Context: production server with SSL installed. Running apache server. PHP.
Problem: for a specific URL (for example: www.domain.com/whatever/edit/*) I want to ask users to use their certificate in order to authenticate them for a specific task.
I have read that this way of authentication is called two-way SSL authentication. I don't know whether I am right or not.
What I have tried in the server configuration is the following:
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /Applications/MAMP/htdocs/smartdataprotection/web/
Options FollowSymLinks
Options Indexes FollowSymLinks MultiViews
LogLevel warn
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/ssl_access.log combined
SSLEngine on
SSLCertificateFile /Applications/MAMP/htdocs/certificates/server.cer
SSLCertificateKeyFile /Applications/MAMP/htdocs/certificates/server.key
SSLOptions +StdEnvVars
# Below for 2 way ssl
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /Applications/MAMP/htdocs/certificates/ca.cer
</VirtualHost>
What I would like to get is something similar to the following screen capture:
Thank you very much in advance; any help will be very welcome and highly appreciated.
Regards.
I think that you're missing the SSLCipherSuite directive. From the Apache documentation:
This complex directive uses a colon-separated cipher-spec string
consisting of OpenSSL cipher specifications to configure the Cipher
Suite the client is permitted to negotiate in the SSL handshake phase.
Also, normally you want to log in to a site with a certificate at a specific location, not directly at www.yourdomain.com, for example via a button link that goes to www.yourdomain.com/yourApp/loginCert, so you have to configure <Location> inside the <VirtualHost>.
Finally, check the file indicated in the SSLCACertificateFile directive: this file is a concatenation of the CA certificates, in PEM format, that issue the certificates allowed to log in to your site; if your certificate is not issued by one of the CAs in this file it will not show up in the browser popup.
The configuration could look like:
<VirtualHost _default_:443>
...
<Location /yourApp/loginCert>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCACertificateFile conf/trustedCA.cer
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate
</Location>
Hope this helps,
Basically the Facebook scraper (https://developers.facebook.com/tools/debug/og/object/) tells me that:
Curl Error : SSL_CACERT SSL certificate problem: unable to get local issuer certificate
Tested my site's url here:
https://whatsmychaincert.com/?mysite.com
and it tells me:
my site is misconfigured. This is the chain it should be using.
I'm scared to download the chain file from this site as I guess I already have it all from GoDaddy.
Coming back to my Facebook scraper problem. I did a Google search and found that the curl error is due to the PHP version. As I checked, I have the latest PHP running. But I still downloaded cacert.pem from the official site and added it to the same folder where my SSL certs reside (/etc/ssl/certs). Then I edited php.ini, located in /opt/bitnami/php/etc,
so it reads:
curl.cainfo ="/etc/ssl/certs/cacert.pem"
Restarted Apache; the issue still persisted. So I focused on fixing the SSL cert issue.
This is how my default-ssl.conf looks:
SSLCertificateFile /etc/ssl/certs/a639a4be86615af.crt
SSLCertificateKeyFile /etc/ssl/certs/mysite.key
SSLCertificateChainFile /etc/ssl/certs/mysite.com.chain.crt (downloaded from https://whatsmychaincert.com/)
SSLCACertificateFile /etc/ssl/certs/a639a4be86615af.pem
By the way, my site shows an https connection. But in Firefox I don't see any images loaded. Could that be related to the "unable to get local issuer certificate" error?
What's wrong with my configuration? How do I fix it?
EDIT:
I'm using the WordPress Bitnami stack, so I edited two paths for the SSL config: /etc/apache2/sites-available/default-ssl.conf and /opt/bitnami/apache2/conf/extra/httpd-ssl.conf
My latest SSL config file:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin hello@mysite.com
ServerName mysite.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/b8ad60af28cd1745.crt
SSLCertificateKeyFile /etc/ssl/private/mysite.key
SSLCertificateChainFile /etc/ssl/certs/b8ad60af28cd1745.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
Unlike browsers, PHP curl doesn't reconstruct the certificate tree from other sources. So if your cert tree is incomplete, curl cannot verify your site certificate.
Your VirtualHost configuration should have the following:
SSLCertificateFile - your site certificate
SSLCertificateKeyFile - key for the CertificateFile
SSLCertificateChainFile - file containing all intermediate certificates from leaf to root (so curl can connect your certificate to the one in /etc/ssl/certs/cacert.pem)
Since 2.4.8 you can put all certificates from leaf to root into SSLCertificateFile (https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile)
You can test your SSL configuration using https://www.ssllabs.com/ssltest/index.html, which also reports an incomplete certificate tree.
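As an added example (not part of the question or the answer above), the script below uses the openssl CLI to build a throwaway root/intermediate/leaf hierarchy and then reproduces the failure from the question: verifying the leaf against a trust store that holds only the root fails with "unable to get local issuer certificate", while supplying the intermediate, which is what SSLCertificateChainFile (or a combined SSLCertificateFile on 2.4.8+) makes Apache send, lets the same leaf verify. All subjects and file names are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from the posts above): a root -> intermediate -> leaf PKI
# built with openssl, used to show why a missing intermediate produces
# "unable to get local issuer certificate" for clients such as curl.
set -eu

# make_test_pki DIR: writes root.pem, intermediate.pem, leaf.pem and chain.pem
make_test_pki() {
  dir="$1"
  # minimal req config so the demo does not depend on the system openssl.cnf
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"

  # root CA: self-signed, marked CA:TRUE
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Root CA" -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1

  # intermediate CA: signed by the root, also CA:TRUE
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$dir/ca.ext" -out "$dir/intermediate.pem" >/dev/null 2>&1

  # server (leaf) certificate: signed by the intermediate, not by the root
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=mysite.example" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mysite.example\n' > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/intermediate.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1

  # the chain file: every intermediate between the leaf and the root
  cp "$dir/intermediate.pem" "$dir/chain.pem"
}

# verify_leaf DIR MODE: MODE is "leaf_only" (the client has only the root in its
# store and the server sent just the leaf) or "with_chain" (server also sent the
# intermediate). Prints "ok" or "fail".
verify_leaf() {
  dir="$1"; mode="$2"
  if [ "$mode" = "with_chain" ]; then
    openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/chain.pem" "$dir/leaf.pem" >/dev/null 2>&1 \
      && echo ok || echo fail
  else
    openssl verify -CAfile "$dir/root.pem" "$dir/leaf.pem" >/dev/null 2>&1 \
      && echo ok || echo fail
  fi
}

# verify_error DIR: the reason openssl gives for the leaf-only failure
verify_error() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 \
    | grep -o 'unable to get local issuer certificate' | head -n 1 || true
}

# Stand-alone run: build the PKI in a temp dir and print both outcomes.
if [ "${CHAIN_DEMO_SKIP:-0}" != "1" ] && command -v openssl >/dev/null 2>&1; then
  demo=$(mktemp -d)
  make_test_pki "$demo"
  echo "leaf only, root-only trust store: $(verify_leaf "$demo" leaf_only) ($(verify_error "$demo"))"
  echo "leaf + chain file:                $(verify_leaf "$demo" with_chain)"
  rm -rf "$demo"
fi
```

To see what a live server actually sends, `openssl s_client -connect host:443 -servername host -showcerts` lists every certificate presented in the handshake; if only the leaf appears, the chain file is missing or not being loaded, whatever a browser (which fetches missing intermediates on its own) shows.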
I am trying to run a web site on a "Private Network" or a "Public Network" via HTTPS (SSL) on XAMPP. I followed these steps:
1- "C:\xampp\apache\makecert.bat" to make the Certificate.
2- httpd.conf: Remove (#) from LoadModule ssl_module modules/mod_ssl.so
3- php.ini Remove (;) from extension=php_openssl.dll
Restart Apache and Chrome!
localhost uses an invalid security certificate. The certificate is not trusted because it is self-signed. Error code: SEC_ERROR_UNKNOWN_ISSUER
https://192.168.1.100 Peer’s Certificate issuer is not recognized.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
Open your "apache/conf/httpd.conf" file and add the following lines (right after the closing </Directory> tag):
<VirtualHost *:443>
DocumentRoot "C:\xampp\htdocs"
ServerName localhost:443
SSLEngine on
SSLCertificateFile "conf/ssl.crt/server.crt"
SSLCertificateKeyFile "conf/ssl.key/server.key"
<Directory "C:\xampp\htdocs">
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
then restart your "Apache" and check "https://localhost" again.
Introduction
I'm using PHP 5.6 and Apache 2.4 in the back-end of my web site where I use SSL to authenticate clients as an optional form of entering the site. I want to get some SSL_CLIENT_* variables which are contained in the certificate but aren't being shown by Apache 2.4, therefore, I cannot access them using $_SERVER.
Description
I want to get the following environment variables from the client certificate:
SSL_CLIENT_S_DN_CN
SSL_CLIENT_SAN_OTHER_msUPN_0
SSL_CLIENT_SAN_Email_0
When I dump $_SERVER in PHP 5.6 I can see what is returned by the variable SSL_CLIENT_VERIFY. If it returns GENEROUS, all three variables are shown; if it is SUCCESS only the first on the list above, SSL_CLIENT_S_DN_CN, is shown; and, if SSL_CLIENT_VERIFY is NONE, there is no certificate supplied by the client.
I used XAMPP v3.2.2 on Windows 10 (Apache 2.4 and PHP 7.0) locally and I can access all the variables, but, somehow, I cannot do the same using a remote Debian 9 server running Apache 2.4 and PHP 5.6.
I tried unsuccessfully to set up the SSLRequire option (which is deprecated according to the mod_ssl docs) and Require as well.
I resorted to searching StackOverflow and ServerFault for similar questions involving SSL client certificates, but all the questions I came across involve basic SSL configuration (HTTP to HTTPS, proxy, etc.) and creating headers with existing environment variables, like SSLRequire, which works this way from what I understood by reading the docs.
In the default-ssl.conf I tried to set the headers using the variables, but when I do the following:
print_r(getallheaders());
PHP 5.6 returns NULL:
Array ( [...] [SSL_CLIENT_SAN_OTHER_msUPN_0] => (null) [SSL_CLIENT_SAN_Email_0] => (null) )
The question again is how to get the variables SSL_CLIENT_SAN_OTHER_msUPN_0 and SSL_CLIENT_SAN_Email_0 from the client certificate.
Attachments
1. My Apache 2.4 SSL configuration file:
default-ssl.conf
<VirtualHost *:443>
ServerName myserver.name #Omitted
RequestHeader set SSL_CLIENT_SAN_OTHER_msUPN_0 "%{SSL_CLIENT_SAN_OTHER_msUPN_0}s"
RequestHeader set SSL_CLIENT_SAN_Email_0 "%{SSL_CLIENT_SAN_Email_0}s"
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Cache settings
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Note "Cache desabilitado no servidor/host"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# SSL configuration
SSLEngine on
# [...] CA certificates and application certificates: OMITTED
SSLOptions +StdEnvVars +OptRenegotiate -StrictRequire +FakeBasicAuth -ExportCertData
# Request the client's SSL/TLS certificate
SSLVerifyClient optional_no_ca
SSLVerifyDepth 3
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +OptRenegotiate -ExportCertData -StrictRequire +FakeBasicAuth +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
2. PHP 5.6 file
index.php
<?php //index.php
// Get client certificate data
$cn = $_SERVER['SSL_CLIENT_S_DN_CN'];
$email = $_SERVER['SSL_CLIENT_SAN_Email_0'];
$id = $_SERVER['SSL_CLIENT_SAN_OTHER_msUPN_0'];
$client_certificate_data = [
'cn' => $cn,
'email' => $email,
'id' => $id
];
echo json_encode(
$client_certificate_data,
JSON_NUMERIC_CHECK
);
// Output: {"cn":"EXAMPLE CN CONTENT HERE","email":null,"id":null}
The Apache directive SSLOptions +StdEnvVars passes the SSL information as environment variables to PHP. See these links for more information:
Using SSL Client Certificates with PHP and SSLOptions Directive
If SSL_CLIENT_VERIFY is set to NONE it means no certificate was sent by the client. In this case of course no information about a client certificate can be provided.
In all other cases you should get SSL_CLIENT_S_DN_CN. SSL_CLIENT_SAN_* you get only if the client certificate contains SAN entries, i.e. the difference you see is probably due to different client certificates being used.
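Added example (mine, not the asker's index.php or the answer's code): a PHP 5.6-compatible version of the lookup that refuses to treat the certificate fields as an identity unless SSL_CLIENT_VERIFY is SUCCESS. This matters with the SSLVerifyClient optional_no_ca in the attached config: a GENEROUS result means the certificate was accepted without its issuer being checked, so the CN, e-mail and UPN are unverified input from whoever built the certificate. The $_SERVER keys are the standard mod_ssl variables; the function names are mine.

```php
<?php
// Added example (not from the question or the answer above): read the client
// certificate fields that "SSLOptions +StdEnvVars" exports into $_SERVER, but
// only treat them as an identity after checking SSL_CLIENT_VERIFY.
// Runs on PHP 5.6 and later (no null-coalescing operator used).

// ssl_env(): $_SERVER[$key] or null, without notices for missing entries
function ssl_env(array $server, $key)
{
    return isset($server[$key]) ? $server[$key] : null;
}

// client_identity(): fields from the client certificate, or null when there is
// no certificate or mod_ssl did not verify it against SSLCACertificateFile.
function client_identity(array $server)
{
    $verify = ssl_env($server, 'SSL_CLIENT_VERIFY');

    // NONE     : the client sent no certificate.
    // GENEROUS : a certificate was sent but, under "SSLVerifyClient
    //            optional_no_ca", its issuer was never checked, so every field
    //            below (CN, e-mail, UPN) is whatever the client chose to put in
    //            a certificate it could have minted itself.
    // FAILED:* : the chain check ran and failed.
    // SUCCESS  : verified up to a CA in SSLCACertificateFile within SSLVerifyDepth.
    if ($verify !== 'SUCCESS') {
        error_log('client certificate not trusted (SSL_CLIENT_VERIFY=' . var_export($verify, true) . ')');
        return null;
    }

    return array(
        'cn'     => ssl_env($server, 'SSL_CLIENT_S_DN_CN'),
        // SAN entries are exported only when the certificate contains them;
        // _0 is the first entry of that type, _1 the second, and so on.
        'email'  => ssl_env($server, 'SSL_CLIENT_SAN_Email_0'),
        'id'     => ssl_env($server, 'SSL_CLIENT_SAN_OTHER_msUPN_0'),
        // issuer DN and serial: log these so a login can be traced to one certificate
        'issuer' => ssl_env($server, 'SSL_CLIENT_I_DN'),
        'serial' => ssl_env($server, 'SSL_CLIENT_M_SERIAL'),
    );
}

header('Content-Type: application/json');
$identity = client_identity($_SERVER);
if ($identity === null) {
    http_response_code(401);
    echo json_encode(array('error' => 'verified client certificate required'));
    exit;
}
echo json_encode($identity);
```

If the application genuinely needs certificates from CAs that are not in SSLCACertificateFile, the place to decide that is the Apache side (add the CA and use SSLVerifyClient optional or require), not by accepting GENEROUS in the application; the SAN fields are only meaningful once the chain has been checked.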
I have installed the SSL certificate on my Bitnami Google Cloud hosting.
The certificate has been properly installed and
I can access:
https://domain.com
but when I try to access
https://domain.com/xyz
it gives me a 404 not found error.
Below is my bitnami.conf file
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
DocumentRoot "/opt/bitnami/apache2/htdocs/domain/public/"
<Directory "/opt/bitnami/apache2/htdocs/htdocs/domain/public/">
Options FollowSymLinks MultiViews
AddLanguage en en
LanguagePriority en
ForceLanguagePriority Prefer Fallback
AllowOverride All
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3 >
Require all granted
</IfVersion>
</Directory>
# Error Documents
ErrorDocument 503 /503.html
# Bitnami applications installed with a prefix URL (default)
Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>
Can anyone please help me with what went wrong?
For more information:
I am using Google Cloud Platform with the Bitnami LAMP stack.
In the <VirtualHost _default_ *:80>, you are setting:
DocumentRoot "/opt/bitnami/apache2/htdocs/domainDIR/public/"
However, in the <VirtualHost *:443>, you are setting:
DocumentRoot "/opt/bitnami/apache2/htdocs/domain/public/"
Where is your web application located? Both paths should be the same one.
@DusanBajic
<VirtualHost _default_ *:80>
DocumentRoot "/opt/bitnami/apache2/htdocs/domainDIR/public/"
<Directory "/opt/bitnami/apache2/htdocs/domainDIR/public/">
Options FollowSymLinks MultiViews
AddLanguage en en
LanguagePriority en
ForceLanguagePriority Prefer Fallback
AllowOverride All
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3 >
Require all granted
</IfVersion>
</Directory>
# Error Documents
ErrorDocument 503 /503.html
Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>
Just guessing, but I think that bitnami.conf should only have this for the SSL part.
# Default SSL Virtual Host configuration.
<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
Listen 443
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !EDH !RC4"
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/opt/bitnami/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost _default_:443>
DocumentRoot "/opt/bitnami/apache2/htdocs"
SSLEngine on
SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
<Directory "/opt/bitnami/apache2/htdocs">
Options FollowSymLinks MultiViews
AddLanguage en en
LanguagePriority en
ForceLanguagePriority Prefer Fallback
AllowOverride All
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3 >
Require all granted
</IfVersion>
</Directory>
# Error Documents
ErrorDocument 503 /503.html
# Bitnami applications installed with a prefix URL (default)
Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>
# Bitnami applications that uses virtual host configuration
Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-vhosts.conf"
and you should put your <VirtualHost *:443> code from above (top) into the /extras/httpd-ssl.conf file.
Then restart Apache via PuTTY (or whatever you use):
sudo /opt/bitnami/ctlscript.sh restart apache
I'll try to test it sometime this week and edit as necessary ( 8^{D=
Generally speaking, 404 NOT FOUND can be served from 1 of 2 places in this situation. The Apache server may be responding with 404 or the request received by Apache is routed to the application and the application serves the 404.
If the application were serving 404 NOT FOUND, as the application owner, one could presumably log every request to see this occur. As you've not mentioned the application much at all, we must assume this is not the source and investigate the Apache server.
The configurations you've provided for both HTTP (:80) and HTTPS (:443) serve static resources with <Directory "">. However, the paths to both the directory and DocumentRoot are different between HTTP and HTTPS, as mentioned by @Juan.
"/opt/bitnami/apache2/htdocs/domainDIR/public/" != "/opt/bitnami/apache2/htdocs/domain/public/"
If you do not have 2 different directories for serving static resources based on HTTP(S), then this is the most likely cause of the 404. Apache cannot find "/opt/bitnami/apache2/htdocs/domain/public/" when serving over HTTPS.
Note that at present, the Bitnami LAMP image on Google Cloud deploys with Apache 2.4.25 and thus shouldn't ever meet the <IfVersion < 2.3> criteria. It's safe to keep though if using the same configuration elsewhere.
I have a problem with .htaccess configuration. My web server is Apache2, and my website was coded in PHP. But I have some trouble with .htaccess.
While I'm accessing it via non-SSL (http://mywebsite.dev), my .htaccess works. I use .htaccess for URL rewriting and handling errors with a custom template. But when I access it via SSL (https://mywebsite.dev), the index page works. But when I access https://mywebsite.dev/page/about, it displays 404 Not Found (displaying the default 404 Not Found page, not my custom page. That means my .htaccess code is not loaded).
For my URL structure, it was http://mywebsite.dev/?load=page&page=about. If I access http://mywebsite.dev/page/about, it works. But not via SSL. What is the problem? By the way, my /etc/apache2/sites-available/website.conf code is:
<VirtualHost *:80>
ServerName mydomain.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/website/
<Directory /var/www/html/website>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
# LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
And, my .htaccess code is:
RewriteEngine On
RewriteRule ^page/([A-Za-z0-9-]+)/?$ index.php?load=page&page=$1 [NC]
ErrorDocument 404 /public/404.html
I'm developing it on Windows using Laragon. And the production env is: Ubuntu 16, PHP 7, and Apache2. Thanks.
Sorry for grammar mistakes, or if you don't understand what I mean. Thank you very much for reading my question :)
The line <VirtualHost *:80> tells Apache that this configuration only applies to traffic coming in on all interfaces (*) but only on port 80 (:80). The AllowOverride All isn't applied on https (port 443) since it doesn't match.
To fix this, you need another virtual host, <VirtualHost *:443>. You can either duplicate the content in the two virtual hosts or use an include; see this Server Fault answer.
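Both of the last two threads come down to the :80 and :443 virtual hosts having different DocumentRoot/<Directory> settings. As an added example (not from either thread), this POSIX shell script runs a small awk pass over an Apache config and reports, per virtual host, the DocumentRoot, whether any <Directory> block in that vhost covers it, and the AllowOverride value of the covering block. The sample config is constructed here, modelled on the Bitnami :80/:443 pair above (including its htdocs/htdocs path) plus an SSL vhost with no <Directory> block at all, which is the shape of the .htaccess problem.

```shell
#!/bin/sh
# Added example (not from the posts above): per-<VirtualHost> check that the
# DocumentRoot is covered by a <Directory> block, and with which AllowOverride.
# A :443 vhost whose root is uncovered (no block, or a path typo) is how a
# working :80 site turns into 404s and ignored .htaccess files over HTTPS.
set -eu

# vhost_root_check FILE: prints one tab-separated line per vhost:
#   <vhost>  <DocumentRoot>  covered|UNCOVERED  <AllowOverride of covering block or ->
vhost_root_check() {
  awk '
    function norm(p) { gsub(/"/, "", p); sub(/\/+$/, "", p); return p }
    /^[ \t]*<VirtualHost/ {
      vh = $0; sub(/^[ \t]*<VirtualHost[ \t]+/, "", vh); sub(/>.*/, "", vh)
      root = ""; ndir = 0; next
    }
    vh == "" { next }                      # ignore lines outside a vhost
    /^[ \t]*DocumentRoot[ \t]/ { root = norm($2); next }
    /^[ \t]*<Directory[ \t]/ {
      d = $0; sub(/^[ \t]*<Directory[ \t]+/, "", d); sub(/>.*/, "", d)
      dirs[++ndir] = norm(d); ao[ndir] = "None (default)"; next
    }
    /^[ \t]*AllowOverride[ \t]/ && ndir > 0 { ao[ndir] = $2; next }
    /^[ \t]*<\/VirtualHost>/ {
      status = "UNCOVERED"; override = "-"
      for (i = 1; i <= ndir; i++)
        # a <Directory> covers the root when the root lies inside it
        if (index(root "/", dirs[i] "/") == 1) { status = "covered"; override = ao[i] }
      print vh "\t" root "\t" status "\t" override
      vh = ""
    }
  ' "$1"
}

# write_sample_config FILE: constructed sample, modelled on the two vhosts in
# the Bitnami question above plus an SSL vhost with no <Directory> at all
write_sample_config() {
  cat > "$1" <<'EOF'
# constructed sample config
<VirtualHost *:80>
    DocumentRoot "/opt/bitnami/apache2/htdocs/domainDIR/public/"
    <Directory "/opt/bitnami/apache2/htdocs/domainDIR/public/">
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    DocumentRoot "/opt/bitnami/apache2/htdocs/domain/public/"
    <Directory "/opt/bitnami/apache2/htdocs/htdocs/domain/public/">
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    DocumentRoot /var/www/html/website/
</VirtualHost>
EOF
}

# Stand-alone run: check the constructed sample (pass your own file instead).
if [ "${VHOST_CHECK_SKIP_DEMO:-0}" != "1" ]; then
  tmp=$(mktemp)
  write_sample_config "$tmp"
  vhost_root_check "$tmp"
  rm -f "$tmp"
fi
```

On the sample, only `*:80` reports `covered` with `All`; the `*:443` vhost is uncovered because its <Directory> path does not contain the DocumentRoot, and `*:8443` is uncovered because it has no <Directory> block, so no AllowOverride applies and .htaccess is never read there. Run it against the real file (or against the output of `apachectl -S` to find which file each vhost comes from) before touching certificates.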