
[Thu Oct 29 17:26:12.897742 2015] [core:notice] [pid 1940] AH00094: Command line: '/usr/bin/httpd'
Yet visiting the https site still gives an error in the browser.
What am I missing in getting this running correctly so when someone tries to visit https://darwinsdogs.org or https://www.darwinsdogs.org they will be directed to the proper site (the same place as if they used http://...)?
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Hi Trilby,
are you using a self signed certificate by any chance? Because Firefox show the following warning:
darwinsdogs.org uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
(Error code: sec_error_unknown_issuer)
Also it seems that the certificate is not valid for https://darwinsdogs.org:
The certificate is only valid for *.darwinsdogs.org
I think the problem is that, according to the CN field, there must be a full stop in the url right before darwinsdogs.
As mauritiusdadd said, you are using a self-signed certificate. That is the cause of your problem. You need to use a certificate issued by a valid certificate authority to make the warnings go away.
I think the problem is that, according to the CN field, there must be a full stop in the url right before darwinsdogs.
So wildcards are not allowed? Does that mean I'd need several certificates, one for every possible form of the url?
You need to use a certificate issued by a valid certificate authority to make the warnings go away.
Thanks, I don't see anything in our wiki on how to do this. I've kept searching for instructions, but most of what I find is inconsistent - each source says different things: like the CN being so important, but some sources say wildcards are allowed, some say it must be the website url, some say it must be the FQDN. Then as for getting a certificate from a certificate authority, many sites suggest this is important and discuss it conceptually, but I've been unable to find instructions on how to do this for apache. I did just find this one this morning:
https://blog.netnerds.net/2009/10/secur … hority-ca/
I'll give this a try this afternoon unless someone can help clarify the confusion(s).
mauritiusdadd wrote: I think the problem is that, according to the CN field, there must be a full stop in the url right before darwinsdogs.
So wildcards are not allowed? Does that mean I'd need several certificates, one for every possible form of the url?
I'm sorry, maybe I was not clear enough: yes, as far as I know wildcards are allowed, however you have a dot between the wildcard and darwinsdogs.org so the string *.darwinsdogs.org will match only domain names like www.darwinsdogs.org, mobile.darwinsdogs.org, test.darwinsdogs.org, etc. but it will not match darwinsdogs.org. I think that if you want to use a single certificate for multiple domains which cannot be expressed using wildcards, then you should use a SAN (Subject Alternative Names) Certificate:
http://stackoverflow.com/questions/5935 … k-together
http://apetec.com/support/GenerateSAN-CSR.htm
https://rtcamp.com/wordpress-nginx/tuto … ive-names/ (a bit redundant with the above link)
Last edited by mauritiusdadd (2015-10-30 12:16:37)
yes, as far as I know wildcards are allowed, however you have a dot between the wildcard and darwinsdogs.org
Ah, thanks, that is definitely part of it. With firefox I do currently see a different detail message for https for the domain name and https for www.domain - the latter is just a self signed error while the former is the CN mismatch. So setting the CN to *darwinsdogs.org should fix one of the problems.
Now I just need to get an authority-signed cert.
@ Trilby,
first decide on a certificate authority. Then search on their website on how to get it issued. Once you have the certificates with you, linking them with apache is the same as for self-signed certificates.
So setting the CN to *darwinsdogs.org should fix one of the problems.
That wouldn't work afaik. Since *darwinsdogs.org would be valid for something like awesomedarwinsdogs.org as well. Afaik, wild card certificates do need a dot before the domain name. Then only will they become valid for the sub-domains.
Last edited by x33a (2015-10-30 12:53:36)
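The matching rules the two posts above describe (why *.darwinsdogs.org covers www.darwinsdogs.org but not darwinsdogs.org, why a partial wildcard like *darwinsdogs.org is rejected, and how a SAN list covers both names), written out as an added example that is not part of this thread. It implements the strict RFC 6125 section 6.4.3 form that browsers apply; the certificate name lists are constructed from the domains mentioned in the thread.

```python
"""Check whether certificate names cover a hostname the way a browser does.

Added example (not from the thread). Rules: RFC 6125 s6.4.3 in the strict
form browsers use: a wildcard must be the entire left-most label, it
matches exactly one label, and it needs at least two labels after it.
"""


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one dNSName/CN `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    if "*" in pattern:
        # Only a wildcard that is the whole left-most label is accepted;
        # "*darwinsdogs.org" is a partial wildcard and matches nothing.
        if pattern.count("*") != 1 or p_labels[0] != "*":
            return False
        # "*.org" would cover every .org site; browsers reject it.
        if len(p_labels) < 3:
            return False

    # "*" stands for exactly one label and never for zero labels, so
    # "*.darwinsdogs.org" cannot cover the bare "darwinsdogs.org".
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_covers(names, hostname: str) -> bool:
    """Browser-style check over every name the certificate carries.

    `names` is the list of SAN dNSName entries (with the CN as legacy
    fallback when there is no SAN extension at all).
    """
    return any(name_matches(n, hostname) for n in names)


if __name__ == "__main__":
    # Constructed from the thread: one wildcard CN vs. an explicit SAN list.
    wildcard_only = ["*.darwinsdogs.org"]
    san_cert = ["darwinsdogs.org", "www.darwinsdogs.org"]
    for host in ("darwinsdogs.org", "www.darwinsdogs.org", "astro.darwinsdogs.org"):
        print(f"{host:26} wildcard={cert_covers(wildcard_only, host)!s:5} "
              f"san={cert_covers(san_cert, host)}")
```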
Thanks - but that's a little discouraging. The ones I'm finding sell them for several hundred dollars per year. Is that the case, or am I looking at the wrong product? That's more than I pay for the hosting.
Frankly there is no need for https. But I just don't want users staring at an error page if their browser automatically prepends https. I can close port 443, but browsers will still just show an error page. Is there any way to ensure a user gets an informative error page directing them to http if they attempt to use https?
Thanks - but that's a little discouraging. The ones I'm finding sell them for several hundred dollars per year. Is that the case, or am I looking at the wrong product? That's more than I pay for the hosting.
Startcom gives them for free for non-commercial purposes. Also, (hopefully) in a couple of months https://letsencrypt.org/ (backed by Mozilla, EFF etc.) will start offering free certificates for everyone.
Frankly there is no need for https. But I just don't want users staring at an error page if their browser automatically prepends https.
I have never heard of a browser redirecting automatically to https. Can you show me an example? Maybe it's due to some plugin?
I can close port 443, but browsers will still just show an error page. Is there any way to ensure a user gets an informative error page directing them to http if they attempt to use https?
You should be able to use Apache redirection to automatically redirect users to http.
https://encrypted.google.com/search?hl= … 0to%20http
Last edited by x33a (2015-10-30 13:13:24)
I have never heard of a browser redirecting automatically to https. Can you show me an example? Maybe it's due to some plugin?
My memory was slightly flawed, there is no clear statement that the browser filled it in, but this thread suggests it's easy to get to a https site likely without typing that in explicitly:
https://bbs.archlinux.org/viewtopic.php?id=202845
Although in hindsight, that may be due to an autocompletion of the google url to the previously used https. So perhaps I am concerned for no reason.
Thanks also for the Startcom recommendation. The site is definitely not for profit. And for other reasons we are considering being officially established as a non-profit - so if we do I'll set up a cert with Startcom. (Though currently the Startcom site doesn't give wildcard certs for free - so I'd need several different ones).
Until then I'll just leave well enough alone - I'll fix the current wildcard cert and just keep it self-signed.
EDIT: for what it's worth, I just changed the CN to *darwinsdogs.org and now it doesn't match anything - so *.darwinsdogs.org is better.
Last edited by Trilby (2015-10-30 15:24:22)