Topic: Self-signed certificate not working
lpark
Joined: 06 Nov 2020 Posts: 9 Location: Germany
Posted: Mon 09 Nov '20 18:37 Post subject: Self-signed certificate not working
OS: Ubuntu 16.04
I'm trying to enable a self-signed certificate for Apache. I already created the certs with the following command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
The "common name" is my IP address. Also I edited the ssl-params.conf like:
Code:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLSessionTickets Off
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
My default-ssl.conf is:
Code:
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName pvapp.test-campus.de
        DocumentRoot /var/www/client/pvapp-client/dist
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
        SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
</IfModule>
And the testServer.conf for the vhost is:
Code:
<VirtualHost *:80>
    #ServerName testConnection.de
    #ServerAlias www.testConnection.de
    ServerAdmin webmaster@test.de
    DocumentRoot /var/www/client/pvapp-client/dist
    Redirect permanent / https://pvapp.test-campus.de
    <Directory /var/www/client/pvapp-client/dist>
        AllowOverride All
        Order allow,deny
        Allow from All
        <IfModule mod_rewrite.c>
            Options -MultiViews
            RewriteEngine On
            RewriteCond %{SERVER_PORT} 80
        </IfModule>
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/test.com-error.log
    CustomLog ${APACHE_LOG_DIR}/test.com-access.log combined
</VirtualHost>
I'm redirecting to an https://.... page but can't reach the page. Without that redirect it's working on the standard IP but it's just http. Conf files are enabled with a2ensite and firewall checked.
When calling the website in Chrome it's responding "couldn't find the server IP".
Don't know what to change to get this working. Appreciate all help!
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
Posted: Tue 10 Nov '20 18:03
Redirect issues aside, perceived wisdom is you should not put IP addresses in the common name (CN) field of X.509 certificates. There's any amount of information on the internet over this, but this page at Stack Overflow gives a number of references as to why this is a problem. See answer two in particular.
https://stackoverflow.com/questions/5136198/what-strings-are-allowed-in-the-common-name-attribute-in-an-x-509-certificate
So for the purposes of testing your redirect code, why don't you set the CN of your self-signed certificate to pvapp.test-campus.de, being sure to add that as a host entry against the relevant IP address in your local hosts file?
Also, I have encountered problems when using permanent (301) redirects rather than temporary (302). The problem is browsers (as much as proxies) will cache this result, and not bother contacting the server in the future. This can be a real pain if you make a mistake during testing, or subsequently decide to change the site logic on your server. So I'd recommend using 302 redirects (the default), i.e.
Code:
Redirect temp / https://pvapp.test-campus.de
Remember to clear your browser cache before retesting, and maybe turn on Developer Tools (Shift+Control+I) on your browser to see the connection traffic.
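The reply's advice to put the hostname rather than an IP address in the certificate, as an added example that is not part of the thread: it generates a self-signed certificate for pvapp.test-campus.de and checks that it matches the hostname and the key file. The function names and the throwaway output directory are assumptions, and the subjectAltName entry goes beyond what the reply mentions (current browsers match the hostname against it rather than the CN).

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names and the output directory
# are assumptions; the thread installs to /etc/ssl/certs and /etc/ssl/private.

# Create a self-signed certificate whose CN and subjectAltName carry a hostname.
make_selfsigned() {
    host="$1"; outdir="$2"
    mkdir -p "$outdir" || return 1
    # A request config file (rather than -addext) also works on the
    # OpenSSL 1.0.2 shipped with Ubuntu 16.04.
    cat > "$outdir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host
EOF
    (
        umask 077   # keep the private key unreadable for other users
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -config "$outdir/req.cnf" \
            -keyout "$outdir/apache-selfsigned.key" \
            -out "$outdir/apache-selfsigned.crt" 2>/dev/null
    )
}

# Succeed only if the certificate is valid for the given hostname.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
        grep -q "does match certificate"
}

# Succeed only if SSLCertificateFile and SSLCertificateKeyFile hold the same key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

# Demo in a throwaway directory.
demo_dir="$(mktemp -d)"
make_selfsigned pvapp.test-campus.de "$demo_dir" &&
    cert_matches_host "$demo_dir/apache-selfsigned.crt" pvapp.test-campus.de &&
    key_matches_cert "$demo_dir/apache-selfsigned.crt" "$demo_dir/apache-selfsigned.key" &&
    echo "certificate and key are consistent for pvapp.test-campus.de"
rm -rf "$demo_dir"
```

For the browser test the hostname still has to resolve on the client, for example through the hosts-file entry the reply describes.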
lpark
Joined: 06 Nov 2020 Posts: 9 Location: Germany
Posted: Thu 12 Nov '20 11:11
All right, thanks.