Server certificate problems

JRWatchet · March 15, 2020, 3:44pm

Apologies for delay, been caught up in this virus thing!

I need to get a .crt certificate for localhost.crt as found this is what is used by apache for the server, not the server web name. It also needs ca-bundle.crt and ca-bundle.trust.crt as all called from within the htppd and ssl conf files

Sorry, programmer but a bit naive here

9peppe · March 15, 2020, 4:18pm

No Certificate Authority will give you a certificate for localhost. Replace whatever lines refer to a localhost certificate with those:

(I think your webserver configuration is seriously messed up, though)

mnordhoff · March 16, 2020, 5:32am

If you mean you need files named localhost.crt and so forth, containing a certificate for your real website name:

Why? Can't you modify the Apache configuration?
Can you replace the files with symlinks to the appropriate targets in /etc/letsencrypt/live/? (This might be more complicated if things like Docker or SELinux are involved, but normally it should be easy.)

JRWatchet · March 16, 2020, 11:20am

Thanks for all this, perhaps I need to clarify in one reply. Server is Centos7 running multiple VPS web servers and mailboxes all now set up with SSL. The main httpd.conf file has the server host defined as port 80 and port 443 in a Vhost config file and points to cerets at /etc/letencrypt/live/server.watchet.net

However, entering https://server.watchet.net brings up errors and shows:-

server.watchet.net uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is not valid for the name server.watchet.net. The certificate expired on 11 March 2017 11:42. The current time is 16 March 2020 10:57.

On a search there are 3 certs at /etc/pki/tls/certs where they are “ca-bundle.crt, ca-bundle.trust.crt, localhost.crt” and these are with the same date as mentioned above. There are also some certs at /etc/pki.tls/private including localhost.key

More research shows these are referred to from /etc/httpd/conf.d/ssl.conf where there are entries

Server Certificate:

Point SSLCertificateFile at a PEM encoded certificate. If

the certificate is encrypted, then you will be prompted for a

pass phrase. Note that a kill -HUP will prompt again. A new

certificate can be generated using the genkey(1) command.

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

Server Private Key:

If the key is not combined with the certificate, use this

directive to point at the key file. Keep in mind that if

you’ve both a RSA and a DSA private key you can configure

both in parallel (to also allow the use of DSA ciphers, etc.)

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Server Certificate Chain:

Point SSLCertificateChainFile at a file containing the

concatenation of PEM encoded CA certificates which form the

certificate chain for the server certificate. Alternatively

the referenced file can be the same as SSLCertificateFile

when the CA certificates are directly appended to the server

certificate for convinience.

#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

Certificate Authority (CA):

Set the CA certificate verification path where to find CA

certificates for client authentication or alternatively one

huge file containing all of them (file must be PEM encoded)

#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

Sorry, but although a programmer I can not get my head around what is happening! Yes I can change and test the lines in ssl.conf but not sure what I need to point them to!

Many thanks
John
UK

9peppe · March 16, 2020, 12:06pm

what’s the output of httpd -S ?

JRWatchet · March 16, 2020, 11:59pm

After the list of domains and aliases

*:443 server.watchet.net (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: “/etc/httpd”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/etc/httpd/logs/error_log”
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: “/run/httpd/httpd.pid”
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“apache” id=48
Group: name=“apache” id=48

system · April 15, 2020, 11:59pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.