How to interpret apksigner output? - android-security

I've downloaded an APK from the Internet and wanted to check its integrity and credibility. I used apksigner, but I don't know how to interpret the output: is it safe or not? The official website doesn't cover this subject.
Console output:
$ ./apksigner verify -v -Werr --print-certs --min-sdk-version 28 ~/Downloads/com...apkmirror.com.apk
Verifies
Verified using v1 scheme (JAR signing): false
Verified using v2 scheme (APK Signature Scheme v2): false
Number of signers: 1
Signer #1 certificate DN: CN=gearhead, OU=Android, O=Google Inc., L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: fdb00c43dbde8b51cb312aa81d3b5fa17713adb94b28f598d77f8eb89daceedf
Signer #1 certificate SHA-1 digest: 9ca91f9e704d630ef67a23f52bf1577a92b9ca5d
Signer #1 certificate MD5 digest: eeb557fc154afc0d8eec621bdc7ea950
Signer #1 key algorithm: RSA
Signer #1 key size (bits): 2048
Signer #1 public key SHA-256 digest: 1b6110e69b38474bc06d6cba9578489b208b969f6ccf95206db9eac689063f2d
Signer #1 public key SHA-1 digest: 844d9df046e665c5630312da1a541be3e09e1afc
Signer #1 public key MD5 digest: 6f0062bb932de2a7303f506dd3412847

Related

JWK Key Creation with x5c and x5t parameters

I have the need to generate a JWK with the following parameters:
“kty”: Key Type
“kid”: Key ID
“use”: “sig” Public Key Use
“n”: the modulus
“e”: “AQAB” the public exponent
“x5c”: X.509 Certificate Chain
“x5t”: X.509 Certificate SHA-1 Thumbprint
Note:
JWKs should contain a public key using RSA algorithm. RSA provides a key ID for key matching purposes.
Should contain X.509 certificate using both “x5t” (X.509 SHA-1 Thumbprint) and “x5c” (X.509 certificate Chain) parameters
The first 5 parameters ("kty", "kid", "use", "n", "e") are fairly straightforward and not an issue. However, for the "x5c" and "x5t" components, I am not sure how to generate these. It seems I can create an X.509 cert using tools such as the one found at https://www.samltool.com/self_signed_certs.php, and I suppose the X.509 cert generated there would be the x5c parameter. Is this correct, and how would I generate an x5t (cert thumbprint) from this?
All help is appreciated.
Since you have neither a tool nor a language tagged, I assume that it is rather a general explanation of both parameters.
In x5c a certificate or certificate chain is stored, in x5t the associated thumbprint. A certificate or certificate chain is used to prove ownership of a public key, the thumbprint is a hash of a certificate used to identify/compare certificates.
The exact definition of both parameters is described in RFC 7517, JSON Web Key (JWK), chapters 4.7 x5c and 4.8 x5t:
x5c:
The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (Section 4 of [RFC4648] -- not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. The key in the first certificate MUST match the public key represented by other members of the JWK. Use of this member is OPTIONAL...
x5t:
The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]. Note that certificate thumbprints are also sometimes known as certificate fingerprints. The key in the certificate MUST match the public key represented by other members of the JWK. Use of this member is OPTIONAL.
Creation of a certificate:
A self signed certificate can (apart from the online tool you use) also be generated e.g. with OpenSSL. The following OpenSSL statement
openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.crt -days 365
generates a private (unencrypted) PEM encoded 4096 bit key in PKCS#8 format (key.pem):
-----BEGIN PRIVATE KEY-----
MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDkWIfV9uL3XMay
...
OPAsywknGU1A/xTa3fFKO9KV6t/T9z3G
-----END PRIVATE KEY-----
and a PEM encoded certificate (cert.crt):
-----BEGIN CERTIFICATE-----
MIIF4zCCA8ugAwIBAgIJAKSZ5oC4tblkMA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD
...
6aBMYeKy0dqjtZIlO8rm2Rialc7Qt+0=
-----END CERTIFICATE-----
For more options and details, see openssl req and the post How to generate a self-signed SSL certificate using OpenSSL?.
Note that a self-signed certificate is signed by the owner. Self-signed certificates are used on internal pages or in test environments. A CA-signed certificate, in contrast, is signed by a third-party, publicly trusted certificate authority (CA) such as DigiCert or Thawte, and is used e.g. for public-facing websites; see also here. A signed certificate is requested with a CSR.
Certificates, certificate chains, certificate authorities, etc. are part of a public key infrastructure.
Example use of x5c:
In Appendix B of RFC 7517, an example of the use of the x5c parameter is given. The DER encoded certificate is Base64 encoded and is contained in a JSON array:
{
"kty":"RSA",
"use":"sig",
"kid":"1b94c",
"n":"vrjOfz9Ccdgx5nQudyhdoR17V-IubWMeOZCwX_jj0hgAsz2J_pqYW08
PLbK_PdiVGKPrqzmDIsLI7sA25VEnHU1uCLNwBuUiCO11_-7dYbsr4iJmG0Q
u2j8DsVyT1azpJC_NG84Ty5KKthuCaPod7iI7w0LK9orSMhBEwwZDCxTWq4a
YWAchc8t-emd9qOvWtVMDC2BXksRngh6X5bUYLy6AyHKvj-nUy1wgzjYQDwH
MTplCoLtU-o-8SNnZ1tmRoGE9uJkBLdh5gFENabWnU5m1ZqZPdwS-qo-meMv
VfJb6jJVWRpl2SUtCnYG2C32qvbWbjZ_jBPD5eunqsIo1vQ",
"e":"AQAB",
"x5c":
["MIIDQjCCAiqgAwIBAgIGATz/FuLiMA0GCSqGSIb3DQEBBQUAMGIxCzAJB
gNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYD
VQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1
wYmVsbDAeFw0xMzAyMjEyMzI5MTVaFw0xODA4MTQyMjI5MTVaMGIxCzAJBg
NVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDV
QQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1w
YmVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64zn8/QnH
YMeZ0LncoXaEde1fiLm1jHjmQsF/449IYALM9if6amFtPDy2yvz3YlRij66
s5gyLCyO7ANuVRJx1NbgizcAblIgjtdf/u3WG7K+IiZhtELto/A7Fck9Ws6
SQvzRvOE8uSirYbgmj6He4iO8NCyvaK0jIQRMMGQwsU1quGmFgHIXPLfnpn
fajr1rVTAwtgV5LEZ4Iel+W1GC8ugMhyr4/p1MtcIM42EA8BzE6ZQqC7VPq
PvEjZ2dbZkaBhPbiZAS3YeYBRDWm1p1OZtWamT3cEvqqPpnjL1XyW+oyVVk
aZdklLQp2Btgt9qr21m42f4wTw+Xrp6rCKNb0CAwEAATANBgkqhkiG9w0BA
QUFAAOCAQEAh8zGlfSlcI0o3rYDPBB07aXNswb4ECNIKG0CETTUxmXl9KUL
+9gGlqCz5iWLOgWsnrcKcY0vXPG9J1r9AqBNTqNgHq2G03X09266X5CpOe1
zFo+Owb1zxtp3PehFdfQJ610CDLEaS9V9Rqp17hCyybEpOGVwe8fnk+fbEL
2Bo3UPGrpsHzUoaGpDftmWssZkhpBJKVMJyf/RuP2SmmaIzmnw9JiSlYhzo
4tpzd5rFXhjRbg4zW9C+2qok+2+qDM1iJ684gPHMIY8aLWrdgQTxkumGmTq
gawR+N5MDtdPTEQ0XfIBc2cJEUyMTY5MPvACWpkA6SdS4xSvdXK3IVfOWA=="]
}
Note that the line breaks within values are for display purposes only. The DER encoding results from the PEM encoding by removing header, footer and line breaks and Base64 decoding the rest, i.e. the Base64 decoded DER encoded certificate is the body of the PEM encoded certificate without line breaks.
For a certificate chain, the certificates are separated by commas, see e.g. RFC 7515, Appendix B, x5c.
Thumbprint/Fingerprint:
The thumbprint of a certificate is the SHA-1 hash of the DER encoded certificate and can be generated with OpenSSL as follows (see also here):
openssl x509 -in cert.crt -noout -fingerprint
Here cert.crt is the PEM encoded certificate. For more details, see openssl x509.
Example: If the certificate from RFC 7517, Appendix B is used, the OpenSSL statement returns the following output:
SHA1 Fingerprint=E2:93:5E:9C:40:4B:BF:42:69:2C:87:6E:81:6C:50:90:EB:19:70:AD
i.e. the hex encoded thumbprint is: E2935E9C404BBF42692C876E816C5090EB1970AD or Base64url encoded: 4pNenEBLv0JpLIdugWxQkOsZcK0. The latter is the value of x5t:
"x5t":"4pNenEBLv0JpLIdugWxQkOsZcK0"
Thank you @Topaco for the last comment on your own answer. For anyone still confused, here's a complete flow with sample code:
In a JS environment with Buffer and crypto:
function generateX5t(certificate) {
  // Strip the `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` markers
  // and all whitespace (including line breaks), leaving only the Base64 body
  const data = certificate
    .replace(/-----(?:BEGIN|END) CERTIFICATE-----/g, '')
    .replace(/\s+/g, '');
  // Base64-decode to the DER bytes and hash them with SHA-1 (returns a Promise)
  const sha1 = crypto.subtle.digest('SHA-1', Buffer.from(data, 'base64'));
  const hex = sha1.then((r) => Buffer.from(r).toString('hex'));
  // Re-encode the digest bytes as unpadded base64url: this is the x5t value
  const x5t = hex.then((r) => Buffer.from(r, 'hex').toString('base64url'));
  return x5t;
}
const certificate = `-----BEGIN CERTIFICATE-----
MIIDQjCCAiqgAwIBAgIGATz/FuLiMA0GCSqGSIb3DQEBBQUAMGIxCzAJB
gNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYD
VQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1
wYmVsbDAeFw0xMzAyMjEyMzI5MTVaFw0xODA4MTQyMjI5MTVaMGIxCzAJBg
NVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDV
QQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1w
YmVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64zn8/QnH
YMeZ0LncoXaEde1fiLm1jHjmQsF/449IYALM9if6amFtPDy2yvz3YlRij66
s5gyLCyO7ANuVRJx1NbgizcAblIgjtdf/u3WG7K+IiZhtELto/A7Fck9Ws6
SQvzRvOE8uSirYbgmj6He4iO8NCyvaK0jIQRMMGQwsU1quGmFgHIXPLfnpn
fajr1rVTAwtgV5LEZ4Iel+W1GC8ugMhyr4/p1MtcIM42EA8BzE6ZQqC7VPq
PvEjZ2dbZkaBhPbiZAS3YeYBRDWm1p1OZtWamT3cEvqqPpnjL1XyW+oyVVk
aZdklLQp2Btgt9qr21m42f4wTw+Xrp6rCKNb0CAwEAATANBgkqhkiG9w0BA
QUFAAOCAQEAh8zGlfSlcI0o3rYDPBB07aXNswb4ECNIKG0CETTUxmXl9KUL
+9gGlqCz5iWLOgWsnrcKcY0vXPG9J1r9AqBNTqNgHq2G03X09266X5CpOe1
zFo+Owb1zxtp3PehFdfQJ610CDLEaS9V9Rqp17hCyybEpOGVwe8fnk+fbEL
2Bo3UPGrpsHzUoaGpDftmWssZkhpBJKVMJyf/RuP2SmmaIzmnw9JiSlYhzo
4tpzd5rFXhjRbg4zW9C+2qok+2+qDM1iJ684gPHMIY8aLWrdgQTxkumGmTq
gawR+N5MDtdPTEQ0XfIBc2cJEUyMTY5MPvACWpkA6SdS4xSvdXK3IVfOWA==
-----END CERTIFICATE-----`
generateX5t(certificate).then(r => console.log(r))
To summarize:
1. Get certificate content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
2. Remove new lines or line breaks
MIIDQjCCAiqgAwIBAgIGATz/FuLiMA0GCSqGSIb3DQEBBQUAMGIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDVQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1wYmVsbDAeFw0xMzAyMjEyMzI5MTVaFw0xODA4MTQyMjI5MTVaMGIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDVQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1wYmVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64zn8/QnHYMeZ0LncoXaEde1fiLm1jHjmQsF/449IYALM9if6amFtPDy2yvz3YlRij66s5gyLCyO7ANuVRJx1NbgizcAblIgjtdf/u3WG7K+IiZhtELto/A7Fck9Ws6SQvzRvOE8uSirYbgmj6He4iO8NCyvaK0jIQRMMGQwsU1quGmFgHIXPLfnpnfajr1rVTAwtgV5LEZ4Iel+W1GC8ugMhyr4/p1MtcIM42EA8BzE6ZQqC7VPqPvEjZ2dbZkaBhPbiZAS3YeYBRDWm1p1OZtWamT3cEvqqPpnjL1XyW+oyVVkaZdklLQp2Btgt9qr21m42f4wTw+Xrp6rCKNb0CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAh8zGlfSlcI0o3rYDPBB07aXNswb4ECNIKG0CETTUxmXl9KUL+9gGlqCz5iWLOgWsnrcKcY0vXPG9J1r9AqBNTqNgHq2G03X09266X5CpOe1zFo+Owb1zxtp3PehFdfQJ610CDLEaS9V9Rqp17hCyybEpOGVwe8fnk+fbEL2Bo3UPGrpsHzUoaGpDftmWssZkhpBJKVMJyf/RuP2SmmaIzmnw9JiSlYhzo4tpzd5rFXhjRbg4zW9C+2qok+2+qDM1iJ684gPHMIY8aLWrdgQTxkumGmTqgawR+N5MDtdPTEQ0XfIBc2cJEUyMTY5MPvACWpkA6SdS4xSvdXK3IVfOWA==
3. Decode the resulting string as Base64
4. SHA1 encode the result
5. HEX decode the result
6. URL-safe Base64 encode the result, this is the value for x5t
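Added example (not part of either answer above, and not code from RFC 7517): building the complete JWK from the question out of a PEM certificate with Node.js built-ins, plus the consumer-side check of the two "MUST match" rules in the quoted RFC text. The function names and the `kid` argument are assumptions; the embedded certificate is the RFC 7517 Appendix B one quoted on this page.

```javascript
// Added example, not part of either answer. Node.js built-ins only.
const nodeCrypto = require('crypto');

// Certificate from RFC 7517, Appendix B, as quoted on this page.
const RFC7517_CERT_PEM = `-----BEGIN CERTIFICATE-----
MIIDQjCCAiqgAwIBAgIGATz/FuLiMA0GCSqGSIb3DQEBBQUAMGIxCzAJB
gNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYD
VQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1
wYmVsbDAeFw0xMzAyMjEyMzI5MTVaFw0xODA4MTQyMjI5MTVaMGIxCzAJBg
NVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDV
QQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1w
YmVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64zn8/QnH
YMeZ0LncoXaEde1fiLm1jHjmQsF/449IYALM9if6amFtPDy2yvz3YlRij66
s5gyLCyO7ANuVRJx1NbgizcAblIgjtdf/u3WG7K+IiZhtELto/A7Fck9Ws6
SQvzRvOE8uSirYbgmj6He4iO8NCyvaK0jIQRMMGQwsU1quGmFgHIXPLfnpn
fajr1rVTAwtgV5LEZ4Iel+W1GC8ugMhyr4/p1MtcIM42EA8BzE6ZQqC7VPq
PvEjZ2dbZkaBhPbiZAS3YeYBRDWm1p1OZtWamT3cEvqqPpnjL1XyW+oyVVk
aZdklLQp2Btgt9qr21m42f4wTw+Xrp6rCKNb0CAwEAATANBgkqhkiG9w0BA
QUFAAOCAQEAh8zGlfSlcI0o3rYDPBB07aXNswb4ECNIKG0CETTUxmXl9KUL
+9gGlqCz5iWLOgWsnrcKcY0vXPG9J1r9AqBNTqNgHq2G03X09266X5CpOe1
zFo+Owb1zxtp3PehFdfQJ610CDLEaS9V9Rqp17hCyybEpOGVwe8fnk+fbEL
2Bo3UPGrpsHzUoaGpDftmWssZkhpBJKVMJyf/RuP2SmmaIzmnw9JiSlYhzo
4tpzd5rFXhjRbg4zW9C+2qok+2+qDM1iJ684gPHMIY8aLWrdgQTxkumGmTq
gawR+N5MDtdPTEQ0XfIBc2cJEUyMTY5MPvACWpkA6SdS4xSvdXK3IVfOWA==
-----END CERTIFICATE-----`;

// Split a PEM bundle (leaf first) into DER buffers, tolerating any line width.
function pemChainToDer(pem) {
  const blocks = pem.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g);
  if (!blocks) throw new Error('no PEM certificate found');
  return blocks.map((b) =>
    Buffer.from(b.replace(/-----[A-Z ]+-----/g, '').replace(/\s+/g, ''), 'base64'));
}

// x5t: SHA-1 over the DER bytes, base64url without padding.
const thumbprint = (der) =>
  nodeCrypto.createHash('sha1').update(der).digest().toString('base64url');

// Producer side: derive every member from the certificate so they cannot disagree.
// `kid` is chosen by the caller (hypothetical parameter).
function buildJwk(pemChain, kid) {
  const chain = pemChainToDer(pemChain);
  const { kty, n, e } = new nodeCrypto.X509Certificate(chain[0])
    .publicKey.export({ format: 'jwk' });
  if (kty !== 'RSA') throw new Error('expected an RSA certificate');
  return {
    kty, kid, use: 'sig', n, e,
    x5c: chain.map((der) => der.toString('base64')), // plain Base64, padded
    x5t: thumbprint(chain[0]),
  };
}

// Consumer side: the two "MUST match" rules quoted above. Returns a list of
// problems (empty = consistent). Chain/trust validation is out of scope here.
function checkJwk(jwk) {
  if (!Array.isArray(jwk.x5c) || jwk.x5c.length === 0) return ['x5c missing'];
  const problems = [];
  if (/[-_]/.test(jwk.x5c[0])) problems.push('x5c must be Base64, not base64url');
  const der = Buffer.from(jwk.x5c[0], 'base64');
  let pub;
  try {
    pub = new nodeCrypto.X509Certificate(der).publicKey.export({ format: 'jwk' });
  } catch (err) {
    return [...problems, 'x5c[0] is not a parsable certificate'];
  }
  if (pub.n !== jwk.n || pub.e !== jwk.e) problems.push('n/e differ from key in x5c[0]');
  if (jwk.x5t !== thumbprint(der)) problems.push('x5t differs from x5c[0]');
  return problems;
}

console.log(buildJwk(RFC7517_CERT_PEM, '1b94c'));
```

`checkJwk` only tests that the JWK is internally consistent; whether the certificate in `x5c` is trusted still has to be decided by validating the chain against a trust anchor.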

SSL_CTX_use_PrivateKey_file("/example.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Problem Statement:
I wanted to change the SSL certificate because I've changed my server, so I had to create a new CSR with a different name, as discussed in the following question, with this command. This generated the private key and CSR.
$ openssl req -new -newkey rsa:2048 -nodes -keyout example_new.key -out example_new.csr
Then I pasted the CSR into Re-Key in the GoDaddy portal, received the certificate from GoDaddy, and then renamed it to the following as per best practices.
example.com.crt
intermediate.crt
example.com.pem
And then I've concatenated the certificate with signing certificate in right order as discussed in this answer.
$ cat example.com.crt intermediate.crt > bundle_chained.crt
Exception:
Getting following exception while restarting Nginx.
$ sudo nginx -t
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/path/example_new.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
Here's what I tested:
The certificate and private key have no trailing spaces.
I checked the nginx.conf and the directives are pointing to the correct private key and certificate.
I've checked the MD5 hashes of the key and bundle_chained
$ openssl x509 -noout -modulus -in bundle_chained.crt | openssl md5
(stdin)= d91144b76e2fa292e9aee71f10ac8b63
$ openssl rsa -noout -modulus -in example.key | openssl md5
(stdin)= a4773e7fa31e0bdc7edad15ee5412d3e
Note: The MD5 hashes do not match
Checked bundle_chained.crt using the following and figured out that it doesn't look like mine, as I've specified Maharashtra as ST and it is showing Arizona, which is my CA.
$ openssl x509 -noout -text -in bundle_chained.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8d:a1:9d:55:8c:d8:as:45
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
Validity
Not Before: Aug 20 11:54:25 2020 GMT
Not After : Aug 19 10:00:10 2022 GMT
Subject: OU = Domain Control Validated, CN = example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
....
.....
Note: Please note that it did show the CN correctly as example.com in my case.
Thank you for your help. :)

gpg : encryption/decryption failed

I am trying to do gpg encryption/decryption on my server. For encryption I use this command line:
gpg --output test.txt.gpg --encrypt test.txt
and then I enter a user ID and my file is created.
But afterwards, when I want to decrypt this file with the same command:
gpg --output result.txt --decrypt test.txt.gpg
the result is:
gpg: encrypted with 2048-bit RSA key, ID FF070B4D, created 2017-07-19
"droli mail_adress"
gpg: decryption failed: No secret key
I don't understand why I can encrypt but can't decrypt afterwards?
$gpg --list-keys
/home/ssie/.gnupg/pubring.gpg
-----------------------------
pub 2048R/09C41BAC 2017-07-19
uid droli mail_adress
sub 2048R/6D2F1BE9 2017-07-19
$gpg --list-secret-keys
/home/ssie/.gnupg/secring.gpg
-----------------------------
sec 2048R/09C41BAC 2017-07-19
uid droli mail_adress sub
ssb 2048R/6D2F1BE9 2017-07-19
Edit after 2 hours:
I think I have found why: there were 2 different keys and 1 secret key for the same user. But now there is another issue: I deleted the wrong key and ran the same test again.
The output after decrypting is:
You need a passphrase to unlock the secret key for user: "droli mail_adress"
2048-bit RSA key, ID 6D2F1BE9, created 2017-07-19 (main key ID 09C41BAC)
can't connect to `/home/ssie/.gnupg/S.gpg-agent': Connection refused
gpg-agent[32298]: command get_passphrase failed: Operation cancelled
gpg: cancelled by user
gpg: encrypted with 2048-bit RSA key, ID 6D2F1BE9, created 2017-07-19
"telefact "
gpg: public key decryption failed: General error
gpg: decryption failed: No secret key
What is this "S.gpg-agent"? (the file /home/ssie/.gnupg/S.gpg-agent is empty in my case)
$ gpg-agent --daemon
GPG_AGENT_INFO=/tmp/gpg-1K7fOi/S.gpg-agent:18607:1; export GPG_AGENT_INFO;
After setting GPG_AGENT_INFO=/tmp/gpg-1K7fOi/S.gpg-agent:18607:1 and running export GPG_AGENT_INFO, there is no more message about the gpg agent.
You need a passphrase to unlock the secret key for user: "droli mail_adress"
2048-bit RSA key, ID 6D2F1BE9, created 2017-07-19 (main key ID 09C41BAC)
gpg: cancelled by user
gpg: encrypted with 2048-bit RSA key, ID 6D2F1BE9, created 2017-07-19
"droli mail_adress"
gpg: public key decryption failed: General error
gpg: decryption failed: No secret key
When creating a new key I have the same issue at the end:
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
gpg: cancelled by user
gpg: Key generation canceled.
It's as if there is a malfunction with the passphrase?
Thanks for help.
The solution is:
chmod o+rw $(tty)
before using su to become that user and it works as it should.

Delete public key from Private for Private key storage with GPG

I'm trying to make a paper based backup of a 4092 bit secret/private PGP key using a QR code generator, but the key is just too big. I'm going to go low tech here and split it into two pieces, but perhaps I don't need to. I know that when exporting the secret key, it also exports the public key embedded within it.
Is there any way to remove the public portion of the key from that file, or prior to exporting, so that the resulting file is only the private key?
I'm not certain the resulting file will be small enough still, but it is worth a shot.
D:\Users\tharding>gpg --edit-key "04EAC14C"
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/04EAC14C created: 2015-02-11 expires: never usage: SCE
trust: unknown validity: unknown
[ unknown] (1). Timothy Harding <hardingt#gmail.com>
gpg> key 1
No subkey with index 1
gpg> delkey
You must select at least one key.
gpg> delkey 0
You must select at least one key.
Update:
From what I can tell, (looking at the ASCII Armored output for both the public key and the private key) it looks like they are structured this way:
Update 2:
Looked at the files again, and this is what I've got, I haven't pulled out a hex editor yet to verify the non armored files, but I've found surprisingly little help online about how these key files are internally structured:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version:
4 header chars ??
1517 pub key chars
4 footer chars ??
-----END PGP PUBLIC KEY BLOCK-----
and
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version:
4 different header chars from pub key ??
700 pub key chars
1772 private key chars (possibly some header/footer to do with the symmetric cipher)
817 pub key chars (same total 1517, exact same ASCII sequence if put together)
4 different footer chars from pub key ??
-----END PGP PRIVATE KEY BLOCK-----
Update 3:
Took a look at the binary pub/private keys and found that:
public key is 1138 bytes
4 unique bytes
1134 bytes found in private key as well
private key is 2467 bytes
4 unique bytes
524 of which are found verbatim in the public key
1329 of which are unique to the private key
38 bytes which are found verbatim in the public key (key name & Email address)
572 bytes which are found verbatim in the public key
There is a program called Paperkey[1], written by David Shaw[2], that extracts only the private key information from an exported OpenPGP private key.
Excerpt from the package description:
extract just the secret information out of OpenPGP secret keys
The Paperkey page has a version already built for Windows 32bit, and provides the source to compile on Linux, Unix, *BSD and OSX.
Paperkey is also available via the package manager on some Linux/BSD distributions.
Example package manager installs -
apt (debian) -
apt-get install paperkey
yum (redhat)
yum install paperkey
pkg (bsd)
pkg install paperkey
ports (bsd)
cd /usr/ports/security/paperkey
make install clean

Unable to get some pages to work with ssl (zpanel)

CA certificate installs and works fine, no security issues. I am able to use it for the WordPress admin area and the homepage (root) can be accessed securely no problem. Anytime the server tries to access HTTPS domain.com/anything it returns a 404 page.
I've been teaching myself AWS over the past two weeks and this is the first time I've needed to ask for help. Normally I can find the answers but this time I keep coming up cold. Thanks in advance.
Here are the examples:
https://www.pageantsuppliers.com
https://www.pageantsuppliers.com/cart
Short answer: you have a web server configuration problem.
Long answer: if you save the certificate you get from $ openssl s_client -connect www.pageantsuppliers.com:443 -CAfile startcom-ca.crt (just copy/paste it), the end entity (server certificate) looks OK:
$ openssl x509 -inform PEM -in pageantsuppliers-com.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 984131 (0xf0443)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
Validity
Not Before: Mar 9 18:28:34 2014 GMT
Not After : Mar 10 07:32:09 2015 GMT
Subject: description=tq5XRBjgh9USfQ68, C=US, CN=www.pageantsuppliers.com/emailAddress=87f13a43b0ac46298171a954f337671e.protect#whoisguard.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b6:1a:e0:2c:62:cb:74:f6:8a:82:a5:41:85:29:
fb:f6:68:7a:a1:68:04:ec:ea:fe:fc:a5:44:66:dc:
69:6f:d5:9b:2a:4a:b0:56:00:b9:65:c1:f9:a5:36:
f5:66:03:ee:d7:a3:22:7d:a2:eb:45:ba:28:b5:6d:
66:29:93:4b:a2:a7:21:d8:ca:fe:4f:43:4f:49:72:
10:ee:57:08:d5:27:39:e1:ad:56:9a:7a:24:25:e6:
91:6f:b5:8f:32:fb:3e:fc:30:2d:bd:53:7d:3b:d3:
f0:b7:a6:1f:eb:60:ea:92:37:5e:d9:da:f5:40:5a:
7b:aa:e3:ae:65:60:c0:11:bb:79:4d:08:85:7b:7d:
1d:e6:b3:7a:45:91:12:9f:c1:f4:54:9b:9b:a2:a0:
f5:e9:64:e2:4f:8f:c6:f3:f4:54:73:02:77:4b:d9:
6b:c0:47:84:8f:ea:b4:05:b9:39:0b:1e:f5:37:ee:
90:d6:87:e0:c3:15:56:db:e6:fa:b9:fa:4e:1f:36:
c8:df:c9:e8:3a:63:46:d2:e9:e6:07:67:00:6a:10:
d2:d1:40:19:1a:ac:f5:ef:17:28:73:05:6b:69:d1:
74:a8:7b:2e:92:13:fb:f5:d5:d3:57:a6:b6:9f:94:
34:68:c2:ff:8f:5a:8c:3b:8e:d5:c4:f7:6a:97:54:
a4:97
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Key Identifier:
DD:18:77:CF:57:39:39:EF:1E:B7:E0:25:09:D2:90:72:83:11:D3:9D
X509v3 Authority Key Identifier:
keyid:EB:42:34:D0:98:B0:AB:9F:F4:1B:6B:08:F7:CC:64:2E:EF:0E:2C:45
X509v3 Subject Alternative Name:
DNS:www.pageantsuppliers.com, DNS:pageantsuppliers.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.23223.1.2.3
CPS: http://www.startssl.com/policy.pdf
User Notice:
Organization: StartCom Certification Authority
Number: 1
Explicit Text: This certificate was issued according to the Class 1 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.startssl.com/crt1-crl.crl
Authority Information Access:
OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
CA Issuers - URI:http://aia.startssl.com/certs/sub.class1.server.ca.crt
X509v3 Issuer Alternative Name:
URI:http://www.startssl.com/
Signature Algorithm: sha1WithRSAEncryption
42:8e:78:33:a0:76:39:90:9c:53:b8:e7:7a:a4:06:6d:8a:7c:
f4:65:90:87:70:a9:da:b4:19:09:e2:dd:fd:75:39:c8:f8:bf:
d2:de:e7:0f:70:a8:92:71:2c:fe:45:5f:5b:14:e4:9b:80:1f:
54:7b:1a:37:b4:de:b7:fc:c8:d4:c6:7f:07:be:cc:16:cb:82:
08:12:ff:fe:14:cb:ac:64:83:17:a3:a0:f9:e1:97:6f:66:e8:
9b:13:d3:da:e5:be:c7:43:14:18:6d:bc:76:55:00:c4:8c:8e:
1e:0f:a1:21:46:e3:60:db:5a:1d:7f:61:49:43:55:d7:b6:1c:
af:b2:84:f2:e5:e8:f9:e4:db:ab:b6:38:26:74:cb:8d:69:f6:
9c:0b:ac:fd:bf:9b:c5:3b:3b:2c:16:72:69:7f:7e:7d:7c:37:
bd:f1:e1:83:5e:42:ed:9c:0e:c3:b5:e1:6d:f3:91:ec:07:ff:
7d:12:4c:37:73:5d:9f:be:d2:55:8e:ef:c5:48:3d:7d:d5:cb:
0c:e1:75:ef:dd:0c:8e:46:50:0a:9a:3c:72:28:8d:c0:31:df:
65:06:44:e0:af:3f:0f:7e:de:04:10:be:a0:e9:b9:c6:03:b8:
38:fe:b1:a7:fb:af:b7:6f:82:10:7a:a6:38:50:07:9e:5b:19:
e1:a6:bf:95
The issuer is StartCom Class 1 Primary Intermediate Server CA, which should be OK. And StartCom Class 1 Primary Intermediate Server CA's issuer is StartCom Certification Authority, which should also be OK.
However, when issuing a GET:
$ echo "GET / HTTP/1.1" | openssl s_client -connect www.pageantsuppliers.com:443 -CAfile ca-bundle.pem -servername www.pageantsuppliers.com
CONNECTED(00000003)
depth=3 C = IL, O = StartCom Ltd., CN = StartCom Certification Authority G2
verify return:1
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = tq5XRBjgh9USfQ68, C = US, CN = www.pageantsuppliers.com, emailAddress = 87f13a43b0ac46298171a954f337671e.protect#whoisguard.com
verify return:1
---
...
Start Time: 1394991510
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
It appears there is no web server serving content on that port. The DONE above should be replaced with raw HTML because s_client simply prints what it receives. You can also add -pause -ign_eof to keep the connection open, but that's not your problem (see s_client(1) docs).
You have a web server configuration problem.
I ended up hiring someone on freelancer to figure it out for me. Well worth the $39. Here is what he said so that others can share in the knowledge.
From roonex on freelancer:
I edited this file: /etc/httpd/conf.d/ssl.conf and at the end, just
before the closing tag, I added this code:
<Directory /var/zpanel/hostdata/zadmin/public_html>
AllowOverride none
Order Allow,Deny
Allow from all
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</Directory>
The problem was that for ssl you have to tell the virtual host to use
same folder for http and https, in plesk or cpanel you have to check
only one checkbox to do this, but for zpanel you have to do this
change in the ssl.conf
After this just restart the apache and it will be fixed
