{"id":9660,"date":"2022-11-21T20:58:42","date_gmt":"2022-11-21T20:58:42","guid":{"rendered":"https:\/\/stevepedwards.today\/DebianAdmin\/?p=9542"},"modified":"2025-06-01T07:59:27","modified_gmt":"2025-06-01T06:59:27","slug":"ssl-on-ubuntu-apache2-creating-self-signed-certificates-checking-ssl-traffic-with-tcpdump-and-wireshark","status":"publish","type":"post","link":"https:\/\/stevepedwards.today\/DebianAdmin\/ssl-on-ubuntu-apache2-creating-self-signed-certificates-checking-ssl-traffic-with-tcpdump-and-wireshark\/","title":{"rendered":"SSL on Ubuntu Apache2 – Creating Self Signed Certificates, Checking SSL Traffic with TCPDUMP and Wireshark"},"content":{"rendered":"
<\/div>\n

<\/path><\/svg><\/i> \"Loading\"<\/p>\n

<\/div>\n

Programmers need to write their web apps for secure server hosting practically universally now, so you should also be writing them in VS Code\/other IDE with a Live Server set up for SSL as in the last Post, but if you also write at home and host on a local apache2 server or similar, it should also be using SSL too so you know your creation works on SSL(TLS)\/HTTPS\/port 443 platforms, rather than be surprised when first loaded to a secure web host...<\/p>\n

Is my SSL connection encrypted if the locally created certificate isn't trusted?
\nYes - you can see the pink packet in Wireshark on port 443 - so how do you install a certificate on linux Apache2? Read on..:<\/p>\n

\"\"<\/a><\/p>\n

SSL consists of two major parts:<\/p>\n

the encryption of the data
\nthe validation that you are actually talking to the expected server
\nIf you get the warning about an untrusted certificate than the encryption will still work, but you cannot be sure that you are talking to the expected server. This means a man in the middle attack might be possible where an active attacker will decrypt, sniff, and re-encrypt the traffic. That is instead of this:<\/p>\n

Browser <----------- encrypted -----------------------> Bank
\nyou get this:<\/p>\n

Browser <-- encrypted --> Attacker <--- encrypted ----> Bank
\nIn this case the attacker can sniff all data (passwords etc) and even modify the data and the client will not notice it. The connections are still encrypted, but not end-to-end (browser-to-server) but browser-to-attacker and again attacker-to-server.<\/p>\n

Usually you should not override the warning by the browser because chances are high that there is a man in the middle attack going on. Only in the case where you know that the certificate is the expected one (verify fingerprint, not just the subject of the certificate) you can override the warning.<\/p>\n

Note that there are cases of legal man in the middle attacks, i.e. SSL interception done by antivirus proxies or by middleboxes (firewalls) so that these can analyse the encrypted traffic. In this case your computer is either automatically configured to trust these certificates or you need to explicitly import the proxy-CA which signed the new certificates. If you are having such kind of problem while using your own computer inside the company please ask the network administrator how you should proceed and don't simply accept the certificates.<\/p>\n

Step 1: This step before amending \/etc\/apache2\/sites-available\/default-ssl.conf:<\/p>\n

sudo a2enmod ssl<\/span><\/p>\n

Step 2 \u2013 Creating the SSL Certificate<\/p>\n

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \/etc\/ssl\/private\/apache-selfsigned.key -out \/etc\/ssl\/certs\/apache-selfsigned.crt<\/span><\/p>\n

Common Name (eg, your name or your server's hostname) []:localhost<\/p>\n

ls \/etc\/ssl\/certs\/apache-selfsigned.crt<\/span>
\n\/etc\/ssl\/certs\/apache-selfsigned.crt<\/span><\/p>\n

Step 3 \u2013 Configuring Apache to Use SSL - create a local server named conf file:<\/p>\n

cd \/etc\/apache2\/sites-available<\/span><\/p>\n

stevee@localhost:\/etc\/apache2\/sites-available$ ls<\/span>
\n000-default.conf default-ssl<\/span><\/p>\n

make a conf file for your new SSL site for your server name:<\/p>\n

stevee@localhost:\/etc\/apache2\/sites-available$ sudo touch localhost.conf<\/span><\/p>\n

stevee@localhost:\/etc\/apache2\/sites-available$ ls<\/span>
\n000-default.conf localhost.conf default-ssl<\/span><\/p>\n

stevee@localhost:\/var\/www$ sudo a2ensite<\/span><\/p>\n

Your choices are: 000-default localhost default-ssl<\/span>
\nWhich site(s) do you want to enable (wildcards ok)?<\/span><\/p>\n

localhost<\/span>
\nEnabling site localhost.<\/span>
\nTo activate the new configuration, you need to run:<\/span>
\nsystemctl reload apache2<\/span><\/p>\n

Add the following red settings to your empty site file to suit your site and folders where you created the certificates :<\/p>\n

sudo vi \/etc\/apache2\/sites-available\/localhost.conf<\/span><\/p>\n

<IfModule mod_ssl.c><\/span>
\n<VirtualHost *:443><\/span><\/strong>
\nServerAdmin webmaster@localhost<\/span>
\nServerName localhost<\/span>
\nDocumentRoot \/var\/www<\/span><\/p>\n

SSLEngine on<\/span><\/strong>
\nSSLCertificateFile \/etc\/ssl\/certs\/apache-selfsigned.crt<\/span><\/strong>
\nSSLCertificateKeyFile \/etc\/ssl\/private\/apache-selfsigned.key<\/span><\/strong>
\n<\/VirtualHost><\/span><\/p>\n

sudo apache2ctl configtest<\/span>
\nSyntax OK<\/p>\n

sudo systemctl reload apache2<\/span><\/p>\n

Step 4 \u2014 Redirecting HTTP to HTTPS<\/p>\n

sudo vi \/etc\/apache2\/sites-enabled\/000-default.conf<\/span><\/p>\n

<VirtualHost *:80><\/span>
\n#ServerName www.example.com<\/span>
\nServerName localhost<\/span><\/strong><\/p>\n

DocumentRoot \/var\/www<\/span><\/strong>
\nRedirect \/ https:\/\/stevepedwards.today\/<\/span><\/strong><\/p>\n

Save the file in vim with<\/p>\n

:wq<\/span><\/p>\n

sudo apachectl configtest<\/span>
\nSyntax OK<\/p>\n

sudo systemctl reload apache2<\/span><\/p>\n

Now you can browse to your home site and change the address bar prefix to https:\/\/ OR hit Shift-F5 to make your page cache refresh to get the new SSL site.<\/p>\n

As the certificate is self-signed so unverified, the browser will complain:<\/p>\n

\"\"<\/a><\/p>\n

Continue on and you will get to your site but with the HTTPS struck through - but as seen in wireshark - the traffic IS still encrypted on port 443 using TLS:<\/p>\n

\"\"<\/a><\/p>\n

To capture and read the packets using tcpdump and wireshark:<\/p>\n

sudo apt install wireshark tcpdump<\/span><\/p>\n

tcpdump can only write to files of particular suffix - a dump.txt file for example will give a Permission Denied.<\/p>\n

dump.pcap works fine.<\/p>\n

Capture a small file of SSL traffic by being ready to click to your non HTTPS site once you start tcpdump running - stop the capture with Ctrl-C - as this checks that the re-direct from http port 80 to SSL port 443 works AND the site traffic captured is encrypted:<\/p>\n

sudo tcpdump -i ens5 -w dump.pcap<\/span><\/p>\n

Now you can read it back on the local server where Wireshark is installed to give the screen view at the start of the Post - it needs an xserver, so you cannot see output over remote SSH without further tech wizardry to run a GUI app over SSH:<\/p>\n

ssh -X stevee@192.168.1.11<\/span><\/p>\n

once logged in, cd to the dumpfile folder on the Apache server, and in it's full 27 inch, Win11, remote monitor glory you see Transport Layer Security version 1.3 used for the encryption:<\/p>\n

wireshark -r dump.pcap<\/span><\/p>\n

\"\"<\/a><\/p>\n

The \"HTTPS struck through\" and \"Not Secure\" message in the browser bar (or similar warnings like \"Your connection is not private\") is entirely due to the certificate being self-signed.<\/strong><\/p>\n

Here's why this happens:<\/p>\n

    \n
  1. Trust Chain:<\/strong> When your browser connects to an HTTPS website, it receives a certificate from the server. The browser then tries to verify this certificate by checking if it's been signed by a trusted Certificate Authority (CA). All major browsers (Chrome, Firefox, Edge, Safari) come with a pre-installed list of widely recognized and trusted CAs (like DigiCert, Let's Encrypt, GlobalSign, etc.).<\/li>\n
  2. Self-Signed Means Untrusted:<\/strong> A self-signed certificate is one that you<\/em> (or your server, in this case, Apache) created and signed yourself, rather than getting it from a recognized CA. Since your browser doesn't recognize your \"signing authority\" as a trusted CA, it flags the connection as \"Not Secure\" because it cannot verify the identity of the server. It doesn't mean the encryption isn't working; it just means the browser can't confirm who you are.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"
    <\/div>\n

    <\/path><\/svg><\/i> \"Loading\"<\/p>\n

    <\/div>\n

    Programmers need to write their web apps for secure server hosting practically universally now, so you should also be writing them in VS Code\/other IDE with a Live Server set up for SSL as in the last Post, but if you also write at home and host on a local apache2 server or similar, it ...\u00a0 SSL on Ubuntu Apache2 – Creating Self Signed Certificates, Checking SSL Traffic with TCPDUMP and Wireshark<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-9660","post","type-post","status-publish","format-standard","hentry","category-post"],"a3_pvc":{"activated":true,"total_views":29,"today_views":0},"_links":{"self":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/9660","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/comments?post=9660"}],"version-history":[{"count":14,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/9660\/revisions"}],"predecessor-version":[{"id":10278,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/9660\/revisions\/10278"}],"wp:attachment":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/media?parent=9660"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/categories?post=9660"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/tags?post=9660"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}