HTTPS web server

gregaryb

I am using Linux Mint on a desktop computer

I am trying to set up a web site on it.
I have a domain name find-a-tradie.com.au

I have set up 2 x A records in https://theconsole.webcentral.au/execute2/domain/manage?currentTab=overview&domainId=7212271#
One with <blank>.find-a-tradie.com.au
One with www.find-a-tradie.com.au
Initially it was a http website and I was able to access it with http://www.find-a-tradie.com.au
I want to be able to access it via http://find-a-tradie.com.au as well.

I tried to set up SSL on my Linux machine but I have no idea if I have done it correctly.
At any rate I am now no longer able to access my web site with http://www.find-a-tradie.com.au
Firefox annoyingly keeps defaulting to https://www.find-a-tradie.com.au and it cannot find it.

There are NO decent instructions that I have been able to find to adequately explain how to set up an https web server on Linux Mint.
No decent explanations on how to create or get certificates.
Just cursory explanations that just do not help much.

Can anyone direct me to a decent set of instructions that explain the steps properly?
 


@gregaryb :-

I concur with @Brickwizard on this one. Most modern browsers have the ability to use 'HTTPS-only', and it can be turned on/off as & when you want.

I use a couple of 'Puppy'-native browser-based apps across our home LAN, for file-sharing, etc. These invariably use the older HTTP standard, so I tend to use the Pale Moon browser exclusively for these.......I leave the 'HTTPS-only' feature turned off.

I have several other browsers for internet browsing, and in these, 'HTTPS-only' is permanently on. Not everybody is aware of this feature yet; most major browsers these days ship with it 'on' by default.


Mike. ;)
 
You didn't share enough decent information for someone to help you. For starters, what web-server software are you using?
 
I worked out how to set up multiple web sites on my server.

[Attached image]


I changed the 80 to 443 for https.
And created a folder www.find-a-tradie.com.au for my web site under /var/www/http

It all seems to be working sort of.
But now I don't know how to solve this:

[Attached image]


I have tried following this to create a self-signed certificate: https://linuxconfig.org/how-to-generate-a-self-signed-ssl-certificate-on-linux.
Then I did this to convert the .pem file to a .crt file: openssl x509 -outform der -in your-cert.pem -out your-cert.crt
Now I am trying to follow this to install it by following this: https://www.linuxfordevices.com/tutorials/linux/install-certificate
But I get this error


openssl verify -verbose -CAfile /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/certificate.crt
C = AU, ST = Victoria, L = Melbourne, O = find-a-tradie, OU = Web Admin, CN = Gregary Boyles, emailAddress = [email protected]
error 18 at 0 depth lookup: self-signed certificate
error /etc/ssl/certs/certificate.crt: verification failed
 
I have generated these files and copied them all to /etc/ssl/certs

[Attached image]
 
I just hit your website. Your Common Name (CN) is currently
CN = find-a-tradie

This should be:
CN = find-a-tradie.com.au

Then have an alternative name of "www.find-a-tradie.com.au" as well, so that both names are certified. If your certificate is self-signed (I think this is what you have), that is fine.
 
This is a cursory explanation, but there's plenty of documentation. Use Let's Encrypt for your SSL, as you're currently trying to use a self-signed/invalid certificate.
 
I am trying to create a batch file to do all this.
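#!/bin/bash
# Generate a self-signed certificate and an unencrypted private key (prompts for the subject fields)
openssl req -newkey rsa:4096 -x509 -sha512 -days 3650 -nodes -out certificate.pem -keyout privatekey.pem
# Convert the PEM certificate to DER
openssl x509 -outform der -in certificate.pem -out certificate.crt
# mv takes space-separated file names, not a comma-separated list
sudo mv certificate.pem certificate.crt privatekey.pem /usr/local/share/ca-certificates
# Updating the system trust store needs root
sudo update-ca-certificates
openssl verify -verbose -CAfile /etc/ssl/certs/ca-certificates.crt /usr/local/share/ca-certificates/certificate.crt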

How would I input the certificate information into the 'openssl req -newkey rsa:4096 -x509 -sha512 -days 3650 -nodes -out certificate.pem -keyout privatekey.pem' command?

Is this likely to work for me?

printf 'AU\nVictoria\nMelbourne\n......find-a-tradie.com.au\nwww.find-a-tradie.com.au\n' | openssl req -newkey rsa:4096 -x509 -sha512 -days 3650 -nodes -out certificate.pem -keyout privatekey.pem
 
Add the option:

-config san.cnf

To your command. Make the san.cnf file. It will have the below text in it:


[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
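req_extensions = req_ext
# req_extensions only applies to CSRs; x509_extensions puts the SAN into a self-signed certificate made with -x509
x509_extensions = req_ext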
prompt = no
[ req_distinguished_name ]
countryName = AU
stateOrProvinceName = YourProvince
localityName = YourLocality
organizationName = Find-A-Tradie
commonName = find-a-tradie.com.au
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = find-a-tradie.com.au
DNS.2 = www.find-a-tradie.com.au

Obviously change it as you need, adding more DNS names will need the next successive number adding. You can update Province and Locality as you need. They aren't super important really. The names being certified are important.
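
Added example, not part of the posts above: a shell sketch that writes the san.cnf from the reply, creates a self-signed certificate with it, and checks which host names the certificate actually covers. The function names, the rsa:2048 key size (chosen so it runs quickly), the 365-day lifetime and the host name mail.find-a-tradie.com.au are assumptions made for this example; it uses x509_extensions because that is the section `openssl req -x509` reads.

```shell
#!/bin/bash
# Added example: function names, key size and lifetime are this example's assumptions.

# make_selfsigned DIR: write san.cnf, privatekey.pem and certificate.pem into DIR.
make_selfsigned() {
    local dir=$1
    cat > "$dir/san.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = AU
organizationName = Find-A-Tradie
commonName = find-a-tradie.com.au
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = find-a-tradie.com.au
DNS.2 = www.find-a-tradie.com.au
EOF
    # umask 077 in a subshell so the private key is readable by its owner only.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
          -config "$dir/san.cnf" \
          -keyout "$dir/privatekey.pem" -out "$dir/certificate.pem" 2>/dev/null )
}

# cert_covers CERT HOST: succeed only if HOST matches a name in the certificate.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Demo in a throwaway directory; the third host name is constructed and
# is deliberately absent from the SAN list.
workdir=$(mktemp -d)
if make_selfsigned "$workdir"; then
    for host in find-a-tradie.com.au www.find-a-tradie.com.au mail.find-a-tradie.com.au; do
        if cert_covers "$workdir/certificate.pem" "$host"; then
            echo "$host: covered"
        else
            echo "$host: NOT covered"
        fi
    done
fi
```

A browser will still warn about this certificate because it is self-signed; the check only confirms that the names in it match the site.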
 
If you want to use a real SSL authority rather than self signed, then your command will need to be changed to:

openssl req -out find-a-tradie.com-$(date +%Y-%m-%d).csr -newkey rsa:4096 -nodes -sha256 -keyout find-a-tradie.com-$(date +%Y-%m-%d).key -days 730 -config san.cnf

This will spit a CSR out for you and the private key file. You can then take the CSR to a certificate authority like GlobalSign, give them some money and they'll give you a certificate and the chain file(s). You can then put those in your webserver config.

Remember to restart the web service to apply the new setting, make sure it starts OK then test the website in an incognito browser tab and under your standard change request processes.
 
If you use Apache, there is a command log you open with a text file, and most servers have documentation to show you where

# DO NOT ALLOW IP FROM etc...
 
