SSL cert installation troubleshooting

Kernels & Hardware, configuring network, installing services

SSL cert installation troubleshooting

Postby roman » 2017-03-02 16:31

Hi there,

I am new to debian, new to the forum so please bear with me :) I did not give a more specific topic since I am unsure of where the problem actually lies :(
I am working for a non profit organization that had at one point commissioned a web development agency to setup a counselling platform. They set "us" (I wasn't working here yet) up with a root server and started programming. Alas they defaulted and now I was stuck with a half finished platform and a root server I did not have access to until earlier this week when I was enabled by my boss to talk to our IaaS provider regarding a rescue that brought me ssh access, yay. Why bother accessing the server I hear you asking ... well, that's because they didn't install a ssl cert and we can't very well have that given nature and (intended) design of the platform. So even though I have super user access to the CMS and could potentially finish the platform, I had to do something about the ssl. So i created a .key like so . Then i ordered a ssl cert at our IaaS provider got word back from them and here we are :)

Since the IaaS' page I had access to did not even tell me the exact version of Debian I did a

Code: Select all
# uname -a
Linux Debian-85-jessie-64-minimal 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) x86_64 GNU/Linux

So they installed the LAMP stack necessary for the CMS manually. Well then apachectl -V or apache2ctl -V should tell me the apache version, right? Nope, command not found .. (neither were the man pages for a2enmod or a2ensite and the like which the apache2.conf says you should use to enable mods and sites ...)

Code: Select all
# dpkg -l | grep apache
rc  apache2                        2.4.10-10+deb8u8            amd64        Apache HTTP Server
rc  apache2-bin                    2.4.10-10+deb8u8            amd64        Apache HTTP Server (modules and other binary files)

So the packages had been removed and only the configs remained (and you can see the apache version). Tbh i did not know if configs get overwritten if you just reinstall a package so i backed them up (yeah, i am new to Linux in general and Debian in particular :lol: )

I would show you the output for tree but if you are experienced with apache2 2.4 you probably know the configs and their respective locations and if you did not i doubt you would still be reading :)

I found a guide (I promise it is not the only one i looked at but it's described configs were the only ones that matched mine - unlike the guides I found at Thawte or digicert).
So I created a directory and put in a .crt file with my intermediate keys and one containing the certificate and the .key file in there (btw do the names of the .crt files matter?).
Code: Select all
-rw-r--r-- 1 root staff 3.2K Feb 28 09:05 intermediate.crt
-rw-r--r-- 1 root staff 2.3K Feb 28 09:06 public.crt
-rw-r--r-- 1 root root  1.8K Feb 23 09:25

at first I skipped editing the ports.conf since there is a switch statement in there but since then I changed it in wake of my lousy efforts of troubleshooting

Code: Select all
# less ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

#Listen 80
Listen 443

<IfModule ssl_module>
        Listen 443

<IfModule mod_gnutls.c>
        Listen 443

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

in compliance with the guide I used
Code: Select all
a2enmod ssl
and it created the symlinks for ssl.conf and .load to the mods-enabled folder
Code: Select all
# ls -l mods-enabled/ | grep ssl
lrwxrwxrwx 1 root root 26 Mar  2 15:44 ssl.conf -> ../mods-available/ssl.conf
lrwxrwxrwx 1 root root 26 Mar  2 15:44 ssl.load -> ../mods-available/ssl.load

since the apache2.conf said to use the apache2 binaries I strayed from the guide as i did not create the symlink of the sites-availabled/default-ssl.conf myself. Instead I renamed it to sites-available/000-default-ssl.conf so i would be able to use the a2ensite command and it would create the symlinks for me.
Code: Select all
# ls -l sites-enabled/
total 0
lrwxrwxrwx 1 root root 39 Mar  2 15:46 000-default.ssl.conf -> ../sites-available/000-default-ssl.conf
lrwxrwxrwx 1 root root 35 Mar  2 16:03 000-default.conf -> ../sites-available/000-default.conf

now I edited 000-default-ssl.conf and changed the
SSLCertificateFile to match the cert i received
SSLCertificateKeyFile to match the key i created
SSLCertificateChainFile to match the intermediate certs i received

unlike the guide I did the syntax test :)
Code: Select all
# apachectl configtest
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using *.*.*.*. Set the 'ServerName' directive globally to suppress this message
Syntax OK

then i did the
Code: Select all
# /etc/init.d/apache2 restart
[....] Starting apache2 (via systemctl): apache2.serviceEnter passphrase for SSL/TLS keys for *.*.*.*:443 (RSA): ***************
. ok

but well, the site can still be reached via http on port 80 and can not be reached via https on port 443. I tried the and it says "URL not found".

I did neither edit the apache2.conf nor mods-available/ssl.conf nor .load. I thought that would not be necessary since I changed the config for the site and used the apache binaries to activate the module and site. So either I did something wrong so far or I neglected to do something else? Let me know if I need to provide more information but right know I do not know what would be helpful at this point, sorry.

p.s.: have to get home now but I will check the firewall settings first thing tomorrow :) though it would not surprise me if it was not activated ...

It's not a firewall issue. I am wondering why port 80 still seems to work when port 443 does not.

As i understand it, these parts of my apache2.conf
Code: Select all
# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

# Include list of ports to listen on
Include ports.conf

# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf

# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf

and my ports.conf (see above) should tell apache not to listen to the former but rather the latter. But this seems to be ignored altogether since the CMS works even though the the DocumentRoot is set to /var/www/html in both the 000-default.conf (i did not a2dissite this one, should i have?)
Code: Select all
# less sites-enabled/000-default.conf
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

Code: Select all
# less sites-enabled/000-default-ssl.conf
<VirtualHost _default_:443>
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

aparently i do only have one virtual host and its not pointing to the actual directory the CMS is in /var/www/CMS

Am i missing something really obvious? Maybe someone would please show me the forest for I can not seem to find it amidst the tress. :?: :oops:
Posts: 2
Joined: 2017-03-02 11:04

Re: SSL cert installation troubleshooting

Postby bw123 » 2017-03-04 22:54

roman wrote:Hi there,

I am new to debian, new to the forum so please bear with me :)

Well, I admire you for taking on something like this being new.

...they defaulted and now I was stuck with a half finished platform

Yeah I don't know if i'd do that. You get a do-over, a reinstall, or access to (notes from?) the original sysadmin at least. BUT being new to debian, don't even know if you want to do that. I mean, are you sure you're up to this?

I am working for a non profit organization

I'd ask for help on some mailing lists, someone will give you some help. Find someone with an @debian email address and send a polite request. I bet you'll get plenty of offers, or at least some referrals, but you might get a few questions first. Hang in there, if you really want to be the sysadmin, you'll need some help and a lot of patience
User avatar
Posts: 3080
Joined: 2011-05-09 06:02
Location: TN_USA

Re: SSL cert installation troubleshooting

Postby roman » 2017-03-07 08:24

thanks for the moral support :)

The platform is Joomla with some custom made Plugins and even though it's not thoroughly documented, it's manageable.

And while I am new to Debian itself, I am familiar with some of it's derivatives so I don't think I have to be too afraid :D Or rather I would not have to be, if it weren't for the fact that I am an idiot... The first thing i looked for, when getting access to the server was if there was apache running. Since it was, I wasted a lot of time wondering, why my configurations didn't work. :?: Well they might have but since the platform was running on an nginx that was up and running as well it didn't matter much. Took me the whole weekend to figure that out ... :oops: but once i knew I was able to manage :lol: Hopefully the next time i get on a server I did not setup myself, I will remember to thoroughly read the output of all the commands I type in ... :|
Posts: 2
Joined: 2017-03-02 11:04

Return to System configuration

Who is online

Users browsing this forum: No registered users and 7 guests