RE: How to set up SSL certificate (not self-signed) on virtual host on Ubuntu?
06-24-2015, 11:43 PM
(This post was last modified: 06-24-2015, 11:44 PM by stiuvert0007.)
(06-24-2015, 06:05 PM)Diablo925 Wrote: SSLCertificateChainFile /etc/apache2/ssl/tilabmx.com.ca-bundle <-- Wrong
need to be pem,crt,cer
Thanks Diablo, now my conf file is:
PHP Code:
Listen 443
<VirtualHost *:443>
ServerName tilabmx.com
ServerAlias www.tilabmx.com
ServerAdmin hcmarcos@tilabmx.com
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/tilabmx_com"
php_admin_value open_basedir "/var/sentora/hostdata/zadmin/public_html/tilabmx_com:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid$
SSLEngine on
SSLCertificateKeyFile /etc/apache2/ssl/tilabmx.com.key
SSLCertificateFile /etc/apache2/ssl/tilabmx_com.crt
SSLCertificateChainFile /etc/apache2/ssl/bundle.crt
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!A$
SSLHonorCipherOrder on
ErrorLog "/var/sentora/logs/domains/zadmin/tilabmx.com-error.log"
CustomLog "/var/sentora/logs/domains/zadmin/tilabmx.com-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/tilabmx.com-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/tilabmx_com">
Options FollowSymLinks Indexes
AllowOverride All
Order Allow,Deny
Allow from all
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 403 /_errorpages/403.html
ErrorDocument 404 /_errorpages/404.html
ErrorDocument 510 /_errorpages/510.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
</virtualHost>
But I get a 403 error. Why? I hope you can help me.
My site is https://tilabmx.com
RE: How to set up SSL certificate (not self-signed) on virtual host on Ubuntu?
06-25-2015, 07:13 PM
Don't double post!
RE: How to set up SSL certificate (not self-signed) on virtual host on Ubuntu?
07-01-2015, 03:08 AM
(06-24-2015, 11:43 PM)stiuvert0007 Wrote:
(06-24-2015, 06:05 PM)Diablo925 Wrote: SSLCertificateChainFile /etc/apache2/ssl/tilabmx.com.ca-bundle <-- Wrong
need to be pem,crt,cer
Thanks Diablo, now my conf file is:
PHP Code:
Listen 443
<VirtualHost *:443>
ServerName tilabmx.com
ServerAlias www.tilabmx.com
ServerAdmin hcmarcos@tilabmx.com
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/tilabmx_com"
php_admin_value open_basedir "/var/sentora/hostdata/zadmin/public_html/tilabmx_com:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid$
SSLEngine on
SSLCertificateKeyFile /etc/apache2/ssl/tilabmx.com.key
SSLCertificateFile /etc/apache2/ssl/tilabmx_com.crt
SSLCertificateChainFile /etc/apache2/ssl/bundle.crt
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!A$
SSLHonorCipherOrder on
ErrorLog "/var/sentora/logs/domains/zadmin/tilabmx.com-error.log"
CustomLog "/var/sentora/logs/domains/zadmin/tilabmx.com-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/tilabmx.com-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/tilabmx_com">
Options FollowSymLinks Indexes
AllowOverride All
Order Allow,Deny
Allow from all
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 403 /_errorpages/403.html
ErrorDocument 404 /_errorpages/404.html
ErrorDocument 510 /_errorpages/510.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
</virtualHost>
But I get a 403 error. Why? I hope you can help me.
My site is https://tilabmx.com
Hi! I see you are using Transformer :) How did you manage to get SSL working? I can help you with Transformer if you need something (www.fitcity.sk)
RE: How to set up SSL certificate (not self-signed) on virtual host on Ubuntu?
07-01-2015, 04:25 AM
(06-24-2015, 11:01 PM)stiuvert0007 Wrote:
(06-24-2015, 07:49 PM)hotshot Wrote:
Code:
################################################################
# Apache VHOST configuration file
# Automatically generated by Sentora 1.0.0
# Generated on: 11:30 24th Jun 2015 CEST
#==== YOU MUST NOT EDIT THIS FILE : IT WILL BE OVERWRITTEN ====
# Use Sentora Menu -> Admin -> Module Admin -> Apache config
################################################################
Listen 80
Listen 443
# Configuration for Sentora control panel.
<VirtualHost *:80>
ServerAdmin marek@hotshot.sk
DocumentRoot "/etc/sentora/panel/"
ServerName hshot
ErrorLog "/var/sentora/logs/sentora-error.log"
CustomLog "/var/sentora/logs/sentora-access.log" combined
CustomLog "/var/sentora/logs/sentora-bandwidth.log" common
AddType application/x-httpd-php .php
<Directory "/etc/sentora/panel/">
Options +FollowSymLinks -Indexes
AllowOverride All
Require all granted
</Directory>
# Custom settings are loaded below this line (if any exist)
</VirtualHost>
################################################################
# Sentora generated VHOST configurations below.....
################################################################
<virtualhost *:443>
ServerAdmin marek@hotshot.sk
ServerName fitcity.sk
DocumentRoot "/var/sentora/hostdata/zadmin/public_html/fitcity_sk"
SSLEngine on
SSLCertificateFile /var/sentora/hostdata/zadmin/ssl/fitcityfinal.sk.crt
SSLCertificateKeyFile /var/sentora/hostdata/zadmin/ssl/fitcityfinal.sk.key
SSLCertificateChainFile /var/sentora/hostdata/zadmin/ssl/intermediate.crt
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
ErrorLog "/var/sentora/logs/domains/zadmin/fitcityX-error.log"
CustomLog "/var/sentora/logs/domains/zadmin/fitcityX.tld-access.log" combined
CustomLog "/var/sentora/logs/domains/zadmin/fitcityX-bandwidth.log" common
<Directory "/var/sentora/hostdata/zadmin/public_html/fitcity_sk">
Options +FollowSymLinks -Indexes
AllowOverride All
Require all granted
</Directory>
</virtualHost>
# <virtualhost *:80>
# ServerName fitcity.sk
# Redirect permanent / https://fitcity.sk/
# </virtualhost>
# END DOMAIN: fitcity.sk
################################################################
This is my Sentora VHOST config file (httpd-vhosts.conf). I tried both intermediate.crt files with the same result. With this configuration, when I open fitcity.sk it opens the Sentora CP instead of my site...
When I put to my console: openssl s_client -connect fitcity.sk:443
I get:
Code:
openssl s_client -connect fitcity.sk:443
CONNECTED(00000003)
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/OU=GT06217787/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=fitcity.sk
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
subject=/OU=GT06217787/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=fitcity.sk
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 2994 bytes and written 477 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: B9C8CE17E687E59323A448496BB440A7CA25083658C7EE7929E895BA7F2CA1AC
Session-ID-ctx:
Master-Key: 34B07A28EFCBA4CC09DAA693041E800A0EB7A473D15B2B14AFF87A4B3B5A2BEC4ECA86987EF2EAEB3E8B8B9D713BA43D
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
Start Time: 1435001436
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
CAN SOMEBODY HELP PLEASE??? Sorry, I didn't want to be an intruder in your post.
Finally https is working for my site, with a 403 error but it is finally working. Just need help with that 403 error.
Check out this post from Me.B
Restore the httpd-vhosts.conf made by Sentora, the one without "Listen 443" and all the conf to make your Vhost work with SSL. Leave it as it was written by Sentora. And then follow Me.B's guide.
(12-07-2014, 07:39 AM)Me.B Wrote: In few lines the best solution is:
1. create a new conf file that contain your SSL host that will look like this
Quote:
<virtualhost *:443>
ServerName ssl.domain.com
ServerAlias ssl.domain.com
ServerAdmin you@domain.com
DocumentRoot "/var/zpanel/hostdata/zadmin/public_html/ssl.domain.com"
php_admin_value open_basedir "/var/zpanel/hostdata/zadmin/public_html/ssl.domain.com:/var/zpanel/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/zpanel/logs/domains/zadmin/ssl.domain.com-error.log"
CustomLog "/var/zpanel/logs/domains/zadmin/ssl.domain.com-access.log" combined
CustomLog "/var/zpanel/logs/domains/zadmin/ssl.domain.com-bandwidth.log" common
<Directory />
Options FollowSymLinks Indexes
AllowOverride All
Order Allow,Deny
Allow from all
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 403 /_errorpages/403.html
ErrorDocument 510 /_errorpages/510.html
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 404 /_errorpages/404.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
SSLEngine On
SSLCertificateFile /var/zpanel/logs/domains/zadmin/ssl/secure1.pem
SSLCertificateKeyFile /var/zpanel/logs/domains/zadmin/ssl/secure1.key
</virtualhost>
All zpanel paths should be replaced by sentora.
You will first need to create a normal ssl.domain.com (sub domain); it could be a domain, so replace ssl.domain.com with the correct URL you will use.
Notice the path for the SSL certificates that you can change.
Once you create this config file as ssl.domain.com.conf place it in
/etc/zpanel/config/apache/ ( or /etc/sentora/ )
Then check your apache main config file & add an include for the new conf file you created.
Restart apache. If your SSL certificate is ok (take care to remove the password or apache will request it after each restart), you should now have
http://ssl.domain.com working &
https://ssl.domain.com both pointing same root.
Then add a .htaccess to enforce https only if you need that or you can keep both working.
I think the old way in the wiki should not be used & hope in the next release we auto-generate the SSL host instead of having this manual setup. The wiki how-to fails to explain the need for the override. Once you enable SSL, the default domain/subdomain with SSL will no longer work on HTTP & this is why you will be required to add a vhost port override to avoid nasty errors. My way will allow both SSL & non-SSL working but requires a lot more manual admin off panel.
This topic is FOR EXPERIENCED ADMIN.
M B
I tried like this with no effect... Why is there only one certificate file in your config? I have two: main.crt and intermediate.crt. Also, I tried to include your config file in several apache2 config files with no effect... Is there somebody here who could make a step-by-step guide on how to do this, please?
RE: How to set up SSL certificate (not self-signed) on virtual host on Ubuntu?
07-10-2015, 04:10 AM
(07-01-2015, 04:25 AM)hotshot Wrote: I tried like this with no effect... Why is there only one certificate file in your config? I have two: main.crt and intermediate.crt. Also, I tried to include your config file in several apache2 config files with no effect... Is there somebody here who could make a step-by-step guide on how to do this, please?
Sorry for leaving this thread, I was very busy with school. Have you managed to get your server working with SSL?
I'm no expert but I have 4 sites working with http and https thanks to the guide of Me.B
If you have used the solution in the wiki, try to revert all that. Remove all overrides and SSL configs that you changed and leave it like Sentora's default vhost config.
My SSL certificate is a PositiveSSL from Comodo. They give you 4 files: AddTrustExternalCARoot.crt, COMODORSAAddTrustCA.crt, COMODORSADomainValidationSecureServerCA.crt and the yourdomain_com.crt certificate file. You have to make a bundle with these files, but RapidSSL gives you different files.
I don't know what files they give you but I can tell you that I have 2 sites working with SSL with Cloudflare.
They give you an option to secure your site with a self-signed certificate to encrypt your server to Cloudflare's server, then they encrypt the communication from their servers to the end user with a free certificate. Check out this: https://zoquiaqui.com (I have another site working like this)
As you didn't buy any certificate this will probably be the best option for you. I can help you step-by-step to configure this. Send me a PM, then we'll post the how-to, to help others.
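The two things this thread keeps circling, whether the private key belongs to the certificate and whether the intermediate bundle actually links the certificate to a trusted root, can be checked with openssl before Apache is restarted. The script below is an added example, not code from any poster; the function names are hypothetical and the certificates it tests against are a throwaway PKI that the script constructs itself.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the files named by
# SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile.

key_matches_cert() {   # $1 = certificate, $2 = private key
  # Compare the public key inside the certificate with the one derived from the key.
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  # -passin pass: makes a passphrase-protected key fail here instead of prompting.
  k=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
  [ -n "$c" ] && [ "$c" = "$k" ]
}

chain_verifies() {     # $1 = leaf, $2 = intermediate bundle, $3 = trusted root(s)
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

check_vhost_tls() {    # $1 = leaf, $2 = key, $3 = bundle, $4 = root; prints a verdict
  key_matches_cert "$1" "$2" || { echo "key-mismatch"; return 1; }
  chain_verifies "$1" "$3" "$4" || { echo "chain-incomplete"; return 1; }
  echo "ok"
}

make_demo_pki() {      # constructed throwaway root -> inter -> leaf PKI in directory $1
  d=$1
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -set_serial 3 -days 2 -out "$d/leaf.crt" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
  t=$(mktemp -d) && make_demo_pki "$t" || exit 1
  check_vhost_tls "$t/leaf.crt" "$t/leaf.key"  "$t/inter.crt" "$t/root.crt"  # full chain
  check_vhost_tls "$t/leaf.crt" "$t/leaf.key"  "$t/root.crt"  "$t/root.crt"  # no intermediate
  check_vhost_tls "$t/leaf.crt" "$t/inter.key" "$t/inter.crt" "$t/root.crt"  # wrong key
  rm -rf "$t"
fi
```

Run it with `--demo` to see the three verdicts on the constructed PKI. Against real files on Ubuntu, the fourth argument can be the system CA file /etc/ssl/certs/ca-certificates.crt.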