New to https, looking for info on how it is setup with a hosted site.

2006-05-22 Thread Leon Jaimes

Hello,
I am trying to set up a secure subdomain on my site.  It is hosted on
an Apache server.  Uses Cpanel for the interface.
I have set up a subdomain that redirects to the part of the site I want
secured, and have created and installed my certificates, just looking
for what else needs to be done on my end and what I can expect the
provider to do.
TIA
sly-
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: ssl troubles

2006-05-22 Thread Markus




Phil Ehrens wrote:
> Markus wrote:
> > Phil Ehrens wrote:
> > > Markus wrote:
> > > > Made all the ca.key and the server.key and sign it via sign.sh everything
> > > > looked good so far.
> > > >
> > > > then the misery begins.
> > > >
> > > > ./configure --with apache... --with-ssl --with-mm
> > > > --with-crt=/var/local/certs --with -key=/var/local/private
> > > > --prefix=../apache_1.3.35  --enabled-shared-ssl
> > > >
> > > > Error:
> > > > cannot find SSL x.509 certificated file /var/local/certs
> > >
> > > It wants the path to the cert, not to the directory containing
> > > the cert. I wonder why they didn't use --with-cert for the
> > > option name?!
> >
> > I put that path in, however it still doesn't work. I put it in like this:
> > the certs and keys are in /usr/local/certs and /usr/local/private.
> > and I put in /usr/local/certs
> > and /usr/local/private
>
> It wants something like:
>
> /usr/local/certs/httpdcert.pem
>                  ^^^^^^^^^^^^^
>                        |
>                 filename of cert

Ahh now it works :) Thanks..
Except httpd doesn't start up anymore.. but this we do tomorrow :)




SSL_CLIENT_XXX is null

2006-05-22 Thread François Soumillion

I don't know if my first mail hit the list.  Sorry for the duplicate
if it was the case

Hi all,

First of all, thanks for the very good job with openssl.  It really rocks !!

Now my question:
I'm trying to setup strong authentication via client certificate (belgian eid).
You can see my apache config

NameVirtualHost *

  ServerAdmin [EMAIL PROTECTED]

  DocumentRoot /var/www/

  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/apache.pem
  SSLCertificateKeyFile /etc/apache2/ssl/apache.pem
  SSLVerifyClient optional_no_ca
  SSLVerifyDepth 5
  SSLCACertificateFile /etc/apache2/ssl/BelgiumRootCA.pem
  SSLOptions +FakeBasicAuth +ExportCertData +StdEnvVars +CompatEnvVars
#SSLUserName SSL_CLIENT_S_DN_CN
  RequestHeader set SSL_CLIENT_DN %{SSL_CLIENT_DN}e
  RequestHeader set SSL_CLIENT_S_DN %{SSL_CLIENT_S_DN}e
  RequestHeader set SSL_CLIENT_S_DN_CN %{SSL_CLIENT_S_DN_CN}e
  RequestHeader set SSL_CLIENT_S_DN_S %{SSL_CLIENT_S_DN_S}e
  RequestHeader set SSL_SERVER_S_DN %{SSL_SERVER_S_DN}e
  RequestHeader set SSL_PROTOCOL %{SSL_PROTOCOL}e
  RequestHeader set MyHeader "coucou"

  
  Options FollowSymLinks
  AllowOverride None
  
  
  Options Indexes FollowSymLinks MultiViews
  AllowOverride None
  Order allow,deny
  allow from all
  # This directive allows us to have apache2's default start page
  # in /apache2-default/, but still have / go to the right place
  # Commented out for Ubuntu
  #RedirectMatch ^/$ /apache2-default/
  

  ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
  
  AllowOverride None
  Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
  Order allow,deny
  Allow from all
  

  ErrorLog /var/log/apache2/error.log

  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel info

  CustomLog /var/log/apache2/access.log combined
  ServerSignature On

  Alias /doc/ "/usr/share/doc/"
  
  Options Indexes MultiViews FollowSymLinks
  AllowOverride None
  Order deny,allow
  Deny from all
  Allow from 127.0.0.0/255.0.0.0 ::1/128
  


I've a small PHP script that dumps all the HTTP headers.  All the HTTP
headers about the client (SSL_CLIENT_XXX) contain (null) while
SSL_SERVER_S_DN and SSL_PROTOCOL are successfully populated.
What's wrong with what I've done?
I use my Belgian eID on other websites so the root cause is not at the
client side.  I also include my error.log that can maybe help you.  It
looks ok except for the timeout but I don't know if I have to care
about it.

[Mon May 22 15:23:12 2006] [notice] Apache/2.0.54 (Ubuntu)
PHP/5.0.5-2ubuntu1.2 mod_ssl/2.0.54 OpenSSL/0.9.7g configured --
resuming normal operations
[Mon May 22 15:23:20 2006] [info] Connection to child 0 established
(server localhost.localdomain:443, client 127.0.0.1)
[Mon May 22 15:23:20 2006] [info] Seeding PRNG with 136 bytes of entropy
[Mon May 22 15:23:20 2006] [info] Initial (No.1) HTTPS request
received for child 0 (server localhost.localdomain:443)
[Mon May 22 15:23:27 2006] [info] Connection to child 0 closed with
standard shutdown(server localhost.localdomain:443, client 127.0.0.1)
[Mon May 22 15:23:27 2006] [info] Connection to child 1 established
(server localhost.localdomain:443, client 127.0.0.1)
[Mon May 22 15:23:27 2006] [info] Seeding PRNG with 136 bytes of entropy
[Mon May 22 15:23:27 2006] [info] Initial (No.1) HTTPS request
received for child 1 (server localhost.localdomain:443)
[Mon May 22 15:23:27 2006] [info] Subsequent (No.2) HTTPS request
received for child 1 (server localhost.localdomain:443)
[Mon May 22 15:23:42 2006] [info] (70007)The timeout specified has
expired: SSL input filter read failed.
[Mon May 22 15:23:42 2006] [info] Connection to child 1 closed with
standard shutdown(server localhost.localdomain:443, client 127.0.0.1)

Thanks in advance for your help

François


Re: ssl troubles

2006-05-22 Thread Phil Ehrens
Markus wrote:
> Phil Ehrens wrote:
> 
> >Markus wrote:
> > 
> >
> >>Made all the ca.key and the server.key and sign it via sign.sh everything 
> >>looked good so far.
> >>
> >>then the misery begins.
> >>
> >>./configure --with apache... --with-ssl --with-mm 
> >>--with-crt=/var/local/certs --with -key=/var/local/private  
> >>--prefix=../apache_1.3.35  --enabled-shared-ssl
> >>
> >>Error:
> >>cannot find SSL x.509 certificated file /var/local/certs
> >>   
> >>
> >
> >It wants the path to the cert, not to the directory containing
> >the cert. I wonder why they didn't use --with-cert for the
> >option name?!
> >
> I put that path in, however it still doesn't work. I put it in like this:
> the certs and keys are in /usr/local/certs and /usr/local/private.
> and I put in /usr/local/certs
> and /usr/local/private

It wants something like:

/usr/local/certs/httpdcert.pem
                 ^^^^^^^^^^^^^
                       |
                filename of cert
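
The point made in the reply above, that --with-crt takes the certificate file and not the directory holding it, as an added pre-flight check; this is example code written for this page, not part of the thread or of mod_ssl. It goes one step further and also checks the value meant for --with-key; the function names and the key-permission policy are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): check the values meant for
# --with-crt and --with-key before running ./configure.
# All function names here are hypothetical.

# has_pem FILE LABEL: true if FILE is a regular file with that PEM block.
has_pem() {
    [ -f "$1" ] && grep -q -e "^-----BEGIN $2-----" "$1"
}

# cert_candidates DIR: print the files directly in DIR that hold a certificate.
cert_candidates() {
    for f in "$1"/*; do
        if has_pem "$f" 'CERTIFICATE'; then echo "$f"; fi
    done
}

# check_crt PATH: 0 = certificate file, 2 = directory, 1 = anything else.
check_crt() {
    if [ -d "$1" ]; then
        echo "--with-crt: $1 is a directory; candidate files:" >&2
        cert_candidates "$1" >&2
        return 2
    fi
    has_pem "$1" 'CERTIFICATE' && return 0
    echo "--with-crt: $1 is not a PEM certificate file" >&2
    return 1
}

# check_key PATH: 0 = private key file, 2 = directory, 1 = not a key,
# 3 = key readable by group or others (assumed policy of this example).
check_key() {
    if [ -d "$1" ]; then
        echo "--with-key: $1 is a directory, not a key file" >&2
        return 2
    fi
    if ! has_pem "$1" '[A-Z ]*PRIVATE KEY'; then
        echo "--with-key: $1 is not a PEM private key file" >&2
        return 1
    fi
    if [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "--with-key: $1 is readable by group or others" >&2
        return 3
    fi
    return 0
}

# preflight CRT KEY: succeeds only when both values are usable.
preflight() { check_crt "$1" && check_key "$2"; }
```

Run `preflight /path/to/server.crt /path/to/server.key` first and pass the same two paths to --with-crt and --with-key only when it succeeds.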


Re: ssl troubles

2006-05-22 Thread Markus




Phil Ehrens wrote:
> Markus wrote:
> > Made all the ca.key and the server.key and sign it via sign.sh everything
> > looked good so far.
> >
> > then the misery begins.
> >
> > ./configure --with apache... --with-ssl --with-mm
> > --with-crt=/var/local/certs --with -key=/var/local/private
> > --prefix=../apache_1.3.35  --enabled-shared-ssl
> >
> > Error:
> > cannot find SSL x.509 certificated file /var/local/certs
>
> It wants the path to the cert, not to the directory containing
> the cert. I wonder why they didn't use --with-cert for the
> option name?!

I put that path in, however it still doesn't work. I put it in like
this:
the certs and keys are in /usr/local/certs and /usr/local/private.
and I put in /usr/local/certs
and /usr/local/private
or do I understand something wrong, sorry but I'm a complete Unix newbie
Any other suggestions?




Re: ssl troubles

2006-05-22 Thread Phil Ehrens
Markus wrote:
> Made all the ca.key and the server.key and sign it via sign.sh everything 
> looked good so far.
> 
> then the misery begins.
> 
> ./configure --with apache... --with-ssl --with-mm 
> --with-crt=/var/local/certs --with -key=/var/local/private  
> --prefix=../apache_1.3.35  --enabled-shared-ssl
> 
> Error:
> cannot find SSL x.509 certificated file /var/local/certs

It wants the path to the cert, not to the directory containing
the cert. I wonder why they didn't use --with-cert for the
option name?!


ssl troubles

2006-05-22 Thread Markus
Made all the ca.key and the server.key and sign it via sign.sh everything 
looked good so far.


then the misery begins.

./configure --with apache... --with-ssl --with-mm 
--with-crt=/var/local/certs --with -key=/var/local/private  
--prefix=../apache_1.3.35  --enabled-shared-ssl


Error:
cannot find SSL x.509 certificated file /var/local/certs

but those buggers are there
ca.key
server.key
ca.crt
server.crt

any hint would be welcome


Jean-Pierre Guilloteau is away.

2006-05-22 Thread jpguilloteau

I will be away from 20/05/2006 to 29/05/2006.

I will reply to your message as soon as I return.
In my absence you can contact Aspaway on 01 46 67 88 88.
Regards.


