Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Yehuda Katz 
I have always had issues with OpenSSL on Windows, so I gave up and started
using xca (https://hohnstaedt.de/xca/). I created a root certificate that I
imported into the Windows trust store and I create new certificates for
each website in my dev environment.

- Y

On Tue, Apr 16, 2024 at 9:26 PM General Email <
general.email.12341...@gmail.com> wrote:

>
> This is also not relevant to what I am stating. If you develop, do it
>> regardless of http/https that is convenient for everyone. It will be to
>> your own benefit. If you have to host the application on your own server,
>> so be it. It will be easier with choosing your https solution. You could
>> already be developing it now, and later you can check how to use openssl.
>> Last thing you want, is an application that forces https or http.
>>
>
>
> http is an insecure protocol. I don't want my website to run on http. So,
> I am hardcoding https in links in my website that refer to pages in my
> website.
>
> Now, I know that you will write why not redirect http to https by default.
> The problem with this is that if the website gets migrated to different
> provider and if people forget to redirect http to https in new setup then
> it will become a security problem.
>
> Hardcoding https solves all issues.
>
>
>

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread General Email 
> This is also not relevant to what I am stating. If you develop, do it
> regardless of http/https that is convenient for everyone. It will be to
> your own benefit. If you have to host the application on your own server,
> so be it. It will be easier with choosing your https solution. You could
> already be developing it now, and later you can check how to use openssl.
> Last thing you want, is an application that forces https or http.
>


http is an insecure protocol. I don't want my website to run on http. So, I
am hardcoding https in links in my website that refer to pages in my
website.

Now, I know that you will write why not redirect http to https by default.
The problem with this is that if the website gets migrated to different
provider and if people forget to redirect http to https in new setup then
it will become a security problem.

Hardcoding https solves all issues.

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc 
> 
> On Tuesday 16 April 2024 at 18:42:09, Marc wrote:
> 
> > This is more about the ability to host an application regardless if it
> is
> > on http or https. How https is enforced/applied is up to the manager of
> > the server, why would you even care as a developer of an application?
> 
> I often develop applications on servers which I manage.

How is this relevant?

> Please stop trying to enforce your opinion of the demarcation between
> disciplines on other people.
> 
> Not every developer is only a developer.
> 

This is also not relevant to what I am stating. If you develop, do it 
regardless of http/https that is convenient for everyone. It will be to your 
own benefit. If you have to host the application on your own server, so be it. 
It will be easier with choosing your https solution. You could already be 
developing it now, and later you can check how to use openssl. Last thing you 
want, is an application that forces https or http.

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Antony Stone 
On Tuesday 16 April 2024 at 18:57:13, Marc wrote:

> 15 years ago people were not writing about gays.
>
> Maybe it takes another 15 years to be allowed to write about idiots.

Don't be silly.

Gay people identify themselves as gay, and talking about them as such is not a 
pejorative term.

If you can find someone who identifies themselves as an idiot, then perhaps 
you're allowed to refer to them as such, but if it's just your own opinion 
that they're an idiot, you're being anti-social and unpleasant.

I think all Frank was trying to say was "please let's keep to the technical 
support of people who are trying to use Apache, and stop throwing insults at 
them, because it's not constructive to the conversation".


Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc 
>   >
>   >   But should your development be not protocol independent? If
> your
>   > code works on http it should also work on https. I am getting
> sick of
>   > these wordpress idiots where they still have hardcoded links
> everywhere
>   > and I can't even convert a website from http to https.
>   >
>   >
>   >
>   > Are you saying that I am a wordpress idiot?
>   >
> 
>   No :) Development/management team of wordpress are idiots. They are
> still advising people incorrectly to upgrade eg while distributions are
> backporting security stuff. A developer should just do developing. A
> dentist is also not telling an ophthalmologist what to do. Why do you
> care if you are using http or https? Unless you are developing something
> specific to the https protocol (eg. sni) forget about it.
> 
> 
> 
> Marc, let's try to be friendly towards users and adopt a more neutral
> tone.  New users have questions, and it's normal. Calling folks "idiots"
> isn't helping here.
> 

And I am trying so hard to be part of the woke movement. 15 years ago people 
were not writing about gays. Maybe it takes another 15 years to be allowed to 
write about idiots. They already are officially mentioned in the dictionary. ;)


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Antony Stone 
On Tuesday 16 April 2024 at 18:42:09, Marc wrote:

> This is more about the ability to host an application regardless if it is
> on http or https. How https is enforced/applied is up to the manager of
> the server, why would you even care as a developer of an application?

I often develop applications on servers which I manage.

Please stop trying to enforce your opinion of the demarcation between 
disciplines on other people.

Not every developer is only a developer.


Antony.

-- 
"Can you keep a secret?"
"Well, I shouldn't really tell you this, but... no."


   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc 
> 
> Pardon me- have 443 redirect to 80 of the environment variable is true.
> Alternatively, have a completely different 443 vhost declared for
> development purposes
> 
> On Tue, Apr 16, 2024 at 11:30 AM Will Fatherley   > wrote:
> 
> 
> 
>   But should your development be not protocol independent? If
> your code works on http it should also work on https. I am getting sick
> of these wordpress idiots where they still have hardcoded links
> everywhere and I can't even convert a website from http to https.
> 
> 
>   TLS is not in the application layer as HTTP is, so it’s just a
> complication that has to be managed in development. I don’t know how
> Wordpress works, but there are solutions beyond its configuration.

You are writting it is not application layer and then write it needs to be 
addressed in development?

>   For example, if you just need to verify your HTTP-based application
> functions as desired, but there is commingling of HTTPS and HTTP in
> application HREFs then use the `if` directive with a development-only
> environment variable in your virtual hosts. If the client follows a HTTPS
> link that isn’t going to work for keying material reasons, have the 443
> virtual host redirect to 80 if the development variable in the
> development environment
> 

This is more about the ability to host an application regardless if it is on 
http or https. How https is enforced/applied is up to the manager of the 
server, why would you even care as a developer of an application?

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Will Fatherley 
Pardon me- have 443 redirect to 80 of the environment variable is true.
Alternatively, have a completely different 443 vhost declared for
development purposes

On Tue, Apr 16, 2024 at 11:30 AM Will Fatherley 
wrote:

>
> But should your development be not protocol independent? If your code
>> works on http it should also work on https. I am getting sick of these
>> wordpress idiots where they still have hardcoded links everywhere and I
>> can't even convert a website from http to https.
>>
> TLS is not in the application layer as HTTP is, so it’s just a
> complication that has to be managed in development. I don’t know how
> Wordpress works, but there are solutions beyond its configuration.
>
> For example, if you just need to verify your HTTP-based application
> functions as desired, but there is commingling of HTTPS and HTTP in
> application HREFs then use the `if` directive with a development-only
> environment variable in your virtual hosts. If the client follows a HTTPS
> link that isn’t going to work for keying material reasons, have the 443
> virtual host redirect to 80 if the development variable in the development
> environment
>

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Will Fatherley 
> But should your development be not protocol independent? If your code
> works on http it should also work on https. I am getting sick of these
> wordpress idiots where they still have hardcoded links everywhere and I
> can't even convert a website from http to https.
>
TLS is not in the application layer as HTTP is, so it’s just a complication
that has to be managed in development. I don’t know how Wordpress works,
but there are solutions beyond its configuration.

For example, if you just need to verify your HTTP-based application
functions as desired, but there is commingling of HTTPS and HTTP in
application HREFs then use the `if` directive with a development-only
environment variable in your virtual hosts. If the client follows a HTTPS
link that isn’t going to work for keying material reasons, have the 443
virtual host redirect to 80 if the development variable in the development
environment

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Frank Gingras 
On Tue, Apr 16, 2024 at 11:11 AM Marc  wrote:

> >
> >
> >   But should your development be not protocol independent? If your
> > code works on http it should also work on https. I am getting sick of
> > these wordpress idiots where they still have hardcoded links everywhere
> > and I can't even convert a website from http to https.
> >
> >
> >
> > Are you saying that I am a wordpress idiot?
> >
>
> No :) Development/management team of wordpress are idiots. They are still
> advising people incorrectly to upgrade eg while distributions are
> backporting security stuff. A developer should just do developing. A
> dentist is also not telling an ophthalmologist what to do. Why do you care
> if you are using http or https? Unless you are developing something
> specific to the https protocol (eg. sni) forget about it.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org


Marc, let's try to be friendly towards users and adopt a more neutral
tone.  New users have questions, and it's normal. Calling folks "idiots"
isn't helping here.

Thanks.

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Antony Stone 
On Tuesday 16 April 2024 at 16:07:09, Marc wrote:

> A developer should just do developing.

Some people, especially in smaller organisations, have to be multi-skilled.

> A dentist is also not telling an ophthalmologist what to do.

No, but a dentist might have some valuable advice on diet.


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.

   Please reply to the list;
 please *don't* CC me.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc 
> 
> 
>   But should your development be not protocol independent? If your
> code works on http it should also work on https. I am getting sick of
> these wordpress idiots where they still have hardcoded links everywhere
> and I can't even convert a website from http to https.
> 
> 
> 
> Are you saying that I am a wordpress idiot?
> 

No :) Development/management team of wordpress are idiots. They are still 
advising people incorrectly to upgrade eg while distributions are backporting 
security stuff. A developer should just do developing. A dentist is also not 
telling an ophthalmologist what to do. Why do you care if you are using http or 
https? Unless you are developing something specific to the https protocol (eg. 
sni) forget about it.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread General Email 
>
> Here’s a possible SO question that might help you:
>
> https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl
>

Thanks Will. I will look look into it.

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread General Email 
> But should your development be not protocol independent? If your code
> works on http it should also work on https. I am getting sick of these
> wordpress idiots where they still have hardcoded links everywhere and I
> can't even convert a website from http to https.
>

Are you saying that I am a wordpress idiot?

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Will Fatherley 
> Can someone please give me exact openssl command(s) to use.
>

Command parameters can vary, and encryption technology is regulated by
national laws. You should consult with your IT security staff on this
matter if possible.

What you are probably looking for is “how to self-sign my TLS public key”.
Here’s a basic sketch of what this looks like in production:

You as subject have generated for your server a public/private key-pair
already with, eg, openssl. Now you need a certificate authority, ca, to
sign the public key, rendering your public key certificate. This is
achieved by creating a certificate signature request or csr with, eg,
openssl, and giving it to ca. Then ca may render the certificate to you for
you to distribute how you like. These steps can be achieved by you acting
both as subject and ca, by self-signing.

Here’s a possible SO question that might help you:
https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl

>

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc 
> 
> Windows is my development environment. Later the website will be hosted
> on linux and the linux hosting provider will provide SSL certificate.
> 

But should your development be not protocol independent? If your code works on 
http it should also work on https. I am getting sick of these wordpress idiots 
where they still have hardcoded links everywhere and I can't even convert a 
website from http to https.

Re: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread General Email 
> I think you need to search for setting up your own CA and sign certs.


Windows is my development environment. Later the website will be hosted on
linux and the linux hosting provider will provide SSL certificate.

I had looked at
https://stackoverflow.com/questions/4221874/how-do-i-allow-https-for-apache-on-localhost

But it looks like many answers on this page are obsolete now.


I don't think openssl commands are any differnt on windows.


Yeah, they are not. But I don't know what all arguments to give to openssl.

Maybe easier to get an existing cert and use that, and just ignore the
> warning?
> Maybe there are even easier to use tools on windows that do this all for
>

I actually want to use openssl. openssl.exe comes with apache 2.4
distribution.

RE: [users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread Marc 
> 
> I was looking for openssl command(s) to generate server side certificate
> and key so that https start working on my apache 2.4 web server on
> windows.
> 
> I looked on Internet but found few commands but they all used different
> arguments to openssl.
> 
> Can someone please give me exact openssl command(s) to use.
> 
> I will appreciate it.

I think you need to search for setting up your own CA and sign certs. I don't 
think openssl commands are any differnt on windows. Maybe easier to get an 
existing cert and use that, and just ignore the warning?
Maybe there are even easier to use tools on windows that do this all for you? 
Microsoft certool?


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] openssl comand(s) for https mode on apache 2.4 on windows.

2024-04-16 Thread General Email 
Hi,

I was looking for openssl command(s) to generate server side certificate
and key so that https start working on my apache 2.4 web server on windows.

I looked on Internet but found few commands but they all used different
arguments to openssl.

Can someone please give me exact openssl command(s) to use.

I will appreciate it.

Regards,
GE

Re: [users@httpd] better configtest

2024-04-16 Thread Eric Covener 
On Tue, Apr 16, 2024 at 4:42 AM Marc  wrote:
>
>
> With the forced upon us 90 day certificate renewal crap, my httpd was down 
> today although I have a 'restart procedure' that verifies a bit for errors 
> with apachectl configtest.
>
> 1.
> what is the point of having a apachectl configtest, when a restart can still 
> fail? It can't be to difficult to include cert checks here, can it? This is 
> now becoming a significant part.

The bar is useful, not perfect.  configtest checks for _syntax_ validity.

> 2.
> AH00016: Configuration Failed
> AH00016: Configuration Failed
> AH00016: Configuration Failed
> AH00016: Configuration Failed
> AH00016: Configuration Failed
> AH00016: Configuration Failed
> AH00016: Configuration Failed
>
> This is useless, why not list config line or cert name?

This error means post-configuration failed. This is when the collected
config is acted upon, which is not really within line-by-line mode.
Normally there's a preceding error message with more details, maybe in
a vhost-specific error log?

-- 
Eric Covener
cove...@gmail.com

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] better configtest

2024-04-16 Thread Xavier Belanger 
Hi,

Marc  wrote:

> With the forced upon us 90 day certificate renewal crap, my httpd
> was down today although I have a 'restart procedure' that verifies
> a bit for errors with apachectl configtest.

Regardless of the certificate duration I would recommend to use
some monitoring tool to check on the status of the web service and
get an alert when the certificate is close from its expiration date.

I personally use Monit [1], but there is probably plenty of other
tools that could fullfill the same purpose.

Sincerely,

1: https://mmonit.com/monit/
-- 
Xavier Belanger

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] better configtest

2024-04-16 Thread Marc 

With the forced upon us 90 day certificate renewal crap, my httpd was down 
today although I have a 'restart procedure' that verifies a bit for errors with 
apachectl configtest.

1. 
what is the point of having a apachectl configtest, when a restart can still 
fail? It can't be to difficult to include cert checks here, can it? This is now 
becoming a significant part.

2.
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed
AH00016: Configuration Failed

This is useless, why not list config line or cert name?