Installing SSL Cert on Linode server for subdomain
In the DNS settings we have an A record named 'share' that points to our Linode web server.
On our store we have a page that has an iframe whose src points to a PHP script over at the Linode web server; right now the connection is refused when the store is set to site-wide SSL, even though the src URL has been edited to HTTPS.
Presumably there is either no cert on the Linode server, or something is wrong that I have no idea what I'm doing about, but this is the only thing I have to go on at the moment.
If I/my client purchases a cert for the Linode server, will that presumably fix the issue of the connection being refused for the iframe?
17 Replies
As a side note, why pay for a certificate? That fiasco ended a long time ago and now certificates are free! Take a look here as an example
Now that the URL is https nothing shows up in console, the iframe just shows up as Unable to Connect (Firefox), and Refused to Connect (Chrome).
If I put in the url,
I just assumed based on experience you pay for certs for business websites; would a free one work?
Yes, free certificates will work fine; there are no certificates for "business" or anything like that, they are all effectively the same. The reason we had to pay for them up until recently was because of a marketing scam, and finally that is over. Essentially the certificates use the same cryptography; all that mattered was browser acceptance.
What we've seen recently is that those selling certificates have come up with various scare tactics to lure unsuspecting people into buying what is essentially free.
@IfThenElse:
The certificate must be installed on the web server that hosts the domain, so I'd guess in your case that would be the Linode server. So once you set up dehydrated (or a similar Let's Encrypt client) your iframe should work, in theory at least, since I don't know any details about your setup.
I'm not really sure what our setup is either.
Our domain, storename.com is from godaddy.
The CNAME dns listing named www points to our store over at BigCommerce.
But our store has a page that calls to share.storename.com
According to the DNS, the share subdomain is on Linode at the server ip.
By 'hosts the domain', it's hosting the subdomain in this case right? The share.storename.com domain?
I'm trying to set up Dehydrated but I'm a little confused, as it seems to assume a regular Linux user and I haven't used it in years. I tried to run the ./dehydrated command and it claims the WELLKNOWN directory doesn't exist and wants me to set permissions?
I uploaded all the files via FTP to /root/dehydrated.
I created a dehydrated folder in /etc/pki/
I created the domains.txt and sorta just put in
I edited config to add in my email (does the email matter?). I kept 'wellknown'/basedir at the default since I assumed that if I passed it the config file and its location then it would use the location of the config file automatically? I think this part I messed up.
Basedir is the directory of the dehydrated script, but the instructions didn't say to move it to the pki/dehydrated folder, only the config file, which I did.
I'm a little confused; you can basically assume I haven't touched Linux in a long time and am thus a newb all over again.
make sure the directory /root/dehydrated exists (we put the script here, to run as root)
make sure the directory /etc/pki/letsencrypt exists (we put the certificates here, must be accessible by the apache web server)
put the dehydrated script under /root/dehydrated
create the file /etc/pki/letsencrypt/domains.txt
edit this file and ONLY write the domain you host, in your case that would be: share.storename.com
copy the config file from /root/dehydrated/docs/examples to /root/dehydrated
edit this file and change:
BASEDIR="/etc/pki/letsencrypt"
CONTACT_EMAIL="your email here"
WELLKNOWN="/home/myuser/public_html/.well-known/acme-challenge"
The above WELLKNOWN path is just an example, you need to know the exact directory your webserver uses, also create the directories .well-known and .well-known/acme-challenge.
The command that executes dehydrated is:
/root/dehydrated/dehydrated --cron --config /root/dehydrated/config --keep-going --challenge http-01
The certificates will be generated under /etc/pki/letsencrypt/certs/share.storename.com/ you then need to modify your Apache configuration to point to the certificate files.
There are two www directories: one under /var/ and another at the root level, /www/.
The one that's /www/ has a folder in it that's accessed through that iframe; the src goes to share.storename.com/tell.php and tell.php is located under /www/stories/htdocs/
But only the /var/www/ has an index.html; if I type in the IP for the server that I use to log in, it goes to the store page.
I tried putting "public_html/.well-known/acme-challenge" in both /www/'s, as well as /home/username/ (there is only one non-root user and root didn't have a home folder). None of these options appear to be working and I keep getting the error: "ERROR: WELLKNOWN directory doesn't exist, please create /var/www/dehydrated and set appropriate permissions."
I see apache2 in /etc/ exists, but not /etc/httpd/conf/httpd.conf; there is no httpd folder under /etc. Is there a way to check? AFAIK it should've been /www/.
edit: the tell.php file / the /www/stories/htdocs is definitely public facing, as I changed tell.php to print hello world and it worked.
ServerAlias
ServerAdmin
DocumentRoot /www/stories/htdocs/
CustomLog /var/log/apache2/access_stories.log combined
ErrorLog /var/log/apache2/error_stories.log
Is the document root where I point wellknown to or does that still not explain the error?
edit 2: I think I understand what's happening, the new path for WELLKNOWN isn't actually being passed in. As it keeps saying '/var/www/dehydrated' when it should be saying something else.
edit 3: Supposedly it is using the config file, but the variables aren't being used. Am I supposed to remove the comment hashtags?
edit 4: APPARENTLY YES.
edit 5: Still claims the directory doesn't exist. Do the permissions need to be set a certain way? They're 755 atm.
edit 6: I am still dumb, forgot a level in the path; the cert is made, now I just need to figure out how to get Apache to point to it!
edit 7: The prompts say I am successful, 'creating fullchaiin.pem', 'walking chain', 'done!'; but I cannot seem to find the certs folder.
edit 8: For some reason I am still stupid and had to right click and refresh in filezilla.
Based on the virtualhost you posted, I'm guessing the wellknown variable should point to:
WELLKNOWN="/www/stories/htdocs/.well-known/acme-challenge"
Make sure to create the above directory structure with proper ownership permissions (probably the same as htdocs).
@IfThenElse:
You need to get in touch with whoever set up the server in the first place.
He's dead. Hence why I'm doing this.
But I appear to have managed to create the certs, now my problem is the tutorials I've googled are different from what's generated:
SSLEngine on
SSLCertificateFile /etc/ssl/crt/primary.crt
SSLCertificateKeyFile /etc/ssl/crt/private.key
SSLCertificateChainFile /etc/ssl/crt/intermediate.crt
Supposedly I need to add these lines to the VirtualHost entry, but what's generated looks like:
cert-number.csr
cert-number.pem
chain-number.pem
fullchain-number.pem
privkey-num.pem
I ended up running the command twice after uncommenting my email address, so I don't know if that affected anything.
There are also another 5 files of the same first word and extension, 'cert.csr' etc; but no .crt file or .key file.
Try this:
SSLCertificateFile /etc/pki/letsencrypt/certs/stories.storename.com/cert.pem
SSLCertificateKeyFile /etc/pki/letsencrypt/certs/stories.storename.com/privkey.pem
SSLCertificateChainFile /etc/pki/letsencrypt/certs/stories.storename.com/chain.pem
(ignore the files with numbers, the above files should be symbolic links to the newest and valid certificates)
@IfThenElse:
Dead? May the digital pathways of the eternal fiber optic ethernet rest his binary soul.
I restarted apache and got this error (On trying to reload the iframe):
> An error occurred during a connection to share.storename.com. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
Is the VirtualHost supposed to stay on port 80 or change it to 443?
Sometimes the default configuration already has such an entry defined; no need to create a new one.
But, the WELLKNOWN directory must be accessible via port 80, so that Let's Encrypt and Dehydrated can work.
Yes all SSL/TLS connections go through 443.
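As an added example (not code from the thread or from dehydrated itself), a small POSIX shell helper that covers the dehydrated steps given earlier and the port 80/443 question: it reads the existing port-80 VirtualHost to derive the WELLKNOWN path, checks that the config line is really uncommented and the directory exists, and emits the matching :443 VirtualHost using the unnumbered symlinks. The vhost file layout, the function names and the BASEDIR argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: derive WELLKNOWN from the port-80
# vhost, check the two config traps hit above, and emit the :443 vhost.
# Assumes a vhost file with ServerName and DocumentRoot lines.

# Print the first value of an Apache directive from a vhost file (quotes stripped).
vhost_directive() {  # $1 = vhost file, $2 = directive name
    awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# http-01 only works if the challenge dir sits under the DocumentRoot that the
# port-80 vhost really serves, not under /var/www or ~/public_html by guess.
wellknown_path() {  # $1 = vhost file
    docroot=$(vhost_directive "$1" DocumentRoot)
    [ -n "$docroot" ] || return 1
    printf '%s/.well-known/acme-challenge\n' "${docroot%/}"
}

# A setting in dehydrated's config only counts when its line is uncommented
# (NAME=..., not #NAME=...); this returns the last active value or nothing.
config_value() {  # $1 = dehydrated config file, $2 = variable name
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# Pre-flight before `dehydrated --cron`: config WELLKNOWN must match the vhost
# and the directory must already exist (dehydrated does not create it).
check_wellknown() {  # $1 = vhost file, $2 = dehydrated config file
    want=$(wellknown_path "$1") || return 1
    have=$(config_value "$2" WELLKNOWN)
    [ "$have" = "$want" ] || { echo "config WELLKNOWN is '$have', expected $want" >&2; return 1; }
    [ -d "$want" ] || { echo "missing $want (create it, same owner as DocumentRoot)" >&2; return 1; }
}

# The :443 vhost: same DocumentRoot, SSLEngine on, and the unnumbered
# cert.pem/privkey.pem/chain.pem symlinks under BASEDIR/certs/<ServerName>/.
ssl_vhost() {  # $1 = vhost file, $2 = BASEDIR from the dehydrated config
    name=$(vhost_directive "$1" ServerName)
    docroot=$(vhost_directive "$1" DocumentRoot)
    certdir="$2/certs/$name"
    cat <<EOF
<VirtualHost *:443>
    ServerName $name
    DocumentRoot $docroot
    SSLEngine on
    SSLCertificateFile $certdir/cert.pem
    SSLCertificateKeyFile $certdir/privkey.pem
    SSLCertificateChainFile $certdir/chain.pem
</VirtualHost>
EOF
}
```

The port-80 VirtualHost stays as it is so the acme-challenge directory remains reachable for renewals; the generated stanza is added beside it.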
edit: Still dumb, I uploaded a php file with a syntax error.
Thanks for all of your help; all of this was extremely new for me. Thank you for your patience!
Particularly this one: "WELLKNOWN="/home/myuser/public_html/.well-known/acme-challenge""
Right now I managed to get it to work with subdomains (finance.mydomain.com and baseball.mydomain.com) by just changing WELLKNOWN to the newest subdomain, and then dumping my VirtualHost information all into one file.