Kevin, I have both chained and self-signed certs on various servers. The example from my workstation is a self-signed cert. Self-signed is actually less prone to error because you don't have to worry about importing the intermediate certs into the keystore database. The only other thing I know to suggest at the moment is verify you're loading the IBM ssl module and listening on port 443:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 0.0.0.0:443

Are you getting any errors in the IHS SSL logs, either at server startup or when you attempt to browse to port 443?

-John

-----Original Message-----
From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
Sent: Monday, February 18, 2013 5:04 PM
To: U2 Users List
Subject: Re: [U2] AIX 5.3 IBMIHS Web Server

John (Thompson)... This IHS Apache is definitely a cracked Apache with some odd configuration. SSL setup in particular is completely different.

John (Hester), I can see the cert in the key file (through the gsk7cmd command) but with the name api.client.com it cannot be found. I even recreated the cert as "api" (without dots) because I found a page that said that the dots could be causing problems, but still no love. It seems I've done everything correctly but still it just can't find a combination that works.

I'm wondering if the problem here is the fact that it's a self-signed cert without a chain? Are you using a self-signed cert here? Do you have other certs in your key file that may represent a chain for the self-signed cert?

Thank you gentlemen for the insight. Most appreciated.

-K

On Mon, Feb 18, 2013 at 3:09 PM, John Hester <jhes...@momtex.com> wrote:

> It sounds like you've done all you need to for basic IHS SSL
> functionality. As long as api.client.com matches the name you gave
> the certificate via ikeyman, and you have the KeyFile directive, you
> should be OK. There are a lot of other options you can add for
> optimization and browser compatibility, but I don't think leaving any
> of those out would break it outright.
> Here's my working IHS config from the development server on my Windows
> workstation for comparison:
>
> <VirtualHost *:443>
> SSLEnable
> SSLProtocolDisable SSLv2
> SSLServerCert is12.momtex.com
> <Directory "c:/IBM/HTTPServer/htdocs/html">
> Options +Includes
> AddType text/html .shtml
> AddOutputFilter INCLUDES .shtml
> </Directory>
> </VirtualHost>
> KeyFile "C:/IBM/HTTPServer/key.kdb"
> SSLDisable
>
> -John
>
> -----Original Message-----
> From: u2-users-boun...@listserver.u2ug.org
> [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King
> Sent: Saturday, February 16, 2013 4:02 PM
> To: U2 Users List
> Subject: [U2] AIX 5.3 IBMIHS Web Server
>
> Might anyone have any tips or tricks for getting SSL to work on the
> IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box? The documentation
> I've found on the web is byzantine at best and it would be fine if the
> commands actually worked, but I keep getting odd error messages and
> stalled at every turn.
>
> I've upgraded the GSK so that the server will start with SSL enabled, I
> have a virtual host configured, but I have no clue how to tie a
> specific certificate to the VirtualHost. Well, let's say I have
> clues, but nothing is working. Here's the <VirtualHost> stanza I have
> set up in httpd.conf:
>
> <VirtualHost *:443>
> SSLEnable
> SSLClientAuth None
> SSLServerCert api.client.com
> ServerName api.client.com
> DocumentRoot /usr/www
> <Directory "/usr/www">
> Order Allow,Deny
> Allow From All
> </Directory>
> ErrorLog logs/api_error.log
> CustomLog logs/api_error.log common
> </VirtualHost>
>
> I've been able to generate a CSR and create a self-signed certificate,
> and it would appear that I've even successfully imported that
> certificate into my key database, as demonstrated by this command:
>
> $ gsk7cmd -cert -details -db /usr/IBMIHS/ssl/client.kdb -label "
> api.client.com" -pw "password"
>
> ...which produces the following output...
>
> Label: api.client.com
> Key Size: 512
> Version: X509 V1
> Serial Number: 00 DB 00 41 9A 19 77 7E 9F
> Issued By: api.client.com
> CLIENT City, ST, US
> Subject: api.client.com
> CLIENT
> City, ST, US
> Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, April 17, 2032 7:06:08 PM EDT
> Fingerprint: ...
> Signature Algorithm: 1.2.840.113549.1.1.5
> Trust Status: enabled
>
> But even though this certificate is in the keyfile (and yes, I have a
> KeyFile directive elsewhere in the httpd.conf file pointing to the
> client.kdb file) I can't seem to associate it to the virtual host.
> What am I missing?
>
> (And yes, I'm aware this is not specifically a U2 question but I need
> this to provide web connectivity to a Unidata machine from a Rackspace
> hosted server. So in a way... it sorta is U2 related.)
>
> Help?
> _______________________________________________
> U2-Users mailing list
> U2-Users@listserver.u2ug.org
> http://listserver.u2ug.org/mailman/listinfo/u2-users
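
An added example, not part of the original thread or of IBM's tooling: a small Python check of an httpd.conf against the items John lists (ibm_ssl_module loaded, Listen on 443, a KeyFile directive, and an SSLServerCert label that matches a key-database label exactly). The function name, the sample config and the label list passed in by the caller are assumptions constructed for illustration.

```python
import re

# Constructed sample, modelled on the directives quoted in the thread.
SAMPLE_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 0.0.0.0:443
KeyFile "/usr/IBMIHS/ssl/client.kdb"
<VirtualHost *:443>
SSLEnable
SSLServerCert api.client.com
</VirtualHost>
"""

def lint_ihs_ssl(conf_text, kdb_labels):
    """Check httpd.conf text against the checklist from the thread.

    kdb_labels: labels exactly as stored in the key database (assumed to be
    gathered by the caller). Returns a list of finding strings.
    """
    seen = {"ibm_ssl_module loaded": False, "Listen on 443": False,
            "KeyFile set": False}
    findings, vhost = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, arg = (line.split(None, 1) + [""])[:2]
        name, arg = name.lower(), arg.strip()
        if name == "loadmodule" and arg.split()[:1] == ["ibm_ssl_module"]:
            seen["ibm_ssl_module loaded"] = True
        elif name == "listen" and re.search(r"(^|:)443$", arg):
            seen["Listen on 443"] = True
        elif name == "keyfile" and arg.strip('"'):
            seen["KeyFile set"] = True
        elif name == "<virtualhost":
            vhost = {"addr": arg.rstrip(">"), "ssl": False, "cert": None}
        elif name == "sslenable" and vhost is not None:
            vhost["ssl"] = True
        elif name == "sslservercert" and vhost is not None:
            vhost["cert"] = arg.strip('"')
        elif name == "</virtualhost>" and vhost is not None:
            cert, addr = vhost["cert"], vhost["addr"]
            if vhost["ssl"] and cert is None:
                findings.append(f"{addr}: SSLEnable but no SSLServerCert label set")
            elif vhost["ssl"] and cert not in kdb_labels:
                # Exact comparison: surface labels that differ only by case/whitespace.
                near = [lab for lab in kdb_labels if lab.strip().lower() == cert.lower()]
                hint = f" (near match {near[0]!r})" if near else ""
                findings.append(f"{addr}: label {cert!r} not in key database{hint}")
            vhost = None
    findings += [f"missing: {item}" for item, ok in seen.items() if not ok]
    return findings
```

An empty list means every item on the checklist is present and the SSLServerCert label matches a key-database label character for character.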