Questions on SSL
Posted by: vc (164.90.16.---)
Date: November 24, 2014 10:00PM

Hi All,

I am new on setting up SSL on WAMP and currently have two questions. Thanks!!!


Version of Operating system: Windows Server 2008 R2 Standard, 64-bit
Version of Wamp Server installed: 2.1d 64-bit
Version of Apache you are running: 2.2.17
Version of MySQL you are running: 5.1.53
Version of PHP you are running: 5.3.4
What colour is your WampManager icon? ( in the system tray ) Orange
Do you have a HOSTS file? [c:\windows\system32\drivers\etc\hosts] Yes


On our production server, we have couple virtual hosts setup on httpd-vhosts.conf and one SSL virtual host set up on httpd-ssl.conf.

For example on httpd-vhosts.conf:

<VirtualHost *:80>
DocumentRoot "E:/wamp/www/DOMAIN1/"
ServerName www.DOMAIN1.com
</VirtualHost>

<VirtualHost *:80>
DocumentRoot "E:/wamp/www/DOMAIN2/"
ServerName www.DOMAIN2.com
</VirtualHost>

<VirtualHost *:80>
DocumentRoot "E:/wamp/www/DOMAIN3/"
ServerName www.DOMAIN3.com
</VirtualHost>

For httpd-ssl.conf, we have:

<VirtualHost *:443>
DocumentRoot "E:/wamp/www/SSLDOMAIN1/"
ServerName www.SSLDOMAIN1.com
…rest of ssl setup…
</VirtualHost>

(1) Problem: When visitors accessing [www.DOMAIN1.com], it works fine and route to “DOMAIN1” folder. But when they visit [www.DOMAIN1.com], it routes to “SSLDOMAIN1” folder. Is there any way to route visitors back to correct folder if there is no SSL define for that domain name? or any suggestions on fixing this issue?

(2) I’ve searched around and been guided to this link: [wiki.apache.org]. If I understand correctly: if we have two domain names with their own SSL certificates, in order to configure two SSL Virtual hosts on the same Apache, we will need to assign each separate domain with different IPs. How can I assign different local IP for each domain in WAMP?

Thanks!



Edited 1 time(s). Last edit at 11/24/2014 11:43PM by vc.

Options: ReplyQuote
Re: Questions on SSL
Posted by: RiggsFolly (---.as43234.net)
Date: November 24, 2014 11:06PM

Can you answer these basic questions so we know what you are using please [forum.wampserver.com]

---------------------------------------------------------------------------------------------
(Windows 7 Pro 32bit) (Wampserver 3.1.1 32bit)
<Apache 2.4.23/2.2.31> <PHP 7.2/7.1/7.0/5.6/5.5/5.4> <MySQL 5.7.19/5.6.17/5.5.28>
<MariaDB 10.1.21> <phpMyAdmin4.7.7> <MySQL Workbench 6.3.6.511>

Read The Manuals Apache -- MySQL -- PHP -- phpMyAdmin -- WAMPServer alternate Repo
-?-?-?- Backup your MySQL databases regularly Here is How dont regret it later! Yes even when developing -?-?-?-

Options: ReplyQuote
Re: Questions on SSL
Posted by: vc (164.90.16.---)
Date: November 24, 2014 11:44PM

oh oh, thanks for the reminder, I have updated my question.

For #2 - I assume I define the local IP address for each domain at the hosts file?

Thanks!

Options: ReplyQuote
Re: Questions on SSL
Posted by: RiggsFolly (---.as43234.net)
Date: November 25, 2014 01:15AM

Quote

(1) Problem: When visitors accessing [www.DOMAIN1.com], it works fine and route to “DOMAIN1” folder. But when they visit [www.DOMAIN1.com], it routes to “SSLDOMAIN1” folder. Is there any way to route visitors back to correct folder if there is no SSL define for that domain name? or any suggestions on fixing this issue?

Well it would send user to SSLDOMAIN1 because you told it to!?!?!?!

Normally a single site is pointed to by one VHOST definition and then if you want it to be a secure site as well you add a httpd-ssl.conf VHOST pointing to the SAME site. So basically you have 2 VHOSTS pointing to the same site. One is for unsecured access and one for secured access, the difference being *:80 or *:443.


A normal VHOST in httpd-vhost.conf
<VirtualHost *:80>
DocumentRoot "E:/wamp/www/DOMAIN1"
ServerName www.DOMAIN1.com
</VirtualHost>

A secure VHOST in httpd-ssl.conf
<VirtualHost *:443>
DocumentRoot "E:/wamp/www/DOMAIN1"
ServerName www.DOMAIN1.com
</VirtualHost>
... SSL Stuff




This tutorial may help


How to Configure WAMPServer to use HTTPS SSL


This is not a trivial process. This tutorial will, hopefully, get SSL working for you.
However getting it configured to match your secific requirements once it is working is TOTALLY DOWN TO YOU.

Additional reading for all who travel this road
Remember this is Apache and PHP we are configuring here and not WAMPServer, so it is all documented on the Apache and PHP sites if you get any issues or have any specific requirements.

Ok,

I have based this tutorial on the creation of a site called www.wamphelpers.dev So whereever you see that name change it to the site name you are trying to secure.

I started by creating a unsecured site, in \wamp\www\wamphelpers

added a Virtual Host for that site, in httpd-vhosts.conf

<VirtualHost *:80>
    DocumentRoot "c:/wamp/www"
    ServerName localhost
    ServerAlias localhost
    <Directory  "c:/wamp/www">
        AllowOverride All
        Require local
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "c:/wamp/www/wamphelpers"
    ServerName wamphelpers.dev
    ServerAlias www.wamphelpers.dev
    <Directory  "c:/wamp/www/wamphelpers">
        AllowOverride All
        Require local
    </Directory>
</VirtualHost>

Added its name to the C:\windows\system32\drivers\etc\hosts

127.0.0.1 wamphelpers.dev www.wamphelpers.dev
::1       wamphelpers.dev www.wamphelpers.dev


Now restart the dnscache as follows from a command windows launched using 'Run as Administrator'

net stop dnscache
net start dnscache


Then created a simple script in \wamp\www\wamphelpers\index.php

<?php
    echo 'Hello, this is the WAMPHELPERS.DEV site homepage';
?>

Now restart Apache and make sure that your simple unsecured site is working before continuing


---------- The openssl toolkit. ----------

The openssl.exe, ssleay32.dll and libeay32.dll come with, and are located in, the C:\wamp\bin\apache\apachex.y.z\bin folder
This should be all you need to create your self signed certificate !!

HOWEVER: These did not work for me on any of the versions of Apache that I had installed.
I always got an error message something like this.



Where the ordinal number changed depending on the apache version folder I was in.

If you get this error dont worry this is what you need to do.

---------- install the latest version of the OPENSSL TOOLKIT ----------

This can be obtained from here

Pick the Latest version of OpenSSL Light as this contains all you need.
Pick either the 'Win32 OpenSSL vxxx Light' or 'Win64 OpenSSL vxxx Light'
Pick the one that matches your WAMPServer and not necessarily your OS bit count i.e.
if WAMPServer is 32bit pick the Win32 even if you are running on a Windows 64 OS
if WAMPServer is 64bit pick the Win64

This will download an .exe install file which you can run to install this toolkit.

It will ask the following question, I suggest you answer it like this so you dont end up installing something into C:\windows\system32.
Afterall this is a toolkit and it changes reasonably often. Best to keep these things seperate and not make them system global.

OpenSSL install suggestion



Once that is installed ( to whichever folder you specified in the install ) you should be ready to start the process of generating keys and certificates!


---------- Generate keys and Certificates. ----------

STEP 1: Generate an RSA Private Key

First we need to create ourselves a certificate.
The normal (paid for) process is to create your certificate and then pass it to a signing authority.
This is why it costs money, as they have to do, due dilligence, to check that you are who you say you are and that site that you will use the certificate on is real and legitimate.

The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request) to be used for our Certificate.
The first step is to create your RSA Private Key.
This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.


Open up a Command window (Dos box) using Run as Administrator
Change Directory to where you installed the OpenSSL Toolkit above.
In my case this is

CD c:\apps\OpenSSL-Win32\bin

Make a folder for the output to be put in ( to keep the bin folder tidy ) I used website
md website

Now enter this command:
openssl genrsa -out website\server.key 2048

This should have created a file in the 'website' folder called privkey.pem, without a pass phrase key, check it exists.


Step 2: Generate a CSR (Certificate Signing Request)

During the generation of the CSR, you will be prompted for several pieces of information.
These are the X.509 attributes of the certificate.
One of the prompts will be for "Common Name (e.g. server FQDN or YOUR name) []:".
It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL.
So if the website to be protected will be `[www.wamphelpers.dev]`, then enter `www.wampheplers.dev` at this prompt.

Do not enter anything to the question: A challenge password []:] - Just press Enter.
If you do enter a passphrase here when you come to start Apache with SSL configured Apache will not start and will give this error message :-

*[error] Init: SSLPassPhraseDialog builtin is not supported on Win32*

Basically if you do enter a passphrase Apache is supposed to challenge you for that passphrase each time it starts.
This is obviously not going to make your life any easier but primarily on windows it does not actually work and will
cause Apache to crash when it attempts to ask for the passphrase, with the above error.

The command to generate the CSR is as follows:
openssl req -new -key website\server.key -out website\server.csr


Example question and answers:
    Country Name (2 letter code) [AU]:GB
    State or Province Name (full name) [Some-State]: Hampshire
    Locality Name (eg, city) []: Portsmouth
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: Wamp Helpers Ltd
    Organizational Unit Name (eg, section) []: Information Technology
    Common Name (e.g. server FQDN or YOUR name) []: www.wamphelpers.dev
    Email Address []: me@wamphelpers.dev

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: ( leave blank just hit the enter key )
    An optional company name []: ( leave blank just hit the enter key )

Step 3: Generating a Self-Signed Certificate

At this point you will need to generate a self-signed certificate because you either don't plan on having your certificate signed by a CA, or you wish to test
your new SSL implementation while the CA is signing your certificate.

openssl x509 -req -days 365 -in website\server.csr -signkey website\server.key -out website\server.crt

PRE - WARNING
Because we are not getting this certificate signed by a Certificate Authority, this certificate will generate an error in the client browser to the effect that
the signing certificate authority is unknown and not trusted.
This is unavoidable as we are signing the certificate ourselves, but of course the web of trust does not know who we are.
See example later in this document showing how to tell your browser that you actually trust this certificate


Example output:
Loading 'screen' into random state - done
Signature ok
subject=/C=GB/ST=Hampshire/L=Portsmouth/O=WampHelpers Ltd/OU=Information Technology/CN=www.wamphelpers.dev/emailAddress=riggsfolly@wamphelpers.dev
Getting Private key

Step 4: Installing the Private Key and Certificate

Create these 2 directories under the version of Apache you are using.

md c:\wamp\bin\apache\apachex.y.z\conf\ssl.key
md c:\wamp\bin\apache\apachex.y.z\conf\ssl.crt

And copy the file we have just generated into them like so:
copy website\server.crt c:\wamp\bin\apache\apachex.y.z\conf\ssl.crt
copy website\server.key c:\wamp\bin\apache\apachex.y.z\conf\ssl.key


Step 5: Configure Apache to activate SSL

Edit httpd.conf, Check that this line is uncommented
LoadModule ssl_module modules/mod_ssl.so

Remove the comment '#' from this line also
Include conf/extra/httpd-ssl.conf

Then move that line after this block <IfModule ssl_module>.... </IfModule> like so

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf


Step 6: Configure PHP to activate SSL

Edit your php.ini ( use the wampmanager menus so you edit the correct one )

Remove the comment ';' from this line
extension=php_openssl.dll


Step 7: Configure your secure sites Virtual Host

Yup for all you Virtual Host nay sayers, now you cannot avoid the process.

Edit "\wamp\bin\apache\apachex.y.z\conf\httpd-ssl.conf"

This file is released by Apache and contains some default file location.
We can leave most of this file as it is, but we need to configure the virtual host in here to match our actual sites location and a few other things so:

find these lines
DocumentRoot "c:/Apache2/htdocs"
ServerName www.example.com:443
ServerAdmin admin@example.com
ErrorLog "c:/Apache2/logs/error.log"
TransferLog "c:/Apache2/logs/access.log"

and change them to
    DocumentRoot "c:/wamp/www/wamphelpers"
    ServerName wamphelpers.dev:443
    ErrorLog "c:/wamp/logs/ssl_error.log"
    TransferLog "c:/wamp/logs/ssl_access.log"

Find
SSLCertificateFile "c:/Apache2/conf/server.crt"

and change to
SSLCertificateFile "c:/wamp/bin/apache/apachex.y.x/conf/ssl.crt/server.crt"

Find
SSLCertificateKeyFile "c:/Apache2/conf/server.key"

and change to
SSLCertificateKeyFile "c:/wamp/bin/apache/apache2.2.26/conf/ssl.key/server.key"

Find
<Directory "c:/Apache2/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

and change to
<Directory "c:/wamp/www/wamphelpers">
    SSLOptions +StdEnvVars
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 localhost ::1
</Directory>


Find
SSLSessionCache        "shmcb:c:/Apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

and change it to
SSLSessionCache        "shmcb:c:/wamp/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
Find
<Directory "c:/Apache2/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

and change to
CustomLog "c:/wamp/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


Basically look through the conf file and any command that is not commented out, but has a reference to a file or folder
should be changed to reference the WAMPServer folder structure and not 'C:/Apache2....'

Now make sure all these files we have changed are saved, and restart Apache using the wampmanager menus.


First test that the unprotected site is still working.

Then try using your new protected site by adding the 'https://' to the front of the domain name
i.e. `[www.wamphelpers.dev]` without the single quotes of course.



If Apache does not restart you have probably spelt something wrong. Test the configs like so :-

Open a command window
cd \wamp\bin\apache\apachex.y.z\bin
httpd -t

This will parse all the config files and should give you a file name and a line number where an error has been found.

Fix it and try again.



First access to your site will generate a message page something like this.
This is using FireFox, others will be slightly different, but the concept it the same.



This is because your certificate is not signed by a trusted authority, DONT PANIC, this is supposed to happen.

Click on, 'I Understand the risk' and that will show you a button saying 'Add Exception'
Press the Add Exception button, after checking that the certificates site details are in fact yours,
and you will not see this message again unless you clear the exception list.





BIG NOTE
As of Apache v2.2.12 and OpenSSL v0.9.8j it is now possible to secure more than one site per Apache instance.
This tutorial does not cover that process.
See here for more details:

Here

And here

And here

And like I said at the top, now you need to do some reseach on all the options available in the SSL config and make thing work as you want rather than using the default.

---------------------------------------------------------------------------------------------
(Windows 7 Pro 32bit) (Wampserver 3.1.1 32bit)
<Apache 2.4.23/2.2.31> <PHP 7.2/7.1/7.0/5.6/5.5/5.4> <MySQL 5.7.19/5.6.17/5.5.28>
<MariaDB 10.1.21> <phpMyAdmin4.7.7> <MySQL Workbench 6.3.6.511>

Read The Manuals Apache -- MySQL -- PHP -- phpMyAdmin -- WAMPServer alternate Repo
-?-?-?- Backup your MySQL databases regularly Here is How dont regret it later! Yes even when developing -?-?-?-



Edited 1 time(s). Last edit at 11/25/2014 11:12AM by RiggsFolly.

Options: ReplyQuote
Re: Questions on SSL
Posted by: vc (164.90.16.---)
Date: November 25, 2014 01:49AM

My bad, I think I had a bad illustration sad smiley It should be this:

In httpd-vhost.conf:

<VirtualHost *:80>
DocumentRoot "E:/wamp/www/DOMAIN1"
ServerName www.DOMAIN1.com
</VirtualHost>

In httpd-ssl.conf:

<VirtualHost *:443>
DocumentRoot "E:/wamp/www/DOMAIN2"
ServerName www.DOMAIN2.com
</VirtualHost>
... SSL Stuff

so the problem is when I access [www.DOMAIN1.com], it will go to [www.DOMAIN2.com]
(where there is no SSL for www.DOMAIN1.com)

Options: ReplyQuote
Re: Questions on SSL
Posted by: RiggsFolly (---.as43234.net)
Date: November 25, 2014 11:19AM

You are not getting it.

You dont have a definition in the httpd-ssl.conf to define a secure VHOST for 'https://www.domain1.com'

If you want to access domain1 normally AND securely you must have 2 definitions,

one in httpd-vhost.conf file for the normal unencrypted access on port 80
AND
one in the httpd-ssl.conf for the secure encrypted access on port 443

So for domain1 you need

httpd-vhost.conf:

<VirtualHost *:80>
DocumentRoot "E:/wamp/www/DOMAIN1"
ServerName www.DOMAIN1.com
</VirtualHost>

AND

httpd-ssl.conf:
<VirtualHost *:443>
DocumentRoot "E:/wamp/www/DOMAIN1"
ServerName www.DOMAIN1.com
</VirtualHost>


The reason you get sent to the wrong site with your currebt config is that when Apache cannot find the definition in httpd-ssl.conf for domain1 it will default to the first definition in the httpd-ssl.conf file just like it does when it cannot find a VHOST definition in the httpd-vhost.conf file for normal port 80 accesses.



Oh I assume you have chopped out what you considered unnecessary from your <VirtualHost...> definitions. If not see the big post for what else should be in a VHOST definition.

---------------------------------------------------------------------------------------------
(Windows 7 Pro 32bit) (Wampserver 3.1.1 32bit)
<Apache 2.4.23/2.2.31> <PHP 7.2/7.1/7.0/5.6/5.5/5.4> <MySQL 5.7.19/5.6.17/5.5.28>
<MariaDB 10.1.21> <phpMyAdmin4.7.7> <MySQL Workbench 6.3.6.511>

Read The Manuals Apache -- MySQL -- PHP -- phpMyAdmin -- WAMPServer alternate Repo
-?-?-?- Backup your MySQL databases regularly Here is How dont regret it later! Yes even when developing -?-?-?-



Edited 1 time(s). Last edit at 11/25/2014 11:24AM by RiggsFolly.

Options: ReplyQuote
Re: Questions on SSL
Posted by: vc (164.90.16.---)
Date: November 25, 2014 06:41PM

Got you! So if we don’t have SSL certificate for www.domain1.com and visitors somehow visit www.domain1.com via HTTPS, we will have to define domain1.com in httpd-ssl.conf to avoid routing to wrong site.

Options: ReplyQuote
Re: Questions on SSL
Posted by: RiggsFolly (---.as43234.net)
Date: November 25, 2014 08:46PM

Well yes, and no.

If you want domain1.com to be accessible via port 80 unsecure and 443 sll secure define it that way.

---------------------------------------------------------------------------------------------
(Windows 7 Pro 32bit) (Wampserver 3.1.1 32bit)
<Apache 2.4.23/2.2.31> <PHP 7.2/7.1/7.0/5.6/5.5/5.4> <MySQL 5.7.19/5.6.17/5.5.28>
<MariaDB 10.1.21> <phpMyAdmin4.7.7> <MySQL Workbench 6.3.6.511>

Read The Manuals Apache -- MySQL -- PHP -- phpMyAdmin -- WAMPServer alternate Repo
-?-?-?- Backup your MySQL databases regularly Here is How dont regret it later! Yes even when developing -?-?-?-

Options: ReplyQuote
Re: Questions on SSL
Posted by: vc (164.90.16.---)
Date: November 25, 2014 11:00PM

What’s if I don’t want domain1.com to be access via port 443 SSL? Can you please advise how to define that in httpd-ssl.conf (I assume)? Thanks!!

Options: ReplyQuote


Sorry, only registered users may post in this forum.