| Author |
|
TitanCMD
Joined: 03 May 2022
Posts: 8
|
 Posted: Tue 03 May '22 21:45 Post subject: Having issues getting HTTPS working on my local dev server |
 |
|
I have Ubuntu 20.04 LTS and Apache 2.4.41
I installed the SSL certificate and when I go to my website it says it is not secure. When I go to my site the https is crossed out, but when I click on it I can download the certificate and then add it to Windows and Firefox as trusted certificates, but it still shows as not secure.
Here is my Virtual Hosts File
| Code: | <VirtualHost *:443>
ServerName domain.com
DocumentRoot /var/www/domain.com/public_html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost> |
Please let me know if you need any other info
Thanks! |
|
| Back to top |
|
Otomatic
Joined: 01 Sep 2011
Posts: 212
Location: Paris, France, EU
|
| Posted: Wed 04 May '22 11:28 Post subject: |
|
|
Hi,
With a self-signed certificate, all browsers will say that it is not secure.
Firefox is (to my knowledge) the only browser that uses its own certificate store.
If you install the certificates in the Firefox stores properly:
The apache-selfsigned.crt
-- Firefox, Tools -> Options -> Privacy and security
- Certificates -> View Certificates.
- Store "Authorities" then Import
The client or Site certificate(s) with the suffix ".pfx or .p12"
-- Firefox, in the "Your Certificates" store.
The password will be requested.
Firefox takes into account the self-signed certificates with information on a local https site:
- Secure connection
- Connection verified by a certificate issuer not recognized by Mozilla |
|
| Back to top |
|
TitanCMD
Joined: 03 May 2022
Posts: 8
|
| Posted: Wed 04 May '22 19:05 Post subject: Reply |
|
|
Dang, okay, I was hoping it would act the same as a live site. I will keep that in mind when building out these sites.
I did import it properly in Firefox, but yea it's self signed. |
|
| Back to top |
|
TitanCMD
Joined: 03 May 2022
Posts: 8
|
| Posted: Wed 04 May '22 21:48 Post subject: |
|
|
| Is the only way around this to buy a certificate for my local server? |
|
| Back to top |
|
mraddi
Joined: 27 Jun 2016
Posts: 152
Location: Schömberg, Baden-Württemberg, Germany
|
| Posted: Thu 05 May '22 6:22 Post subject: |
|
|
You can create your own CA and import the CA's certificate into Firefox's and Windows's Cert-Store. This way you will get rid of the not-secure-hint.
The note that this is a not a CA shipped by Mozilla will stay. |
|
| Back to top |
|
TitanCMD
Joined: 03 May 2022
Posts: 8
|
| Posted: Thu 05 May '22 6:30 Post subject: |
|
|
| I have installed the certificate with the mmc console, under Trusted Root Certificates. Did I generate a bad certificate? |
|
| Back to top |
|
mraddi
Joined: 27 Jun 2016
Posts: 152
Location: Schömberg, Baden-Württemberg, Germany
|
| Posted: Thu 05 May '22 7:09 Post subject: |
|
|
It is not a bad certificate. It is only decided by browsers to not display this one as fully trusted - even if you have added it to the cert-store as trusted certificate.
Create a CA-certificate, create a server's CSR, sign it with the CA's certificate (to get a cert) and install the CA's certificate (the public part) within your browser's cert-store and the server's certificate within your webserver -> then you will get rid of the "this is an insecure page"-message.
You can do this certificate-stuff on the command-line (which is possible but hard to do) or you can use tools for this. I'm using XCA (https://hohnstaedt.de/xca/) for managing my own CA for my test-/dev-servers. |
|
| Back to top |
|
TitanCMD
Joined: 03 May 2022
Posts: 8
|
| Posted: Fri 06 May '22 3:49 Post subject: |
|
|
I'm not shy of the command line, thats how I made the cert:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
It's an Ubuntu web server. Is XCA on Debian Linux distros? |
|
| Back to top |
|
mraddi
Joined: 27 Jun 2016
Posts: 152
Location: Schömberg, Baden-Württemberg, Germany
|
| Posted: Fri 06 May '22 10:06 Post subject: |
|
|
I've never used XCA on Linux (only on Windows  ).
Here are some steps to create your own CA and a webserver-certificate.
create CA
first create a Certificate Authority. For this you have to crate a private key
| Code: | | openssl genrsa -aes256 -out ca-key.pem 4096 |
The key is named "ca-key.pem" and has a length of 4096 bits. The key is passwort-protected (because of the "-aes256"-option) and has to be kept secure as a bad guy can create/sign arbitrary certificates which are trusted by the clients.
Now that a secret key for the CA is available we need the root-certificate which has to be imported by the clients/browsers later in this HowTo to trust the certificates issued/signed by this CA.
The root-certificate "ca-root.pem" is created with the following command - you may need the password for the key created in the step above:
| Code: | | openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 1024 -out ca-root.pem -sha512 |
In this case the CA will be valid 1024 days. During creation you will be asked for some attributes for the CA - an example
| Code: | Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Baden-Wuerttemberg
Locality Name (eg, city) []:Pforzheim
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example-Company
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:ca.example.com
Email Address []:admin@example.com |
Now you can import the "ca-root.pem"-file into your browser's/computer's truststore.
Now lets create a certificate for the webserver
As the CA is completed we can create our first certificate.
A private key is the base. Similar to the CA a private key is created:
| Code: | | openssl genrsa -out webserver-key.pem 4096 |
Adding a password is not practicable in most cases as webserver have to ask for the password at every startup.
Now we will create a CSR - some attributes will be asked. The field "Common Name" has to be filled with the hostname the clients will connect to (either an ip-address 192.168.2.2 or www.example.com). You can leave the challenge-password empty:
| Code: | | openssl req -new -key webserver-key.pem -out webserver.csr -sha512 |
If I remember correctly from earlier tests the FQDN of the CA's certificate and the FQDN of the webserver's certificate have to be different.
Create an extfile for the webserver's certificate which contains at least one line for "alt_names" (you can add multiple lines "DNS.2 = ...", "DNS.3 = ...", ... to create a certificate valid for multiple hostnames) as newer browers don't trust the subject-fields's "cn":
| Code: | authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com |
The "webserver.csr" can now be processed by the CA. This will create the public key for the private.key. Both (the webserver-key.pem and the webserver-pub.pem) will be needed on the webserver for encryption.
The webserver-pub.pem will be created using the following command and will be valid for 365 days:
| Code: | | openssl x509 -req -in webserver.csr -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial -out webserver-pub.pem -days 365 -sha512 --extfile webserver.ext |
The "-CAcreateserial" is automatically skipped if a serial-file is present which will be used in this case.
The webserver-key.pem and webserver-pub.pem can now be used within your webserver's configuration for encryption.
Your Browsers should trust your certificate and only give some minor hint that it is signed by a CA added manually and not trusted by default.
Afterwards you can verify that your certificate is signed correctly with
| Code: | | openssl verify -verbose -CAfile root-ca.pem webserver-pub.pem |
Based on https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/ and https://thomas-leister.de/selbst-signierte-tls-zertifikate-mit-eigener-ca/ |
|
| Back to top |
|
TitanCMD
Joined: 03 May 2022
Posts: 8
|
| Posted: Fri 06 May '22 23:32 Post subject: |
|
|
Thank you so much for helping me, I am following along. I was wondering where I should put the extfile in my system?
I am guessing there is a special directory for extfiles in Ubuntu, and what should I name it, eg, 'webserverconfig.ext'? |
|
| Back to top |
|
TitanCMD
Joined: 03 May 2022
Posts: 8
|
| Posted: Sat 07 May '22 0:16 Post subject: |
|
|
| Wait! I found it, no need to reply.. moving on! |
|
| Back to top |
|
TitanCMD
Joined: 03 May 2022
Posts: 8
|
| Posted: Sat 07 May '22 0:47 Post subject: |
|
|
Okay, I finished everything without errors. However, its still saying not secure when I go to my domain. I went into Internet Options and cleared the SSL cache, I reloaded apache2 with 'sudo systemctl reload apache2', I cleared the cache on my browser and restarted it. No dice.
On the last step I got this:
I ran:
| Code: | | openssl verify -verbose -CAfile ca-root.pem webserver-pub.pem |
and got this:
| Code: |
webserver-pub.pem: OK
|
Here is my webserver.ext file:
| Code: |
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherme>
subjectAltName = @alt_names
[alt_names]
DNS.1 = domain.com
|
Also, here is my VirtualHosts File. Do I need to add anything to it?
| Code: |
<VirtualHost *:443>
ServerName domain.com
DocumentRoot /var/www/domain.com/public_html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ca-root.pem
SSLCertificateKeyFile /etc/ssl/private/ca-key.pem
</VirtualHost>
|
Your steps most likely worked, but now the issue is somewhere else in my client, maybe the server. |
|
| Back to top |
|
