Score:0

This site is missing a valid, trusted certificate || Apache2 webserver, Windows root CA

bh flag

I'm learning about certificates and HTTPS together, and after 4 days I'm out of ideas on how to set things up to become trusted. In my lab environment I have a Windows server with a CA role.

Previously I installed a VM-Dell OpenManage for my server. It has a graphical interface for requests and an import certificate for HTTPS access. I successfully generated a Certificate Signing Request and got a cert from my Windows CA server (https://x.x.x.x/certsrv/). It was done in under 2 min.

I thought I could try this on an apache2 webserver (Ubuntu 20.04). Well, now I am stuck and still don't know how to get it to work.

1. Currently (after ~50 openssl req) I requested a certificate with this command:

openssl req -new -newkey rsa:2048 -nodes -addext "subjectAltName = DNS:*.mydomain.local" -keyout serverkey.key -out serverreq.csr

2. I opened my Windows CA server from the browser https://x.x.x.x/certsrv/ and Request Certificate-->Advanced Certificate Request-->paste the serverreq.csr content-->WebserverTemplate. Download the cert.

3. Back on Linux, my conf file (/etc/apache2/sites-available/mysite.conf) looks like this.

<VirtualHost _default_:443>
    Protocols h2 http/1.1
    ServerName mysite.local
    ServerAlias www.mysite.local
    DocumentRoot /var/www/html/mysite
    SSLEngine on
    SSLCertificateFile /etc/ssl/certandkey/myservercert.crt
    SSLCertificateKeyFile /etc/ssl/certandkey/myserverkey.key
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
<VirtualHost *:80>
    ServerName mysite.local
    Redirect / https://mysite.local/
</VirtualHost>

Do I need to configure the # Server Certificate Chain: and # Certificate Authority (CA):?

Apache is running

4. After this, if I open the webpage it says

Certificate - missing
This site is missing a valid, trusted certificate (net::ERR_CERT_COMMON_NAME_INVALID).

But if I open the OpenManage it says

Certificate - valid and trusted
The connection to this site is using a valid, trusted server certificate issued by mydomain-DC-CA

Both certs are from the same windows CA server.

5. I tried to configure /etc/ssl/openssl.cnf, but I do not really understand how. If I edit something, then nothing works.

What is wrong with my config, and how can I configure it? Is there any good tutorial? 90% of the time Google shows only self-signed certs and browser magic. But I would like to configure it with a Windows CA.

Thanks for help

Sorry for my english.

Gerrit avatar
cn flag
Can you show the outputs of: `openssl x509 -subject -in /etc/ssl/certandkey/myservercert.crt -noout` and `openssl x509 -checkhost mysite.local -in /etc/ssl/certandkey/myservercert.crt -noout`?
Finaria avatar
bh flag
I have an error: `Hostname myserver does NOT match certificate`. How can I find out what the hostname of the cert is? With `openssl x509 -in /etc/ssl/glpicertkey/glpiservercert.crt -text` I don't see the hostname within the cert. `root@myserver:/home/user# openssl x509 -checkhost myserver -in /etc/ssl/certandkey/servercert.crt -noout Hostname myserver does NOT match certificate root@myserver:/home/user# openssl x509 -subject -in /etc/ssl/certandkey/servercert.crt -noout subject=C = HU, ST = Hungary, L = City, O = mycompany, OU = IT, CN = mydomain.local`
Gerrit avatar
cn flag
mydomain.local is in the CN, and that doesn't match mysite.local, so that won't provide a match. Also you have to include the DNS entries in the Subject Alternative Names to see if it matches. I appended this info to my answer.
Score:0
cn flag

Generating

You can use a small extension file (utf-8) to preset the entries you want and generate a CSR more easily. DNS entries must be punycode if not ASCII. (https://www.rfc-editor.org/rfc/rfc3492)

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = ext

[ ext ]
subjectKeyIdentifier=hash
keyUsage=digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = mysite.local
DNS.2 = www.mysite.local

[ dn ]
O=ACME
OU=TESTING
[email protected]
CN = mysite.local

You can save this as sslcert.cnf for example.

Remarks about wildcards

You can use a wildcard like *.example.com. They work only on one level. foo.bar.example.com won't be covered by *.example.com. Also *example.com doesn't work, the asterisk has to be in its own domain component.

Then, if you have no private key yet:

openssl req -nodes -newkey rsa:2048 -keyout sslcert.key -out sslcert.csr -config sslcert.cnf -utf8

Or if you already have a private key sslcert.key:

openssl req -key sslcert.key -out sslcert.csr -config sslcert.cnf -utf8

sslcert.csr will be the output (and also sslcert.key in the first example)

You can also add a subjectAltName section with -addext

openssl req -nodes -newkey rsa:2048 -keyout sslcert.key -out sslcert.csr -addext 'subjectAltName = DNS:example.com' -utf8

Name checking

You can use an openssl command to check if a certificate potentially matches the domain you use in browsing:

openssl x509 -in sslcert.crt -noout -checkhost example.com

Historically the CN entry in the distinguished name of the subject was used in SSL hostname checking. And it still is conventionally filled with one of the domains, but Chrome for example will not accept a certificate which doesn't also use the Subject Alternative Names (SAN) section. And this is also the section used for multiname certificates (even if you use just a domain with and without www, that is already a multiname certificate). According to CA/Browser norms, any name you set in CN must also be included in the altnames section.

You can see those in the output of

openssl x509 -text -noout -in cert.crt | grep -F 'Subject Alternative Name:' -A 1

Unfortunately there is no ready made output switch for just the SAN section.

It looks like:

            X509v3 Subject Alternative Name:
                DNS:cert.local, DNS:cert.example.com

Webserver check

To see if your webserver returns the certificates and chains (if you have intermediates) that you have set, you can also use an openssl commandline (possibly from the webserver machine itself).

openssl s_client -connect example.com:443 -servername example.com -showcerts

If you are using a CA that is not included on the machine that executes the openssl command, you will get a verification error, but at least you can see the certificates returned.

In the connect you can also use an ip-address, so if the webserver is on the same machine and also listens on loopback, you could say

openssl s_client -connect localhost:443 -servername example.com -showcerts

-servername is for selecting the right vhost if the webserver has multiple vhosts on port 443.
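The name-matching rules described in this answer (SAN takes precedence over CN, a wildcard covers exactly one label and must be its own leftmost component, `othername` entries are not DNS names) as an added Python example that is not part of the answer: it parses the `openssl x509 -subject` and SAN lines quoted in this thread and decides, the way `-checkhost` and a browser do, whether a hostname is covered. The sample lines are constructed from the outputs pasted in the comments.

```python
import re
from typing import List, Optional, Tuple

def parse_san_dns(san_line: str) -> List[str]:
    """Return the DNS: entries from the line printed under
    'X509v3 Subject Alternative Name:' by `openssl x509 -text`.
    Other GeneralNames (IP:, email:, othername:<unsupported>) are ignored,
    which is why a cert carrying only 'othername' matches nothing."""
    entries = [e.strip() for e in san_line.split(",")]
    return [e[4:].strip().lower() for e in entries if e.startswith("DNS:")]

def parse_subject_cn(subject_line: str) -> Optional[str]:
    """Extract the CN from `openssl x509 -subject -noout` output, e.g.
    'subject=C = HU, ST = Hungary, ..., CN = mydomain.local'."""
    m = re.search(r"(?:^|,)\s*CN\s*=\s*([^,]+)", subject_line)
    return m.group(1).strip().lower() if m else None

def name_matches(cert_name: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (RFC 6125 rules):
    case-insensitive, '*' may only be the whole leftmost label and covers
    exactly one label, so *.mydomain.local matches glpi.mydomain.local but
    neither mydomain.local nor a.b.mydomain.local."""
    p = cert_name.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" in cert_name and (p[0] != "*" or any("*" in lbl for lbl in p[1:])):
        return False                     # '*glpi.mylab.local' is not a valid wildcard
    if len(p) != len(h):
        return False                     # a wildcard never spans several labels
    return p[1:] == h[1:] if p[0] == "*" else p == h

def hostname_matches(hostname: str, san_dns: List[str],
                     cn: Optional[str]) -> Tuple[bool, str]:
    """Decide as a browser does: when the certificate carries SAN DNS names,
    only those count; the CN is a legacy fallback that Chrome no longer accepts."""
    for name in san_dns:
        if name_matches(name, hostname):
            return True, f"matched SAN entry {name}"
    if san_dns:
        return False, "no SAN entry matches; CN is ignored when SAN is present"
    if cn and name_matches(cn, hostname):
        return True, f"matched CN {cn} only (no SAN, Chrome will still reject)"
    return False, "no SAN extension and CN does not match"

# Constructed samples mirroring the openssl outputs pasted in this thread
SUBJECT_FIRST_CERT = ("subject=C = HU, ST = Hungary, L = City, O = mycompany, "
                      "OU = IT, CN = mydomain.local")
SAN_AS_ISSUED = "othername:<unsupported>"   # what the Windows CA first issued
SAN_FROM_GOOD_CSR = "DNS:glpi.mylab.local, DNS:www.glpi.mylab.local"
```

Running `hostname_matches("glpi.mylab.local", parse_san_dns(SAN_AS_ISSUED), parse_subject_cn(SUBJECT_FIRST_CERT))` reproduces the mismatch seen in the thread: the issued cert has no usable DNS name and the CN is a different name.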

Finaria avatar
bh flag
I ran the command: `openssl req -key sslcert.key -out sslcert.csr -config sslcert.cnf`, but in the cert there is no SAN, and after I open the site (F12) it says: `Certificate - Subject Alternative Name missing The certificate for this site does not contain a SAN extension containing a domain name or IP address`. If I add `-addext "subjectAltName = DNS:*.mydomain.local"` to your command, after that the SAN appears; without it, not. And I used the sslcert.cnf file, and it contains the SAN config. Then why is it not used? And Certificate missing is still a problem.
Gerrit avatar
cn flag
Could you try the amended config file in my answer? It seems I happened to depend on some base settings in my system's openssl distribution. Do you still get a certificate missing when you have the right CN and DNS entries?
Finaria avatar
bh flag
Still no luck. Can you explain how the hostname works? I think that's where I fail. My server hostname is glpi.mylab.local. My DNS/AD is mylab.local. `[ alt_names ] DNS.1 = glpi.mylab.local DNS.2 = www.glpi.mylab.local` `[ dn ] ... CN = glpi.mylab.local` If I checkhost for any combination it's always mismatched. What am I doing wrong?
Finaria avatar
bh flag
And this: `openssl req -nodes -newkey rsa:2048 -keyout sslcert.key -out sslcert.csr -config sslcert.cnf -utf8` is working, but there is no SAN in the cert file. Only if I add this to my command: `-addext "subjectAltName = DNS:*glpi.mylab.local"`
Gerrit avatar
cn flag
*glpi is not right, or did you try some markup here? *.glpi.mylab.local can work for a www variant, but not for the variant without www.
Finaria avatar
bh flag
Hi! Nope, still not working. My ssl config file looks like this: `[ req] default_bits = 2048 prompt = no default_md = sha256 distinguished_name = dn req_extensions = ext [ ext ] subjectKeyIdentifier=hash keyUsage=digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = glpi.mylab.local DNS.2 = www.glpi.mylab.local [ dn ] emailAddress=no CN = mylab.local` Request command: `openssl req -new -newkey rsa:2048 -nodes -keyout tsslkey.key -out tsslreq.csr -config sslcert.cnf -utf8`
Finaria avatar
bh flag
DNS check: `openssl req -noout -text -in tsslreq.csr |grep DNS DNS:glpi.mylab.local, DNS:www.glpi.mylab.local` And still `This site is missing a valid, trusted certificate (net::ERR_CERT_COMMON_NAME_INVALID).` The hostname is glpi.mylab.local. What is wrong?
Gerrit avatar
cn flag
I wonder if there is a second _default_ vhost on port 443 in Apache overriding your vhost.
Gerrit avatar
cn flag
You are checking the CSR. Did you also check the issued certificate?
Finaria avatar
bh flag
You are right, I did not check the cert. It's wrong: `X509v3 Subject Alternative Name: othername:<unsupported>` Why is it generated like this, when the request file is good? No other default vhost: `a2dissite default-ssl.conf Site default-ssl already disabled`
Gerrit avatar
cn flag
The othername error might imply that the DNS name info has been stored by the CA in a format that is not supported by openssl. DNS names should be IA5STRING. But on second thought, the error seems to indicate that not even the DNS Name format is chosen or that another GeneralName is included that is not supported. Maybe look at the "Subject Name" tab in your SSL issuing template. I have done signing with Windows CA of openssl CSR files, and that always went quite smoothly, but it may be that there are operational settings in the template used that add other info, incompatible with openssl.
Gerrit avatar
cn flag
Also as a precaution make sure that your openssl config file is stored in utf-8 or ascii and only has Unix newlines.
Finaria avatar
bh flag
Success :). I discarded the idea of making my own ssl.cnf file. I used the default one, but with -addext SAN. Previously I dropped the "*" from subjectAltName. `openssl req -new -addext "subjectAltName = DNS:glpi.mylab.local" -newkey rsa:2048 -nodes -keyout testkey.key -out testreq.csr` After I imported the cert file there was a new error: `"Active content with certificate errors"`. I just cleared the browser cache and the cert was accepted, all green. Thank you for the help and patience.