Posted on 18-06-2008
Filed Under (Apache) by Arun Bagul

Introduction -

Posted on 19-12-2007
Filed Under (Apache) by Arun Bagul

I have been facing the same problem for a few days since creating a certificate for secure HTTPS sites. Whenever I browsed sites with https, it showed me an error like “Website Certified by Unknown Authority - unable to verify the identity of indiangnu.org site”.

I was thinking that this might be a browser incompatibility issue and that my browser did not support HTTPS. But I was wrong, and finally I found that there was a simple misconfiguration on the server side.

* Virtual Hosting of My Site -

<VirtualHost 192.168.1.200:443>
ServerAdmin webmaster@indiangnu.org
ServerName www.indiangnu.org
DocumentRoot /home/indgnu/public_html

User indgnu
Group indgnu
ScriptAlias /cgi-bin/ /home/indgnu/public_html/cgi-bin/

SSLEnable
SSLCertificateFile /usr/share/ssl/certs/indiangnu.org.crt
SSLCertificateKeyFile /usr/share/ssl/private/indiangnu.org.key
SSLCACertificateFile /usr/share/ssl/certs/intermediate.crt

SSLLogFile /var/log/apache/domlogs/indiangnu.org-ssl_data_log

</VirtualHost>

If you are using a certificate issued by a CA, then you need to add this line, along with your CA's intermediate certificate (intermediate.crt):

SSLCACertificateFile /usr/share/ssl/certs/intermediate.crt

If you are using a self-signed certificate, you may not face this problem.

* The options may depend on the version of Apache.
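Why a missing intermediate leads to the "Unknown Authority" error can be reproduced offline. The script below is an added example, not part of the original post: it builds a constructed throwaway root, intermediate and site certificate (all names and paths are assumptions) and runs `openssl verify` with and without the intermediate.

```shell
#!/bin/sh
# Added example: throwaway root -> intermediate -> leaf chain in a temp dir.
# All names (Example Root CA, www.example.test, file names) are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_csr NAME CN: create a 2048-bit key and a certificate signing request
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

build_pki() {
    # CA certificates must carry basicConstraints CA:TRUE
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
    new_csr root "Example Root CA" &&
    new_csr intermediate "Example Intermediate CA" &&
    new_csr leaf "www.example.test" &&
    # Root: self-signed, stands in for a CA the browser already trusts
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -days 30 -out "$WORK/root.crt" >/dev/null 2>&1 &&
    # Intermediate: signed by the root (the post's intermediate.crt)
    openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
        -days 30 -out "$WORK/intermediate.crt" >/dev/null 2>&1 &&
    # Leaf: the site certificate, signed by the intermediate
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/intermediate.crt" \
        -CAkey "$WORK/intermediate.key" -CAcreateserial \
        -days 30 -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# verify_leaf [openssl verify options]: true only if the leaf chains to the root
verify_leaf() {
    openssl verify -CAfile "$WORK/root.crt" "$@" "$WORK/leaf.crt" 2>&1 |
        grep -q ': OK$'
}

# Client trusts the root but is sent only the site certificate
leaf_alone_verifies() { verify_leaf; }
# Client is also sent the intermediate, as an untrusted chain-building hint
leaf_with_intermediate_verifies() {
    verify_leaf -untrusted "$WORK/intermediate.crt"
}

build_pki || { echo "openssl failed" >&2; exit 1; }
leaf_alone_verifies && echo "leaf only: OK" || echo "leaf only: issuer unknown"
leaf_with_intermediate_verifies && echo "with intermediate: OK" ||
    echo "with intermediate: FAILED"
```

Against a running server, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends, which shows whether the intermediate is being served.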

* Screenshot of error


Thank you,

Arun Bagul

Posted on 01-12-2007
Filed Under (Apache) by Arun Bagul

Apache is the most widely used web server. For the secure HTTP protocol (HTTPS) we need to check whether Apache's mod_ssl (Secure Sockets Layer) module is installed and loaded. mod_ssl may be loaded as a static or a dynamic module. Static means SSL support is part of the Apache binary; with dynamic loading, the .so (shared object) file is loaded by Apache at run time.

  • How to check whether mod_ssl is loaded?

[root@indiangnu.org ~]# /usr/local/apache/bin/httpd -l
Compiled-in modules:
http_core.c
mod_env.c
mod_log_config.c
mod_mime.c
mod_negotiation.c
mod_status.c
mod_include.c
mod_autoindex.c
mod_dir.c
mod_cgi.c
mod_asis.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_access.c
mod_auth.c
mod_so.c
mod_setenvif.c
mod_ssl.c
mod_frontpage.c
suexec: enabled; valid wrapper /usr/local/apache/bin/suexec
[root@indiangnu.org ~]# httpd -l

  • Apache configuration file

#set port 80 for HTTP and 443 for HTTPS

<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

# Setting for virtual hosting

NameVirtualHost 192.168.1.100:80
NameVirtualHost 192.168.1.100:443

#virtual hosting for HTTP

<VirtualHost 192.168.1.100:80>
ServerName nishit.indiangnu.org
ServerAlias www.nishit.indiangnu.org
DocumentRoot /home/nishit/public_html
#BytesLog /usr/local/apache/domlogs/nishit.indiangnu.org-bytes_log
CustomLog /usr/local/apache/domlogs/nishit.indiangnu.org combined
ScriptAlias /cgi-bin/ /home/nishit/public_html/cgi-bin/
</VirtualHost>

# virtual hosting for HTTPS
<VirtualHost 192.168.1.100:443>
SSLEngine On
SSLCertificateFile /usr/local/apache/conf/ssl.crt/indiangnu.org.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/indiangnu.org.key
ServerName nishit.indiangnu.org
ServerAlias www.nishit.indiangnu.org
ServerAdmin webmaster@nishit.indiangnu.org
DocumentRoot /home/nishit/public_html
</VirtualHost>

#done

# Now restart apache server and check on which port apache is listening

[root@indiangnu.org ~]# netstat -nlp | grep :80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 14037/httpd
[root@indiangnu.org ~]# netstat -nlp | grep :443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 14037/httpd
[root@indiangnu.org~]#

#Then restart apache and browse the sites

  • How to generate SSL Certificate

1)

[root@indiangnu.org~]# openssl genrsa -out /etc/ssl/certs/indiangnu.org.key 1024
Generating RSA private key, 1024 bit long modulus
…………..++++++
……………………………………………………..++++++
e is 65537 (0x10001)

2)

[root@indiangnu.org~]# openssl rsa -in /etc/ssl/certs/indiangnu.org.key -out /etc/ssl/certs/indiangnu.org.pem
writing RSA key
[root@indiangnu.org~]# ls
indiangnu.org.key
[root@indiangnu.org~]# cat indiangnu.org.key

3)

[root@indiangnu.org~]# openssl req -new -key /etc/ssl/certs/indiangnu.org.key -out /etc/ssl/certs/indiangnu.org.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:MH
Locality Name (eg, city) [Newbury]:Mumbai
Organization Name (eg, company) [My Company Ltd]:IndianGNU.org
Organizational Unit Name (eg, section) []:System
Common Name (eg, your name or your server’s hostname) []:nishit.indiangnu.org
Email Address []:to@nishit.indiangnu.org

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@indiangnu.org~]#

4) If you want to force an SSL connection and redirect all traffic on port 80 to port 443 (HTTPS), use this instead:

RewriteEngine   on
RewriteCond     %{SERVER_PORT} ^80$
RewriteRule     ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
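For steps 1 to 3 above: `openssl req -new` writes a certificate signing request, so the script below (an added example, not from the original post) also self-signs the request and then checks what each file contains and that the key and certificate belong together. The temp-dir paths, the subject and the 2048-bit key size are assumptions of this example.

```shell
#!/bin/sh
# Added example: all paths and the subject are constructed; files live in a temp dir.
DIR=$(mktemp -d)
trap 'rm -rf "$DIR"' EXIT
KEY="$DIR/site.key"; CSR="$DIR/site.csr"; CRT="$DIR/site.crt"

make_files() {
    umask 077   # private key readable by its owner only
    # Assumption: 2048-bit RSA rather than the 1024 bits used in the post
    openssl genrsa -out "$KEY" 2048 >/dev/null 2>&1 &&
    # Same command shape as step 3: the output is a signing request
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=IN/O=Example/CN=site.example.test" >/dev/null 2>&1 &&
    # Self-sign the request to obtain an actual certificate
    openssl x509 -req -in "$CSR" -signkey "$KEY" -days 30 \
        -out "$CRT" >/dev/null 2>&1
}

# pem_kind FILE: label of the first PEM header, e.g. "CERTIFICATE REQUEST"
pem_kind() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# key_matches_cert KEYFILE CERTFILE: true if both hold the same public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_key_bits CERTFILE: size of the certificate's public key in bits
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

make_files || { echo "openssl failed" >&2; exit 1; }
echo "$CSR holds: $(pem_kind "$CSR")"
echo "$CRT holds: $(pem_kind "$CRT")"
key_matches_cert "$KEY" "$CRT" && echo "key matches certificate"
echo "key size: $(cert_key_bits "$CRT") bits"
```

On a real server the private key belongs in a directory readable only by root, separate from the public certificates.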

Thank you,

Arun
