My domain is: https://www.neasy.de
I ran this command:
git clone https://github.com/certbot/certbot
cd certbot
./certbot-auto certonly -a standalone -d neasy.de -d www.neasy.de
cd /etc/letsencrypt/live/neasy.de
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version): linux
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.31.0
4 month ago i first used letsencrypt and I was success to use it. I learned I have to generate certificate
with and without www. prefix and it is important. My company has changed the domain name from neasy.app to neasy.de and for that I deleted my old certificate and generate new one for neasy.de
Now i am in a new trouble that if i write in my browser neasy.de it does not work even if i write www.neasy.de it does not work. But for at least once time if I write https://neasy.de or https://www.neasy.de it works, and for the next time i dont need to write https:// prefix.
This issue really seems weird to me any help will be appreciated. If you already tried writting https://neasy.de then you can open firefox browser private window
Since you're using Ubuntu please follow this guide:
https://certbot.eff.org/lets-encrypt/ubuntuxenial-apache.html (jus make sure to choose your ubuntu release from the dropdown).
this will guide you through the whole process without manual work.
Just make sure to run all apt-related commands.
Was there a route for the old domain neasy.app which was redirecting the http traffic to https ? It looks like you forgot to update that route with the new domain name.
Usually when you enter any new website in the address bar of browser it by default uses http protocol. On the server site you have to do a 301 redirect from http to https.
Related
I'm stuck on how to fix this SSL error --
My SSL certs work fine on Chrome, but in Safari and Firefox I get an error that there is a host name mismatch if I go to www.domain.com instead of just domain.com
I've set up SSL Certificates using Certbot for my domain for both domain.com and www.domain.com
When I check on nginx to make sure that the certificates exist, I run sudo certbot --nginx, then select both of the domains when asked Which names would you like to activate https for?, and for both domain.com and www.domain.com, I get the result "You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry" and asks if I'd like to attempt to reinstall or renew and replace the cert.
I'm not sure what other steps I can take, as last time I installed certbot I simply followed the instructions, did the above for both www and non-www addresses, and it simply worked at both www and non-www!
Does anyone have any suggestions what to do next?
TLDR:
domain.com: works fine in firefox/safari, nginx says cert exists
www.domain.com: host name mismatch in firefox/safari, nginx says cert exists
why?!
After messing with it for a while, and trying #xyz's ssl checker I figured out the following things:
both certs were valid
When I re-installed the certs using certbot, the most recent cert would start working and the previous one would stop working
Turned out that i needed to add the other url as a subdomain to the existing cert and that fixed it!
I used:
sudo certbot -d domain.com -d www.domain.com
and that did the trick
You can check both domains from an external service, e.g. here:
https://www.sslshopper.com/ssl-checker.html
It will tell you if the certificate is correctly installed on both.
You should also open a new tab in Chrome, open developer tools, record network requests, then goto www.domain.com and see what redirects Chrome makes and what URL's it actually makes requests to. Maybe it has some automatic URL changing based on previously successfully resolved URL's.
I am new to SSL setup, please excuse me if my question is wrong.
I have deployed a Spring Boot application on AWS EC2 (Windows) instance with bunch of restful services, exposed through public IP address (AWS), i am able to access them publicly(http). I want to SSL(https) them now. I am in process of purchasing certificate, in one of the steps to setup, they have given these lines to validate a text file, is anyone aware of this ? Can you please suggest where i need to create ./well-known/pki-validation folder on my Spring Boot application(Tomcat) ?
The issuing vendor will provide you with a simple text-based file to place in sub-folders /.well-known/pki-validation/ in your site’s "home directory". If done properly, the vendor can view this file via HTTP:// and then issue the certificate upon confirmation.
1 Install certboot in the server.
git clone https://github.com/certbot/certbot
cd certbot
./certbot-auto --help
2 Obtain the certificate
In order to obtain the certificate you need to expose trough the server certain files. I do that using the target folder of spring boot tomcat.
./certbot-auto certonly --webroot -w {SpringBootProjectDir}/target/classes/static/ -d {yourDomain.com}
This command obtains the certificates and leaves them in:
/etc/letsencrypt/live/{yourDomain.com}/
Tomcat can't read the certificate provided since its not in p12 format. We have to generate the cert in this format. Use this command
sudo openssl pkcs12 -export -in /etc/letsencrypt/live/{yourDomain.com}/fullchain.pem -inkey /etc/letsencrypt/live/{yourDomain.com}/privkey.pem -out /etc/letsencrypt/live/{yourDomain.com}/keystore.p12 -name tomcat -CAfile /etc/letsencrypt/live/{yourDomain.com}/chain.pem -caname root
It will ask you a password. Keep the password.
3 Configure the server
server.port=443
server.ssl.enabled=true
server.ssl.key-store: /etc/letsencrypt/live/{yourDomain.com}/keystore.p12
server.ssl.key-store-password: {password}
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat
Restart the server and Thats it!
Well, My problem starts with Google Maps API. Working local everything is fine, but When i published my system in web (Digital Ocean Host) i discovered that Google Maps API only works with HTTPS protocol.
So, searching in the internet i found the https://letsencrypt.org/ , a good way to use HTTPS without pay, beacause i'm justing testing, not production yet.
But i'm using a JBOSS EAP 7 and i didn't found any tutorial in letsencrypt.org to JBOSS, so i found this link: https://knowles.co.za/creating-renewing-a-lets-encrypt-certificate-for-apache-and-wildfly/.
Following the WildFly tutorial i tried execute this step:
sudo openssl pkcs12 -export -in /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem -inkey /etc/letsencrypt/live/YOURDOMAIN/privkey.pem -out YOURKEYSTORENAME.p12 -name KEYSTOREALIAS
PS: I changed the YOURDOMAIN to my domain.
I got the following error:
No such file or directory fullchain.pem
This file didn't should be created automatically ?
I have already tried a lots of options available for this problem on stackoverflow, unfortunately nothing is working for me so far.
It started with composer installation. My env details are listed below:
OS: Windows 7
PHP V 7.1.10, XAMPP version
I am running MINGW64, (which was installed with git v2.1.5)
curl --version
curl 7.56.1 (x86_64-w64-mingw32) libcurl/7.56.1 OpenSSL/1.0.2l (WinSSL) zlib/1.2.11 libidn2/2.0.4 libssh2/1.8.0 nghttp2/1.26.0
Release-Date: 2017-10-23
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2 HTTPS-proxy MultiSSL Metalink
Now here it seems CURL with OpenSSL is installed correctly.
When I was doing composer require or install it was reported me an error as follows:
I searched and figured out that its the local certificate problem so I downloaded the certificate/bundle from https://curl.haxx.se/docs/caextract.html, placed the certificate under C:\xampp\php\extras\ssl\ and changed the PHP.ini
curl.cainfo="C:\xampp\apache\bin\curl-ca-bundle.crt"
openssl.cafile="C:\xampp\php\extras\ssl\curl-ca-bundle.crt"
this never worked. Then I placed my certificates under C:\Windows\System32\curl-ca-bundle.crt, changed the ini still it didn't work.
Then I downloaded cacert.pem from
https://gist.github.com/VersatilityWerks/5719158/download
and repeated steps to make it work with pem file.
However I am afraid still no success here.
Can anyone help me whats wrong going on here? Any help in this direction is much
appreciated.
This is for Windows users, using curl-7.57.0-win64-mingw or similar version.
I have already shared this on another thread, but I think Windows users might stumble upon this question and my answer might help. So, sharing the step-by-step process.
This error basically means, curl is failing to verify the certificate of the target URI. If you trust the issuer of the certificate (CA), you can add that to the list of trusted certificates (e.g. It's a local IIS certificate, and you trust it for your development purposes).
For that, browse the URI (e.g. on Chrome) and follow the steps
Right click on the HTTPS secure padlock 🔒 icon on address bar
Click on certificate, it'll open a window with the certificate details
Go to 'Certification Path' tab
Click the ROOT certificate
Click View Certificate, it'll open another certificate window
Go to Details tab
Click Copy to File... button, it'll open the export wizard
Click Next
Select 'Base-64 encoded X.509 (.CER)'
Click Next
Give a friendly name that you can remember e.g. 'MyDomainX.cer' (browse to desired directory) and save
Click Next
Click Finish, it'll save the certificate file
So what did we do?
We basically saved the root certificate for the desired site (that we actually trust) as a local file. What do we do next?
Add that certificate to the list of trusted certificates
Now open this .cer file and copy the contents (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----)
Now go to the directory where curl.exe is saved e.g. C:\SomeFolder\curl-7.57.0-win64-mingw\bin
Open the curl-ca-bundle.crt file with a text editor (right click and open with...)
Append the copied certificate text to the end of the file. Save
What did we do now?
We added the certificate (content) to curl's main certificate bundle. So now curl will recognize this certificate and allow the domain.
Now your command should execute fine on curl.
Just posting this here for posterity as I spent the last 2 hours on this.
NOTE: only tested on windows.
Make sure you have the curl version with ssl included ( the latest exe installer has it)
Download the cacert.pem from http://curl.haxx.se/docs/caextract.html
Rename cacert.pem to curl-ca-bundle.crt
Move the cacert.pem file to the curl.exe directory.
Fixed.
On my local dev machine (osx), I'm using jboss to server web services on 8443. When I hit the urls directly I get the json responses I'm looking for. The architecture we have at work includes a middle layer (apache/php) that does authentication and routing. If things authenticate then it forwards the request to the backend.
When I was working with apache on port 80 and jboss on 8081 (using http). Everything worked fine for me. Now that I'm trying to use 8443, things aren't working.
I recently changed the backend to server through https (8443) instead of http (8081). I can hit the requests on https 8443 directly and get the json response. When I hit apache and it authenticates then tries to redirect to the https 8443 I get the following message from chrome's inspector: "SSL: can't load CA certificate file /etc/pki/tls/certs/ca-bundle.crt".
My vhost is setup to catch *:80 requests. I think I might need to setup vhosts to accept 443 requests or install ca-certificates like talked about in How do I deal with certificates using cURL while trying to access an HTTPS url? . I'm looking to see if anyone knows what the proper direction should be.
When I look on the file system, the file /etc/pki/tls/certs/ca-bundle.crt doesn't exist. When I make the request to the middle layer, I see the request hit /var/log/apache2/access_log and nothing comes up in /var/log/apache2/error_log.
What is needed to resolve this issue? Is it a configuration of vhosts to catch request to 443? Is it to install ca-cert stuff like in the link? A combination of both? Or something else? Please provide enough info on how to solve it, or provide links that provide enough info.
I solved my issue and am doing a post for documentation purposes, in case anyone else has similar issues. There was a couple of issues I had to resolve to fix this.
PHP Install
My /etc/apache2/httpd.conf referenced my default osx php install instead of my home brew install of php. Solution was to edit the httpd.conf and point it to the right install.
#LoadModule php5_module /usr/local/opt/php53/libexec/apache2/libphp5.so
LoadModule php5_module /usr/local/Cellar/php53/5.3.29_4/libexec/apache2/libphp5.so
You can create a similar setup of php using home brew by the following commands:
brew install homebrew/php/php53
brew install homebrew/php/php53-igbinary --build-from-source
brew install homebrew/php/php53-intl
brew install homebrew/php/php53-mcrypt
brew install homebrew/php/php53-memcached
brew install homebrew/php/php53-mongo
brew install homebrew/php/php53-xdebug
Create the CA Cert Bundle File
The system is looking for /etc/pki/tls/certs/ca-bundle.cert which is a standard path on linux, but not on osx. We get around this by generating the file.
I generated the .keystore file using keytool and used jboss for my alias. In order to build the ca bundle file, we need it to be in the pem format, so we need to add the -rfc to our export statement. Below are the commands:
cd /usr/local/jboss-eap-6.4/standalone/configuration
keytool -export -alias jboss -file local-sbx.dev.yourcompany.com.crt -keystore .keystore -rfc
After you have the file, you can cat it out and verify that the file has the BEGIN CERTIFICATE and END CERTIFICATE stuff in it. If so, its in the right format.
Lastly, create the directory structure, move the cert to act like the bundle (which is just a bunch of certs appended to each other) and then restart apache:
mkdir -p /etc/pki/tls/certs/
sudo cp local-sbx.dev.yourcompany.com.crt /etc/pki/tls/certs/ca-bundle.crt
sudo apachectl restart