
help with SSL
Mac Elite
Join Date: Sep 2000
Location: New York
Jul 25, 2003, 04:27 PM
I have this computer with Mandrake 9.1 installed and I want to use SSL, but the built-in certificate gives a weird warning in IE for Windows (I'm not at my Mac to see what it looks like at home yet). I know nothing about SSL and I would like to know what I need to do to make the certificate say the name of my web site so that people will trust it, and hopefully avoid that warning coming up altogether.

I would appreciate anyone who could help me out with this. Thanks.
     
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Jul 25, 2003, 08:49 PM
Originally posted by waffffffle:
I have this computer with Mandrake 9.1 installed and I want to use SSL, but the built-in certificate gives a weird warning in IE for Windows (I'm not at my Mac to see what it looks like at home yet). I know nothing about SSL and I would like to know what I need to do to make the certificate say the name of my web site so that people will trust it, and hopefully avoid that warning coming up altogether.

I would appreciate anyone who could help me out with this. Thanks.

Do this:

cd /usr/share/ssl/certs
make

It should tell you what to do from there. You can also read the Makefile in that folder and/or /usr/share/ssl/openssl.cnf to get an idea of what is going on. Basically you want to generate a self-signed cert.
-DU-...etc...
     
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Jul 25, 2003, 10:12 PM
If you want people to trust your certificate, you have to buy it from a trusted authority like Verisign or Thawte.

It'll cost you between $50 and $100/year for a certificate from a reputable authority. There are lesser authorities that work in some browsers that will sell you a certificate for around $35.

If your concern is simply good encryption, you can self-sign. But if you do that, all of your users will be asked to accept your certificate when they first visit.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
     
Mac Elite
Join Date: Sep 2000
Location: New York
Jul 26, 2003, 03:14 PM
Hmm, that's annoying. My server is running on my school's dorm network. Do you think it is possible that my school might be able to share a certificate with other on-campus servers? Is that something that is normally done (like a university-wide site license, but for a certificate)?
     
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Jul 26, 2003, 05:15 PM
Originally posted by waffffffle:
Hmm, that's annoying. My server is running on my school's dorm network. Do you think it is possible that my school might be able to share a certificate with other on-campus servers? Is that something that is normally done (like a university-wide site license, but for a certificate)?

Not sure about the rules for that. Most likely you will have to talk to at least your local network admins. Obviously they can't allow just anyone who asks for the cert to have a copy whether there is a sitewide license or not.

Personally I see nothing wrong with self-signed certs. Sure your users have to click on [Accept] once... but that is no big deal. There was a time when you had to do that with Verisign (and other certs) also. It is more or less quite obvious it is about security and encryption and whatnot. A self-signed certificate is no less trustworthy than one from Verisign.
-DU-...etc...
     
Mac Elite
Join Date: Sep 2000
Location: New York
Jul 26, 2003, 05:53 PM
OK, well Safari gives me a warning and it doesn't really say much as far as who the certificate is from. Basically I want to make my site secure because I have most of the site restricted via password and I don't want the passwords flying across my school's dorm network unencrypted.
     
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Jul 26, 2003, 07:05 PM
Originally posted by waffffffle:
OK, well Safari gives me a warning and it doesn't really say much as far as who the certificate is from. Basically I want to make my site secure because I have most of the site restricted via password and I don't want the passwords flying across my school's dorm network unencrypted.

In that case self-signed certs are perfect for that. The commercial certs are for stuff like banking and financial transactions (stocks, eBay, PayPal, banking, bills, etc.).

For everyday secure stuff like email, file transfers, secured web content and so on you don't need to pay $$$ to some CA company.

I don't have an OS X box right now... isn't there a thing to view the details of certificate (Mozilla has it)? Or a certificate management utility under prefs somewhere?
-DU-...etc...
     
Mac Elite
Join Date: Sep 2000
Location: New York
Jul 27, 2003, 04:55 PM
Well IE for Mac (9 and X) says "the identity certificate is invalid" and refuses to load my site using SSL. I want to prevent something like that from happening.

There's this script that I tried to use to generate a certificate but I have no idea if it worked. I just want my certificate to say my web site name on it so people know where it's coming from.
     
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Jul 28, 2003, 06:55 AM
Originally posted by waffffffle:
Well IE for Mac (9 and X) says "the identity certificate is invalid" and refuses to load my site using SSL. I want to prevent something like that from happening.

There's this script that I tried to use to generate a certificate but I have no idea if it worked. I just want my certificate to say my web site name on it so people know where it's coming from.

That is strange. Usually I get asked whether to accept or not. I will check with my certs.

Your second paragraph is somewhat devoid of useful content. What "script" did you use? The one I suggested earlier? Simple way to test a new cert is to browse to your website.

Usually a cert will have a LOT more information than just the website name. Once it is set up correctly AND the user accepts it... then they should never have to see it again from that particular browser on that particular machine (or account).
-DU-...etc...
     
Mac Elite
Join Date: Sep 2000
Location: New York
Jul 28, 2003, 08:15 AM
I was looking around and found /usr/lib/ssl/apache2-mod_ssl/gentestcrt.sh and ran it. It asked me for information like my company name, email, etc. Then it asked for it all again. I thought this would have changed the certificate from the "localhost" default certificate to the new one with my company name, but apparently it hasn't. I'm not really sure what to do to make it use this new certificate, assuming that this new one is any good.
     
Mac Elite
Join Date: Sep 2000
Location: New York
Jul 28, 2003, 10:20 AM
OK so I figured out where the 2 files server.key and server.crt go. However now when I try connecting to my site using https I get an error and it won't connect. It works fine using http. I am using IE 6 here at work. It says either server not found or DNS error. I don't understand why that would be a problem if it works fine using http. Any ideas?
     
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Jul 28, 2003, 06:16 PM
Originally posted by waffffffle:
OK so I figured out where the 2 files server.key and server.crt go. However now when I try connecting to my site using https I get an error and it won't connect. It works fine using http. I am using IE 6 here at work. It says either server not found or DNS error. I don't understand why that would be a problem if it works fine using http. Any ideas?

Are you going through a proxy server? Try direct connect (turn off proxy settings).

Really I am not sure what the problem is that you are having. For me (I use Red Hat 7.3 on my servers) I have never had a problem with it.
What version of Apache are you using? What version of OpenSSL? Have you written a phpinfo file and browsed to it? It will give you a ton of info on how Apache is set up on your server. Do you have a local Linux guru who can help you out? Have you read the docs and forums over at http://www.mandrake.com ?
-DU-...etc...
     
Mac Elite
Join Date: Sep 2000
Location: New York
Jul 29, 2003, 03:33 PM
Originally posted by utidjian:
Are you going through a proxy server? Try direct connect (turn off proxy settings).

Really I am not sure what the problem is that you are having. For me (I use Red Hat 7.3 on my servers) I have never had a problem with it.
What version of Apache are you using? What version of OpenSSL? Have you written a phpinfo file and browsed to it? It will give you a ton of info on how Apache is set up on your server. Do you have a local Linux guru who can help you out? Have you read the docs and forums over at http://www.mandrake.com ?

NO proxy server.

Apache-AdvancedExtranetServer/2.0.44 (Mandrake Linux/11mdk) mod_perl/1.99_08 Perl/v5.8.0 mod_ssl/2.0.44 OpenSSL/0.9.7a PHP/4.3.1

I've looked at the phpinfo file. I know where the crt and key files are supposed to go. I just don't understand why all of a sudden it won't work at all. Also Mandrake wants you to pay for their forums.
     
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Jul 29, 2003, 09:23 PM
Originally posted by waffffffle:
NO proxy server.

Apache-AdvancedExtranetServer/2.0.44 (Mandrake Linux/11mdk) mod_perl/1.99_08 Perl/v5.8.0 mod_ssl/2.0.44 OpenSSL/0.9.7a PHP/4.3.1

I've looked at the phpinfo file. I know where the crt and key files are supposed to go. I just don't understand why all of a sudden it won't work at all. Also Mandrake wants you to pay for their forums.

Darn... yeah I forgot about that with the Mandrake forums.... but moving along. You are at Princeton, correct? I am not all that far away (Ramapo College of New Jersey). Did you check with your local Linux people at Princeton? http://www.princeton.edu/cgi-bin/Pho...pl?Qname=linux
There's gotta be someone nearby willing to help. It is probably something that would take a few minutes at the console.

Did you run a:

tail -f /var/log/httpd/access_log

on the server while trying to access the SSL pages? You may also want to run:

tail -f /var/log/httpd/error_log

And see if anything is showing up there.
That is what lots of terminals are good for ;-).
There may also be a problem on the client side...

Did you by any chance save the old cert files... so you can replace them?
-DU-...etc...
     
Mac Elite
Join Date: Sep 2000
Location: New York
Jul 30, 2003, 12:22 PM
Originally posted by utidjian:
Darn... yeah I forgot about that with the Mandrake forums.... but moving along. You are at Princeton, correct? I am not all that far away (Ramapo College of New Jersey). Did you check with your local Linux people at Princeton? http://www.princeton.edu/cgi-bin/Pho...pl?Qname=linux
There's gotta be someone nearby willing to help. It is probably something that would take a few minutes at the console.

Did you run a:

tail -f /var/log/httpd/access_log

on the server while trying to access the SSL pages? You may also want to run:

tail -f /var/log/httpd/error_log

And see if anything is showing up there.
That is what lots of terminals are good for ;-).
There may also be a problem on the client side...

Did you by any chance save the old cert files... so you can replace them?

First off, none of those ldap entries that you're looking at are actually real people. There is a Princeton Unix Group, a student organization, and I am on the mailing list. However I have already been told by everyone on that list that I shouldn't be using Mandrake but my server is sitting locked in a closet in Princeton while I am several hundred miles away right now. I really can't install Red Hat that way.

I switched back to the old certificates and it goes back to throwing up security warnings, but it will again connect using https. The old certificate says "localhost" as the name of the site. I want my cert to say my site's name. I'm not really sure how to do that.

I also tried using a set of .crt and .key files that are in this folder but called server.crt.rpmnew and server.key.rpmnew but they seem to have the same effect as the default ones, except that they expired in 2002.
     
Mac Elite
Join Date: Sep 2000
Location: New York
Jul 30, 2003, 12:25 PM
Also there is a file in that directory called README.test-certificates that contains the following text:

Use the /usr/lib/ssl/apache2-mod_ssl/gentestcrt.sh script to generate your own, self-signed certificates to replace the localhost server name.

That is the script that I have been running. When I run it while my working directory is /etc/ssl/apache/ which is the location of the .crt and .key files, it generates a new .crt and .key file in that directory. However it refuses to run while there are files called server.crt and server.key in that directory, so I have to rename my current ones to use ones generated by the script. However when I use files generated by the script https won't work and I get the "do not found" errors.
     
Mac Elite
Join Date: Sep 2000
Location: New York
Jul 30, 2003, 12:36 PM
Ahhh! Now apache won't start! My server is down! I tried to use the script one more time and now this happens:

# apachectl graceful
Reloading httpd-perl: [ OK ]
Reloading httpd2: [FAILED]


I tried starting apache without any files and I tried switching the old files back. Nothing will start apache and now I'm screwed because my server won't start and I have no idea how to fix this remotely.
     
Mac Elite
Join Date: Sep 2000
Location: New York
Jul 30, 2003, 01:24 PM
OK so after much panicking I finally got apache up and running again by running /usr/sbin/httpd2 directly. However now my server is serving up php files as downloads. I don't know what I messed with that could have changed this behavior, however I have found that I can only start apache that way. Trying to start it using apachectl start doesn't work (it fails). Any ideas?
     
Mac Elite
Join Date: Sep 2000
Location: New York
Jul 30, 2003, 02:33 PM
ahhhh, so everything is back to normal now, and my certs still don't work. any ideas?
     
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Aug 1, 2003, 11:03 AM
Originally posted by waffffffle:
ahhhh, so everything is back to normal now, and my certs still don't work. any ideas?

Not sure what you mean by "don't work". Do you mean you can not access the URL that is covered by the new certs at your site? Do you mean that you still get a warning popup about the site? Can you click on "Accept" (or whatever) and the warning no longer appears when you return to that URL?

If you get the warning popup but can "Accept" it... and no longer get the warning then your self-signed certs are working as well as they ever will. The ONLY way I know of to NOT have the initial warning popup is to get an "official" cert from a CA like Verisign or whatever. That is the way it is.
However... after the initial popup and acceptance of the cert you should no longer be bothered by the popup from that particular web browser using that particular user account accessing that particular URL.

If you can not access the URL at all with the new certs then you will have to look at the log files I mentioned earlier to determine what is going wrong specifically.

If you don't mind my asking, what is the URL?

Personally, for my own sites and for my users, I don't have a problem with self-signed certs. As long as I keep the keys secure my users can be reasonably sure that they are accessing the correct URL and the site is what it claims to be.

In reference to your earlier post about the Princeton-Linux resources... what did they recommend to you for a Linux flavor? What was their advice on server setup? (just curious). While I prefer Red Hat for server and workstation I have tried most every other major flavor. Some are very good... some are not... some may be better than Red Hat. The reason I stay with it is because I already know it quite well. Red Hat tends to be well made, well documented and there are plenty of "free" resources when it comes to configuring it. I have never had much luck with MDK... not for lack of trying. I usually try to be agnostic about Linux distros on forums because the "my whatever is better than your whatever" dicksize discussions are never really useful.

-DU-...etc...
     
Mac Elite
Join Date: Sep 2000
Location: New York
Aug 4, 2003, 02:24 PM
What I mean is that my cert still says Issued to: localhost.0J5S2sq and Issued by: localhost.0J5S2sq and For testing purposes only. I can't seem to get it to use a self made cert.

Most of the students like gentoo but I'm not really keen on having to compile every minor update.

I have no problem with the initial warning. But I want the cert to say my site's name and I want users to have the ability to trust my site once so that they don't have to keep accepting our cert.

I personally chose Mandrake after reading about the ease of installation and I thought that since I'm a Mac user I would want to go with the most friendly distro out there. Well it wasn't all that easy to install and I've had many problems with it. If I had to do it all over again I'd choose Red Hat, which most students have been recommending to me after the fact (when I asked for advice beforehand everyone said gentoo).
     
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Aug 7, 2003, 08:59 AM
Originally posted by waffffffle:
What I mean is that my cert still says Issued to: localhost.0J5S2sq and Issued by: localhost.0J5S2sq and For testing purposes only. I can't seem to get it to use a self made cert.

Most of the students like gentoo but I'm not really keen on having to compile every minor update.

I have no problem with the initial warning. But I want the cert to say my site's name and I want users to have the ability to trust my site once so that they don't have to keep accepting our cert.

I personally chose Mandrake after reading about the ease of installation and I thought that since I'm a Mac user I would want to go with the most friendly distro out there. Well it wasn't all that easy to install and I've had many problems with it. If I had to do it all over again I'd choose Red Hat, which most students have been recommending to me after the fact (when I asked for advice beforehand everyone said gentoo).

Look in your /etc/httpd/conf/httpd.conf file (your Apache config file). Is the directive in that file pointed to your newly made self-signed certs?

My httpd.conf file has a line like this:

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

and another like this:

SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

There are no other self-signed certs/keys pointed to in my httpd.conf file. I made those keys myself and they work. The client gets a popup warning asking them to accept (or reject) the certs. If they click "accept" that is the last time they will see it from that particular machine/browser/account. If I change the certs or they time out they will get the popup again.

On my servers I made the certs with the commands:

cd /etc/httpd/conf/
make server.key
make server.crt

and followed the prompts. Restarted the apache server:

service httpd restart

All done!

I have tried Gentoo. It is a pretty good distro. I chose the "Level 1" (or is it Level 3) install where one has to build everything from source. It took a couple of weeks to get most everything built, installed, and configured. One can also do a "binary only" or "mostly binary" install and it takes MUCH less time. But I wanted to see if there really was a performance boost from having a custom built everything Linux installation. In the end, if there was any boost, I couldn't tell the difference between a Gentoo box and a Red Hat box with identical hardware. After doing all that fiddling and waiting to get a single workstation all setup I certainly got the feeling that I was "one with the system" or whatever. But I have 50+ systems that I maintain and I already have methods and scripts for maintaining Red Hat based machines.
Gentoo is fine if you have the time and inclination to fiddle and learn all about it.
-DU-...etc...
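The fix the thread converges on is a cert whose subject carries the site name, referenced from SSLCertificateFile and SSLCertificateKeyFile. As an added example (not from the thread, Mandrake or Apache), this script generates such a self-signed cert with openssl and reads back what the files actually say, the way a browser's "Issued to / Issued by" dialog does, before Apache is restarted. It assumes a current openssl (the -addext option needs 1.1.1 or later); the hostname and paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: generate a self-signed cert that names
# the site, then inspect the files before pointing SSLCertificateFile and
# SSLCertificateKeyFile at them. Hostname and paths are placeholders.
set -eu

# Key plus self-signed cert in one step. The CN and the subjectAltName both
# carry the site name, so browsers show it instead of "localhost".
gen_selfsigned() {
    host="$1"; key="$2"; crt="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$key" -out "$crt" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# Subject CN of a cert file: what "Issued to" shows.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Issuer CN: what "Issued by" shows. Equals the subject CN when self-signed.
cert_issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 |
        sed -n 's/^issuer=.*CN=\([^,]*\).*/\1/p'
}

# Expiry date, the field that was already past for the .rpmnew files above.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# mod_ssl refuses to start when the key does not belong to the cert, so check
# that before restarting: compare the public key embedded in each file.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    if [ "$crt_pub" = "$key_pub" ]; then echo match; else echo MISMATCH; fi
}

# What a visitor actually receives on port 443 (needs the server running).
served_cert_subject() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        openssl x509 -noout -subject -nameopt RFC2253
}

# Stand-alone demo in a scratch directory.
demo() {
    d=$(mktemp -d)
    gen_selfsigned www.example.edu "$d/server.key" "$d/server.crt"
    echo "Issued to: $(cert_cn "$d/server.crt")"
    echo "Issued by: $(cert_issuer_cn "$d/server.crt")"
    echo "Expires:   $(cert_not_after "$d/server.crt")"
    echo "Key/cert:  $(key_matches_cert "$d/server.crt" "$d/server.key")"
    rm -rf "$d"
}
demo
```

After pointing the two directives at the new files, `apachectl configtest` reports a bad path or a key/cert mismatch without taking the server down, which is the failure the "Reloading httpd2: [FAILED]" post ran into.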
     
Dedicated MacNNer
Join Date: Jul 2001
Location: NC
Aug 9, 2003, 06:20 PM
I see the subject of the httpd.conf file has come up. When I first read this, I didn't think about the failure to configure apache for https. It took me a bit of study to learn that and it was a while back. I don't recall my reason for doing everything I did so I don't know that I could answer questions about everything. However, if my configuration would help, I'd be happy to share it. Secure connections are made to port 443 on the server, so Apache must be configured to listen on port 443. I put all of the directives in a virtual host definition and naturally tested for the mod_ssl.c module. Anyway, with the hostname changed to www.yourhost.com, here's my config info:

<IfModule mod_ssl.c>
  Listen 443
  <VirtualHost _default_:443>
    SSLEngine on
    # Historic mod_ssl default list; it still admits SSLv2, export-grade and
    # NULL ciphers, so tighten it on a real server.
    SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /System/Library/OpenSSL/certs/server.crt
    SSLCertificateKeyFile /System/Library/OpenSSL/private/server.key
    ServerAdmin yourname@yourhost.com
    DocumentRoot "/Library/WebServer/Documents"
    ServerName www.yourhost.com
    ErrorLog "/private/var/log/httpd/error_log"
    TransferLog "/private/var/log/httpd/access_log"
    CustomLog "/private/var/log/httpd/access_log" common
  </VirtualHost>
</IfModule>

Naturally, you should adjust your configuration to fit the location of your cert, key and logs. I tested it locally but it's only a test configuration; it isn't a working server. Thus, I can't guarantee it will work as such. I hope it helps a little.
Gary
A computer scientist is someone who, when told to "Go to Hell", sees the
"go to", rather than the destination, as harmful.
     
   
All contents of these forums © 1995-2011 MacNN. All rights reserved.