LinuxQuestions.org
Old 05-15-2014, 08:50 AM   #1
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 789

Rep: Reputation: Disabled
SSL - Remove untrusted connection warning from Apache server


I am adding ssl to my website, but I still have that "Untrusted connection" warning.

I first generated my own certificate as follows:

Code:
# generate mysite.com's RSA keypair with 3072 bits and encrypt it
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -aes-128-cbc -out mysite_key.pem

# generate a certificate signing request.  Used FQDN of server (i.e. mysite.com).  Use email with dot to prevent spam.  Didn't include an "extra" password
openssl req -new -key mysite_key.pem -sha256 -days 365 -out mysite_csr.pem

# Remove pass-phrase from the key
cp mysite_key.pem mysite_key.pem.tmp
openssl rsa -in mysite_key.pem.tmp -out mysite_key.pem
rm -f mysite_key.pem.tmp

# sign the certificate with the key itself.  Skip this step if using a CA (NOTE.  I DID THIS STEP)
openssl x509 -req -in mysite_csr.pem -signkey mysite_key.pem -sha256 -days 365 -out mysite_crt.pem

# Copy the files to the correct locations (don't move them, since that causes problems with SELinux). Be sure to keep them readable only by root
cp mysite_key.pem /etc/pki/tls/private/mysite_key.pem
cp mysite_csr.pem /etc/pki/tls/private/mysite_csr.pem
cp mysite_crt.pem /etc/pki/tls/certs/mysite_crt.pem
rm -f mysite_key.pem
rm -f mysite_csr.pem
rm -f mysite_crt.pem
Things worked fine, but I obviously had the untrusted connection warning.

I then went to https://www.startssl.com/, gave them /etc/pki/tls/private/mysite_csr.pem, and got a certificate. I saved it as /etc/pki/tls/certs/mysite_startssl.crt.

My /etc/httpd/conf/httpd.conf file is shown below. I also updated my /etc/httpd/conf.d/ssl.conf file with my ssl credentials, however, I don't think it was necessary since I have my ssl credentials in a virtual host.

When starting up Apache, I get the following warnings:
Code:
[Thu May 15 08:39:20 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 15 08:39:20 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:39:20 2014] [notice] Digest: generating secret for digest authentication ...
[Thu May 15 08:39:20 2014] [notice] Digest: done
[Thu May 15 08:39:20 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:39:20 2014] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.5.12 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
I've also tried commenting out SSLCertificateFile /etc/pki/tls/certs/easysbt_crt.pem , but then get the following error. Note that since I originally was using self-signed keys, I did generate a certificate even though my instructions told me to skip it if I was using a CA certificate.
Code:
[Thu May 15 08:38:56 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 15 08:38:56 2014] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/httpd/conf/httpd.conf:1053)
EDIT. I also tried using my startssl certificate for SSLCertificateFile, and not using SSLCACertificateFile (even though this just seems wrong), and get the following:
Code:
[Thu May 15 08:53:28 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 15 08:53:28 2014] [warn] RSA server certificate CommonName (CN) `www.mysite.com' does NOT match server name!?
[Thu May 15 08:53:28 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:53:29 2014] [notice] Digest: generating secret for digest authentication ...
[Thu May 15 08:53:29 2014] [notice] Digest: done
[Thu May 15 08:53:29 2014] [warn] RSA server certificate CommonName (CN) `www.mysite.com' does NOT match server name!?
[Thu May 15 08:53:29 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:53:29 2014] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.5.12 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
EDIT2. Also, tried changing my ServerName from mysite.com to www.mysite.com, but still have warnings.
Code:
[Thu May 15 08:59:16 2014] [notice] caught SIGTERM, shutting down
[Thu May 15 08:59:16 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 15 08:59:17 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:59:17 2014] [notice] Digest: generating secret for digest authentication ...
[Thu May 15 08:59:17 2014] [notice] Digest: done
[Thu May 15 08:59:17 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:59:17 2014] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.5.12 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
Please provide any recommendation. Thank you.

Code:
<VirtualHost *:80>
    ServerName mysite.com
    ServerSignature Off
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>

NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine on
    #strong encryption ciphers only
    #see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
    SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
    SSLCertificateFile /etc/pki/tls/certs/mysite_crt.pem
    SSLCertificateKeyFile /etc/pki/tls/private/mysite_key.pem
    SSLCACertificateFile  /etc/pki/tls/certs/mysite_startssl.crt
    ServerName mysite.com
    ServerAlias www.mysite.com mysite.net www.mysite.net mail.mysite.com smtp.mysite.com ftp.mysite.com
    DocumentRoot /var/www/mysite/html

    <Directory "/var/www/mysite/html">
        allow from all
        Options +Indexes

        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /

            ## If the request is for a valid directory, file, or link, don't do anything
            RewriteCond %{REQUEST_FILENAME} -d [OR]
            RewriteCond %{REQUEST_FILENAME} -f [OR]
            RewriteCond %{REQUEST_FILENAME} -l
            RewriteRule ^ - [L]

            #remove the trailing slash
            RewriteRule (.+)/$ $1

            #Replaces file if "." is not in the string (i.e. it will not replace file.html, but will replace file)
            RewriteRule ^([^.]+)$ $1.html [L]
        </IfModule>
    </Directory>

</VirtualHost>

Last edited by NotionCommotion; 05-15-2014 at 09:01 AM.
 
Old 05-15-2014, 01:26 PM   #2
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 789

Original Poster
Rep: Reputation: Disabled
In hindsight, this post is likely not dedicated to Linux, and likely should have been posted on a more Apache centric website.

Agree?
 
Old 05-15-2014, 02:18 PM   #3
EDDY1
LQ Addict
 
Registered: Mar 2010
Location: Oakland,Ca
Distribution: wins7, Debian wheezy
Posts: 6,841

Rep: Reputation: 649
Although I know nothing about servers, I can say that I get that warning when the time & date on my machine isn't correct.
 
Old 05-16-2014, 07:54 AM   #4
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 789

Original Poster
Rep: Reputation: Disabled
Turns out I needed to set SSLCertificateChainFile in /etc/httpd/conf/httpd.conf.
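An added example, not code from this thread: a POSIX sh pre-flight script that checks the three things that went wrong in the original post before Apache is restarted, and that the fix in this reply (SSLCertificateChainFile) actually resolves. It assumes only the openssl command line and an unencrypted key file (the original post strips the passphrase). The root and intermediate file names in the usage comment are placeholders; the StartSSL intermediate is whatever file that CA provided, which the thread does not name.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an Apache mod_ssl
# virtual host using only the openssl CLI. Every path is an argument, nothing
# here is tied to the poster's files.

# key_matches_cert CERT KEY
# Succeeds when the public key embedded in CERT is the one derived from KEY,
# i.e. SSLCertificateFile and SSLCertificateKeyFile belong together.
# KEY must be unencrypted (no passphrase prompt is possible here).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_names CERT
# Prints the subject CN and every DNS entry of subjectAltName, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline 2>/dev/null \
        | sed -n 's/^ *CN=//p'
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep 'DNS:' | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_covers_name CERT NAME
# Succeeds when NAME is exactly the CN or a DNS SAN (wildcards not handled).
# Apache's "CommonName (CN) ... does NOT match server name" warning in the
# thread is this comparison done against ServerName.
cert_covers_name() {
    cert_names "$1" | grep -qxF "$2"
}

# chain_verifies CERT CHAIN ROOT
# Succeeds when CERT chains to the trusted ROOT through the intermediates in
# CHAIN, which is the path a browser has to build. Apache sends CHAIN via
# SSLCertificateChainFile; without it the browser cannot reach a trusted root.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# check_ssl_vhost SERVERNAME CERT KEY CHAIN ROOT
# Runs all checks, prints one line per finding, returns 0 only if all pass.
check_ssl_vhost() {
    failures=0
    if key_matches_cert "$2" "$3"; then
        echo "ok:   $3 is the private key for $2"
    else
        echo "FAIL: $3 is not the key for $2 (wrong SSLCertificateKeyFile?)"
        failures=$((failures + 1))
    fi
    if cert_covers_name "$2" "$1"; then
        echo "ok:   $2 covers ServerName $1"
    else
        echo "FAIL: ServerName $1 is neither the CN nor a DNS SAN of $2"
        failures=$((failures + 1))
    fi
    if chain_verifies "$2" "$4" "$5"; then
        echo "ok:   $2 verifies with $4 as the intermediate chain"
    else
        echo "FAIL: $2 does not chain to $5 through $4 (SSLCertificateChainFile?)"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Stand-alone usage (root.pem and intermediate.pem are placeholder names):
#   sh check_ssl_vhost.sh www.mysite.com /etc/pki/tls/certs/mysite_startssl.crt \
#       /etc/pki/tls/private/mysite_key.pem /etc/pki/tls/certs/intermediate.pem \
#       /etc/pki/tls/certs/root.pem
[ $# -eq 5 ] && check_ssl_vhost "$@"
```

The directive mapping the script checks against: SSLCertificateFile is the CA-issued server certificate (mysite_startssl.crt in the thread, not the self-signed mysite_crt.pem), SSLCertificateKeyFile is the key the CSR was generated from, and SSLCertificateChainFile is the CA's intermediate certificate(s). SSLCACertificateFile, which the original post tried, only names the CAs trusted for verifying client certificates and has no effect on what the server presents to browsers. The CN warning in the logs goes away when ServerName equals the certificate's CN (www.mysite.com here) or the certificate is issued for the name in ServerName.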
 