NO: Sierra Apache SSL

Bruno Del Sol bruno.delsol at bydesign.fr
Wed Jun 9 16:04:07 UTC 2021


Hi Mark,

the typical Apache SSL setup with certificates from letsencrypt looks like this:


my-ssl-setup.conf
------------------------

# Required modules: mod_log_config, mod_setenvif, mod_ssl, socache_shmcb_module (for default value of SSLSessionCache)
LoadModule ssl_module lib/httpd/modules/mod_ssl.so
LoadModule headers_module lib/httpd/modules/mod_headers.so

Listen *:443

LoadModule socache_shmcb_module lib/httpd/modules/mod_socache_shmcb.so
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/private/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout  300


# generated 2021-02-18, Mozilla Guideline v5.6, Apache 2.4.41, OpenSSL 1.1.1d, modern configuration, no OCSP
# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&ocsp=false&guideline=5.6

SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

SSLHonorCipherOrder     off
SSLSessionTickets       off

<VirtualHost *:443>
   DocumentRoot "/Users/Admin/Sites/default"
   ServerName www.host.fr
   ServerAdmin webmaster@host.fr
   DirectoryIndex index.html

   SSLEngine on
   SSLCertificateFile "/etc/letsencrypt/live/www.host.fr/fullchain.pem"
   SSLCertificateKeyFile "/etc/letsencrypt/live/www.host.fr/privkey.pem"
   SSLCertificateChainFile "/etc/letsencrypt/live/www.host.fr/fullchain.pem"

</VirtualHost>

####### end my-ssl-setup.conf

Now you have to figure out from your GoDaddy files which one is the private key (I would guess hash.pem) and which one 
is the certificate, which is usually bundled with the chain of authorities (hence fullchain.pem in my case) but not 
always, as might be the case for you. So you might want to try

   SSLCertificateFile "/mypath/hash.crt"
   SSLCertificateKeyFile "/mypath/hash.pem"
   SSLCertificateChainFile "/mypath/gd_bundle-g2-g1.crt"

You can also try to open the GoDaddy files with the macOS Keychain app to get a glimpse of what they contain. Normally, the 
private key file cannot be read.

HTH
Regards
Bruno




By Design
http://www.bydesign.fr
Bruno Del Sol
bruno.delsol at bydesign.fr
46, rue de La Tour d'Auvergne
75009 Paris (France)

Le 09/06/2021 à 17:34, Mark Grinde a écrit :
> Hello $all-
>
> This is not an Omnis question, but it is a setup issue on a machine that may be used as an Omnis web server (if that helps)…
>
> We are looking for advice on how to configure a mac webserver with an SSL certificate.
>
> We have a mac mini running macOS Sierra where we cannot seem to find the right magic to install a GoDaddy SSL certificate to work with apache.
>
> In the old days, Apple had a server app that worked alongside regular OSX.  It generated the CSR, and it then configured apache with the resulting SSL files from GoDaddy.  We had used this successfully for years.
>
> These days, however, Apple has decided that SSL certificates must be installed manually.
>
> After searching the web for answers, we have tried countless ways to manually generate the CSR, install the GoDaddy SSL file(s), and configure the apache conf file, all without success.
>
> So, we’re hoping someone out there might know of a proven step-by-step procedure for making this happen?
>
> The apache conf file wants paths to an SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile.
>
> GoDaddy provides a hash.crt file, a hash.pem file, and a gd_bundle-g2-g1.crt file.  We do not understand how the GoDaddy files correspond to the apache file requirements.  And GoDaddy tech support, for the record, has been woefully unhelpful.
>
> If this is beyond the scope of free advice, we would be willing to engage a knowledgeable paid consultant— if anyone listening is or knows of one.
>
> Thanks!
>
> Mark
> _____________________________________________________________
> Manage your list subscriptions at http://lists.omnis-dev.com
> Start a new message -> mailto:omnisdev-en at lists.omnis-dev.com
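The guesswork about which GoDaddy file is the key, the certificate and the chain can be replaced by inspecting the PEM contents and cross-checking them with openssl. The script below is an added example, not code from Bruno's reply or from the list: it classifies each file, confirms the private key really belongs to the certificate, checks that the certificate verifies against the bundle, and only then prints the three Apache directives. It needs the openssl command line tool; the root/intermediate/leaf material it builds is constructed for the demo, and the file names merely mirror the GoDaddy names from the thread.

```shell
#!/bin/sh
# Added example, not from the original post: classify the PEM files a CA hands
# you and check that they belong together before wiring them into Apache's
# SSLCertificateFile / SSLCertificateKeyFile / SSLCertificateChainFile.
# Needs the openssl CLI. The PKI built by make_demo_pki is constructed for this
# example; its file names only mirror the GoDaddy naming from the thread.

# pem_kind FILE -> prints "key", "cert" (one certificate), "chain" (several) or "unknown"
pem_kind() {
  if grep -Eq -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1" 2>/dev/null; then
    echo key
    return 0
  fi
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
  case "${n:-0}" in
    0) echo unknown ;;
    1) echo cert ;;
    *) echo chain ;;
  esac
}

# key_matches_cert KEY CERT -> succeeds only when both carry the same public key,
# i.e. the private key really belongs to that certificate
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_verifies BUNDLE CERT -> succeeds when CERT chains up to a root contained
# in BUNDLE. A real CA bundle usually stops at the intermediates and relies on
# the system trust store; then pass the root via -CAfile and the bundle via -untrusted.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# check_set KEY CERT BUNDLE -> succeeds when the three files fit together and
# prints the Apache directives to use for them
check_set() {
  [ "$(pem_kind "$1")" = key ] || { echo "not a private key: $1"; return 1; }
  [ "$(pem_kind "$2")" = cert ] || { echo "not a single certificate: $2"; return 1; }
  [ "$(pem_kind "$3")" = chain ] || { echo "not a certificate bundle: $3"; return 1; }
  key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
  chain_verifies "$3" "$2" || { echo "certificate does not verify against bundle"; return 1; }
  printf 'SSLCertificateFile "%s"\nSSLCertificateKeyFile "%s"\nSSLCertificateChainFile "%s"\n' "$2" "$1" "$3"
}

# make_demo_pki DIR -> constructed root -> intermediate -> leaf, all valid for one day
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:false\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
  # self-signed root with explicit CA extensions
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
    -subj /CN=Example-Root 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
    -out "$d/root.crt" -days 1 2>/dev/null
  # intermediate signed by the root
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
    -subj /CN=Example-Intermediate 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -set_serial 1001 \
    -extfile "$d/ca.ext" -out "$d/int.crt" -days 1 2>/dev/null
  # server key and certificate, named like the GoDaddy files from the thread
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/hash.pem" -out "$d/leaf.csr" \
    -subj /CN=www.example.test 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -set_serial 1002 \
    -extfile "$d/leaf.ext" -out "$d/hash.crt" -days 1 2>/dev/null
  # bundle = intermediate(s) followed by the root, the usual gd_bundle layout
  cat "$d/int.crt" "$d/root.crt" > "$d/gd_bundle-g2-g1.crt"
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_pki "$DEMO_DIR"
for f in "$DEMO_DIR"/hash.crt "$DEMO_DIR"/hash.pem "$DEMO_DIR"/gd_bundle-g2-g1.crt; do
  echo "$(pem_kind "$f")  $(basename "$f")"
done
check_set "$DEMO_DIR/hash.pem" "$DEMO_DIR/hash.crt" "$DEMO_DIR/gd_bundle-g2-g1.crt"
```

To use it on real files, drop the demo section at the bottom and call `check_set /mypath/hash.pem /mypath/hash.crt /mypath/gd_bundle-g2-g1.crt`; if chain_verifies fails only because the bundle lacks the root, that is expected for a public CA and Apache will still serve the chain correctly, since browsers carry the root themselves. The key/certificate public-key comparison is the check that catches the most common mistake, namely pairing the certificate with the key from an earlier CSR.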