
Good afternoon all,

I'm totally stuck. I don't know how to proceed, or what I'm doing wrong anymore. I hope you can help me with this, as I've read a lot trying to solve it, but without success...

I've:

  • Windows 2012 R2 server
  • Apache 2.4.23 installed on it, with MOD_JK to proxy all requests to a Tomcat server on another machine.

I've bought an EXTENDED certificate from GoDaddy, so I can have the "green badge" in the URL bar.

Now, I've downloaded the certificate from GoDaddy, and inside the ZIP come the proper certificate and a G2+G1+ROOT bundle. So 2 files inside.

Placed them in a folder, and specified them correctly inside the 443 VHOST as you will see next, but every SSL test I do on the internet (SSLLabs, DigiCert...) simply fails on the chaining process.

Site: cliente.merchbanc.es

https://www.ssllabs.com/ssltest/analyze.html?d=cliente.merchbanc.es&hideResults=on

https://www.sslshopper.com/ssl-checker.html#hostname=cliente.merchbanc.es

I don't know what I'm doing wrong... I've left HTTPD.CONF as it comes (with the proper and needed modules uncommented, of course), but without anything related to VHOSTS and SSL. And then, in the extra VHOST conf file, I've added all the VHOST stuff + SSL (so I'm not using the SSL conf file. It is commented out. Everything is in the VHOSTS conf file.).

It looks like this:

##################################################################################################################
# VHOSTS HTTP

# redirect all HTTP to HTTPS (optional)
<VirtualHost *:80>

    ServerAlias *
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]

</VirtualHost>

##################################################################################################################
# VHOSTS HTTPS

Listen 443

# modern configuration, tweak to your needs
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol        all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLProxyCipherSuite     ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

SSLPassPhraseDialog     builtin

SSLSessionCache        "shmcb:c:/lala/lele/ssl_scache(512000)"
SSLSessionCacheTimeout  300

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling                      on
SSLStaplingResponderTimeout         5
SSLStaplingReturnResponderErrors    off
SSLStaplingCache                    "shmcb:c:/lala/lele/ocsp(128000)"

<VirtualHost *:443>

    SSLEngine on
    SSLCertificateFile "blah/blahblah/cliente.merchbanc.es/123412341234.crt"
    SSLCertificateKeyFile "blah/blahblah/cliente.merchbanc.es/123412341324.key"
    #SSLCertificateChainFile "blah/blahblah/cliente.merchbanc.es/gd_bundle-g2-g1.crt"
    SSLCACertificatePath "blah/blahblah/cliente.merchbanc.es/GoDaddy_G2"

    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

    ...
    ... follows with the ProxyPassing part, but not the case now.
    ...

</VirtualHost>

Following the GoDaddy installation instructions web page, I've changed the SSLCertificateChainFile directive to the SSLCACertificatePath directive, as I'm using Apache version 2.4.23. But it does not solve anything.

After that, I decided to download ALL the G2 certificates from here: https://certs.godaddy.com/repository

and put them all inside the folder specified in the SSLCACertificatePath: "blah/blahblah/cliente.merchbanc.es/GoDaddy_G2". But that doesn't work either.

And finally, as I'm on Windows, I decided to go certificate after certificate, double-clicking them and installing them on the server, so they are now inside "Internet Options > Content > Certificates", spread across the various existing tabs. And as usual, it doesn't make any difference at all.

Every time, of course, restarting Apache, and after installing the certificates on Windows, even restarting the server itself too.

So, what now? Hope you can help me, please.

Thanks and kind regards.

Mark.

Lightworker

3 Answers


You need to uncomment the line for the Certificate Chain File

#SSLCertificateChainFile "blah/blahblah/cliente.merchbanc.es/gd_bundle-g2-g1.crt"

Should be:

SSLCertificateChainFile "blah/blahblah/cliente.merchbanc.es/gd_bundle-g2-g1.crt"
Dre
  • Thanks but no. As it's said, "SSLCertificateChainFile" is only necessary until Apache version 2.4.8. Above this, it is not necessary, and then you need to specify SSLCACertificatePath instead. Anyway, I've tested uncommenting it, mixing it with the SSLCACertificatePath too, and nothing. Doesn't work. EDIT: oh, and of course, I've corrected the path, which was the old one already... – Lightworker Mar 14 '17 at 16:48
  • Sorry I missed that. Something else I thought of, look around for an ssl.conf file. It may have some of the same values set that are competing with your main conf file. – Dre Mar 14 '17 at 17:41
  • I already said that in the OP too! "so I'm not using the SSL conf file. It is commented out. Everything is in the VHOSTS conf file." ;) – Lightworker Mar 14 '17 at 17:48

Either the instructions (which you didn't identify) are garbled or you misread them.

The change in 2.4.8 and up is that you can and should put your chain cert(s) in SSLCertificateFile instead of SSLCertificateChainFile. All versions will use certs in SSLCACertificate{File,Path} to complete your chain if not provided in SSLCertificate{Chain,}File, but SSLCA* certs will ALSO apply to client authentication if that is enabled, which may or may not be desired.

But to use SSLCACertificatePath (not ...File) each cert must be in a separate file, and each file must be named (or linked, which counts as a name) using the hash of its Subject; on Unix it is conventional (but not strictly necessary) to use symlinks.

On Unix systems with OpenSSL installed following upstream convention (not all do) there is a script c_rehash somewhere (albeit possibly in a location not in your normal PATH) that does this; if so there should be a man page for it (sometimes in a special section like 1ssl) which is also on the web. OpenSSL 1.1.0 (only) has an equivalent function, rehash, in the command-line executable openssl on some systems. Since you probably don't have these, you can manually run openssl x509 -hash (or the equivalent but more exact -subject_hash) on each cert file and use those plus .0 to rename or copy the file(s). But SSLCACertificateFile (not ...Path) or SSLCertificate{Chain,}File are easier.

(added) In particular, to use SSLCACertificateFile you simply concatenate all needed CA certs, and optionally unneeded ones, into a single file. Since PEM format data is by design all printable/visible, you can do this by cutting and pasting in a plain text editor like Notepad, in addition to specific tools like cat in Unix or copy a+b+c in Windows or >>outfile to append in either.

PS: Apache doesn't use the Windows certificate store, so installing things in the Windows certificate store has absolutely no effect on it.

PPS: If you don't have OpenSSL commandline on Windows, there is a good prebuilt package at http://www.slproweb.com/products/Win32OpenSSL.html

dave_thompson_085
  • Well, thanks for all the info. I follow you somehow..., but I'm having some problems fully understanding you in some aspects. Right now I'm using "SSLCertificateFile" for my certificate, "SSLCertificateKeyFile" for the key file and "SSLCACertificatePath" for the path where ALL the G2 certificates I downloaded from the REPOSITORY on GoDaddy are. But this doesn't work. So, I would be glad to know exactly what I have to use to make it functional. Thanks. – Lightworker Mar 15 '17 at 08:23
  • @Lightworker: as I said, **for SSLCACertificatePath** to work you must put each CA cert in a separate file and **each file must be named using hash of its Subject**; did you do that? If not, you can, but on Windows it's not easy. The best solution is to add the _needed_ certs, which can be identified by actually looking at the names in each cert, to SSLCertificateFile, and not use SSLCA* at all; the easiest solution is probably to use SSLCACertificateFile with a single file containing the CA certs concatenated. See added paragraph. – dave_thompson_085 Mar 16 '17 at 08:07
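The two things the answer above asks for, as an added example that is not code from the post, from GoDaddy's instructions or from Apache: build the leaf-first file that httpd 2.4.8+ expects in SSLCertificateFile (leaf, then the intermediates, root left out), and report the chain problems a scanner such as SSLLabs would show for a given served order. It goes slightly beyond the answer by doing both halves. The CA names "Constructed Root CA" and "Constructed Intermediate CA" are made up, the hostname cliente.merchbanc.es is the one from the question, and the certificates are constructed, unsigned DER built inline with a tiny encoder, so only issuer/subject chaining is exercised, not signatures.

```python
"""Added example: build the leaf-first chain httpd 2.4.8+ expects in
SSLCertificateFile and flag the chain problems an external scanner would."""
import base64
import re

OID_CN = bytes.fromhex("550403")          # id-at-commonName (2.5.4.3)

def _tlv(tag, body):
    """Encode one DER TLV; long-form length when the body is 128 bytes or more."""
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if not lb else 0x80 | len(lb)]) + lb + body

def _read_tlv(buf, pos):
    """Decode the TLV at pos: (tag, value bytes, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def make_name(cn):
    """Name ::= SEQUENCE OF SET OF SEQUENCE {OID, PrintableString}; CN only."""
    atv = _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x13, cn.encode("ascii")))
    return _tlv(0x30, _tlv(0x31, atv))

def make_cert(subject_cn, issuer_cn):
    """Constructed, structurally valid but UNSIGNED X.509 v3 DER: test data only."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"170101000000Z") + _tlv(0x17, b"270101000000Z"))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + make_name(issuer_cn)
           + validity + make_name(subject_cn) + _tlv(0x30, alg + _tlv(0x03, b"\x00")))
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00"))   # empty signature

def names_of(der):
    """Walk tbsCertificate; return (issuer, subject) as raw DER Name contents."""
    tbs = _read_tlv(_read_tlv(der, 0)[1], 0)[1]
    pos = _read_tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0   # [0] version is optional (v1)
    for _ in range(2):                                      # serialNumber, signature alg
        pos = _read_tlv(tbs, pos)[2]
    _, issuer, pos = _read_tlv(tbs, pos)
    pos = _read_tlv(tbs, pos)[2]                            # validity
    return issuer, _read_tlv(tbs, pos)[1]

def cn_of(name):
    """commonName from a raw Name value, for messages only."""
    pos = 0
    while pos < len(name):
        _, rdn, pos = _read_tlv(name, pos)          # SET { SEQUENCE { OID, value } }
        atv = _read_tlv(rdn, 0)[1]
        _, oid, p = _read_tlv(atv, 0)
        if oid == OID_CN:
            return _read_tlv(atv, p)[1].decode("utf-8", "replace")
    return "<no CN>"

def build_chain(leaf, candidates):
    """Leaf, then each issuing intermediate, stopping before the root (clients already
    hold roots). Byte-equal DER names are the link between one cert and the next."""
    by_subject = {names_of(c)[1]: c for c in candidates}
    chain = [leaf]
    while True:
        issuer, subject = names_of(chain[-1])
        nxt = by_subject.get(issuer)
        if issuer == subject or (nxt is not None and names_of(nxt)[0] == names_of(nxt)[1]):
            return chain                           # self-signed leaf, or root reached
        if nxt is None or nxt in chain:
            raise ValueError("chain broken at %r: issuer %r missing or looping"
                             % (cn_of(subject), cn_of(issuer)))
        chain.append(nxt)

def chain_problems(served, trusted_roots):
    """What a scanner flags for certs in the order a server sends them: each non-self-signed
    cert must be followed by its issuer, unless that issuer is a trust anchor (root optional)."""
    anchors = {names_of(r)[1] for r in trusted_roots}
    problems = []
    for i, der in enumerate(served):
        issuer, subject = names_of(der)
        if issuer == subject or issuer in anchors:
            continue
        nxt_subject = names_of(served[i + 1])[1] if i + 1 < len(served) else None
        if issuer != nxt_subject:
            problems.append("%s: issuer %s is not served next (incomplete chain)"
                            % (cn_of(subject), cn_of(issuer)))
    return problems

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def from_pem(text):
    """Split a concatenated PEM file (like gd_bundle-g2-g1.crt) into DER certs."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

# Constructed sample hierarchy: CA names are made up, the hostname is the question's.
ROOT = make_cert("Constructed Root CA", "Constructed Root CA")
INTER = make_cert("Constructed Intermediate CA", "Constructed Root CA")
LEAF = make_cert("cliente.merchbanc.es", "Constructed Intermediate CA")
BUNDLE_PEM = to_pem(ROOT) + to_pem(INTER)     # CA bundle order is arbitrary on purpose
```

On a real server, read the leaf .crt and gd_bundle-g2-g1.crt with from_pem, pass them to build_chain, and write the joined to_pem output to the file named by SSLCertificateFile; chain_problems([LEAF], [ROOT]) reproduces the scanners' complaint (intermediate missing), while [LEAF, INTER] is clean. To see what whatever sits in front of Apache actually sends, paste the certificates printed by `openssl s_client -connect cliente.merchbanc.es:443 -servername cliente.merchbanc.es -showcerts` into chain_problems in the printed order. The comparison is on raw DER names and the sample certs are unsigned, so signatures, validity periods and name canonicalization remain openssl verify's job; this only exercises the issuer-to-subject linking the scanners flagged.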

Thanks everyone for your help. All the information you have given me is absolutely valuable and allowed me to configure my CONF file as it has to be. Perfectly.

Having said that, I've found my particular problem and its solution.

My Apache front end is behind a WAF (web application firewall). The chain was broken there, so the intermediate CAs were not served with the primary certificate. Once that was solved: all in place!

What a headache, boy...

Kind regards all!

Lightworker