SSL certificate problem (again)

Fabien
Posts: 18
Joined: 2022/05/23 13:16:20

SSL certificate problem (again)

Post by Fabien » 2022/10/20 15:44:27

Hello,

A few months ago, I installed a self-signed SSL certificate on CentOS7.

I tried to surf on my website using the https protocol, but I had security warnings on both Chrome and Firefox.

I eventually uninstalled the SSL packages on my CentOS7 and asked for another SSL certificate from Let's Encrypt: https://rucheconnectee.mc.

It worked fine, but on my CentOS7, I also use MQTT and Node-RED to collect data: https://rucheconnectee.mc/?les-ruches-connectees. The iframe I use to embed the Node-RED charts, or the HTML link I use to display them, don't work anymore: https://80.94.97.61:1880/ui/#!/1?socket ... Uj-BmbAAEr.

Then I opened the console to display the certs folder:

ls -l
total 28
-rw-r--r--. 1 root root 1419 20 oct.  17:09 apache-selfsigned.crt.old
lrwxrwxrwx. 1 root root   49 23 juin  11:25 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root   55 23 juin  11:25 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r--r--. 1 root root 1302 15 juil. 12:09 ca.crt
-rw-r--r--. 1 root root  424 13 juil. 16:51 dhparam.pem
-rw-------. 1 root root 1537 20 oct.  17:10 localhost.crt.old
-rwxr-xr-x. 1 root root  610 28 mars   2022 make-dummy-cert
-rw-r--r--. 1 root root 2516 28 mars   2022 Makefile
-rwxr-xr-x. 1 root root  829 28 mars   2022 renew-dummy-cert
The ca.crt certificate is the one created by Let's Encrypt.

In order to list the SSL certificates, I pasted the following command:

 openssl s_client -showcerts -connect 80.94.97.61:443
and I got this:

CONNECTED(00000003)
depth=0 C = MC, ST = MONACO, L = Monaco, O = DENJS, OU = DENJS, CN = rucheconnectee.mc, emailAddress = fnguyen@gouv.mc
verify error:num=18:self signed certificate
verify return:1
depth=0 C = MC, ST = MONACO, L = Monaco, O = DENJS, OU = DENJS, CN = rucheconnectee.mc, emailAddress = fnguyen@gouv.mc
verify return:1
---
Certificate chain
 0 s:/C=MC/ST=MONACO/L=Monaco/O=DENJS/OU=DENJS/CN=rucheconnectee.mc/emailAddress=fnguyen@gouv.mc
   i:/C=MC/ST=MONACO/L=Monaco/O=DENJS/OU=DENJS/CN=rucheconnectee.mc/emailAddress=fnguyen@gouv.mc
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
---
Server certificate
subject=/C=MC/ST=MONACO/L=Monaco/O=DENJS/OU=DENJS/CN=rucheconnectee.mc/emailAddress=fnguyen@gouv.mc
issuer=/C=MC/ST=MONACO/L=Monaco/O=DENJS/OU=DENJS/CN=rucheconnectee.mc/emailAddress=fnguyen@gouv.mc
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1611 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Session-ID-ctx:
    Master-Key: XXXXXXXXXX
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    XXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXx
    XXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXX

    Start Time: 1666278785
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
closed
I looked at the VirtualHost declaration in the /etc/httpd/conf.d/ssl.conf file:

#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/ca.crt

#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
So, apparently, Apache is using the right certificate, but the openssl command shows that the SSL certificate is self-signed.

So, does my webserver use the right SSL certificate or the first one that I had self-signed?

Thanks for your help!
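The question in this post ("does my webserver use the right SSL certificate?") is answered entirely by two things in the s_client output: whether the served leaf's issuer equals its subject, and the final "Verify return code". The following is an added example, not code from this thread or from CentOS/OpenSSL: a small parser for `openssl s_client -showcerts` output that extracts those fields and gives a verdict. The two sample outputs embedded in it are constructed (example.test names, generic CA names) to mirror the shape of the "before" and "after" captures in this thread; the function names and the "Example CA" issuer string are assumptions for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample (not captured from the thread's server): the lines of
# `openssl s_client -showcerts` output that matter when the server presents
# a self-signed certificate (leaf only, verify error 18).
SELF_SIGNED_OUTPUT = """\
depth=0 C = XX, O = Example, CN = www.example.test
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:/C=XX/O=Example/CN=www.example.test
   i:/C=XX/O=Example/CN=www.example.test
---
Server certificate
subject=/C=XX/O=Example/CN=www.example.test
issuer=/C=XX/O=Example/CN=www.example.test
---
    Verify return code: 18 (self signed certificate)
"""

# Constructed sample: the same server after it was pointed at a CA-issued
# certificate plus its intermediate (two chain entries, verify code 0).
CA_ISSUED_OUTPUT = """\
depth=2 C = US, O = Example Root Org, CN = Example Root CA
verify return:1
depth=1 C = US, O = Example CA, CN = Example Intermediate
verify return:1
depth=0 CN = www.example.test
verify return:1
---
Certificate chain
 0 s:/CN=www.example.test
   i:/C=US/O=Example CA/CN=Example Intermediate
 1 s:/C=US/O=Example CA/CN=Example Intermediate
   i:/C=US/O=Example Root Org/CN=Example Root CA
---
Server certificate
subject=/CN=www.example.test
issuer=/C=US/O=Example CA/CN=Example Intermediate
---
    Verify return code: 0 (ok)
"""

@dataclass
class HandshakeReport:
    subject: str = ""                   # leaf certificate subject DN
    issuer: str = ""                    # leaf certificate issuer DN
    chain_len: int = 0                  # certificates the server sent
    verify_code: Optional[int] = None   # final "Verify return code"
    verify_text: str = ""
    errors: List[Tuple[int, str]] = field(default_factory=list)

    def self_signed(self) -> bool:
        # A leaf whose issuer DN equals its subject DN was signed by its own key.
        return bool(self.subject) and self.subject == self.issuer

    def verified(self) -> bool:
        return self.verify_code == 0

_CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:")
_VERIFY_ERROR = re.compile(r"^verify error:num=(\d+):(.*)$")
_VERIFY_CODE = re.compile(r"Verify return code: (\d+) \((.*)\)")

def parse_s_client(text: str) -> HandshakeReport:
    # Pull out only what answers "which certificate is this server handing out?"
    report = HandshakeReport()
    in_server_cert = False
    for line in text.splitlines():
        if line.strip() == "Server certificate":
            in_server_cert = True
            continue
        if in_server_cert and line.startswith("subject="):
            report.subject = line[len("subject="):].strip()
        elif in_server_cert and line.startswith("issuer="):
            report.issuer = line[len("issuer="):].strip()
            in_server_cert = False
        elif _CHAIN_ENTRY.match(line):
            report.chain_len += 1
        m = _VERIFY_ERROR.match(line)
        if m:
            report.errors.append((int(m.group(1)), m.group(2)))
        m = _VERIFY_CODE.search(line)
        if m:
            report.verify_code = int(m.group(1))
            report.verify_text = m.group(2)
    return report

def issued_by(report: HandshakeReport, ca_name: str) -> bool:
    # True when the served leaf names `ca_name` in its issuer DN, e.g. "Let's Encrypt".
    return ca_name in report.issuer

def diagnose(report: HandshakeReport) -> str:
    # One-word verdict: self-signed, untrusted (chain sent but not verified), or ok.
    if report.self_signed():
        return "self-signed"
    if not report.verified():
        return "untrusted"
    return "ok"
```

Feed it the text you captured with `openssl s_client -showcerts -connect host:port` and check `diagnose()` and `issued_by(report, "Let's Encrypt")`; a chain length of 1 together with subject equal to issuer is the signature of the self-signed certificate seen in this post, whatever the config file says. Note that a verdict of "ok" only means the chain validated against the trust store of the machine running openssl, not that the name in the certificate matches the host you connected to.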

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSL certificate problem (again)

Post by TrevorH » 2022/10/20 15:59:12

First, I don't think any of that looks very right. Letsencrypt should not install a ca.crt, at least not automatically. If you run /etc/pki/tls/misc/c_info /etc/pki/tls/certs/ca.crt then does it say it is the cert you think it is?

Also, and more importantly, https://80.94.97.61:1880/ui/#!/1?socket ... Uj-BmbAAEr is not an Apache httpd standard port to listen on, so this is quite likely to be a different package and will need its own SSL certificate (or a copy of the one you already have). Different server programs use different configurations to point to the SSL cert and this looks like a different thing than httpd.

openssl s_client -showcerts -connect 80.94.97.61:443

This is not an LE cert. If it was then it would say

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = your.domain.com

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Fabien
Posts: 18
Joined: 2022/05/23 13:16:20

Re: SSL certificate problem (again)

Post by Fabien » 2022/10/21 11:42:08

Hello!

Thanks for your detailed reply!

Here's the result of the /etc/pki/tls/misc/c_info /etc/pki/tls/certs/ca.crt command:

$ /etc/pki/tls/misc/c_info /etc/pki/tls/certs/ca.crt

/etc/pki/tls/certs/ca.crt
subject= /C=MC/ST=MONACO/L=Monaco/O=DENJS/OU=DENJS/CN=rucheconnectee.mc/emailAddress=fnguyen@gouv.mc
issuer= /C=MC/ST=MONACO/L=Monaco/O=DENJS/OU=DENJS/CN=rucheconnectee.mc/emailAddress=fnguyen@gouv.mc
notAfter=Jul 15 10:08:42 2023 GMT
--------
The 1880 port is used by Node-RED to listen to the sensors we use in our project.

So, if this certificate is the self-signed one, can I ask LE to generate another one to be used by my web server? Can I delete this one?

BShT
Posts: 584
Joined: 2019/10/09 12:31:40

Re: SSL certificate problem (again)

Post by BShT » 2022/10/21 12:52:35

Use certbot and proxy with Apache: then Apache will listen on 443 and proxy to 1880, and certbot can renew your certs.

<VirtualHost *:80>
ServerName yourproject.com
DocumentRoot /var/www/html/yourproject
ProxyPass /.well-known !

ProxyPreserveHost On
ProxyPass / http://localhost:1880/
ProxyPassReverse / http://localhost:1880/
</VirtualHost>

Fabien
Posts: 18
Joined: 2022/05/23 13:16:20

Re: SSL certificate problem (again)

Post by Fabien » 2022/10/21 13:32:47

Hello!

Thanks for your reply!

Do you mean I have to add a virtualhost in my /etc/httpd/conf.d/virtualhost.conf to listen to the 1880 port?

Your proposal made me look into this file, and I found this:

<VirtualHost *:80 *:443 *:1880 *:1883>
     ServerName rucheconnectee.mc
     ServerAlias rucheconnectee.mc
     DocumentRoot /var/www/html/rucheconnectee.mc
     SSLEngine on
     #SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
     #SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

     #<Directory /var/www/vhosts/rucheconnectee.mc/httpsdocs>
     #   AllowOverride All
     #</Directory>
     #DocumentRoot /var/www/vhosts/rucheconnectee.mc/httpsdocs

     SSLCertificateFile /etc/letsencrypt/live/rucheconnectee.mc/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/rucheconnectee.mc/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/rucheconnectee.mc/chain.pem
</VirtualHost>
Apparently, Apache is already listening to the 1880 port.

So, I should have an SSL certificate created by Let's Encrypt in my project file, but it doesn't seem to be used.

Should I copy these instructions into my ssl.conf file and comment out the lines referring to my ca.crt SSL certificate?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSL certificate problem (again)

Post by TrevorH » 2022/10/21 13:57:28

Your problem is that you are not using the LE cert files.

BShT
Posts: 584
Joined: 2019/10/09 12:31:40

Re: SSL certificate problem (again)

Post by BShT » 2022/10/21 13:58:55

the question is to use certbot to update your certificate automatically

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSL certificate problem (again)

Post by TrevorH » 2022/10/21 15:03:08

You still need to actually point your config files at the right certificate files.

Fabien
Posts: 18
Joined: 2022/05/23 13:16:20

Re: SSL certificate problem (again)

Post by Fabien » 2022/10/21 15:26:30

Hello!

As you proposed, I declared the LE SSL certificate in my ssl.conf file and commented all the instructions referring to the ca.crt certificate (apparently, the self-signed one).

I restarted Apache and used openssl to find out which SSL certificate was now used:

$ openssl s_client -showcerts -connect 80.94.97.61:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = rucheconnectee.mc
verify return:1
---
Certificate chain
 0 s:/CN=rucheconnectee.mc
   i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXX
-----END CERTIFICATE-----
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
XXXXXXXXXX
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=rucheconnectee.mc
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4709 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Session-ID-ctx:
    Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Start Time: 1666365466
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed
I refreshed the webpage supposed to display the Node-RED data. After having accepted to surf on this page despite the warnings, everything now seems to work fine!

Many thanks!

Fabien
Posts: 18
Joined: 2022/05/23 13:16:20

Re: SSL certificate problem (again)

Post by Fabien » 2022/10/24 06:55:28

Hello,

Sorry, but I still have a question!

Despite the following declaration in httpd.conf:

<VirtualHost *:80 *:443 *:1880 *:1883>
     ServerName rucheconnectee.mc
     ServerAlias rucheconnectee.mc
     DocumentRoot /var/www/html/rucheconnectee.mc
     SSLEngine on
     #SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
     #SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

     #<Directory /var/www/vhosts/rucheconnectee.mc/httpsdocs>
     #   AllowOverride All
     #</Directory>
     #DocumentRoot /var/www/vhosts/rucheconnectee.mc/httpsdocs

     SSLCertificateFile /etc/letsencrypt/live/rucheconnectee.mc/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/rucheconnectee.mc/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/rucheconnectee.mc/chain.pem
</VirtualHost>
When I display this page (https://rucheconnectee.mc/?les-ruches-connectees), which embeds Node-RED (which uses the 1880 port), there's a security warning that remains even if the user accepts to browse the website in Google Chrome; there is no warning in Firefox or Edge.

I tried to add:

Listen 1880 https

under the

Listen 443 https

line, but I get an error when Apache is restarted.

Is there any way to make the SSL certificate accepted by Google Chrome?

Thanks!
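BShT's suggestion earlier in the thread (put Apache in front of Node-RED and let certbot handle renewals) and the remaining Chrome warning on the :1880 iframe are addressed by the same configuration, so one added example serves both posts. This is an added example, not the thread's own virtualhost.conf and not configuration shipped by Apache, certbot or Node-RED. It assumes Node-RED listens on localhost:1880, that its dashboard lives under /ui/ (as in the iframe URL quoted above) and pushes live data over a websocket, that mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel and mod_rewrite are loaded, and that the certbot file paths shown in the thread exist. Two points it takes for granted: a Let's Encrypt certificate issued for rucheconnectee.mc can never validate a connection made to https://80.94.97.61:1880, because the name in the certificate does not match the address the browser connected to; and Apache cannot bind a port that Node-RED is already listening on, which is why adding `Listen 1880 https` alongside a running Node-RED fails at restart.

```apache
# Added example: split the plain-HTTP and TLS virtual hosts and publish the
# Node-RED dashboard through the TLS host instead of on its own port.
# Assumptions: Node-RED on localhost:1880 serving /ui/, websocket upgrades for
# the dashboard's live feed, modules listed above loaded, certbot paths present.

# Plain HTTP: leave the ACME challenge path reachable for certbot renewals,
# redirect everything else to HTTPS.
<VirtualHost *:80>
    ServerName rucheconnectee.mc
    DocumentRoot /var/www/html/rucheconnectee.mc
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# TLS: the site itself plus the dashboard, all on one origin and one certificate.
<VirtualHost *:443>
    ServerName rucheconnectee.mc
    DocumentRoot /var/www/html/rucheconnectee.mc
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/rucheconnectee.mc/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/rucheconnectee.mc/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/rucheconnectee.mc/chain.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    ProxyRequests Off
    ProxyPreserveHost On

    # Websocket upgrade requests for the dashboard go through mod_proxy_wstunnel
    # (ws:// target); ordinary requests under /ui/ are proxied as plain HTTP.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/ui/(.*)$ ws://localhost:1880/ui/$1 [P,L]
    ProxyPass /ui/ http://localhost:1880/ui/
    ProxyPassReverse /ui/ http://localhost:1880/ui/
</VirtualHost>
```

With this in place the embedding page points its iframe at https://rucheconnectee.mc/ui/ rather than at the IP address and port, so the browser sees the same Let's Encrypt certificate it already trusts for the site, and port 1880 no longer needs to be reachable from outside the host at all (keep it closed in firewalld and let only the local proxy talk to it). Run `apachectl configtest` before restarting so a typo does not take the site down, and re-check with `openssl s_client -showcerts -connect rucheconnectee.mc:443` that the served chain is the Let's Encrypt one.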
