Old 07-14-2020, 03:56 AM   #1
Shaggy1
Member
 
Registered: Oct 2010
Posts: 111

Rep: Reputation: 3
Problems and queries regarding https with apache web server and wget


Hi

System info:
-------------------
cat /etc/redhat-release
CentOS release 6.8 (Final)
[root@host tmpsslkeys]# uname -a
Linux host.dnsname.com 2.6.32-642.el6.x86_64 #1 SMP Tue May 10 17:27:01 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

apachectl -v
Server version: Apache/2.2.15 (Unix)
Server built: Jun 19 2018 15:45:13


I've been looking at getting https going on one of my local webservers using a self-signed CA certificate, and while doing so trying to get a better understanding of ssl, and was wondering if anyone could help by answering some queries I have.

What I have done so far:

I created a self signed CA certificate by doing the following:
# generate private key
openssl genrsa -out ca.key 2048

# generate certificate signing request - entering the IP address of the server for the common name
openssl req -new -key ca.key -out ca.csr
....
Common Name (eg, your name or your server's hostname) []:10.168.6.206
....

# generate self-signed certificate
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Then copied the generated keys into /etc/pki/tls/
cp ca.crt /etc/pki/tls/certs/10.168.6.206.crt
cp ca.key /etc/pki/tls/private/10.168.6.206.crt
cp ca.csr /etc/pki/tls/private/10.168.6.206.csr

Updated conf/httpd.conf to load the ssl module by adding:
...
<IfModule mod_ssl.c>
# SSL name based virtual hosts are not yet supported, therefore no
# NameVirtualHost statement here
Listen 443
</IfModule>
...
LoadModule ssl_module modules/mod_ssl.so
...


1)
After restarting apache when I try to connect from a locally run (firefox) browser using https://10.168.6.206 I get the following message:

----------------------------
Warning: Potential Security Risk Ahead

Firefox detected a potential security threat and did not continue to 10.168.6.206. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

"10.168.6.206 uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT"
------------------------------


Does this mean the ssl client (browser?) has received the certificate from the server, tried to check it against a list of trusted CAs and not found it trusted (which I guess it wouldn't, given the CA is my server), thus the warning?

Does anyone know where the ssl client (browser?) stores the list of trusted CAs, and how it identifies a trusted CA (DNS?)?


If I go ahead and select 'Accept the Risk and Continue', it looks like it goes to the index page using https.
Does anyone know how I can confirm it is indeed using ssl (I have disabled port 80, so I assume it is, but do not know how to verify)?


2) When I attempt to do a wget of a file on the server I get the following error:
wget https://10.168.6.206/myfile.txt
--2020-07-13 16:31:22-- https://10.168.6.206/myfile.txt
Connecting to 10.168.6.206:443... connected.
ERROR: cannot verify 10.168.6.206's certificate, issued by `/C=GB/ST=/L=/O=/OU=BCA/CN=10.168.6.206/emailAddress=':
Self-signed certificate encountered.
To connect to 10.168.6.206 insecurely, use `--no-check-certificate'.

If I do this:
wget --ca-certificate /etc/pki/tls/certs/ca10.168.6.206.crt https://10.168.6.206/myfile.txt
it works fine.

Does anyone know what wget tries to do in the first case and not in the second? Where does it look for the crt file by default?


3) If I try to wget using the host DN rather than the ip address I get the following:
wget --ca-certificate /etc/pki/tls/certs/ca10.168.6.206.crt https://host.dnsname.com/myfile.txt
--2020-07-13 16:36:58-- https://host.dnsname.com/myfile.txt
Resolving host.dnsname.com... 10.168.6.206
Connecting to host.dnsname.com|10.168.6.206|:443... connected.
ERROR: certificate common name `10.168.6.206' doesn't match requested host name `host.dnsname.com'.
To connect to host.dnsname.com insecurely, use `--no-check-certificate'.

Suggesting that at some stage there is a name check comparing the 'name' in the certificate against the server name used in the url.

It seems I can use the DN name by recreating the certificate, but entering the host dns for 'Common Name' when creating the certificate request:
openssl req -new -key ca.key -out ca.csr
....
Common Name (eg, your name or your server's hostname) []:host.dnsname.com
....

but then I can't use the ip address. Does anyone know how I can configure wget such that I can use both? Maybe by getting them to check both certificates?

With apache https it seems I can type in either https://10.168.6.206 or https://host.dnsname.com even though the certificate being used has a common name of the ip address. Does anyone know why this is? Is the DN converted to the ip address before the certificate check?
 
Old 07-14-2020, 07:40 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,634

Rep: Reputation: 7965
Quote:
Originally Posted by Shaggy1
Hi
System info:
-------------------
cat /etc/redhat-release
CentOS release 6.8 (Final)
[root@host tmpsslkeys]# uname -a
Linux host.dnsname.com 2.6.32-642.el6.x86_64 #1 SMP Tue May 10 17:27:01 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

apachectl -v
Server version: Apache/2.2.15 (Unix)
Server built: Jun 19 2018 15:45:13

I've been looking at getting https going on one of my local webservers using a self-signed CA certificate, and while doing so trying to get a better understanding of ssl, and was wondering if anyone could help by answering some queries I have. What I have done so far:

I created a self signed CA certificate by doing the following:
# generate private key
$ openssl genrsa -out ca.key 2048

# generate certificate signing request - entering the IP address of the server for the common name
openssl req -new -key ca.key -out ca.csr
....
Common Name (eg, your name or your server's hostname) []:10.168.6.206
....

# generate self-signed certificate
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Then copied the generated keys into /etc/pki/tls/
cp ca.crt /etc/pki/tls/certs/10.168.6.206.crt
cp ca.key /etc/pki/tls/private/10.168.6.206.crt
cp ca.csr /etc/pki/tls/private/10.168.6.206.csr

Updated conf/httpd.conf to load the ssl module by adding:
Code:
<IfModule mod_ssl.c>
    # SSL name based virtual hosts are not yet supported, therefore no
    # NameVirtualHost statement here
    Listen 443
</IfModule>

LoadModule ssl_module modules/mod_ssl.so
1) After restarting apache when I try to connect from a locally run (firefox) browser using https://10.168.6.206 I get the following message:
Code:
Warning: Potential Security Risk Ahead

Firefox detected a potential security threat and did not continue to 10.168.6.206. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

"10.168.6.206 uses an invalid security certificate.

The certificate is not trusted because it is self-signed.
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT"
Does this mean the ssl client (browser?) has received the certificate from the server, tried to check it against a list of trusted CAs and not found it trusted (which I guess it wouldn't, given the CA is my server), thus the warning?
Correct; ANY self-signed certificate will generate that message, in any browser.
Quote:
Does anyone know where the ssl client (browser?) stores the list of trusted CAs, and how it identifies a trusted CA (DNS?)?
Check the documentation about how to add a self-signed certificate to Firefox.
https://knowledge.digicert.com/solution/SO5437
Quote:
If I go ahead and select 'Accept the Risk and Continue', it looks like it goes to the index page using https. Does anyone know how I can confirm it is indeed using ssl (I have disabled port 80, so I assume it is, but do not know how to verify)?
You verify it by having the web page load. Since you're using HTTPS and the page comes up, then you're set.
Quote:
2) when I attempt to do a wget of a file on the server I get the following error:
Code:
wget https://10.168.6.206/myfile.txt
--2020-07-13 16:31:22--  https://10.168.6.206/myfile.txt
Connecting to 10.168.6.206:443... connected.
ERROR: cannot verify 10.168.6.206's certificate, issued by `/C=GB/ST=/L=/O=/OU=BCA/CN=10.168.6.206/emailAddress=':
  Self-signed certificate encountered.
To connect to 10.168.6.206 insecurely, use `--no-check-certificate'.
If I do this:
Code:
wget --ca-certificate /etc/pki/tls/certs/ca10.168.6.206.crt https://10.168.6.206/myfile.txt
it works fine. Does anyone know what wget tries to do in the first case and not in the second? Where does it look for the crt file by default?
The first-case is simple; you again have a self-signed certificate; it's not trusted, and it tells you to use the '--no-check-certificate' to bypass it.
The second case is TELLING the system where the certificate is, so naturally it's accepting it. There are numerous locations for those certificates, which you can find by running:
Code:
strace -e openat wget https://some-secure-website
...which will give you several paths.
Quote:
3) If I try to wget using the host DN rather than the ip address I get the following:
Code:
wget --ca-certificate /etc/pki/tls/certs/ca10.168.6.206.crt https://host.dnsname.com/myfile.txt
--2020-07-13 16:36:58--  https://host.dnsname.com/myfile.txt
Resolving host.dnsname.com... 10.168.6.206
Connecting to host.dnsname.com|10.168.6.206|:443... connected.
    ERROR: certificate common name `10.168.6.206' doesn't match requested host name `host.dnsname.com'.
To connect to host.dnsname.com insecurely, use `--no-check-certificate'.
Suggesting that at some stage there is a name check comparing the 'name' in the certificate against the server name used in the url.
Right; you generated the certificate with an IP address instead of a host-name. They don't match.
Quote:
It seems I can use the DN name by recreating the certificate, but entering the host dns for 'Common Name' when creating the certificate request:
openssl req -new -key ca.key -out ca.csr
....
Common Name (eg, your name or your server's hostname) []:host.dnsname.com
....
but then I can't use the ip address. Does anyone know how I can configure wget such that I can use both? Maybe by getting them to check both certificates?
Again; the names aren't matching. Use one or the other, and since MOST websites use hostnames, stick with that. Or you can do as you are and specify a different certificate manually that does have the IP in it.
Quote:
With apache https it seems I can type in either https://10.168.6.206 or https://host.dnsname.com even though the certificate being used has a common name of the ip address. Does anyone know why this is? Is the DN converted to the ip address before the certificate check?
Right; again, it's doing a host-name lookup via DNS, and you have accepted the certificate.
 
2 members found this post helpful.
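Point 3 of the original post asks whether one certificate can serve both https://host.dnsname.com and https://10.168.6.206. The reply above says to pick one, but there is a standard way to have both: list both names in the certificate's subjectAltName extension, which is where wget, curl and browsers look for DNS names and IP addresses (and, for IP addresses, the only place OpenSSL's name check looks; an IP written into the Common Name, as in the thread's certificate, is not consulted by it). The script below is an added example, not code posted in this thread. It uses the thread's host name and IP, builds a private CA with its own key and a separate server key (the original post reuses ca.key as the server key, which is best avoided), and the work directory and file names are this example's choice. The -checkhost and -checkip options need OpenSSL 1.0.2 or later; the extension files rather than -addext keep the generation steps working on older releases such as the one on CentOS 6.

```shell
#!/bin/sh
# Added example (not from the thread): private CA + server certificate whose
# subjectAltName carries both the DNS name and the IP address, followed by the
# two checks a verifying client performs: chain validation and name matching.
set -u

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # example's choice; override with WORKDIR=...
SERVER_DNS="host.dnsname.com"        # names from the thread
SERVER_IP="10.168.6.206"

# Extension files work on OpenSSL 1.0.x too, which has no -addext option.
write_extension_files() {
    cat > "$WORKDIR/ca.ext" <<EOF
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat > "$WORKDIR/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${SERVER_DNS}, IP:${SERVER_IP}
EOF
}

# Private CA: the same req / x509 -req -signkey steps as the thread, plus CA
# extensions so that verifiers accept the certificate as an issuer.
make_ca() {
    openssl genrsa -out "$WORKDIR/ca.key" 2048 >/dev/null 2>&1 &&
    openssl req -new -key "$WORKDIR/ca.key" -subj "/CN=Example private CA" \
        -out "$WORKDIR/ca.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 365 -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/ca.key" \
        -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/ca.crt" >/dev/null 2>&1
}

# Server certificate: its own key (never the CA key), a CSR, and a CA-signed
# certificate carrying the SAN extension. The CSR's CN is informational only.
make_server_cert() {
    openssl genrsa -out "$WORKDIR/server.key" 2048 >/dev/null 2>&1 &&
    openssl req -new -key "$WORKDIR/server.key" -subj "/CN=${SERVER_DNS}" \
        -out "$WORKDIR/server.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Check 1 (the one wget failed without --ca-certificate): does server.crt
# chain to a CA we trust? Exit status 0 means yes.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Check 2 (the one wget failed for host.dnsname.com): is the requested name in
# the certificate? OpenSSL prints "... does match certificate" or
# "... does NOT match certificate"; we turn that into an exit status.
matches_host() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -checkhost "$1" | grep -q 'does match'
}
matches_ip() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -checkip "$1" | grep -q 'does match'
}

build_all() {
    write_extension_files && make_ca && make_server_cert
}

# Stand-alone run: sh san-cert.sh run
if [ "${1:-}" = "run" ]; then
    build_all || { echo "certificate generation failed" >&2; exit 1; }
    openssl x509 -in "$WORKDIR/server.crt" -noout -text | grep -A1 'Subject Alternative Name'
    verify_chain && echo "chain: OK"
    matches_host "$SERVER_DNS" && echo "DNS name $SERVER_DNS matches"
    matches_ip "$SERVER_IP" && echo "IP $SERVER_IP matches"
    matches_host "other.example" || echo "other.example rejected (as it should be)"
    echo "files are in $WORKDIR"
fi
```

Point Apache's SSLCertificateFile at server.crt and SSLCertificateKeyFile at server.key, and give clients only ca.crt (ca.key stays on the machine that signs); after that both `wget --ca-certificate ca.crt https://host.dnsname.com/myfile.txt` and the IP form verify without --no-check-certificate. For point 1 of the original post, `openssl s_client -connect 10.168.6.206:443 -CAfile ca.crt` against the running server prints the negotiated protocol and cipher and ends with "Verify return code: 0 (ok)" when the chain is good, which confirms the connection really is TLS rather than relying on the page loading.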
Old 07-14-2020, 11:15 AM   #3
Shaggy1
Member
 
Registered: Oct 2010
Posts: 111

Original Poster
Rep: Reputation: 3
Thank you very much TB0ne for these comprehensive answers!
 
  

