logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Wondering how to get rid of the not secure message
Author
wesman00



Joined: 10 Jan 2020
Posts: 9
Location: United States

PostPosted: Fri 10 Jan '20 23:15    Post subject: Wondering how to get rid of the not secure message Reply with quote

I'm using XAMPP to host apache on my main computer. I downloaded a webpage through a GitHub project and moved the files inside of it into the htdocs so it would show up when I went to localhost. I'm also running a Virtual Machine on the same computer and going to localhost does not show the apache page I am hosting. I solved this by going to the host computer's local IP address. I edited the windows host file so that when I put lrjenkins.bank into the address bar, it should go to my local IP address instead of 127.0.0.1. In the address bar, it shows that my connection is not secure. I plan to use this locally hosted site to mimic a fake bank to waste scammers' time when I let them connect to my virtual machine and log into my fake bank using fake login info (the password has to be hunter2 lol) to show fake money. If I put the host computer's local IP into the address bar then I am able to see the page and log in and everything, but seeing a string of numbers when I'm "logging into my bank" instead of lrjenkins.bank is not convincing and having not secure in the address bar is also a red flag. https://shellcreeper.com/how-to-create-valid-ssl-in-localhost-for-xampp/ I followed this tutorial to make a certificate and trust it in windows settings on my host just to verify that it works, and after following the guide and changing site.test to lrjenkins.bank everywhere I saw it and then trusting the certificate, but I got the error in chrome that tells me that the site is using HSTS and I have to type "thisisunsafe" to get the site to show and it still says not secure in the top so this tutorial made the problem worse. I reverted to the backup before I followed the tutorial and I still can't figure out how to make an SSL certificate that shows that my connection is secure. If at all possible, I would love to have the lock display that the certificate is issued to LR Jenkins Financial Group, exactly how the certificate for github.com works.
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 149
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Sat 11 Jan '20 21:52    Post subject: Reply with quote

Hello,

I followed the instructions at https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html to create a Root-CA, an Intermediate-CA and a Server-certificate (maybe it is an overkill creating a complete certificate-chain but using this approach is similar to the certificates used "out there").
I always used "LRJenkins Bank" as organization and for organizational unit I used "Security Team" for the root-CA and the intermediate-CA and "Online Bankin" for the server-certificate.

In paragraph "Configuring the Intermediate CA 1" I used the follwing snippet in "ca.conf"
Code:
[alt_names]
DNS.0 = lrjenkins.bank
DNS.1 = localhost
DNS.2 = 127.0.0.1


Within my test-environment I modified my Apache's config-file and used these two lines
Code:
SSLCertificateFile conf/ssl.crt/enduser-example-chain.crt
SSLCertificateKeyFile conf/ssl.key/enduser-example.key

where the file enduser-example-chain.crt contains the server-certificate followed by the intermediate-CA-certificate and the root-CA-certificate.
In addition I have addded the root-CA-certificate to my browser's trusted-CA-list. Within Firefox I now have a closed lock-symbol Smile - the only downside is that Firefox displays a message stating that this certificate was signed by a CA which is not in Firefox's default-certificate list - but only if you click on the closed-lock-symbol.

Maybe this helps?

Best regards
Matthias
Back to top
wesman00



Joined: 10 Jan 2020
Posts: 9
Location: United States

PostPosted: Mon 13 Jan '20 2:02    Post subject: Reply with quote

I appreciate the reply so much and I can't thank you enough. My only question is that since this is done using bash, would I be able to follow the instructions at the link you sent on my Windows machine which hosts the VM and the Apache with XAMPP server? I have the Linux subsystem for Windows installed so it may work using that but I know regular cmd in Windows doesn't use bash. I also have access to a Mac and a Debian system so I think maybe I could generate the certificates on those then just copy them over to my Windows machine. Would this be okay?
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 149
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Mon 13 Jan '20 7:22    Post subject: Reply with quote

Hello,

creating the certificates on Mac or Debian (or any other Linux) and then copying them to the Windows-machine is fine.
If you look for it there is also OpenSSL for Windows available - but finding up-to-date compiled Windows-versions is not as easy as simply using the Linux-based machines you already have available Smile

Best regards
Matthias
Back to top
wesman00



Joined: 10 Jan 2020
Posts: 9
Location: United States

PostPosted: Mon 13 Jan '20 10:04    Post subject: Reply with quote

Ok I'll use my linux machine because it has a lot of utilities already installed. My last question that I had not thought of yet is should I change the part where you put 127.0.0.1 to the internal IP of my host system? This is required to get the webpage to show up on my virtual machine. When I go to 127.0.0.1 on my VM, it says the page does not load. I need to instead go to 10.70.65.146 if I want data to load. I then edited my Windows host file to say
Code:
10.70.65.146 lrjenkins.bank
. Or would it be better if I changed 127.0.0.1 to lrjenkins.bank because the certificate should be valid when I am accessing the site through that domain. I don't care if the 10.70.65.146 part says secure or not because I will not be accessing it this way on my VM.
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 149
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Mon 13 Jan '20 11:05    Post subject: Reply with quote

Hello,

I've added the 127.0.0.1 to the list to also be able to connect to the webserver using this IP and also have a "closed lock" in my browser's address bar.
You can ommit this line in the config or replace it with any other data suitable for your environment.
The real important thing is that the hostname you will normally use in your browser is also in this list.

Greetings
Matthias Smile
Back to top
wesman00



Joined: 10 Jan 2020
Posts: 9
Location: United States

PostPosted: Thu 16 Jan '20 5:29    Post subject: Reply with quote

Ok I've run into a slight problem. When I run
Code:
openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt
I get a bunch of errors

https://shinytreecko.com/screenshots/Screen%20Shot%202020-01-15%20at%2010.24.49%20PM.png

Trying to get this to work on my Mac since Linux was also throwing errors that I forgot to screenshot. About to try on Linux the second I post this to the forum.
Back to top
wesman00



Joined: 10 Jan 2020
Posts: 9
Location: United States

PostPosted: Thu 16 Jan '20 7:36    Post subject: Reply with quote

Whoops I found the issue I had just misconfigured ca.conf so the entire tutorial is correct up until creating end user certificates where I stopped. I couldn't find the part of the tutorial where you made a server-certificate and used online banking, but I successfully created and signed a root-CA and an intermediate-CA which I'm almost 100% sure will work when it is on the machine hosting the apache server. I am hesitant to try yet though because I don't know if it will mess anything up before creating the server certificate.
Back to top
wesman00



Joined: 10 Jan 2020
Posts: 9
Location: United States

PostPosted: Fri 17 Jan '20 2:10    Post subject: Reply with quote

I just realized I hadn't looked at the tutorial carefully enough so ignore my previous 2 replies since I'm past those issues now, but at this point I made the enduser certificates specific for lrjenkins.bank after following the tutorial for the root-CA and intermediate-CA certificates completely correctly. I made all of them on my Linux machine and now I'm unsure of where each certificate needs to go. I have left the intermediate-CA and root-CA files on my linux machine but copied the enduser-certificates directory over to my Windows machine which is hosting XAMPP. I have files called enduserlrjenkins.bank.crt (located in XAMPP\apache\conf\ssl.crt) and enduser-lrjenkins.bank.key (located in XAMPP\apache\conf\ssl.key). I also have the .chain file and the .csr file but I don't know where those go. I also can't find a line in my Apache conf file where it says SSLCertificateFile or SSLCertificateKeyFile. Do I need to add these lines with the directories of each file after? Or do I need to find an existing line in one of the conf files with SSLCertificateFile and SSLCertificateKeyFile and change the directories those files are in. If yes to either of these questions, do you know what the conf file should be called? I'm thinking it's httpd-ssl.conf, but I'm unsure.
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 149
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Fri 17 Jan '20 7:22    Post subject: Reply with quote

Hello Wesley,

here is the complete output my Linux-Box when doing the mentioned tutorial. Yes, there are some errors/warnings, but it doesn't matter - the result was working fine for me. In addition I have added some bash-comments Smile which ca.conf to use and what to modify. Maybe it is a bit clearer now?

Admin note: Moved output to https://apaste.info/cXQe

Best regards
Matthias
Back to top
wesman00



Joined: 10 Jan 2020
Posts: 9
Location: United States

PostPosted: Wed 22 Jan '20 16:13    Post subject: Reply with quote

Thank you so much for your paste, I'm following every single line you have word-for-word, except for when I get to the part on line 95 where it says
Code:
openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
. I get an error that says this:
Code:
Using configuration from ca.conf
.//crlnumber: No such file or directory
error while loading CRL number
140198874997888:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('.//crlnumber','r')
140198874997888:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:

I think this is due to the line in ca.conf that says
Code:
crlnumber = $dir/crlnumber
. It does not output a file so the next line produces an error saying that it can't find the file specified.

Edit: so it looks like I may have forgotten to echo 1000 > crlnumber. I instead somehow ran echo 1000 > certserial twice. My bad!
Back to top
wesman00



Joined: 10 Jan 2020
Posts: 9
Location: United States

PostPosted: Wed 22 Jan '20 16:35    Post subject: Reply with quote

Ok, last question. For the files in enduser-certs, all of them get sent to the user except for the .csr file and a copy of each stays on the server. My question is where do the ones on the server go in my Apache installation? I'm using XAMPP which has Apache bundled in and I'm pretty sure the configuration is the same except a couple of directories like htdocs are different but I have those working the way they need to be. Then once each file is where it needs to be on the server, what should I do with the other files that I will be putting on the VM which will be going to the website?
I'm sorry for asking so many questions, but I've had struggles with OpenSSL on my actual server and trying to get certificates for the open-source FileBrowser service, Cockpit, and Plex and my experience with those wasn't fun given how much extra configuration each service needed on top of using certbot which is as easy as it gets. I still haven't figured out how to get an SSL certificate for Plex on my website but I'll work on that when I'm finished with this project.
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 149
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Sat 25 Jan '20 21:54    Post subject: Reply with quote

Hello,

on the client you need to install the public-keys (.crt) from your root-ca and the intermediate-ca into your browser as trusted Certificate Authorities - otherwise your browser will complain about the certificate being from an unknown/untrusted CA.
On your webserver you need the public-key (.crt), the private-key (.key) and the chain-file (lrjenkins.bank.chain) from the enduser-certs-directory.

@admin: sorry for putting that looong content into this formum and thank you for moving it to apaste.bin Smile

Best regards
Matthias
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 677

PostPosted: Sat 25 Jan '20 21:58    Post subject: Reply with quote

@mraddi

No problem, I think others can learn from the content.

Thanks for helping.
Back to top


Reply to topic   Topic: Wondering how to get rid of the not secure message View previous topic :: View next topic
Post new topic   Forum Index -> Apache