Hello users :)
I try to ask a "smart" question on my problem...
I have some problem with nested subdomain and wildcard openssl
certificate.. perhaps, i don't know, this is because the subdomain type
is : site1.parisgeo.cnrs.fr, or site2.parisgeo.cnrs.fr, or other
subdomain like xxxx.parisgeo.cnrs.fr
When i create the self signed certificate, i enter CN =
*.parisgeo.cnrs.fr, but it's seems it's impossible to connect on this
site for example partage.parisgeo.cnrs.fr with this configuration ! Arg.
My virtualhost and my apache2 conf *work* with no wildcard cerficate, so
the problem is not here i think :
The port.conf
| NameVirtualHost *:443
Listen 443
|
An example virtualhost i have :
|<VirtualHost *:443>
ServerName partage.parisgeo.cnrs.fr
ServerAliaswww.partage.parisgeo.cnrs.Fr
DocumentRoot /var/www/owncloud
<Directory /var/www/owncloud>
Options -Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
SSLEngine on
SSLCertificateFile /etc/ssl/parisgeo.cnrs.fr.crt
SSLCertificateKeyFile /etc/ssl/parisgeo.cnrs.fr.key
</VirtualHost>
|
I generate my certificate like this (CN = *.parisgeo.cnrs.fr) :
|openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl req -newkey rsa:1024 -nodes -keyout parisgeo.cnrs.fr.key -out
parisgeo.cnrs.fr.csr
openssl x509 -req -days 3650 -in parisgeo.cnrs.fr.csr -CA ca.crt
-CAcreateserial -CAkey ca.key -out parisgeo.cnrs.fr.crt
|
The right for my generate key file :
|-rw-r--r-- 1 root root 1424 14 déc. 11:51 ca.crt
-rw-r--r-- 1 root root 1743 14 déc. 11:50 ca.key
-rw-r--r-- 1 root root 17 14 déc. 12:13 ca.srl
-rw-r--r-- 1 root root 981 14 déc. 12:13 parisgeo.cnrs.fr.crt
-rw-r--r-- 1 root root 627 14 déc. 12:08 parisgeo.cnrs.fr.csr
-rw-r--r-- 1 root root 891 14 déc. 12:08 parisgeo.cnrs.fr.key
|
When i try to connect and test the certificate with openssl :
|root@xxxx:/etc/ssl# openssl s_client -connect partage.parisgeo.cnrs.fr:443
CONNECTED(00000003)
depth=0 /C=FR/ST=IDF/L=PARIS/O=CNRS/CN=*.parisgeo.cnrs.fr
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=FR/ST=IDF/L=PARIS/O=CNRS/CN=*.parisgeo.cnrs.fr
verify return:1
---
Certificate chain
0 s:/C=FR/ST=IDF/L=PARIS/O=CNRS/CN=*.parisgeo.cnrs.fr
i:/C=FR/ST=IDF/L=PARIS/O=CNRS/CN=*.parisgeo.cnrs.fr
---
Server certificate
----BEGIN CERTIFICATE-----
..... blabla .....
-----BEGIN CERTIFICATE-----
subject=/C=FR/ST=IDF/L=PARIS/O=CNRS/CN=*.parisgeo.cnrs.fr
issuer=/C=FR/ST=IDF/L=PARIS/O=CNRS/CN=*.parisgeo.cnrs.fr
---
No client certificate CA names sent
---
SSL handshake has read 1253 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 7642C70A1E358CAA5901C060A26655DE3AF0BA683C9A598BA7C4B14FF108ADD7
Session-ID-ctx:
Master-Key: 65184165198498498484 6516511321584831181468469431688132138498
Key-Arg : None
Start Time: 1323862629
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
closed|
The firefox error when i try to connect to the site is :
|An error occurred during a connection to partage.parisgeo.cnrs.fr.
Peer's certificate has an invalid signature.
(Error code: sec_error_bad_signature)
|
If you have any idea to help me resolving this problem ..
Thanks a lot ! SR.
