
I'm trying to set up a self-signed SSL cert so I can develop my app with SSL (so I can finally get my sites running with SSL...). I've created an Angular site with a headless API (Lumen), and tried to set up a multi-domain SSL cert using a question from ServerFault:

How to create a multi-domain self-signed certificate for Apache2?

The test command checked out, so I tried installing the cert with the following Apache config:

<VirtualHost *:80>
        ServerAdmin contact@gamersplane.com
        ServerName api.gamersplane.local
        DocumentRoot /var/www/GamersPlane.api/public
        <Directory /var/www/GamersPlane.api/public/>
                Options Indexes FollowSymLinks
                AllowOverride All
                Require all granted
        </Directory>

        ErrorLog "|/usr/bin/cronolog /var/log/gamersplane/%Y/%m/%d/error.log"

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel notice

        CustomLog ${APACHE_LOG_DIR}/gamersplane/access.log combined

        SSLEngine on
        SSLCertificateFile /var/www/GamersPlane.api/ssl/gamersplane.local.pem
        SSLCertificateKeyFile /var/www/GamersPlane.api/ssl/gamersplane.local.key
</VirtualHost>

Unfortunately, when I hit my site, I get "This site can't provide a secure connection." I tried googling for this, but everything seems specific to certain sites/configs, and I can't figure out how to debug what's wrong.

I set up the Apache config via a Digital Ocean guide, which also recommended these configs, which I wasn't sure about. I tried with and without them, no luck:

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
</Directory>

I'd love assistance on understanding how to debug/resolve these sorts of issues.

Rohit

2 Answers


You need to configure another apache VirtualHost and a Listen on port 443.

See: https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

And I wouldn't use self-signed certificates even for development when you can have certificates signed by a public certificate authority for free from https://letsencrypt.org/

Mircea Vutcovici
  • +1 for letsencrypt.org! A lot of people still don't know. – Rainer Oct 02 '17 at 05:50
  • You can't get public CA certs ( including Letsencrypt ones) for a non-public DNS name, such as ones ending in `.local` – garethTheRed Oct 02 '17 at 06:35
  • Yah, I was gonna ask, I'd have to do something like `mydomain.com` and point it to my dev server, right? Which I guess is fine, though I'd have to keep swapping the hostfile to check prod. I already got a letsencrypt for prod. Thanks for the 443 though. Such an obvious mistake... – Rohit Oct 02 '17 at 11:18
  • You can find free sub-domains and for a small fee you can have your own domain where you can have sub-domains as many as you like. Self signed certificates are dangerous because people get used to accept them without verifying their signature. – Mircea Vutcovici Oct 02 '17 at 11:48
  • Yah, that's fair. I have no intention of using self-signed for production, just for dev. – Rohit Oct 02 '17 at 12:30
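The mistake Mircea points out (TLS directives inside the port-80 vhost, no 443 vhost) can be caught before restarting Apache. The following is an added example, not code from the question or either answer: a small POSIX sh/awk lint over an Apache config read from stdin, with two constructed sample configs shaped like the question and like Rainer's fix. It only flags SSLEngine on in a *:80 vhost and a *:443 vhost without SSLEngine on; a missing Listen 443 is only reported as a note, since Debian-style setups keep that line in ports.conf.

```shell
# Added example (not from the question or either answer): lint an Apache config
# on stdin for "SSLEngine on" inside <VirtualHost *:80>, and for a *:443 vhost
# that never enables SSLEngine. Needs only POSIX sh and awk. Returns 0 when clean.
lint_ssl_vhosts() {
    awk '
      BEGIN { problems = 0; listen443 = 0; port = ""; ssl443 = 0 }
      /^[ \t]*Listen[ \t]/ && $2 ~ /(^|:)443$/ { listen443 = 1 }
      /^[ \t]*<VirtualHost[ \t]/ {
          port = $2                       # "*:80>" or "*:443>"
          sub(/^.*:/, "", port); sub(/>.*$/, "", port)
          ssl = 0; ssl_line = 0
      }
      /^[ \t]*SSLEngine[ \t]+[Oo][Nn]([ \t]|$)/ { ssl = 1; ssl_line = NR }
      /^[ \t]*<\/VirtualHost>/ {
          if (ssl && port == "80") {
              printf "line %d: SSLEngine on inside <VirtualHost *:80>; TLS belongs in a *:443 vhost\n", ssl_line
              problems++
          } else if (!ssl && port == "443") {
              printf "line %d: <VirtualHost *:443> closes without SSLEngine on\n", NR
              problems++
          } else if (ssl && port == "443") ssl443 = 1
          port = ""
      }
      END {
          # Listen 443 often lives in ports.conf, so this is a hint, not a failure
          if (ssl443 && !listen443) print "note: no Listen 443 in this input"
          exit problems ? 1 : 0
      }'
}
# Constructed sample shaped like the question: TLS directives in the :80 vhost.
sample_broken_config() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName api.gamersplane.local
    SSLEngine on
</VirtualHost>
EOF
}
# Constructed sample shaped like Rainer's answer: Listen 443 plus a :443 vhost.
sample_fixed_config() {
    cat <<'EOF'
Listen 443
<VirtualHost *:443>
    ServerName api.gamersplane.local
    SSLEngine on
</VirtualHost>
EOF
}
sample_broken_config | lint_ssl_vhosts || echo "broken sample: problems found (expected)"
sample_fixed_config  | lint_ssl_vhosts && echo "fixed sample: clean"
```

Run it against a real file with `lint_ssl_vhosts < /etc/apache2/sites-enabled/api.conf`, then confirm the listener with `apachectl -S` after the restart.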

I modified your config to something useful. Should work like it is but not tested.

# only if not already listening on port 443! The Apache SSL module has to be enabled, too!
Listen 443

<VirtualHost *:443>
    ServerAdmin contact@gamersplane.com
    ServerName api.gamersplane.local
    # ServerAlias api2.gamersplane.local
    DocumentRoot /var/www/GamersPlane.api/public
    <Directory /var/www/GamersPlane.api/public/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
    </Directory>

    ErrorLog "|/usr/bin/cronolog /var/log/gamersplane/%Y/%m/%d/error.log"

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel notice

    CustomLog ${APACHE_LOG_DIR}/gamersplane/access.log combined

    SSLEngine on
    SSLCertificateFile /var/www/GamersPlane.api/ssl/gamersplane.local.pem
    SSLCertificateKeyFile /var/www/GamersPlane.api/ssl/gamersplane.local.key
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite 'HIGH:!aNULL:!eNULL:!EXP:!DES:!MD5:!PSK:!RC4:!SRP:!DSS:!CAMELLIA:!SHA'
    # depending on apache version also useful options:
    SSLCompression off
    SSLInsecureRenegotiation off
</VirtualHost>
Rainer
  • Thanks for all the extra SSL configs at the bottom; I was wondering how I harden it, but left that for another day. – Rohit Oct 02 '17 at 11:21