LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 06-29-2007, 06:52 AM   #1
Wim Sturkenboom
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
SSL and subdomain problem


Hi,

in an attempt to release some IP addresses, I'm trying to move from individual sites to subdomains. Therefore I've generated a (self-signed) wildcard certificate and modified my apache configuration. However, IE gives me two certificate errors:
  1. the security certificate is issued by a company you have not chosen to trust .....
  2. The name on the security certificate is not valid or does not match the name of the site .....
The first one does not worry me, I know that I'm not trusted. But I don't like the second one.

Question: Did I do something wrong or is it normal?

PS
apache 1.3.3 on slackware 10.1



Code:
root@webserver01:~# /usr/bin/openssl genrsa -rand /dev/urandom -out btd-techweb01.key 1024
2048 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.............................++++++
...++++++
e is 65537 (0x10001)
root@webserver01:~# /usr/bin/openssl req -new -key btd-techweb01.key -out btd-techweb01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ZA
State or Province Name (full name) [Some-State]:SomeProvince
Locality Name (eg, city) []:SomeCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyEmployer ABC
Organizational Unit Name (eg, section) []:BTD
Common Name (eg, YOUR name) []:*.lbtd-techweb01
Email Address []:wsturkenboom@myemployer.co.za

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:SomePWD
An optional company name []:MyEmployer
root@webserver01:~# /usr/bin/openssl x509 -req -days 30 -in btd-techweb01.csr -signkey btd-techweb01.key -out wildcard-btd-techweb01.crt
Signature ok
subject=/C=ZA/ST=Gauteng/L=Randburg/O=MyEmployer SMS/OU=BTD/CN=*.lbtd-techweb01/emailAddress=wsturkenboom@myemployer.co.za
Getting Private key
root@webserver01:~#
The generated files are copied to /etc/apache/lbtd-techweb01

The relevant part of http.conf:
Code:
#
# Use name-based virtual hosting.
#
#WimS
#NameVirtualHost *:80
NameVirtualHost 172.18.32.111:443

# ==> mod_ssl configuration settings <==
#
# PACKAGES REQUIRED:  apache (N series) and openssl (N series)
#

#WimS
Include /etc/apache/mod_ssl.conf
And mod_ssl.conf
Code:
##                      _             _
##  _ __ ___   ___   __| |    ___ ___| |  mod_ssl
## | '_ ` _ \ / _ \ / _` |   / __/ __| |  Apache Interface to OpenSSL
## | | | | | | (_) | (_| |   \__ \__ \ |  www.modssl.org
## |_| |_| |_|\___/ \__,_|___|___/___/_|  ftp.modssl.org
##                      |_____|
## ____________________________________________________________________________
##
## Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.

##
## Load the mod_ssl module:
##
LoadModule ssl_module libexec/apache/libssl.so

##
##  SSL Support
##
##  When we also provide SSL we have to listen to the
##  standard HTTP port (see above) and to the HTTPS port
##
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

#<VirtualHost _default_:*>
<VirtualHost _default_:80>
DocumentRoot "/var/www/htdocs"
</VirtualHost>

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
</IfDefine>

<IfModule mod_ssl.c>

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First either `none'
#   or `dbm:/path/to/file' for the mechanism to use and
#   second the expiring timeout (in seconds).
#SSLSessionCache        none
#SSLSessionCache        shm:/var/log/apache/ssl_scache(512000)
SSLSessionCache         dbm:/var/log/apache/ssl_scache
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual explusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
SSLMutex  file:/var/log/apache/ssl_mutex

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file.  Put
#   this somewhere where it cannot be used for symlink attacks on
#   a real server (i.e. somewhere where only root can write).
#   Log levels are (ascending order: higher ones include lower ones):
#   none, error, warn, info, trace, debug.
SSLLog      /var/log/apache/ssl_engine_log
SSLLogLevel info

</IfModule>

<IfDefine SSL>

##
## SSL Virtual Host Context
##
# command centre subdomain
<VirtualHost 172.18.32.111:443>

#  General setup for the virtual host
DocumentRoot "/home/wim/commandcentre/web"
#WimS
ServerName cc.lbtd-techweb01
ServerAdmin wsturkenboom@multichoice.co.za
ErrorLog /var/log/apache/error_log
TransferLog /var/log/apache/access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#WimS
SSLCertificateFile /etc/apache/lbtd_techweb01/wildcard-btd-techweb01.crt
SSLCertificateKeyFile /etc/apache/lbtd_techweb01/btd-techweb01.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog /var/log/apache/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

# tac room subdomain
<VirtualHost 172.18.32.111:443>

#  General setup for the virtual host
DocumentRoot "/home/wim/tacroom/web"
#WimS
ServerName tac.lbtd-techweb01
ServerAdmin wsturkenboom@multichoice.co.za
ErrorLog /var/log/apache/error_log
TransferLog /var/log/apache/access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#WimS
SSLCertificateFile /etc/apache/lbtd_techweb01/wildcard-btd-techweb01.crt
SSLCertificateKeyFile /etc/apache/lbtd_techweb01/btd-techweb01.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog /var/log/apache/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

# document directory subdomain
<VirtualHost 172.18.32.111:443>

#  General setup for the virtual host
DocumentRoot "/home/wim/docdir/web"
#WimS
ServerName docdir.lbtd-techweb01
ServerAdmin wsturkenboom@multichoice.co.za
ErrorLog /var/log/apache/error_log
TransferLog /var/log/apache/access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#WimS
SSLCertificateFile /etc/apache/lbtd_techweb01/wildcard-btd-techweb01.crt
SSLCertificateKeyFile /etc/apache/lbtd_techweb01/btd-techweb01.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog /var/log/apache/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

</IfDefine>

Last edited by Wim Sturkenboom; 06-29-2007 at 06:56 AM.
 
Old 06-30-2007, 01:09 PM   #2
fatzeus
Registered: Nov 2004
Location: Venice, Italy
Distribution: Gentoo
I've not read all your configuration; anyway, a wildcard certificate works only on subdomains, so if you have *.domain.com

www.domain.com
a.domain.com
somename.domain.com

are all valid, but

domain.com

doesn't match the certificate
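The matching rule described in the reply above, as an added example that is not part of the thread: a small Python implementation of the browser-side wildcard check (RFC 2818 / RFC 6125 style), run against the CN from the CSR in post #1 and the ServerName values from the vhosts. The hostnames are taken from the thread; the bare domain and the two-level subdomain are added here to show the limits of a wildcard.

```python
"""Hostname-vs-certificate-name matching, the rule browsers apply.

A wildcard may only be the whole left-most label and stands for exactly
one label, so '*.example' covers 'a.example' but neither 'example'
itself nor 'x.a.example'. Added example; not code from the thread.
"""


def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; a trailing dot (FQDN form) is ignored.
    return name.lower().rstrip(".").split(".")


def dns_name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if cert_name (a CN or SAN dNSName) covers hostname."""
    cert_labels = _labels(cert_name)
    host_labels = _labels(hostname)
    if "*" not in cert_name:
        return cert_labels == host_labels
    # Wildcard must be the entire left-most label, there must be something
    # after it (a bare '*' covers nothing), and no other label may contain '*'.
    if len(cert_labels) < 2 or cert_labels[0] != "*":
        return False
    if any("*" in label for label in cert_labels[1:]):
        return False
    # The wildcard stands for exactly one label, so label counts must agree and
    # every remaining label must match literally. This is why the bare domain
    # (one label fewer) is NOT covered by '*.domain.com'.
    if len(cert_labels) != len(host_labels):
        return False
    return cert_labels[1:] == host_labels[1:]


def covered_hosts(cert_name: str, hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether cert_name would pass the name check."""
    return {h: dns_name_matches(cert_name, h) for h in hostnames}


if __name__ == "__main__":
    # CN from the thread's CSR plus the three ServerName values; the last two
    # hostnames are constructed here to show what the wildcard does not cover.
    names = ["cc.lbtd-techweb01", "tac.lbtd-techweb01", "docdir.lbtd-techweb01",
             "lbtd-techweb01", "a.cc.lbtd-techweb01"]
    for host, ok in covered_hosts("*.lbtd-techweb01", names).items():
        print(f"{host:25} {'match' if ok else 'NO MATCH'}")
```

Public CAs and browsers additionally refuse wildcards directly under a public suffix (for example `*.com`), which this check does not model. Note also that current browsers ignore the CN entirely and only consult subjectAltName dNSName entries, so a certificate built like the one in post #1 (no SAN extension) fails the name check today regardless of the wildcard.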
 
Old 07-01-2007, 06:52 AM   #3
Wim Sturkenboom (Original Poster)
Thanks for the reply, but that's not the problem as far as I can see.

From the signing request:
Common Name (eg, YOUR name) []:*.lbtd-techweb01

From mod_ssl:
ServerName tac.lbtd-techweb01
ServerName cc.lbtd-techweb01
 
Old 07-02-2007, 07:33 AM   #4
Wim Sturkenboom (Original Poster)
To add to this:
I found on a Dutch forum that IE does not consider a wildcard certificate valid for a site. Further, I installed Opera on my Win2K box and Opera seems to be happy (except for the 'trusted issuer').

So this seems to be an IE related issue. Can anybody confirm this?

Last edited by Wim Sturkenboom; 07-02-2007 at 08:58 AM.