SSL/TLS Buggerup

etienne_marais

I started off with a self-signed certificate to get the hang of things before installing an issued certificate.

I followed a guide on the web to self-signing, which entailed creating a cert directory in your home directory, which in turn contains an index.txt as well as private and certs subdirectories. I created a self-signed cert. using openssl, and index.txt was updated accordingly (automatically).

Then I created a request file, sent it to domains.co.za and asked them to create a real certificate for me. They later sent the results in an email: ServerCertificate.cer, CACertificate-Intermediate-1.cer, CACertificate-ROOT-2.cer and PKCS7.p7b.

I followed their instructions for apache2, but that only seems to require ServerCertificate.cer as SSLCertificateFile and CACertificate-Intermediate-1.cer as SSLCertificateChainFile.

I have no idea what CACertificate-ROOT-2.cer and PKCS7.p7b are for.

Restarting apache2 has no effect, and when I check my domain with https://www.ssllabs.com/ssltest/analyze.html?d=www.btsza.co.za it insists that it is still self-signed (Issuer btsza.co.za Self-signed) and not trusted.

Can somebody help please? The amount of theory behind all this is beyond me, and I have a feeling I will be stabbing in the dark with Google to get this sorted out.

My end goal is not apache as such, but a different daemon that listens on wss.

On Ubuntu 16.04
 
Did you set up the cert, key and intermediate cert in apache?

Try this guide:
https://www.digicert.com/csr-ssl-installation/apache-openssl.htm

I tried the instructions from domains.co.za for apache2, but I think my problem lies elsewhere; I am currently digging into /etc/ssl/openssl.cnf.

B.t.w., do you know when /etc/ssl is accessed? I am currently having a look at /etc/ssl/openssl.cnf, and there are of course the certs and private subdirectories, but the instructions for apache2 do not seem to require that the certificates/keys are placed there. Is there a daemon of sorts running, or something in the kernel? In particular, how does it know where to check for CA certs?
 
Normally, to maintain the complete SSL chain, you need to combine the root and intermediate certificates into a single file.
You can just copy and paste each one's info into a single file so that the complete chain is recognized.

That will be the SSLCertificateChainFile

You shouldn't need the PKCS7.p7b; it is just everything in a different format.

Then look at your apache logs to see what is not being accepted
 
Thanks a lot, one step closer:

# /var/log/apache2/error.log
[Wed Dec 27 08:18:16.871678 2017] [ssl:emerg] [pid 31920:tid 140672511526784] AH02572: Failed to configure at least one certificate and key for www.btsza.co.za:443
[Wed Dec 27 08:18:16.871743 2017] [ssl:emerg] [pid 31920:tid 140672511526784] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Dec 27 08:18:16.871751 2017] [ssl:emerg] [pid 31920:tid 140672511526784] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Wed Dec 27 08:18:16.871763 2017] [ssl:emerg] [pid 31920:tid 140672511526784] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Wed Dec 27 08:18:16.871767 2017] [ssl:emerg] [pid 31920:tid 140672511526784] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information

The two CA files are now merged as @Gary suggested and I am getting a new error (above) now.

From what I googled, this relates to PKCS7 and Ubuntu not going hand in hand. So I tried to convert to base64 on a Windows platform and upload back to the server again (as per a guide found on Google), but I get the same errors.

The directives in apache are as follows (I reverted back to the original .cer files as opposed to the PKCS7 -> BASE64 converted files, as the PKCS7 had the certificate and CA, but no intermediate certificate).

SSLCertificateFile /etc/ssl/certs/ServerCertificate.cer
SSLCertificateKeyFile /etc/ssl/private/domainscoza.key
SSLCertificateChainFile /etc/ssl/certs/CACertificate-ROOT-2.cer

(domainscoza.key is just poorly named; this is in fact my own private key used during the cert. request.)

where CACertificate-ROOT-2.cer contains the intermediate CA first and then the root CA.

Is it suggested to contact the certificate provider and ask them to re-issue and be sure it is indeed base64?

When I start apache I am prompted for the password for the private key I used during the certificate request creation phase; I take this as a good sign.
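The "PEM_read_bio:no start line" lines in the log above mean OpenSSL's PEM reader found no "-----BEGIN ...-----" block of the kind it was looking for in a file it was handed, so the first thing to check is what each file actually contains (PEM text, binary DER such as a .p7b, or a UTF-16 file produced by a Windows conversion). The script below, an added example that is not from this thread, classifies file bytes and assembles the chain file in the order used here (intermediate first, then root); the file names are the ones from the thread, the byte contents are constructed stand-ins.

```python
"""Classify the files Apache was handed, then build SSLCertificateChainFile.
Added example (not from the thread). All byte samples are constructed stand-ins
for the files named in the thread, not real certificates."""
import base64
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def classify(data: bytes) -> str:
    """Label a cert/key file's bytes: utf16, pem:<labels>, der or unknown."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return "utf16"           # BOM: a Windows editor/tool saved it as UTF-16
    labels = [m.group(1).decode() for m in PEM_BLOCK.finditer(data)]
    if labels:
        return "pem:" + ",".join(labels)
    if data[:1] == b"\x30":
        return "der"             # binary DER (cert or PKCS7): ASN.1 SEQUENCE tag
    if b"\x00" in data[:256]:
        return "utf16"           # NUL bytes in "text": UTF-16 without a BOM
    return "unknown"


def pem_blocks(data: bytes, label: bytes = b"CERTIFICATE") -> list:
    """Each PEM block with the given label, normalised to LF line endings."""
    data = data.replace(b"\r\n", b"\n")
    return [b"-----BEGIN %s-----\n%s-----END %s-----\n" % (label, m.group(2), label)
            for m in PEM_BLOCK.finditer(data) if m.group(1) == label]


def build_chain(intermediate: bytes, root: bytes) -> bytes:
    """Chain file content: intermediate CA first, root CA last, one block each."""
    blocks = pem_blocks(intermediate) + pem_blocks(root)
    if len(blocks) < 2:
        raise ValueError("expected a CERTIFICATE block in each input")
    return b"".join(blocks)


def fake_pem(label: bytes, payload: bytes) -> bytes:
    """Constructed PEM-shaped sample (not a real certificate), CRLF line endings."""
    body = base64.encodebytes(payload).replace(b"\n", b"\r\n")
    return b"-----BEGIN %s-----\r\n%s-----END %s-----\r\n" % (label, body, label)


SAMPLES = {  # constructed stand-ins for the files named in the thread
    "CACertificate-Intermediate-1.cer": fake_pem(b"CERTIFICATE", b"constructed intermediate CA"),
    "CACertificate-ROOT-2.cer": fake_pem(b"CERTIFICATE", b"constructed root CA"),
    "ServerCertificate.cer": fake_pem(b"CERTIFICATE", b"leaf").decode().encode("utf-16"),
    "PKCS7.p7b": b"\x30\x82\x04\x10\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:34} {classify(data)}")
```

Run it against the real files by replacing SAMPLES with `open(path, "rb").read()` for each path; anything that does not come back as `pem:CERTIFICATE` (or `pem:...PRIVATE KEY` for the key file) is something Apache's PEM reader cannot use as-is.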
 
Just wondering, would “let’s encrypt” not be an easier option here?
 
> Just wondering, would “let’s encrypt” not be an easier option here?

Quite possibly, but as I am new to this I was under the (perhaps erroneous) assumption that things would go smoother using a commercial service.
 
Well, I use let’s encrypt for business applications. It’s very easy to set up; maybe check it out: https://letsencrypt.org

Edit: not sure how it would work with your daemon, but I assume you would install the Certbot app to at least install the certs.
 
Looks like you are not using the correct format for the keys. No matter which CA you use it should be a simple process.

Also make sure you are using the keys in the correct place, i.e. not swapping the private/server/inter certs around.
 
> Looks like you are not using the correct format for the keys. No matter which CA you use it should be a simple process.
>
> Also make sure you are using the keys in the correct place, i.e. not swapping the private/server/inter certs around.

Problem was a conflicting vhost setup - same vhost in two files, and in one of them there were no SSL cert file directives.
 
> My end goal is not apache as such, but a different daemon that listens on wss.

Although tangential to your issue, you could proxy via nginx to your wss daemon. I found it much easier to set up and maintain nginx than apache, especially so when proxying to wss. Admittedly, this was apache 2.2, where mod_proxy_wstunnel was not included out of the box... plus I had issues with the 2.4 version at the time, which couldn't upgrade cleanly to pure websocket transport. This was a couple of years ago, so there should have been advances as far as apache's concerned.
 
> Well, I use let’s encrypt for business applications. It’s very easy to set up; maybe check it out: https://letsencrypt.org
>
> Edit: not sure how it would work with your daemon, but I assume you would install the Certbot app to at least install the certs.

His wss server will have to serve some static files at the least, so he could alias the .well-known directory, thereby allowing letsencrypt certificate updates.
 
In the past I followed the guide below: 3 simple steps and it was installed, and I had a valid SSL certificate configured with apache using certbot, the Letsencrypt client.

https://www.digitalocean.com/commun...ure-apache-with-let-s-encrypt-on-ubuntu-16-04
I however have an idea you have already messed with the standard config :D so the above might give some hassles. If not, thank me later. Digital Ocean guides are awesome by the way.
 
I have a secondary server that needed SSL as well. I made use of a let's encrypt type of proxy which bypasses the need to install certbot, and in my case I don't want that, nor any webserver running. The downside of using this approach is that you need a port open for the mentioned proxy, but that is hopefully of minimal concern.
 