Firebug displays the following error when viewing my site:
Quote:
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.
My approach to generate self-signed SSL keys is shown below. I didn't think I was using SHA-1, but thought I was using SHA-256.
What should I do to eliminate this warning?
Thank you
Code:
# generate mysite.com's RSA keypair with 3072 bits and encrypt it
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -aes-128-cbc -out mysite_key.pem
# generate a certificate signing request. Used FQDN of server (i.e. mysite.com). Use email with dot to prevent spam. Didn't include an "extra" password
openssl req -new -key mysite_key.pem -sha256 -days 365 -out mysite_csr.pem
# Remove pass-phrase from the key
cp mysite_key.pem mysite_key.pem.tmp
openssl rsa -in mysite_key.pem.tmp -out mysite_key.pem
rm -f mysite_key.pem.tmp
# sign the certificate with the key itself. Skip this step if using a CA
openssl x509 -req -in mysite_csr.pem -signkey mysite_key.pem -sha256 -days 365 -out mysite_crt.pem
# Copy the files to the correct locations (don't move since it will cause problems with selinux). Be sure to keep at read only by root
cp mysite_key.pem /etc/pki/tls/private/mysite_key.pem
cp mysite_csr.pem /etc/pki/tls/private/mysite_csr.pem
cp mysite_crt.pem /etc/pki/tls/certs/mysite_crt.pem
rm -f mysite_key.pem
rm -f mysite_csr.pem
rm -f mysite_crt.pem
# update /etc/httpd/conf.d/ssl.conf as follows:
# SSLCertificateFile /etc/pki/tls/certs/mysite_crt.pem
# SSLCertificateKeyFile /etc/pki/tls/private/mysite_key.pem
/etc/init.d/httpd restart
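One way to confirm which hash a certificate is actually signed with, and to fetch what a server really presents (an added example, not part of the original thread; the helper function names, `mysite.example` and the temporary file names are assumptions):

```shell
#!/bin/sh
# Added example: check which signature hash a certificate really uses.

# Print the signature algorithm of a PEM certificate file.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Print the SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Save the leaf certificate a live server presents (needs network access).
# Usage: fetch_served_cert mysite.com 443 served.pem
fetch_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$3"
}

# Succeed (exit 0) when the algorithm name uses a deprecated hash.
is_weak_sig() {
    case "$1" in
        sha1*|md5*|*SHA1) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: throwaway self-signed certificate made with -sha256,
# mirroring the signing step in the post. Prints its signature algorithm.
demo_sig_alg() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=mysite.example" \
        -keyout "$dir/key.pem" -out "$dir/crt.pem" 2>/dev/null
    cert_sig_alg "$dir/crt.pem"
    rm -rf "$dir"
}

alg=$(demo_sig_alg)
if is_weak_sig "$alg"; then
    echo "WEAK: $alg"
else
    echo "OK: $alg"
fi
```

Running `cert_fingerprint` on `/etc/pki/tls/certs/mysite_crt.pem` and on the file saved by `fetch_served_cert` shows whether httpd is presenting the certificate that was just generated; a mismatch means the server is still using a different certificate file.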
Hi Pearlseattle, I had the following in /etc/httpd/conf.d/ssl.conf, and changed it to your recommended script, but no change. Not positive, but think the problem is the certificate and not the Apache configuration.
Sorry, it was just a shot in the dark
Could you please tell me where exactly you see the warning/message in Firebug (I activated it against my site but didn't see anything, but I have a cert signed externally by godaddy)? Does the warning show up immediately after activating the Firebug lower "frame" in Firefox?
Hello again. It shows the message every time a page is loaded. If the site has any GET/POST requests, it shows it every time and I sometimes have over ten warnings on a page load. I couldn't figure out how to add an image on this forum, but included a link http://s24.postimg.org/9qe6wwk79/firebug.png.
Thanks!
Last edited by NotionCommotion; 05-17-2015 at 11:46 AM.
Thank you.
Before we start doing any too-deep testing etc..., can you also post the configuration (at least the main parts) of the vhost-apache-config-file that your site is using?
(anonymize names of files, host, etc...)
Lot of stuff! I deleted most of the comments to shorten it.