Re: starting Apache in SSL mode
On Mon, Jul 03, 2006 at 11:24:44PM -0400, Michael Erdely wrote:
> L. V. Lammert wrote:
> > Certificates have nothing to do with Apache, much less OpenBSD. If you want a signed certificate, you must create your own CA, or purchase a publicly-signed cert from Verisign, Equifax, Thawte, et al.
>
> That may be true, but mentioning man 8 ssl and referencing GENERATING RSA SERVER CERTIFICATES FOR WEB SERVERS would have been helpful. :)
>
> -ME
> --

Thanks for your reply.

Well, actually I did exactly what's described in the man 8 ssl page (which by the way is mentioned in http://openbsd.org/faq/faq10.html#HTTPS) but firefox returns an error when accessing my server via https. As I mentioned in a previous e-mail, lynx displays a message saying:

SSL error:self signed certificate-Continue? (y)

and after pressing enter does display the page.

Now, am I the only one who's using a self-signed cert or am I doing something fundamentally wrong in my setup???

Up to now, I used SSL (self-signed certs only!) with Jetty and the installation was very easy. I'm surprised to face this kind of problems with Apache.

Thanks
George
Re: starting Apache in SSL mode
On Tuesday 04 July 2006 16:30, FTP wrote:
> Well, actually I did exactly what's described in the man 8 ssl page (which by the way is mentioned in http://openbsd.org/faq/faq10.html#HTTPS) but firefox returns an error when accessing my server via https. As I mentioned in a previous e-mail, lynx displays a message saying:
>
> SSL error:self signed certificate-Continue? (y)

As someone who followed faq10 just today I can for certain say that the procedure works. I don't know why Firefox doesn't like your cert because if you follow faq10 it just works, with firefox, lynx and konqueror. What error does firefox show?

> Now, am I the only one who's using a self-signed cert or am I doing something fundamentally wrong in my setup???

Nothing is wrong in your setup if Lynx shows the page after prompting you to confirm the self-signed certificate.

> I'm surprised to face this kind of problems with Apache.

How can it be any easier than just cut-n-pasting the commands from the faq? Took me a whole 2 minutes.

---
Lars Hansson
Re: starting Apache in SSL mode
On Sun, Jul 02, 2006 at 10:32:12PM +0200, FTP wrote:
> On Tue, Jun 27, 2006 at 05:03:52PM +0200, FTP wrote:
> > when I try to access the site via lynx I do get an SSL error message moaning that I have a self-signed cert. After accepting this, the page gets displayed. So it looks like the problem is with the CA? How do I correct that?
> >
> > I found a reference in manual/mod/mod_ssl/ssl_faq.html#ToC24 but it mentions a sign.sh script which isn't present in the OBSD package.
>
> any chance to draw some attention to the above?

There are two basic solutions:

1. Get a certificate from a commercial CA - Verisign, Thawte, and the like. This will be trusted by default in most applications, especially browsers.

2. Create your own certificate, or whole CA chain. In this case, you'll have to tell applications and visitors to accept the certificate. I created my own CA, and had it sign one certificate per service. The users then import the CA (in the ideal world) or just click 'accept always' or the equivalent in their browser/mail client/... (in the real world). [1]

If you want to go with the second option, Google has lots of HOWTO's. It's not too difficult, but it does cost some work - and, being crypto, finding out just why it doesn't work is not trivial.

Joachim

[1] And then complain when the certificate expires. Well, the CA has a much longer lifetime...
Re: starting Apache in SSL mode
On Mon, Jul 03, 2006 at 10:47:04AM +0200, Joachim Schipper wrote:
> On Sun, Jul 02, 2006 at 10:32:12PM +0200, FTP wrote:
> > On Tue, Jun 27, 2006 at 05:03:52PM +0200, FTP wrote:
> > > when I try to access the site via lynx I do get an SSL error message moaning that I have a self-signed cert. After accepting this, the page gets displayed. So it looks like the problem is with the CA? How do I correct that?
> > >
> > > I found a reference in manual/mod/mod_ssl/ssl_faq.html#ToC24 but it mentions a sign.sh script which isn't present in the OBSD package.
> >
> > any chance to draw some attention to the above?
>
> There are two basic solutions:
>
> 1. Get a certificate from a commercial CA - Verisign, Thawte, and the like. This will be trusted by default in most applications, especially browsers.
>
> 2. Create your own certificate, or whole CA chain. In this case, you'll have to tell applications and visitors to accept the certificate. I created my own CA, and had it sign one certificate per service. The users then import the CA (in the ideal world) or just click 'accept always' or the equivalent in their browser/mail client/... (in the real world). [1]
>
> If you want to go with the second option, Google has lots of HOWTO's. It's not too difficult, but it does cost some work - and, being crypto, finding out just why it doesn't work is not trivial.
>
> Joachim
>
> [1] And then complain when the certificate expires. Well, the CA has a much longer lifetime...

but I was following the procedure described in:

http://openbsd.org/faq/faq10.html#HTTPS

which normally should cover the self-signed cert part as well - or not?

Thanks
George
Re: starting Apache in SSL mode
On Sun, 2 Jul 2006, FTP wrote:
> On Tue, Jun 27, 2006 at 05:03:52PM +0200, FTP wrote:
>
> any chance to draw some attention to the above?
>
> Thanks

Certificates have nothing to do with Apache, much less OpenBSD. If you want a signed certificate, you must create your own CA, or purchase a publicly-signed cert from Verisign, Equifax, Thawte, et al.

Lee
Re: starting Apache in SSL mode
L. V. Lammert wrote:
> Certificates have nothing to do with Apache, much less OpenBSD. If you want a signed certificate, you must create your own CA, or purchase a publicly-signed cert from Verisign, Equifax, Thawte, et al.

That may be true, but mentioning man 8 ssl and referencing GENERATING RSA SERVER CERTIFICATES FOR WEB SERVERS would have been helpful. :)

-ME
--
Support OpenBSD: http://www.openbsd.org/orders.html
Re: starting Apache in SSL mode
On Tue, Jun 27, 2006 at 05:03:52PM +0200, FTP wrote:
> On Tue, Jun 27, 2006 at 04:34:19PM +0200, FTP wrote:
> > On Tue, Jun 27, 2006 at 03:55:16PM +0200, FTP wrote:
> > > On Tue, Jun 27, 2006 at 08:49:37AM -0400, Peter Blair wrote:
> > > > SSL certificates for a hostname require a unique IP address. Are you trying to do virtual name hosting with https?
> > > >
> > > > On 6/27/06, FTP [EMAIL PROTECTED] wrote:
> > > > > On Mon, Jun 26, 2006 at 08:30:29AM -0700, Scott Francis wrote:
> > > > > > On 6/26/06, FTP [EMAIL PROTECTED] wrote:
> > > > > > > Hi there,
> > > > > > >
> > > > > > > I was trying to start Apache in SSL mode and I did follow the http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued apachectl startssl and everything went fine. Now, when I point to the https://IP-address from my server I get an unable to connect error!
> > > > > > >
> > > > > > > What did I do wrong?
> > > > > > >
> > > > > > > In the ssl_engine_log I get:
> > > > > > >
> > > > > > > Configuring server new.host.name:443 for SSL protocol. This server has no domain assigned.
> > > > > > >
> > > > > > > Did I do something wrong in the certs?
> > > > > >
> > > > > > no, but you probably neglected to edit /var/www/conf/httpd.conf appropriately (ServerName and NameVirtualHost come to mind, as well as the appropriate name-specific parts of the SSL config in the same file). ssl_engine_log probably won't give you the info you need here; take a look at your access_log and error_log.
> > > > > >
> > > > > > --
> > > > > > [EMAIL PROTECTED],darkuncle.net} || 0x5537F527
> > > > > > encrypted email to the latter address please
> > > > > > http://darkuncle.net/pubkey.asc for public key
> > > > >
> > > > > Thanks for your reply.
> > > > >
> > > > > Well, the error_log doesn't get any message. Also, the regular http does show the web page without having the IP address in the http.conf file. Why doesn't this work with SSL as well? Certs etc. are in the correct path.
> > > > >
> > > > > Thanks
> > > > > George
> > >
> > > the weird thing is that I don't see anything in the logs! No errors - nothing!
> >
> > some more info: when trying curl https://localhost I get the following:
> >
> > curl: (60) Failed to connect to ::1: Connection refused
> > More details here: http://curl.haxx.se/docs/sslcerts.html
> >
> > curl performs SSL certificate verification by default, using a bundle of Certificate Authority (CA) public keys (CA certs). The default bundle is named curl-ca-bundle.crt; you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
> >
> > if I issue curl -k https://localhost instead, I do get the page. Could it be due to the self-signed cert?
> >
> > Thanks
> > George
>
> even more info: when I try to access the site via lynx I do get an SSL error message moaning that I have a self-signed cert. After accepting this, the page gets displayed. So it looks like the problem is with the CA? How do I correct that?
>
> I found a reference in manual/mod/mod_ssl/ssl_faq.html#ToC24 but it mentions a sign.sh script which isn't present in the OBSD package.
>
> Thanks
> George

any chance to draw some attention to the above?

Thanks
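Joachim's two options (his reply above) and the curl verification failure George pastes here come down to the same client-side check: the server certificate must chain to something the client already trusts, and it must name the host in the URL. The Go program below is an added example, not code from the thread or from OpenBSD; it assumes a constructed host name and a constructed private CA, mints a self-signed certificate like faq10's plus one signed by that CA, and verifies each against an empty trust store and one with the CA imported (what "the users then import the CA" amounts to).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a minimal CA or server certificate template for cn.
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign // a CA must be allowed to sign certificates
	} else {
		t.DNSNames = []string{cn} // clients match the URL host against the SAN list
	}
	return t
}

// issue has signer certify key's public half with parent as issuer;
// passing tmpl itself as parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}

// accepted does what curl, lynx or Firefox do: chain leaf to a trusted root, then match host.
func accepted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Run reports which combinations of certificate and trust store a client accepts.
func Run() map[string]bool {
	const host = "www.example.test" // constructed; stands in for the poster's server
	srvKey, caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvTmpl, caTmpl := template(host, false, 1), template("Example Private CA", true, 2)
	selfSigned, ca := issue(srvTmpl, srvTmpl, srvKey, srvKey), issue(caTmpl, caTmpl, caKey, caKey)
	caSigned := issue(template(host, false, 3), ca, srvKey, caKey) // Joachim's option 2
	nothing, imported := x509.NewCertPool(), x509.NewCertPool()
	imported.AddCert(ca) // what "import the CA" into the browser amounts to
	return map[string]bool{
		"self-signed, nothing imported":      accepted(selfSigned, nothing, host), // the thread's error
		"CA-signed, CA not imported":         accepted(caSigned, nothing, host),
		"CA-signed, CA imported":             accepted(caSigned, imported, host),
		"CA-signed, CA imported, wrong host": accepted(caSigned, imported, "other.example.test"),
	}
}

func main() { fmt.Printf("%+v\n", Run()) }
```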
Re: starting Apache in SSL mode
On Mon, Jun 26, 2006 at 09:22:27AM -0700, Smith wrote:
> FTP wrote:
> > Hi there,
> >
> > I was trying to start Apache in SSL mode and I did follow the http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued apachectl startssl and everything went fine. Now, when I point to the https://IP-address from my server I get an unable to connect error!
> >
> > What did I do wrong?
> >
> > In the ssl_engine_log I get:
> >
> > Configuring server new.host.name:443 for SSL protocol. This server has no domain assigned.
> >
> > Did I do something wrong in the certs?
> >
> > Thanks
> > George
>
> One time I had a problem where in /etc/rc.conf.local I put httpd_flags="-D" and the service would not start. So I did httpd_flags=-D and it worked fine. The point being I just removed the quotes. I don't know if this will help you but maybe.

well, I start this from cmd (apachectl startssl) and don't get any problems with that. Also, http to my IP address works fine. Only when I issue https do I get an error!
Re: starting Apache in SSL mode
On Mon, Jun 26, 2006 at 08:30:29AM -0700, Scott Francis wrote:
> On 6/26/06, FTP [EMAIL PROTECTED] wrote:
> > Hi there,
> >
> > I was trying to start Apache in SSL mode and I did follow the http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued apachectl startssl and everything went fine. Now, when I point to the https://IP-address from my server I get an unable to connect error!
> >
> > What did I do wrong?
> >
> > In the ssl_engine_log I get:
> >
> > Configuring server new.host.name:443 for SSL protocol. This server has no domain assigned.
> >
> > Did I do something wrong in the certs?
>
> no, but you probably neglected to edit /var/www/conf/httpd.conf appropriately (ServerName and NameVirtualHost come to mind, as well as the appropriate name-specific parts of the SSL config in the same file). ssl_engine_log probably won't give you the info you need here; take a look at your access_log and error_log.
>
> --
> [EMAIL PROTECTED],darkuncle.net} || 0x5537F527
> encrypted email to the latter address please
> http://darkuncle.net/pubkey.asc for public key

Thanks for your reply.

Well, the error_log doesn't get any message. Also, the regular http does show the web page without having the IP address in the http.conf file. Why doesn't this work with SSL as well? Certs etc. are in the correct path.

Thanks
George
Re: starting Apache in SSL mode
On Tue, Jun 27, 2006 at 08:55:22PM +0900, vladas wrote:
> On 27/06/06, FTP [EMAIL PROTECTED] wrote:
> > On Mon, Jun 26, 2006 at 09:22:27AM -0700, Smith wrote:
> > > FTP wrote:
> > > > Hi there,
> > > >
> > > > I was trying to start Apache in SSL mode and I did follow the http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued apachectl startssl and everything went fine. Now, when I point to the https://IP-address from my server I get an unable to connect error!
> > > >
> > > > What did I do wrong?
>
> Comment out the line ServerName new.host.name in your /var/www/conf/httpd.conf.

I did that but no luck. I also entered as ServerName the IP of the box but I still get an error when I issue https. As I mentioned, http works fine though!

> > > > In the ssl_engine_log I get:
> > > >
> > > > Configuring server new.host.name:443 for SSL protocol. This server has no domain assigned.
> > > >
> > > > Did I do something wrong in the certs?
> > > >
> > > > Thanks
> > > > George
> > >
> > > One time I had a problem where in /etc/rc.conf.local I put httpd_flags="-D" and the service would not start. So I did httpd_flags=-D and it worked fine. The point being I just removed the quotes. I don't know if this will help you but maybe.
> >
> > well, I start this from cmd (apachectl startssl) and don't get any problems with that. Also, http to my IP address works fine. Only when I issue https do I get an error!
Re: starting Apache in SSL mode
SSL certificates for a hostname require a unique IP address. Are you trying to do virtual name hosting with https?

On 6/27/06, FTP [EMAIL PROTECTED] wrote:
> On Mon, Jun 26, 2006 at 08:30:29AM -0700, Scott Francis wrote:
> > On 6/26/06, FTP [EMAIL PROTECTED] wrote:
> > > Hi there,
> > >
> > > I was trying to start Apache in SSL mode and I did follow the http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued apachectl startssl and everything went fine. Now, when I point to the https://IP-address from my server I get an unable to connect error!
> > >
> > > What did I do wrong?
> > >
> > > In the ssl_engine_log I get:
> > >
> > > Configuring server new.host.name:443 for SSL protocol. This server has no domain assigned.
> > >
> > > Did I do something wrong in the certs?
> >
> > no, but you probably neglected to edit /var/www/conf/httpd.conf appropriately (ServerName and NameVirtualHost come to mind, as well as the appropriate name-specific parts of the SSL config in the same file). ssl_engine_log probably won't give you the info you need here; take a look at your access_log and error_log.
> >
> > --
> > [EMAIL PROTECTED],darkuncle.net} || 0x5537F527
> > encrypted email to the latter address please
> > http://darkuncle.net/pubkey.asc for public key
>
> Thanks for your reply.
>
> Well, the error_log doesn't get any message. Also, the regular http does show the web page without having the IP address in the http.conf file. Why doesn't this work with SSL as well? Certs etc. are in the correct path.
>
> Thanks
> George
Re: starting Apache in SSL mode
On Tue, Jun 27, 2006 at 08:49:37AM -0400, Peter Blair wrote:
> SSL certificates for a hostname require a unique IP address. Are you trying to do virtual name hosting with https?

no

> On 6/27/06, FTP [EMAIL PROTECTED] wrote:
> > On Mon, Jun 26, 2006 at 08:30:29AM -0700, Scott Francis wrote:
> > > On 6/26/06, FTP [EMAIL PROTECTED] wrote:
> > > > Hi there,
> > > >
> > > > I was trying to start Apache in SSL mode and I did follow the http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued apachectl startssl and everything went fine. Now, when I point to the https://IP-address from my server I get an unable to connect error!
> > > >
> > > > What did I do wrong?
> > > >
> > > > In the ssl_engine_log I get:
> > > >
> > > > Configuring server new.host.name:443 for SSL protocol. This server has no domain assigned.
> > > >
> > > > Did I do something wrong in the certs?
> > >
> > > no, but you probably neglected to edit /var/www/conf/httpd.conf appropriately (ServerName and NameVirtualHost come to mind, as well as the appropriate name-specific parts of the SSL config in the same file). ssl_engine_log probably won't give you the info you need here; take a look at your access_log and error_log.
> > >
> > > --
> > > [EMAIL PROTECTED],darkuncle.net} || 0x5537F527
> > > encrypted email to the latter address please
> > > http://darkuncle.net/pubkey.asc for public key
> >
> > Thanks for your reply.
> >
> > Well, the error_log doesn't get any message. Also, the regular http does show the web page without having the IP address in the http.conf file. Why doesn't this work with SSL as well? Certs etc. are in the correct path.
> >
> > Thanks
> > George
Re: starting Apache in SSL mode
On Tue, Jun 27, 2006 at 08:49:37AM -0400, Peter Blair wrote:
> SSL certificates for a hostname require a unique IP address. Are you trying to do virtual name hosting with https?
>
> On 6/27/06, FTP [EMAIL PROTECTED] wrote:
> > On Mon, Jun 26, 2006 at 08:30:29AM -0700, Scott Francis wrote:
> > > On 6/26/06, FTP [EMAIL PROTECTED] wrote:
> > > > Hi there,
> > > >
> > > > I was trying to start Apache in SSL mode and I did follow the http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued apachectl startssl and everything went fine. Now, when I point to the https://IP-address from my server I get an unable to connect error!
> > > >
> > > > What did I do wrong?
> > > >
> > > > In the ssl_engine_log I get:
> > > >
> > > > Configuring server new.host.name:443 for SSL protocol. This server has no domain assigned.
> > > >
> > > > Did I do something wrong in the certs?
> > >
> > > no, but you probably neglected to edit /var/www/conf/httpd.conf appropriately (ServerName and NameVirtualHost come to mind, as well as the appropriate name-specific parts of the SSL config in the same file). ssl_engine_log probably won't give you the info you need here; take a look at your access_log and error_log.
> > >
> > > --
> > > [EMAIL PROTECTED],darkuncle.net} || 0x5537F527
> > > encrypted email to the latter address please
> > > http://darkuncle.net/pubkey.asc for public key
> >
> > Thanks for your reply.
> >
> > Well, the error_log doesn't get any message. Also, the regular http does show the web page without having the IP address in the http.conf file. Why doesn't this work with SSL as well? Certs etc. are in the correct path.
> >
> > Thanks
> > George

the weird thing is that I don't see anything in the logs! No errors - nothing!
Re: starting Apache in SSL mode
On Tue, Jun 27, 2006 at 04:34:19PM +0200, FTP wrote:
> On Tue, Jun 27, 2006 at 03:55:16PM +0200, FTP wrote:
> > On Tue, Jun 27, 2006 at 08:49:37AM -0400, Peter Blair wrote:
> > > SSL certificates for a hostname require a unique IP address. Are you trying to do virtual name hosting with https?
> > >
> > > On 6/27/06, FTP [EMAIL PROTECTED] wrote:
> > > > On Mon, Jun 26, 2006 at 08:30:29AM -0700, Scott Francis wrote:
> > > > > On 6/26/06, FTP [EMAIL PROTECTED] wrote:
> > > > > > Hi there,
> > > > > >
> > > > > > I was trying to start Apache in SSL mode and I did follow the http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued apachectl startssl and everything went fine. Now, when I point to the https://IP-address from my server I get an unable to connect error!
> > > > > >
> > > > > > What did I do wrong?
> > > > > >
> > > > > > In the ssl_engine_log I get:
> > > > > >
> > > > > > Configuring server new.host.name:443 for SSL protocol. This server has no domain assigned.
> > > > > >
> > > > > > Did I do something wrong in the certs?
> > > > >
> > > > > no, but you probably neglected to edit /var/www/conf/httpd.conf appropriately (ServerName and NameVirtualHost come to mind, as well as the appropriate name-specific parts of the SSL config in the same file). ssl_engine_log probably won't give you the info you need here; take a look at your access_log and error_log.
> > > > >
> > > > > --
> > > > > [EMAIL PROTECTED],darkuncle.net} || 0x5537F527
> > > > > encrypted email to the latter address please
> > > > > http://darkuncle.net/pubkey.asc for public key
> > > >
> > > > Thanks for your reply.
> > > >
> > > > Well, the error_log doesn't get any message. Also, the regular http does show the web page without having the IP address in the http.conf file. Why doesn't this work with SSL as well? Certs etc. are in the correct path.
> > > >
> > > > Thanks
> > > > George
> >
> > the weird thing is that I don't see anything in the logs! No errors - nothing!
>
> some more info: when trying curl https://localhost I get the following:
>
> curl: (60) Failed to connect to ::1: Connection refused
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a bundle of Certificate Authority (CA) public keys (CA certs). The default bundle is named curl-ca-bundle.crt; you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
>
> if I issue curl -k https://localhost instead, I do get the page. Could it be due to the self-signed cert?
>
> Thanks
> George

even more info: when I try to access the site via lynx I do get an SSL error message moaning that I have a self-signed cert. After accepting this, the page gets displayed. So it looks like the problem is with the CA? How do I correct that?

I found a reference in manual/mod/mod_ssl/ssl_faq.html#ToC24 but it mentions a sign.sh script which isn't present in the OBSD package.

Thanks
George
Re: starting Apache in SSL mode
On 6/26/06, FTP [EMAIL PROTECTED] wrote:
> Hi there,
>
> I was trying to start Apache in SSL mode and I did follow the http://openbsd.org/faq/faq10.html#HTTPS steps. After that I issued apachectl startssl and everything went fine. Now, when I point to the https://IP-address from my server I get an unable to connect error!
>
> What did I do wrong?
>
> In the ssl_engine_log I get:
>
> Configuring server new.host.name:443 for SSL protocol. This server has no domain assigned.
>
> Did I do something wrong in the certs?

no, but you probably neglected to edit /var/www/conf/httpd.conf appropriately (ServerName and NameVirtualHost come to mind, as well as the appropriate name-specific parts of the SSL config in the same file). ssl_engine_log probably won't give you the info you need here; take a look at your access_log and error_log.

--
[EMAIL PROTECTED],darkuncle.net} || 0x5537F527
encrypted email to the latter address please
http://darkuncle.net/pubkey.asc for public key