LinuxQuestions.org


NotionCommotion 05-15-2014 08:50 AM

SSL - Remove untrusted connection warning from Apache server
 
I am adding SSL to my website, but I still have that "Untrusted connection" warning.

I first generated my own certificate as follows:

Code:

# generate mysite.com's RSA keypair with 3072 bits and encrypt it
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -aes-128-cbc -out mysite_key.pem

# generate a certificate signing request.  Used FQDN of server (i.e. mysite.com).  Use email with dot to prevent spam.  Didn't include an "extra" password
openssl req -new -key mysite_key.pem -sha256 -days 365 -out mysite_csr.pem

# Remove pass-phrase from the key
cp mysite_key.pem mysite_key.pem.tmp
openssl rsa -in mysite_key.pem.tmp -out mysite_key.pem
rm -f mysite_key.pem.tmp

# sign the certificate with the key itself.  Skip this step if using a CA (NOTE.  I DID THIS STEP)
openssl x509 -req -in mysite_csr.pem -signkey mysite_key.pem -sha256 -days 365 -out mysite_crt.pem

# Copy the files to the correct locations (don't move since it will cause problems with selinux). Be sure to keep them readable only by root
cp mysite_key.pem /etc/pki/tls/private/mysite_key.pem
cp mysite_csr.pem /etc/pki/tls/private/mysite_csr.pem
cp mysite_crt.pem /etc/pki/tls/certs/mysite_crt.pem
rm -f mysite_key.pem
rm -f mysite_csr.pem
rm -f mysite_crt.pem

Things worked fine, but I obviously had the untrusted connection warning.

I then went to https://www.startssl.com/, gave them /etc/pki/tls/private/mysite_csr.pem, and got a certificate. I saved it as /etc/pki/tls/certs/mysite_startssl.crt.

My /etc/httpd/conf/httpd.conf file is shown below. I also updated my /etc/httpd/conf.d/ssl.conf file with my SSL credentials; however, I don't think it was necessary since I have my SSL credentials in a virtual host.

When starting up Apache, I get the following warnings:
Code:

[Thu May 15 08:39:20 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 15 08:39:20 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:39:20 2014] [notice] Digest: generating secret for digest authentication ...
[Thu May 15 08:39:20 2014] [notice] Digest: done
[Thu May 15 08:39:20 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:39:20 2014] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.5.12 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations

I've also tried commenting out SSLCertificateFile /etc/pki/tls/certs/easysbt_crt.pem, but then get the following error. Note that since I originally was using self-signed keys, I did generate a certificate even though my instructions told me to skip it if I was using a CA certificate.
Code:

[Thu May 15 08:38:56 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 15 08:38:56 2014] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/httpd/conf/httpd.conf:1053)

EDIT. I also tried using my startssl certificate for SSLCertificateFile, and not using SSLCACertificateFile (even though this just seems wrong), and get the following:
Code:

[Thu May 15 08:53:28 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 15 08:53:28 2014] [warn] RSA server certificate CommonName (CN) `www.mysite.com' does NOT match server name!?
[Thu May 15 08:53:28 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:53:29 2014] [notice] Digest: generating secret for digest authentication ...
[Thu May 15 08:53:29 2014] [notice] Digest: done
[Thu May 15 08:53:29 2014] [warn] RSA server certificate CommonName (CN) `www.mysite.com' does NOT match server name!?
[Thu May 15 08:53:29 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:53:29 2014] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.5.12 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations

EDIT2. Also, tried changing my ServerName from mysite.com to www.mysite.com, but still have warnings.
Code:

[Thu May 15 08:59:16 2014] [notice] caught SIGTERM, shutting down
[Thu May 15 08:59:16 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 15 08:59:17 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:59:17 2014] [notice] Digest: generating secret for digest authentication ...
[Thu May 15 08:59:17 2014] [notice] Digest: done
[Thu May 15 08:59:17 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:59:17 2014] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.5.12 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations

Please provide any recommendation. Thank you

Code:

<VirtualHost *:80>
    ServerName mysite.com
    ServerSignature Off
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>

NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine on
    #strong encryption ciphers only
    #see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
    SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
    SSLCertificateFile /etc/pki/tls/certs/mysite_crt.pem
    SSLCertificateKeyFile /etc/pki/tls/private/mysite_key.pem
    SSLCACertificateFile  /etc/pki/tls/certs/mysite_startssl.crt
    ServerName mysite.com
    ServerAlias www.mysite.com mysite.net www.mysite.net mail.mysite.com smtp.mysite.com ftp.mysite.com
    DocumentRoot /var/www/mysite/html

    <Directory "/var/www/mysite/html">
    allow from all
    Options +Indexes

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /

        ## If the request is for a valid directory, file, or link, don't do anything
        RewriteCond %{REQUEST_FILENAME} -d [OR]
        RewriteCond %{REQUEST_FILENAME} -f [OR]
        RewriteCond %{REQUEST_FILENAME} -l
        RewriteRule ^ - [L]

        #remove the trailing slash
        RewriteRule (.+)/$ $1

        #Replaces file if "." is not in the string (i.e. it will not replace file.html, but will replace file)
        RewriteRule ^([^.]+)$ $1.html [L]

    </IfModule>

    </Directory>

</VirtualHost>


NotionCommotion 05-15-2014 01:26 PM

In hindsight, this post is likely not dedicated to Linux, and likely should have been posted on a more Apache-centric website.

Agree?

EDDY1 05-15-2014 02:18 PM

Although I know nothing about servers, I can say that I get that warning when the time & date on my machine isn't correct.

NotionCommotion 05-16-2014 07:54 AM

Turns out I needed to set SSLCertificateChainFile in /etc/httpd/conf/httpd.conf.
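
The missing-intermediate problem that SSLCertificateChainFile addresses can be reproduced offline. The script below is an added example, not part of the thread: it builds a constructed root CA, intermediate CA and server certificate, then shows that the server certificate verifies only when the intermediate is supplied alongside it, and that the private key matches the certificate. It assumes `openssl` is on the PATH; the names root, inter and leaf are hypothetical stand-ins for the CA's root, the CA's intermediate and the issued site certificate.

```shell
#!/bin/sh
# Added example: every key, name and certificate below is constructed for the demo.
set -eu

# issue NAME SUBJECT EXTENSION [ISSUER]: self-signed when ISSUER is omitted.
issue() {
    printf '%s\n' "$3" > "$1.ext"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr"
    if [ -n "${4:-}" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
            -extfile "$1.ext" -sha256 -days 30 -out "$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -extfile "$1.ext" -sha256 -days 30 -out "$1.crt" 2>/dev/null
    fi
}

# True when private key $1 and certificate $2 carry the same public key
# (the pairing Apache needs for SSLCertificateKeyFile and SSLCertificateFile).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# chain_ok CERT ROOT [INTERMEDIATE]: true when CERT verifies up to ROOT.
# INTERMEDIATE is offered as an untrusted chain certificate, which is the role
# of the file named by SSLCertificateChainFile.
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1 | grep -q ': OK$'
    else
        openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
    fi
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cd "$DEMO_DIR"
issue root  "/CN=Constructed Root CA" "basicConstraints=critical,CA:TRUE"
issue inter "/CN=Constructed Intermediate CA" "basicConstraints=critical,CA:TRUE" root
issue leaf  "/CN=www.mysite.com" "subjectAltName=DNS:www.mysite.com,DNS:mysite.com" inter

key_matches_cert leaf.key leaf.crt && echo "key matches certificate"
chain_ok leaf.crt root.crt || echo "leaf only: issuer not found, client warns"
chain_ok leaf.crt root.crt inter.crt && echo "leaf + intermediate: chain verifies"
```

The same two functions can be pointed at real files: the issued certificate as CERT, the CA's published intermediate as INTERMEDIATE, and the CA's root as ROOT.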

