logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Self-signed certificate not working
Author
lpark



Joined: 06 Nov 2020
Posts: 9
Location: Germany

PostPosted: Mon 09 Nov '20 18:37    Post subject: Self-signed certificate not working Reply with quote

OS: Ubuntu 16.04

I'm trying to enable a self-signed certificate for apache. I already created the certs with the following command:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt

The "common name" is my IP-address. Also I edited the ssl-params.conf like:

Code:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    SSLCompression off
    SSLUseStapling on
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
    SSLSessionTickets Off
   
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"


My default-ssl.conf is:

Code:
<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerName pvapp.test-campus.de
                DocumentRoot /var/www/client/pvapp-client/dist

                SSLEngine on

                SSLCertificateFile    /etc/ssl/certs/apache-selfsigned.crt
                SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

                 BrowserMatch "MSIE [2-6]" \
                               nokeepalive ssl-unclean-shutdown \
                               downgrade-1.0 force-response-1.0

                 ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
        </VirtualHost>
</IfModule>


And the testServer.conf for the vhost is:

Code:
<VirtualHost *:80>
    #ServerName testConnection.de
    #ServerAlias www.testConnection.de
    ServerAdmin webmaster@test.de
    DocumentRoot /var/www/client/pvapp-client/dist
    Redirect permanent / https://pvapp.test-campus.de

    <Directory /var/www/client/pvapp-client/dist>
        AllowOverride All
        Order allow,deny
        Allow from All

        <IfModule mod_rewrite.c>
            Options -MultiViews
            RewriteEngine On
            RewriteCond %{SERVER_PORT} 80
        </IfModule>
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/test.com-error.log
    CustomLog ${APACHE_LOG_DIR}/test.com-access.log combined
</VirtualHost>


I'm redirecting to an https://.... page but can't reach the page. Without that redirect it's working on the standard IP but it's just http. Conf files are enabled with a2ensite and firewall checked.

When calling the website in chrome its responding "couldn't fine the server IP".

Don't know what to change to get this working. Appreciate all help! Smile
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK

PostPosted: Tue 10 Nov '20 18:03    Post subject: Reply with quote

Redirect issues aside, perceived wisdom is you should not put IP addresses in the common name (CN) field of X509 certificates. There's any amount of information on the internet over this, but this page at Stackoverflow gives a number of references as to why this is a problem. See answer two in particular.

https://stackoverflow.com/questions/5136198/what-strings-are-allowed-in-the-common-name-attribute-in-an-x-509-certificate

So for the purposes of testing your redirect code, why don't you set the CN of your self signed certificate to pvapp.test-campus.de, being sure to add that as a host entry against the relevant IP address in your local hosts file.

Also, I have encountered problems when using permanent (301) redirects rather than temporary (302). The problem is browsers (as much as proxies) will cache this result, and not bother contacting the server in the future. This can be a real pain if you make a mistake during testing, or subsequently decide to change the site logic on your server. So I'd recommend using 302 redirects (the default), i.e.

Code:
Redirect temp / https://pvapp.test-campus.de


Remember to clear your browser cache before retesting, and maybe turn on Developer Tools (Shift+Control+I) on your browser to see the connection traffic.
Back to top
lpark



Joined: 06 Nov 2020
Posts: 9
Location: Germany

PostPosted: Thu 12 Nov '20 11:11    Post subject: Reply with quote

All right, thanks. Smile
Back to top


Reply to topic   Topic: Self-signed certificate not working View previous topic :: View next topic
Post new topic   Forum Index -> Apache