Migrate SSL Certificate Apache

Hi guys, I need to migrate an SSL certificate sitting on a web server that is running a CPANEL back end. I have access to a private key, a CSR and the certificate.

I have tried to follow several online "guides" but it is still not working.

For the virtualhost setup in apache I currently have:

<VirtualHost *:443>
    ServerAdmin dean@xyznetworks.net.au
    DocumentRoot /var/www/html/xxx
    ServerName www.xxx.com.au 
    SSLEngine On
    SSLCertificateFile /root/downloads/ssl/xxx.crt
    SSLCertificateKeyFile /root/downloads/ssl/server.key
#  SSLCertificateChainFile /root/downloads/intermediate.crt
    ErrorLog logs/xxx-error_log
    CustomLog logs/xxx-access_log common
    Redirect / https://www.fastgear.com.au
</VirtualHost>

Is there something I am currently missing here? Lynx from the command line returns an HTTP 303, and obviously the site never displays.

Thanks

Asked by: xyznetworks

1 Solution

Papertrip commented:
Your SSL options look correct.  I wonder if the Redirect for / is causing issues...

What does 'apachectl configtest' show?  Anything in the httpd and/or ssl and/or vhost logs?  What is the exact error from lynx?  Do you have a default ssl.conf that has more options set, or is that the only reference to ssl in any Apache configs?

Personally for testing SSL certs I use the following syntax, although Lynx might be sufficient as well.
openssl s_client -connect www.xxx.com.au:443

xyznetworks (Author) commented:
Thanks for the response.

[root@www ~]# apachectl configtest
Syntax OK

I tried the openssl command you suggested and got this:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at xxx2.fastgear.com.au Port 443</address>
</body></html>
closed

An interesting point here is that the xxx2 address above is not the same as the live site address. Could this be causing an issue? When I import/migrate the relevant items how does that process identify or assign that hostname?

The redirect made no difference

xyznetworks (Author) commented:
And some late news, if I try and access xxx2, it all works. When I migrated the certificate the hostname was xxx2, and it has since been changed to xxx

Know how I rectify this issue?

Papertrip commented:
Need to see error_log excerpts from when you do your testing.

Also, if you remove the SSL options and set that vhost to port 80, are you able to access it as expected?

xyznetworks (Author) commented:
Error log only shows:

[Mon Oct 24 03:21:47 2011] [notice] caught SIGTERM, shutting down
[Mon Oct 24 03:21:47 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Oct 24 03:21:47 2011] [notice] Digest: generating secret for digest authentication ...
[Mon Oct 24 03:21:47 2011] [notice] Digest: done
[Mon Oct 24 03:21:47 2011] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
[Mon Oct 24 03:22:37 2011] [notice] caught SIGTERM, shutting down
[Mon Oct 24 03:22:37 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Oct 24 03:22:37 2011] [notice] Digest: generating secret for digest authentication ...
[Mon Oct 24 03:22:37 2011] [notice] Digest: done
[Mon Oct 24 03:22:37 2011] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
[Mon Oct 24 07:37:56 2011] [notice] caught SIGTERM, shutting down
[Mon Oct 24 07:37:56 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Oct 24 07:37:57 2011] [notice] Digest: generating secret for digest authentication ...
[Mon Oct 24 07:37:57 2011] [notice] Digest: done
[Mon Oct 24 07:37:57 2011] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations

This is the server log, not the site log. The site log only shows missing html files, nothing related to this issue.

Turning off port 443 works - I can access the site

Papertrip commented:
We would need to see excerpts from ErrorLog logs/xxx-error_log as opposed to the server log.  You are absolutely certain there is nothing in the error_log during the time you are doing the testing, even if it's not strictly SSL related?

Let's leave the Redirect commented out for the sake of simplicity during troubleshooting.

Is the CN value for your imported cert www.xxx.com.au ?

Silly question but, are you sure the files you are pointing to are of the right sort?  ie:  are you sure /root/downloads/ssl/xxx.crt is the certificate and not something else?

Also, curious what may happen if you put the cert/key someplace other than ~root ?  For testing sake, I would copy those files to something like /etc/httpd/ssl-test, or someplace under your ServerRoot -- granted this is not required, but we need to start "simple" and eliminate possibilities.

Here is an excerpt from my httpd.conf for your reference
<VirtualHost 20x.1x5.x69.21x:443>
     ServerName mail.domain.com
     ServerAdmin webmaster@domain.com
     DocumentRoot /usr/share/roundcubemail
     SSLEngine on
     SSLProtocol all -SSLv2
     SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
     SSLCertificateFile /etc/pki/tls/certs/localhost.crt
     SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>

If any other expert is seeing something that I am not, please speak up!
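One way to settle the "right sort of file" question above without guessing, as an added example (not code from the thread, from cPanel or from Apache): a small Python check that reads the PEM envelopes ("-----BEGIN ...-----") in each file and compares what it finds with what the directive expects. The directive names are Apache's own; the sample PEM bodies are constructed from arbitrary bytes and are not real keys or certificates.

```python
"""What is actually in the files an SSL vhost points at?

Added example. Confirms that SSLCertificateFile really holds a certificate and
SSLCertificateKeyFile really holds a private key by inspecting PEM envelopes.
Sample PEM bodies are constructed test data, not real keys or certificates.
"""
import base64
import binascii
import re
from typing import Dict, List, Tuple

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}

# What each directive should contain. Apache 2.2 (the version in this thread) wants the
# leaf certificate in SSLCertificateFile and intermediates in SSLCertificateChainFile;
# from 2.4.8 on the intermediates may also be appended to SSLCertificateFile.
EXPECTED = {
    "SSLCertificateFile": {"certificate", "certificate-chain"},
    "SSLCertificateKeyFile": {"private-key"},
    "SSLCertificateChainFile": {"certificate", "certificate-chain"},
}


def pem_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for every PEM block; raise ValueError on corrupt base64."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), re.sub(r"\s+", "", match.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label} block is not valid base64: {exc}") from exc
        blocks.append((label, der))
    return blocks


def classify(text: str) -> str:
    """Summarise a PEM file as 'certificate', 'certificate-chain', 'private-key', 'csr',
    'mixed', 'empty' or 'unknown:<LABEL>'."""
    labels = [label for label, _ in pem_blocks(text)]
    if not labels:
        return "empty"
    kinds = set()
    for label in labels:
        if label in CERT_LABELS:
            kinds.add("certificate")
        elif label in KEY_LABELS:
            kinds.add("private-key")
        elif label in CSR_LABELS:
            kinds.add("csr")
        else:
            kinds.add("unknown:" + label)
    if len(kinds) > 1:
        return "mixed"  # e.g. key and certificate pasted into one file
    kind = kinds.pop()
    if kind == "certificate" and len(labels) > 1:
        return "certificate-chain"
    return kind


def check_vhost_files(files: Dict[str, str]) -> List[str]:
    """Given {directive: file contents}, list every directive whose file holds the wrong object."""
    problems = []
    for directive, text in files.items():
        try:
            kind = classify(text)
        except ValueError as exc:
            problems.append(f"{directive}: {exc}")
            continue
        if kind not in EXPECTED.get(directive, {kind}):
            problems.append(f"{directive}: expected {sorted(EXPECTED[directive])}, file contains {kind}")
    return problems


def constructed_pem(label: str, payload: bytes = bytes(range(48))) -> str:
    """Wrap arbitrary bytes in a syntactically valid PEM block (constructed test data only)."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


if __name__ == "__main__":
    # The layout from the thread: one file holding the key, one holding the certificate.
    good = {"SSLCertificateFile": constructed_pem("CERTIFICATE"),
            "SSLCertificateKeyFile": constructed_pem("RSA PRIVATE KEY")}
    print(check_vhost_files(good))  # []
    # Files swapped, plus a chain file that is really a CSR.
    swapped = {"SSLCertificateFile": constructed_pem("RSA PRIVATE KEY"),
               "SSLCertificateKeyFile": constructed_pem("CERTIFICATE"),
               "SSLCertificateChainFile": constructed_pem("CERTIFICATE REQUEST")}
    for line in check_vhost_files(swapped):
        print(line)
```

To use it on a real server, read each file named in the vhost into the dictionary (for example `{"SSLCertificateFile": open("/etc/ssl/xxx/xxx.crt").read()}`) and print the returned list; an empty list means every directive points at the kind of object it expects. The check only looks at the PEM envelope, so it catches swapped or mislabelled files but does not verify that the key actually belongs to the certificate.
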

xyznetworks (Author) commented:
I have changed the location of the files to /etc/ssl/xxx/crt for each of the files.

I have 2 files:

localhost.key - this is the private key file
intermediate.crt - this is the certificate

I note that when the site loads I get a certificate error and it tells me that the certificate is issued to mx01.domain.com and issued by mx01.domain.com

I think this is a problem. If I simply copy these from another site, how do I ensure the above error does not persist?

There are no SSL errors in the error_log

Papertrip commented:
I note that when the site loads I get a certificate error and it tells me that the certificate is issued to mx01.domain.com and issued by mx01.domain.com
Wait so the site does respond?  In your original question you said that it did not.

The CN value in the certificate needs to match the hostname of the site/service you are using it for.  You will need to generate a new certificate for the name of the site you are trying to secure, or look into wildcard/SAN certs.

http://www.digicert.com/subject-alternative-name.htm
http://help.godaddy.com/article/567
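The name-matching rule Papertrip describes (CN must match the hostname, or use a SAN/wildcard certificate) can be checked offline, as an added example that is not part of the thread and not a library's own code. It implements the RFC 6125 matching rules on names you supply by hand, such as the subject CN and the subjectAltName dNSName entries that `openssl x509 -noout -text` prints. The hostnames below are the constructed scenario from this thread: a certificate issued to mx01.domain.com reused for www.xxx.com.au.

```python
"""Does a certificate's name cover the hostname Apache serves?

Added example implementing RFC 6125 name matching on hand-supplied names.
Hostnames in the demonstration are constructed from this thread's scenario.
"""
from typing import Iterable, Optional, Tuple


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if a DNS name from the certificate (possibly '*.example.com') covers hostname.

    Rules (RFC 6125 section 6.4.3): case-insensitive, trailing dot ignored, the wildcard
    must be the entire leftmost label, it matches exactly one label (never across a dot),
    and at least two labels must follow it, so "*.com" is rejected. Public-suffix rules
    (which would also reject "*.com.au") are out of scope here.
    """
    p_labels = pattern.rstrip(".").lower().split(".")
    h_labels = hostname.rstrip(".").lower().split(".")
    if "" in p_labels or "" in h_labels:  # empty name or empty label
        return False
    if len(p_labels) != len(h_labels):
        return False
    first, rest = p_labels[0], p_labels[1:]
    if first == "*":
        return len(rest) >= 2 and rest == h_labels[1:]
    if "*" in first:
        return False  # partial wildcards such as "w*.xxx.com.au" are not accepted
    return p_labels == h_labels


def certificate_covers_host(hostname: str, san_dns_names: Iterable[str],
                            subject_cn: Optional[str]) -> Tuple[bool, str]:
    """Return (covered, reason).

    subjectAltName dNSName entries are authoritative; the subject CN is consulted only
    when the certificate carries no dNSName entry at all (RFC 6125 section 6.4.4).
    Browsers behave the same way (Chrome ignores the CN altogether), so a certificate
    whose SAN omits the site name fails even if the CN carries it.
    """
    san = list(san_dns_names)
    if san:
        for name in san:
            if dns_name_matches(name, hostname):
                return True, f"{hostname} matched subjectAltName dNSName {name}"
        return False, f"no subjectAltName dNSName matches {hostname}; CN is ignored when a SAN is present"
    if subject_cn and dns_name_matches(subject_cn, hostname):
        return True, f"{hostname} matched subject CN {subject_cn} (certificate has no SAN)"
    return False, f"subject CN {subject_cn!r} does not match {hostname} and the certificate has no SAN"


if __name__ == "__main__":
    # Constructed scenario from the thread: a mail-server certificate reused for a web vhost.
    site = "www.xxx.com.au"
    print(certificate_covers_host(site, [], "mx01.domain.com"))  # (False, ...)
    # Three ways to fix it: a certificate for the site name, a SAN cert listing every name, or a wildcard.
    print(certificate_covers_host(site, [], "www.xxx.com.au"))  # (True, ...)
    print(certificate_covers_host(site, ["mx01.domain.com", "www.xxx.com.au"], "mx01.domain.com"))  # (True, ...)
    print(certificate_covers_host(site, ["*.xxx.com.au"], None))  # (True, ...)
    # A wildcard does not cover the bare domain, so the apex needs its own SAN entry.
    print(certificate_covers_host("xxx.com.au", ["*.xxx.com.au"], None))  # (False, ...)
```

The last case is the one that usually bites after a migration: `*.xxx.com.au` covers `www.xxx.com.au` but not `xxx.com.au`, so a SAN certificate listing both names (and the mail hostname, if that server must keep its name) is the cleanest replacement for the self-signed certificate in this thread.
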

xyznetworks (Author) commented:
Yes, the site does display now, but with cert errors...I changed a few things, namely removal of the intermediate line in the config. So thanks for your help with all of this. I will now try and generate a new CN and see what happens.