Anyone With Experience Using Key and Certificate Files With MAMP PRO?


#1

Hello,

I have successfully installed Certbot using Homebrew on an iMac running El Capitan 10.11.6.

After some initial trouble, I realized that I had to choose “Other” as my web server software – as opposed to choosing “Apache” – because I run my web server using MAMP PRO 4.1, which uses its own proprietary version of Apache.

In other words, I think validation failed the first time around, because Certbot was looking for a running version of OS X’s built-in Apache server, which I do not use. As I said, I use MAMP PRO instead.

After choosing the actual HTML directory for my domain in my MAMP PRO folder hierarchy – as per instructions I found online – Certbot successfully installed and verified all folders and files, which were installed in “/private/etc/letsencrypt”.

This includes a subfolder called “live”, in which there is another subfolder which bears my domain name. It is inside this last folder where the actual key and certificate files are found. These files are the following:

privkey.pem
fullchain.pem
chain.pem
cert.pem

However, these are only aliases, which appear to point right back to themselves when I do a “Get Info”.

Aside from the fact that those are aliases, and not the real files, the big problem is that MAMP PRO does not recognize .pem files. They are grayed out when I navigate to them.

I added the string “AddType application/x-x509-ca-cert .pem” to MAMP PRO’s “httpd-ssl.conf” file via the “File/Edit Template” menu, but that has not helped.

So I made copies of the “privkey.pem” and “fullchain.pem” files in the “live” folder, and changed the file extensions to “.key” and “.crt”. Then I set the paths to them in MAMP PRO on the SSL tab for my domain.

MAMP PRO recognizes the files, but I still cannot connect to the HTTPS version of my website, even after I restart MAMP PRO.

I am assuming that is because those files are just aliases, and not the real files themselves.

In another folder called “csr”, there is a file called “0000_csr-certbot”; and in a folder called “keys” there is another file called “0000_key-certbot”.

I made copies of these two files as well, and changed their extensions to “.crt” and “.key”, and then set their path in MAMP PRO on the SSL tab for my domain.

But that still does not help. I still cannot connect to the HTTPS version of my server.

On top of all of that, if I create a second copy of my domain in MAMP PRO, and then set it up for SSL – even if those two files are wrong – I cannot connect to the regular HTTP version of my site either. Only after I remove the SSL version can I connect to the regular version again.

So I don’t know what to try next. I have run out of ideas. I would really appreciate some help with this.

Thanks so much!


#2

Hi @IslandBoy,

A CSR is not a certificate. You should never try to use the CSR as the certificate.

Can you tell me the output of running

ls -l /private/etc/letsencrypt/live/*

at your terminal prompt?

Are you saying that MAMP PRO is giving you some kind of graphical configuration interface, but that you still also have the ability to see the actual Apache configuration files that it creates?


#3

Hello Seth,

Thanks for responding so quickly.

As you can probably tell, I am totally new to trying to implement SSL on my MAMP PRO web server.

Here is my Terminal output:

-rw-r--r-- 1 root wheel 543B Feb 10 05:42 README
lrwxr-xr-x 1 root wheel 43B Feb 10 05:42 cert.pem@ -> ../../archive/www.billkochman.com/cert1.pem
lrwxr-xr-x 1 root wheel 44B Feb 10 05:42 chain.pem@ -> ../../archive/www.billkochman.com/chain1.pem
lrwxr-xr-x 1 root wheel 48B Feb 10 05:42 fullchain.pem@ -> ../../archive/www.billkochman.com/fullchain1.pem
lrwxr-xr-x 1 root wheel 46B Feb 10 05:42 privkey.pem@ -> ../../archive/www.billkochman.com/privkey1.pem

So would I be correct to assume that those are the actual original files — in the “archive” directory — of which the files in the “live” folder are the aliases?

Regarding MAMP PRO, yes. For each host that you set up, there is an SSL tab.

On that pane, there are various options, which include the following:

  1. a box to enable SSL for that domain.

  2. a button to navigate to the actual certificate, and thus set the path for MAMP PRO.

  3. a button to navigate to the actual key file, and thus set the path for MAMP PRO.

  4. a button to create a self-signed certificate, which is pointless, being as Firefox throws up a warning with self-signed certificates, and we both know that Google will even less accept one, given their current SSL push.

  5. a button to select the certificate chain file (Apache only), and thus set its path for MAMP PRO.

  6. a box to “Only allow https connections using TLS protocols”.

As I said previously, once I figured out that I had to choose “Other” instead of “Apache” so that Certbot could verify the location of my actual HTML directory for billkochman.com, the installation of the aforementioned files went smoothly.

However, as I also said, when I click on the aforementioned buttons to set the paths, all of the .pem files are greyed out.

I just tried doing the same thing, but this time using the files in the “archive” folder instead, but the result is still the same. They are greyed out, because they are .pem files, which MAMP PRO apparently does not recognise.

BTW, on three of those folders I had to change permissions, just so I could see what was in them, because permissions were only set for root. So, I changed the second one from “wheel” to “admin” so I can see what is in there.

Also, yes, under MAMP PRO’s “File/Edit Template” option, you can edit different conf files. But I rarely mess with that, other than to make sure that the paths are pointing correctly to my errors folder.

I hope the above gives you an idea of what is going on.

Kind regards,

Bill


#4

That’s right. (The Unix term that we use is “symbolic links”, but that refers to the same thing as aliases.)

Are you pretty confident that the only thing that MAMP PRO doesn’t like is the extensions in the filenames, and that the format isn’t actually wrong?

You could try doing

sudo mkdir /etc/letsencrypt/mamp
cd /etc/letsencrypt/mamp
sudo ln -s ../live/www.billkochman.com/cert.pem cert.crt
sudo ln -s ../live/www.billkochman.com/chain.pem chain.crt
sudo ln -s ../live/www.billkochman.com/fullchain.pem fullchain.crt
sudo ln -s ../live/www.billkochman.com/privkey.pem privkey.key

At that point you would have objects with the appropriate names (from MAMP PRO’s point of view) in /etc/letsencrypt/mamp, so maybe it would be prepared to accept them in its config.

Alternatively, you could bypass the MAMP PRO configuration interface completely and edit the configuration files directly; if they’re really Apache configuration files, it might be straightforward to set them to use the files that Certbot has already given you.


#5

Hello again Seth,

I have been waiting to hear from you. But it is actually a good thing that you took a while to respond, because I was tinkering with all of this, and using my noodle to try to figure it out. I am happy to report that I have had some successes over the past hour, and almost have it all worked out now. Furthermore, I more or less did what you suggest in your latest message to me.

Following is a message which I had already prepared for you, but hadn’t sent yet, because I was still working on getting MAMP PRO working right with SSL. Only one kink remains:

—————

Based on what you told me earlier, I assumed that the files in the “archive” directory are the ones that MAMP PRO really needs to see, and not the aliased .pem files that I was pointing to previously.

So, I tried the following, and have met with some success:

  1. In the “archive” folder, I made a copy of three files:

chain1.pem
fullchain1.pem
privkey1.pem

  2. I manually renamed them in the OS X Finder as follows, based on my assumption of what each file is according to the Read Me file:

chain1.crt
fullchain1.crt
privkey1.key

  3. Next, I went back to the SSL tab in MAMP PRO for my billkochman.com virtual host.

  4. I enabled SSL again, and set the path for those three files.

  5. I rebooted both MAMP PRO’s Apache and mySQL servers.

  6. I tried going to https://www.billkochman.com/, and I met with success. However, none of the images on the web pages were appearing.

I had read earlier this morning that I might need to have both a regular http virtual host set up for www.billkochman.com, as well as an https virtual host for www.billkochman.com set up, and they both must point to the same HTML directory. If you are interested, you can read about it at these two URLs on the MAMP PRO website:

http://documentation.mamp.info/en/MAMP-PRO-Mac/Settings/Hosts/SSL/

http://documentation.mamp.info/en/MAMP-PRO-Mac/How-Tos/#ssl_host

  7. So I recreated the regular http virtual host for www.billkochman.com in MAMP PRO’s “Host” list — it is all GUI, BTW — but I did not enable SSL for it, or set the paths to the various SSL files.

In short, I have two hosts in my Hosts list in MAMP PRO, both named www.billkochman.com, and both point to the same HTML directory. The only difference is that one has SSL enabled, while the other one does not.

Once I did that, all of my images now appear in the https version of my site as well.

There was a problem where the regular http version of billkochman.com would not load in my web browser — Firefox 51.0.1. The progress wheel just kept spinning, and in the browser tab for that URL, where it says connecting, the text was just shaking back and forth left and right in the tab.

So, not only did I shut down MAMP PRO, but I rebooted my machine as well.

That solved the issue, and now BOTH the http and https versions of my site are loading in Firefox 51.0.1

The one remaining problem is this:

Because the https version of the site is apparently grabbing the images from the regular http version of the site, the little lock icon is half gray, and has a yellow caution sign on half of it. When I click on the lock, it says:

“Connection is not secure. Parts of this page are not secure (such as images).”

So how would I actually secure them?

I am wondering if I actually need to make a full duplicate of my HTML directory for www.billkochman.com, and use one for http, and the other one for https.

I would really like to avoid having to do that, because it will double the amount of work I have to do each time that I add new files to one version of the site, which I do often and on a regular basis. Plus, I will always want them both to have the same exact content. So again, we are talking about double the work if I have a separate HTML directory for SSL and non-SSL.

For simplicity’s sake, I would really like to have just the one https version of the site, and totally do away with the http version. It would certainly make Google and their AMP project very happy. BTW, I just spent weeks converting my entire site to the AMP standard and specifications, and I am still not done yet.

But, my concern is this, Seth: I run a blog, and all of my work — my articles, poetry, graphics, etc. — is syndicated to eight different social networks. We are talking about thousands of URLs leading back to my http site. So I just can’t abandon the non-SSL version of my site.

Is there some way that I can add something to MAMP PRO’s httpd.conf file, so that all http requests will automatically be redirected to https instead? My site has just over 6,000 HTML documents that need to be updated, whenever I make a major HTML code change to the site, so I can’t be putting redirect files in all of my folders. There must be an easier way.

But about the insecure graphics, what do you suggest, since both versions of the site use the same HTML directory?

Thanks. I hope I haven’t given you too many details. Most folks don’t provide enough. :slight_smile:

Kind regards,

Bill


#6

Hi,

I was going to say two things as soon as I saw what you did:

① Please never use the archive versions. The reason is that if you refer to them directly, you won’t get the benefit of renewed versions of certs from certbot renew. In order to have your certs updated automatically when doing certbot renew, always use live and completely ignore archive.

② When you started talking about copying files, I was going to say “just set a redirect!”. And that continued to be true for everything that you said about the parallel versions and the existing links. Web servers support HTTP redirects and that is the right thing to do when switching an existing site from HTTP to HTTPS. Indeed, Certbot offers to do it automatically for you if you have an Apache site and you’re running with certbot --apache. You should never have to copy content or maintain parallel versions of the site; browsers will honor the redirect automatically and go to the secure version instead of the HTTP version.

Here, I see MAMP PRO’s GUI as something of a disadvantage in the sense that if you wanted to know how to add a redirect in Apache, there are at least 6 existing threads on this forum to tell you how to do it, with examples. So far, it appears that nobody is familiar with MAMP PRO while many people here are familiar with Apache. If you can’t find how to do it in the GUI, you might want to look for a forum specific to MAMP PRO. It’s not off-topic here, but I don’t expect that people on this forum will happen to know how to deal with it. (Your experience with the file extensions seems similar here: we can point you to existing threads that describe how to configure Apache with certificates obtained by Certbot, and Apache configurations don’t care at all what the file extension is, only that the file contents are correct.)


#7

Okay, I am a little confused here. Seth.

As I mentioned earlier, MAMP PRO does not recognize the files in /etc/letsencrypt/live/www.billkochman.com as valid files to use, because they are aliases, or symbolic links, as you refer to them.

That is why I thought I had to make actual copies of the real files in the “archive” folder, and rename those with the .crt and .key file extensions. That is in fact working, except for the problem we already discussed regarding unsecure graphics. Actually, there is another new problem. Because both versions of the site share the same HTML folder, when an internal link is clicked on my site, it takes the user to the non-SSL version of the file, which I obviously do not want.

At any rate, I want to do things the right way, so I ran the terminal commands you gave me, which did indeed create a new “mamp” folder inside of /etc/letsencrypt/. But the same problem continues to exist, because those terminal commands just create more symbolic links of those same files, which MAMP PRO refuses to recognize as being valid.

So what if I took those original three copies that I made of the real files, and put those in the new “mamp” folder? Would that work without jeopardizing the certbot renew functionality?

Now, about all of the other redirect business. As I said, while I have been running a webserver for years, it has always been with a web GUI app. First it was WebSTAR, and for a number of years now, it has been MAMP PRO. So in a word, I am really a newbie and a greenhorn when it comes to adding redirects, which I assume would go in MAMP PRO’s httpd.conf file.

Let me remind you again, that MAMP PRO IS an Apache server. It just uses its own version of Apache in its MAMP folder in my /Applications folder.

So let me ask what may seem like a dumb question, or maybe not:

Can I just set up one redirect, so that all web browser requests directed to the non-SSL version of billkochman.com will be redirected to the SSL version, or do I have to create a redirect for every single HTML file on my site, and then some? That is over 6,000 individual HTML files.

Now, about Certbot, as I explained before, I had to choose “Other” instead of “Apache” as my web server, because when I chose “Apache”, Certbot was looking for an active OS X version of Apache in order to validate the files it had installed, instead of MAMP PRO’s version of Apache.

So, as I explained before, the minute I chose “Other”, and then followed instructions by pointing Certbot to my actual HTML folder for billkochman.com, it recognized my domain as being valid, and the certificate and key files were installed and verified in /etc.

So what I am getting to is this question: Is there some Terminal command I can use so that Certbot can do the automatic switching from HTTP to HTTPS, and create the redirects for me, but inside of MAMP PRO’s copy of Apache, instead of inside of OS X’s copy of Apache?

I apologize for so many questions, but I really am trying to understand all of this, and do this right. Plus, my excuse is that I am sick right now, and in my 60s on top of it. :slight_smile:


#8

Well, now I have gone and screwed myself up royally.

After conducting some online research at the apache website, and in a few other places, I tried to add a virtual host redirect section to MAMP PRO’s httpd.conf template. After you add changes there, it appends them to the real httpd.conf file, I believe.

Anyway, I tried the following, based on what I read online:

<VirtualHost *:80>
    ServerName www.billkochman.com
    Redirect / https://www.billkochman.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.billkochman.com
    # … SSL configuration goes here
</VirtualHost>

When that seemed to fail to work, I then added the following rewrite rule to my domain’s .htaccess file, which is located at the top level of the www.billkochman.com root folder.

I don’t know what happened after that, but now neither my Apache server or my mySQL server will start.

I removed what I had added to the httpd.conf file. I removed the rewrite rule from the .htaccess file. I removed the host entry I had made for the SSL version of my domain in MAMP PRO’s hosts list. I removed all of the copies and symbolic links I had made for Let’s Encrypt’s files. I restarted MAMP PRO multiple times, rebooted my machine multiple times, and even then reinstalled MAMP PRO over top of my current installation, saving, of course, my db files, as well as all of my virtual hosts folders.

Despite doing all of that, I am still dead in the water, and don’t know what to do. Even the apache log file in the console doesn’t show anything. I am so frustrated now. I am just going to bed. :frowning:

Okay . . . Just an update to my last comment above . . .

I got both my Apache server and my mySQL server working again. Oh what a relief!

But now everything is pretty much back in a virgin state insofar as SSL / Let’s Encrypt / Certbot are concerned.

In other words, Certbot is still installed, as are all of the original virgin Let’s Encrypt folders and files in /private/etc.

But everything I did after that is now gone.

There is now just my one domain www.billkochman.com, and not two.

I removed all of the SSL paths I had set in MAMP Pro for my domain, to the copies of the various certificate and key files in /etc.

If you can just tell me the correct way to add the redirect to the “Virtual Hosts” section of MAMP PRO’s httpd.conf Apache template, so that all http requests are sent to https instead, I will try again.

I also need to know if my previous idea will work. That is, can I make copies of those four files in “archive”, and put them in /etc/letsencrypt/mamp? Being as they are totally separate files – and not symbolic links or aliases – they should have no effect on the files in “archive” and thus not mess up that auto update feature, right? Or at least I hope not.

If I can just get those two things right, I think I might be able to get it working properly, without having two root folders for my domain – one SSL, and one non-SSL – as I was trying to do before.

Again, I apologize for taking up so much of your time, but I really want to get this done, so that my site doesn’t fall behind in the dust when the rest of the online world adopts SSL, and giants like Google refuse to even acknowledge sites that don’t implement it.

Thanks again for your time and patience.


#9

Hello again Seth,

It has been a few days since I last heard from you, but I wanted to let you know that I have made some significant progress since last writing to you.

After a lot of struggle, frustration and head-scratching, plus piles of online research and trying out a lot of different example codes in MAMP PRO’s httpd.conf template file, I finally got SSL and redirects to work properly, by using RedirectMatch. As a result, all requests for http URLs are now immediately redirected to their https counterparts from the top down.

So, in just a few weeks, I now have both AMP and SSL fully implemented on my main website.

There still remains the issue with MAMP PRO not recognising the .pem file symbolic links in the “live” folder as valid files, so I have had to continue using copies of the real files from the “archive” folder in a new subfolder called “mamp” under the “letsencrypt” folder.

I have been in touch with the MAMP PRO developers regarding this issue, and they tell me that they are currently reworking how their app creates an SSL version of a host. So, hopefully, they will find a more legit solution to how I am currently doing it.

One question you never responded to is whether or not my method will break the “certbot renew” functionality. My current understanding is that it won’t, being as I am not actually touching the files in the “archive” folder.

However, I also realize that because I am not using symbolic links/aliases, whenever I do renew, I am going to have to manually replace the certificate and key files that I am currently using in the “mamp” folder, with the new versions, meaning every three months.

One new issue I am now facing, which I haven’t yet resolved, is that I can’t get Googlebot to read my new sitemap file. Their automated message on the Webmaster Tools site says that it recognizes my robots.txt file, but that it cannot download it, so it cannot proceed with crawling the sitemap file itself. This has never happened before.

I am perplexed by this, because even if I set the file’s permissions to 777, Googlebot still can’t download it.

Googlebot also says I can just trash the robots.txt file if I really don’t need it. However, even if I remove it from the root folder, and reboot my web server, and try again to get Google to read my sitemap file, it STILL says that the robots.txt file is there, and that it cannot download it. So I don’t know what to think at this point.

I don’t know if it is an SSL redirection issue or not.

Any ideas?

Thanks!


#10

Hi @IslandBoy, I’m glad you’re making progress!

Your description of the situation with renewals is correct; you can perform renewals with Certbot but you’ll still have to repeat the configuration process that you did before if you’re not using the live versions of everything.

For your other questions, I’d suggest checking with a webmasters’ forum or Google forum of some sort, because I’m not familiar with the Googlebot stuff and it’s not exactly the topic of this forum. There’s probably somewhere else where people will know better.

I did notice that your robots.txt contents are a little wrong because the paths specified don’t begin with /, which they ought to. But I don’t know whether that has anything to do with the problems you’re seeing. (Maybe “cannot download” means “cannot parse” here?) There are probably also online tools that will check robots.txt for you and make sure it’s correct, so maybe one of those can help you diagnose the situation better.
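Seth’s two points in #6 and #10 (always reference live, never archive; and if you copy files you have to redo it after every renewal) can be combined: keep copies with the .crt/.key names MAMP PRO accepts, but have Certbot refresh them. The script below is an added example and is not code from this thread, from Certbot or from MAMP PRO. It reads through the live/ symlinks and writes regular files into a separate directory, so archive/ is never referenced and nothing there is touched. The domain and the two directories are assumptions; `--deploy-hook` and the `RENEWED_LINEAGE` variable are Certbot features, but the script itself is mine.

```shell
#!/bin/sh
# Added example, not code from the thread, Certbot or MAMP PRO.
# Copies Certbot's *live* files (following the symlinks) into a directory whose
# filenames MAMP PRO's SSL tab accepts, so archive/ is never referenced and the
# copies are refreshed on every renewal. Domain and directories are assumptions.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/www.billkochman.com}"
MAMP_DIR="${MAMP_DIR:-/etc/letsencrypt/mamp}"
# live name -> MAMP PRO name, one pair per word
PAIRS="cert.pem:cert.crt chain.pem:chain.crt fullchain.pem:fullchain.crt privkey.pem:privkey.key"

# sync_certs LIVE_DIR DEST_DIR
# Replaces DEST_DIR/<name> with a regular-file copy of LIVE_DIR/<name>.
# Returns 1 if any source is missing or a copy fails.
sync_certs() {
    src="$1"; dest="$2"
    mkdir -p "$dest" || return 1
    for pair in $PAIRS; do
        from="${pair%%:*}"; to="${pair##*:}"
        [ -r "$src/$from" ] || { echo "missing $src/$from" >&2; return 1; }
        # cp reads through the live/ symlink and writes a real file; go via a
        # temporary name so Apache never opens a half-written certificate.
        cp "$src/$from" "$dest/$to.tmp" && mv "$dest/$to.tmp" "$dest/$to" || return 1
    done
    chmod 600 "$dest/privkey.key"                                  # key: owner only
    chmod 644 "$dest/cert.crt" "$dest/chain.crt" "$dest/fullchain.crt"
    return 0
}

# copies_are_fresh LIVE_DIR DEST_DIR
# Returns 0 only if every copy is byte-identical to the current live file,
# i.e. nothing is left over from before the last renewal.
copies_are_fresh() {
    for pair in $PAIRS; do
        cmp -s "$1/${pair%%:*}" "$2/${pair##*:}" || return 1
    done
    return 0
}

# As a Certbot deploy hook (certbot renew --deploy-hook "/path/to/this.sh run")
# Certbot exports RENEWED_LINEAGE, the live/<domain> directory it just renewed.
if [ "${1:-}" = run ]; then
    sync_certs "${RENEWED_LINEAGE:-$LIVE_DIR}" "$MAMP_DIR" || exit 1
    echo "copied current certificate files into $MAMP_DIR"
    # Restart MAMP PRO's Apache here so it loads the new files (how depends on
    # your MAMP PRO installation; left as an assumption).
fi
```

Run it once by hand as `sudo sh sync-certs.sh run`, point MAMP PRO’s SSL tab at the files in /etc/letsencrypt/mamp, and register it with `certbot renew --deploy-hook "/path/to/sync-certs.sh run"` so the copies follow each renewal; `copies_are_fresh` is there so a cron job or a quick manual check can tell whether the copies have fallen behind the live files.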


#11

Hello Seth. Thanks again for your input.

Don’t you just love it when you make stupid mistakes that cause you headaches and frustration for days or much longer?

Well, either my machine has gremlins, or at some point – either because I was apparently very tired, or my eyes were blurry – I am not young anymore – the wrong node number ended up in my router’s port forwarding section, so that port 443 was NOT pointing to the machine where my web server is installed. Either that, or one of our frequent power fluctuations or outages messed up my router settings for port 443.

At any rate, once I fixed that, SSL and redirects are working fully and properly, and the Googlebot easily found my robots.txt file and sitemap file.

I did add the forward slashes at the beginning of each allow and disallow. If you have a minute to spare, can you check and verify that I got it right this time?

Thanks for your time. I really appreciate it.


#12

It looks like the robots.txt is right now; it does have a redundancy because you have one stanza for Googlebot and one stanza for everybody else, but the stanzas have identical contents. You could choose to remove the Googlebot one and leave the other one in place.


#13

Yes, I am aware of that. The reason why I did it that way was a sort of “insurance policy” due to the problems I was having with Googlebot. I figured that even if no other bots could connect to my server, I wanted to make sure that at least Googlebot could. After all, what is life for a website and webmaster, if not Google? :slight_smile: :slight_smile:

Yes, yes, master. I will combine them into one now that the Googlebot issue has passed.

Domo arigato gozaimashita, my friend.


#14

Seth, as a final confirmation, can you please verify that I have the following paths set correctly? I just want to make sure that I don’t have fullchain.crt and chain.crt in reverse order here. Thanks!

Where MAMP PRO asks for the certificate file, I gave the path for “fullchain.crt”.

Where MAMP PRO asks for the certificate key file, I gave the path for “privkey.key”.

Where MAMP PRO asks for certificate chain file (Apache Only), I gave the path for “chain.crt”.


#15

Those sound reasonable, but the best thing to do is check with https://www.ssllabs.com/ssltest/ to make sure that your configuration is right.
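The order question in #14 can also be checked locally, because of how Certbot lays the files out: fullchain.pem is cert.pem (the single leaf certificate) followed by chain.pem (the intermediates), so the file MAMP PRO gets as “certificate” should have exactly one certificate block, the “chain” file fewer blocks than fullchain, and the three must concatenate consistently. The script below is an added example, not code from the thread; it uses the .crt/.key names from this thread, assumes the copies live in /etc/letsencrypt/mamp, and the `openssl x509` / `openssl pkey` subcommands are standard OpenSSL.

```shell
#!/bin/sh
# Added example, not code from the thread. Cross-checks the files handed to
# MAMP PRO's SSL tab against Certbot's layout (fullchain = cert + chain) and,
# when openssl is installed, confirms the private key belongs to the leaf.

# pem_count FILE -> number of "BEGIN CERTIFICATE" blocks in FILE (0 if unreadable)
pem_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true   # grep -c exits 1 on 0 matches
}

# check_bundle CERT_FILE CHAIN_FILE FULLCHAIN_FILE KEY_FILE
# Returns 0 when the layout matches what Certbot produces; prints a diagnosis
# and returns 1 otherwise. Purely textual, so it also catches swapped files.
check_bundle() {
    cert="$1"; chain="$2"; full="$3"; key="$4"
    for f in "$cert" "$chain" "$full" "$key"; do
        [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
    done
    if [ "$(pem_count "$cert")" -ne 1 ]; then
        echo "certificate file should hold exactly one certificate (the leaf)"
        return 1
    fi
    if [ "$(pem_count "$full")" -le "$(pem_count "$chain")" ]; then
        echo "fullchain and chain look swapped: fullchain must hold more certificates than chain"
        return 1
    fi
    # fullchain.pem is byte-for-byte cert.pem followed by chain.pem
    if ! cat "$cert" "$chain" | cmp -s - "$full"; then
        echo "fullchain is not cert followed by chain"
        return 1
    fi
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" \
        || { echo "key file does not contain a private key"; return 1; }
    echo "ok"
    return 0
}

# key_matches_cert CERT_FILE KEY_FILE
# 0 when the public key inside the certificate equals the one derived from the
# private key, 1 when they differ or cannot be parsed, 2 when openssl is absent.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# verify_mamp_paths [DIR]: both checks over the names used in the thread.
# DIR defaults to an assumed /etc/letsencrypt/mamp.
verify_mamp_paths() {
    d="${1:-/etc/letsencrypt/mamp}"
    check_bundle "$d/cert.crt" "$d/chain.crt" "$d/fullchain.crt" "$d/privkey.key" || return 1
    key_matches_cert "$d/cert.crt" "$d/privkey.key"
    case $? in
        0) echo "private key matches certificate" ;;
        2) echo "openssl not found; key/certificate match not verified" ;;
        *) echo "private key does NOT match certificate"; return 1 ;;
    esac
    return 0
}
```

With the three paths from #14 (certificate = fullchain.crt, key = privkey.key, chain = chain.crt) Apache is happy because the first block of fullchain.crt is the leaf; `check_bundle` is the local way to confirm nothing got swapped before re-running the SSL Labs test, and `key_matches_cert` catches the other common copy mistake, a key file that belongs to an older certificate.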


#16

Well, I’ve still got an A there, so I’ll take that as meaning I’ve got it all right. :slight_smile:

