Nearly every week during the past few years has featured a headline about the latest data breach, malware attack, ransomware demand, or unrecoverable corporate data loss. Those stories are frequently followed by news that the CEOs at those companies were forced to resign.
Problem with SSL Sites Certification
Hello,
I am installing SSL Certification on my Linux Centos Server. And I am trying the first Domains. It is almost working. But I have one strange problem. If I use a URL to the Site root (www) it comes as Secure. But if I use a URL to any internal directory it comes as Unsecure, depending on using www or a slash at the end.
Please try it in your Chrome Browser, but, clear its Cache memory between the tests. I have added SSL to 2 of our Sites:
segurosagro.com.br
multisites.com.br
And I created a simple directory called testredirect which has just an index.html file with an image.
1) segurosagro.com.br/testred
It comes as Unsecure.
2) segurosagro.com.br/testred
It works, and comes as Secure.
3) www.segurosagro.com.br/testredirect
It also works, and comes as Secure.
In the same way:
1) multisites.com.br/testredi
It comes as Unsecure.
2) multisites.com.br/testredi
It works, and comes as Secure.
3) www.multisites.com.br/testredirect
It also works, and comes as Secure.
My actual httpd.conf <virtualhosts> entries for segurosagro.com.br and multisites.com.br are as below. You will see that they are slightly different. This is due to tests I was doing trying to solve the problem:
#-------------------------
# multisites.com.br
#-------------------------
<virtualhost 66.226.75.86:80>
ServerAdmin webmaster@multisitesdomini
ServerName www.multisites.com.br
ServerAlias multisites.com.br
ServerAlias www.multisites.net.br
DocumentRoot /var/www/html/multisites/w
ScriptAlias /cgi-bin/ /var/www/html/multisites/w
<Directory "/var/www/html/multisites/
Options ExecCGI Includes
AllowOverride None
</Directory>
ErrorLog logs/multisites-error-log
TransferLog logs/multisites-access-log
#
#Redirection to https
#
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI
</virtualhost>
#-------------------------
# segurosagro.com.br
#-------------------------
<virtualhost 66.226.75.86:80>
ServerAdmin webmaster@multisitesdomini
ServerName www.segurosagro.com.br
ServerAlias segurosagro.com.br
DocumentRoot /home/segurosagro/www
ScriptAlias /cgi-bin/ /home/segurosagro/www/cgi-
<Directory "/home/segurosagro/www/cgi
Options ExecCGI Includes
AllowOverride None
</Directory>
TransferLog logs/segurosagro-access-lo
#
#Redirection to https
#
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI
</virtualhost>
Thanks for any help.
I am installing SSL Certification on my Linux Centos Server. And I am trying the first Domains. It is almost working. But I have one strange problem. If I use a URL to the Site root (www) it comes as Secure. But if I use a URL to any internal directory it comes as Unsecure, depending on using www or a slash at the end.
Please try it in your Chrome Browser, but, clear its Cache memory between the tests. I have added SSL to 2 of our Sites:
segurosagro.com.br
multisites.com.br
And I created a simple directory called testredirect which has just an index.html file with an image.
1) segurosagro.com.br/testred
It comes as Unsecure.
2) segurosagro.com.br/testred
It works, and comes as Secure.
3) www.segurosagro.com.br/testredirect
It also works, and comes as Secure.
In the same way:
1) multisites.com.br/testredi
It comes as Unsecure.
2) multisites.com.br/testredi
It works, and comes as Secure.
3) www.multisites.com.br/testredirect
It also works, and comes as Secure.
My actual httpd.conf <virtualhosts> entries for segurosagro.com.br and multisites.com.br are as below. You will see that they are slightly different. This is due to tests I was doing trying to solve the problem:
#-------------------------
# multisites.com.br
#-------------------------
<virtualhost 66.226.75.86:80>
ServerAdmin webmaster@multisitesdomini
ServerName www.multisites.com.br
ServerAlias multisites.com.br
ServerAlias www.multisites.net.br
DocumentRoot /var/www/html/multisites/w
ScriptAlias /cgi-bin/ /var/www/html/multisites/w
<Directory "/var/www/html/multisites/
Options ExecCGI Includes
AllowOverride None
</Directory>
ErrorLog logs/multisites-error-log
TransferLog logs/multisites-access-log
#
#Redirection to https
#
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI
</virtualhost>
#-------------------------
# segurosagro.com.br
#-------------------------
<virtualhost 66.226.75.86:80>
ServerAdmin webmaster@multisitesdomini
ServerName www.segurosagro.com.br
ServerAlias segurosagro.com.br
DocumentRoot /home/segurosagro/www
ScriptAlias /cgi-bin/ /home/segurosagro/www/cgi-
<Directory "/home/segurosagro/www/cgi
Options ExecCGI Includes
AllowOverride None
</Directory>
TransferLog logs/segurosagro-access-lo
#
#Redirection to https
#
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI
</virtualhost>
Thanks for any help.
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
You really should follow David's suggestion above, this will be the easiest and safest path to what you want to achieve
- Make and move a backup copy of your files *.conf currently inside /etc/apache2/sites-availab
- restore your *.conf to the no https and no rewrite status, do the same to *ssl*.conf
- update /sites-enabled/ so that they have only your standard non https sites
------- now you are in a state similar to your initial state
check that with
apachectl configtest
which sould say OK without an other text
Go to David's link and select the right version
Now install and run the srcipts provided (I would suggest to place them into /root/letsencrypt/)
The prgramm will
- look at all your active sites
- ask you to get certificate for all or a selected subset of these sites
- ask you if you want to place an automatic redirect
And voilà, it's done
.. almost...: you need to activate and autmatic renewal of the certificate, since it ids frre but valid 3 months only.
my cron job for this is
21 13 * * 3 /root/letsencrypt/certbot-
(day 3 in the week, each week,,at 13:12).
(since it uses very few resources, doing that weekly is not a real waste)
- Make and move a backup copy of your files *.conf currently inside /etc/apache2/sites-availab
- restore your *.conf to the no https and no rewrite status, do the same to *ssl*.conf
- update /sites-enabled/ so that they have only your standard non https sites
------- now you are in a state similar to your initial state
check that with
apachectl configtest
which sould say OK without an other text
Go to David's link and select the right version
Now install and run the srcipts provided (I would suggest to place them into /root/letsencrypt/)
The prgramm will
- look at all your active sites
- ask you to get certificate for all or a selected subset of these sites
- ask you if you want to place an automatic redirect
And voilà, it's done
.. almost...: you need to activate and autmatic renewal of the certificate, since it ids frre but valid 3 months only.
my cron job for this is
21 13 * * 3 /root/letsencrypt/certbot-
(day 3 in the week, each week,,at 13:12).
(since it uses very few resources, doing that weekly is not a real waste)
To clarify a bit more David Favor's answer: add aliases to the DNS name. Technically, add an subjectAltName field.
Here's an example of how I generate/manage certs...
So first you generate a cert.
Then you have to manage cert auto renewal + when renewals occur, restart all services which require pulling in the new cert.
So first you generate a cert.
Then you have to manage cert auto renewal + when renewals occur, restart all services which require pulling in the new cert.
# First time generation.
# I use /var/www/html or DNS verification, because certbot-auto randomly seems to break using other directories
certbot-auto certonly --no-self-upgrade --non-interactive --rsa-key-size 4096 --email david\@davidfavor.com --agree-tos --webroot -w /var/www/html -d segurosagro.com.br -d www.segurosagro.com.br
# CRON job for - Auto renew + Auto reingest cert when auto renew occurs...
0 */1 * * * (echo '#####' && date && certbot-auto renew --non-interactive --post-hook "service apache2 reload; service dovecot reload") >> /var/log/ssl-renewals.log 2>&1
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
The last version of certbot handles restarting Apache when needed
The problem you mention with certbot-auto might come from a slight versions difference between the "standard" version (ie the one you get with ap-get install). Downloading the script and using it does not have those problem and the srcipt updates itself (if needed) before renewing yhe certs
The problem you mention with certbot-auto might come from a slight versions difference between the "standard" version (ie the one you get with ap-get install). Downloading the script and using it does not have those problem and the srcipt updates itself (if needed) before renewing yhe certs
The link I would recommend is
https://certbot.eff.org/docs/install.html
and more precisely installing and using certbot-auto a s detailed at
https://certbot.eff.org/docs/install.html#certbot-auto
This is really a no-brainer!
https://certbot.eff.org/docs/install.html
and more precisely installing and using certbot-auto a s detailed at
https://certbot.eff.org/docs/install.html#certbot-auto
This is really a no-brainer!
Hi, guys, I thank you a lot for all the suggestions and comments. I have submitted everything to my technician, and I will tell you later how the things have gone.
Mário Lima./
Mário Lima./
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - Excel 2016 Part … 129 lessons
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
Fix your SSL cert.
Your current cert....
1) Correctly provides www.segurosagro.com.br coverage.
2) Incorrectly provides segurosagro.com.br coverage.
Your cert should cover both segurosagro.com.br + www.segurosagro.com.br or all manner of strange problems will arise.
Use free https://LetsEncrypt.org to simplify your life.