RE: How to set up SSL certificate (not self-signed) on virtual host on Ubuntu?
06-24-2015, 11:01 PM
(06-24-2015, 07:49 PM)hotshot Wrote:Sorry I didn´t want to be an intruder in your post.Code:################################################################
# Apache VHOST configuration file
# Automatically generated by Sentora 1.0.0
# Generated on: 11:30 24th Jun 2015 CEST
#==== YOU MUST NOT EDIT THIS FILE : IT WILL BE OVERWRITTEN ====
# Use Sentora Menu -> Admin -> Module Admin -> Apache config
################################################################
Listen 80
Listen 443
# Configuration for Sentora control panel.
<VirtualHost *:80>
ServerAdmin marek@hotshot.sk
DocumentRoot "/etc/sentora/panel/"
ServerName hshot
ErrorLog "/var/sentora/logs/sentora-error.log"
CustomLog "/var/sentora/logs/sentora-access.log" combined
CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options +FollowSymLinks -Indexes
AllowOverride All
Require all granted
</Directory>
# Custom settings are loaded below this line (if any exist)
</VirtualHost>
################################################################
# Sentora generated VHOST configurations below.....
################################################################
<virtualhost *:443>
ServerAdmin marek@hotshot.sk
ServerName fitcity.sk
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/fitcity_sk"
SSLEngine on
SSLCertificateFile /var/sentora/hostdata/zadmin/ssl/fitcityfinal.sk.crt
SSLCertificateKeyFile /var/sentora/hostdata/zadmin/ssl/fitcityfinal.sk.key
SSLCertificateChainFile /var/sentora/hostdata/zadmin/ssl/intermediate.crt
/var/sentora/hostdata/zadmin/ssl/intermediate.crt
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
ErrorLog "/var/sentora/logs/domains/zadmin/fitcityX-error.log"
CustomLog "/var/sentora/logs/domains/zadmin/fitcityX.tld-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/fitcityX-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/fitcity_sk">
Options +FollowSymLinks -Indexes
AllowOverride All
Require all granted
</Directory>
</virtualHost>
# <virtualhost *:80>
# ServerName fitcity.sk
# Redirect permanent / https://fitcity.sk/
# </virtualhost>
# END DOMAIN: fitcity.sk
################################################################
This is my Sentora VHOST config file (httpd-vhosts.conf). I tried both intermediate.crt with same result. With this configuration, when I open fitcity.sk it opens Sentora CP except my site...
When I put to my console: openssl s_client -connect fitcity.sk:443
I get:
Code:openssl s_client -connect fitcity.sk:443 CONNECTED(00000003)
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/OU=GT06217787/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=fitcity.sk
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIElzCCA3+gAwIBAgIDBTatMA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMSAwHgYDVQQDExdSYXBpZFNTTCBTSEEy
NTYgQ0EgLSBHMzAeFw0xNTA2MjEwMzQ0MzBaFw0xNjA2MjQxMjQwMjJaMIGOMRMw
EQYDVQQLEwpHVDA2MjE3Nzg3MTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNv
bS9yZXNvdXJjZXMvY3BzIChjKTE1MS8wLQYDVQQLEyZEb21haW4gQ29udHJvbCBW
YWxpZGF0ZWQgLSBSYXBpZFNTTChSKTETMBEGA1UEAxMKZml0Y2l0eS5zazCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMVENShvjeKewXS0nipy17UNPhod
bVGd903wfVKPTGPtMOMa3+cHS1XAX8ZNTzFSnp1n3t2a/+8TcGPjrg+fyddRGfpu
S7EaHrdfPUHP1HyvfRnWTTwKFltdkhnpZzVVZl3XcLVIsVISgz4HBGC/Jj04aCCO
6xWKEwCzhkw/ahYRASN6CfQsZda7bciAmPMXDkgAf/dSc5zDTQx4ZV8ZOZk1AtW/
exH1hHEL7Yp/ic0GG3HggCGO04brVLPHyIyNTtVDY5nJntiZX6f9rZUaZXftyI4g
t5amdT8bf0UJgQk+Bul7Ar3nSj1Lj/i51ln5ugv5Ut3iBgtwyJqDrMXna9MCAwEA
AaOCAUIwggE+MB8GA1UdIwQYMBaAFMOc8/zTRgg0u85Gf6B8W/PiCMtZMFcGCCsG
AQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDovL2d2LnN5bWNkLmNvbTAmBggr
BgEFBQcwAoYaaHR0cDovL2d2LnN5bWNiLmNvbS9ndi5jcnQwDgYDVR0PAQH/BAQD
AgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAVBgNVHREEDjAMggpm
aXRjaXR5LnNrMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9ndi5zeW1jYi5jb20v
Z3YuY3JsMAwGA1UdEwEB/wQCMAAwQQYDVR0gBDowODA2BgZngQwBAgEwLDAqBggr
BgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMA0GCSqGSIb3
DQEBCwUAA4IBAQAh1z4+BpoRzwcwzY6o3g2Yty6ZuPPrHrs6XUQJl/DXglDv8lR7
71vaHSuuvQ65ccC6r3pmx259I0MWTEHLpy9eclejfO2v34dTWk79iDRY0YkcP5cf
++OfoCFARRlksw45i6uqDBjlp/CB3rOJBMHpdM2YSM1/W5MHyB0M9xyn01E+rnlI
LgeUz4eeWT9+K9Xt1qTX9shifmGxQOmH2tDSv71e08vCz7PXNxPSFm4NRMdX/HDh
zhz36WcIqv3SS7dZxVlPqL1GarmAl+FZ1kc9p9FvEqWxVtXBSn6ei3O9jT2xZQf0
vxkq/w/7xbiDIvqYLyWKcEeE1aVMeUepypYS
-----END CERTIFICATE-----
subject=/OU=GT06217787/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=fitcity.sk
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 2994 bytes and written 477 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: B9C8CE17E687E59323A448496BB440A7CA25083658C7EE7929E895BA7F2CA1AC
Session-ID-ctx:
Master-Key: 34B07A28EFCBA4CC09DAA693041E800A0EB7A473D15B2B14AFF87A4B3B5A2BEC4ECA86987EF2EAEB3E8B8B9D713BA43D
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 00 7f 92 68 75 04 8c e5-a0 0f 9b 4c cb aa ad a2 ...hu......L....
0010 - 29 e0 68 0d 1a c6 ed 2d-8c ba a2 21 99 28 2a e5 ).h....-...!.(*.
0020 - e3 d1 83 7f 18 84 a6 8e-0d 7c a8 2e d8 bb 52 c9 .........|....R.
0030 - 22 26 10 26 4c 3f 6d 54-06 d8 b4 91 08 dc 1d 0e "&.&L?mT........
0040 - 1c ca 28 dd 06 9a 2e 29-ae 05 16 83 62 af 54 89 ..(....)....b.T.
0050 - 56 03 50 f8 cf 58 53 92-35 88 d4 d0 71 47 9b 2f V.P..XS.5...qG./
0060 - 39 7f c5 49 29 9c ab 85-95 88 4a 6c bf 46 7b a2 9..I).....Jl.F{.
0070 - ce 45 6c d9 b3 8c 48 39-04 92 bf 9c 43 03 2f dd .El...H9....C./.
0080 - 9b b8 3a ed 77 13 39 ee-fc 16 cd f9 c8 90 47 3b ..:.w.9.......G;
0090 - 27 16 b5 a5 98 c0 e9 2b-e6 72 d5 29 b9 d4 84 43 '......+.r.)...C
00a0 - 9b c3 1b 97 a9 5f dc 0e-a0 35 f2 dd e6 b5 a4 98 ....._...5......
00b0 - 34 fa fc eb ef 61 6c 3d-a7 fd 31 42 36 ce 80 f5 4....al=..1B6...
Start Time: 1435001436
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
CAN SOMEBODY HELP PLEASE???
Finally https is working for my site, with a 403 error but it is finally working. Just need help with that 403 error.
Check out this post from Me.B
Restore the httpd-vhosts.conf made by sentora, the one without "Listen 443" and all the conf to make your Vhost work with SSL. Leave it as it was written by Sentora. And then follow Me.B guide
(12-07-2014, 07:39 AM)Me.B Wrote: In few lines the best solution is:
1. create a new conf file that contain your SSL host that will look like this
Quote:<virtualhost *:443>
ServerName ssl.domain.com
ServerAlias ssl.domain.com
ServerAdmin you@domain.com
DocumentRoot "/var/zpanel/hostdata/zadmin/public_html/ssl.domain.com"
php_admin_value open_basedir "/var/zpanel/hostdata/zadmin/public_html/ssl.domain.com:/var/zpanel/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/zpanel/logs/domains/zadmin/ssl.domain.com-error.log"
CustomLog "/var/zpanel/logs/domains/zadmin/ssl.domain.com-access.log" combined
CustomLog "/var/zpanel/logs/domains/zadmin/ssl.domain.com-bandwidth.log" common
<Directory />
Options FollowSymLinks Indexes
AllowOverride All
Order Allow,Deny
Allow from all
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 403 /_errorpages/403.html
ErrorDocument 510 /_errorpages/510.html
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 404 /_errorpages/404.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
SSLEngine On
SSLCertificateFile /var/zpanel/logs/domains/zadmin/ssl/secure1.pem
SSLCertificateKeyFile /var/zpanel/logs/domains/zadmin/ssl/secure1.key
</virtualhost>
All zpanel path's should be replaced by sentora.
You will need first to create a normal ssl.domain.com ( sub domain) could a be domain so replace ssl.domain.com with the correct URL you will use.
Notice the path for the SSL certificates that you can change.
Once you create this config file as ssl.domain.com.conf place it in
/etc/zpanel/config/apache/ ( or /etc/sentora/ )
Then check your apache main config file & add include the new conf file you created.
Restart apache. If your SSL certficate is ok ( take care to remove the password or apache will request it after each restart), you should now have
http://ssl.domain.com working &
https://ssl.domain.com both pointing same root.
Then add a .htaccess to enforce https only if you need that or you can keep both working.
I think the old way in the wiki should not be used & hope in next release we auto generate the ssl host instead of having this manual setup. The wiki how to fail to explain the need for override. As once you enable ssl the default domain/subdomain with SSL will no longer work on HTTP & this is why you will be required to add a vhost port override to avoid nasty errors. My way will allow both SSL & non SSL working but require a lot more manual admin off panel.
This topic is FOR EXPERIENCED ADMIN.
M B
