Luca favaro's picture

I've been trying to set up turnkey mediawiki to use https and a wildcard certificate without any luck. I would also like to set up a redirect from the http site on port 80 to 443.

This is a fresh installation

I've read hundreds of forums and followed each and every suggestion but in the best case I would get something working but that would break something else.

I have my .pem, .crt and .key files loaded under /etc/ssl/certs

My configuration files /etc/mediawiki/apache.conf and /etc/mediawiki/localsettings.php are now back to their original 

I can see the main page when I go to http://wiki.domain.com/index.php/Main_Page and https://wiki.domain.com/index.php/Main_Page but in the case of https it is showing a warning and I can see it is using the self-signed certificate. Evidently it is not using my wildcard certificate.

Any help is appreciated

Luca

Luca favaro's picture

Anyone out there willing to help out?

Now I tried replacing the cert.pem files under /etc/ssl/certs with my own certificates

but on the webpage I still get the error and when I look at the certificate it tells me it is still the self-signed one....

I believe the configuration file for apache is /etc/apache2/sites-available/default-ssl.conf

because when I change something there I can see it is actually changing on the page.

right now I have changed these lines in the file

        SSLCertificateFile    /etc/ssl/certs/cert.pem
        SSLCACertificateFile  /etc/ssl/certs/Go_Daddy_Root_Certificate_Authority_-_G2.pem

I don't know where else to look...

Jeremy Davis's picture

Firstly you should be able to redirect http to https (port 80 to port 443) by replacing the existing lines within the Apache mediawiki conf file relating to port 80 (/etc/mediawiki/apache.conf) with this instead:

        RewriteEngine on
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]

Regarding the SSL cert location; in v14.0 we tightened the security screws a bit. Part of that was moving the default cert location from /etc/ssl/certs to /etc/ssl/private. Also the modification you put in /etc/apache2/mods-available/ssl.conf should work and is the sensible place to declare a server-wide wildcard cert IMO. However if a cert location is declared in any of the enabled Apache virtualhost conf files (any that are in /etc/apache2/sites-enabled) then that setting will override it.

Regarding the /etc/apache2/sites-available/default-ssl.conf file; that virtualhost conf file should actually be disabled or it will probably clash with the ssl settings in the mediawiki site file (which is actually /etc/mediawiki/apache.conf as noted above).

To see what sites are enabled have a peek in the aptly named /etc/apache2/sites-enabled directory. E.g.

ls -l /etc/apache2/sites-enabled

By default that should only include mediawiki.conf (which will be a symlink to /etc/apache2/sites-available/mediawiki.conf; which in turn will be a symlink to /etc/mediawiki/apache.conf). Check that to see if it declares certs anywhere; if it does (and you have certs declared how you want in /etc/apache2/mods-available/ssl.conf) then you can safely delete any lines relating to certs (from your /etc/mediawiki/apache.conf and/or any of the sites listed in /etc/apache2/sites-enabled). Once you are done you need to restart Apache to apply your new config.

service apache2 restart

Also as a word of caution I would advise that you do these changes (redirect http to https & add CA cert) separately (both will require Apache restart). Then if something doesn't work as it should you have a good idea where to start looking...
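
A read-only way to carry out the check described in the answer above, as an added example that is not part of the original posts or TurnKey's own tooling: it follows the sites-enabled symlinks and lists every uncommented certificate directive, so a virtualhost that overrides the intended cert is visible. The function names and the `SITES_ENABLED` variable are hypothetical.

```shell
#!/bin/sh
# Added example: read-only audit of certificate directives in enabled Apache sites.

# Print "<real file>:<line>:<directive> <path>" for every uncommented
# certificate directive in the files (usually symlinks) inside directory $1.
list_cert_directives() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skips an empty dir and broken symlinks
        real=$(readlink -f "$f")         # follow the symlink chain to the real conf
        awk -v file="$real" '
            { line = $0; sub(/^[ \t]+/, "", line) }
            line ~ /^#/ { next }         # commented-out directives are inactive
            tolower(line) ~ /^ssl(certificate(file|keyfile|chainfile)|cacertificatefile)[ \t]/ {
                split(line, a, /[ \t]+/)
                gsub(/"/, "", a[2])      # Apache allows quoted paths
                print file ":" NR ":" a[1] " " a[2]
            }' "$real"
    done
}

# Succeed if the stock default-ssl site is enabled alongside the wiki's own site.
default_ssl_enabled() {
    [ -e "$1/default-ssl.conf" ]
}

# Assumption: Debian-style layout as on the page; override with SITES_ENABLED.
SITES=${SITES_ENABLED:-/etc/apache2/sites-enabled}
if [ -d "$SITES" ]; then
    list_cert_directives "$SITES"
    if default_ssl_enabled "$SITES"; then
        echo "default-ssl.conf is enabled and may clash with the mediawiki site" >&2
    fi
fi
```

Any path it prints that is not the wildcard cert is a candidate for the line overriding the server-wide setting.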
