Fedora webserver https setup


#1

Hi all,

Please yell if this is the wrong forum, …

I have a Fedora server that I want to set up HTTPS on.

After pursuing what seemed like the appropriate install/test, I try to fire up my httpd and get the below failure.

In httpd/ssl.conf, I put

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLCACertificateFile /etc/letsencrypt/live/linuxlighthouse.com/fullchain.pem

But on httpd start, I get, …

[Sat Dec 12 13:14:10.608136 2015] [ssl:info] [pid 11866] AH01914: Configuring server www.linuxlighthouse.com:443 for SSL protocol
[Sat Dec 12 13:14:10.608860 2015] [ssl:debug] [pid 11866] ssl_engine_init.c(1615): AH02209: CA certificate: CN=linuxlighthouse.com
[Sat Dec 12 13:14:10.608888 2015] [ssl:debug] [pid 11866] ssl_engine_init.c(1615): AH02209: CA certificate: CN=Let’s Encrypt Authority X1,O=Let’s Encrypt,C=US
[Sat Dec 12 13:14:10.609095 2015] [ssl:debug] [pid 11866] ssl_engine_init.c(392): AH01893: Configuring TLS extension handling
[Sat Dec 12 13:14:10.609160 2015] [ssl:emerg] [pid 11866] AH02572: Failed to configure at least one certificate and key for www.linuxlighthouse.com:443
[Sat Dec 12 13:14:10.609195 2015] [ssl:emerg] [pid 11866] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned

Suggestions? TIA, jackc…


#2

Command line used for cert generation?

Vhost config?


#3

It says: “to find CA certificates for client authentication”. You’ll probably just want normal HTTPS access for your normal browsing users from the WWW for your server, right? No fancy client certificate authentication?

Therefore, you should look at the following directives: SSLCertificateFile and SSLCertificateKeyFile.

Also, if you don’t understand what you’re doing, you might want to consider reading more about it first.


#4

Yes, I do need more reading, thanks for your pointers!!


#5

:stuck_out_tongue:

After all that reading you’ll find that you’ll just have to point two Apache directives to just the right files:

SSLCertificateFile /etc/letsencrypt/live/yourdomain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.tld/privkey.pem

:wink: But I recommend reading in the first place. But sometimes they teach you to do ten different steps you now don’t require to do, so I’ll just point you to the above directives, so you won’t make it harder on yourself. But… Still… Read :stuck_out_tongue:

Oh, BTW… Which version of Apache does your server have? If it is below version 2.4.8, you still need SSLCertificateChainFile:

SSLCertificateFile /etc/letsencrypt/live/yourdomain.tld/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.tld/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.tld/privkey.pem

Notice the slight difference between the two sets of directives. I’ll leave it up to you on how and why :wink:

The second set of directives would also work on Apache versions 2.4.8 and higher, but SSLCertificateChainFile is deprecated on those versions, so it’s wiser not to use it any longer… You’ll never know when they remove support for it (if ever). :neutral_face:


#6

My Apache version is 2.4.16.

I see I need SSLCertificateFile & SSLCertificateKeyFile.

I am looking at the quick start, but I am not seeing the directives to create them.

May I ask for a bit of clarification on where to start (guessing isn’t working)?

TIA, jackc…


#7

But you already have the file /etc/letsencrypt/live/linuxlighthouse.com/fullchain.pem right? In the same directory you should find a privkey.pem…


#8

Hello @jack.craig.aptos,

First of all, rollback any changes that you performed on ssl.conf because SSLCACertificateFile is not what you need.

I don’t know what your site conf is but the ssl part for your site ( sites-enabled/yourdomain.tld.conf or similar) should look like this:

<IfModule mod_ssl.c>

<VirtualHost *:443>
ServerAdmin user@yourdomain.tld
DocumentRoot /the/path/to/your/document/root/
ServerName yourdomain.tld
ServerAlias www.yourdomain.tld

SSLEngine on
SSLCertificateFile    /etc/letsencrypt/live/yourdomain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.tld/privkey.pem
</VirtualHost>

</IfModule>

Once you get this working on your site you could add a few more directives to tune ssl ciphers, stapling, compression, etc.

Cheers,
sahsanu


#9

a) I do have the privkey.pem.

b) I backed out my ssl.conf update.

c) Your suggested text is to be added to httpd.conf, right?

d) I am going to take a WAG here and say the ‘slight’ difference you referred to includes a ‘chain’.pem not needed on my version of Apache, ??

e) Having messed up on trying this config myself, I’d like to do it right (albeit guided) this time around.


#11

try reloading apache :wink:


#12

Sorry, I wasn’t quite correct, you meant,

ServerName linuxlighthouse.com
ServerAlias www.linuxlighthouse.com

Restarting httpd comes up w/o errors in error_log,
but I don’t see an httpd listening on 443.

telnet 0 443

gives connection refused (not not listening), I wonder if SELinux is biting me, I’ll check that out, …

TIA, jackc…


#13

The image here seems to show some progress.

So while 3w.mydom now connects to https,
how do I do the same for localhost?

Or is there a reason I should not?

HUGE Thanks for respondents & their patience with a newbie!! :joy:

I guess I am easily pleased, … :wink:


#14

I get …

108.220.213.121 uses an invalid security certificate.

So my question is how to expand my created certificate to include my IP & localhost?

TIA, jackc…


#15

The IP will give an invalid certificate, because the certificate is for the domain name - not the IP address, so using the IP address will not match with the certificate.

You have all the basics set up correctly there ( https://www.ssllabs.com/ssltest/analyze.html?d=linuxlighthouse.com ) although you ideally could do with updating and improving some aspects of your server ( as described in that link)
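
Posts #5, #8 and #15 between them describe the three things a working HTTPS vhost needs: a certificate file and a key file that belong together (the pairing Apache checks at startup with SSL_CTX_check_private_key, the call that failed in #1 because no certificate had been assigned at all), a complete chain sent to the client (fullchain.pem, or cert.pem plus chain.pem on Apache older than 2.4.8), and a hostname that actually appears in the certificate (why the bare IP in #14 is rejected). The script below is an added example, not code from anyone in this thread. It performs those three checks with openssl against a throw-away PKI it builds in a temp dir; the file names mirror a /etc/letsencrypt/live/ directory but are constructed here (root.pem, chain.pem, cert.pem, fullchain.pem, privkey.pem and wrong.key are all hypothetical), and 108.220.213.121 is the address from post #14.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight the files you are about to hand
# to SSLCertificateFile / SSLCertificateKeyFile with the checks Apache and a
# browser will apply. Everything below is a throw-away PKI built in a temp dir,
# laid out like /etc/letsencrypt/live/<domain>/ (hypothetical names: root.pem,
# chain.pem, cert.pem, fullchain.pem, privkey.pem, wrong.key).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- constructed test PKI: root -> intermediate (chain.pem) -> leaf (cert.pem) ---
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
# The leaf names only the domain, as a Let's Encrypt certificate would: no IP, no localhost.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:yourdomain.tld,DNS:www.yourdomain.tld\n' >leaf.ext

openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Root' -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' -keyout chain.key -out chain.csr 2>/dev/null
openssl x509 -req -in chain.csr -CA root.pem -CAkey root.key -set_serial 1 -days 2 \
    -extfile ca.ext -out chain.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=yourdomain.tld' -keyout privkey.pem -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA chain.pem -CAkey chain.key -set_serial 2 -days 2 \
    -extfile leaf.ext -out cert.pem 2>/dev/null
cat cert.pem chain.pem >fullchain.pem           # what certbot writes as fullchain.pem
openssl genrsa -out wrong.key 2048 2>/dev/null   # an unrelated key, for the failure case

# check_pair CERT KEY: succeed only if the first certificate in CERT was issued for
# the private key in KEY. This is the test behind Apache's SSL_CTX_check_private_key
# failure; `openssl x509` reads just the first PEM block, so fullchain.pem works too.
check_pair() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# verify_chain ROOT CHAIN LEAF: build and check the path LEAF -> CHAIN -> ROOT,
# trusting only ROOT. An empty CHAIN mimics a server that sends cert.pem alone
# (Apache < 2.4.8 without SSLCertificateChainFile): a client that does not already
# hold the intermediate cannot complete the chain.
verify_chain() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
    fi
}

# verify_host ROOT CHAIN LEAF NAME and verify_ip ROOT CHAIN LEAF ADDR: the chain
# check plus the subjectAltName match a browser performs. A name or address that
# is not in the certificate fails here exactly as it fails in the browser.
verify_host() {
    openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" >/dev/null 2>&1
}
verify_ip() {
    openssl verify -CAfile "$1" -untrusted "$2" -verify_ip "$4" "$3" >/dev/null 2>&1
}

# --- run the checks as you would against /etc/letsencrypt/live/yourdomain.tld/ ---
for key in privkey.pem wrong.key; do
    if check_pair fullchain.pem "$key"; then echo "fullchain.pem + $key: key matches certificate"
    else echo "fullchain.pem + $key: MISMATCH, httpd would refuse to start"; fi
done
verify_chain root.pem chain.pem cert.pem && echo "cert.pem + chain.pem: chain verifies"
verify_chain root.pem "" cert.pem || echo "cert.pem alone: incomplete chain"
for name in www.yourdomain.tld yourdomain.tld localhost; do
    if verify_host root.pem chain.pem cert.pem "$name"; then echo "$name: matches SAN"
    else echo "$name: not in certificate"; fi
done
verify_ip root.pem chain.pem cert.pem 108.220.213.121 || echo "108.220.213.121: not in certificate"
```

On the real server, point check_pair at the live fullchain.pem and privkey.pem, then run `apachectl configtest` (or `httpd -t`) before restarting; after the restart, `ss -ltn` should show something bound to :443. The failing hostname and IP cases are the same mismatch a browser reports for 108.220.213.121 or localhost: the fix is to browse by the name in the certificate, not to add the address to it.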


#16

Why on earth would you want to do that anyway?


#17

I think I mentioned being a newbie, so questions out of context are possible…

Still, I have tweaked my way to a grade A on Qualys… (great pointer)

Thx again, jackc…


#18

To expand on Osiris’ comment, you wouldn’t, couldn’t (at least not with LE), and shouldn’t. If you want the green lock, just use the FQDN when you’re browsing to your server. Or ignore the warning, since you know perfectly well which host you’re accessing.