{"id":323,"date":"2019-07-02T14:30:19","date_gmt":"2019-07-02T14:30:19","guid":{"rendered":"https:\/\/silviamarin.ro\/?p=57"},"modified":"2019-07-02T14:30:19","modified_gmt":"2019-07-02T14:30:19","slug":"securizarea-serverului-apache-cu-ssl-2","status":"publish","type":"post","link":"https:\/\/marinelvis.xyz\/index.php\/2019\/07\/02\/securizarea-serverului-apache-cu-ssl-2\/","title":{"rendered":"SECURING THE APACHE SERVER WITH SSL"},"content":{"rendered":"<p><em><strong>Generating the SSL certificates<\/strong><\/em><br \/>\nCreate the folder where the certificates and the private key will be kept:<\/p>\n<pre>mkdir \/var\/SSL &amp;&amp; cd \/var\/SSL<\/pre>\n<p>Generate the private key (<span style=\"color: #ff0000;\">domeniu.com<span style=\"color: #000000;\">.key<\/span><\/span>) with OpenSSL, either in the terminal of the domain's server or in the Control Panel:<\/p>\n<pre>openssl genrsa -out \/var\/SSL\/<span style=\"color: #ff0000;\">domeniu.com<span style=\"color: #000000;\">.key<\/span><\/span> 2048<\/pre>\n<p>Create the file \u201c<span style=\"color: #ff0000;\">domeniu.com<\/span>.csr\u201d:<\/p>\n<pre>openssl req -new -sha256 -key \/var\/SSL\/<span style=\"color: #ff0000;\">domeniu.com<\/span>.key -out \/var\/SSL\/<span style=\"color: #ff0000;\">domeniu.com<\/span>.csr<\/pre>\n<blockquote><p><em>Country: RO<\/em><br \/>\n<em>State or Province: Galati<\/em><br \/>\n<em>City or Locality: Galati<\/em><br \/>\n<em>Organization Name: Home<\/em><br \/>\n<em>Organizational Unit: IT<\/em><br \/>\n<em>Common Name: domeniu.com<\/em><br \/>\n<em>Challenge password: leave empty (Enter)<\/em><\/p><\/blockquote>\n<p>Verify the CSR:<\/p>\n<pre>openssl req -noout -text -in \/var\/SSL\/<span style=\"color: #ff0000;\">domeniu.com<\/span>.csr<\/pre>\n<p>There is now a private key (<em><span style=\"color: #ff0000;\">domeniu.com<\/span>.key<\/em>), which stays installed on the domain's server, and a certificate signing request (<em><span style=\"color: #ff0000;\">domeniu.com<\/span>.csr<\/em>), which is sent to a commercial certificate authority (Comodo, VeriSign, GoDaddy, etc.) so that it can issue the signed certificate carrying the public key, which will have the .crt extension.<\/p>\n<p><strong>GoDaddy<\/strong> generates 2 files: <em>fa87f784d9b6ea29.crt<\/em> and <em>gd_bundle-g2-g1.crt<\/em>. The first is the <em><span style=\"color: #ff0000;\">domeniu.com<\/span>.csr<\/em> request digitally signed by GoDaddy and is renamed <em><span style=\"color: #ff0000;\">domeniu.com<\/span>.crt<\/em>; the second is the certificate authority's intermediate certificate and is renamed <em>intermediate.crt<\/em>. Save both files in <em>\/var\/SSL<\/em>.<br \/>\nConcatenate the two files:<\/p>\n<pre>cat <span style=\"color: #ff0000;\">domeniu.com<\/span>.crt intermediate.crt &gt; <span style=\"color: #ff0000;\">domeniu.com<\/span>.chained.crt<\/pre>\n<p><strong>Comodo<\/strong> generates 4 files: Root (<em>AddTrustExternalCARoot.crt<\/em> and <em>COMODORSAAddTrustCA.crt<\/em>), Intermediate2 (<em>COMODORSADomainValidationSecureServerCA.crt<\/em>), and Primary Certificates (<em><span style=\"color: #ff0000;\">domeniu.com<\/span>.crt<\/em>).<br \/>\nConcatenate the 4 files in the order Primary, Intermediate, Root:<\/p>\n<pre>cat <span style=\"color: #ff0000;\">domeniu.com<\/span>.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt &gt; <span style=\"color: #ff0000;\">domeniu.com<\/span>.pem<\/pre>\n<p>The resulting concatenated files look like this:<\/p>\n<p><em><strong>Configuring the Apache server<\/strong><\/em><\/p>\n<pre>cd \/etc\/apache2\/sites-available\ncp 000-default.conf 000-default.conf.orig\nnano 000-default.conf<\/pre>\n<p>Replace the contents of the file with the following:<\/p>\n<blockquote><p><em>&lt;VirtualHost *:80&gt;<\/em><br \/>\n<em>ServerName <span style=\"color: #ff0000;\">domeniu.com<\/span><\/em><br \/>\n<em>Redirect permanent \/ https:\/\/<span style=\"color: #ff0000;\">domeniu.com<\/span>\/<\/em><br \/>\n<em>ErrorLog ${APACHE_LOG_DIR}\/error.log<\/em><br \/>\n<em>CustomLog ${APACHE_LOG_DIR}\/access.log combined<\/em><br \/>\n<em>&lt;\/VirtualHost&gt;<\/em><br \/>\n<em>&lt;VirtualHost *:443&gt;<\/em><br \/>\n<em>ServerName www.<span style=\"color: #ff0000;\">domeniu.com<\/span><\/em><br \/>\n<em>ServerAdmin webmaster@localhost<\/em><br \/>\n<em>DocumentRoot \/var\/www\/html<\/em><br \/>\n<em>SSLEngine on<\/em><br \/>\n<em>SSLCertificateFile \/var\/SSL\/<span style=\"color: #ff0000;\">domeniu.com<\/span>.crt<\/em><br \/>\n<em>SSLCertificateKeyFile \/var\/SSL\/<span style=\"color: #ff0000;\">domeniu.com<\/span>.key<\/em><br \/>\n<em>SSLCACertificateFile \/var\/SSL\/intermediate.crt<\/em><br \/>\n<em>ErrorLog ${APACHE_LOG_DIR}\/error.log<\/em><br \/>\n<em>CustomLog ${APACHE_LOG_DIR}\/access.log combined<\/em><br \/>\n<em>&lt;\/VirtualHost&gt;<\/em><\/p><\/blockquote>\n<p>Enable the Apache server's SSL module:<\/p>\n<pre>a2enmod ssl<\/pre>\n<p>Enable support for \u201cperfect forward secrecy\u201d in the ssl module:<\/p>\n<pre>nano \/etc\/apache2\/mods-available\/ssl.conf<\/pre>\n<p>Enable <em>\u201cSSLHonorCipherOrder on\u201d<\/em> and replace <em>\u201cSSLCipherSuite HIGH:!aNULL\u201d<\/em> with:<\/p>\n<blockquote><p><em>SSLCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH<\/em><\/p><\/blockquote>\n<p>Note: RFC 7465 prohibits RC4 cipher suites in TLS, so the two RC4 entries should be left out on current deployments.<\/p>\n<p>Save the file and restart the Apache server:<\/p>\n<pre>systemctl restart apache2.service<\/pre>\n<p>Check the domain:<br \/>\n<a href=\"https:\/\/domeniu.com\/\">https:\/\/domeniu.com<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Generating the SSL certificates Create the folder where the certificates and the private key will be kept: mkdir \/var\/SSL &amp;&amp; cd \/var\/SSL Generate the private key (domeniu.com.key) with OpenSSL, either in the terminal of the domain's server or in the Control Panel openssl genrsa -out \/var\/SSL\/domeniu.com.key 2048 Create the file \u201cdomeniu.com.csr\u201d openssl req -new -sha256 -key \/var\/SSL\/domeniu.com.key -out \/var\/SSL\/domeniu.com.csr Country: RO State or [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-323","post","type-post","status-publish","format-standard","hentry","category-fara-categorie"],"_links":{"self":[{"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/posts\/323","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/comments?post=323"}],"version-history":[{"count":0,"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/posts\/323\/revisions"}],"wp:attachment":[{"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/media?parent=323"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/categories?post=323"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/marinelvis.xyz\/index.php\/wp-json\/wp\/v2\/tags?post=323"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}