
SSL Certificates

Started by baldur2630, July 05, 2022, 06:20:55 PM


baldur2630

I have 3 forums running on CentOS 7 no SSL no problems.

I'm upgrading to CentOS 8 and I want to move the forums over. To test everything was working, I started an install of the latest version. I got to the SSL part and Bye Bye installation.

I'm planning to install Let's Encrypt. I see no reason to pay for something which does NOTHING. It doesn't stop the hackers. It doesn't stop the spammers and it doesn't block the backdoors that the alphabet agencies have built into every computer. Let's Encrypt is the way to go BUT...

When I tried to install a certificate, it needs the name of the forum and if the forum can't exist because it can't be installed, SMF seems to be out of the race.

I hope there is either an older version I can use which doesn't die if I don't make some millionaires even richer OR perhaps someone has managed to install Let's Encrypt for a site which doesn't exist.

I am NOT using a hosting site. All my servers are in a subdomain which I host myself in my office (and I have all the security if it's in my office that SSL won't give me!)

Anyone have an answer to this conundrum or do I stay with CentOS 7?

Kindred

I have no idea what you mean.
I installed smf just fine without a certificate and then added the certificate after installation
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

Quote from: baldur2630 on July 05, 2022, 06:20:55 PM
I see no reason to pay for something which does NOTHING

Not entirely true, it enables HTTPS without users getting scary warnings, which prevents the most trivial cases of MITM and so on and things like password sniffing over wifi.

Quote from: baldur2630 on July 05, 2022, 06:20:55 PM
When I tried to install a certificate, it needs the name of the forum and if the forum can't exist because it can't be installed, SMF seems to be out of the race

This is really a server problem not a PHP application level problem; you'd plug the certificate into Apache (or nginx, whichever your flavour, doesn't really matter) and if you can't serve even a static file/image from there, it's not configured correctly, because SSL connections are handled by the web server underneath the PHP layer.

Get it running without worrying about PHP - just stick an image in the folder you're going to be serving from and verify you can access that correctly over HTTPS.

As for SMF, you're on CentOS 7 which IIRC ships with PHP 5.4 which is far too old for SMF 2.1 (but not the still-supported 2.0). Ideally if you want to use SMF, not using something with a 10 year old (and long since unsupported by its developers) version of PHP would be a good start.

live627

Quote from: baldur2630 on July 05, 2022, 06:20:55 PM
When I tried to install a certificate, it needs the name of the forum and if the forum can't exist because it can't be installed, SMF seems to be out of the race.
Are you confusing that with the domain name?

marcosbr

Let's Encrypt will install a sub domain if you have a "valid" domain,
They don't know "your office"
Nothing in life is absolute. We are always learning... Did you know that?
https://amigosdaeletronica.com.br

baldur2630

Quote from: Kindred on July 05, 2022, 06:23:03 PM
I have no idea what you mean.
I installed smf just fine without a certificate and then added the certificate after installation
What browser, I tried Firefox, Chrome, Brave and it's the same with every one of them. It's fine until you reach the page where at the bottom you have a checkbox about forcing SSL. It's grayed out and as soon as you click 'Continue', I get a BLANK screen and a message it's insecure.

Just utter BS. There is no more privacy SSL or not NOTHING is secure.

There seems to be no way past this on my system. Unless you have found a browser that isn't trying to make someone rich.

shawnb61

I suggest stepping thru this how-to, one careful step at a time.  Especially the SSL diagnostics & repair_settings tools:
https://www.simplemachines.org/community/index.php?topic=555034.0
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Kindred

Quote from: baldur2630 on July 05, 2022, 11:22:07 PM
Quote from: Kindred on July 05, 2022, 06:23:03 PM
I have no idea what you mean.
I installed smf just fine without a certificate and then added the certificate after installation
What browser, I tried Firefox, Chrome, Brave and it's the same with every one of them. It's fine until you reach the page where at the bottom you have a checkbox about forcing SSL. It's grayed out and as soon as you click 'Continue', I get a BLANK screen and a message it's insecure.

Just utter BS. There is no more privacy SSL or not NOTHING is secure.

There seems to be no way past this on my system. Unless you have found a browser that isn't trying to make someone rich.

Any browser

Don't use https to install.
Use http.
Install smf.
Then install your cert.
Then switch your smf to https.

If you get a warning, then tell it to ignore the insecure nature; you are aware of the risks.

Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

baldur2630

Quote from: shawnb61 on July 05, 2022, 11:27:56 PM
I suggest stepping thru this how-to, one careful step at a time.  Especially the SSL diagnostics & repair_settings tools:
https://www.simplemachines.org/community/index.php?topic=555034.0

The opening line says it all (1.) Purchase & install your certificate.

HTTP is fine until the box about forcing SSL, after that ALL the browsers stop working and give a blank page or an error message. To say it works with any browser is pure bull****** IT DOES NOT.

I don't think this is an SMF problem. I think it's a browser problem and/or Windows 10.
I'll try it using XP see what that does

marcosbr

Quote from: baldur2630 on July 05, 2022, 06:20:55 PM
I have 3 forums running on CentOS 7 no SSL no problems.

I'm upgrading to CentOS 8 and I want to move the forums over. To test everything was working, I started an install of the latest version. I got to the SSL part and Bye Bye installation.

I'm planning to install Let's Encrypt. I see no reason to pay for something which does NOTHING. It doesn't stop the hackers. It doesn't stop the spammers and it doesn't block the backdoors that the alphabet agencies have built into every computer. Let's Encrypt is the way to go BUT...

When I tried to install a certificate, it needs the name of the forum and if the forum can't exist because it can't be installed, SMF seems to be out of the race.

I hope there is either an older version I can use which doesn't die if I don't make some millionaires even richer OR perhaps someone has managed to install Let's Encrypt for a site which doesn't exist.

I am NOT using a hosting site. All my servers are in a subdomain which I host myself in my office (and I have all the security if it's in my office that SSL won't give me!)

Anyone have an answer to this conundrum or do I stay with CentOS 7?

You cannot "force" SSL without having a certificate installed.
Nothing in life is absolute. We are always learning... Did you know that?
https://amigosdaeletronica.com.br

Arantor

Which is why you should get the SSL working *first* before worrying about SMF in this case.

Chief of Nothing

Quote from: baldur2630 on July 05, 2022, 06:20:55 PM
I see no reason to pay for something which does NOTHING.
Yes it does; as Arantor said, it blocks nearly all man-in-the-middle attacks, from sniffing passwords to eavesdropping on the content you're looking at.

You didn't say what webserver you're running so perhaps if you tell us that and maybe post the server's configuration we can help more.

I too think you may have confused forum name with domain name with the certificate. Did you put your domain info into the Let's Encrypt certificate?

Quote from: baldur2630 on July 05, 2022, 06:20:55 PM
and I have all the security if it's in my office that SSL won't give me!
This is not good thinking, it matters not one bit if the computer is in your office or not if there are any unpatched / not yet discovered exploits in your OS, webserver, PHP or forum software.

Quote from: baldur2630 on July 06, 2022, 03:17:56 AM
I don't think this is an SMF problem. I think it's a browser problem and/or Windows 10.
I'll try it using XP see what that does
It is not an SMF problem. It is not a browser problem. It is not a Windows 10 problem. It is a webserver configuration problem.

baldur2630

HP-Proliant ML110 G6 Server. VMWare ESX 6 (we are VMWare partners)

CentOS 8 server. Downloaded last week. Clean installation 4GB RAM. 100GB hard drive.

Apache, mySQL,
SELinux disabled.
dnf updates done.
vsftpd with TLS working.

2 x virtual servers. Working fine with a Welcome stub
vserver folder in /etc/http/config.d as below (exactly the same as on CentOS 7 which works fine WITHOUT an SSL)

<VirtualHost *:80>
    ServerName myserver.mydomain(FQDN)
    DocumentRoot /var/www/myserver
    RewriteEngine On
    RewriteRule ^(/techsup/.*) /www/myserver$1

    ServerAdmin myEmail
    ServerAlias myserver
    ErrorLog /var/log/httpd/myserver-errorr_log
    TransferLog /var/log/httpd/myserver-access_log
    DirectoryIndex index.php
</VirtualHost>

What else?

Aleksi "Lex" Kilpinen

Quote from: baldur2630 on July 06, 2022, 03:17:56 AM
The opening line says it all (1.) Purchase & install your certificate.

HTTP is fine until the box about forcing SSL, after that ALL the browsers stop working and give a blank page or an error message. To say it works with any browser is
Others have said this already in other words, but I'm just pointing this out once more to be clear,
since you seem more than a bit confused about it.

Installing an SSL certificate and configuring your server to use it, has nothing to do with SMF.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Chief of Nothing

Quote from: baldur2630 on July 06, 2022, 11:06:23 AM
What else?

Ok, I'm not so up to date with Apache but from what you've posted if that's the only configuration that you have then Apache is not configured to use SSL.

You also need a virtualhost listening on port 443 for SSL. This virtualhost would contain the settings for enabling SSL and the path to the SSL certificate for the domain. Here is an example I found:

<VirtualHost 192.168.1.1:443>
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

        SSLCertificateFile      /etc/ssl/star.example.com.crt
        SSLCertificateKeyFile   /etc/ssl/star.example.com.key

        ServerName      "one.example.com"
        DocumentRoot    "/var/www/html/one"

        CustomLog       "/var/log/httpd/one-access.log" combined
        ErrorLog        "/var/log/httpd/one-error.log"

        <Directory /var/www/html>
                AllowOverride none

                Order Allow,Deny
                Allow from all
        </Directory>
</VirtualHost>

Do you have any configs that looks similar to that?
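
Added example, not part of any post in this thread: a small POSIX shell lint that reads an Apache vhost file on stdin and reports the gaps discussed above (no port 443 vhost, SSLEngine off, missing certificate directives), plus cipher-string tokens that leave export-grade, LOW, RC4 or SSLv2 suites enabled, as the SSLCipherSuite line in the example config does. The function and finding names, the `forum.example.com` host and the Let's Encrypt-style certificate paths are assumptions, and all three configs are constructed samples.

```shell
#!/bin/sh
# Lint an Apache vhost config, read on stdin, for the TLS gaps raised in the thread.
# Prints one finding per line; prints nothing when no gap is found.
audit_vhost() {
    body=$(sed 's/#.*//')    # drop comments so disabled directives do not count
    printf '%s\n' "$body" | grep -Eiq '<VirtualHost[^>]*:443>' || echo "no-443-vhost"
    printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' || echo "sslengine-off"
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        printf '%s\n' "$body" | grep -Eiq "^[[:space:]]*$d[[:space:]]+[^[:space:]]" || echo "missing-$d"
    done
    # Heuristic: a token naming a weak class without a leading "!" or "-" means the
    # class was never removed (in OpenSSL cipher strings "+" only reorders).
    suite=$(printf '%s\n' "$body" | sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//p')
    for tok in $(printf '%s' "$suite" | tr ':' ' '); do
        case $tok in
            '!'*|-*) ;;
            *EXP*|*LOW*|*RC4*|*SSLv2*) echo "weak-cipher-token:$tok" ;;
        esac
    done
}

# Constructed sample 1: a port-80-only vhost, the shape posted earlier in the thread.
sample_http_only() { cat <<'EOF'
<VirtualHost *:80>
    ServerName forum.example.com
    DocumentRoot /var/www/myserver
</VirtualHost>
EOF
}
# Constructed sample 2: the TLS lines of the example vhost quoted above.
sample_found_example() { cat <<'EOF'
<VirtualHost 192.168.1.1:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile /etc/ssl/star.example.com.crt
    SSLCertificateKeyFile /etc/ssl/star.example.com.key
</VirtualHost>
EOF
}
# Constructed sample 3: the same vhost with a modern protocol and cipher policy (assumed paths).
sample_corrected() { cat <<'EOF'
<VirtualHost *:443>
    ServerName one.example.com
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5
    SSLCertificateFile /etc/letsencrypt/live/one.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/one.example.com/privkey.pem
</VirtualHost>
EOF
}

for s in sample_http_only sample_found_example sample_corrected; do
    echo "== $s"; $s | audit_vhost
done
```

To check a real file, run `audit_vhost < your-vhost.conf` after sourcing the function; the cipher check is a token heuristic, not an expansion of the suites OpenSSL would actually negotiate.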



baldur2630

Quote from: Chief of Nothing on July 06, 2022, 10:41:39 AM
Quote from: baldur2630 on July 05, 2022, 06:20:55 PM
I see no reason to pay for something which does NOTHING.
Yes it does; as Arantor said, it blocks nearly all man-in-the-middle attacks, from sniffing passwords to eavesdropping on the content you're looking at.

You didn't say what webserver you're running so perhaps if you tell us that and maybe post the server's configuration we can help more.

I too think you may have confused forum name with domain name with the certificate. Did you put your domain info into the Let's Encrypt certificate?

Quote from: baldur2630 on July 05, 2022, 06:20:55 PM
and I have all the security if it's in my office that SSL won't give me!
This is not good thinking, it matters not one bit if the computer is in your office or not if there are any unpatched / not yet discovered exploits in your OS, webserver, PHP or forum software.

Quote from: baldur2630 on July 06, 2022, 03:17:56 AM
I don't think this is an SMF problem. I think it's a browser problem and/or Windows 10.
I'll try it using XP see what that does
It is not an SMF problem. It is not a browser problem. It is not a Windows 10 problem. It is a webserver configuration problem.

WRONG - visit www.grc.com. I quote from their site:
How is this elegant system subverted?
Any corporation, educational institution, or other Internet connectivity provider who wishes to monitor every Internet action of its employees, students or users—every private user ID & password of every social networking or banking site they visit, their medical records, all "secure" eMail . . . EVERYTHING—simply arranges to add one additional "Pseudo Certificate Authority" to their users' browsers or computers. It's that simple.

For example, suppose that "Bendover Industries" installs a commercially available "SSL Proxy" (also known as an HTTPS or TLS Proxy). Then, as part of prepping computers for use inside their network, Bendover's IT department simply adds one additional "trusted" Certificate Authority to each computer. That's all it takes.

Now, whenever anyone inside Bendover's network makes a "secure" connection to any remote public web site—their bank, Google Mail, Facebook, anything—that connection is intercepted by Bendover's SSL Proxy appliance before it leaves the building. On-the-fly, the SSL Proxy Appliance creates a fraudulent "spoofed" web server certificate in order to impersonate the intended remote web site, and it signs that fraudulent certificate itself using the signature of the also-fraudulent Certificate Authority that was previously planted inside the user's browser or computer.

Because the impersonation is perfect, neither the browser nor the user can readily detect that they do not have a securely encrypted direct connection to the remote web site. Their browser shows every facet of a standard secured SSL connection—all the locks and pretty colors and everything we have been trained to look for and check for are present . . .
And it's all a lie.

Instead of connecting to the remote web server, the browser is "securely" connected only to the local Proxy Appliance which is decrypting, inspecting, and logging all of the material sent from the browser. It inspects all content to determine whether it abides by whatever arbitrary policies the local network is enforcing. Its users have NO privacy and NO security. Or perhaps it just silently logs & records everything for possible future need. Either way, it has obtained full access to everything the user enters into their web browser.

Do you TRUST the providers after you shell out your hard-earned cash? I for one DO NOT.


baldur2630

Quote from: Chief of Nothing on July 06, 2022, 11:23:21 AM
Quote from: baldur2630 on July 06, 2022, 11:06:23 AM
What else?

Ok, I'm not so up to date with Apache but from what you've posted if that's the only configuration that you have then Apache is not configured to use SSL.

You also need a virtualhost listening on port 443 for SSL. This virtualhost would contain the settings for enabling SSL and the path to the SSL certificate for the domain. Here is an example I found:

<VirtualHost 192.168.1.1:443>
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

        SSLCertificateFile      /etc/ssl/star.example.com.crt
        SSLCertificateKeyFile   /etc/ssl/star.example.com.key

        ServerName      "one.example.com"
        DocumentRoot    "/var/www/html/one"

        CustomLog       "/var/log/httpd/one-access.log" combined
        ErrorLog        "/var/log/httpd/one-error.log"

        <Directory /var/www/html>
                AllowOverride none

                Order Allow,Deny
                Allow from all
        </Directory>
</VirtualHost>

Do you have any configs that looks similar to that?


Of course I don't because I don't have any SSL Certificate. Please read the previous posts.

Arantor

If you're that bothered, why are you even bothering with SSL?

Aleksi "Lex" Kilpinen

Quote from: baldur2630 on July 06, 2022, 11:26:15 AM
Of course I don't because I don't have any SSL Certificate. Please read the previous posts.
The FIRST step in getting SSL to work, is to get a certificate.
Please read the previous posts.

Marking this topic solved, as at this stage it is not an SMF issue.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

baldur2630

Because 'believers' (like you) won't visit the site if it doesn't have one. Let's Encrypt is FREE so I am quite happy to make 'believers' happy. Incidentally it's Open Source, so less likely to have the backdoor than the costly ones.

I repeat, None of us have any security or any privacy. I don't just have a Firewall. I check all my logs DAILY and block all the parasites that have nothing better to do than post s**t on your forum or deluge you with spam. SSL does NOTHING to stop that.
