Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I am currently trying to add a new CERT to a Reverse Proxy. Currently the Reverse proxy is working and servicing all http requests. I am having a problem using the Reverse Proxy with my Exchange 2010 environment.
Please can someone assist me with creating a cert and providing a decent CA to sign the cert -- unless I can use my Domain Controller CA to do that. If so, I have Cert Server set up on Server 2008 R2 Standard.
Linux Version: Linux reverseproxy.domain.local 2.6.32-431.3.1.el6.x86_64 #1 SMP Fri Jan 3 21:39:27 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
All http requests work properly. Here is the config to the virtual host that does not work and services https/ssl.
Quote:
<VirtualHost 172.17.10.13:443>
    ServerName webmail.domain.net:443
    ErrorLog /var/log/httpd/domain.net/cas2010error.log
    CustomLog /var/log/httpd/domain.net/cas2010.log combined
    # SSLEngine On
    # SSLProxyVerify none
    # SSLProxyEngine On
    # SSLProxyCheckPeerCN Off
    # SSLProxyCheckPeerExpire On
    # SSLCertificateFile /etc/pki/tls/certs/webmail.domain.net.crt
    # SSLCertificateKeyFile /etc/pki/tls/private/webmail.domain.net.key
    <Location />
        ProxyPass https://cashost.domain.local/owa/
        ProxyPassReverse https://cashost.domain.local/owa/
        SSLRequireSSL
    </Location>
</VirtualHost>
I commented out all the SSL stuff on my server because I could not get httpd to restart without failing.
Please can someone give me some guidance. BTW, the Exchange 2010 server has a valid certificate. I created it using my local CA on the Domain Controller.
You have to trust the Exchange certificate on your reverse proxy. For security purposes, just let some URLs like exchangeserver/owa open from the reverse proxy, not ecp.
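One way to apply this reply's advice on the poster's EL6 httpd 2.2 box, as an added example that is neither the poster's nor the replier's config: it assumes the Domain Controller CA's root certificate has been exported in PEM form to /etc/pki/tls/certs/domain-local-ca.crt (a hypothetical path) and that the public cert and key sit at the paths already listed in the thread.

```apache
# Added example (not the poster's config). Assumed path: the internal DC CA
# root exported as PEM to /etc/pki/tls/certs/domain-local-ca.crt.
<VirtualHost 172.17.10.13:443>
    ServerName webmail.domain.net:443
    ErrorLog  /var/log/httpd/domain.net/cas2010error.log
    CustomLog /var/log/httpd/domain.net/cas2010.log combined

    # Front side: present the public certificate to browsers. Without
    # SSLEngine On, whatever other :443 vhost loads first answers instead.
    SSLEngine On
    SSLCertificateFile    /etc/pki/tls/certs/webmail.domain.net.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webmail.domain.net.key
    # Only if the issuing CA handed you an intermediate certificate:
    # SSLCertificateChainFile /etc/pki/tls/certs/webmail.domain.net.chain.crt

    # Back side: trust ONLY the internal CA that issued the Exchange CAS
    # certificate, and verify it, rather than "SSLProxyVerify none".
    SSLProxyEngine On
    SSLProxyCACertificateFile /etc/pki/tls/certs/domain-local-ca.crt
    SSLProxyVerify require
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # Publish only OWA. /ecp is not mapped at all, and the explicit deny
    # below guards against a later catch-all ProxyPass reopening it.
    ProxyPass        /owa/ https://cashost.domain.local/owa/
    ProxyPassReverse /owa/ https://cashost.domain.local/owa/
    <Location /owa/>
        SSLRequireSSL
    </Location>
    <Location /ecp>
        # httpd 2.2 syntax (EL6); on 2.4 this is "Require all denied".
        Order deny,allow
        Deny from all
    </Location>

    # Send the bare hostname to OWA instead of serving an empty root.
    RedirectMatch ^/$ /owa/
</VirtualHost>
```

Run apachectl -t and restart; with SSLProxyVerify require, httpd refuses the backend connection (and logs why in cas2010error.log) if the CA file does not contain the CA that signed the CAS certificate, so a trust problem surfaces there instead of being hidden.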
Thank you for that reply. Do you know how to do that? One thing I ended up doing on my Exchange Server was turn FBA off.
Plus one thing I keep seeing is that whenever I put the webmail link in, it keeps loading an expired cert in the browser (not the new one I created and referenced in my virtual host). How can I fix that?
Code:
[root@reverseproxy ~]# apachectl -t
Syntax OK
[root@emissary ~]#
Code:
[root@emissary conf.d]# curl -v https://webmail.shekinya.net
* About to connect() to webmail.shekinya.net port 443 (#0)
* Trying 24.12.253.252... connected
* Connected to webmail.shekinya.net (24.12.253.252) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Remote Certificate has expired.
* NSS error -8181
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.