TL;DR
For everything to work and not only your browser, you need to add that CA certificate to the system's trusted CA repository.
In ubuntu:
- Go to /usr/local/share/ca-certificates/
- Create a new folder, i.e. "sudo mkdir school"
- Copy the .crt file into the school folder
- Make sure the permissions are OK (755 for the folder, 644 for the file)
- Run "sudo update-ca-certificates"
Why
Let me explain what is going on also, so the other posters see why they don't need any certificate to use Github over HTTPS.
What is going on there is that your school is intercepting all the SSL communications, probably in order to monitor them.
To do that, what they do is in essence a "man in the middle" attack, and because of that, your browser complains rightfully that he is not being able to verify github's certificate. Your school proxy is taking out github's cert and instead providing its own cert.
When your browser tries to verify the school's provided cert against the CA that signed github's cert, it rightfully fails.
So, for the SSL connection to work in the school, you need to consciously accept that "MITM" attack. And you do that by adding the school's CA certificate as a trusted one.
When you trust that school CA, your verification of the fake github cert will work, since the fake github cert will be verified by the school CA.
Be aware that SSL connection is not safe anymore since your school administrator will be able to intercept all your encrypted connections.
I "fixed" the configuration by myself, with a bit of luck.
The issue seems to have been caused by the default configuration Ubuntu is shipping with Apache v2.x.
After enabling the needed modules with something like
sudo a2enmod ssl
sudo a2enmod headers
sudo a2enmod socache_shmcb
I also enabled the "default SSL site" with
sudo a2ensite default-ssl
Then added my own stuff in the /etc/apache2/sites-enabled
directory.
I added something like:
01-mysite.conf
02-other.conf
03-thistoo.conf
After running certbot --apache
the directory content became:
01-mysite-le-ssl.conf
01-mysite.conf
02-other-le-ssl.conf
02-other.conf
03-thistoo-le-ssl.conf
03-thistoo.conf
The problem came from the fact that the "default SSL site" configuration file is called default-ssl.conf
while the "default plaintext site" configuration is called 000-default.conf
.
In my specific case, then, default-ssl.conf
was the last one to be read by Apache v2.x from the sites-enabled
directory:
000-default.conf
01-mysite-le-ssl.conf
01-mysite.conf
02-other-le-ssl.conf
02-other.conf
03-thistoo-le-ssl.conf
03-thistoo.conf
default-ssl.conf
By "simply" renaming default-ssl.conf
to 000-default-ssl.conf
I started having things working, after a mandatory reload: systemctl apache2 reload; systemct apache2 status
!
The very same nmap
command seen in the question now returns the expected results:
$ nmap -A -Pn -p 443 mysite.com.
Nmap scan report for mysite.com. (1.2.3.4)
Host is up (0.044s latency).
Other addresses for mysite.com. (not scanned): 1234:1234:123:1234::
rDNS record for 1.2.3.4: host1.hosting.net
PORT STATE SERVICE VERSION
443/tcp open ssl/http Apache httpd 2.4.41
| tls-alpn:
|_ http/1.1
|_http-title: 421 Misdirected Request
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=host1
| Subject Alternative Name: DNS:host1
| Not valid before: 2022-11-06T10:22:12
|_Not valid after: 2032-11-03T10:22:12
Service Info: Host: 127.0.0.1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds
It seems nmap
doesn't know how to place a well-formed HTTPS SNI request.
But now we have: 443/tcp open ssl/http Apache httpd 2.4.41
: now it's ssl/http
, not just http
!
Lesson learned: with SSL/TLS and SNI, order matters. And a lot too!
As a very minor side note, I cleaned up the non-SSL (aka "HTTP") configuration file like this:
<VirtualHost _default_:80>
ServerName mysite.com # <-----------------.
RewriteEngine on # | THE SAME
RewriteCond %{SERVER_NAME} =mysite.com # <-'
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
All other configuration stuff has been moved into the SSL-enabled configuration. Simple and effective!
I really hope this will help others.
Best Answer
Good is subjective? Does it mean easy? Quick? Free? I think Let's Encrypt is good, but that is just my opinion.
Before I properly answer the question, I need to clarify something. Let's Encrypt is a free trusted certificate authority that issues SSL certificates. Certbot is the tool that Let's Encrypt recommends to actually get, and automatically set up, the certificates.
Let's Encrypt does have some issues, but for a small site ran by an Apache server, for a few people, it should be fine. If you are curious, take a look at this Security SE question that explains potential issues with Let's Encrypt.
To enable
https://
, you need to get a certificate trusted by your client's computers*.There are plenty of guides out there, but I suggest the official one, as it is pretty good. I'm assuming you have SSH (or shell) access to your Apache server, and that it is publically accessible. Head over to the Cerbot website. Fill out what your server is running on. For this answer, I selected Apache and Ubuntu 20.04 based on your question, but you should select whatever is correct for you.
sudo snap install core && sudo snap refresh core
sudo snap install --classic certbot
/usr/bin
foldersudo ln -s /snap/bin/certbot /usr/bin/certbot
If you want it to auto-install the certificate, run
sudo certbot --apache
. If you prefer to make the changes to the config file yourself, runsudo certbot certonly --apache
. The Let's Encrypt certificates expire after 90 days. So, it can automatically renew them for you. Runsudo certbot renew --dry-run
to test auto-renewal. If it works fine (without errors) then auto-renewal is good to go.Reboot the server, and then your website should work with
https
.*Technically, you could make your own, but it would display in their browsers that it isn't trusted, so you really shouldn't.