Apache HTTP Server
minaev007, 2017-07-14 12:21:05

How to establish a secure connection using letsencrypt?

I launched a project on Ubuntu 14.04 with Apache2 and Django. I can't get SSL to work. The certificate seems to be in place, so there must be something wrong in the config.
Here is the working version of the settings over http. Everything works with this:
/etc/apache2/sites-available/000-default.conf:

<VirtualHost *:80>

    ServerName mysite.com.ua
    ServerAdmin [email protected]
    DocumentRoot /var/www/myproject/myproject

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /static /var/www/myproject/static
    <Directory /var/www/myproject/static>
        Require all granted
    </Directory>

    <Directory /var/www/myproject/myproject>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>

    WSGIDaemonProcess myproject python-path=/var/www/myproject python-home=/var/www/myproject/myprojectenv
    WSGIProcessGroup myproject
    WSGIScriptAlias / /var/www/myproject/myproject/wsgi.py

</VirtualHost>

/etc/apache2/sites-available/default-ssl.conf remains unchanged:
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin [email protected]

        DocumentRoot /var/www/html

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    </VirtualHost>
</IfModule>

So the site works fine over http.
Now I try to set up https.
/etc/apache2/sites-available/000-default.conf:
<VirtualHost *:80>

    ServerName mysite.com.ua
    Redirect permanent / https://mysite.com.ua

</VirtualHost>

configure /etc/apache2/sites-available/default-ssl.conf:
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin [email protected]
        ServerName mysite.com.ua
        DocumentRoot /var/www/myproject/myproject
            <Directory /var/www/myproject/myproject>
                AllowOverride All
            </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on

        SSLCertificateFile /etc/letsencrypt/live/mysite.com.ua/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com.ua/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/mysite.com.ua/chain.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    </VirtualHost>
</IfModule>

And that's it. Opera writes the site cannot provide a secure connection. Firefox says SSL received a record that is longer than the maximum allowed. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
In one of the manuals (they have all blurred together in my head by now) it said that there are modules which are not enabled by default and need to be enabled:
$ sudo a2enmod expires
$ sudo a2enmod headers
$ sudo a2enmod rewrite
$ sudo a2enmod ssl

Did it from the very beginning. That is, ssl is enabled.
Please tell me how to solve the problem. Thanks in advance.

Viktor Taran, 2017-07-14
@shambler81

Here's what you do:
1. Copy your regular site config. Put it next to it and name it lalla-ssl.
2. Change the port in it.
3. Hook up the certificates (see the manual); certbot will help you. https://certbot.eff.org/
4. The certificate will be issued only for the domain that is bound to the server.
5. Check it; the certificate grade should be A+.
6. If not, add more config pieces.
Here's an example of my config; unfortunately what I have at hand is nginx, not Apache, but the certbot site fully describes all OSes and installation types, so follow the manual.

server {
    listen 443 ssl http2;

    server_name site.ru.ru www.site.ru.ru;

    # enable SSL connection
    #include bx/conf/ssl.conf;
    ssl_stapling on;
    ssl_certificate /etc/letsencrypt/live/site.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/site.ru/privkey.pem;
    ssl on;    # redundant with "listen 443 ssl", kept from the original
    keepalive_timeout 70;
    keepalive_requests 150;
    # declared once: nginx refuses to start on a duplicate directive in the same block
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/pki/nginx/dhparam.pem;
    ssl_protocols TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=31536000;";
    #add_header Content-Security-Policy-Report-Only "default-src
}

In order not to be confused at all, take out the ssl config for your site in a separate file.
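The following script is an added example and is not code from the question, the answer or the Apache project. It ties the two posts together: SSL_ERROR_RX_RECORD_TOO_LONG from the question is what a browser reports when port 443 answers with something other than a TLS record (typically plain HTTP because the SSL vhost never took effect), and the answer's steps 1, 2 and 6 amount to copying the :80 vhost to :443 and adding hardening. The script (a) classifies what a client received on 443, (b) checks a vhost file for SSLEngine on plus certificate and key, (c) checks that the site is actually enabled, mod_ssl loaded and 443 listened on, and (d) builds a constructed Debian-style config tree in a temp dir containing an Apache 2.4 equivalent of the nginx hardening shown in the answer. Assumptions: Apache 2.4 on Ubuntu with the sites-available/sites-enabled/mods-enabled layout, certbot files under /etc/letsencrypt/live/mysite.com.ua/, mod_headers enabled; the protocol and cipher choices in the sample vhost are this example's own, not the answerer's.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Apache 2.4 on Ubuntu with the
# Debian layout (sites-available/, sites-enabled/, mods-enabled/, ports.conf);
# everything below is written into a temp dir, so it runs offline.
set -u

# What did the browser actually receive on port 443? SSL_ERROR_RX_RECORD_TOO_LONG
# means the first bytes were not a TLS record (type 0x16, version 0x03xx). A
# server that answers plain HTTP on 443 produces exactly that symptom.
classify_443_reply() {
    tls_record=$(printf '\026\003')
    case "$1" in
        HTTP/*)          echo "plain-http" ;;   # 443 is served without SSLEngine on
        "$tls_record"*)  echo "tls" ;;
        *)               echo "unknown" ;;
    esac
}

# Static checks on one vhost file: it must declare a :443 VirtualHost with
# SSLEngine on plus certificate and key paths. Returns 0 when all are present.
check_ssl_vhost() {
    conf="$1"; ok=0
    grep -qE '^[[:space:]]*<VirtualHost[^>]*:443>' "$conf" \
        || { echo "$conf: no :443 VirtualHost"; ok=1; }
    grep -qiE '^[[:space:]]*SSLEngine[[:space:]]+on' "$conf" \
        || { echo "$conf: SSLEngine on missing"; ok=1; }
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        grep -qE "^[[:space:]]*$d[[:space:]]+[^[:space:]]" "$conf" \
            || { echo "$conf: $d missing"; ok=1; }
    done
    return $ok
}

# A correct vhost file is useless if Apache never loads it: the site must be
# linked into sites-enabled (a2ensite), mod_ssl loaded (a2enmod ssl, otherwise
# the <IfModule mod_ssl.c> wrapper silently hides the whole vhost) and 443 listened on.
check_site_enabled() {
    root="$1"; site="$2"; ok=0
    [ -e "$root/sites-enabled/$site.conf" ] \
        || { echo "$site not enabled (a2ensite $site)"; ok=1; }
    [ -e "$root/mods-enabled/ssl.load" ] \
        || { echo "mod_ssl not enabled (a2enmod ssl)"; ok=1; }
    grep -qE '^[[:space:]]*Listen[[:space:]]+(.*:)?443' "$root/ports.conf" \
        || { echo "no Listen 443 in ports.conf"; ok=1; }
    return $ok
}

# Constructed sample tree: the question's :80 vhost copied to :443 (steps 1-2 of
# the answer) with the nginx hardening translated to mod_ssl directives. The
# protocol and cipher choices are this example's, not the answerer's.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/sites-available" "$root/sites-enabled" "$root/mods-enabled"
    printf 'Listen 80\n<IfModule ssl_module>\n    Listen 443\n</IfModule>\n' > "$root/ports.conf"
    cat > "$root/sites-available/default-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
    # stapling cache lives at server scope, not inside the VirtualHost
    SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)
    <VirtualHost _default_:443>
        ServerName mysite.com.ua
        DocumentRoot /var/www/myproject/myproject
        <Directory /var/www/myproject/myproject>
            <Files wsgi.py>
                Require all granted
            </Files>
        </Directory>
        # WSGI lines moved here from the :80 vhost, which now only redirects
        WSGIDaemonProcess myproject python-path=/var/www/myproject python-home=/var/www/myproject/myprojectenv
        WSGIProcessGroup myproject
        WSGIScriptAlias / /var/www/myproject/myproject/wsgi.py

        SSLEngine on
        SSLCertificateFile    /etc/letsencrypt/live/mysite.com.ua/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com.ua/privkey.pem
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        SSLHonorCipherOrder on
        SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!MD5:!RC4
        SSLUseStapling on
        # needs mod_headers (a2enmod headers, which the question already ran)
        Header always set Strict-Transport-Security "max-age=31536000"
    </VirtualHost>
</IfModule>
EOF
    ln -s "$root/sites-available/default-ssl.conf" "$root/sites-enabled/default-ssl.conf"
    touch "$root/mods-enabled/ssl.load"
    echo "$root"
}

# Stand-alone run: RUN_DEMO=1 sh this_script.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    root=$(demo_tree)
    check_ssl_vhost "$root/sites-available/default-ssl.conf" && check_site_enabled "$root" default-ssl \
        && echo "ssl vhost looks complete and enabled"
    classify_443_reply 'HTTP/1.1 400 Bad Request'
fi
```

On a real host, point check_ssl_vhost at /etc/apache2/sites-available/default-ssl.conf and check_site_enabled at /etc/apache2; the most common reason a vhost like the one in the question produces SSL_ERROR_RX_RECORD_TOO_LONG is that the file was edited but never enabled with a2ensite, so Apache keeps serving plain HTTP on 443. After fixing, `apache2ctl configtest` and `apache2ctl -S` confirm that a *:443 vhost is actually loaded.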
