When apache ignores your SSL certificate!

Almost everybody realizes nowadays that pages where logins and passwords are entered must be served over an encrypted connection such as HTTPS. For a secure connection the web server needs a correctly configured certificate and the private key that belongs to it.

Usually certificates are bought from a Certificate Authority and cost around $100 per year. Here I will show how to make your own certificate for free, in a few simple steps. Keep in mind that browsers do not trust a self-signed certificate and will warn users about it, so this is for test systems or for sites whose users you can give the certificate to in advance; the connection is encrypted either way.

  1. Create a 1024-bit RSA private key, encrypted with des3, in the file server.key (today use at least 2048 bits; 1024-bit RSA is no longer accepted by browsers or CAs):
    openssl genrsa -des3 -out server.key 1024

    http://www.openssl.org/docs/apps/genrsa.html#

  2. Create a certificate signing request for the private key in server.key and place the request in server.csr. This asks for information about your site; most importantly, the Common Name (CN) must match your site name exactly:
    openssl req -new -key server.key -out server.csr

    http://www.openssl.org/docs/apps/req.html#

  3. Finally, create an X.509 certificate from the request in server.csr, sign it with server.key and save the result in server.crt; the certificate is valid for 365 days.

    http://www.openssl.org/docs/apps/x509.html#
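The three steps above as one non-interactive script, with the checks worth running before pointing Apache at the files. This is an added example, not the post's own commands: it uses 2048-bit keys, passes the passphrase and subject on the command line instead of answering prompts, and writes an extra unencrypted copy of the key, because a des3-encrypted key makes httpd stop and ask for the passphrase at every start. The directory, host name, organisation and the KEY_PASS placeholder are assumptions to replace.

```sh
#!/bin/sh
# Added example (not from the original post): key, CSR and self-signed cert
# in one function, plus a key/cert match check.
# Assumptions: a writable directory; KEY_PASS, /O=Example and the host name
# are placeholders you replace.
set -eu

# make_self_signed DIR HOSTNAME
#   DIR/server.key         RSA key, des3-encrypted with the passphrase (as in the post)
#   DIR/server.key.nopass  same key unencrypted, for unattended httpd start
#   DIR/server.csr         signing request whose CN is HOSTNAME
#   DIR/server.crt         self-signed X.509 certificate, valid 365 days
make_self_signed() {
    dir=$1
    host=$2
    pass="${KEY_PASS:-changeme}"   # placeholder; set KEY_PASS in the environment

    # 1. private key. 2048 bits rather than 1024: browsers and CAs reject 1024-bit RSA.
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/server.key" 2048

    # 2. CSR. -subj replaces the interactive prompts; CN must match the site name.
    openssl req -new -key "$dir/server.key" -passin "pass:$pass" \
        -subj "/O=Example/CN=$host" -out "$dir/server.csr"

    # 3. sign the request with the same key: the command step 3 of the post describes.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -passin "pass:$pass" -out "$dir/server.crt"

    # Apache prompts for the passphrase on every start unless the key is stored
    # unencrypted (root-owned, mode 0600) or SSLPassPhraseDialog is configured.
    openssl rsa -in "$dir/server.key" -passin "pass:$pass" -out "$dir/server.key.nopass"
    chmod 600 "$dir/server.key" "$dir/server.key.nopass"
}

# cert_matches_key DIR: succeeds when server.crt was issued for the key in
# server.key (same RSA modulus). If Apache serves an unexpected certificate,
# this is the first thing to rule out before digging through the config.
cert_matches_key() {
    dir=$1
    pass="${KEY_PASS:-changeme}"
    cmod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    kmod=$(openssl rsa -noout -modulus -in "$dir/server.key" -passin "pass:$pass")
    [ "$cmod" = "$kmod" ]
}

# Usage when run as a script:  KEY_PASS=secret sh mkcert.sh /etc/httpd/ssl marguspala.com
if [ $# -ge 1 ]; then
    mkdir -p "$1"
    make_self_signed "$1" "${2:-localhost}"
    cert_matches_key "$1" && openssl x509 -noout -subject -dates -in "$1/server.crt"
fi
```

Point SSLCertificateFile at server.crt and SSLCertificateKeyFile at server.key.nopass (or at server.key if you accept the passphrase prompt), and restart Apache.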

The vhost configuration in /etc/httpd/conf/httpd.conf for HTTPS with the newly created certificate and private key looks like this:

<VirtualHost *:443>
    ServerName marguspala.com
    DocumentRoot /var/www/marguspala.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
</VirtualHost>

If you are lucky, after an Apache restart you have an encrypted connection; if not so lucky, Apache will not start 🙂 In that case check error_log, and remember that a des3-encrypted key means httpd asks for the passphrase on every start, which fails when it is started from an init script without a terminal.

Problems:

  • If you have several HTTPS-enabled sites, whichever one you request you always end up on the same site. You are probably using the default httpd.conf, and name-based virtual hosts must be enabled for port 443 as well. Add this line to httpd.conf (Apache 2.2; in 2.4 the directive is no longer needed):
    NameVirtualHost *:443
    Name-based selection over TLS only works when the client sends the host name in the TLS handshake (SNI), which needs Apache 2.2.12 or later built against OpenSSL 0.9.8j or later. Clients without SNI always receive the certificate of the first *:443 vhost.
  • No matter what certificate you define, Apache still uses one of its own that you have never seen before.
    If you open the page in the browser, right-click, choose View Page Info and look at the certificate, you should see the data you entered when creating the signing request. If it is not what you entered, something is wrong.
    I searched the whole server for other certificates and found one at /etc/pki/tls/certs/localhost.crt:

    find / -name '*crt'

    Something was using this certificate, but it was not defined in httpd.conf; it was in /etc/httpd/conf.d/ssl.conf, which httpd.conf pulls in through an Include. The command that found this was

    find / | xargs grep localhost.crt

    Changing SSLCertificateFile and SSLCertificateKeyFile in ssl.conf to point at the new files made the server work.
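The following script packages the diagnostics behind the two problems above: list every certificate directive in the whole Apache config tree (conf.d/ssl.conf included), dump which vhosts Apache has for *:443 and from which file, and compare the fingerprint of the certificate on disk with the one the server actually presents. This is an added example, not the post's commands; it assumes an RHEL/CentOS-style layout under /etc/httpd (override with CONF_DIR) and httpd on PATH.

```sh
#!/bin/sh
# Added example, not from the original post: find out which certificate
# Apache really serves and where that is configured.
# Assumes /etc/httpd as config root (override with CONF_DIR) and httpd on PATH.
set -eu

# list_cert_directives CONF_DIR
#   Every SSLCertificateFile / SSLCertificateKeyFile under the config root,
#   with file and line, including files pulled in via Include such as
#   conf.d/ssl.conf. The targeted form of "find / | xargs grep localhost.crt".
list_cert_directives() {
    grep -rnE '^[[:space:]]*SSLCertificate(Key)?File' "$1"
}

# dump_vhosts: the vhosts Apache parsed, per port, with defining file and line.
# The first *:443 vhost listed answers requests for unknown names and all
# requests from clients that send no SNI.
dump_vhosts() {
    httpd -t -D DUMP_VHOSTS 2>&1
}

# fingerprint_of_file CRT: SHA-256 fingerprint of a certificate file on disk.
fingerprint_of_file() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# fingerprint_served HOST [PORT]: fingerprint of the certificate the server
# presents. -servername sends SNI so a name-based vhost is chosen as a browser
# would choose it; drop it to see what a non-SNI client gets.
fingerprint_served() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Usage when run as a script:  sh whichcert.sh marguspala.com /etc/httpd/ssl/server.crt
# A mismatch between the last two lines means another vhost (typically the
# one in conf.d/ssl.conf) is answering, not the one you edited.
if [ $# -ge 2 ]; then
    echo "== certificate directives under ${CONF_DIR:-/etc/httpd}"
    list_cert_directives "${CONF_DIR:-/etc/httpd}"
    echo "== vhosts"
    dump_vhosts || true
    echo "== on disk: $(fingerprint_of_file "$2")"
    echo "== served:  $(fingerprint_served "$1")"
fi
```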

Some more useful tips

openssl x509 -text -in /etc/pki/tls/certs/localhost.crt

shows the certificate information (subject, issuer, validity period, key size and extensions).

openssl s_client -connect marguspala.com:443 -servername marguspala.com

connects to an HTTPS-enabled website and shows, among other things, the certificate the server presents. -servername sends the host name (SNI) so that a name-based virtual host is selected the way a browser selects it; without it you see the certificate of the first *:443 vhost.


1 thought on “When apache ignores your SSL certificate!”

  1. Pingback: How to download ca certificate chain « Margus Pala is fixing IT!
