Hostname, Apache, and SSL

B1 b1smooth at yahoo.com
Sun Mar 27 10:41:00 MST 2005


I've done this many times and had no problems...Where
do your certificates live and did you disable the
passphrase verification?...email me off the list. No
one else has responded by now and probably won't lol. 

I'd do 
openssl rsa -in private.key -out signingkey.key (add
in your triple des stuff if you like)

openssl x509 -in certsignreq.csr -out selfsigned_digicert.crt -req -signkey signingkey.key -days 1825 (five years lol)

--remove passphrase verification 
mv private.key private.key.withpassphrase
"openssl rsa -in private.key.withpassphrase -out private.key"
chmod 0400 private.key

then 

"cp private.key /etc/httpd/conf/ssl.key/server.key"
"cp selfsigned_digicert.crt /etc/httpd/conf/ssl.crt/server.crt"

Restart Apache just because and that better work.
xlargebear at bellsouth.net wrote:

> Hi B
> You have no idea  how many times I've done that and
> realized I made a 
> mistake in the name. I keep doing it. Anyways, it's
> corrected. However, 
> still no secure connection to my server.
> When I try:
> openssl s_client -connect www.mydomain.com:443
> I get these lines
> verify error:num=19:self signed certificate in
> certificate chain
> verify return:0
> 
> I checked the logs in the router and from apache and
> there's no record 
> of any connection being attempted. I even tried it
> by entering the ip 
> of the linux box running the site from another
> within the network and 
> nothing. Not even an error message.
> 
> On the apache error_log file I do get this when I
> restart apache
> LDAP: Built with OpenLDAP LDAP SDK
> [notice] LDAP: SSL support unavailable
> [notice] suEXEC mechanism enabled (wrapper:
> /usr/sbin/suexec)
> [notice] Digest: generating secret for digest
> authentication ...
> [notice] Digest: done
> [notice] LDAP: Built with OpenLDAP LDAP SDK
> [notice] LDAP: SSL support unavailable
> [notice] Apache/2.0.51 (Fedora) configured --
> resuming normal operations
> 
> Thanks a lot for helping
> Froinds
> 
> On Mar 27, 2005, at 2:50 AM, B1 wrote:
> 
> > I see a syntax error...Certificate Signing Request
> > file is .csr not crs
> > openssl req -new -key www.mydomain.com.key -out
> > www.mydomain.com.crs(csr)
> >
> > See if that makes the difference...it prompts for
> CN
> > and all that jazz afterwards...could be the
> problem
> >  --- xlargebear at bellsouth.net wrote:
> >
> >> Hi B (or anyone who reads this)
> >> This is driving me nuts. My old hostname in my
> Linux
> >> box was Linux
> >> since at the time I didn't have a domain. I
> changed
> >> that and now when I
> >> do hostname I get www.mydomain.com. When I type
> >> dnshostname I get
> >> mydomain.com without www. So far so good.
> >> I went ahead and created my key:
> >> openssl genrsa -des3 -out www.mydomain.com.key
> 1024
> >> Then I created my certificate signing request:
> >> openssl req -new -key www.mydomain.com.key -out
> >> www.mydomain.com.crs
> >> when openssl asks me for my Common Name I enter
> >> www.mydomain.com
> >> After that I create my self signed certificate
> >> openssl x509 -req -days 365 -in
> www.mydomain.com.csr
> >> -signkey
> >> www.mydomain.com.key -out www.mydomain.com.crt
> >> Finally the configuration for SSL in httpd.conf
> file
> >> which is a very
> >> simple set up
> >>
> >> <VirtualHost 192.168.1.103:443>
> >> ServerName www.mydomain.com
> >> DocumentRoot /var/www/html/mydomain
> >> <Directory /var/www/html/mydomain>
> >> Options None
> >> Order allow,deny
> >> Allow from all
> >> </Directory>
> >> SSLEngine On
> >> SSLCertificateFile
> >> /etc/httpd/ssl/www.mydomain.com.crt
> >> SSLCertificateKeyFile
> >> /etc/httpd/ssl/www.mydomain.com.key
> >> </VirtualHost>
> >>
> >> When I start Apache with ssl it seems to start
> >> without a problem.
> >> However, I can not connect from inside or outside
> to
> >> it. In the
> >> ssl_error.log I get the following line:
> >> [Sat Mar 26 14:55:38 2005] [warn] RSA server
> >> certificate CommonName
> >> (CN) `Linux' does NOT match server name!?
> >> "Linux" used to be my old hostname in my machine.
> I
> >> already changed it
> >> so I don't know where apache is getting that
> >> hostname from.
> >> Without ssl apache works and has been working
> fine
> >> for months.
> >> Thanks for all your help.
> >> Froinds ( not really that large :) )
> >>
> >> On Mar 26, 2005, at 6:29 PM, B1 wrote:
> >>
> >>> If it already is working then you must have a
> >> static
> >>> ip(or a dynamic client) and you are using ns
> >> servers
> >>> from whomever you registered your domain
> through;
> >>> they are pointing your something.com to your
> >> ip...no
> >>> need to setup bind now, but if you wanted
> complete
> >>> control (as most linux freaks do) then you'd
> setup
> >>> bind but if it ain't broke then don't try to fix
> >> it
> >>>
> >>> B1
> >>>
> >>> --- xlargebear at bellsouth.net wrote:
> >>>> Thank you for your answer Mr. B1
> >>>> I'm already running my website under that
> domain
> >> and
> >>>> it works without
> >>>> setting up bind. I'm behind a linksys router
> that
> >>>> points port 80 and
> >>>> 443 to the box running apache.
> >>>> Would I still need to set bind?
> >>>> Froinds
> >>>>
> >>>>
> >>>> On Mar 25, 2005, at 2:58 PM, B1 wrote:
> >>>>
> >>>>> Well first of all Mr. Xlargebear,
> >>>>>
> >>>>> You need to edit your /etc/sysconf/network
> file
> >>>> and
> >>>>> change hostname to what you'd like it to be.
> >>>>>
> >>>>> Your second and more laborious issue may be
> >>>> setting up
> >>>>> bind and named to make your box a dns for your
> >>>> domain.
> >>>>> Just setting the hostname as something.com
> won't
> >>>> allow
> >>>>> me to point my browser to you and access your
> >>>> apache
> >>>>> homepage. If you registered a domain name then
> >> you
> >>>>> should edit your hosts file in the /etc/hosts
> >>>> location
> >>>>> and add the name there, but this will only
> point
> >>>> you
> >>>>> to your box not other computers from your
> >> intranet
> >>>> or
> >>>>> THE internet..such as typing something.com in
> >> the
> >>>>> browser on the LOCAL machine and getting your
> >>>> apache
> >>>>> homepage.
> >>>>>
> >>>>> 3rd..you really would fare better with a
> static
> >> IP
> >>>>> address and have it in your hosts file with
> your
> >>>> FQD
> >>>>> and other aliases and in your zone file and
> >>>> named.conf
> >>>>> if you want the world to have access to
> >>>>> www.something.com
> >>>>>
> >>>>> if you have gnome then as root do;
> >>>>>
> >>>>> gedit /etc/sysconf/network
> >>>>>
> >>>>>          if kde then use kedit
> >>>>>
> >>>>> save that then do:
> >>>>>
> >>>>> service network restart
> 
=== message truncated ===
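The mistake the thread keeps chasing is a certificate whose CN was taken from the old hostname, so it never matches ServerName. The script below is an added example, not any poster's commands: it generates the key, CSR and self-signed certificate non-interactively, then checks that the certificate's CN equals the intended ServerName and that the key actually belongs to the certificate before anything is copied into Apache's directory. It assumes the openssl binary is on PATH and uses the thread's www.mydomain.com as a placeholder name.

```shell
#!/bin/sh
# Added example (not from the thread): build and verify a self-signed cert.
# Assumes the openssl binary is on PATH.
set -eu

# Create key, CSR and self-signed certificate for server name $1 under dir $2.
make_selfsigned() {
    name="$1"; dir="$2"
    mkdir -p "$dir"
    umask 077    # key is written without a passphrase so Apache can start
                 # unattended; file permissions are what protect it instead
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    # -subj sets the CN explicitly, so it cannot silently inherit an old hostname
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/CN=$name" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
    chmod 0400 "$dir/$name.key"
}

# Print the certificate's CN, the value Apache compares against ServerName.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if cert $1 carries CN $2; a mismatch is what produces the
# "CommonName (CN) `Linux' does NOT match server name" warning seen above.
cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Succeed only if private key $2 belongs to cert $1 (identical public key),
# which catches a stale key copied next to a freshly generated certificate.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Constructed demo using the thread's placeholder name, in a temporary directory.
demo_dir=$(mktemp -d)
make_selfsigned www.mydomain.com "$demo_dir"
if cn_matches "$demo_dir/www.mydomain.com.crt" www.mydomain.com &&
   key_matches_cert "$demo_dir/www.mydomain.com.crt" "$demo_dir/www.mydomain.com.key"; then
    echo "CN and key check out; safe to copy into /etc/httpd/ssl"
else
    echo "certificate does not match ServerName or key; do not install" >&2
fi
```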


