SSL Setup

on 18.01.2008 02:41:45 by Charles

1) I'm now working on SSL, and I'm still getting along. The first
issue I have is that I have a certificate error coming from the
certificate I created and moved. What exactly is the browser looking
at in this certificate?

2) I get a single index page (my default as defined in httpd.conf and
confirmed by httpd -S in the virtual hosting section). It's actually
an unsecured page from a [relatively] unsecured directory. I've also
looked at the ssl.conf file. I have a different documentroot in
ssl.conf. I'm using name based virtual hosting with my very own DNS A
Record IP. How does the ssl.conf file relate to, or get used by, the
httpd.conf file?

Re: SSL Setup

on 18.01.2008 19:54:26 by Kees Nuyt

On Thu, 17 Jan 2008 17:41:45 -0800 (PST), Charles
wrote:

>1) I'm now working on SSL, and I'm still getting along. The first
>issue I have is that I have a certificate error coming from the
>certificate I created and moved.

What is the error?

> What exactly is the browser looking
>at in this certificate?
>
>2) I get a single index page (my default as defined in httpd.conf and
>confirmed by httpd -S in the virtual hosting section). It's actually
>an unsecured page from a [relatively] unsecured directory.

ssl does nothing to protect a site, it only encrypts
requests and responses.

>I've also
>looked at the ssl.conf file. I have a different documentroot in
>ssl.conf. I'm using name based virtual hosting with my very own DNS A
>Record IP. How does the ssl.conf file relate to, or get used by, the
>httpd.conf file?

ssl.conf has to be included in httpd.conf with an include
statement. Of course the ssl modules have to be loaded.

The httpd (or apache) program has a command line option to
list all loaded modules, and another one to list built-in
modules. Use them to verify if SSL is loaded.

Search this group in Google groups, there has been a lot
of talking about SSL in the past.

HTH
--
( Kees
)
c[_] People must not do things for fun. We are not here
for fun. There is no reference to fun in any Act
of Parliament. (#316)

Re: SSL Setup

on 19.01.2008 03:12:58 by Charles

On Jan 18, 11:54 am, Kees Nuyt wrote:
> On Thu, 17 Jan 2008 17:41:45 -0800 (PST), Charles
>
> wrote:
> >1) I'm now working on SSL, and I'm still getting along. The first
> >issue I have is that I have a certificate error coming from the
> >certificate I created and moved.
>
> What is the error?

The security certificate presented by this website was issued for a
different website's address.

>
> > What exactly is the browser looking
> >at in this certificate?
>
> >2) I get a single index page (my default as defined in httpd.conf and
> >confirmed by httpd -S in the virtual hosting section). It's actually
> >an unsecured page from a [relatively] unsecured directory.
>
> ssl does nothing to protect a site, it only encrypts
> requests and responses.

I understand, kind of. At the moment, for my test domain, I have one
DocumentRoot for nonsecure (specified in httpd.conf), and one for
secure (specified in ssl.conf), like:

c:\apache\www\domain.tld <-------folder to serve unsecure pages
Found in httpd.conf
c:\apache\www\domain.tld\SSL <------Site to serve secure pages,
store certificates, etc. Put into ssl.conf

In looking at ssl.conf, I noted that there are *different*
DocumentRoot directives than in httpd.conf. I thought that indicated
that one should organize one's site along those lines. Is this not
correct, or not necessary, or....?

>
> >I've also
> >looked at the ssl.conf file. I have a different documentroot in
> >ssl.conf. I'm using name based virtual hosting with my very own DNS A
> >Record IP. How does the ssl.conf file relate to, or get used by, the
> >httpd.conf file?
>
> ssl.conf has to be included in httpd.conf with an include
> statement. Of course the ssl modules have to be loaded.

And I've removed the commenting to cause it to be included.

Is the line specifying mod_ssl be loaded to be found in the
httpd.conf, or in ssl.conf?

> The httpd (or apache) program has a command line option to
> list all loaded modules, and another one to list built-in
> modules. Use them to verify if SSL is loaded.

It does not appear, but I shall double check when I am not so tired.
The URL of "https://localhost/" *does* return first a certificate
error, then a page, still using https. It returns my default page in
my first VirtualHost directive from httpd.conf, not my test domain's
page. I'm assuming such a response establishes that mod_ssl is
loaded.


>
> Search this group in Google groups, there has been a lot
> of talking about SSL in the past.

Google has been my friend for many years, back before it borged
Dejanews.

Re: SSL Setup

on 19.01.2008 08:44:39 by unknown

Post removed (X-No-Archive: yes)

Re: SSL Setup

on 19.01.2008 12:51:27 by Charles

On Jan 19, 12:44 am, Davide Bianchi
wrote:
> On 2008-01-19, Charles wrote:
>
> >> What is the error?
>
> > The security certificate presented by this website was issued for a
> > different website's address.
>
> That's normal, when you use multiple certificates or the example
> 'snake oil' one provided with the distribution.

I'm using a certificate that I created and moved after the
distribution was installed. That's why the question of "what is
being examined in the certificate?"

The bundle I have appears to be evolving towards a web hosting
configuration, and I'd like to standardize the addition of virtual
http and https capability.

> > In looking at ssl.conf, I noted that there are *different*
> > DocumentRoot directives than in httpd.conf. I thought that indicated
> > that one should organize one's site along those lines. Is this not
> > correct, or not necessary, or....?
>
> Usually the 'secure' site is different from the 'insecure' one, and
> the server uses two different ports (80 and 443) to talk plain http
> and https, so in fact is like you have two servers running in
> parallel and having two different configurations. Nothing stops you to
> have both configured the same way (apart from the ssl bits) and so
> presenting the same data both in http and https.

Except I am usually possessed by the demon of organization and
structure.

On a serious note, the site is evolving towards a routine ability to
offer SSL capability whether it be for personal or domain use. I
think I've already cracked how to differentiate between personal
(~user) and domain application. I think I should stay structured
until I get to that point, and leave it structured after that point
for ease of troubleshooting.

> > Is the line specifying mod_ssl be loaded to be found in the
> > httpd.conf, or in ssl.conf?
>
> It depends what you like. I prefer to keep the plain http bits
> separated from https, so in case I simply rename the ssl.conf file
> and everything is stopped. "old" configuration style is to simply
> put everything in httpd.conf.

I prefer organized until I understand what is happening, why, and how
to control it.

I usually leave things organized after that because it's easier to
troubleshoot.

> > It does not appear, but I shall double check when I am not so tired.
> > The URL of "https://localhost/" *does* return first a certificate
>
> Then ssl is loaded, otherwise it wouldn't even respond.

Cool. Then I have lots to learn, and the bundle will be good for
that.

Re: SSL Setup

on 19.01.2008 15:50:02 by unknown

Post removed (X-No-Archive: yes)

Re: SSL Setup

on 19.01.2008 21:06:06 by Charles

On Jan 19, 7:50 am, Davide Bianchi
wrote:
> On 2008-01-19, Charles wrote:
>
> >> > The security certificate presented by this website was issued for a
> >> > different website's address.
>
> > I'm using a certificate that I created and moved after the
> > distribution was installed. That's why the question of "what is
> > being examined in the certificate?"
>
> The Common Name (cn) should match the hostname your https server
> responds to.

Silly me. I followed instructions and named it "charles" because
that's what the prompts suggested.


Two last questions, and I'm fine.

The certificate matches the server, not any of the virtual domains,
correct?

Does it extend SSL services to all domains being hosted on that
server?
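
The name check discussed in this exchange (the hostname in the URL compared with the names inside the certificate), as an added example that is not part of any poster's message. The certificate dictionaries follow the layout returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and all sample values are constructed for illustration, and the subjectAltName-first rule reflects current client behaviour rather than anything stated in the thread.

```python
# Added example: why a certificate named "charles" fails for https://localhost/.
# Cert dicts mimic ssl.SSLSocket.getpeercert(); every sample value is constructed.

def cert_names(cert):
    """Return (san_dns_names, common_names) from a getpeercert()-style dict."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn
           if k == "commonName"]
    return sans, cns

def name_matches(pattern, host):
    """Case-insensitive compare; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]     # "*.domain.tld" covers "www.domain.tld"
    return p == h

def check_hostname(cert, host):
    """Return (ok, names_checked). SAN DNS entries are used when present;
    the Common Name is only a legacy fallback when there is no SAN."""
    sans, cns = cert_names(cert)
    candidates = sans if sans else cns
    return any(name_matches(n, host) for n in candidates), candidates

# Constructed sample certificates
CERT_CHARLES = {"subject": ((("commonName", "charles"),),)}
CERT_DOMAIN = {"subject": ((("commonName", "www.domain.tld"),),)}
CERT_SAN = {"subject": ((("commonName", "charles"),),),
            "subjectAltName": (("DNS", "domain.tld"), ("DNS", "*.domain.tld"))}

if __name__ == "__main__":
    cases = [("CN=charles", CERT_CHARLES, "localhost"),
             ("CN=www.domain.tld", CERT_DOMAIN, "www.domain.tld"),
             ("SAN list", CERT_SAN, "www.domain.tld"),
             ("SAN list", CERT_SAN, "charles")]
    for label, cert, host in cases:
        ok, names = check_hostname(cert, host)
        verdict = "match" if ok else "MISMATCH (issued for a different address)"
        print(f"{label:18} requested={host:16} checked={names} -> {verdict}")
```
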

Re: SSL Setup

on 19.01.2008 21:18:16 by unknown

Post removed (X-No-Archive: yes)

Re: SSL Setup

on 21.01.2008 06:37:54 by Norman Peelman

Charles wrote:
> 1) I'm now working on SSL, and I'm still getting along. The first
> issue I have is that I have a certificate error coming from the
> certificate I created and moved. What exactly is the browser looking
> at in this certificate?
>
> 2) I get a single index page (my default as defined in httpd.conf and
> confirmed by httpd -S in the virtual hosting section). It's actually
> an unsecured page from a [relatively] unsecured directory. I've also
> looked at the ssl.conf file. I have a different documentroot in
> ssl.conf. I'm using name based virtual hosting with my very own DNS A
> Record IP. How does the ssl.conf file relate to, or get used by, the
> httpd.conf file?

Charles,

It's my understanding that you cannot mix SSL with name-based virtual
hosts. That's the reason it keeps giving you the index page from the
first VH. You may be better off running a second Apache process on the
SSL port (unless you can go IP based virtual hosts). I do not have SSL
set up in my system so I don't have any other info on this.

--
Norman
Registered Linux user #461062