rizzo Retired Dev


Joined: 30 Apr 2002 Posts: 1067 Location: Manitowoc, WI, USA
|
Posted: Tue Mar 25, 2003 1:58 am Post subject: setting up apache https server, invalid certificate? |
|
|
I'm trying to set up mod_ssl onto my apache 1.3.27 box. I already had apache and mod_php running fine. I followed instructions that I found on this forum and another page including using the sign.sh script to self-sign the cert.
However when I try to bring up the host in my webpage on my desktop box I get a pop-up error that says thusly:
Quote: | Could not establish an encrypted connection because certificate presented by <my.domain.tld> is invalid or corrupted. Error Code: -8182 |
My apache ssl-error_log has this:
Code: | [Mon Mar 24 19:55:57 2003] [error] mod_ssl: SSL handshake failed (server my.domain.tld:443, client 172.16.30.127) (OpenSSL library error follows)
[Mon Mar 24 19:55:57 2003] [error] OpenSSL: error:14094412:lib(20):func(148):reason(1042)
|
The webserver is actually a box behind the firewall on my lan. my.domain.tld (name changed to protect the bandwidth) routes to my firewall from the outside, which forwards 80 and 443 to the webserver. On the inside however (which is where I'm testing), I have my.domain.tld entered in my /etc/hosts file to go to the internal address of the webserver directly. Might this be causing a problem? |
 |
kashani Advocate


Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
|
Posted: Tue Mar 25, 2003 3:32 am Post subject: ssl certs |
|
|
It might be the name, but that will usually just throw up an error and let you click through. I had the same problems, especially with Mozilla, until I built my own cert. The default Gentoo stuff seemed to have some issues.
kashani _________________ Will personally fix your server in exchange for motorcycle related shop tools in good shape. |
 |
rizzo Retired Dev


Joined: 30 Apr 2002 Posts: 1067 Location: Manitowoc, WI, USA
|
Posted: Tue Mar 25, 2003 1:21 pm Post subject: |
|
|
Yes I did build my own cert, so the original gentoo cert isn't an issue.
The "ServerName" in apache.conf matches the name that I gave for the CommonName when creating both the CA cert and the server cert. |
 |
rizzo Retired Dev


Joined: 30 Apr 2002 Posts: 1067 Location: Manitowoc, WI, USA
|
Posted: Wed Mar 26, 2003 4:27 pm Post subject: |
|
|
A friend has directed me to the script at /usr/lib/ssl/mod_ssl/gentestcrt.sh. I ran that and while I don't get any errors, I don't get anything at all. It spins for a while and finally I get a "The document contains no data." error message.
*shrug* |
 |
SNo0py Apprentice


Joined: 12 Jul 2002 Posts: 270 Location: Vienna, Austria
|
Posted: Mon Jun 02, 2003 2:48 pm Post subject: |
|
|
The default-cert worked fine, but the new generated one does produce your error (code -8182) -> how to resolve??? _________________ Sex is like hacking. You get in, you get out, and you hope you didnt leave something behind that can be traced back to you. |
 |
stream Guru


Joined: 04 Jan 2003 Posts: 401
|
Posted: Sun Dec 21, 2003 9:03 pm Post subject: |
|
|
hi,
I have the same problem (code -8182). I generated the cert with /usr/lib/ssl/mod_ssl/gentestcrt.sh
Does somebody have a solution to this problem? |
 |
rizzo Retired Dev


Joined: 30 Apr 2002 Posts: 1067 Location: Manitowoc, WI, USA
|
Posted: Mon Dec 22, 2003 5:27 pm Post subject: |
|
|
My problem is knowing what to enter for what values. Read the prompts at the script CAREFULLY and you should be fine. |
 |
jingo Tux's lil' helper


Joined: 04 Dec 2002 Posts: 134 Location: Denmark
|
Posted: Thu May 06, 2004 9:53 pm Post subject: |
|
|
bump
Having this weird problem too!
Solution anyone?? _________________ I'm not a perfectionist, even though my parents were |
 |
sokai n00b


Joined: 26 May 2004 Posts: 23 Location: Germany - Potsdam
|
Posted: Sat Jun 12, 2004 12:15 pm Post subject: solution |
|
|
The solution - not really, but the error is gone - is the following:
1. delete your certificate
Code: | rm /etc/apache2/conf/ssl/server.* |
2. create a new certificate with NO properties of your own (whenever you are asked, hit ENTER)
Code: | cd /usr/lib/ssl/apache2-mod_ssl/
# ! FOR ALL PROPERTIES HIT ENTER !
./gentestcrt.sh
mv server.* /etc/apache2/conf/ssl/
|
3. restart apache
Code: | /etc/init.d/apache2 restart |
4. direct your browser to https://localhost and accept the certificate for localhost
THAT'S IT...
My question now is:
How can I create a self-signed certificate for a domain other than localhost!?
sofar
sokai |
 |
dedxi n00b

Joined: 08 Jun 2004 Posts: 12
|
Posted: Sat Jun 12, 2004 6:56 pm Post subject: Other than localhost |
|
|
It might work if you enter your actual domain name for the CN entry for the certificate. If that gives you an error (it did on my server), you might try editing the script and replacing the default entries for localhost to whatever.com and then making the certificate with all defaults. That seemed to work for me. |
 |
sokai n00b


Joined: 26 May 2004 Posts: 23 Location: Germany - Potsdam
|
Posted: Sun Jun 13, 2004 11:37 am Post subject: Re: Other than localhost |
|
|
dedxi wrote: | It might work if you enter your actual domain name for the CN entry for the certificate. |
No, that's the problem...
dedxi wrote: | If that gives you an error (it did on my server), |
Me too...
dedxi wrote: | you might try editing the script and replacing the default entries for localhost to whatever.com and then making the certificate with all defaults. That seemed to work for me. |
Thanks for this hint - it works!
But I don't understand that thing...
If I change something other than localhost too (maybe the "countryName") I will get the error. Konqueror says that he will not accept that certificate because it's self-signed. But if I only change localhost, the certificate is self-signed but it will be accepted...
sofar
sokai |
 |
sogood007 n00b

Joined: 19 Sep 2004 Posts: 4
|
Posted: Sun Sep 19, 2004 5:11 am Post subject: |
|
|
I have a similar issue too. I am not sure whether it is because I always mis-type something and I need to use backspace. I ended up modifying the script to put all my information in the defaults and just kept pressing enter. Then the certificate works.
I think modifying the script also makes sense because every year I need to generate a new cert so I don't need to retype the information again.
Hope this trick works for others. |
 |
Ox- Guru


Joined: 19 Jun 2003 Posts: 305
|
Posted: Thu Oct 14, 2004 4:04 pm Post subject: |
|
|
Just did forum search on "corrupted certificate", read this thread, edited the script, and now everything works for me too.
Thanks everyone!  |
 |
CoolAce n00b


Joined: 25 Nov 2003 Posts: 18 Location: Braunschweig, Germany
|
Posted: Tue Nov 09, 2004 9:09 pm Post subject: |
|
|
Hm, I don't think that editing the script really does the trick. I bet all of you solved a different issue while editing the script.
There is a bug in Firefox that prevents it from dealing with certificates that are signed by authorities that have the same common name as the certificate itself.
So either by editing the script or by entering the values directly: you have to make sure that you enter different values when you are prompted for the CN (common name).
At least _that_ solved the issue for me. |
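
Added example, not part of any post in this thread: a small shell check for the condition described in the post above, where the CA certificate and the server certificate were given the same name. It compares the full subject DN rather than only the CN (an assumption about what counts as a collision); the function names and the `ca.crt`/`server.crt` arguments are hypothetical.

```shell
#!/bin/sh
# Added example: flag a CA/server subject-name collision before deploying a cert.
# Usage (file names are assumptions): sh check_names.sh ca.crt server.crt

# Strip the "subject=" / "issuer=" label and surrounding blanks that
# `openssl x509 -noout -subject -issuer` prints in front of the DN.
strip_label() {
    printf '%s\n' "$1" | sed -e 's/^[a-z]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# classify_names SERVER_SUBJECT SERVER_ISSUER CA_SUBJECT SAME_CERT
#   SAME_CERT is "yes" when both files hold the very same certificate.
# Prints one of: wrong-issuer | ok | self-signed | collision
classify_names() {
    s_sub=$(strip_label "$1")
    s_iss=$(strip_label "$2")
    ca_sub=$(strip_label "$3")
    if [ "$s_iss" != "$ca_sub" ]; then
        echo wrong-issuer   # server cert does not name this CA as its issuer
    elif [ "$s_sub" != "$s_iss" ]; then
        echo ok             # distinct names: ordinary CA-signed certificate
    elif [ "$4" = yes ]; then
        echo self-signed    # a single certificate that is its own issuer
    else
        echo collision      # two different certificates with one subject DN:
                            # the server cert looks self-issued by name but
                            # was signed with the CA's key
    fi
}

# check_pair CA.crt SERVER.crt: read the fields with openssl and classify them.
check_pair() {
    same=no
    if [ "$(openssl x509 -in "$1" -noout -fingerprint)" = \
         "$(openssl x509 -in "$2" -noout -fingerprint)" ]; then
        same=yes
    fi
    classify_names \
        "$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253)" \
        "$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253)" \
        "$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)" \
        "$same"
}

if [ $# -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

A result of `collision` means the two certificates need different subject names, which is the fix the post above describes.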
 |
MrWolf n00b

Joined: 09 Mar 2005 Posts: 9
|
Posted: Wed Nov 09, 2005 11:38 am Post subject: |
|
|
My solution was simple: just change the certificate domain from localhost to the address I was trying to access the site from, e.g. www.buzbox.net _________________ I am Mr Wintson Wolf...I solve problems. |