
I just bought some SSL certs from a CA and I'm having problems getting them to work with the default SSL site deployed with apache2 (Debian 10).

Strangely, I never made a certificate request. I just had to prove I was the owner of the site, then the certificate was downloaded in a *.zip with these files (and the first line of each file):

ca_bundle.crt                -----BEGIN CERTIFICATE-----
certificate.crt              -----BEGIN CERTIFICATE-----
private.key                  -----BEGIN RSA PRIVATE KEY-----

I deployed those to /etc/ssl/.../ or /etc/apache2/ssl.crt/ and referred to them in the config file. My /etc/apache2/sites-enabled/default-ssl.conf looks like this (I removed most comments):

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@example.com
                ServerName example.com
                ServerAlias www.example.com
                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on
                # Server (leaf) certificate. On Apache 2.4.8 and later (Debian 10 ships
                # 2.4.38) this file may also hold the intermediate(s) after the leaf,
                # which is the replacement for the deprecated SSLCertificateChainFile.
                SSLCertificateFile    /etc/ssl/certs/certificate.crt
                SSLCertificateKeyFile /etc/ssl/private/private.key
                # Deprecated since 2.4.8 but still honoured: intermediates sent to clients.
                #SSLCertificateChainFile /etc/apache2/ssl.crt/ca_bundle.crt
                # These two name the CAs trusted for verifying *client* certificates
                # (SSLVerifyClient). They add nothing to the chain the server presents.
                SSLCACertificatePath /etc/ssl/certs/
                SSLCACertificateFile /etc/apache2/ssl.crt/ca_bundle.crt

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>
        </VirtualHost>
</IfModule>

After running systemctl restart apache2, loading the https:// version of the site gives me the familiar "Warning: potential security risk ahead" as if it were a self-signed cert.

I think I don't understand which options do what.

Since this is such a basic question, I thought I'd find some good explanations on Stack Exchange, but it appears I'm not alone in not understanding this. It also appears that there isn't really a good answer out there yet.

Stewart
  • The error message in the browser should tell you what is wrong with the certificate. It sounds like your configuration is correct (as far as the certificate goes) because you *ARE* getting an SSL response, just with an error included. My guess is the SAN doesn't match the hostname you are using to visit the site and/or listening on. – DubStep Jan 20 '21 at 22:32
  • Depending on the browser you may need to click 'details' or 'advanced' or similar. If you can't get any better info from the browser, and have openssl (preferably at the same client) try `openssl s_client -connect host:port -servername host` (if 1.1.1 can omit the `-servername host` part) and see what it says for 'Verify error'; this isn't guaranteed to give the same result because OpenSSL uses a different truststore than most browsers, but it might help. Also, if the website is on the public net try `sslabs.com/ssltest` -- that does a lot of tests and gives explanations. – dave_thompson_085 Jan 21 '21 at 03:33
  • Ah, got it! The `openssl s_client` command helped me understand. The problem was simply that I was connecting to the server via IP, not FQDN. When I enabled the port forwarding for port 443 on the router and used the FQDN, it worked. – Stewart Jan 21 '21 at 07:25
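The thread above touches on two distinct ways a correctly issued certificate still produces a browser warning: the intermediate in ca_bundle.crt is never sent to the client (the SSLCACertificate* directives in the posted config do not do that), and the name the client connects to (an IP address) is not in the certificate's subjectAltName. The script below is an added example, not part of the original post or any answer to it; it builds a throw-away root -> intermediate -> leaf chain with the openssl CLI and reproduces both failures offline with `openssl verify`, which reports the same "Verify error" conditions that `openssl s_client` would show against a live server. The names example.com and 192.0.2.10, the 30-day lifetimes and the file names mirroring the vendor's zip are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): throw-away PKI built with the
# openssl CLI, then the two failure modes from the thread reproduced with
# `openssl verify`:
#   1. intermediate ("ca_bundle.crt") not presented -> chain cannot be built
#   2. server reached by IP, so the name never matches the SAN
# example.com, 192.0.2.10 and all file names are constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for the CA certificates and the server (leaf) certificate.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com, DNS:www.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status

# Root CA (self-signed). Stands in for the browser's trust store.
q openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -days 30 -subj "/CN=Example Root CA" -config ext.cnf -extensions ca_ext
# Intermediate CA signed by the root. This is what a vendor ships as ca_bundle.crt.
q openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Intermediate CA" -config ext.cnf
q openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -out ca_bundle.crt -extfile ext.cnf -extensions ca_ext
# Leaf (server) certificate signed by the intermediate: certificate.crt + private.key.
q openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out leaf.csr \
  -subj "/CN=example.com" -config ext.cnf
q openssl x509 -req -in leaf.csr -CA ca_bundle.crt -CAkey int.key -CAcreateserial \
  -days 30 -out certificate.crt -extfile ext.cnf -extensions leaf_ext

# What Apache >= 2.4.8 expects in SSLCertificateFile: leaf first, then intermediates.
cat certificate.crt ca_bundle.crt > fullchain.crt

# Leaf only, trust store = root: the client cannot build a chain to the root.
verify_without_chain() { q openssl verify -CAfile root.crt certificate.crt; }
# Leaf plus the intermediate offered as untrusted chain material: succeeds.
verify_with_chain() { q openssl verify -CAfile root.crt -untrusted ca_bundle.crt certificate.crt; }
# Name checks: the SAN is DNS:example.com, so the FQDN matches and a bare IP does not.
verify_fqdn() { q openssl verify -CAfile root.crt -untrusted ca_bundle.crt -verify_hostname example.com certificate.crt; }
verify_ip() { q openssl verify -CAfile root.crt -untrusted ca_bundle.crt -verify_ip 192.0.2.10 certificate.crt; }
# Sanity checks on the concatenated file Apache would load.
fullchain_cert_count() { grep -c "BEGIN CERTIFICATE" fullchain.crt; }
fullchain_first_subject() { openssl x509 -in fullchain.crt -noout -subject; }

report() {  # "$1" is a label, the rest is the check to run
  label=$1; shift
  if "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}
report "leaf only (intermediate not sent)"   verify_without_chain
report "leaf + ca_bundle.crt"                verify_with_chain
report "hostname example.com matches SAN"   verify_fqdn
report "IP 192.0.2.10 matches SAN"          verify_ip
echo "fullchain.crt: $(fullchain_cert_count) certs, first: $(fullchain_first_subject)"
```

The first and fourth checks are the ones expected to fail: the first is the error a client sees when only SSLCertificateFile is set to the bare leaf, and the fourth is the IP-versus-FQDN mismatch the asker ran into. Pointing SSLCertificateFile at the concatenated fullchain.crt (or, on older Apache, setting SSLCertificateChainFile) fixes the first; only connecting by a name that appears in the subjectAltName fixes the second.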

0 Answers