Topic: Configuring local Apache https website in Windows

[DavidSpector]

I have implemented (see partial config file below) two virtual hosts on my local development windows computer:

"localhost", which corresponds to folder C:/Web, and is http. It contains many websites.
"www.nsrusa.local", which corresponds to folder C:/Web/nsr, and is self-signed https. It is one website.
The HOSTS file contains the line "127.0.0.1 www.nsrusa.local".

There are two major problems:

1. Browsing to https://www.nsrusa.local/ brings up the Firefox "Your connection is not secure" message (verified by using the Firefox Network tool). A minor problem is that it resolves to C:\Web instead of the correct C:\Web\nsr.

2. Browsing to http://localhost/nsr/ should fail (because of SSLRequireSSL), but succeeds.

# Config file excerpt:
# Virtual Host

# localhost = C:/Web
<VirtualHost *:80>
DocumentRoot "c:/Web"
ServerName localhost
<Directory "c:/Web">
AllowOverride All
Options Indexes MultiViews FollowSymLinks
#Require all granted
</Directory>
</VirtualHost>

# www.nsrusa.local = C:/Web/nsr
<VirtualHost *:443>
DocumentRoot "c:/Web/nsr"
ServerName www.nsrusa.local
SSLEngine on
SSLCertificateFile "C:/WAMP/apache2/conf/nsrlocal.crt"
SSLCertificateKeyFile "C:/WAMP/apache2/conf/nsrlocal.key"
<Directory "c:/Web/nsr">
SSLRequireSSL
AllowOverride All
Options Indexes MultiViews FollowSymLinks
#Require all granted
</Directory>
</VirtualHost>
[/code][/list]

[DavidSpector]

I solved these problems by:

1. Downloading the correct version of OpenSSL light 32-bit for Windows from https://slproweb.com/products/Win32OpenSSL.html and installing it.

2. Following this procedure to generate a security certificate:

Add to system environment variable "Path": C:\Program Files (x86)\OpenSSL\bin
Set system environment variable "OPENSSL_CONF" to C:\Program Files (x86)\OpenSSL\bin\openssl.cfg

Executing these commands in an admin command prompt window:

[James Blond]

Why don't you use a real certificate like from lets encrypt?

[DavidSpector]

Good question. Here are my reasons:

1. This is a development machine. I don't mind telling Firefox to accept the certificate.

2. Let's Encrypt does not issue certificates the way the OpenSSL command does. It provides software that automatically installs and renews certificates. It is intended for production machines.

[Steffen]

See : https://letsencrypt.org/docs/certificates-for-localhost/

[DavidSpector]

Steffen, Thanks, I had forgotten this page. Good stuff. In particular, it recommends creating a self-signed Certificate Authority on the local computer, then using that to create certificates for specific local or application websites. This prevents Man In The Middle attacks if a malicious user can gain local access.

There are already good pages on the Web explaining the details of using OpenSSL.exe (Windows) to generate first the CA cert, then the domain cert.

However, it is still true that Let's Encrypt works with server management tools to make it easy to move the whole Web to HTTPS security. Let's Encrypt has no service to generate certificates manually for local use, nor do they encourage this.

That having been said, it is also possible (I have done it) to copy the Let's Encrypt certificate from an existing server (in my case managed and automatically renewed every few months by WHM/cPanel) down to a local computer, and then enter the domain name in the HOSTS file. Then, when you enter the domain name in a local browser (https://www.example.com), you get the local website instead of the remote website. You get the same green-icon HTTPS service on the local as on the remote. But then you have to comment out the HOSTS entry if you want to see how your remote site works.

The technique I described here allows concurrent display of both remote and local websites, since it uses different domain names.