Hi
System info:
-------------------
cat /etc/redhat-release
CentOS release 6.8 (Final)
[root@host tmpsslkeys]# uname -a
Linux host.dnsname.com 2.6.32-642.el6.x86_64 #1 SMP Tue May 10 17:27:01 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
apachectl -v
Server version: Apache/2.2.15 (Unix)
Server built: Jun 19 2018 15:45:13
I've been looking at getting https going on one of my local webservers using a self signed CA certificate and, while doing so, trying to get a better understanding of ssl, and was wondering if anyone could help by answering some queries I have.
What I have done so far:
I created a self signed CA certificate by doing the following:
# generate private key
openssl genrsa -out ca.key 2048
# generate certificate signing request - entering the IP address of the server for the common name
openssl req -new -key ca.key -out ca.csr
....
Common Name (eg, your name or your server's hostname) []:10.168.6.206
....
# generate self-signed certificate
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Then copied the generated keys into /etc/pki/tls/
cp ca.crt /etc/pki/tls/certs/10.168.6.206.crt
cp ca.key /etc/pki/tls/private/10.168.6.206.crt
cp ca.csr /etc/pki/tls/private/10.168.6.206.csr
Updated conf/httpd.conf to load the ssl module by adding:
...
<IfModule mod_ssl.c>
# SSL name based virtual hosts are not yet supported, therefore no
# NameVirtualHost statement here
Listen 443
</IfModule>
...
LoadModule ssl_module modules/mod_ssl.so
...
1)
After restarting apache, when I try to connect from a locally run (firefox) browser using https://10.168.6.206 I get the following message:
----------------------------
Warning: Potential Security Risk Ahead
Firefox detected a potential security threat and did not continue to 10.168.6.206. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
"10.168.6.206 uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT"
------------------------------
Does this mean the ssl client (browser?) has received the certificate from the server, tried to check it against a list of trusted CAs and not found it trusted (which I guess it wouldn't, given the CA is my server) - thus the warning?
Does anyone know where the ssl client (browser?) stores the list of trusted CAs, and how it identifies a trusted CA (DNS?)?
If I go ahead and select 'Accept the Risk and Continue' it looks like it goes to the index page using https.
Does anyone know how I can confirm it is indeed using ssl (I have disabled port 80, so I assume it is, but do not know how to verify)?
2) When I attempt to do a wget of a file on the server I get the following error:
wget https://10.168.6.206/myfile.txt
--2020-07-13 16:31:22-- https://10.168.6.206/myfile.txt
Connecting to 10.168.6.206:443... connected.
ERROR: cannot verify 10.168.6.206's certificate, issued by `/C=GB/ST=/L=/O=/OU=BCA/CN=10.168.6.206/emailAddress=':
Self-signed certificate encountered.
To connect to 10.168.6.206 insecurely, use `--no-check-certificate'.
If I do this:
wget --ca-certificate /etc/pki/tls/certs/ca10.168.6.206.crt https://10.168.6.206/myfile.txt
it works fine.
Does anyone know what wget tries to do in the first case and not in the second? Where does it look for the crt file by default?
3) If I try to wget using the host DN rather than the IP address I get the following:
wget --ca-certificate /etc/pki/tls/certs/ca10.168.6.206.crt https://host.dnsname.com/myfile.txt
--2020-07-13 16:36:58-- https://host.dnsname.com/myfile.txt
Resolving host.dnsname.com... 10.168.6.206
Connecting to host.dnsname.com|10.168.6.206|:443... connected.
ERROR: certificate common name `10.168.6.206' doesn't match requested host name `host.dnsname.com'.
To connect to host.dnsname.com insecurely, use `--no-check-certificate'.
This suggests that at some stage there is a name check comparing the 'name' in the certificate against the server name used in the url.
It seems I can use the DN name by recreating the certificate but entering the host DNS name as the 'Common Name' when creating the certificate request:
openssl req -new -key ca.key -out ca.csr
....
Common Name (eg, your name or your server's hostname) []:host.dnsname.com
....
but then I can't use the IP address. Does anyone know how I can configure wget such that I can use both? Maybe by getting it to check both certificates?
With apache https it seems I can type in either https://10.168.6.206 or https://host.dnsname.com even though the certificate being used has a common name of the IP address - does anyone know why this is? Is the DN converted to the IP address before the certificate check?
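The name check that produced the wget error in 3) is done entirely on the client; Apache never compares the host in the URL against its own certificate, which is why the server accepts either name. The standard way to have one certificate that is valid for both the IP address and the DNS name is a subjectAltName (SAN) extension carrying a DNS entry and an IP Address entry: wget (and every browser) consults the SAN first and only falls back to the Common Name when the certificate has no SAN at all, and current browsers have dropped the CN fallback altogether. The following is an added example, not code from the post, that implements that client-side matching logic over certificates in the dictionary shape Python's ssl.SSLSocket.getpeercert() returns. The two sample certificates are constructed for the example: CERT_CN_ONLY mirrors the one described above (CN set to 10.168.6.206, no SAN), CERT_WITH_SAN is what a reissued certificate would need to carry so that both URLs verify.

```python
"""Client-side hostname check against a TLS server certificate.

Certificates are represented in the shape Python's ssl.SSLSocket.getpeercert()
returns: 'subject' is a tuple of RDNs, each a tuple of (attribute, value)
pairs, and 'subjectAltName' is a tuple of (type, value) pairs whose types
are 'DNS' and 'IP Address'.
"""
import ipaddress


def _dns_name_matches(pattern, host):
    """RFC 6125 style DNS-ID comparison: case-insensitive, a trailing dot is
    ignored, and a wildcard is honoured only as the whole left-most label
    (so '*.example.com' matches 'a.example.com' but not 'a.b.example.com',
    and '*.com' matches nothing)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _as_ip(text):
    """Return an ipaddress object if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def match_hostname(cert, hostname):
    """Return True if the certificate is valid for the requested hostname.

    Rules applied (the same ones wget and browsers apply on the client side):
    * An IP literal in the URL only matches an 'IP Address' SAN entry; a
      'DNS' entry never matches an address, even if it looks like one.
    * A DNS name only matches 'DNS' SAN entries.
    * If the certificate carries a subjectAltName at all, the CN is ignored.
    * Only a certificate with no SAN falls back to the CN. wget on CentOS 6
      still does this; current browsers reject such certificates outright.
    """
    requested_ip = _as_ip(hostname)
    san = cert.get("subjectAltName", ())
    if san:
        if requested_ip is not None:
            return any(kind == "IP Address" and _as_ip(value) == requested_ip
                       for kind, value in san)
        return any(kind == "DNS" and _dns_name_matches(value, hostname)
                   for kind, value in san)
    # Legacy fallback: no SAN present, compare against the CN(s) instead.
    common_names = [value
                    for rdn in cert.get("subject", ())
                    for attr, value in rdn
                    if attr == "commonName"]
    if requested_ip is not None:
        return any(_as_ip(cn) == requested_ip for cn in common_names)
    return any(_dns_name_matches(cn, hostname) for cn in common_names)


def explain(cert, hostname):
    """One-line verdict in the style of wget's own message."""
    if match_hostname(cert, hostname):
        return "OK: certificate is valid for %s" % hostname
    return "ERROR: certificate does not match requested host name `%s'" % hostname


# Constructed sample certificates for this example (not real certificates).
# CERT_CN_ONLY mirrors the one from the post: CN is the IP address, no SAN.
CERT_CN_ONLY = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationalUnitName", "BCA"),),
        (("commonName", "10.168.6.206"),),
    ),
}

# CERT_WITH_SAN is what a reissued certificate needs so both URLs verify.
CERT_WITH_SAN = {
    "subject": ((("commonName", "host.dnsname.com"),),),
    "subjectAltName": (
        ("DNS", "host.dnsname.com"),
        ("IP Address", "10.168.6.206"),
    ),
}

if __name__ == "__main__":
    for label, cert in (("CN-only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN)):
        for host in ("10.168.6.206", "host.dnsname.com"):
            print("%-9s %-17s %s" % (label, host, explain(cert, host)))
```

Running the block shows the CN-only certificate passing for 10.168.6.206 and failing for host.dnsname.com, exactly the split seen in 2) and 3), while the SAN certificate passes for both. To produce a certificate like CERT_WITH_SAN with the OpenSSL 1.0.x shipped on CentOS 6 (which lacks the newer `-addext` option), put the single line `subjectAltName=DNS:host.dnsname.com,IP:10.168.6.206` in a small file and pass it with `-extfile` to the `openssl x509 -req ... -signkey ca.key` step; wget with `--ca-certificate` pointing at the result then verifies both URLs. On CentOS 6, wget's default trust store is OpenSSL's, under /etc/pki/tls/certs (the distribution's ca-bundle.crt), while Firefox keeps its own NSS certificate database (cert8.db / cert9.db) inside the profile directory, which is why a certificate trusted by one is not automatically trusted by the other.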