logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Having issues getting HTTPS working on my local dev server
Author
TitanCMD



Joined: 03 May 2022
Posts: 8

PostPosted: Tue 03 May '22 21:45    Post subject: Having issues getting HTTPS working on my local dev server Reply with quote

I have Ubuntu 20.04 LTS and Apache 2.4.41

I installed the SSL certificate and when I go to my website it says it is not secure. When I go to my site the https is crossed out, but when I click on it I can download the certificate and then add it to Windows and Firefox as trusted certificates, but it still shows as not secure.

Here is my Virtual Hosts File

Code:
<VirtualHost *:443>
   ServerName domain.com
   DocumentRoot /var/www/domain.com/public_html

   SSLEngine on
   SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
   SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>


Please let me know if you need any other info

Thanks!
Back to top
Otomatic



Joined: 01 Sep 2011
Posts: 212
Location: Paris, France, EU

PostPosted: Wed 04 May '22 11:28    Post subject: Reply with quote

Hi,

With a self-signed certificate, all browsers will say that it is not secure.

Firefox is (to my knowledge) the only browser that uses its own certificate store.
If you install the certificates in the Firefox stores properly:
The apache-selfsigned.crt
-- Firefox, Tools -> Options -> Privacy and security
- Certificates -> View Certificates.
- Store "Authorities" then Import
The client or Site certificate(s) with the suffix ".pfx or .p12"
-- Firefox, in the "Your Certificates" store.
The password will be requested.

Firefox takes into account the self-signed certificates with information on a local https site:
- Secure connection
- Connection verified by a certificate issuer not recognized by Mozilla
Back to top
TitanCMD



Joined: 03 May 2022
Posts: 8

PostPosted: Wed 04 May '22 19:05    Post subject: Reply Reply with quote

Dang, okay, I was hoping it would act the same as a live site. I will keep that in mind when building out these sites.

I did import it properly in Firefox, but yea it's self signed.
Back to top
TitanCMD



Joined: 03 May 2022
Posts: 8

PostPosted: Wed 04 May '22 21:48    Post subject: Reply with quote

Is the only way around this to buy a certificate for my local server?
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 152
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Thu 05 May '22 6:22    Post subject: Reply with quote

You can create your own CA and import the CA's certificate into Firefox's and Windows's Cert-Store. This way you will get rid of the not-secure-hint.
The note that this is a not a CA shipped by Mozilla will stay.
Back to top
TitanCMD



Joined: 03 May 2022
Posts: 8

PostPosted: Thu 05 May '22 6:30    Post subject: Reply with quote

I have installed the certificate with the mmc console, under Trusted Root Certificates. Did I generate a bad certificate?
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 152
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Thu 05 May '22 7:09    Post subject: Reply with quote

It is not a bad certificate. It is only decided by browsers to not display this one as fully trusted - even if you have added it to the cert-store as trusted certificate.

Create a CA-certificate, create a server's CSR, sign it with the CA's certificate (to get a cert) and install the CA's certificate (the public part) within your browser's cert-store and the server's certificate within your webserver -> then you will get rid of the "this is an insecure page"-message.

You can do this certificate-stuff on the command-line (which is possible but hard to do) or you can use tools for this. I'm using XCA (https://hohnstaedt.de/xca/) for managing my own CA for my test-/dev-servers.
Back to top
TitanCMD



Joined: 03 May 2022
Posts: 8

PostPosted: Fri 06 May '22 3:49    Post subject: Reply with quote

I'm not shy of the command line, thats how I made the cert:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

It's an Ubuntu web server. Is XCA on Debian Linux distros?
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 152
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Fri 06 May '22 10:06    Post subject: Reply with quote

I've never used XCA on Linux (only on Windows Smile).

Here are some steps to create your own CA and a webserver-certificate.

create CA

first create a Certificate Authority. For this you have to crate a private key
Code:
openssl genrsa -aes256 -out ca-key.pem 4096

The key is named "ca-key.pem" and has a length of 4096 bits. The key is passwort-protected (because of the "-aes256"-option) and has to be kept secure as a bad guy can create/sign arbitrary certificates which are trusted by the clients.

Now that a secret key for the CA is available we need the root-certificate which has to be imported by the clients/browsers later in this HowTo to trust the certificates issued/signed by this CA.
The root-certificate "ca-root.pem" is created with the following command - you may need the password for the key created in the step above:
Code:
 openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 1024 -out ca-root.pem -sha512

In this case the CA will be valid 1024 days. During creation you will be asked for some attributes for the CA - an example
Code:
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Baden-Wuerttemberg
Locality Name (eg, city) []:Pforzheim
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example-Company
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:ca.example.com
Email Address []:admin@example.com

Now you can import the "ca-root.pem"-file into your browser's/computer's truststore.

Now lets create a certificate for the webserver
As the CA is completed we can create our first certificate.
A private key is the base. Similar to the CA a private key is created:
Code:
openssl genrsa -out webserver-key.pem 4096

Adding a password is not practicable in most cases as webserver have to ask for the password at every startup.
Now we will create a CSR - some attributes will be asked. The field "Common Name" has to be filled with the hostname the clients will connect to (either an ip-address 192.168.2.2 or www.example.com). You can leave the challenge-password empty:
Code:
openssl req -new -key webserver-key.pem -out webserver.csr -sha512

If I remember correctly from earlier tests the FQDN of the CA's certificate and the FQDN of the webserver's certificate have to be different.

Create an extfile for the webserver's certificate which contains at least one line for "alt_names" (you can add multiple lines "DNS.2 = ...", "DNS.3 = ...", ... to create a certificate valid for multiple hostnames) as newer browers don't trust the subject-fields's "cn":
Code:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.example.com

The "webserver.csr" can now be processed by the CA. This will create the public key for the private.key. Both (the webserver-key.pem and the webserver-pub.pem) will be needed on the webserver for encryption.
The webserver-pub.pem will be created using the following command and will be valid for 365 days:
Code:
openssl x509 -req -in webserver.csr -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial -out webserver-pub.pem -days 365 -sha512 --extfile webserver.ext

The "-CAcreateserial" is automatically skipped if a serial-file is present which will be used in this case.
The webserver-key.pem and webserver-pub.pem can now be used within your webserver's configuration for encryption.
Your Browsers should trust your certificate and only give some minor hint that it is signed by a CA added manually and not trusted by default.

Afterwards you can verify that your certificate is signed correctly with
Code:
openssl verify -verbose -CAfile root-ca.pem webserver-pub.pem


Based on https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/ and https://thomas-leister.de/selbst-signierte-tls-zertifikate-mit-eigener-ca/
Back to top
TitanCMD



Joined: 03 May 2022
Posts: 8

PostPosted: Fri 06 May '22 23:32    Post subject: Reply with quote

Thank you so much for helping me, I am following along. I was wondering where I should put the extfile in my system?

I am guessing there is a special directory for extfiles in Ubuntu, and what should I name it, eg, 'webserverconfig.ext'?
Back to top
TitanCMD



Joined: 03 May 2022
Posts: 8

PostPosted: Sat 07 May '22 0:16    Post subject: Reply with quote

Wait! I found it, no need to reply.. moving on!
Back to top
TitanCMD



Joined: 03 May 2022
Posts: 8

PostPosted: Sat 07 May '22 0:47    Post subject: Reply with quote

Okay, I finished everything without errors. However, its still saying not secure when I go to my domain. I went into Internet Options and cleared the SSL cache, I reloaded apache2 with 'sudo systemctl reload apache2', I cleared the cache on my browser and restarted it. No dice.

On the last step I got this:

I ran:

Code:
openssl verify -verbose -CAfile ca-root.pem webserver-pub.pem


and got this:

Code:

webserver-pub.pem: OK


Here is my webserver.ext file:

Code:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherme>
subjectAltName = @alt_names

[alt_names]
DNS.1 = domain.com


Also, here is my VirtualHosts File. Do I need to add anything to it?

Code:

<VirtualHost *:443>
   ServerName domain.com
   DocumentRoot /var/www/domain.com/public_html

   SSLEngine on
   SSLCertificateFile /etc/ssl/certs/ca-root.pem
   SSLCertificateKeyFile /etc/ssl/private/ca-key.pem
</VirtualHost>


Your steps most likely worked, but now the issue is somewhere else in my client, maybe the server.
Back to top


Reply to topic   Topic: Having issues getting HTTPS working on my local dev server View previous topic :: View next topic
Post new topic   Forum Index -> Apache