0

I'm trying to setup SSL for Apache (installed via XAMPP) on Mac OS X Yosemite.

Let's assume that I have a local hostname called 'my-local-host' already setup. I followed the instructions here to setup the certs running the following commands:

# 1. Create host key
sudo ssh-keygen -f my-local-host.key

# 2. Create SSL certificate
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout my-local-host.key -out my-local-host.crt

# 3. Create nopass Host Key
sudo openssl rsa -in my-local-host.key -out my-local-host.nopass.key

Note: I did all this inside the /Applications/XAMPP/xamppfiles/apache2/ssl directory.

After this, I added a virtual host listing to httpd-vhosts.conf.

<VirtualHost *:443>
    ServerName my-local-host
    DocumentRoot "/path/to/my-local-host/files"

    SSLEngine on
    SSLCertificateFile "/Applications/XAMPP/xamppfiles/apache2/ssl/my-local-host.crt"
    SSLCertificateKeyFile "/Applications/XAMPP/xamppfiles/apache2/ssl/my-local-host.key"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/Applications/XAMPP/xamppfiles/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    <Directory "/path/to/my-local-host/files">
        ServerSignature Off
        Options Indexes FollowSymLinks Includes execCGI
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog "logs/my_local_host_log"
</VirtualHost>

I then added the certificate to system Keychain with the following:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Applications/XAMPP/xamppfiles/apache2/ssl/my-local-host.crt

And then I restarted Apache and attempted to load https://my-local-host in the Chrome browser. Here's the error I received:

This server could not prove that it is my-local-host; its security certificate is from [missing_subjectAltName].

After searching online it appears that this is an issue relating to Chrome dropping CommonName support from Chrome 58.

I found this aptly title post: Missing [missing_subjectAltName] in ssl certificate (since Chrome 58) that sported a command for creating a compliant certificate:

sudo openssl req -newkey rsa:2048 -x509 -nodes -keyout my-local-host.key -new -out my-local-host.crt -subj /CN=my-local-host -reqexts SAN -extensions SAN -config <(cat /System/Library/OpenSSL/openssl.cnf ; printf '[SAN]\nsubjectAltName=DNS:my-local-host') -sha256 -days 3650

Unfortunately, when I run this I get the following error:

error on line -1 of /dev/fd/63
80231:error:02001009:system library:fopen:Bad file descriptor:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/crypto/bio/bss_file.c:126:fopen('/dev/fd/63','rb')
80231:error:2006D002:BIO routines:BIO_new_file:system lib:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/crypto/bio/bss_file.c:131:
80231:error:0E078002:configuration file routines:DEF_LOAD:system lib:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/crypto/conf/conf_def.c:199:

Is there some other, less cumbersome way I can create a compliant certificate that addresses the issue with missing_subjectAltName on Chrome?

jww
  • 97,681
  • 90
  • 411
  • 885
ObiHill
  • 11,448
  • 20
  • 86
  • 135
  • ***`CN=my-local-host`*** is probably wrong. Hostnames always go in the *SAN*. If its present in the *CN*, then it must be present in the *SAN* too (you have to list it twice in this case). For more rules and reasons, see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) You will also need to place the self-signed certificate in the appropriate trust store. – jww Jun 10 '17 at 00:31
  • OS X and OpenSSL 0.9.8 is too old. It lacks most EC gear, and it can't do TLS 1.2. Also see [Homebrew refusing to link OpenSSL](http://stackoverflow.com/q/38670295), [Update OpenSSL on OS X with Homebrew](http://stackoverflow.com/q/15185661), [How to install latest version of openssl Mac OS X El Capitan](http://stackoverflow.com/q/35129977), [How to upgrade OpenSSL in OS X?](http://apple.stackexchange.com/q/126830), [Openssl installation using HomeBrew fails](http://superuser.com/q/486389), etc. – jww Jun 10 '17 at 00:33

1 Answers1

0

I just managed to find a fix for this from this post: Fixing Chrome 58+ [missing_subjectAltName] with openssl when using self signed certificates. Many thanks to the author.

So here's what I did that worked:

First we'll delete all the files we created from earlier.

Secondly, we create these two files in our working directory /Applications/XAMPP/xamppfiles/apache2/ssl:

First file - my-local-host.csr.cnf with the following contents:

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=NG
ST=Lagos
L=Ikeja
O=Local, LLC
OU=Tech
emailAddress=admin@yourdomain.com
CN = my-local-host

Note: make sure all the fields have a value i.e. no blank entries.

Second file - my-local-host.v3.ext with the following contents:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = my-local-host

Thirdly, run the following commands:

sudo openssl genrsa -des3 -out rootCA.key 2048
sudo openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
openssl req -new -sha256 -nodes -out my-local-host.csr -newkey rsa:2048 -keyout my-local-host.key -config <( cat my-local-host.csr.cnf )
sudo openssl x509 -req -in my-local-host.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out my-local-host.crt -days 500 -sha256 -extfile my-local-host.v3.ext

Note: I tried running the third command with sudo, but I was getting errors for some reason, and I found some info online that suggested running this without it, and it worked for me.

After you've done all this, run the following command:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain my-local-host.crt

And finally, restart Apache.

I hope this helps solve your SSL issue.

ObiHill
  • 11,448
  • 20
  • 86
  • 135