self-signed wild card certs and mozilla
I would like to make a self-signed wild card cert and install the cert in my browser so that I don't get any scary warnings from the browser.

I created a self-signed wild card cert as follows:

    # openssl req -new -x509 -nodes -out networkguild.org.crt \
        -keyout networkguild.org.key -days 1826 \
        -subj "/C=US/ST=MD/O=Network Guild/CN=*.networkguild.org/[EMAIL PROTECTED]/"

I then extracted the der form and stored it in a second .crt file:

    openssl x509 -inform PEM -outform DER -in networkguild.org.crt -out files/networkguild.org.crt

I then simply pointed Mozilla at this file which is here:

    http://networkguild.org/sites/networkguild.org/files/networkguild.org.crt

Mozilla dutifully offers to install the certificate without complaint. Unfortunately, when I access https://www.networkguild.org, it complains with the following error:

    Website Certified by an Unknown Authority

Although it does give me the choice of accepting forever, I shouldn't have to do this. When I click to accept here, I then get the next scary message:

    You have attempted to establish a connection with networkguild.org. However, the security certificate presented belongs to *.networkguild.org. It is possible, though unlikely, that someone may be trying to intercept your communications with this web site.

However, and this was totally unexpected, IE doesn't complain at all. It found the certificate that I installed using Mozilla.

Did I create my self-signed wild card cert properly? I must have done something partially correct for IE to accept it without warnings or errors.

Michael Grant
__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
virtual hosting and ssl
I've been playing around with apache and our virtual hosts. I am well aware that I could have different certs for each IP address if I were using IP based virtual hosting, but I'm using name based virtual hosts. I host a variety of domains which are not at all subdomains of my main domain. What I would like to do is have one cert for all my domains.

I sort of have it working with name based virtual hosting, but in some cases, I get the following warning in Internet Explorer:

    The name on the security certificate does not match the name of the site.

It appears that some web browsers, Netscape for example, support a * as a wild card in the CN. For example CN=*grant.org. There's also some talk on Microsoft's web site of some versions of IE supporting this too. Though, apparently not 5.01 running on windows 98 or me.

The cases seem to be:

1) I generate a cert with CN=grant.org. No complaints when I connect to https://grant.org. Both Netscape and IE complain if I connect to www.grant.org or any other of my domains.

2) I generate a cert with CN=*grant.org. No complaints when I connect to https://www.grant.org or https://grant.org from Netscape. IE complains that the name is incorrect. I can import the self-signed cert into both IE's and Netscape's trusted root ca list.

3) I generate a cert with CN=*. No complaints when I connect to any of my domains with Netscape, however IE complains that the name is incorrect. I can import the self-signed cert into Netscape's trusted root ca list but NOT IE's.

Can someone tell me if there is a right way to generate a cert that works with more than one site with the various different browsers out there?

Michael Grant
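A worked check of the name-matching rules behind the warnings in the two posts above (the *.networkguild.org case and the three CN cases here), as an added example that is not code from either post or from mod_ssl. It applies the strict wildcard rules browsers use today and the subjectAltName-first rule; the acme.com/perigee.com SAN values are constructed, and public-suffix checks are left out.

```python
# Added example (not code from the posts or from mod_ssl): the hostname-matching
# rules a modern client applies to a certificate, run over the CN values from the
# posts above.  Approximation: public-suffix checks ("*.com") are not implemented.


def match_name(pattern: str, hostname: str) -> bool:
    """True if one dNSName/CN pattern covers hostname (RFC 6125 as browsers apply it).

    * case-insensitive, trailing dot ignored
    * "*" must be the entire leftmost label, e.g. "*.grant.org"
    * the wildcard stands for exactly one label: "*.grant.org" covers
      "www.grant.org" but not the apex "grant.org" and not "a.b.grant.org"
    * bare "*" and partial wildcards such as "*grant.org" never match
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname or "*" in hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # wildcard only as the whole leftmost label, with at least two labels after it
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and all(h_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(hostname: str, cn: str, sans: tuple = ()) -> bool:
    """Validate hostname against a cert's CN and its dNSName subjectAltNames.

    With any SAN present a client uses the SANs and ignores the CN; the CN-only
    fallback is what the 2001-era browsers in the thread relied on.  Listing every
    domain as a SAN is how one cert covers unrelated names such as acme.com.
    """
    if sans:
        return any(match_name(san, hostname) for san in sans)
    return match_name(cn, hostname)


if __name__ == "__main__":
    # the CN cases from the posts, decided the way a strict client would
    for host, cn in [("www.networkguild.org", "*.networkguild.org"),
                     ("networkguild.org", "*.networkguild.org"),
                     ("grant.org", "grant.org"), ("www.grant.org", "grant.org"),
                     ("www.grant.org", "*grant.org"), ("www.grant.org", "*")]:
        print(f"CN={cn:<20} host={host:<22} accepted={cert_covers(host, cn)}")
    # one cert for unrelated domains: name them all as SANs (constructed values)
    print(cert_covers("perigee.com", "server.com", ("acme.com", "perigee.com")))
```

Under these rules the second Mozilla dialog in the first post is expected: *.networkguild.org covers www.networkguild.org but not the bare networkguild.org, which needs its own SAN entry.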
Re: virtual hosting and ssl
While we're on this topic...

Owen Boyle wrote on 01.03.26:

> This question comes up so often it ought to be in the .sig of the list...

, and this ends with

> Use different port numbers for different SSL hosts.

I personally don't know what the .sig would mean, but the last comment intrigues me. By using different IP ports ... might something like the following work? For example:

I have made this work, however there are drawbacks to this solution.

1) you need at least 2 certs, one for the virtual hosting server and the second one for the client (in our example, server.cert and acme.com.cert). If you used self-signed certs, the user is asked TWICE to accept the cert, one for the server.cert and secondly for the acme.com cert.

2) when you contact https://acme.com, what you end up with in the browser's location is actually https://acme.com:8443/. If someone bookmarks this and you rearrange your port numbers, they're screwed.

    # port 443: the name-based hosts share the server's own cert and only redirect
    <VirtualHost 192.168.1.1:443>
        ServerAdmin [EMAIL PROTECTED]
        ServerName acme.com
        Redirect / https://acme.com:8443/
        SSLCertificateFile /path/to/original/server.cert
        SSLCertificateKeyFile /path/to/original/server.key
    </VirtualHost>

    <VirtualHost 192.168.1.1:443>
        ServerAdmin [EMAIL PROTECTED]
        ServerName perigee.com
        Redirect / https://perigee.com:8444/
        SSLCertificateFile /path/to/original/server.cert
        SSLCertificateKeyFile /path/to/original/server.key
    </VirtualHost>

    # one port per domain: each serves its own content with its own cert
    <VirtualHost 192.168.1.1:8443>
        ServerAdmin [EMAIL PROTECTED]
        ServerName acme.com
        DocumentRoot /var/www/acme.com
        SSLCertificateFile /path/to/original/acme.com.cert
        SSLCertificateKeyFile /path/to/original/acme.com.key
    </VirtualHost>

    <VirtualHost 192.168.1.1:8444>
        ServerAdmin [EMAIL PROTECTED]
        ServerName perigee.com
        DocumentRoot /var/www/perigee.com
        SSLCertificateFile /path/to/original/perigee.com.cert
        SSLCertificateKeyFile /path/to/original/perigee.com.key
    </VirtualHost>

By the way, in putting this email together, I actually tried this on my server (with different names).
One thing I did not get working was using this in conjunction with VirtualDocumentRoot like this (replace first 2 virtual hosts above with this):

    <VirtualHost 192.168.1.1:443>
        ServerAdmin [EMAIL PROTECTED]
        ServerName server.com
        VirtualDocumentRoot /www/%0
        Redirect /www/acme.com https://acme.com:8443
        Redirect /www/perigee.com https://perigee.com:8444
        SSLCertificateFile /path/to/original/server.cert
        SSLCertificateKeyFile /path/to/original/server.key
    </VirtualHost>

I could never get this to follow the redirects.
Re: virtual hosting and ssl
> I have made this work, however there are drawbacks to this solution.

Grrr, I take it back, I can't reproduce it now. I still get the name check, "site name does not match certificate" warning before it follows the redirect.

> 1) you need at least 2 certs, one for the virtual hosting server and the second one for the client (in our example, server.cert and acme.com.cert). If you used self-signed certs, the user is asked TWICE to accept the cert, one for the server.cert and secondly for the acme.com cert.
>
> 2) when you contact https://acme.com, what you end up with in the browser's location is actually https://acme.com:8443/. If someone bookmarks this and you rearrange your port numbers, they're screwed.
>
>     <VirtualHost 192.168.1.1:443>
>         ServerAdmin [EMAIL PROTECTED]
>         ServerName acme.com
>         Redirect / https://acme.com:8443/
>         SSLCertificateFile /path/to/original/server.cert
>         SSLCertificateKeyFile /path/to/original/server.key
>     </VirtualHost>
>
>     <VirtualHost 192.168.1.1:443>
>         ServerAdmin [EMAIL PROTECTED]
>         ServerName perigee.com
>         Redirect / https://perigee.com:8444/
>         SSLCertificateFile /path/to/original/server.cert
>         SSLCertificateKeyFile /path/to/original/server.key
>     </VirtualHost>
>
>     <VirtualHost 192.168.1.1:8443>
>         ServerAdmin [EMAIL PROTECTED]
>         ServerName acme.com
>         DocumentRoot /var/www/acme.com
>         SSLCertificateFile /path/to/original/acme.com.cert
>         SSLCertificateKeyFile /path/to/original/acme.com.key
>     </VirtualHost>
>
>     <VirtualHost 192.168.1.1:8444>
>         ServerAdmin [EMAIL PROTECTED]
>         ServerName perigee.com
>         DocumentRoot /var/www/perigee.com
>         SSLCertificateFile /path/to/original/perigee.com.cert
>         SSLCertificateKeyFile /path/to/original/perigee.com.key
>     </VirtualHost>
Re: mod_ssl and name-based virtual hosts
Jeff wrote:

> What is the host name (common name) in the certificates ??? I suspect you have used *.mydomain.dom - correct ???

Hmm, I'm also using name based virtual hosting with ssl as well, but my cert isn't *.domain.dom, it's just cn=domain.dom. The virtual hosts are of the form sub1.domain.dom and sub2.domain.dom. When I first accessed the domain, my browser asked me to accept the cert, it never said anything about the domain names not matching. I do, however, get the following errors in my apache_ssl_engine_log:

    Init: (sub1.domain.dom:443) RSA server certificate CommonName (CN) `domain.dom' does NOT match server name!?

but otherwise, it doesn't seem to cause any problems except that I have this annoying floating point error...

For those who asked previously, I'm running

    % httpd -version
    Server version: Apache/1.3.20 (Unix)
    Server built:   May 24 2001 17:21:45
    % gcc --version
    2.95.3
    % uname -v
    FreeBSD 4.3-STABLE #0: Sat Apr 28 11:05:39 EDT 2001
Floating Point Errors
I'm still getting floating point errors when someone accesses my site via https://... Here's what I get in the log:

in /var/log/messages:

    /kernel: pid 47234 (httpd), uid 65530: exited on signal 8

and in the apache error log:

    child pid 47234 exit signal Floating point exception (8)

I can reproduce the problem by simply hitting the https side of apache and about half the time, this occurs. Anyone out there experience this? How can I debug such a thing? Since apache forks and reforks, I can't debug a single process. I've tried all the obvious things like reinstalling apache and mod_ssl but nothing seems to help. Perhaps I have some old libraries somewhere, but where?

Michael Grant
sigfpe error
I'm still trying to track down this sigfpe (floating point exception) I'm getting when an ssl connection tries to start. I cannot seem to make apache dump core when this happens. I've created a core directory, chowned it to the uid that apache runs as, and added CoreDumpDirectory to the conf file. Seems that the process runs unlimited (as in coresize unlimited). Is there anything else I need to do to get it to deposit a nice little (or not so little!) core file somewhere for me?

Michael Grant