LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices



Reply
 
Search this Thread
Old 07-01-2005, 07:27 AM   #1
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Rep: Reputation: 30
OpenSSL and its wonder


Hi guys...

I am trying to install SSL as one of my website requires SSL capability.. before I get to installing Thawte trial 21-day certificate...

I understand i need to install OpenSSL first?

After which i generate the key yah? Is 1024 bit, des3 too much? was told by someone that SSL connection takes alot of overhead on the server...

what other possible encryption are there?

Cos I created the cert, but on https://domainname.com, i get pointed to Apache Test Page instead. i have set the virtual host settings with port 443 etc...

What possible problem could it be?
 
Old 07-02-2005, 07:19 PM   #2
nevarlen
Member
 
Registered: Feb 2005
Distribution: Debian 3.x & Fedora Core 3, Debie on IBM Thinkpad
Posts: 68

Rep: Reputation: 15
Is 1024 too much, the answer is depends on what you are using the encrypted connection for..If it is only matter of carrying few bytes over the wirem I would say it is a good choice. However, when you want to have something like transaction processing where you have huge chunks of data going accross the wire back and forth, yes you would put so much load on to that penguin of yours. Depending on your site traffic, consistency of service, and processing power, 1024 might be too much. However, you always have the option to start below 1024, test it out, if you think it can handle more, then bumb it up to 1024 des3..
As far as https directory, Apache needs to know where the document root for your virtual directory that listens port 443.
Example:
<VirtualHost xx.xx.xx.xx:443>
ServerName domain.com
ServerAlias www.domain.com
DocumentRoot /home/domain/public_html
ErrorLog /home/domain/logs/error_log
CustomLog /home/domain/logs/access_log common
ScriptAlias /cgi-bin/ /home/domain/cgi-bin/
annnddd more options............
</VirtualHost>


Document root above is where decide to server my secure pages from, you can choose whatever directory you like to..You can have the same port 80 root as well, /var/www/html as an example...

Last edited by nevarlen; 07-02-2005 at 10:20 PM.
 
Old 07-04-2005, 06:22 AM   #3
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Original Poster
Rep: Reputation: 30
This is what I configure for my virtual host
Quote:
<IfDefine HAVE_SSL>
<VirtualHost xxx.xx.xxx.20:443>
ServerAdmin admin@domainname.com
DocumentRoot /home/user/www/wwwroot
ServerName www2.domainname.com
ServerAlias www4.domainname.com
ErrorDocument 402 /core/error400.php
ErrorDocument 403 /core/error400.php
ErrorDocument 404 /core/error400.php
ErrorDocument 500 /core/error400.php
CustomLog /var/log/httpd/domainname.com.access_log common
ErrorLog /var/log/httpd/domainname.com.error_log
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/www2.domainname.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www2.domainname.com.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
</IfDefine>

<VirtualHost *:80>
ServerAdmin admin@domainname.com
DocumentRoot /home/user/www/wwwroot
ServerName www2.domainname.com
ServerAlias www4.domainname.com
ErrorDocument 402 /core/error400.php
ErrorDocument 403 /core/error400.php
ErrorDocument 404 /core/error400.php
ErrorDocument 500 /core/error400.php
CustomLog /var/log/httpd/domainname.com.access_log common
ErrorLog /var/log/httpd/domainname.com.error_log
</VirtualHost>
I am using Thawte's 21 days free trial of their certificate so accertain before purchasing..
I've installed openssl.

The reason why its www2 its because its our staging server before it hits production server.. so some kind of test bed...

Through the process of creating the cert, I specify the necessary information and generated the CSR, and using it I requested the cert from thawte.

1st point of suspicion
I cut and paste the cert info given to me in www2.domainname.crt. But I suspect that there maybe something wrong with it as when I tried to do a "openssl req -text -noout -in www2.domainname.com.crt"

It prompted me

unable to load X509 request
20083:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE REQUEST

Sounds like an invalid cert?

What I did was just copy the key with the begin/end tag given by thawte and paste through vim. Valid?


WHen I go to https://www2.domainname.com, I get shown the Apache Test page...

2nd point of suspicion

I get told the cert is not trusted.. which is expected but when I look at the cert details.. its all root@localhost.localdomain... seems like the cert is not recognise? Link to first suspicion?
cos i have entered the proper information while creating the cert...

what could I have miss.. or done wrong? Lost... :(

thanks

Last edited by Swakoo; 07-04-2005 at 10:21 PM.
 
Old 07-05-2005, 02:10 AM   #4
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Original Poster
Rep: Reputation: 30
anyone....?
 
Old 07-05-2005, 06:46 PM   #5
nevarlen
Member
 
Registered: Feb 2005
Distribution: Debian 3.x & Fedora Core 3, Debie on IBM Thinkpad
Posts: 68

Rep: Reputation: 15
1st point of suspicion is correct, apparently ssl does not like the certificate. Therefore it can not request it properly.
2nd point of suspicion is somewhat odd coz I would think that thawte would issue a valid certificate to your domain name, not to localhost..Again, I never dealt with thawte certs, so I am maybe mistaken..

I am wondering if you ever had a ssl working before using thawte's certificate? I believe you haven't since you just installed openssl..

When you navigate to your https://blah.blah.com directory, you said that you get apache test page, which means that ssl is working(otherwise, you would get blank or some other errors). However it is not pulling the content from the directory you specified in your virtual directory entry.
Read you ssl.log to pin point exactly your doc root is for port 443.
Try to find out if your distribution creates a seperate .conf file that is relevant to ssl engine. This maybe in ssl folder some where in your /path/to/http. If so, make the appropriate changes.


Lastly, you mentioned that cert was issued by localhost. You can change this if you use the following method to create certificates. Just make sure to use your domainname in credentials. Since you said this is only for testing purposes why not get it working first and then get it certified by thawted or whatever you chose..
---------------------------------------------------------------------------
openssl genrsa -des3 4096 >/path/to/httpd/conf/ssl.key/servername.key
---------------------------------------------------------------------------
USE-A-PASSPHRASE
---------------------------------------------------------------------------
openssl req -new -x509 -key /path/to/httpd/conf/ssl.key/servername.key -out /etc/httpd/conf/ssl.crt/servername.crt -days 365 -utf8

---------------------------------------------------------------------------

/usr/local/ssl/bin/openssl rsa -in /path/to/httpd/conf/ssl.key/servername.key.cryp -out /path/to/httpd/conf/ssl.key/server.key

---------------------------------------------------------------------------
chmod 400 /path/to/httpd/conf/ssl.key/server.key
---------------------------------------------------------------------------
 
Old 07-06-2005, 06:32 AM   #6
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Original Poster
Rep: Reputation: 30
I can't find a "ssl.log". Where is it suppose to be.. or what other log possible?

I took a look at ssl.conf in /etc/httpd/conf.d/, I realise that there are 2 lines that states

Quote:
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www2.domainname.com.key
#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
Quote:
#SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateFile /etc/httpd/conf/ssl.crt/www2.domainname.com.crt
Those commented # are the default ones. I added in the other lines myself to point straight to the cert/key I have created. Is it correct?

Then I added DocumentRoot /home/user/....
Which I usually add to virtual host..

by doing these.. it worked.. pages shown... so am I doing the correct things? It feels like I am pointing ssl.conf to use my only cert i have created rather than the default one.. but what if I have multiple SSL certs there instead for the few domains i have?


Also, as I have a passphrase.. when I restart httpd, after I did the above changes, it now starts to ask me for passphrase (which is why i think what i did is correct.. but need confirmation)..

I followed an online instructions and found the following instructions to turn my key into one thats without a need for passphrase..

Quote:
[bash]# mv private.key private.key.withpassphrase
[bash]# openssl rsa -in private.key.withpassphrase -out private.key
[bash]# chmod 0400 private.key
What does the above do? When I generate my key, i used "openssl genrsa", so what's the diff here? Does it generate the same key out of the key with passphrase? Which is the extension that determines no need passphrase?

So if i want to reuse passphrase... i just revert the file? If so.. whats the best recommended way to automate it when httpd restarts? I understand httpd restarts everyday to clear orphan files and log.... but yet not compromise security (like putting passphrase in a script in clear text)?

Is there a need to put cert and key to /etc/httpd/conf/ssl.key ? or base on where i specify in ssl.conf?

How do I restart httpd with SSL in mind? I read in one place, that I should restart using "apachectl sslrestart" or something, but heard from friends that I should stick to using "/etc/init.d/httpd restart" as it activates a whole slew of command actually.. what you reckon?


Many thanks to those who read and contribute.. apologies for my many questions as I am really just mumbling through the dark with this....

thanks!
 
Old 07-11-2005, 11:46 PM   #7
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Original Poster
Rep: Reputation: 30
anyone??
 
Old 07-16-2005, 09:37 PM   #8
nevarlen
Member
 
Registered: Feb 2005
Distribution: Debian 3.x & Fedora Core 3, Debie on IBM Thinkpad
Posts: 68

Rep: Reputation: 15
Let's see..
You apache log may already include ssl log, I use fedora which uses a seperate log..
The way you created and configured your ssl key and cert files are correct. If you have used the default ones when a visitor examines your certificate he/she would not be convinced to feel secure by an cert that was isssued from the localhost..
As for using ssl for several domains, bear in mind that you cannot have name based virtual hosting for domains that listen port 443 (I may very well be wrong, I read an article that talked about how to setup name based virtual hosting for secure domains, did not get it to work though..). So even if you issue several certificates, I believe you can only use them for designated domains based on their IP addresses.

Also, the way you are bypassing the pwd entry for ssl is how most people do it (this includes myself too), ony thing you need to pay attention is that the file is only readable by root and make sure whoever restart httpd has access to the passphrase file. You can put this file wherever you want as long as you specify in ssl.conf file...

Since I am using apache with mod_ssl on fedora, I do not need to start ssl seperately. However, "apachectl startssl" also starts all of the needed processes (not sure about the exact difference between /etc/init.d/httpd and apachectl..)...
I hope I am shedding some lights on your questions, cheers...
 
Old 07-18-2005, 12:14 AM   #9
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by nevarlen
Let's see..
You apache log may already include ssl log, I use fedora which uses a seperate log..
The way you created and configured your ssl key and cert files are correct. If you have used the default ones when a visitor examines your certificate he/she would not be convinced to feel secure by an cert that was isssued from the localhost..
As for using ssl for several domains, bear in mind that you cannot have name based virtual hosting for domains that listen port 443 (I may very well be wrong, I read an article that talked about how to setup name based virtual hosting for secure domains, did not get it to work though..). So even if you issue several certificates, I believe you can only use them for designated domains based on their IP addresses.

Also, the way you are bypassing the pwd entry for ssl is how most people do it (this includes myself too), ony thing you need to pay attention is that the file is only readable by root and make sure whoever restart httpd has access to the passphrase file. You can put this file wherever you want as long as you specify in ssl.conf file...

Since I am using apache with mod_ssl on fedora, I do not need to start ssl seperately. However, "apachectl startssl" also starts all of the needed processes (not sure about the exact difference between /etc/init.d/httpd and apachectl..)...
I hope I am shedding some lights on your questions, cheers...
You are, you are! THANKS!

For the quoted phrase in italics, what do you mean by whoever restart httpd has access to the passphrase file? I thought by doing, what I did - bypass password prompt -, there's no need for the key with passphrase anymore? I did save it to a file domainname.com.key.withpassphrase... for backup purpose...?


by doing ....
Quote:
# openssl rsa -in private.key.withpassphrase -out private.key
what does it mean? I generated the key using genrsa 1024... not i convert using rsa...?

nevarlen; you provided some ssl command 4 posting ago.. what does those mean? I trying to find documentation to explain to mee the commands with its relevant extension but can't find... i think i am not searching right.. hence here...


I don have ssl log.. but i have under /var/log/httpd
ssl_access
ssl_error
ss_request

same?
 
Old 03-22-2006, 08:41 AM   #10
eustaquiorangel
LQ Newbie
 
Registered: Mar 2006
Location: São José do Rio Preto, SP, Brazil
Distribution: Slackware
Posts: 1

Rep: Reputation: 0
Error on the docs

Hey,Swakoo!

I was with the same kind of problem - a "unable to load X509 request". I contacted Thawte and seems that there is (was, the guy told me he will check) a problem on their docs.
When they tell us to check the .CRT file with
openssl req -text -noout -in cert.crt
the correct thing to do is
openssl x509 -text -noout -in cert.crt
and then everything runs fine.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Openssl velan Programming 1 05-16-2005 01:28 AM
OpenSSL Chiel Linux - Newbie 1 09-03-2004 05:52 PM
openssl abdullahgee Linux - Security 2 06-04-2004 02:36 PM
openSSL again ArchNGEL Linux - General 1 06-05-2003 11:03 PM
openssl sailaw Linux - General 1 01-25-2003 04:29 AM


All times are GMT -5. The time now is 12:23 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration