Evileye l33t
Joined: 06 Aug 2003 Posts: 782 Location: Toronto
Posted: Sat Jan 02, 2010 11:52 pm Post subject: Fresh Install - Apache ssl not working (SOLVED)
Hello everyone,
I just did a fresh install of Gentoo and Apache2. When I navigate to my site (http://jasoncarson.ca) everything works, but when I go to my ssl enabled site (https://jasoncarson.ca) Firefox gives me the following error message.
Quote: | An error occurred during a connection to jasoncarson.ca.
Peer's certificate has an invalid signature.
(Error code: sec_error_bad_signature)
* The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
* Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site. |
I can't access it in Firefox or IE. I haven't tried other browsers.
Anyone know how to fix this?
Last edited by Evileye on Sun Jan 03, 2010 9:55 pm; edited 3 times in total |
Mad Merlin Veteran
Joined: 09 May 2005 Posts: 1155
Posted: Sun Jan 03, 2010 2:37 am
It's probably because you get a self signed SSL certificate by default, which newer versions of Firefox and IE particularly dislike. Normally they give you the option to continue anyways, but for some reason I'm getting the same thing you're seeing in Firefox (with no option to continue anyways). Konqueror lets me continue anyways though.
Evileye l33t
Joined: 06 Aug 2003 Posts: 782 Location: Toronto
Posted: Sun Jan 03, 2010 2:46 am
I checked Apache's ssl_error_log and it says the following...
Quote: | [Sat Jan 02 17:46:32 2010] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!? |
...so I guess I have to create a new certificate so that CommonName is the same as server name? Anyone know if this is the correct thing to do?
cach0rr0 Bodhisattva
Joined: 13 Nov 2008 Posts: 4123 Location: Houston, Republic of Texas
Posted: Sun Jan 03, 2010 2:54 am
that one's just a warning, not an error - but you would correct it by generating a new cert, yes; thing to do is
- make sure the cert matches the domain/host you intend to serve
- ideally, add a ServerName directive to /etc/apache2/modules.d/00_default_settings.conf that matches your hostname
truth is so long as you're using a self-signed certificate, users WILL get SSL errors in their browser unless they mark your certificate as trusted, no matter how correctly you set the Common Name and so forth.
I personally use certs from cacert.org, and have a main landing page that instructs users on how to install CACert's root certificate (which then allows my certs to be trusted)
Some browsers will ignore this (e.g. IE and Chrome). Firefox has no issue with this, thankfully.
Anyway, yes, regenerate the cert, add the ServerName directive, and you'll be *as close to* correct functionally as you can be with a self-signed cert
Evileye l33t
Joined: 06 Aug 2003 Posts: 782 Location: Toronto
Posted: Sun Jan 03, 2010 4:14 am
Thanks for your help. I created my own certificate. Here is what I did.
Go to /etc/ssl/apache2/ then run the following commands...
Code:
# generate a 1024-bit RSA private key
openssl genrsa -out server.key 1024
# write a copy of the private key to server.pem
openssl rsa -in server.key -out server.pem
# create a certificate signing request (prompts for the subject fields)
openssl req -new -key server.key -out server.csr

After I ran that third command I was prompted to enter some info. Make sure "Common Name" is your domain. Next run this final command
Code:
# self-sign the request with the same key, valid for 365 days
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

...and everything should work. It did for me.
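Added example, not part of the thread: a shell script that creates a self-signed certificate for one hostname and then checks the three things discussed above before Apache is pointed at it (hostname match, key/certificate pairing, signature validity). It assumes OpenSSL 1.1.1 or newer; `example.test`, the function names, and the 2048-bit RSA and SHA-256 choices are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). example.test is a constructed hostname.
# Assumes OpenSSL 1.1.1 or newer (needed for -addext).

# make_cert DIR HOST: write DIR/server.key and a self-signed DIR/server.crt
# whose CN and subjectAltName are both HOST (2048-bit RSA, SHA-256, 365 days).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# cert_matches_host CRT HOST: succeeds only if the certificate is valid for HOST.
# The printed verdict is parsed instead of relying on the exit status.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# key_matches_cert KEY CRT: succeeds if the private key belongs to the certificate.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# signature_ok CRT: succeeds if the self-signature verifies with the cert's own key.
signature_ok() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# check_cert DIR HOST: run all three checks, print one line each, fail on any miss.
check_cert() {
    rc=0
    cert_matches_host "$1/server.crt" "$2" && echo "name: ok" || { echo "name: MISMATCH for $2"; rc=1; }
    key_matches_cert "$1/server.key" "$1/server.crt" && echo "key: ok" || { echo "key: MISMATCH"; rc=1; }
    signature_ok "$1/server.crt" && echo "signature: ok" || { echo "signature: BAD"; rc=1; }
    return $rc
}

# Demo in a throwaway directory.
demo_dir=$(mktemp -d)
make_cert "$demo_dir" example.test
check_cert "$demo_dir" example.test
# Same certificate checked against the wrong name, as in the ssl_error_log warning.
check_cert "$demo_dir" localhost || true
rm -rf "$demo_dir"
```

Passing all three checks only shows the certificate is internally consistent; browsers will still warn about a self-signed certificate until it is marked as trusted.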