SSL certificate problem

Fabien
Posts: 18
Joined: 2022/05/23 13:16:20

SSL certificate problem

Post by Fabien » 2022/07/13 15:02:56

Hello,

I tried to create an SSL certificate following this tutorial: https://www.digitalocean.com/community/ ... r-centos-7

My domain is http://rucheconnectee.mc.

I followed the instructions and, after having accepted the SSL certificate from my web browser:
+ the default Apache page appeared, saying Apache was working, but my web page doesn't display;
+ at the left of the URL bar, a "non secured" warning appears;
+ I can access my web site using the server path (my website is in /var/www/html/rucheconnectee.mc): http://rucheconnectee.mc/rucheconnectee.mc.

My virtualhost:

Code:

<VirtualHost *:80>
     ServerName rucheconnectee.mc
     ServerAlias rucheconnectee.mc
     DocumentRoot /var/www/html/rucheconnectee.mc
     SSLEngine on
     SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
     SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
# Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.2
# SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Older versions
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# SSLSessionTickets Off

What did I do wrong?

Thanks!

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: SSL certificate problem

Post by lightman47 » 2022/07/13 17:21:54

It's complaining about your Apache (httpd) version.
# Requires Apache 2.4.36 & OpenSSL 1.1.1

# Requires Apache >= 2.4
When did you last "yum update"?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSL certificate problem

Post by TrevorH » 2022/07/13 18:37:37

No, those are commented out. The first comment says that to use the statement under it that is also commented, you need to be using 2.4.11+.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSL certificate problem

Post by TrevorH » 2022/07/13 18:38:58

Those instructions are for creating a self-signed SSL certificate which will not be accepted by any web browser. You would do better to look at using letsencrypt to generate a real SSL cert and install that.

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: SSL certificate problem

Post by lightman47 » 2022/07/13 18:40:09

ACK! :oops:

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSL certificate problem

Post by TrevorH » 2022/07/13 20:18:45

+ the default Apache page appeared telling Apache was working, but my webpage doesn't display ;
+ at the left of the URL bar, a "non secured" warning appears ;
+ I can access to my web site using the server path (my website is in /var/www/html/rucheconnectee.mc) :
1) You will need a virtual host for port 443 so that it matches your SSL config. If it's not matched then it will use the default /var/www/html.

2) The non-secure warning is expected when using a self-signed cert.

3) Fits with 1): the docroot is /var/www/html, so you need to give it the subdirectory name to get inside it.

You need to specify your docroot for the SSL vhost. You need a real certificate.
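The two points TrevorH makes (a port 443 vhost with its own DocumentRoot, and a plain-HTTP vhost kept separate from it), written out as an added configuration example; this is not from the thread or from any poster. It assumes the paths Fabien posted, and that mod_ssl's ssl.conf already supplies Listen 443 (as it does on CentOS 7).

```apache
# Added example (not from the thread): two vhosts instead of one.
# Paths are the ones Fabien posted; swap the self-signed files for a
# CA-issued pair (e.g. Let's Encrypt, as TrevorH suggests) when available.
# On CentOS 7, /etc/httpd/conf.d/ssl.conf already contains "Listen 443 https".

# Plain HTTP: no SSLEngine here. "SSLEngine on" inside a *:80 vhost makes
# Apache expect TLS on port 80, so ordinary http:// requests fail.
<VirtualHost *:80>
    ServerName rucheconnectee.mc
    # Send browsers to the HTTPS site rather than serving content twice.
    Redirect permanent / https://rucheconnectee.mc/
</VirtualHost>

# HTTPS: this vhost matches *:443, so https://rucheconnectee.mc/ is served
# from this DocumentRoot instead of the default /var/www/html.
<VirtualHost *:443>
    ServerName rucheconnectee.mc
    DocumentRoot /var/www/html/rucheconnectee.mc

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

    # Enable HSTS only once a browser-trusted certificate is installed;
    # with a self-signed cert it stops visitors clicking through the warning.
    # Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"

    <Directory /var/www/html/rucheconnectee.mc>
        Require all granted
    </Directory>
</VirtualHost>

# Ports 1880 (Node-RED) and 1883 (MQTT) belong to those services, not httpd.
# Do not list them in any VirtualHost; "httpd -t" checks the syntax and
# "httpd -S" shows which ports and docroots Apache has actually claimed.
```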

Fabien
Posts: 18
Joined: 2022/05/23 13:16:20

Re: SSL certificate problem

Post by Fabien » 2022/07/14 08:15:37

Hello!

Thanks for your help!

Following your advice, I changed the VirtualHost declaration:

Code:

<VirtualHost *:80 *:443>
    SSLEngine On
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /srv/www/example.www
</VirtualHost>

But I have another problem: this website is supposed to receive and display data from connected beehives, using Node-RED and MQTT on ports 1880 and 1883. I tried to modify the VirtualHost declaration:

Code:

<VirtualHost *:80 *:443 *:1880 *:1883>
    SSLEngine On
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /srv/www/example.www
</VirtualHost>

Despite this, the data from the beehives don't display.

How can I perform this?

tunk
Posts: 1205
Joined: 2017/02/22 15:08:17

Re: SSL certificate problem

Post by tunk » 2022/07/14 12:50:53

Firewall?

Fabien
Posts: 18
Joined: 2022/05/23 13:16:20

Re: SSL certificate problem

Post by Fabien » 2022/07/14 13:23:47

Hello!

These ports were already allowed by the firewall before I installed the SSL packages.

Code:

$ sudo firewall-cmd --permanent --add-port=1880/tcp
Warning: ALREADY_ENABLED: 1880:tcp
success

$ sudo firewall-cmd --permanent --add-port=1883/tcp
Warning: ALREADY_ENABLED: 1883:tcp
success

$ sudo firewall-cmd --reload
success

$ sudo systemctl restart httpd

So, they're still open. Apparently.

Any tip?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSL certificate problem

Post by TrevorH » 2022/07/14 13:46:34

I think it very unlikely that httpd has anything to do with MQTT ports.
