Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
ssl configuration help please.
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
cwc
Veteran
Veteran


Joined: 20 Mar 2006
Posts: 1076
Location: Tri-Cities, WA USA

PostPosted: Mon Aug 15, 2016 3:08 pm    Post subject: ssl configuration help please. Reply with quote

I'm setting up a ssl server. At least I am trying.
Additionally this is the first time I've done this.
I am trying to use oepnssl and this is probably the problem but I thought I'd query the worlds greatest linux forum.
I've read multiple forum posts and tired to apply https in a simple way.

Here is the command I use to generate my certs.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout cserver.key -out cserver.crt

and this is how I access them at:
# pwd
/etc/ssl/apache2
ciclo apache2 # ls -l
total 28
-rw-r--r-- 1 root root 1375 Aug 15 06:54 cserver.crt
-rw-r--r-- 1 root root 1704 Aug 15 06:54 cserver.key
drwxr-xr-x 2 root root 4096 Aug 11 06:05 hide
-r--r--r-- 1 root root 1042 Aug 14 07:47 server.crt
-r--r--r-- 1 root root 749 Aug 14 07:47 server.csr
-r-------- 1 root root 891 Aug 14 07:47 server.key
-r-------- 1 root root 1934 Aug 14 07:47 server.pem

Code:

## Server Certificate:
   # Point SSLCertificateFile at a PEM encoded certificate. If the certificate
   # is encrypted, then you will be prompted for a pass phrase. Note that a
   # kill -HUP will prompt again. Keep in mind that if you have both an RSA
   # and a DSA certificate you can configure both in parallel (to also allow
   # the use of DSA ciphers, etc.) #cwc
   SSLCertificateFile /etc/ssl/apache2/cserver.crt

   ## Server Private Key:
   # If the key is not combined with the certificate, use this directive to
   # point at the key file. Keep in mind that if you've both a RSA and a DSA
   # private key you can configure both in parallel (to also allow the use of
   # DSA ciphers, etc.)#cwc
   SSLCertificateKeyFile /etc/ssl/apache2/cserver.key

I get the following error when I access the site using firefox.

The owner of https://icebowl.cc has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

I'd appreciate any advice.
_________________
Without diversity there can be no evolution:)
Back to top
View user's profile Send private message
chiefbag
Guru
Guru


Joined: 01 Oct 2010
Posts: 542
Location: The Kingdom

PostPosted: Tue Aug 16, 2016 8:15 am    Post subject: Reply with quote

That's normal, Firefox is complaining because your certificate is self signed.
ie. the root CA can not be verified by the browser.

Code:
Certificate chain
 0 s:/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
   i:/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID7zCCAtegAwIBAgIJAKqqbaqiDkYFMA0GCSqGSIb3DQEBCwUAMIGNMQswCQYD
VQQGEwJVUzELMAkGA1UECAwCV0ExEjAQBgNVBAcMCUtFTk5FV0lDSzETMBEGA1UE
CgwKaWNlYm93bC5jYzETMBEGA1UECwwKaWNlYm93bC5jYzETMBEGA1UEAwwKaWNl
Ym93bC5jYzEeMBwGCSqGSIb3DQEJARYPY29sZW1hbkBvd3QuY29tMB4XDTE2MDgx
NTE4MjEzNloXDTE3MDgxNTE4MjEzNlowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQI
DAJXQTESMBAGA1UEBwwJS0VOTkVXSUNLMRMwEQYDVQQKDAppY2Vib3dsLmNjMRMw
EQYDVQQLDAppY2Vib3dsLmNjMRMwEQYDVQQDDAppY2Vib3dsLmNjMR4wHAYJKoZI
hvcNAQkBFg9jb2xlbWFuQG93dC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDgy91Z9q+tGlP3Qx6Xl+EfdiB2aajmUechG+02E+CziwXMH8vdIR9W
kkaVWRzyikDHlRqW6oaNPDr8pgRifH6YtGQpfPkrOH4Oy3azkP4UJgs1p4aVeFJr
LJCJmB10LI3KNOTnnKm3hWt/JQwqVSasoDIm6+acGyEDmAE8O83Kc+Wj+hRL1xBh
gIRrWNyzXUrYGZ6gBPHg6aFmjyxmaooTMf7ieAakPT3qdXF9W9n937W81xD6g+zI
nb2L01u2fv1Mc2ngGxUmqwf4GwDQrFl6NpTuWaFZ+Lu0smpNEIwuT6HiwHnZJrnL
Wdw327HoOmRi+LNrbH7ZSZTME03esTorAgMBAAGjUDBOMB0GA1UdDgQWBBRL9W1+
oKbgs6h2LnYu/8T3t6M2QTAfBgNVHSMEGDAWgBRL9W1+oKbgs6h2LnYu/8T3t6M2
QTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAQ/vANLxe3NglAzhiN
fY33PfaiSKwBYdbU7Jp5e3/N8WppmyKn9OERnv2Znh8MudRA2doV899eQdHlCon/
67eZlmJcnwDWziANmHRlQ1B4uV6cu3Hn3KTg1ewMOzEgbkTryTFHhZ6TAVrRqjwJ
gFtLkMrbCtH8CFUoeb8fmF+LddbD3pVfbAWVSd6vjWMzw6jdfO3+Unxx2LePrZcY
l27KXCr9pYvW7SDZDm6XaL+JbsoZP17h/uO/2W4NQ5FAbqjujb6XHYgixsVbQyq7
9ukA84pRXwJq0MRJ/6vPpNGpksAtN4zNIruNDnjZgWX8rGHeg1DahAkuHJ3ecvIj
AZC/
-----END CERTIFICATE-----
subject=/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
issuer=/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1702 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: BE18E042A1020984AA26A9B05FCB24B29816B515CAFEDEE04696E0CADE7DD599
    Session-ID-ctx:
    Master-Key: 3F73F7478756A0BDCAEAC163578635D22BA51B17F9CE43FDF95B79C70460BE5F8B89C03F792B0D9738703A2F2C901330
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 84 d7 af be 9e f6 e4 57-43 b5 b3 ba 71 c0 7e 3f   .......WC...q.~?
    0010 - 11 1d 61 49 a5 aa 9b 91-bb 2e 9e eb 21 00 58 0e   ..aI........!.X.
    0020 - 4f 3c 85 28 43 d1 83 10-a4 1f 4c 0f 9a 00 7a 8a   O<.(C.....L...z.
    0030 - ca 64 56 1c 99 7c ba b0-7b 65 5f e2 97 5a 65 7a   .dV..|..{e_..Zez
    0040 - 5a 62 88 17 b2 a4 e8 67-e1 c2 e2 78 78 12 1b 66   Zb.....g...xx..f
    0050 - cc 4c 20 ac 11 8d 58 0f-cd 60 f0 ef 57 48 25 a0   .L ...X..`..WH%.
    0060 - 50 68 1c c8 f8 1e 8b 54-82 f1 94 d9 1c 4e e8 99   Ph.....T.....N..
    0070 - f9 69 48 22 af 16 ee 4e-d9 24 13 65 b0 52 f5 ee   .iH"...N.$.e.R..
    0080 - c4 f1 9e ce 65 20 fa 37-e3 70 03 dc c6 a5 f5 34   ....e .7.p.....4
    0090 - b0 44 fd 17 ec 23 f4 d7-1a 32 03 ea 70 8b 37 5b   .D...#...2..p.7[
    00a0 - 5e 20 c2 24 7b 4f 2f 33-cc b0 1d 02 15 62 97 a4   ^ .${O/3.....b..
    00b0 - ac 7a 09 1f c5 5b 98 03-5b 6b 04 24 a6 e7 6c cb   .z...[..[k.$..l.

    Start Time: 1471335125
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
Back to top
View user's profile Send private message
chiefbag
Guru
Guru


Joined: 01 Oct 2010
Posts: 542
Location: The Kingdom

PostPosted: Tue Aug 16, 2016 8:21 am    Post subject: Reply with quote

To work around the error you can import your CA to your browser that you signed it with.
Otherwise get it signed by Comodo etc. and add their CA to your server config.
Back to top
View user's profile Send private message
cwc
Veteran
Veteran


Joined: 20 Mar 2006
Posts: 1076
Location: Tri-Cities, WA USA

PostPosted: Tue Aug 16, 2016 3:24 pm    Post subject: Reply with quote

chiefbag wrote:
To work around the error you can import your CA to your browser that you signed it with.
Otherwise get it signed by Comodo etc. and add their CA to your server config.


Thank You!
$ $ $

https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/37

I was hoping to do this for free using OpenSSL.

Thanks for the response.

cwc
_________________
Without diversity there can be no evolution:)
Back to top
View user's profile Send private message
cwc
Veteran
Veteran


Joined: 20 Mar 2006
Posts: 1076
Location: Tri-Cities, WA USA

PostPosted: Tue Aug 16, 2016 3:33 pm    Post subject: Reply with quote

how did you get the following:


chiefbag wrote:
That's normal, Firefox is complaining because your certificate is self signed.
ie. the root CA can not be verified by the browser.

Code:
Certificate chain
 0 s:/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
   i:/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID7zCCAtegAwIBAgIJAKqqbaqiDkYFMA0GCSqGSIb3DQEBCwUAMIGNMQswCQYD
VQQGEwJVUzELMAkGA1UECAwCV0ExEjAQBgNVBAcMCUtFTk5FV0lDSzETMBEGA1UE
CgwKaWNlYm93bC5jYzETMBEGA1UECwwKaWNlYm93bC5jYzETMBEGA1UEAwwKaWNl
Ym93bC5jYzEeMBwGCSqGSIb3DQEJARYPY29sZW1hbkBvd3QuY29tMB4XDTE2MDgx
NTE4MjEzNloXDTE3MDgxNTE4MjEzNlowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQI
DAJXQTESMBAGA1UEBwwJS0VOTkVXSUNLMRMwEQYDVQQKDAppY2Vib3dsLmNjMRMw
EQYDVQQLDAppY2Vib3dsLmNjMRMwEQYDVQQDDAppY2Vib3dsLmNjMR4wHAYJKoZI
hvcNAQkBFg9jb2xlbWFuQG93dC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDgy91Z9q+tGlP3Qx6Xl+EfdiB2aajmUechG+02E+CziwXMH8vdIR9W
kkaVWRzyikDHlRqW6oaNPDr8pgRifH6YtGQpfPkrOH4Oy3azkP4UJgs1p4aVeFJr
LJCJmB10LI3KNOTnnKm3hWt/JQwqVSasoDIm6+acGyEDmAE8O83Kc+Wj+hRL1xBh
gIRrWNyzXUrYGZ6gBPHg6aFmjyxmaooTMf7ieAakPT3qdXF9W9n937W81xD6g+zI
nb2L01u2fv1Mc2ngGxUmqwf4GwDQrFl6NpTuWaFZ+Lu0smpNEIwuT6HiwHnZJrnL
Wdw327HoOmRi+LNrbH7ZSZTME03esTorAgMBAAGjUDBOMB0GA1UdDgQWBBRL9W1+
oKbgs6h2LnYu/8T3t6M2QTAfBgNVHSMEGDAWgBRL9W1+oKbgs6h2LnYu/8T3t6M2
QTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAQ/vANLxe3NglAzhiN
fY33PfaiSKwBYdbU7Jp5e3/N8WppmyKn9OERnv2Znh8MudRA2doV899eQdHlCon/
67eZlmJcnwDWziANmHRlQ1B4uV6cu3Hn3KTg1ewMOzEgbkTryTFHhZ6TAVrRqjwJ
gFtLkMrbCtH8CFUoeb8fmF+LddbD3pVfbAWVSd6vjWMzw6jdfO3+Unxx2LePrZcY
l27KXCr9pYvW7SDZDm6XaL+JbsoZP17h/uO/2W4NQ5FAbqjujb6XHYgixsVbQyq7
9ukA84pRXwJq0MRJ/6vPpNGpksAtN4zNIruNDnjZgWX8rGHeg1DahAkuHJ3ecvIj
AZC/
-----END CERTIFICATE-----
subject=/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
issuer=/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1702 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: BE18E042A1020984AA26A9B05FCB24B29816B515CAFEDEE04696E0CADE7DD599
    Session-ID-ctx:
    Master-Key: 3F73F7478756A0BDCAEAC163578635D22BA51B17F9CE43FDF95B79C70460BE5F8B89C03F792B0D9738703A2F2C901330
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 84 d7 af be 9e f6 e4 57-43 b5 b3 ba 71 c0 7e 3f   .......WC...q.~?
    0010 - 11 1d 61 49 a5 aa 9b 91-bb 2e 9e eb 21 00 58 0e   ..aI........!.X.
    0020 - 4f 3c 85 28 43 d1 83 10-a4 1f 4c 0f 9a 00 7a 8a   O<.(C.....L...z.
    0030 - ca 64 56 1c 99 7c ba b0-7b 65 5f e2 97 5a 65 7a   .dV..|..{e_..Zez
    0040 - 5a 62 88 17 b2 a4 e8 67-e1 c2 e2 78 78 12 1b 66   Zb.....g...xx..f
    0050 - cc 4c 20 ac 11 8d 58 0f-cd 60 f0 ef 57 48 25 a0   .L ...X..`..WH%.
    0060 - 50 68 1c c8 f8 1e 8b 54-82 f1 94 d9 1c 4e e8 99   Ph.....T.....N..
    0070 - f9 69 48 22 af 16 ee 4e-d9 24 13 65 b0 52 f5 ee   .iH"...N.$.e.R..
    0080 - c4 f1 9e ce 65 20 fa 37-e3 70 03 dc c6 a5 f5 34   ....e .7.p.....4
    0090 - b0 44 fd 17 ec 23 f4 d7-1a 32 03 ea 70 8b 37 5b   .D...#...2..p.7[
    00a0 - 5e 20 c2 24 7b 4f 2f 33-cc b0 1d 02 15 62 97 a4   ^ .${O/3.....b..
    00b0 - ac 7a 09 1f c5 5b 98 03-5b 6b 04 24 a6 e7 6c cb   .z...[..[k.$..l.

    Start Time: 1471335125
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

_________________
Without diversity there can be no evolution:)
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13485

PostPosted: Wed Aug 17, 2016 1:43 am    Post subject: Reply with quote

If you want free, and you can run code on the server, you could use EFF's Let's Encrypt project. They issue free short lived certificates (seems to be ~3 months), and provide a client that can be installed on the server to obtain and install replacement certificates as needed.
Back to top
View user's profile Send private message
cwc
Veteran
Veteran


Joined: 20 Mar 2006
Posts: 1076
Location: Tri-Cities, WA USA

PostPosted: Tue Aug 30, 2016 11:41 am    Post subject: Reply with quote

Hu wrote:
If you want free, and you can run code on the server, you could use EFF's Let's Encrypt project. They issue free short lived certificates (seems to be ~3 months), and provide a client that can be installed on the server to obtain and install replacement certificates as needed.


thank you!

is this the link: https://letsencrypt.org/
_________________
Without diversity there can be no evolution:)
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13485

PostPosted: Wed Aug 31, 2016 1:14 am    Post subject: Reply with quote

Yes. It seems to be in Portage, too, as app-crypt/certbot. I have not tried it.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum