cwc Veteran
Joined: 20 Mar 2006 Posts: 1281 Location: Tri-Cities, WA USA
Posted: Mon Aug 15, 2016 3:08 pm Post subject: ssl configuration help please.
I'm setting up an SSL server. At least I am trying.
Additionally, this is the first time I've done this.
I am trying to use openssl, and this is probably the problem, but I thought I'd query the world's greatest Linux forum.
I've read multiple forum posts and tried to apply https in a simple way.
Here is the command I use to generate my certs.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout cserver.key -out cserver.crt
and this is where I access them:
# pwd
/etc/ssl/apache2
ciclo apache2 # ls -l
total 28
-rw-r--r-- 1 root root 1375 Aug 15 06:54 cserver.crt
-rw-r--r-- 1 root root 1704 Aug 15 06:54 cserver.key
drwxr-xr-x 2 root root 4096 Aug 11 06:05 hide
-r--r--r-- 1 root root 1042 Aug 14 07:47 server.crt
-r--r--r-- 1 root root 749 Aug 14 07:47 server.csr
-r-------- 1 root root 891 Aug 14 07:47 server.key
-r-------- 1 root root 1934 Aug 14 07:47 server.pem
Code:
## Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If the certificate
# is encrypted, then you will be prompted for a pass phrase. Note that a
# kill -HUP will prompt again. Keep in mind that if you have both an RSA
# and a DSA certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.) #cwc
SSLCertificateFile /etc/ssl/apache2/cserver.crt
## Server Private Key:
# If the key is not combined with the certificate, use this directive to
# point at the key file. Keep in mind that if you've both a RSA and a DSA
# private key you can configure both in parallel (to also allow the use of
# DSA ciphers, etc.)#cwc
SSLCertificateKeyFile /etc/ssl/apache2/cserver.key
I get the following error when I access the site using firefox.
The owner of https://icebowl.cc has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
I'd appreciate any advice.
_________________ Without diversity there can be no evolution:)
chiefbag Guru
Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Tue Aug 16, 2016 8:15 am
That's normal, Firefox is complaining because your certificate is self-signed,
i.e. the root CA cannot be verified by the browser.
Code:
Certificate chain
0 s:/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
i:/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
issuer=/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1702 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: BE18E042A1020984AA26A9B05FCB24B29816B515CAFEDEE04696E0CADE7DD599
Session-ID-ctx:
Master-Key: 3F73F7478756A0BDCAEAC163578635D22BA51B17F9CE43FDF95B79C70460BE5F8B89C03F792B0D9738703A2F2C901330
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 84 d7 af be 9e f6 e4 57-43 b5 b3 ba 71 c0 7e 3f .......WC...q.~?
0010 - 11 1d 61 49 a5 aa 9b 91-bb 2e 9e eb 21 00 58 0e ..aI........!.X.
0020 - 4f 3c 85 28 43 d1 83 10-a4 1f 4c 0f 9a 00 7a 8a O<.(C.....L...z.
0030 - ca 64 56 1c 99 7c ba b0-7b 65 5f e2 97 5a 65 7a .dV..|..{e_..Zez
0040 - 5a 62 88 17 b2 a4 e8 67-e1 c2 e2 78 78 12 1b 66 Zb.....g...xx..f
0050 - cc 4c 20 ac 11 8d 58 0f-cd 60 f0 ef 57 48 25 a0 .L ...X..`..WH%.
0060 - 50 68 1c c8 f8 1e 8b 54-82 f1 94 d9 1c 4e e8 99 Ph.....T.....N..
0070 - f9 69 48 22 af 16 ee 4e-d9 24 13 65 b0 52 f5 ee .iH"...N.$.e.R..
0080 - c4 f1 9e ce 65 20 fa 37-e3 70 03 dc c6 a5 f5 34 ....e .7.p.....4
0090 - b0 44 fd 17 ec 23 f4 d7-1a 32 03 ea 70 8b 37 5b .D...#...2..p.7[
00a0 - 5e 20 c2 24 7b 4f 2f 33-cc b0 1d 02 15 62 97 a4 ^ .${O/3.....b..
00b0 - ac 7a 09 1f c5 5b 98 03-5b 6b 04 24 a6 e7 6c cb .z...[..[k.$..l.
Start Time: 1471335125
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
chiefbag Guru
Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Tue Aug 16, 2016 8:21 am
To work around the error you can import the CA you signed it with into your browser.
Otherwise get it signed by Comodo etc. and add their CA to your server config.
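The failure from the opening post and the workaround chiefbag describes, reproduced with the openssl command-line tool instead of a browser. This is an added example, not code from either poster: it assumes openssl is installed, adds -subj to cwc's openssl req command so it runs unattended (the subject values are copied from the s_client output in the thread), and uses openssl verify to stand in for the browser's trust decision.

```shell
#!/bin/sh
# Added example, not code from the thread. It reproduces cwc's failure and
# chiefbag's workaround with the openssl command-line tool instead of a browser.
# Assumptions: openssl is on PATH; -subj is added to the thread's openssl req
# command so it runs unattended; $1 is a scratch directory the caller owns.
set -u

# Generate the key and self-signed certificate as in the opening post
# (the subject values are taken from the thread's s_client output).
gen_selfsigned() {
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -subj "/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/CN=icebowl.cc" \
        -keyout "$1/cserver.key" -out "$1/cserver.crt" >/dev/null 2>&1
}

# Self-signed means issuer == subject; these are the s:/i: lines under
# "Certificate chain" in chiefbag's s_client output.
is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# Verify against the default trust store only, which is what Firefox does.
# For a self-signed certificate openssl exits non-zero and reports
# "self signed certificate" (verify return code 18, as in the s_client output).
verify_system() {
    openssl verify "$1" >/dev/null 2>&1
}

# Verify with an explicit CA file: trusting cserver.crt here is the
# command-line equivalent of importing it into the browser's certificate store.
verify_with_cafile() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    gen_selfsigned "$dir"
    if is_self_signed "$dir/cserver.crt"; then
        echo "cserver.crt: issuer equals subject, so it is self-signed"
    fi
    verify_system "$dir/cserver.crt" \
        || echo "default trust store: verification FAILS (what Firefox sees)"
    verify_with_cafile "$dir/cserver.crt" "$dir/cserver.crt" \
        && echo "with cserver.crt trusted as CA: verification OK"
    rm -rf "$dir"
}
demo
```

Run it with sh. verify_system fails for the same reason Firefox refuses the connection: nothing in the trust store vouches for the certificate, which chiefbag's output records as Verify return code 18. That pasted block is what openssl s_client -connect icebowl.cc:443 prints, and its s:/i: lines are the subject/issuer comparison is_self_signed makes. verify_with_cafile is the -CAfile equivalent of importing the certificate into the browser; it only makes that one client trust it, which is why a CA-issued certificate is the fix for a public site.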
cwc Veteran
Joined: 20 Mar 2006 Posts: 1281 Location: Tri-Cities, WA USA
Posted: Tue Aug 16, 2016 3:24 pm
chiefbag wrote:
To work around the error you can import the CA you signed it with into your browser.
Otherwise get it signed by Comodo etc. and add their CA to your server config.

Thank you!
$ $ $
https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/37
I was hoping to do this for free using OpenSSL.
Thanks for the response.
cwc
_________________ Without diversity there can be no evolution:)
cwc Veteran
Joined: 20 Mar 2006 Posts: 1281 Location: Tri-Cities, WA USA
Posted: Tue Aug 16, 2016 3:33 pm
How did you get the following:
chiefbag wrote:
That's normal, Firefox is complaining because your certificate is self-signed,
i.e. the root CA cannot be verified by the browser.
Code:
Certificate chain
0 s:/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
i:/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
issuer=/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1702 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: BE18E042A1020984AA26A9B05FCB24B29816B515CAFEDEE04696E0CADE7DD599
Session-ID-ctx:
Master-Key: 3F73F7478756A0BDCAEAC163578635D22BA51B17F9CE43FDF95B79C70460BE5F8B89C03F792B0D9738703A2F2C901330
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 84 d7 af be 9e f6 e4 57-43 b5 b3 ba 71 c0 7e 3f .......WC...q.~?
0010 - 11 1d 61 49 a5 aa 9b 91-bb 2e 9e eb 21 00 58 0e ..aI........!.X.
0020 - 4f 3c 85 28 43 d1 83 10-a4 1f 4c 0f 9a 00 7a 8a O<.(C.....L...z.
0030 - ca 64 56 1c 99 7c ba b0-7b 65 5f e2 97 5a 65 7a .dV..|..{e_..Zez
0040 - 5a 62 88 17 b2 a4 e8 67-e1 c2 e2 78 78 12 1b 66 Zb.....g...xx..f
0050 - cc 4c 20 ac 11 8d 58 0f-cd 60 f0 ef 57 48 25 a0 .L ...X..`..WH%.
0060 - 50 68 1c c8 f8 1e 8b 54-82 f1 94 d9 1c 4e e8 99 Ph.....T.....N..
0070 - f9 69 48 22 af 16 ee 4e-d9 24 13 65 b0 52 f5 ee .iH"...N.$.e.R..
0080 - c4 f1 9e ce 65 20 fa 37-e3 70 03 dc c6 a5 f5 34 ....e .7.p.....4
0090 - b0 44 fd 17 ec 23 f4 d7-1a 32 03 ea 70 8b 37 5b .D...#...2..p.7[
00a0 - 5e 20 c2 24 7b 4f 2f 33-cc b0 1d 02 15 62 97 a4 ^ .${O/3.....b..
00b0 - ac 7a 09 1f c5 5b 98 03-5b 6b 04 24 a6 e7 6c cb .z...[..[k.$..l.
Start Time: 1471335125
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---

_________________ Without diversity there can be no evolution:)
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
Posted: Wed Aug 17, 2016 1:43 am
If you want free, and you can run code on the server, you could use EFF's Let's Encrypt project. They issue free short-lived certificates (seems to be ~3 months), and provide a client that can be installed on the server to obtain and install replacement certificates as needed.
cwc Veteran
Joined: 20 Mar 2006 Posts: 1281 Location: Tri-Cities, WA USA
Posted: Tue Aug 30, 2016 11:41 am
Hu wrote:
If you want free, and you can run code on the server, you could use EFF's Let's Encrypt project. They issue free short-lived certificates (seems to be ~3 months), and provide a client that can be installed on the server to obtain and install replacement certificates as needed.

Thank you!
Is this the link: https://letsencrypt.org/
_________________ Without diversity there can be no evolution:)
Hu Moderator
Joined: 06 Mar 2007 Posts: 21633
Posted: Wed Aug 31, 2016 1:14 am
Yes. It seems to be in Portage, too, as app-crypt/certbot. I have not tried it.
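A renewal check for the short-lived certificates Hu describes (Let's Encrypt issues them for 90 days), as an added example that is not from the thread and is not certbot's code: it reads a certificate file with openssl and reports whether it falls inside a renewal window. It assumes openssl is installed and uses a 30-day window, which is an assumed threshold; the certificates it checks are constructed throwaways, not the thread's.

```shell
#!/bin/sh
# Added example, not code from the thread and not part of certbot. It checks a
# certificate file on disk and reports whether it falls within a renewal window,
# the operational problem that short-lived (90-day) certificates create.
# Assumptions: openssl is on PATH; the 30-day window is an assumed threshold;
# the test certificates are constructed here, not the ones from the thread.
set -u

# notAfter of a PEM certificate, as printed by openssl.
cert_expiry() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Exit 0 when the certificate in $1 will have expired within $2 days, 1 when
# it will still be valid, 2 when the file cannot be read. openssl's -checkend
# exits 1 when the certificate expires within that many seconds (or when the
# file is not a valid certificate), so the status is negated: an unreadable
# certificate is reported as needing attention rather than as healthy.
needs_renewal() {
    [ -r "$1" ] || { echo "needs_renewal: cannot read $1" >&2; return 2; }
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Human-readable verdict: RENEW, ok or ERROR.
check_report() {
    rc=0
    needs_renewal "$1" "$2" || rc=$?
    case $rc in
        0) echo RENEW ;;
        1) echo ok ;;
        *) echo ERROR ;;
    esac
}

# Constructed throwaway certificate, valid for $2 days, written to $1.
make_test_cert() {
    openssl req -x509 -sha256 -nodes -days "$2" -newkey rsa:2048 \
        -subj "/CN=renewal-check.example" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    make_test_cert "$dir/short.crt" 1      # expires tomorrow
    make_test_cert "$dir/long.crt" 365     # expires in a year
    for name in short long; do
        crt="$dir/$name.crt"
        printf '%s: notAfter=%s -> %s\n' "$name" "$(cert_expiry "$crt")" \
            "$(check_report "$crt" 30)"
    done
    rm -rf "$dir"
}
demo
```

certbot keeps its own renewal timer; a check like this is the independent monitor that catches the case where that timer stopped running, which with 90-day certificates shows up as an outage rather than a warning. Point check_report at /etc/ssl/apache2/cserver.crt (the path from the opening post) or at the file certbot installs, and run it from cron or a monitoring agent.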