starting Apache in SSL mode

FTP
Hi there,

I was trying to start Apache in SSL mode and I did follow the http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued "apachectl startssl" and everything went fine.

Now, when I point to the https://<IP-address> from my server I get an "unable to connect error"!

What did I do wrong?

In the ssl_engine_log I get: "Configuring server new.host.name:443 for SSL protocol". This server has no domain assigned. Did I do something wrong in the certs?

Thanks

George


Re: starting Apache in SSL mode

Scott Francis
On 6/26/06, FTP <[hidden email]> wrote:
> Hi there,
>
> I was trying to start Apache in SSL mode and I did follow the http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued "apachectl startssl" and everything went fine.
>
> Now, when I point to the https://<IP-address> from my server I get an "unable to connect error"!
>
> What did I do wrong?
>
> In the ssl_engine_log I get: "Configuring server new.host.name:443 for SSL protocol". This server has no domain assigned. Did I do something wrong in the certs?

no, but you probably neglected to edit /var/www/conf/httpd.conf
appropriately (ServerName and NameVirtualHost come to mind, as well as
the appropriate name-specific parts of the SSL config in the same
file). ssl_engine_log probably won't give you the info you need here;
take a look at your access_log and error_log.
--
darkuncle@{gmail.com,darkuncle.net} || 0x5537F527
    encrypted email to the latter address please
    http://darkuncle.net/pubkey.asc for public key


Re: starting Apache in SSL mode

FTP
On Mon, Jun 26, 2006 at 09:22:27AM -0700, Smith wrote:

> FTP wrote:
> >Hi there,
> >
> >I was trying to start Apache in SSL mode and I did follow the
> >http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued
> >"apachectl startssl" and everything went fine.
> >
> >Now, when I point to the https://<IP-address> from my server I get an
> >"unable to connect error"!
> >
> >What did I do wrong?
> >
> >In the ssl_engine_log I get: "Configuring server new.host.name:443 for SSL
> >protocol". This server has no domain assigned. Did I do something wrong in
> >the certs?
> >
> >Thanks
> >
> >George
> >
> >
> >  
> One time I had a problem where in /etc/rc.conf.local I put
> httpd_flags="-D" and the service would not start.  So I did
> httpd_flags=-D and it worked fine.  The point being I just removed the
> quotes.  I don't know if this will help you but maybe.
>

Well, I start this from cmd ("apachectl startssl") and don't get any problems with that. Also, http to my IP address works fine. Only when I issue https do I get an error!


Re: starting Apache in SSL mode

FTP
On Mon, Jun 26, 2006 at 08:30:29AM -0700, Scott Francis wrote:

> On 6/26/06, FTP <[hidden email]> wrote:
> >Hi there,
> >
> >I was trying to start Apache in SSL mode and I did follow the
> >http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued
> >"apachectl startssl" and everything went fine.
> >
> >Now, when I point to the https://<IP-address> from my server I get an
> >"unable to connect error"!
> >
> >What did I do wrong?
> >
> >In the ssl_engine_log I get: "Configuring server new.host.name:443 for SSL
> >protocol". This server has no domain assigned. Did I do something wrong in
> >the certs?
>
> no, but you probably neglected to edit /var/www/conf/httpd.conf
> appropriately (ServerName and NameVirtualHost come to mind, as well as
> the appropriate name-specific parts of the SSL config in the same
> file). ssl_engine_log probably won't give you the info you need here;
> take a look at your access_log and error_log.
> --
> darkuncle@{gmail.com,darkuncle.net} || 0x5537F527
>    encrypted email to the latter address please
>    http://darkuncle.net/pubkey.asc for public key
>

Thanks for your reply.

Well, the error_log doesn't get any message. Also, the regular http does show the web page without having the IP address in the http.conf file. Why doesn't this work with SSL as well?
Certs etc. are in the correct path.

Thanks

George


Re: starting Apache in SSL mode

FTP
On Tue, Jun 27, 2006 at 08:55:22PM +0900, vladas wrote:

> On 27/06/06, FTP <[hidden email]> wrote:
> >On Mon, Jun 26, 2006 at 09:22:27AM -0700, Smith wrote:
> >> FTP wrote:
> >> >Hi there,
> >> >
> >> >I was trying to start Apache in SSL mode and I did follow the
> >> >http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued
> >> >"apachectl startssl" and everything went fine.
> >> >
> >> >Now, when I point to the https://<IP-address> from my server I get an
> >> >"unable to connect error"!
> >> >
> >> >What did I do wrong?
>
> Comment out the line
> ServerName new.host.name in your /var/www/conf/httpd.conf.

I did that but no luck. I also entered as "ServerName" the IP of the box but I still get an error when I issue https. As I mentioned, http works fine though!

>
> >> >
> >> >In the ssl_engine_log I get: "Configuring server new.host.name:443 for
> >SSL
> >> >protocol". This server has no domain assigned. Did I do something wrong
> >in
> >> >the certs?
> >> >
> >> >Thanks
> >> >
> >> >George
> >> >
> >> >
> >> >
> >> One time I had a problem where in /etc/rc.conf.local I put
> >> httpd_flags="-D" and the service would not start.  So I did
> >> httpd_flags=-D and it worked fine.  The point being I just removed the
> >> quotes.  I don't know if this will help you but maybe.
> >>
> >
> >well, I start this from cmd ("apachectl startssl") and don't get any
> >problems with that. Also, http to my IP address works fine. Only when I
> >issue https do I get an error!


Re: starting Apache in SSL mode

FTP
On Tue, Jun 27, 2006 at 09:03:08PM +0900, vladas wrote:

> On 27/06/06, FTP <[hidden email]> wrote:
> >Thanks for your reply.
> >
> >Well, the error_log doesn't get any message. Also, the regular http does
> >show the web page without having the IP address in the http.conf file. Why
> >doesn't this work with SSL as well?
> >Certs etc. are in the correct path.
>
>
> Apache uses virtual host for SSL traffic that allows the SSL host to
> have different configuration settings to the main web server.
>
> Of course, OpenSSL docs could explain much more.
>
>
> >Thanks
> >
> >George
> >
> >

does this mean that I have to go the 'virtual hosts' path?

Thanks


Re: starting Apache in SSL mode

Peter Blair
SSL certificates for a hostname require a unique IP address.  Are you
trying to do virtual name hosting with https?

On 6/27/06, FTP <[hidden email]> wrote:

> On Mon, Jun 26, 2006 at 08:30:29AM -0700, Scott Francis wrote:
> > On 6/26/06, FTP <[hidden email]> wrote:
> > >Hi there,
> > >
> > >I was trying to start Apache in SSL mode and I did follow the
> > >http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued
> > >"apachectl startssl" and everything went fine.
> > >
> > >Now, when I point to the https://<IP-address> from my server I get an
> > >"unable to connect error"!
> > >
> > >What did I do wrong?
> > >
> > >In the ssl_engine_log I get: "Configuring server new.host.name:443 for SSL
> > >protocol". This server has no domain assigned. Did I do something wrong in
> > >the certs?
> >
> > no, but you probably neglected to edit /var/www/conf/httpd.conf
> > appropriately (ServerName and NameVirtualHost come to mind, as well as
> > the appropriate name-specific parts of the SSL config in the same
> > file). ssl_engine_log probably won't give you the info you need here;
> > take a look at your access_log and error_log.
> > --
> > darkuncle@{gmail.com,darkuncle.net} || 0x5537F527
> >    encrypted email to the latter address please
> >    http://darkuncle.net/pubkey.asc for public key
> >
>
> Thanks for your reply.
>
> Well, the error_log doesn't get any message. Also, the regular http does show the web page without having the IP address in the http.conf file. Why doesn't this work with SSL as well?
> Certs etc. are in the correct path.
>
> Thanks
>
> George


Re: starting Apache in SSL mode

FTP
On Tue, Jun 27, 2006 at 08:49:37AM -0400, Peter Blair wrote:
> SSL certificates for a hostname requires a unique IP address.  Are you
> trying to do virtual name hosting with https?

no

>
> On 6/27/06, FTP <[hidden email]> wrote:
> >On Mon, Jun 26, 2006 at 08:30:29AM -0700, Scott Francis wrote:
> >> On 6/26/06, FTP <[hidden email]> wrote:
> >> >Hi there,
> >> >
> >> >I was trying to start Apache in SSL mode and I did follow the
> >> >http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued
> >> >"apachectl startssl" and everything went fine.
> >> >
> >> >Now, when I point to the https://<IP-address> from my server I get an
> >> >"unable to connect error"!
> >> >
> >> >What did I do wrong?
> >> >
> >> >In the ssl_engine_log I get: "Configuring server new.host.name:443 for
> >SSL
> >> >protocol". This server has no domain assigned. Did I do something wrong
> >in
> >> >the certs?
> >>
> >> no, but you probably neglected to edit /var/www/conf/httpd.conf
> >> appropriately (ServerName and NameVirtualHost come to mind, as well as
> >> the appropriate name-specific parts of the SSL config in the same
> >> file). ssl_engine_log probably won't give you the info you need here;
> >> take a look at your access_log and error_log.
> >> --
> >> darkuncle@{gmail.com,darkuncle.net} || 0x5537F527
> >>    encrypted email to the latter address please
> >>    http://darkuncle.net/pubkey.asc for public key
> >>
> >
> >Thanks for your reply.
> >
> >Well, the error_log doesn't get any message. Also, the regular http does
> >show the web page without having the IP address in the http.conf file. Why
> >doesn't this work with SSL as well?
> >Certs etc. are in the correct path.
> >
> >Thanks
> >
> >George


Re: starting Apache in SSL mode

FTP
On Tue, Jun 27, 2006 at 08:49:37AM -0400, Peter Blair wrote:

> SSL certificates for a hostname requires a unique IP address.  Are you
> trying to do virtual name hosting with https?
>
> On 6/27/06, FTP <[hidden email]> wrote:
> >On Mon, Jun 26, 2006 at 08:30:29AM -0700, Scott Francis wrote:
> >> On 6/26/06, FTP <[hidden email]> wrote:
> >> >Hi there,
> >> >
> >> >I was trying to start Apache in SSL mode and I did follow the
> >> >http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued
> >> >"apachectl startssl" and everything went fine.
> >> >
> >> >Now, when I point to the https://<IP-address> from my server I get an
> >> >"unable to connect error"!
> >> >
> >> >What did I do wrong?
> >> >
> >> >In the ssl_engine_log I get: "Configuring server new.host.name:443 for
> >SSL
> >> >protocol". This server has no domain assigned. Did I do something wrong
> >in
> >> >the certs?
> >>
> >> no, but you probably neglected to edit /var/www/conf/httpd.conf
> >> appropriately (ServerName and NameVirtualHost come to mind, as well as
> >> the appropriate name-specific parts of the SSL config in the same
> >> file). ssl_engine_log probably won't give you the info you need here;
> >> take a look at your access_log and error_log.
> >> --
> >> darkuncle@{gmail.com,darkuncle.net} || 0x5537F527
> >>    encrypted email to the latter address please
> >>    http://darkuncle.net/pubkey.asc for public key
> >>
> >
> >Thanks for your reply.
> >
> >Well, the error_log doesn't get any message. Also, the regular http does
> >show the web page without having the IP address in the http.conf file. Why
> >doesn't this work with SSL as well?
> >Certs etc. are in the correct path.
> >
> >Thanks
> >
> >George
> >
> >

the weird thing is that I don't see anything in the logs! No errors - nothing!


Re: starting Apache in SSL mode

FTP
On Tue, Jun 27, 2006 at 03:55:16PM +0200, FTP wrote:

> On Tue, Jun 27, 2006 at 08:49:37AM -0400, Peter Blair wrote:
> > SSL certificates for a hostname requires a unique IP address.  Are you
> > trying to do virtual name hosting with https?
> >
> > On 6/27/06, FTP <[hidden email]> wrote:
> > >On Mon, Jun 26, 2006 at 08:30:29AM -0700, Scott Francis wrote:
> > >> On 6/26/06, FTP <[hidden email]> wrote:
> > >> >Hi there,
> > >> >
> > >> >I was trying to start Apache in SSL mode and I did follow the
> > >> >http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued
> > >> >"apachectl startssl" and everything went fine.
> > >> >
> > >> >Now, when I point to the https://<IP-address> from my server I get an
> > >> >"unable to connect error"!
> > >> >
> > >> >What did I do wrong?
> > >> >
> > >> >In the ssl_engine_log I get: "Configuring server new.host.name:443 for
> > >SSL
> > >> >protocol". This server has no domain assigned. Did I do something wrong
> > >in
> > >> >the certs?
> > >>
> > >> no, but you probably neglected to edit /var/www/conf/httpd.conf
> > >> appropriately (ServerName and NameVirtualHost come to mind, as well as
> > >> the appropriate name-specific parts of the SSL config in the same
> > >> file). ssl_engine_log probably won't give you the info you need here;
> > >> take a look at your access_log and error_log.
> > >> --
> > >> darkuncle@{gmail.com,darkuncle.net} || 0x5537F527
> > >>    encrypted email to the latter address please
> > >>    http://darkuncle.net/pubkey.asc for public key
> > >>
> > >
> > >Thanks for your reply.
> > >
> > >Well, the error_log doesn't get any message. Also, the regular http does
> > >show the web page without having the IP address in the http.conf file. Why
> > >doesn't this work with SSL as well?
> > >Certs etc. are in the correct path.
> > >
> > >Thanks
> > >
> > >George
> > >
> > >
>
> the weird thing is that I don't anything in the logs! No errors - nothing!
>

some more info:

when trying curl https://localhost I get the following:

curl: (60) Failed to connect to ::1: Connection refused
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

if I issue curl -k https://localhost instead, I do get the page. Could it be due to the self-signed cert?

Thanks George


Re: starting Apache in SSL mode

FTP
On Tue, Jun 27, 2006 at 04:34:19PM +0200, FTP wrote:

> On Tue, Jun 27, 2006 at 03:55:16PM +0200, FTP wrote:
> > On Tue, Jun 27, 2006 at 08:49:37AM -0400, Peter Blair wrote:
> > > SSL certificates for a hostname requires a unique IP address.  Are you
> > > trying to do virtual name hosting with https?
> > >
> > > On 6/27/06, FTP <[hidden email]> wrote:
> > > >On Mon, Jun 26, 2006 at 08:30:29AM -0700, Scott Francis wrote:
> > > >> On 6/26/06, FTP <[hidden email]> wrote:
> > > >> >Hi there,
> > > >> >
> > > >> >I was trying to start Apache in SSL mode and I did follow the
> > > >> >http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued
> > > >> >"apachectl startssl" and everything went fine.
> > > >> >
> > > >> >Now, when I point to the https://<IP-address> from my server I get an
> > > >> >"unable to connect error"!
> > > >> >
> > > >> >What did I do wrong?
> > > >> >
> > > >> >In the ssl_engine_log I get: "Configuring server new.host.name:443 for
> > > >SSL
> > > >> >protocol". This server has no domain assigned. Did I do something wrong
> > > >in
> > > >> >the certs?
> > > >>
> > > >> no, but you probably neglected to edit /var/www/conf/httpd.conf
> > > >> appropriately (ServerName and NameVirtualHost come to mind, as well as
> > > >> the appropriate name-specific parts of the SSL config in the same
> > > >> file). ssl_engine_log probably won't give you the info you need here;
> > > >> take a look at your access_log and error_log.
> > > >> --
> > > >> darkuncle@{gmail.com,darkuncle.net} || 0x5537F527
> > > >>    encrypted email to the latter address please
> > > >>    http://darkuncle.net/pubkey.asc for public key
> > > >>
> > > >
> > > >Thanks for your reply.
> > > >
> > > >Well, the error_log doesn't get any message. Also, the regular http does
> > > >show the web page without having the IP address in the http.conf file. Why
> > > >doesn't this work with SSL as well?
> > > >Certs etc. are in the correct path.
> > > >
> > > >Thanks
> > > >
> > > >George
> > > >
> > > >
> >
> > the weird thing is that I don't anything in the logs! No errors - nothing!
> >
>
> some more ifo:
>
> when trying curl https://localhost I get the follwing:
>
> curl: (60) Failed to connect to ::1: Connection refused
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
>  of Certificate Authority (CA) public keys (CA certs). The default
>   bundle is named curl-ca-bundle.crt; you can specify an alternate file
>    using the --cacert option.
>    If this HTTPS server uses a certificate signed by a CA represented in
>     the bundle, the certificate verification probably failed due to a
>      problem with the certificate (it might be expired, or the name might
>       not match the domain name in the URL).
>       If you'd like to turn off curl's verification of the certificate, use
>        the -k (or --insecure) option.
>
> if I issue curl -k https://localhost instead, I do get the page. Could it be due to the self-signed cert?
>
> Thanks George
>

even more info:

when I try to access the site via lynx I do get an SSL error message moaning that I have a self-signed cert. After accepting this, the page gets displayed.
So it looks like the problem is with the CA? How do I correct that?
I found a reference in "manual/mod/mod_ssl/ssl_faq.html#ToC24" but it mentions a "sign.sh" script which isn't present in the OBSD package.

Thanks

George


Re: starting Apache in SSL mode

FTP
On Tue, Jun 27, 2006 at 05:03:52PM +0200, FTP wrote:

> On Tue, Jun 27, 2006 at 04:34:19PM +0200, FTP wrote:
> > On Tue, Jun 27, 2006 at 03:55:16PM +0200, FTP wrote:
> > > On Tue, Jun 27, 2006 at 08:49:37AM -0400, Peter Blair wrote:
> > > > SSL certificates for a hostname requires a unique IP address.  Are you
> > > > trying to do virtual name hosting with https?
> > > >
> > > > On 6/27/06, FTP <[hidden email]> wrote:
> > > > >On Mon, Jun 26, 2006 at 08:30:29AM -0700, Scott Francis wrote:
> > > > >> On 6/26/06, FTP <[hidden email]> wrote:
> > > > >> >Hi there,
> > > > >> >
> > > > >> >I was trying to start Apache in SSL mode and I did follow the
> > > > >> >http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued
> > > > >> >"apachectl startssl" and everything went fine.
> > > > >> >
> > > > >> >Now, when I point to the https://<IP-address> from my server I get an
> > > > >> >"unable to connect error"!
> > > > >> >
> > > > >> >What did I do wrong?
> > > > >> >
> > > > >> >In the ssl_engine_log I get: "Configuring server new.host.name:443 for
> > > > >SSL
> > > > >> >protocol". This server has no domain assigned. Did I do something wrong
> > > > >in
> > > > >> >the certs?
> > > > >>
> > > > >> no, but you probably neglected to edit /var/www/conf/httpd.conf
> > > > >> appropriately (ServerName and NameVirtualHost come to mind, as well as
> > > > >> the appropriate name-specific parts of the SSL config in the same
> > > > >> file). ssl_engine_log probably won't give you the info you need here;
> > > > >> take a look at your access_log and error_log.
> > > > >> --
> > > > >> darkuncle@{gmail.com,darkuncle.net} || 0x5537F527
> > > > >>    encrypted email to the latter address please
> > > > >>    http://darkuncle.net/pubkey.asc for public key
> > > > >>
> > > > >
> > > > >Thanks for your reply.
> > > > >
> > > > >Well, the error_log doesn't get any message. Also, the regular http does
> > > > >show the web page without having the IP address in the http.conf file. Why
> > > > >doesn't this work with SSL as well?
> > > > >Certs etc. are in the correct path.
> > > > >
> > > > >Thanks
> > > > >
> > > > >George
> > > > >
> > > > >
> > >
> > > the weird thing is that I don't anything in the logs! No errors - nothing!
> > >
> >
> > some more ifo:
> >
> > when trying curl https://localhost I get the follwing:
> >
> > curl: (60) Failed to connect to ::1: Connection refused
> > More details here: http://curl.haxx.se/docs/sslcerts.html
> >
> > curl performs SSL certificate verification by default, using a "bundle"
> >  of Certificate Authority (CA) public keys (CA certs). The default
> >   bundle is named curl-ca-bundle.crt; you can specify an alternate file
> >    using the --cacert option.
> >    If this HTTPS server uses a certificate signed by a CA represented in
> >     the bundle, the certificate verification probably failed due to a
> >      problem with the certificate (it might be expired, or the name might
> >       not match the domain name in the URL).
> >       If you'd like to turn off curl's verification of the certificate, use
> >        the -k (or --insecure) option.
> >
> > if I issue curl -k https://localhost instead, I do get the page. Could it be due to the self-signed cert?
> >
> > Thanks George
> >
>
> even more info:
>
> when I try to access the site via lynx I do get an SSL error message moaning that I have a self-signed cert. After accepting this, the page gets dispalyed.
> So it looks like the problem is with the CA? How do I correct that?
> I found the a reference in "manual/mod/mod_ssl/ssl_faq.html#ToC24" but mentions a "sign.sh" script wich isn't present in the OBSD package.
>
> Thanks
>
> George
>

any chance to draw some attention to the above?

Thanks


Re: starting Apache in SSL mode

Joachim Schipper
On Sun, Jul 02, 2006 at 10:32:12PM +0200, FTP wrote:
> On Tue, Jun 27, 2006 at 05:03:52PM +0200, FTP wrote:
> > when I try to access the site via lynx I do get an SSL error message
> > moaning that I have a self-signed cert. After accepting this, the
> > page gets dispalyed.  So it looks like the problem is with the CA?
> > How do I correct that?  I found the a reference in
> > "manual/mod/mod_ssl/ssl_faq.html#ToC24" but mentions a "sign.sh"
> > script wich isn't present in the OBSD package.
>
> any chance to draw some attention to the above?

There are two basic solutions:
        1. Get a certificate from a commercial CA - Verisign, Thawte,
and the like. This will be trusted by default in most applications,
especially browsers.
        2. Create your own certificate, or whole CA chain. In this case,
you'll have to tell applications and visitors to accept the certificate.
I created my own CA, and had it sign one certificate per service. The
users then import the CA (in the ideal world) or just click 'accept
always' or the equivalent in their browser/mail client/... (in the real
world). [1]

If you want to go with the second option, Google has lots of HOWTO's.
It's not too difficult, but it does cost some work - and, being crypto,
finding out just why it doesn't work is not trivial.

                Joachim

[1] And then complain when the certificate expires. Well, the CA has a
much longer lifetime...


Re: starting Apache in SSL mode

FTP
On Mon, Jul 03, 2006 at 10:47:04AM +0200, Joachim Schipper wrote:

> On Sun, Jul 02, 2006 at 10:32:12PM +0200, FTP wrote:
> > On Tue, Jun 27, 2006 at 05:03:52PM +0200, FTP wrote:
> > > when I try to access the site via lynx I do get an SSL error message
> > > moaning that I have a self-signed cert. After accepting this, the
> > > page gets dispalyed.  So it looks like the problem is with the CA?
> > > How do I correct that?  I found the a reference in
> > > "manual/mod/mod_ssl/ssl_faq.html#ToC24" but mentions a "sign.sh"
> > > script wich isn't present in the OBSD package.
> >
> > any chance to draw some attention to the above?
>
> There are two basic solutions:
> 1. Get a certificate from a commercial CA - Verisign, Thawte,
> and the like. This will be trusted by default in most applications,
> especially browsers.
> 2. Create your own certificate, or whole CA chain. In this case,
> you'll have to tell applications and visitors to accept the certificate.
> I created my own CA, and had it sign one certificate per service. The
> users then import the CA (in the ideal world) or just click 'accept
> always' or the equivalent in their browser/mail client/... (in the real
> world). [1]
>
> If you want to go with the second option, Google has lots of HOWTO's.
> It's not too difficult, but it does cost some work - and, being crypto,
> finding out just why it doesn't work is not trivial.
>
> Joachim
>
> [1] And then complain when the certificate expires. Well, the CA has a
> much longer lifetime...
>

but I was following the procedure described in:
http://openbsd.org/faq/faq10.html#HTTPS

which normally should cover the self-signed cert part as well - or not?

Thanks

George


Re: starting Apache in SSL mode

FTP
On Mon, Jul 03, 2006 at 03:02:46PM +0200, FTP wrote:

> On Mon, Jul 03, 2006 at 10:47:04AM +0200, Joachim Schipper wrote:
> > On Sun, Jul 02, 2006 at 10:32:12PM +0200, FTP wrote:
> > > On Tue, Jun 27, 2006 at 05:03:52PM +0200, FTP wrote:
> > > > when I try to access the site via lynx I do get an SSL error message
> > > > moaning that I have a self-signed cert. After accepting this, the
> > > > page gets dispalyed.  So it looks like the problem is with the CA?
> > > > How do I correct that?  I found the a reference in
> > > > "manual/mod/mod_ssl/ssl_faq.html#ToC24" but mentions a "sign.sh"
> > > > script wich isn't present in the OBSD package.
> > >
> > > any chance to draw some attention to the above?
> >
> > There are two basic solutions:
> > 1. Get a certificate from a commercial CA - Verisign, Thawte,
> > and the like. This will be trusted by default in most applications,
> > especially browsers.
> > 2. Create your own certificate, or whole CA chain. In this case,
> > you'll have to tell applications and visitors to accept the certificate.
> > I created my own CA, and had it sign one certificate per service. The
> > users then import the CA (in the ideal world) or just click 'accept
> > always' or the equivalent in their browser/mail client/... (in the real
> > world). [1]
> >
> > If you want to go with the second option, Google has lots of HOWTO's.
> > It's not too difficult, but it does cost some work - and, being crypto,
> > finding out just why it doesn't work is not trivial.
> >
> > Joachim
> >
> > [1] And then complain when the certificate expires. Well, the CA has a
> > much longer lifetime...
> >
>
> but I was following the procedure described in:
> http://openbsd.org/faq/faq10.html#HTTPS
>
> which normally should cover the self-signed cert part as well - or not?
>
> Thanks
>
> George
>

now I get via lynx the following:

# lynx https://x.x.x.x

Looking up x.x.x.x
Making HTTPS connection to x.x.xx.
Alert!: Unable to connect to remote host.

lynx: Can't access startfile https://x.x.x.x/


Re: starting Apache in SSL mode

L. V. Lammert
On Sun, 2 Jul 2006, FTP wrote:

> On Tue, Jun 27, 2006 at 05:03:52PM +0200, FTP wrote:
>
> any chance to draw some attention to the above?
>
> Thanks
>
Certificates have nothing to do with Apache, much less OpenBSD. If you
want a signed certificate, you must create your own CA, or purchase a
publicly-signed cert from Verisign, Equifax, Thawte, et al.

        Lee


Re: starting Apache in SSL mode

Mike Erdely
L. V. Lammert wrote:
> Certificates have nothing to do with Apache, much less OpenBSD. If you
> want a signed certificate, you must create your own CA, or purchased a
> publically-signed cert from Verisign, Eqifax, Thawte, et al.

That may be true, but mentioning "man 8 ssl" and referencing "GENERATING
RSA SERVER CERTIFICATES FOR WEB SERVERS" would have been helpful. :)

-ME

--
Support OpenBSD: http://www.openbsd.org/orders.html


Re: starting Apache in SSL mode

FTP
On Mon, Jul 03, 2006 at 11:24:44PM -0400, Michael Erdely wrote:

> L. V. Lammert wrote:
> >Certificates have nothing to do with Apache, much less OpenBSD. If you
> >want a signed certificate, you must create your own CA, or purchased a
> >publically-signed cert from Verisign, Eqifax, Thawte, et al.
>
> That may be true, but mentioning "man 8 ssl" and referencing "GENERATING
> RSA SERVER CERTIFICATES FOR WEB SERVERS" would have been helpful. :)
>
> -ME
>
> --


Thanks for your reply.

Well, actually I did exactly what's described in the "man 8 ssl" page (which by the way is mentioned in http://openbsd.org/faq/faq10.html#HTTPS) but firefox returns an error when accessing my server via https.
As I mentioned in a previous e-mail, lynx displays a message saying:
SSL error:self signed certificate-Continue? (y)

and after pressing enter does display the page.

Now, am I the only one who's using a self-signed cert or am I doing something fundamentally wrong in my setup???
Up to now, I used SSL (self-signed certs only!) with Jetty and the installation was very easy. I'm surprised to face this kind of problems with Apache.

Thanks

George


Re: starting Apache in SSL mode

Lars Hansson
On Tuesday 04 July 2006 16:30, FTP wrote:
> Well, actually I did exactly what's described in the "man 8 ssl" page
> (which by the way is mentioned in http://openbsd.org/faq/faq10.html#HTTPS)
> but firefox returns an error when accessing my server via https. As I
> mentioned in a previous e-mail, lynx displays a message saying: SSL
> error:self signed certificate-Continue? (y)

As someone who followed faq10 just today I can for certain say that the
procedure works.
I don't know why Firefox doesn't like your cert, because if you follow faq10 it just
works, with firefox, lynx and konqueror.
What error does firefox show?

> Now, am I the only one who's using a self-signed cert or am I doing
> something fundamentaly wrong in my setup???

Nothing is wrong in your setup if Lynx shows the page after prompting you to
confirm the self-signed certificate.

> I'm surprised to face this kind of problems with Apache.

How can it be any easier than just cut-n-pasting the commands from the faq?
Took me a whole 2 minutes.

---
Lars Hansson


Re: [solved] starting Apache in SSL mode

FTP
On Tue, Jul 04, 2006 at 04:54:51PM +0800, Lars Hansson wrote:

> On Tuesday 04 July 2006 16:30, FTP wrote:
> > Well, actually I did exactly what's described in the "man 8 ssl" page
> > (which by the way is mentioned in http://openbsd.org/faq/faq10.html#HTTPS)
> > but firefox returns an error when accessing my server via https. As I
> > mentioned in a previous e-mail, lynx displays a message saying: SSL
> > error:self signed certificate-Continue? (y)
>
> As someone who followed faq10 just today I can for certain say that the
> procedure works.
> I dont know why Firefox dont like you cert because if you follow faq10 it just
> works, with firefox, lynx and konqueror.
> What error does firefox show?
>
> > Now, am I the only one who's using a self-signed cert or am I doing
> > something fundamentaly wrong in my setup???
>
> Nothing is wrong in your setup if Lynx shows the page after prompting you to
> confirm the self-signed certificate.
>
> > I'm surprised to face this kind of problems with Apache.
>
> How can it be any easier than just cut-n-pasting the commands from the faq?
> Took me a whole 2 minutes.
>
> ---
> Lars Hansson
>

I was blocking port 443 in pf.conf and that was the reason :-(

I'm terribly sorry for my stupid mistake and thanks all of you for your support.

Thanks

George
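The curl output George posted earlier runs two unrelated failures together: "Failed to connect ... Connection refused" is a TCP-level failure (nothing answering on the port, which in the end was pf blocking 443), while the long paragraph that follows it is about certificate trust (the self-signed cert that lynx prompted about). The script below is an added example, not code from this thread or from OpenBSD; it checks the three layers one at a time so that a firewall problem is never misread as a certificate problem. It uses only the Python 3 standard library. The `cafile` parameter is where a private CA of the kind Joachim describes would be supplied on the client side; the two local test cases in `demo()` and the `ADVICE` strings are constructed for this example.

```python
"""Layered HTTPS reachability check (added example; not from the thread).

Separates the failures the thread runs together:
  tcp_*                 nothing answers on the port (firewall, no Listen 443)
  tls_handshake_failed  something answers but does not speak TLS
  self_signed / cert_*  TLS works, but the certificate is not trusted
"""
import socket
import ssl
import threading

# Constructed advice, keyed to the strings diagnose() returns.
ADVICE = {
    "dns_failed": "name does not resolve; a DNS problem, not Apache",
    "tcp_refused": "host answered with RST: nothing listening, or a 'block return' firewall rule",
    "tcp_timeout": "packets silently dropped: a 'block drop' firewall rule or routing",
    "tcp_unreachable": "no route or host unreachable; network level, not TLS",
    "tls_handshake_failed": "listener is not TLS (plain HTTP on 443?) or closed mid-handshake",
    "self_signed": "TLS works; cert is self-signed, clients must import or accept it",
    "hostname_mismatch": "TLS works; cert name does not match the name in the URL",
    "cert_untrusted": "TLS works; chain does not lead to a trusted CA",
    "ok": "TCP, TLS and certificate verification all succeed",
}

# OpenSSL X509 verify codes surfaced via SSLCertVerificationError.verify_code
_SELF_SIGNED_CODES = {18, 19}   # DEPTH_ZERO_SELF_SIGNED_CERT, SELF_SIGNED_CERT_IN_CHAIN
_HOSTNAME_MISMATCH = 62         # X509_V_ERR_HOSTNAME_MISMATCH


def diagnose(host, port=443, cafile=None, timeout=3.0):
    """Classify why https://host:port is or is not reachable.

    cafile: PEM bundle holding a private CA (the 'import the CA' option);
    None means the system trust store.
    """
    # Layer 1: plain TCP connect, no TLS yet.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        return "dns_failed"
    except ConnectionRefusedError:
        return "tcp_refused"
    except (socket.timeout, TimeoutError):
        return "tcp_timeout"
    except OSError:
        return "tcp_unreachable"

    # Layers 2 and 3: TLS handshake with chain and hostname verification on.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except ssl.SSLCertVerificationError as err:   # subclass of SSLError, so first
        code = getattr(err, "verify_code", None)
        if code == _HOSTNAME_MISMATCH:
            return "hostname_mismatch"
        if code in _SELF_SIGNED_CODES:
            return "self_signed"
        return "cert_untrusted"
    except (ssl.SSLError, OSError):
        return "tls_handshake_failed"
    finally:
        sock.close()


def _plain_tcp_listener():
    """Constructed peer: accepts one TCP connection, reads the ClientHello,
    then closes without ever speaking TLS. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(3.0)
        try:
            conn.recv(4096)
        except OSError:
            pass
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Two constructed local cases: a port nothing listens on (what a blocked
    or unconfigured 443 looks like) and a port that answers TCP but not TLS."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]   # free ephemeral port, then released
    probe.close()
    return {
        "closed_port": diagnose("127.0.0.1", closed_port),
        "plain_tcp_listener": diagnose("127.0.0.1", _plain_tcp_listener()),
    }


if __name__ == "__main__":
    for case, finding in demo().items():
        print(f"{case}: {finding} -> {ADVICE[finding]}")
```

Against a real server you would call `diagnose("x.x.x.x")`; a `tcp_refused` or `tcp_timeout` result means the answer is in pf.conf or the `Listen` directive and no amount of certificate work will change it, while `self_signed` is the expected result for the faq10 setup until clients import the certificate.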