Tags: apache, ssl, lets-encrypt

Install SSL on Windows Apache


1. What I want to do:

I have a domain example.me, and a sub-domain text.example.me which is hosted on my Windows Server. It's running Apache with PHP 5.6.

I want to install an SSL certificate using Let's Encrypt and this tool: https://github.com/PKISharp/win-acme

2. The problem:

It doesn't seem to be working; I get the following error when trying to access https://test.example.me:

This site can’t provide a secure connection

3. What I have done so far

I followed every step from: https://commaster.net/content/how-setup-lets-encrypt-apache-windows

This is the content of my httpd-ssl.conf:

<VirtualHost *:443>
    ServerAdmin me@examole.com
    ServerName text.example.me
    DocumentRoot "D:/xampp/htdocs"

    RewriteEngine On
    # Redirect to the correct domain name
    RewriteCond %{HTTP_HOST} !^test.example.me$ [NC]
    RewriteRule ^/?(.*)$ https://test.example.me/$1 [NE,L,R=301]

    Alias /.well-known D:/xampp/htdocs/.well-known

    SSLEngine on
    SSLCertificateFile "conf/ssl.crt/text.example.me-crt.pem"
    SSLCertificateKeyFile "conf/ssl.key/test.example.me-key.pem"
    SSLCertificateChainFile "conf/ssl.csr/ca-test.example.me-crt.pem"
</VirtualHost>

My ports 80 and 443 are available, and not being used by Skype, so that's not the issue.

This is the content of my httpd-vhosts.conf:

<VirtualHost *:80>
    ServerAdmin me@example.me
    ServerName test.example.me

    RewriteEngine On
    # Redirect to the HTTPS site
    RewriteCond %{HTTPS} off
    RewriteRule ^/?(.*)$ https://test.example.me/$1 [NE,L,R=301]
    ErrorLog logs/slog.log
</VirtualHost>

Solution

  • I have been using Let's Encrypt for some years - but without(!) RewriteEngine.

    So here is a snippet from my httpd-vhosts.conf:

    <VirtualHost *:80>
      DocumentRoot "C:/webserver/html/example_html"
      ServerName www.example.com
      Redirect permanent / https://www.example.com/
      # For the case that you are using ModProxy to forward to a Tomcat, please also add:
      # ProxyPass "/.well-known/" "!"
    </VirtualHost>
    

    A snippet from my httpd-ssl.conf:

    <VirtualHost *:443>
      DocumentRoot "C:/webserver/html/example_html"
      ServerName www.example.com
      Protocols h2 http/1.1
    
      SSLEngine on
      SSLProtocol all -SSLv2 -SSLv3
      SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:DHE-RSA-CAMELLIA128-SHA:CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:SEED-SHA:DHE-RSA-SEED-SHA:!DSS
      SSLHonorCipherOrder on
      SSLCompression off
      SSLCertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/www.example.com-crt.pem"
      SSLCertificateKeyFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/www.example.com-key.pem"
      SSLCACertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/ca-www.example.com-crt.pem"
    
      <IfModule headers_module>
      Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
      Header always set x-frame-options "SAMEORIGIN"
      Header always set X-Content-Type-Options "nosniff"
      Header always set X-XSS-Protection "1; mode=block"
      #Header always set Content-Security-Policy "script-src 'self'"
      </IfModule>
    
      BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    
      #For the case that you use ModProxy to forward to a Tomcat or so
      #ProxyPass "/.well-known/" "!"
    
      EnableSendfile off
      EnableMMAP off 
    </VirtualHost>                                  
    

    Also please keep in mind that when you want to use multiple hostnames, then you need a wildcard certificate - otherwise it's simple with Let's Encrypt to have one certificate for each host/domain name - but you need one virtual host section for each host/domain name you are using.

    Last but not least, my personal opinion is that ModRewrite should not be used when there is no need, because it is complicated and not really understood by most people.
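Added example (editor's config, not the question's or the answer's own): the same pair of virtual hosts, but with the plain-HTTP host answering the ACME http-01 challenge itself and redirecting everything else without mod_rewrite, and with the TLS host limited to TLS 1.2/1.3 and forward-secret AEAD suites. The cipher list in the answer above still admits 3DES, SEED and Camellia CBC suites and TLS 1.0/1.1 (`all -SSLv2 -SSLv3` only removes SSL), and it hands the intermediate CA to SSLCACertificateFile, which configures client-certificate verification and does not send the chain to browsers; the intermediate belongs in SSLCertificateChainFile (or appended to the certificate file on Apache 2.4.8+). The hostname www.example.com, the DocumentRoot and the PEM paths under C:/ProgramData/win-acme/ are assumptions; use whatever path and file names your win-acme version writes. The config in the question mixes text.example.me and test.example.me between ServerName and the certificate file names, so before anything else every path referenced should exist and refer to one hostname.

```apache
# Added example (not from the question or the answer).
# Assumptions: hostname www.example.com, DocumentRoot C:/webserver/html/example_html,
# PEM files written by win-acme under C:/ProgramData/win-acme/ (adjust to your install),
# Apache 2.4.36+ built against OpenSSL 1.1.1+ (needed for +TLSv1.3 and "Protocols h2").
# "Listen 443" is already present in the stock httpd-ssl.conf; do not add it twice.

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "C:/webserver/html/example_html"

    # Serve the ACME http-01 challenge over plain HTTP and send every other
    # request to HTTPS. The negative lookahead keeps /.well-known/acme-challenge/
    # out of the redirect, so no mod_rewrite is needed.
    RedirectMatch permanent "^/(?!\.well-known/acme-challenge/)(.*)$" "https://www.example.com/$1"

    # Also needed here if requests are proxied to a backend (Tomcat etc.):
    # ProxyPass "/.well-known/acme-challenge/" "!"

    ErrorLog "logs/www.example.com-error.log"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "C:/webserver/html/example_html"
    Protocols h2 http/1.1

    SSLEngine on
    # Only TLS 1.2 and 1.3. On an older build that rejects +TLSv1.3, use "-all +TLSv1.2".
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # Forward-secret AEAD suites only (Mozilla "intermediate" profile). TLS 1.3 suites
    # are chosen by OpenSSL and are not affected by SSLCipherSuite.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder off
    SSLCompression off
    SSLSessionTickets off

    # Leaf certificate and private key (assumed win-acme file names).
    SSLCertificateFile      "C:/ProgramData/win-acme/www.example.com-crt.pem"
    SSLCertificateKeyFile   "C:/ProgramData/win-acme/www.example.com-key.pem"
    # Intermediate CA: this is SSLCertificateChainFile, not SSLCACertificateFile
    # (which is for verifying client certificates). On Apache 2.4.8+ you may instead
    # append the intermediate to the -crt.pem file and drop this line.
    SSLCertificateChainFile "C:/ProgramData/win-acme/ca-www.example.com-crt.pem"

    <IfModule headers_module>
        # Start without "preload": once a host is on the preload list it is hard to undo.
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Content-Type-Options "nosniff"
        # X-XSS-Protection is obsolete in current browsers; a Content-Security-Policy
        # is the replacement once the site's script sources are known.
    </IfModule>

    ErrorLog "logs/www.example.com-ssl-error.log"
</VirtualHost>
```

Before restarting, run `httpd -t` from the Apache bin directory to catch a missing PEM file or an unsupported protocol keyword, and `httpd -S` (the same as `-t -D DUMP_VHOSTS`) to confirm that a `*:443` host with the expected ServerName is actually loaded; the browser message "This site can't provide a secure connection" is what you get when nothing on port 443 completes a TLS handshake, which the error log reports far more precisely than the browser does.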