Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Fresh Install - Apache ssl not working (SOLVED)
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
JC99
l33t
l33t


Joined: 06 Aug 2003
Posts: 782
Location: Toronto

PostPosted: Sat Jan 02, 2010 11:52 pm    Post subject: Fresh Install - Apache ssl not working (SOLVED) Reply with quote

Hello everyone,

I just did a fresh install of Gentoo and Apache2. When I navigate to my site (http://jasoncarson.ca) everything works, but when I go to my ssl enabled site (https://jasoncarson.ca) Firefox gives me the following error message.

Quote:
An error occurred during a connection to jasoncarson.ca.

Peer's certificate has an invalid signature.

(Error code: sec_error_bad_signature)


* The page you are trying to view can not be shown because the authenticity of the received data could not be verified.

* Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.


I can't access it in Firefox or IE. I haven't tried other browsers.

Anyone know how to fix this?


Last edited by JC99 on Sun Jan 03, 2010 9:55 pm; edited 3 times in total
Back to top
View user's profile Send private message
Mad Merlin
Veteran
Veteran


Joined: 09 May 2005
Posts: 1143

PostPosted: Sun Jan 03, 2010 2:37 am    Post subject: Reply with quote

It's probably because you get a self signed SSL certificate by default, which newer versions of Firefox and IE particularly dislike. Normally they give you the option to continue anyways, but for some reason I'm getting the same thing you're seeing in Firefox (with no option to continue anyways). Konqueror lets me continue anyways though.
_________________
Game! - Where the stick is mightier than the sword!
Back to top
View user's profile Send private message
JC99
l33t
l33t


Joined: 06 Aug 2003
Posts: 782
Location: Toronto

PostPosted: Sun Jan 03, 2010 2:46 am    Post subject: Reply with quote

I checked Apache's ssl_error_log and it says the following...

Quote:
[Sat Jan 02 17:46:32 2010] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?


...so I guess I have to create a new certificate so that CommonName is the same has server name? Anyone know if this is the correct thing to do?
Back to top
View user's profile Send private message
cach0rr0
Moderator
Moderator


Joined: 13 Nov 2008
Posts: 4121
Location: Houston, Republic of Texas

PostPosted: Sun Jan 03, 2010 2:54 am    Post subject: Reply with quote

that one's just a warning, not an error - but you would correct it by generating a new cert, yes; thing to do is

-make sure the cert matches the domain/host you intend to serve
-ideally, add a ServerName directive to /etc/apache2/modules.d/00_default_settings.conf that matches your hostname

truth is so long as you're using a self-signed certificate, users WILL get SSL errors in their browser unless they mark your certificate as trusted, no matter how correctly you set the Common Name and so forth.

I personally use certs from cacert.org, and have a main landing page that instructs users on how to install CACert's root certificate (which then allows my certs to be trusted)

Some browsers will ignore this (e.g. IE and Chrome). Firefox has no issue with this, thankfully.

Anyway, yes, regenerate the cert, add the ServerName directive, and you'll be *as close to* correct functionally as you can be with a self-signed cert
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
Back to top
View user's profile Send private message
JC99
l33t
l33t


Joined: 06 Aug 2003
Posts: 782
Location: Toronto

PostPosted: Sun Jan 03, 2010 4:14 am    Post subject: Reply with quote

Thanks for your help. I created my own certificate. Here is what I did.

Go to /etc/ssl/apache2/ then run the following commands...

Code:
openssl genrsa -out server.key 1024
openssl rsa -in server.key -out server.pem
openssl req -new -key server.key -out server.csr


After I ran that third command I was promted to enter some info. Make sure "Common Name" is your domain. Next run this final command

Code:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt


...and everything should work. It did for me.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum