Apache Lounge
Forum Index -> Apache

Topic: Wondering how to get rid of the not secure message
wesman00



Joined: 10 Jan 2020
Posts: 6
Location: United States

PostPosted: Fri 10 Jan '20 23:15    Post subject: Wondering how to get rid of the not secure message

I'm using XAMPP to host Apache on my main computer. I downloaded a webpage through a GitHub project and moved the files inside of it into htdocs so it would show up when I went to localhost. I'm also running a virtual machine on the same computer, and going to localhost there does not show the Apache page I am hosting. I solved this by going to the host computer's local IP address. I edited the Windows hosts file so that when I put lrjenkins.bank into the address bar, it should go to my local IP address instead of 127.0.0.1. In the address bar, it shows that my connection is not secure. I plan to use this locally hosted site to mimic a fake bank to waste scammers' time when I let them connect to my virtual machine and log into my fake bank using fake login info (the password has to be hunter2 lol) to show fake money. If I put the host computer's local IP into the address bar then I am able to see the page and log in and everything, but seeing a string of numbers when I'm "logging into my bank" instead of lrjenkins.bank is not convincing, and having "not secure" in the address bar is also a red flag. I followed this tutorial to make a certificate and trust it in the Windows settings on my host, just to verify that it works: https://shellcreeper.com/how-to-create-valid-ssl-in-localhost-for-xampp/ After following the guide, changing site.test to lrjenkins.bank everywhere I saw it and then trusting the certificate, I got the error in Chrome that tells me that the site is using HSTS and that I have to type "thisisunsafe" to get the site to show, and it still says not secure at the top, so this tutorial made the problem worse. I reverted to the backup from before I followed the tutorial, and I still can't figure out how to make an SSL certificate that shows that my connection is secure. If at all possible, I would love to have the lock display that the certificate is issued to LR Jenkins Financial Group, exactly how the certificate for github.com works.
mraddi



Joined: 27 Jun 2016
Posts: 105
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Sat 11 Jan '20 21:52    Post subject:

Hello,

I followed the instructions at https://raymii.org/s/tutorials/OpenSSL_command_line_Root_and_Intermediate_CA_including_OCSP_CRL%20and_revocation.html to create a root CA, an intermediate CA and a server certificate (maybe it is overkill to create a complete certificate chain, but this approach is similar to the certificates used "out there").
I always used "LRJenkins Bank" as the organization; for the organizational unit I used "Security Team" for the root CA and the intermediate CA, and "Online Banking" for the server certificate.

In the paragraph "Configuring the Intermediate CA 1" I used the following snippet in "ca.conf":
Code:
[alt_names]
DNS.0 = lrjenkins.bank
DNS.1 = localhost
# An IP literal belongs in an IP.n entry, not a DNS.n entry; browsers such as
# Chrome only match an address-bar IP against IP entries of the SAN.
IP.0 = 127.0.0.1


Within my test-environment I modified my Apache's config-file and used these two lines
Code:
SSLCertificateFile conf/ssl.crt/enduser-example-chain.crt
SSLCertificateKeyFile conf/ssl.key/enduser-example.key

where the file enduser-example-chain.crt contains the server certificate followed by the intermediate CA certificate and the root CA certificate.
In addition I have added the root CA certificate to my browser's trusted CA list. Within Firefox I now have a closed lock symbol; the only downside is that Firefox displays a message stating that this certificate was signed by a CA which is not in Firefox's default certificate list, but only if you click on the closed lock symbol.

Maybe this helps?

Best regards
Matthias
wesman00



Joined: 10 Jan 2020
Posts: 6
Location: United States

PostPosted: Mon 13 Jan '20 2:02    Post subject:

I appreciate the reply so much and I can't thank you enough. My only question is that since this is done using bash, would I be able to follow the instructions at the link you sent on my Windows machine which hosts the VM and the Apache with XAMPP server? I have the Linux subsystem for Windows installed so it may work using that but I know regular cmd in Windows doesn't use bash. I also have access to a Mac and a Debian system so I think maybe I could generate the certificates on those then just copy them over to my Windows machine. Would this be okay?
mraddi



Joined: 27 Jun 2016
Posts: 105
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Mon 13 Jan '20 7:22    Post subject:

Hello,

Creating the certificates on Mac or Debian (or any other Linux) and then copying them to the Windows machine is fine.
If you look for it, there is also OpenSSL for Windows available, but finding up-to-date compiled Windows versions is not as easy as simply using the Linux-based machines you already have available.

Best regards
Matthias
wesman00



Joined: 10 Jan 2020
Posts: 6
Location: United States

PostPosted: Mon 13 Jan '20 10:04    Post subject:

Ok, I'll use my Linux machine because it has a lot of utilities already installed. My last question that I had not thought of yet is: should I change the part where you put 127.0.0.1 to the internal IP of my host system? This is required to get the webpage to show up on my virtual machine. When I go to 127.0.0.1 on my VM, it says the page does not load. I need to instead go to 10.70.65.146 if I want data to load. I then edited my Windows hosts file to say
Code:
10.70.65.146 lrjenkins.bank

Or would it be better if I changed 127.0.0.1 to lrjenkins.bank, because the certificate should be valid when I am accessing the site through that domain? I don't care if the 10.70.65.146 part says secure or not because I will not be accessing it this way on my VM.
mraddi



Joined: 27 Jun 2016
Posts: 105
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Mon 13 Jan '20 11:05    Post subject:

Hello,

I've added 127.0.0.1 to the list to also be able to connect to the webserver using this IP and still have a "closed lock" in my browser's address bar.
You can omit this line in the config or replace it with any other data suitable for your environment.
The really important thing is that the hostname you will normally use in your browser is also in this list.

Greetings
Matthias
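As an added example, not the raymii.org tutorial's commands and not mraddi's files, here is the whole chain the thread describes (root CA, intermediate CA, server certificate with a SAN list) built with the plain openssl command line on a Linux box, and then checked the way a browser checks it: trusting only the root, walking through the intermediate, and matching the address-bar name or IP against the SAN entries. It covers both mraddi's alt_names snippet and the 127.0.0.1 versus 10.70.65.146 question: 127.0.0.1 is in the SAN as an IP entry and validates, 10.70.65.146 is deliberately left out and is rejected. The file names, the 2048-bit key size, the validity periods and the function names write_config, build_chain and verify_leaf are assumptions; it needs openssl 1.1.0 or newer on PATH.

```shell
#!/bin/sh
# Added example: private root CA -> intermediate CA -> server certificate for
# lrjenkins.bank, then a client-style verification of the result.
# Not the raymii.org tutorial's script; names, sizes and lifetimes are assumptions.
set -eu

# One OpenSSL config carrying the extension set for each tier of the chain.
write_config() {
  cat > "$1/cert.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt             = no

[dn]
O = LRJenkins Bank

[v3_root]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[v3_intermediate]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[v3_server]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
subjectAltName         = @alt_names

# Browsers match the address bar against these entries, never against the CN.
# Host names go in DNS.n entries, IP literals in IP.n entries.
[alt_names]
DNS.1 = lrjenkins.bank
DNS.2 = localhost
IP.1  = 127.0.0.1
EOF
}

# Build root, intermediate and leaf into $1 (2048-bit keys to keep it quick;
# use 4096 for a root you intend to keep around).
build_chain() {
  dir="$1"
  mkdir -p "$dir"
  write_config "$dir"
  (
    cd "$dir"
    # 1. Root CA, self-signed. Keep its key off the web server.
    openssl genrsa -out root.key 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -config cert.cnf -extensions v3_root \
      -key root.key -subj "/O=LRJenkins Bank/OU=Security Team/CN=LRJenkins Bank Root CA" \
      -out root.crt 2>/dev/null
    # 2. Intermediate CA, signed by the root; pathlen:0 stops it issuing sub-CAs.
    openssl genrsa -out intermediate.key 2048 2>/dev/null
    openssl req -new -sha256 -config cert.cnf -key intermediate.key \
      -subj "/O=LRJenkins Bank/OU=Security Team/CN=LRJenkins Bank Intermediate CA" \
      -out intermediate.csr 2>/dev/null
    openssl x509 -req -sha256 -days 1825 -in intermediate.csr \
      -CA root.crt -CAkey root.key -CAcreateserial \
      -extfile cert.cnf -extensions v3_intermediate -out intermediate.crt 2>/dev/null
    # 3. Server certificate, signed by the intermediate.
    openssl genrsa -out lrjenkins.bank.key 2048 2>/dev/null
    openssl req -new -sha256 -config cert.cnf -key lrjenkins.bank.key \
      -subj "/O=LRJenkins Bank/OU=Online Banking/CN=lrjenkins.bank" \
      -out lrjenkins.bank.csr 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in lrjenkins.bank.csr \
      -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
      -extfile cert.cnf -extensions v3_server -out lrjenkins.bank.crt 2>/dev/null
    # 4. What goes into SSLCertificateFile: leaf first, then the intermediate.
    #    root.crt is imported into the client's trust store, not served.
    cat lrjenkins.bank.crt intermediate.crt > lrjenkins.bank-chain.crt
  )
}

# Verify like a browser: trust only root.crt, walk via the intermediate, and
# require $2 (a host name or an IPv4 literal) to match a SAN entry.
# Prints OK or FAIL.
verify_leaf() {
  dir="$1"; name="$2"
  case "$name" in
    *[!0-9.]*) opt=-verify_hostname ;;   # anything that is not an IPv4 literal
    *)         opt=-verify_ip ;;
  esac
  if openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/intermediate.crt" \
       "$opt" "$name" "$dir/lrjenkins.bank.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}
```

Run it as `. ./chain.sh; build_chain ./pki; verify_leaf ./pki lrjenkins.bank`. Copy lrjenkins.bank-chain.crt and lrjenkins.bank.key to the XAMPP machine and import root.crt into the trust store of every browser that will visit the site, including the one inside the VM. If the VM is meant to reach the site as 10.70.65.146 as well as lrjenkins.bank, that address has to be added as another IP.n entry before the server certificate is signed; a name or address that is not in the SAN list fails exactly as 10.70.65.146 does here.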
wesman00



Joined: 10 Jan 2020
Posts: 6
Location: United States

PostPosted: Thu 16 Jan '20 5:29    Post subject:

Ok I've run into a slight problem. When I run
Code:
openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt
I get a bunch of errors

https://shinytreecko.com/screenshots/Screen%20Shot%202020-01-15%20at%2010.24.49%20PM.png

Trying to get this to work on my Mac since Linux was also throwing errors that I forgot to screenshot. About to try on Linux the second I post this to the forum.
wesman00



Joined: 10 Jan 2020
Posts: 6
Location: United States

PostPosted: Thu 16 Jan '20 7:36    Post subject:

Whoops, I found the issue: I had just misconfigured ca.conf, so the entire tutorial is correct up until creating end user certificates, where I stopped. I couldn't find the part of the tutorial where you made a server certificate and used online banking, but I successfully created and signed a root CA and an intermediate CA, which I'm almost 100% sure will work when it is on the machine hosting the Apache server. I am hesitant to try yet, though, because I don't know if it will mess anything up before creating the server certificate.
wesman00



Joined: 10 Jan 2020
Posts: 6
Location: United States

PostPosted: Fri 17 Jan '20 2:10    Post subject:

I just realized I hadn't looked at the tutorial carefully enough so ignore my previous 2 replies since I'm past those issues now, but at this point I made the enduser certificates specific for lrjenkins.bank after following the tutorial for the root-CA and intermediate-CA certificates completely correctly. I made all of them on my Linux machine and now I'm unsure of where each certificate needs to go. I have left the intermediate-CA and root-CA files on my linux machine but copied the enduser-certificates directory over to my Windows machine which is hosting XAMPP. I have files called enduserlrjenkins.bank.crt (located in XAMPP\apache\conf\ssl.crt) and enduser-lrjenkins.bank.key (located in XAMPP\apache\conf\ssl.key). I also have the .chain file and the .csr file but I don't know where those go. I also can't find a line in my Apache conf file where it says SSLCertificateFile or SSLCertificateKeyFile. Do I need to add these lines with the directories of each file after? Or do I need to find an existing line in one of the conf files with SSLCertificateFile and SSLCertificateKeyFile and change the directories those files are in. If yes to either of these questions, do you know what the conf file should be called? I'm thinking it's httpd-ssl.conf, but I'm unsure.
mraddi



Joined: 27 Jun 2016
Posts: 105
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Fri 17 Jan '20 7:22    Post subject:

Hello Wesley,

here is the complete output of my Linux box when doing the mentioned tutorial. Yes, there are some errors/warnings, but it doesn't matter; the result was working fine for me. In addition I have added some bash comments about which ca.conf to use and what to modify. Maybe it is a bit clearer now?

Admin note: Moved output to https://apaste.info/cXQe

Best regards
Matthias
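As an added example, not mraddi's configuration and not the file XAMPP ships, here is the TLS virtual host that carries the two directives wesman00 was looking for. It assumes XAMPP's layout, where httpd.conf includes conf/extra/httpd-ssl.conf and that file already contains a `<VirtualHost _default_:443>` block whose SSLCertificateFile and SSLCertificateKeyFile point at conf/ssl.crt/server.crt and conf/ssl.key/server.key; those are the lines to change rather than add. The chain file name, the key file name and the DocumentRoot are assumptions.

```apache
# Added example (not mraddi's or XAMPP's own file): the TLS virtual host in
# apache\conf\extra\httpd-ssl.conf, with paths relative to ServerRoot.
Listen 443

<VirtualHost _default_:443>
    ServerName lrjenkins.bank:443
    DocumentRoot "C:/xampp/htdocs"

    SSLEngine on
    # Drop the legacy protocols; any current browser in the VM speaks TLS 1.2+.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Leaf certificate followed by the intermediate CA certificate.
    # httpd 2.4.8 and later read the chain from this file; older builds need
    # SSLCertificateChainFile for the intermediate instead.
    SSLCertificateFile    "conf/ssl.crt/lrjenkins.bank-chain.crt"
    SSLCertificateKeyFile "conf/ssl.key/lrjenkins.bank.key"
</VirtualHost>
```

After restarting Apache, check what the server actually sends from the VM with `openssl s_client -connect 10.70.65.146:443 -servername lrjenkins.bank -showcerts -CAfile root.crt`: the output should list the leaf and the intermediate and end with "Verify return code: 0 (ok)". Two things happen on the VM, not on the Windows host: the VM resolves lrjenkins.bank itself, so the `10.70.65.146 lrjenkins.bank` entry has to be in the VM's own hosts file, and the root CA has to be imported into the VM's browser or OS trust store. The HSTS interstitial and the "thisisunsafe" bypass wesman00 ran into in Chrome are expected for this name: the whole .bank top-level domain is on the browsers' HSTS preload list, so Chrome refuses to click through certificate errors on any .bank host and always upgrades http://lrjenkins.bank to https. Once the chain validates against the imported root there is nothing left to bypass.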