LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 05-15-2014, 09:50 AM   #1
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 559

Rep: Reputation: Disabled
SSL - Remove untrusted connection warning from Apache server


I am adding ssl to my website, but I still have that "Untrusted connection" warning.

I first generated my own certificate as follows:

Code:
# generate mysite.coms's RSA keypair with 3072 bits and encrypt it
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -aes-128-cbc -out mysite_key.pem

# generate a certificate signing request.  Used FQDN of server (i.e. mysite.com).  Use email with dot to prevent spam.  Didn't include an "extra" password
openssl req -new -key mysite_key.pem -sha256 -days 365 -out mysite_csr.pem

# Remove pass-phrase from the key
cp mysite_key.pem mysite_key.pem.tmp
openssl rsa -in mysite_key.pem.tmp -out mysite_key.pem
rm -f mysite_key.pem.tmp

# sign the certificate with the key itself.  Skip this step if using a CA (NOTE.  I DID THIS STEP)
openssl x509 -req -in mysite_csr.pem -signkey mysite_key.pem -sha256 -days 365 -out mysite_crt.pem

# Copy the files to the correct locations (don't move since it will cause problems with selinux). Be sure to keep at read only by root
cp mysite_key.pem /etc/pki/tls/private/mysite_key.pem
cp mysite_csr.pem /etc/pki/tls/private/mysite_csr.pem
cp mysite_crt.pem /etc/pki/tls/certs/mysite_crt.pem
rm -f mysite_key.pem
rm -f mysite_csr.pem
rm -f mysite_crt.pem
Things worked fine, but I obviously had the untrusted connection warning.

I then went to https://www.startssl.com/, gave them /etc/pki/tls/private/mysite_csr.pem, and got a certificate. I saved it as /etc/pki/tls/certs/mysite_startssl.crt.

My /etc/httpd/conf/httpd.conf file is shown below. I also updated my /etc/httpd/conf.d/ssl.conf file with my ssl credentials, however, I don't think it was necessary since I have my ssl credentials in a virtual host.

When starting up Apache, I get the following warnings:
Code:
[Thu May 15 08:39:20 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 15 08:39:20 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:39:20 2014] [notice] Digest: generating secret for digest authentication ...
[Thu May 15 08:39:20 2014] [notice] Digest: done
[Thu May 15 08:39:20 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:39:20 2014] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.5.12 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
I've also tried commenting out SSLCertificateFile /etc/pki/tls/certs/easysbt_crt.pem , but then get the following error. Note that since I originally was using selfsigned keys, I did generate a certificate even though my instructions told me to skip it if I was using a CA certificate.
Code:
[Thu May 15 08:38:56 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 15 08:38:56 2014] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/httpd/conf/httpd.conf:1053)
EDIT. I also tried using my startssl certificate for SSLCertificateFile, and not using SSLCACertificateFile (even though this just seems wrong), and get the following:
Code:
[Thu May 15 08:53:28 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 15 08:53:28 2014] [warn] RSA server certificate CommonName (CN) `www.mysite.com' does NOT match server name!?
[Thu May 15 08:53:28 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:53:29 2014] [notice] Digest: generating secret for digest authentication ...
[Thu May 15 08:53:29 2014] [notice] Digest: done
[Thu May 15 08:53:29 2014] [warn] RSA server certificate CommonName (CN) `www.mysite.com' does NOT match server name!?
[Thu May 15 08:53:29 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:53:29 2014] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.5.12 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
EDIT2. Also, tried changing my ServerName from mysite.com to www.mysite.com, but still have warnings.
Code:
[Thu May 15 08:59:16 2014] [notice] caught SIGTERM, shutting down
[Thu May 15 08:59:16 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 15 08:59:17 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:59:17 2014] [notice] Digest: generating secret for digest authentication ...
[Thu May 15 08:59:17 2014] [notice] Digest: done
[Thu May 15 08:59:17 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 15 08:59:17 2014] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.5.12 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
Please provide any recommendation. Thank you

Code:
<VirtualHost *:80>
    ServerName mysite.com
    ServerSignature Off
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>

NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine on
    #strong encryption ciphers only
    #see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
    SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
    SSLCertificateFile /etc/pki/tls/certs/mysite_crt.pem
    SSLCertificateKeyFile /etc/pki/tls/private/mysite_key.pem
    SSLCACertificateFile  /etc/pki/tls/certs/mysite_startssl.crt
    ServerName mysite.com
    ServerAlias www.mysite.com mysite.net www.mysite.net mail.mysite.com smtp.mysite.com ftp.mysite.com
    DocumentRoot /var/www/mysite/html

    <Directory "/var/www/mysite/html">
    allow from all
    Options +Indexes

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /

        ## If the request is for a valid directory, file, or link, don't do anything
        RewriteCond %{REQUEST_FILENAME} -d [OR]
        RewriteCond %{REQUEST_FILENAME} -f [OR]
        RewriteCond %{REQUEST_FILENAME} -l
        RewriteRule ^ - [L]

        #remove the trailing slash
        RewriteRule (.+)/$ $1

        #Replaces file if "." is not in the string (i.e. it will not replace file.html, but will replace file
        RewriteRule ^([^.]+)$ $1.html [L]

    </IfModule>

    </Directory>

</VirtualHost>

Last edited by NotionCommotion; 05-15-2014 at 10:01 AM.
 
Old 05-15-2014, 02:26 PM   #2
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 559

Original Poster
Rep: Reputation: Disabled
In hindsight, this post is likely not dedicated to Linux, and likely should have been posted on a more Apache centric website.

Agree?
 
Old 05-15-2014, 03:18 PM   #3
EDDY1
LQ Addict
 
Registered: Mar 2010
Location: Oakland,Ca
Distribution: wins7, Debian wheezy
Posts: 6,838

Rep: Reputation: 649Reputation: 649Reputation: 649Reputation: 649Reputation: 649Reputation: 649
Although I know nothing about servers, I can say that I get, that warning when the time & date on my machine isn't correct.
 
Old 05-16-2014, 08:54 AM   #4
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 559

Original Poster
Rep: Reputation: Disabled
Turns out I needed to set SSLCertificateChainFile in /etc/httpd/conf/httpd.conf.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Untrusted connection FireFox njb Linux Mint 2 08-03-2012 02:26 PM
SSL Untrusted conflicker Linux - Newbie 3 06-18-2012 05:05 PM
Checking Mail Through Tor and my Browser says Connection is Untrusted? newb123 Linux - Security 4 05-23-2011 06:55 AM
Apache SSL untrusted certificate keysorsoze Linux - Server 4 10-08-2008 09:36 PM
apache requires SSL connection ryedunn Linux - Software 1 02-01-2005 08:34 PM


All times are GMT -5. The time now is 08:43 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration