Hello Scott,

> Whew, that was a bit of an exercise.
>
> Some issues I discovered and some quick things that I learned - maybe
> this will help others. Likely I need some correction/clarification too?!
>
> FWIW I use a CD for the bulk of the packages and a floppy for 'partial'
> backups of the packages that I adjust.
>
> =-=-=-=-
>
> 1) The online PDF doc wasn't available while I was playing/testing so
> maybe all my issues/questions are answered therein.
>
> 2) I had never played with SSL or certificates so I was learning on the
> fly.
>
> 3) Late in the game I discovered the help option on the main (first)
> menu of lrcfg. It had some useful info there about mini_httpds. :-)
>
> 4) the config file for mini_httpds (/etc/mini_httpds.conf) has a line to
> specify the certificate file, by default this says:
>
>   certfile=mini_httpd.pem
>
> this file is actually stored in the directory /var/webconf/www. For
> clarity I changed my entry to read:
>
>   certfile=/var/webconf/www/mini_httpd.pem
>
> This (actual directory) was evident after I peeked into
> /etc/init.d/mini_httpds and saw that there was a specific directory
> change into the /var/webconf/www directory.

The intention was that this file is stored in the /var/sh-www directory,
which is also listed to backup in mhttpds.list. But this is actually some
leftover from the "old" weblet setup. I think the easiest way for now is
to store it in the /root directory, so it's saved with the root.lrp
package. But I will look at a better place for it (somewhere in the
mhttpds.lrp package itself).

> Note that (AIUI) if you use a different http daemon (i.e. non
> mini_httpd*) then that certfile line may need to be different, e.g.:
>
>   certfile=/var/sh-www/www/mini_httpd.pem

The certificate file is only of use with an SSL httpd like mini_httpds;
sh-www doesn't support SSL. But if you store the key in /root it will
always be saved.

> 5) I discovered that in order to use SSL (via mini_httpds) I'd need to
> acquire a certificate and thus go_through_hassles or self-sign a
> certificate. Guess which I chose... ;-)
>
> 6) To create the self-signed certificate one needs to install
> (albeit only temporarily, for the purpose of this certificate
> generation) the openssl.lrp package.
>
> 7) I found this single command gave me exactly the certificate file that
> I needed:
>
>   openssl req -new -newkey rsa:1024 -days 9500 -nodes -x509 \
>     -keyout /var/webconf/www/mini_httpd.pem \
>     -out /var/webconf/www/mini_httpd.pem
>
> 8) I chose 9500 days until expiry so as to not have to do this process
> again for > 26 years.
>
> 9) This command causes two sections to appear in the certfile file
> (/var/webconf/www/mini_httpd.pem): 'RSA PRIVATE KEY' & 'CERTIFICATE'.
> This is unusual because normally the output files mentioned on the
> openssl cmdline are different and thus each of the two files gets only
> one 'section'. mini_httpds seems to need both sections in that single
> PEM file.
>
> 10) It was a bit of a challenge to diagnose what mini_httpds was unhappy
> about because it gave no output, and the filesize of mini_httpds.log
> stayed at all times as zero. I got some hints about what I was doing
> incorrectly by removing the '2>/dev/nul' parts from
> /etc/init.d/mini_httpds.
>
> 11) mini_httpd.pem has cooties! Nobody wants to backup this file (well,
> neither mini_httpds nor webconf). I fixed this by adding
> 'var/webconf/www/mini_httpd.pem' to file: /var/lib/lrpkg/webconf.list
>
> 12) I then did a *full* backup of webconf (to floppy) and re-burned that
> on my CD, because a partial backup would not backup that file. ... Should
> this mini_httpd.pem file be part of a 'partial' backup? Should it be a
> part of mhttpd.lrp or webconf.lrp? It should probably have an entry in
> one of the <package>.list file ?!

I think the best option is to make it part of the mhttpds package,
because it's used by the httpds daemon, not by webconf.

> 13) A funny thing happened at some point - some of the files in
> /var/webconf/www had their group membership removed, so they said
> 'nogroup'. I changed all these to be group=root. Until I made that fix I
> couldn't see the full index.cgi page (i.e. the column at the left was
> missing and all I got was the 'general information' blurb).

Strange.... I will take a look.

> 14) AIUI one can safely ignore all logfile entries which state "socket
> :: - Address family not supported by protocol". This 'complaint' refers
> to (AIUI) the fact that I don't have IPv6 support going on.

Correct, mhttpd supports ipv6 (but only if you have installed ipv6
support). You can safely ignore the entries.

> 15) happy logfiles: when mini_httpds is loaded & running you'll see in
> daemon.log these two lines:
>
>   started as root without requesting chroot(), warning only
>   mini_httpd/1.19 19dec2003 starting on R11, port 443
>
> 16) More on generating the self-signed certificate... If you type into
> your browser window (for example) https://192.168.0.254 to access the
> webconf screen you'll possibly get notified that the certificate does not
> match the host you are connecting to ("Domain name mismatch" - firefox
> v1.07 warning window). This seems to be related to the "Common name" field
> of the self-signed certificate you are making. All of the fields don't
> matter *at all*, except this field.
>
> Basically, if this field is set to "192.168.0.254" then one won't get a
> complaint about "Domain name mismatch" (firefox v1.07 syntax). In my case,
> because I have an entry in my hosts file (on my usual workstation) as:
>
>   192.168.0.254 router
>
> I would be entering:
>
>   https://router
>
> into my browser. Thus at the time I generated a certificate I set my
> "Common name" to be "router" and I don't get the domain-mismatch
> warning. I still have to accept the certificate though, since it is
> self-signed and thus not automatically trusted.
>
> 17) Curiously, the file /var/webconf/www/basic.cgi lives in the
> webconf.lRp file, however the file /var/webconf/www/expert.cgi lives in
> the webconf.lWp file. Is this segregation of the basic.cgi & expert.cgi
> intentional?

This is intentional, the webconf.lrp package provides the basic options
(basic.cgi). The webconf.lwp is a plugin which adds some expert options
(which is not always needed/wanted).

> Hopefully this is helpful to others and thanks to all for LEAF!

Thanks for reporting!

> scott; canada

Eric

------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
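The certificate generation and the checks discussed in items 7, 9, 10 and 16 of the thread, as an added shell example. This is not code from the thread, from LEAF or from mini_httpd. It assumes openssl is on the PATH (as after installing openssl.lrp) and uses the thread's "router" / 192.168.0.254 as example values. It writes the key and certificate to separate temporary files and concatenates them, which yields the same two-section file as the "-keyout X -out X" command without relying on openssl appending when both options name the same file. It goes beyond the thread in two places: it adds a subjectAltName, because current browsers match the SAN rather than the Common Name, and it verifies that the key and certificate in the combined file belong together.

```shell
#!/bin/sh
# Added example: not code from the thread, from LEAF or from mini_httpd.
# Builds the single PEM file (private key followed by certificate) that
# mini_httpds reads through its certfile= setting, then checks it.
# Assumptions: openssl is on the PATH (Scott installed openssl.lrp for this);
# "router" and 192.168.0.254 are the example name and address from the thread.
set -e

# make_combined_pem FILE COMMON_NAME IP_ADDRESS DAYS
# Key and certificate are written to separate temporary files and then
# concatenated. The result has the same two sections as the thread's
# "-keyout X -out X" command but does not depend on openssl appending
# when both options name the same file.
make_combined_pem() {
    pem="$1"; cn="$2"; ip="$3"; days="$4"
    work=$(mktemp -d)
    # prompt = no takes the subject from this file instead of interactive
    # questions. The SAN names both the hostname typed into the browser and
    # the IP; current browsers match against the SAN, not the Common Name.
    cat > "$work/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $cn
[v3]
subjectAltName = DNS:$cn, IP:$ip
EOF
    (
        umask 077   # the file carries a private key: owner-readable only
        # -nodes: no passphrase, so the daemon can start unattended at boot
        openssl req -new -x509 -newkey rsa:2048 -days "$days" -nodes \
            -config "$work/req.cnf" \
            -keyout "$work/key.pem" -out "$work/crt.pem" 2>/dev/null
        cat "$work/key.pem" "$work/crt.pem" > "$pem"
    )
    rm -rf "$work"
}

# check_combined_pem FILE COMMON_NAME
# Succeeds only if FILE has both sections, carries the expected CN, is
# self-signed, the key matches the certificate, and it has not expired.
# This is the check to run when mini_httpds exits silently (item 10).
check_combined_pem() {
    pem="$1"; cn="$2"
    # older openssl writes "RSA PRIVATE KEY", newer "PRIVATE KEY"; both fit
    grep -q -- 'PRIVATE KEY-----' "$pem" \
        || { echo "$pem: no private key section" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" \
        || { echo "$pem: no certificate section" >&2; return 1; }
    subject=$(openssl x509 -in "$pem" -noout -subject)
    issuer=$(openssl x509 -in "$pem" -noout -issuer)
    case "$subject" in
        *CN*"$cn"*) ;;
        *) echo "$pem: CN is not $cn ($subject)" >&2; return 1 ;;
    esac
    # self-signed means issuer and subject are the same name
    [ "${subject#subject}" = "${issuer#issuer}" ] \
        || { echo "$pem: issuer differs from subject" >&2; return 1; }
    # the key in the first section must be the key the certificate binds
    [ "$(openssl pkey -in "$pem" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$pem" -noout -pubkey)" ] \
        || { echo "$pem: private key does not match certificate" >&2; return 1; }
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null \
        || { echo "$pem: certificate has expired" >&2; return 1; }
}

# Demo: `sh mkpem.sh demo`. A real deployment writes the file where the
# package list saves it (/root, per Eric) instead of a temporary directory.
case "$1" in
    demo)
        dir=$(mktemp -d)
        make_combined_pem "$dir/mini_httpd.pem" router 192.168.0.254 9500
        check_combined_pem "$dir/mini_httpd.pem" router
        echo "ok: $dir/mini_httpd.pem has $(grep -c -- '-----BEGIN' "$dir/mini_httpd.pem") sections"
        ;;
esac
```

The check function is the useful half for the silent-failure case in item 10: a certfile with only one section, a key that belongs to a different certificate, or an expired certificate all make mini_httpds refuse to start without anything reaching mini_httpds.log, and each of those is reported here by name. Keep the resulting file mode 0600, since the private key sits in the same file as the public certificate.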