Re: [users@httpd] RE: Suspicious URL:Re: [users@httpd] Problems in setting up a "HTTPS" based WebDAV server

2012-03-24 Thread Daniel Ruggeri
On 3/23/2012 11:47 PM, Ajay Garg wrote:
> I used the following command to generate the ".key" and ".crt" ::
>
> 
> openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout
> ssl.key -out ssl.crt
> 
>
>
> I will be grateful, if you could let me know the required command(s)
> to generate the "RSA Server Certificate", and the ".key" :-)

You already have both (ssl.key is your private key and ssl.crt is your
certificate file). The key becomes SSLCertificateKeyFile and the cert
becomes SSLCertificateFile in your httpd.conf. Since you generated both
at the same time, they are sure to match.

It's important to note that you now have what is called a self-signed
cert (its identity is only vouched for by itself) and practically every
client on the Internet will warn or refuse to connect to your server.
It's up to you to decide if that is a problem or not - if this is
something you will only use privately, it's probably OK.

To get past this, you need to generate a certificate signing request and
send it to a reputable CA for signing. I believe
http://www.startssl.com/ offers this service for free, but there are a few
other free ones out there.

openssl req -out ssl.csr -key ssl.key -new

(This generates ssl.csr which you can safely email to be signed)

-- 
Daniel Ruggeri


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
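
The key, certificate and CSR relationship described in the message above can be checked directly. The following is an added example, not part of the original posts: it assumes OpenSSL is installed, builds a constructed fixture with -subj "/CN=localhost", uses rsa:2048 where the thread used rsa:1024, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): do a key, a certificate and a CSR
# carry the same public key?

# SHA-256 of the DER public key found in a key, cert or CSR file.
pub_fp() {  # $1 = key|crt|csr   $2 = file
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)   return 2 ;;
    esac
    printf '%s\n' "$pem" | openssl pkey -pubin -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if the certificate (and the CSR, if given) hold the public
# half of the private key.
same_keypair() {  # $1 = key   $2 = cert   [$3 = csr]
    k=$(pub_fp key "$1") && c=$(pub_fp crt "$2") && [ "$k" = "$c" ] || return 1
    [ -z "${3:-}" ] && return 0
    r=$(pub_fp csr "$3") && [ "$k" = "$r" ]
}

# True when issuer == subject, which is what "req -x509" produces.
self_issued() {  # $1 = cert
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    [ "$s" = "$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null)" ]
}

# Constructed fixture: the thread's two commands made non-interactive with
# -subj, with rsa:2048 (assumption), plus an unrelated key for a mismatch.
make_fixture() {  # $1 = empty directory
    openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj "/CN=localhost" \
        -keyout "$1/ssl.key" -out "$1/ssl.crt" 2>/dev/null &&
    openssl req -new -key "$1/ssl.key" -subj "/CN=localhost" \
        -out "$1/ssl.csr" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

d=$(mktemp -d) && make_fixture "$d" && {
    same_keypair "$d/ssl.key" "$d/ssl.crt" "$d/ssl.csr" &&
        echo "ssl.key, ssl.crt and ssl.csr share one key pair"
    same_keypair "$d/other.key" "$d/ssl.crt" ||
        echo "other.key does not belong to ssl.crt"
    self_issued "$d/ssl.crt" && echo "ssl.crt is self-signed (issuer == subject)"
}
rm -rf "$d"
```

Only the public key is compared, so the private key never leaves the host; the CSR is the file that goes to the CA.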



Re: [users@httpd] RE: Suspicious URL:Re: [users@httpd] Problems in setting up a "HTTPS" based WebDAV server

2012-03-24 Thread Ajay Garg
Thanks a ton, Daniel.

I think, you are the first one to hit the nail on the head :-)
Thanks again; I am obliged.

Daniel, it seems that for generating certificates "class 2" identification
is required (http://www.startssl.com/?app=34)

Anyhow, since currently I am just in the development/testing phase, so what
I just need is the feature working.

Sorry if I may sound a bit too demanding, but I will be really grateful if
you could let me know the appropriate commands to generate appropriate
"SSLCertificateKeyFile" and "SSLCertificateFile", which will get the
"connection to HTTPS WebDAV" server working (just about working locally).
For production-based deployment, certificates can be generated on an
official basis by my organisation.


Thanks and Regards,
Ajay



Re: [users@httpd] RE: Suspicious URL:Re: [users@httpd] Problems in setting up a "HTTPS" based WebDAV server

2012-03-25 Thread Daniel Ruggeri
On 3/25/2012 12:52 AM, Ajay Garg wrote:
> Sorry if I may sound a bit too demanding, but I will be really
> grateful if you could let me know the appropriate commands to generate
> appropriate "SSLCertificateKeyFile" and "SSLCertificateFile", which
> will get the "connection to HTTPS WebDAV" server working (just about
> working locally). For production-based deployment, certificates can be
> generated on an official basis by my organisation.

Ajay;
   The commands you ran actually generated these files. At this point,
you will point to them inside a virtualhost:

Listen *:443
<VirtualHost *:443>
   ServerName ValueOfCommonName

   SSLEngine On
   SSLCertificateFile /path/to/ssl.crt
   SSLCertificateKeyFile /path/to/ssl.key

   #Add your WebDAV directives here
</VirtualHost>

In your production environment, you will submit the ssl.csr file for
signing and the returning file will be the ssl.crt file. You should also
get a chain file back as well. This becomes the value of
SSLCertificateChainFile and is used for clients to tie your server's
identity to a trusted authority.

-- 
Daniel Ruggeri





Re: [users@httpd] RE: Suspicious URL:Re: [users@httpd] Problems in setting up a "HTTPS" based WebDAV server

2012-03-25 Thread Sander Temme
Ajay, 

Let's table the issue of certificates, and move on to getting your server 
started.  You have a good key, and a good certificate.  The fact that you can 
run openssl s_server with it proves that.

What concerns me is that you have mod_ssl configuration language in your main 
configuration file.  When you use the Red Hat supplied httpd configuration, it 
Includes everything in /etc/httpd/conf.d. 

Among the files in this directory is ssl.conf, which contains configuration 
language for a VirtualHost on port 443.  With its own SSLCertificateFile, and 
its own SSLCertificateKeyFile.  What if those configuration options are 
interfering with yours, and you end up using a mixture of the two?  I'm 
actually not sure what would happen.  

Please try the following: 

1) Comment out your VirtualHost definition at the bottom of httpd.conf
2) Find the SSLCertificateFile and SSLCertificateKeyFile parameters in 
conf.d/ssl.conf, and substitute your key and certificate file paths.
3) Stop and start your server.  Does it start up now?  Can you connect to it 
with a browser? 

S.




-- 
scte...@apache.org    http://www.temme.net/sander/
PGP FP: FC5A 6FC6 2E25 2DFD 8007  EE23 9BB8 63B0 F51B B88A

View my availability: http://tungle.me/sctemme
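
The interference suspected in the message above (a second port-443 VirtualHost and a second mod_ssl load arriving through conf.d) can be detected by scanning the files httpd reads. This is an added example, not part of the original posts or of httpd: the function names, the fixture contents and the /path/to/... values are constructed for illustration.

```shell
#!/bin/sh
# Added example: find competing port-443 VirtualHosts and repeated mod_ssl
# loads across httpd.conf and the files it Includes.

ssl_conflicts() {  # args: every config file httpd reads
    awk '
        /^[ \t]*#/ { next }                  # commented-out lines do not count
        { d = tolower($1) }
        d == "loadmodule" && $2 == "ssl_module" {
            mods++; print "mod_ssl loaded in " FILENAME }
        d == "<virtualhost" && $0 ~ /:443[ \t>]/ {
            vh++; inside = 1; print "port-443 VirtualHost in " FILENAME; next }
        d ~ /^<\/virtualhost/ { inside = 0 }
        inside && d ~ /^sslcertificate(key)?file$/ { print "  " $1 " " $2 }
        END { if (vh > 1 || mods > 1) {
            print "CONFLICT: " (vh+0) " port-443 vhosts, " (mods+0) " mod_ssl loads"
            exit 1 } }
    ' "$@"
}

# The thread's fix for the main file: comment out its VirtualHost block and
# its mod_ssl load (prints the edited file; assumes one VirtualHost there).
strip_ssl_from_main() {  # $1 = httpd.conf
    sed -e '/^<VirtualHost/,/^<\/VirtualHost>/s/^/#/' \
        -e 's/^LoadModule ssl_module/#&/' "$1"
}

# Constructed fixture reproducing the layout described in the thread.
make_conf_fixture() {  # $1 = empty directory
    mkdir -p "$1/conf.d"
    cat > "$1/httpd.conf" <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
Include conf.d/*.conf
<VirtualHost *:443>
   SSLEngine On
   SSLCertificateFile /path/to/ssl.crt
   SSLCertificateKeyFile /path/to/ssl.key
</VirtualHost>
EOF
    cat > "$1/conf.d/ssl.conf" <<'EOF'
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost _default_:443>
   SSLEngine on
   SSLCertificateFile /path/to/distro-default.crt
   SSLCertificateKeyFile /path/to/distro-default.key
</VirtualHost>
EOF
}

d=$(mktemp -d) && make_conf_fixture "$d" && {
    ssl_conflicts "$d/httpd.conf" "$d"/conf.d/*.conf || echo "-> before the fix"
    strip_ssl_from_main "$d/httpd.conf" > "$d/httpd.fixed.conf"
    ssl_conflicts "$d/httpd.fixed.conf" "$d"/conf.d/*.conf && echo "-> after the fix"
}
rm -rf "$d"
```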






Re: [users@httpd] RE: Suspicious URL:Re: [users@httpd] Problems in setting up a "HTTPS" based WebDAV server

2012-03-25 Thread Ajay Garg
Sander,

SALUTE !!!

After performing your suggested steps 1), 2) and 3), I am able to connect
to a HTTPS-based WebDAV server, as expected.
(In other words, yes, it was in fact, "ssl.conf" interference at its worst).


Thanks, Thanks, Thanks .. (repeated infinite times :-) )


Thanks and Regards,
Ajay




Re: [users@httpd] RE: Suspicious URL:Re: [users@httpd] Problems in setting up a "HTTPS" based WebDAV server

2012-03-25 Thread Ajay Garg
Just to save anybody else's time, here are the steps I reverted/fixed, that
got the HTTPS-based WebDAV server working ::

a) removing "VirtualHost" definition altogether from "httpd.conf"

b) removing "mod_ssl" loading in "httpd.conf" (as it is already loaded via
"ssl.conf")

c) adding the "webdav" directives in "ssl.conf"


All credit to Sander.


Thanks and Regards,
Ajay
