I have a Windows Server VM, running Server 2019, on a company network, and it is to be used as a web server with Apache. I have got a copy of Apache 2.4 installed on it and it serves http pages just fine, but I am trying to set up SSL for https connections.
I have been talked through using the MMC to add the Certificates snap-in, then using this to generate a request (this is AKA the key file, I think?), and sent this file to the necessary admin in the business to provide me with a certificate so that users' browsers display a green address bar when visiting the site via https on the company intranet.
They sent me back the following files:
certnew.cer
certnew.p7b
intermediate.cer
root.cer
I then did a lot of googling and found various guides about how to use these files, and I have come to the following conclusions (please correct if wrong):
Cer files and crt files are the same thing. They can have some kind of different encoding in the contents, but you generally use a .cer file in the same place(s) you could use a .crt file, so if Apache instructions are mentioning one, I can probably use the other and just rename the file extension.
The file I sent off was the private key file that I will need to use in the SSL configuration.
There was some kind of change between Apache 2.4 and earlier versions, so I should be careful when looking at guides about SSL to ensure it's correct for 2.4 versions.
I need to enable SSL in the main http config file and add the details for my certificate files and server into the httpd-ssl.conf file
The relevant part of that file currently looks like this:
<VirtualHost *:443>
# General setup for the virtual host
DocumentRoot "${SRVROOT}/htdocs"
ServerName <servername>
ServerAdmin <internal email>
ErrorLog "${SRVROOT}/logs/error.log"
TransferLog "${SRVROOT}/logs/access.log"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
SSLCertificateFile "${SRVROOT}/conf/primary.crt"
#SSLCertificateFile "${SRVROOT}/conf/server-dsa.crt"
#SSLCertificateFile "${SRVROOT}/conf/server-ecc.crt"
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "${SRVROOT}/conf/private.key"
#SSLCertificateKeyFile "${SRVROOT}/conf/server-dsa.key"
#SSLCertificateKeyFile "${SRVROOT}/conf/server-ecc.key"
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile "${SRVROOT}/conf/certificate.crt"
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath "${SRVROOT}/conf/root.cer"
SSLCACertificateFile "${SRVROOT}/conf/root.cer"
So I took a copy of the files I had been sent, as well as my key file I sent to them, and renamed them as above so they are referenced in the ssl config file.
When I try to start the Apache service, it fails with a generic error if I enable SSL in the main http file (but still works fine when I comment out the SSL in the main conf file). So I then tried to launch the httpd.exe file from a command prompt to get a more helpful error, and after running the file with no error response, I checked the error logs, and the following lines of errors are shown for my most recent attempt:
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file D:/Apache24/conf/private.key)
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] AH02311: Fatal error initialising mod_ssl, exiting. See D:/Apache24/logs/error.log for more information
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] AH02564: Failed to configure encrypted (?) private key <servername>:443:0, check D:/Apache24/conf/private.key
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSAPrivateKey)
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:04093004:rsa routines:old_rsa_priv_decode:RSA lib
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Sun Oct 30 15:06:02.661255 2022] [ssl:emerg] [pid 3484:tid 512] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
AH00016: Configuration Failed
I don't really know what any of that means, but I'm guessing it's telling me there is something wrong with my private key file, but I have no idea how to tell what is wrong or how to fix it. I have checked that the modules for ssl are enabled in the main Apache conf file.
Can anyone provide any guidance?
Thanks.
Meta: this Q is not programming or development and is arguably multiple questions, but this semi-A is much too long for comments. I will delete (or agree to a mod deleting) if needed.
request ... is AKA the key file I think?
Absolutely not, and I think this is most of your problem. The whole security of 'public-key' cryptography, also called 'asymmetric', is based on you not ever sending, giving, or otherwise providing your private key to anyone else.
The 'request' is a CSR and is basically temporary; once the certificate is issued the CSR is no longer needed or used. If you want to be tidy, you could delete it.
users browsers display a green address bar
The green bar was only for Extended Validation (EV) certificates, which from real public CAs cost quite a bit of money. It's possible your company has tweaked all the PCs (or all the relevant ones) to accept an internal or ad-hoc CA as valid for EV, but I don't see why they'd bother, as browsers dropped the green bar several years ago. What you get now is a padlock on the URL/address bar for HTTPS with any valid certificate (regardless of validation class), and for an invalid certificate you get either a warning/error icon modifying or replacing the padlock and/or a complete warning/error page.
Cer files and crt files are the same thing ... I can probably ... just rename the file extension.
Kind of. There are two main encodings used for a (single) certificate in a file and some other places: DER also called binary, and PEM also (and incorrectly) called by Microsoft base64. People variously use both extensions .cer .crt (and sometimes others as well) for both formats. Much software can use both, but httpd can only use PEM -- in a file with any name or extension, even FeeblyGorp.snork if that's what you want.
However, an HTTPS server actually needs (in addition to the privatekey) not just a certificate but a chain consisting of several (almost always at least 2, and usually 3 or 4) certificates. There is more variation in handling such a chain. The simpler way is just to take the certificates and concatenate them. Another way that developed in the past and is still used is a particular type of PKCS7 message which conventionally has the extension .p7b or .p7c (although again most programs can handle any name, in spite of Microsoft persistently trying to make you believe a filename's extension somehow controls the content, which it does not and never did). Apache supports only the plain-sequence in PEM method, not the PKCS7 method.
The file I sent off [the CSR] was the private key file
No. See above.
There was some kind of change between Apache 2.4 and earlier versions, so I should be careful when looking at guides about SSL to ensure it's correct for 2.4 versions.
There are changes not just between the 2.2 and 2.4 'families', but between point releases within 2.4. Search the documentation for "version 2.4." to see. If you try to use something that is newer than the version you are running it will almost certainly give an error message, but if you use an older feature it will still work on newer versions with very rare exceptions.
I need to enable SSL in the main http config file and add the details for my certificate files and server into the httpd-ssl.conf file
Not really. httpd reads one config file initially, and if that file contains one or more <Include> directives referring to other files it reads them also; I expect that is what you mean by 'enable SSL in the main config file' -- you're not enabling SSL as such, you're using a file that happens to provide SSL configuration. httpd can handle all the config in one file just fine, but people often find it more convenient to put logical 'pieces' such as different vhosts, or in your case the SSL config, in separate files that can be named to reflect each one's contents. In short, you must add the SSL related config, but you aren't required to put it in a separate file with a specific name.
So, net, your problem is that you need the privatekey in a file usable by httpd, meaning one of a few PEM formats. When you create a certificate request with MMC/cert it stores the privatekey within the Windows certificate store in a hidden location; normally when you get the resulting cert from the CA you load it into the same store with MMC and it is matched up with the hidden privatekey so that Windows-specific programs like IIS can use both of them together. Once you do that it may be possible to export the privatekey with the cert as a PFX/PKCS12 file, which httpd cannot use directly but which can be converted to suitable PEM file(s) using OpenSSL if you have or get that. However, if the key is marked unexportable, you're out of luck.
The usual (and simple) way to get a cert for httpd is OpenSSL: it can create the privatekey in a PEM file and the CSR, and when you get back the cert (and chain) you just combine them with the privatekey you already have.
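As an added example (not code from the question or the answer), here is a small Python checker that inspects the PEM envelope of each file the CA returned, says which httpd directive it could feed, and reproduces the key-file check that the asker's configuration failed; the file contents are constructed stand-ins and the directive mapping is this example's own summary.

```python
"""Sort out the files a Windows CA hands back (certnew.cer, certnew.p7b,
root.cer ...) and report what httpd's mod_ssl can do with each one.

Added example, not code from the question or the answer above. Only the PEM
envelope and the outer ASN.1 tag are inspected; nothing is parsed in depth."""
import base64
import re

# PEM label -> how mod_ssl can use it (a summary written for this example)
PEM_ROLES = {
    "CERTIFICATE": "X.509 cert: SSLCertificateFile, or one member of the chain",
    "CERTIFICATE REQUEST": "CSR: for the CA only, it is NOT a private key",
    "NEW CERTIFICATE REQUEST": "CSR (older label): for the CA only, NOT a private key",
    "PKCS7": "PKCS#7 bundle (.p7b): httpd cannot load it, extract the certs first",
    "PRIVATE KEY": "PKCS#8 key: SSLCertificateKeyFile",
    "RSA PRIVATE KEY": "PKCS#1 RSA key: SSLCertificateKeyFile",
    "EC PRIVATE KEY": "EC key: SSLCertificateKeyFile",
    "ENCRYPTED PRIVATE KEY": "passphrase-protected key: AH02577 on Win32 with the builtin dialog",
}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def classify(data):
    """(label, role) for every PEM block in data, or one entry for DER/unknown input."""
    found = []
    for label, body in PEM_BLOCK.findall(data):
        name = label.decode()
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            found.append((name, "PEM block with a corrupt base64 body"))
            continue
        if not der.startswith(b"\x30"):   # every cert, CSR, key or PKCS#7 is an ASN.1 SEQUENCE
            found.append((name, "PEM block whose payload is not an ASN.1 SEQUENCE"))
            continue
        found.append((name, PEM_ROLES.get(name, "unknown PEM label, httpd will not use it")))
    if found:
        return found
    if data.startswith(b"\x30"):
        return [("DER", "binary DER object: convert to PEM (openssl ... -inform DER) before httpd can use it")]
    return [("UNKNOWN", "neither PEM nor DER")]


def check_key_file(data):
    """Would SSLCertificateKeyFile accept this? A CSR or cert here gives the asker's 'wrong tag' errors."""
    labels = [label for label, _ in classify(data)]
    if any(label in KEY_LABELS for label in labels):
        return True, "unencrypted PEM private key present"
    if "ENCRYPTED PRIVATE KEY" in labels:
        return False, "key is passphrase protected; the builtin passphrase dialog is unsupported on Win32"
    return False, "no private key in file (found: %s); expect ASN.1 'wrong tag' errors" % ", ".join(labels)


def build_chain(*pem_files):
    """Concatenate CERTIFICATE blocks (server cert first, then intermediates) for SSLCertificateChainFile."""
    out = []
    for data in pem_files:
        for label, body in PEM_BLOCK.findall(data):
            if label != b"CERTIFICATE":
                raise ValueError("chain may only contain CERTIFICATE blocks, got %s" % label.decode())
            out.append(b"-----BEGIN CERTIFICATE-----\n" + body.strip() + b"\n-----END CERTIFICATE-----\n")
    if not out:
        raise ValueError("no certificates found")
    return b"".join(out)


def pem(label, der):
    """Wrap DER bytes in a PEM envelope (used for the constructed samples below)."""
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label.encode(), base64.b64encode(der), label.encode())


# Constructed stand-ins: a bare SEQUENCE { INTEGER 0 }, not real certificates or keys.
DUMMY_DER = b"\x30\x03\x02\x01\x00"
SAMPLE_CSR = pem("NEW CERTIFICATE REQUEST", DUMMY_DER)   # what the asker sent to the CA
SAMPLE_CERT = pem("CERTIFICATE", DUMMY_DER)              # certnew.cer once exported as Base64/PEM
SAMPLE_KEY = pem("RSA PRIVATE KEY", DUMMY_DER)           # what SSLCertificateKeyFile needs
```

Running `check_key_file` over the file the asker renamed to private.key (a CSR) returns the same diagnosis the error log gives: no key, so the ASN.1 decoder sees the wrong tag.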
Related
I'm on a workstation that doesn't have a FQDN. I'm developing in Ruby and using the mail gem. I host my own mail server on the LAN. I want to forward outgoing emails to this server, off to a gmail recipient (example).
Due to the fact I'm on my workstation (localhost), it not being recognized as part of one of my LAN domains (I have a static IP), it isn't being recognized by Postfix (from my mail server log):
Mar 25 08:44:30 machine.mydomain1.com postfix/smtpd[9653]: sacl_check: mbr_user_name_to_uuid(mygmail#gmail.com) failed: No such file or directory
Mar 25 08:44:30 machine.mydomain1.com postfix/cleanup[9657]: sacl_check: mbr_user_name_to_uuid(mygmail#gmail.com) failed: No such file or directory
Mar 25 08:44:30 machine.mydomain1.com postfix/smtp[9658]: 92946D63CD4: to=<mygmail#gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.14, delays=0.01/0.01/0/0.11, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as AE8ECD63CDA)
Mar 25 08:44:31 machine.mydomain1.com postfix/smtp[9661]: AE8ECD63CDA: to=<mygmail#gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.195.26]:25, delay=0.52, delays=0/0.01/0.34/0.16, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[173.194.195.26] said: 550-5.7.1 [206.248.184.17 11] Our system has detected that this message is 550-5.7.1 not RFC 5322 compliant: 550-5.7.1 'From' header is missing. 550-5.7.1 To reduce the amount of spam sent to Gmail, this message has been 550-5.7.1 blocked. Please visit 550-5.7.1 https://support.google.com/mail/?p=RfcMessageNonCompliant 550 5.7.1 and review RFC 5322 specifications for more information. a2si7453997iog.10 - gsmtp (in reply to end of DATA command))
Mar 25 08:56:42 machine.mydomain1.com postfix/smtpd[9764]: NOQUEUE: reject: RCPT from unknown[192.168.1.4]: 554 5.7.1 <mygmail#gmail.com>: Relay access denied; from=<alpha#mydomain3.ca> to=<mygmail#gmail.com> proto=ESMTP helo=<mydomain3.ca>
I can use the mail gem properly on another box that has a FQDN just fine. I just can't seem to get it to work on my workstation. As it states in the mail server log:
'From' header is missing. 550-5.7.1 To reduce the amount of spam sent to Gmail, this message has been 550-5.7.1 blocked.
I'm assuming this is the machine name from, and not the email sender from. How can I tell the mail server that I'm not localhost? I've messed with the relay and other directives in postfix to no avail. So I'm trying to modify the Ruby syntax to make the server recognize me.
Any insight appreciated as to how I can get this to work. It's my development box and it's working on my production server, but I'd like to have it working on my dev box.
Adding the following fixed it, a config item for the gem:
mail.header['From'] = 'machine.mydomain.com'
Also making sure the relay information in postfix is set properly.
I have been looking at options to ship logs from Windows, I have already got logstash set up, and I currently ship logs from Linux (CentOS) servers to my ELK stack using the logstash-forwarder and ssl encryption.
For compliance reasons encryption is pretty much essential in this environment.
I was hoping to use logstash-forwarder in Windows as well, but after compiling with Go I ran into issues shipping Event Logs, and I found some people saying that it wasn't possible because of file locking issues, which the logstash-forwarder people appear to be working on, but I can't really wait.
Anyway, eventually I found out that nxlog seems to be able to ship logs in an encrypted format using ssl, I've found a few posts about similar topics and while I've learned quite a bit about how to ship the logs across and how to set up nxlog, I am still at a loss with how to set up logstash to accept the logs so I can process them.
I've asked in the #nxlog and #logstash irc channels, and got some confirmation in #nxlog that it is possible, no further information on how it should be configured.
Anyway, I have taken the crt file created for use with my logstash-forwarder (I will create a new one if needed when I am happy that this will work) and renamed it with a pem extension, which I believe should work as it is readable in ASCII format. I have created the environment variable for %CERTDIR% and put my file in there, I have written the following config file for nxlog from the other articles I have read, I think it is right, but I am not 100% sure:
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
# Enable json extension
<Extension json>
Module xm_json
</Extension>
# Nxlog internal logs
<Input internal>
Module im_internal
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>
# Windows Event Log
<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
Module im_msvistalog
# Uncomment im_mseventlog for Windows XP/2000/2003
# Module im_mseventlog
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>
<Output sslout>
Module om_ssl
Host lumberjack.domain.com
Port 5000
CertFile %CERTDIR%/logstash-forwarder.crt
AllowUntrusted TRUE
OutputType Binary
</Output>
<Route 1>
Path eventlog, internal => sslout
</Route>
What I want to know is what input format to use in logstash. I have tried shipping logs in to a lumberjack input type (using the same config as my logstash-forwarders use) with the following config:
input {
lumberjack {
port => 5000
type => "logs"
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
But when the service started I get the following in the nxlog logfiles:
2014-11-06 21:16:20 INFO connecting to lumberjack.domain.com:5000
2014-11-06 21:16:20 INFO nxlog-ce-2.8.1248 started
2014-11-06 21:16:21 INFO successfully connected to lumberjack.domain.com:5000
2014-11-06 21:16:22 INFO remote closed SSL socket
2014-11-06 21:16:22 INFO reconnecting in 1 seconds
2014-11-06 21:16:23 INFO connecting to lumberjack.domain.com:5000
2014-11-06 21:16:24 INFO reconnecting in 2 seconds
2014-11-06 21:16:24 ERROR couldn't connect to ssl socket on lumberjack.antmarketing.com:5000; No connection could be made because the target machine actively refused it.
When I turned the logging up to DEBUG I see a massive amount of logs flying through, but I think the key part is:
2014-11-06 21:20:18 ERROR Exception was caused by "rv" at om_ssl.c:532/io_err_handler(); [om_ssl.c:532/io_err_handler()] -; [om_ssl.c:501/om_ssl_connect()] couldn't connect to ssl socket on lumberjack.domain.com:5000; No connection could be made because the target machine actively refused it.
I assume this points to me using the wrong input method on logstash, but I guess it could also be an issue with my ssl certs or the way it is configured. I don't appear to be getting any logs on the logstash server being generated at the time I make the connection from my Windows machine.
Thanks to b0ti for the help, there were a number of issues, my logstash config was crashing the service, but I also had issues with my nxlog setup as well as my ssl certs being set up in the correct way.
I found this post about creating ssl certs, which covers the way they are set up really nicely for self signed certs for use as a web service.
The main thing wrong with nxlog was as b0ti pointed out I was trying to ship in binary when that will only work when shipping to nxlog server. I also noticed in the docs that the default for AllowUntrusted is false, so I just had to delete it once I was happy ssl was working.
<Output sslout>
Module om_ssl
Host lumberjack.domain.com
Port 5001
CAFile %CERTDIR%\nxlog-ca.crt
OutputType LineBased
</Output>
Create the CA key and secure it, as this needs to be kept secret (cd to /etc/pki/tls):
certtool --generate-privkey --bits 2048 --outfile private/nxlog-ca.key
chown logstash:logstash private/nxlog-ca.key
chmod 600 private/nxlog-ca.key
And then Self Signed CA Cert, which will need to be transferred to your clients:
certtool --generate-self-signed --load-privkey private/nxlog-ca.key --bits 2048 --template nxlog-ca-rules.cnf --outfile certs/nxlog-ca.crt
The cnf file is standard only with this option modified:
# Whether this is a CA certificate or not
ca
The logstash input method:
input {
tcp {
port => 5001
type => "nxlogs"
ssl_cacert => "/etc/pki/tls/certs/nxlog-ca.crt"
ssl_cert => "/etc/pki/tls/certs/nxlog.crt"
ssl_key => "/etc/pki/tls/private/nxlog.key"
ssl_enable => true
format => 'json'
}
}
Generate the private key:
certtool --generate-privkey --bits 2048 --outfile private/nxlog.key
chown logstash:logstash private/nxlog.key
chmod 600 private/nxlog.key
Generate the CSR (Certificate Signing Request):
certtool --generate-request --bits 2048 --load-privkey private/nxlog.key --outfile private/nxlog.csr
Sign the cert with the CA private key:
certtool --generate-certificate --bits 2048 --load-request private/nxlog.csr --outfile certs/nxlog.crt --load-ca-certificate certs/nxlog-ca.crt --load-ca-privkey private/nxlog-ca.key --template nxlog-rules.cnf
Again the only important part over the standard inputs for the cnf file will be:
# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
encryption_key
# Whether this certificate will be used for a TLS client
tls_www_client
I've tested this and it works well. I just need to get the filters set up now.
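As an added example (not logstash's or nxlog's own code), a Python stand-in for the receiving side of the setup above: a TLS listener that requires a client certificate signed by nxlog-ca.crt and decodes one JSON object per line, the format that OutputType LineBased plus to_json() produces. The certificate paths are assumed and the sample wire bytes are constructed.

```python
"""Receiver-side stand-in for the logstash tcp input with ssl_enable => true:
mutual TLS first, then one JSON object per newline-terminated line, which is
what nxlog sends with OutputType LineBased and to_json().

Added example, not logstash's or nxlog's own code; the certificate paths are
assumed to match the layout used in the answer above."""
import json
import socket
import ssl

CA_CERT = "/etc/pki/tls/certs/nxlog-ca.crt"      # the CA that signed the nxlog client cert
SERVER_CERT = "/etc/pki/tls/certs/nxlog.crt"
SERVER_KEY = "/etc/pki/tls/private/nxlog.key"


def make_server_context(cacert=CA_CERT, cert=SERVER_CERT, key=SERVER_KEY):
    """TLS server context that also demands a client certificate from the private CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert, key)
    ctx.load_verify_locations(cacert)
    # Counterpart of CAFile (with AllowUntrusted left at its default of FALSE) on the
    # nxlog side: a peer without a cert chaining to nxlog-ca.crt fails the handshake.
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def parse_event(line):
    """One LineBased record is one JSON object; nxlog's Binary format would fail here."""
    try:
        text = line.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("record is not UTF-8 text; is the sender still using OutputType Binary?")
    event = json.loads(text)          # raises JSONDecodeError (a ValueError) on anything else
    if not isinstance(event, dict):
        raise ValueError("expected one JSON object per line")
    return event


def split_records(buffer):
    """Cut a TCP read buffer at newlines; return (decoded events, unfinished tail)."""
    events = []
    while b"\n" in buffer:
        line, buffer = buffer.split(b"\n", 1)
        if line.strip():
            events.append(parse_event(line))
    return events, buffer


def serve(host="0.0.0.0", port=5001, handle=print):
    """Accept nxlog connections and pass every decoded event to handle()."""
    ctx = make_server_context()
    with socket.create_server((host, port)) as listener:
        while True:
            raw, peer = listener.accept()
            try:
                with ctx.wrap_socket(raw, server_side=True) as conn:
                    pending = b""
                    chunk = conn.recv(65536)
                    while chunk:
                        events, pending = split_records(pending + chunk)
                        for event in events:
                            handle(event)
                        chunk = conn.recv(65536)
            except (ssl.SSLError, ValueError) as exc:
                # A failed client-cert check or a non-JSON sender ends up here, not in handle()
                print("dropped %s:%d: %s" % (peer[0], peer[1], exc))


# Constructed sample: two complete LineBased/to_json() records plus a partial third, as read off the wire.
SAMPLE_WIRE = (b'{"EventReceivedTime":1415308580,"EventID":4624,"Channel":"Security"}\n'
               b'{"EventReceivedTime":1415308581,"EventID":4634,"Channel":"Security"}\n'
               b'{"EventReceivedTime":1415308582,"Eve')
```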
The binary data format is nxlog specific, you should only use it if you send to nxlog.
OutputType Binary
If this doesn't help, check the logstash logs since it's the remote end (logstash) which closes the connection.
I've just downloaded wampserver with Apache/2.4.4 (Win64) OpenSSL/1.0.1g PHP/5.4.12. Not a standard download, the original openssl version was too old.
I'm trying to create a new soapclient, but when the wsdl is at an ssl url apache crashes with no error.
$wsdl = 'https://www.undisclosedlocation.com/wsdl/mywsdl.wsdl';
$sclient = new SoapClient($wsdl,array('trace'=>1));
no hits, no runs, no errors. All I get is:
The connection was reset
The connection to the server was reset while the page was loading.
on the browser. Even in my debugger I just get "session prematurely finished".
The wsdl isn't available on a url without ssl, but if i copy it to a local location it works, but then all the namespaces are off.
I'm using a self-signed certificate and get one more error.
[Sun Apr 13 22:45:50.192400 2014] [ssl:warn] [pid 19:tid 76] AH01909: RSA certificate configured for mydomain:443 does NOT include an ID which matches the server name
It seems that the problem is with your certificate. There are at least two problems:
Self signed certificate, which is not trusted by your client
The certificate doesn't contain the DNS name of your website
Most of the systems will discard the connection when one of those errors occurs.
Try to add the following setting before:
$context = stream_context_create(array(
    'ssl' => array(
        'verify_peer' => false,       // skips CA validation, so the self-signed cert is accepted
        'allow_self_signed' => true
    )
));
// The context only takes effect once it is handed to SoapClient:
$sclient = new SoapClient($wsdl, array('trace' => 1, 'stream_context' => $context));
See the following Stackoverflow question: Disable certificate verification in PHP SoapClient
Frontend developer desperately trying to get a WAMP running on Windows 7 (Home Premium, 64 bit, SP1). I've tried WAMPSERVER and XAMPP. Starting the Apache service failed on both, returning the exact same critical error in their error.log-files:
[Thu Dec 13 14:38:56.905257 2012] [mpm_winnt:crit] [pid 4868:tid 280] (OS 109)The pipe has been ended. : AH00404: Child: Unable to read socket data from parent
[Thu Dec 13 14:38:57.028264 2012] [mpm_winnt:crit] [pid 5100:tid 408] AH00427: Parent: child process exited with status 3 -- Aborting.
I've googled for over 2 hours for this problem and have tried several things. Checking/freeing up Port 80, using a different port, turning off MSSE's real-time protection, disabling LMHOSTS Lookup, dozens of reinstalls... All to no avail.
Please help :(
Go to Control Panel -> Administrative Tools -> Services. Find "Web Deployment Agent Service" right click and stop. Start up Apache and see if it sticks. If so, right click on Web Deployment Agent again and go to properties and set the startup type to Manual.
In my case, the error log was this:
[crit] (OS 109)The pipe has been ended. : setup_inherited_listeners: Unable to read socket data from parent
The solution was that Apache was set to listen on IPv6 interface, but there was no IPv6 interface enabled.
I just recently added the SSL Endpoint add-on to my "example" app, and updated my SSL Cert and Private Key from DNSimple to Heroku (according to this article: http://ryan.mcgeary.org/2011/09/16/how-to-add-a-dnsimple-ssl-certificate-to-heroku/ ) thanks to this command:
$ heroku certs:add STAR_example_com-bundle.pem STAR_example_com-private.key --app example
Adding SSL endpoint to example... done
example now served by oita-4417.herokussl.com
Certificate details:
subject: /OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.example.com
start date: 2012-07-28 02:00:00 CEST
expire date: 2013-07-29 01:59:59 CEST
common name(s): *.example.com, example.com
issuer: /OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.example.com
SSL certificate is verified by a root authority.
But now, when I try to access my app with https://example.com (and sub-domains such as https://foo.example.com), I get a warning (inside a big red page, using Chrome)...
How could I fix this? Maybe I have to wait some hours? Thanks!