Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
In an attempt to release some IP addresses, I'm trying to move from individual sites to subdomains. Therefore I've generated a (self-signed) wildcard certificate and modified my Apache configuration. However, IE gives me two certificate errors:
The security certificate is issued by a company you have not chosen to trust .....
The name on the security certificate is not valid or does not match the name of the site .....
The first one does not worry me, I know that I'm not trusted. But I don't like the second one.
Question: Did I do something wrong or is it normal?
PS: Apache 1.3.3 on Slackware 10.1
Code:
root@webserver01:~# /usr/bin/openssl genrsa -rand /dev/urandom -out btd-techweb01.key 1024
2048 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.............................++++++
...++++++
e is 65537 (0x10001)
root@webserver01:~# /usr/bin/openssl req -new -key btd-techweb01.key -out btd-techweb01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ZA
State or Province Name (full name) [Some-State]:SomeProvince
Locality Name (eg, city) []:SomeCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyEmployer ABC
Organizational Unit Name (eg, section) []:BTD
Common Name (eg, YOUR name) []:*.lbtd-techweb01
Email Address []:wsturkenboom@myemployer.co.za
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:SomePWD
An optional company name []:MyEmployer
root@webserver01:~# /usr/bin/openssl x509 -req -days 30 -in btd-techweb01.csr -signkey btd-techweb01.key -out wildcard-btd-techweb01.crt
Signature ok
subject=/C=ZA/ST=Gauteng/L=Randburg/O=MyEmployer SMS/OU=BTD/CN=*.lbtd-techweb01/emailAddress=wsturkenboom@myemployer.co.za
Getting Private key
root@webserver01:~#
The generated files are copied to /etc/apache/lbtd-techweb01.
Code:
##                     _       _
##  _ __ ___   ___   __| |    ___ ___| |  mod_ssl
## | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL
## | | | | | | (_) | (_| |   \__ \__ \ |  www.modssl.org
## |_| |_| |_|\___/ \__,_|___|___/___/_|  ftp.modssl.org
##                      |_____|
##  ____________________________________________________________________________
##
## Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
##
## Load the mod_ssl module:
##
LoadModule ssl_module libexec/apache/libssl.so
##
## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>
#<VirtualHost _default_:*>
<VirtualHost _default_:80>
DocumentRoot "/var/www/htdocs"
</VirtualHost>
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>
<IfModule mod_ssl.c>
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First either `none'
# or `dbm:/path/to/file' for the mechanism to use and
# second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shm:/var/log/apache/ssl_scache(512000)
SSLSessionCache dbm:/var/log/apache/ssl_scache
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/var/log/apache/ssl_mutex
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.
SSLLog /var/log/apache/ssl_engine_log
SSLLogLevel info
</IfModule>
<IfDefine SSL>
##
## SSL Virtual Host Context
##
# command centre subdomain
<VirtualHost 172.18.32.111:443>
# General setup for the virtual host
DocumentRoot "/home/wim/commandcentre/web"
#WimS
ServerName cc.lbtd-techweb01
ServerAdmin wsturkenboom@multichoice.co.za
ErrorLog /var/log/apache/error_log
TransferLog /var/log/apache/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#WimS
SSLCertificateFile /etc/apache/lbtd_techweb01/wildcard-btd-techweb01.crt
SSLCertificateKeyFile /etc/apache/lbtd_techweb01/btd-techweb01.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/apache/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
# tac room subdomain
<VirtualHost 172.18.32.111:443>
# General setup for the virtual host
DocumentRoot "/home/wim/tacroom/web"
#WimS
ServerName tac.lbtd-techweb01
ServerAdmin wsturkenboom@multichoice.co.za
ErrorLog /var/log/apache/error_log
TransferLog /var/log/apache/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#WimS
SSLCertificateFile /etc/apache/lbtd_techweb01/wildcard-btd-techweb01.crt
SSLCertificateKeyFile /etc/apache/lbtd_techweb01/btd-techweb01.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/apache/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
# document directory subdomain
<VirtualHost 172.18.32.111:443>
# General setup for the virtual host
DocumentRoot "/home/wim/docdir/web"
#WimS
ServerName docdir.lbtd-techweb01
ServerAdmin wsturkenboom@multichoice.co.za
ErrorLog /var/log/apache/error_log
TransferLog /var/log/apache/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#WimS
SSLCertificateFile /etc/apache/lbtd_techweb01/wildcard-btd-techweb01.crt
SSLCertificateKeyFile /etc/apache/lbtd_techweb01/btd-techweb01.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/apache/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
Last edited by Wim Sturkenboom; 06-29-2007 at 05:56 AM.
To add to this:
I found on a Dutch forum that IE does not consider a wildcard certificate valid for a site. Further, I installed Opera on my Win2K box and Opera seems to be happy (except for the 'trusted issuer').
So this seems to be an IE related issue. Can anybody confirm this?
Last edited by Wim Sturkenboom; 07-02-2007 at 07:58 AM.
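As an added example (not code from the original thread), the Python script below takes the subject line that `openssl x509 -req` printed in the first post and the three ServerName values from the posted httpd.conf, and checks whether the certificate's CN covers each hostname under the wildcard rules of RFC 6125 section 6.4.3. The `min_labels_after_wildcard` parameter is an assumption of mine, not something from the thread: with the default of 2 it applies the stricter policy (found in OpenSSL's X509_check_host, for one) that at least two labels must follow the wildcard, so `*.lbtd-techweb01` matches none of the three names; with 1 it applies the lenient reading under which all three match. Which rule the IE version in the thread applied is not established on this page. Two further practitioner caveats: the certificate carries its name only in the CN with no subjectAltName extension, which current major browsers ignore entirely, and the Apache 1.3 setup has no SNI, so all three virtual hosts on 172.18.32.111:443 present whichever certificate is configured first anyway.

```python
"""Wildcard-certificate name check for the names in the post.

Added example (not code from the original thread): parses the one-line
subject that 'openssl x509 -req' printed and tests the certificate's CN
against the three ServerName values from the Apache configuration, using
RFC 6125 section 6.4.3 wildcard rules.
"""

# Subject exactly as printed by 'openssl x509 -req' in the post.
SUBJECT = ("/C=ZA/ST=Gauteng/L=Randburg/O=MyEmployer SMS/OU=BTD"
           "/CN=*.lbtd-techweb01/emailAddress=wsturkenboom@myemployer.co.za")

# ServerName values of the three SSL virtual hosts in the posted httpd.conf.
SERVER_NAMES = ["cc.lbtd-techweb01", "tac.lbtd-techweb01",
                "docdir.lbtd-techweb01"]


def parse_subject(subject):
    """Split an OpenSSL one-line subject ('/C=ZA/ST=.../CN=...') into a dict.

    This legacy format does not escape '/', so it is only safe for values
    without a slash, which holds for the subject quoted in the post.
    """
    fields = {}
    for part in subject.strip("/").split("/"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def dns_name_matches(pattern, hostname, min_labels_after_wildcard=2):
    """Return True if certificate name `pattern` covers `hostname`.

    Rules applied (RFC 6125 section 6.4.3, with one stricter addition):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is only allowed as the entire left-most label
        ('*.example.com', not 'w*.example.com' or 'www.*.com');
      * the wildcard matches exactly one label, never 'a.b';
      * at least `min_labels_after_wildcard` labels must follow the
        wildcard. The default of 2 is the stricter policy (assumption:
        not every client enforces it) under which '*.example.com' is
        fine but '*.com' and '*.lbtd-techweb01' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname

    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    if pat_labels[0] != "*" or any("*" in label for label in pat_labels[1:]):
        return False          # wildcard is not the whole left-most label
    if len(pat_labels) - 1 < min_labels_after_wildcard:
        return False          # too few labels follow the wildcard
    if len(host_labels) != len(pat_labels) or host_labels[0] == "":
        return False          # the wildcard covers exactly one label
    return host_labels[1:] == pat_labels[1:]


def coverage(subject, hostnames, **kwargs):
    """Map each hostname to whether the subject's CN covers it."""
    cn = parse_subject(subject)["CN"]
    return {host: dns_name_matches(cn, host, **kwargs) for host in hostnames}


if __name__ == "__main__":
    for label, kwargs in (("strict", {}),
                          ("lenient", {"min_labels_after_wildcard": 1})):
        print(label, coverage(SUBJECT, SERVER_NAMES, **kwargs))
```

Running the script prints one dict per policy; under the strict default every ServerName maps to False, under the lenient setting every one maps to True, which is exactly the split the thread observes between clients. Registering a proper two-label domain (so the wildcard reads `*.sub.example`) or listing each hostname explicitly in a subjectAltName satisfies both policies.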