Hi guys...

I am trying to install SSL as one of my website requires SSL capability.. before I get to installing Thawte trial 21-day certificate...

I understand i need to install OpenSSL first?

After which i generate the key yah? Is 1024 bit, des3 too much? was told by someone that SSL connection takes alot of overhead on the server...

what other possible encryption are there?

Cos I created the cert, but on https://domainname.com, i get pointed to Apache Test Page instead. i have set the virtual host settings with port 443 etc...

What possible problem could it be?

Is 1024 too much, the answer is depends on what you are using the encrypted connection for..If it is only matter of carrying few bytes over the wirem I would say it is a good choice. However, when you want to have something like transaction processing where you have huge chunks of data going accross the wire back and forth, yes you would put so much load on to that penguin of yours. Depending on your site traffic, consistency of service, and processing power, 1024 might be too much. However, you always have the option to start below 1024, test it out, if you think it can handle more, then bumb it up to 1024 des3..
As far as https directory, Apache needs to know where the document root for your virtual directory that listens port 443.
Example:
<VirtualHost xx.xx.xx.xx:443>
ServerName domain.com
ServerAlias www.domain.com
DocumentRoot /home/domain/public_html
ErrorLog /home/domain/logs/error_log
CustomLog /home/domain/logs/access_log common
ScriptAlias /cgi-bin/ /home/domain/cgi-bin/
annnddd more options............
</VirtualHost>


Document root above is where decide to server my secure pages from, you can choose whatever directory you like to..You can have the same port 80 root as well, /var/www/html as an example...

This is what I configure for my virtual host
I am using Thawte's 21 days free trial of their certificate so accertain before purchasing..
I've installed openssl.

The reason why its www2 its because its our staging server before it hits production server.. so some kind of test bed...

Through the process of creating the cert, I specify the necessary information and generated the CSR, and using it I requested the cert from thawte.

1st point of suspicion
I cut and paste the cert info given to me in www2.domainname.crt. But I suspect that there maybe something wrong with it as when I tried to do a "openssl req -text -noout -in www2.domainname.com.crt"

It prompted me

unable to load X509 request
20083:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE REQUEST

Sounds like an invalid cert?

What I did was just copy the key with the begin/end tag given by thawte and paste through vim. Valid?


WHen I go to https://www2.domainname.com, I get shown the Apache Test page...

2nd point of suspicion

I get told the cert is not trusted.. which is expected but when I look at the cert details.. its all root@localhost.localdomain... seems like the cert is not recognise? Link to first suspicion?
cos i have entered the proper information while creating the cert...

what could I have miss.. or done wrong? Lost... :(

thanks

anyone....?

1st point of suspicion is correct, apparently ssl does not like the certificate. Therefore it can not request it properly.
2nd point of suspicion is somewhat odd coz I would think that thawte would issue a valid certificate to your domain name, not to localhost..Again, I never dealt with thawte certs, so I am maybe mistaken..

I am wondering if you ever had a ssl working before using thawte's certificate? I believe you haven't since you just installed openssl..

When you navigate to your https://blah.blah.com directory, you said that you get apache test page, which means that ssl is working(otherwise, you would get blank or some other errors). However it is not pulling the content from the directory you specified in your virtual directory entry.
Read you ssl.log to pin point exactly your doc root is for port 443.
Try to find out if your distribution creates a seperate .conf file that is relevant to ssl engine. This maybe in ssl folder some where in your /path/to/http. If so, make the appropriate changes.


Lastly, you mentioned that cert was issued by localhost. You can change this if you use the following method to create certificates. Just make sure to use your domainname in credentials. Since you said this is only for testing purposes why not get it working first and then get it certified by thawted or whatever you chose..
---------------------------------------------------------------------------
openssl genrsa -des3 4096 >/path/to/httpd/conf/ssl.key/servername.key
---------------------------------------------------------------------------
USE-A-PASSPHRASE
---------------------------------------------------------------------------
openssl req -new -x509 -key /path/to/httpd/conf/ssl.key/servername.key -out /etc/httpd/conf/ssl.crt/servername.crt -days 365 -utf8

---------------------------------------------------------------------------

/usr/local/ssl/bin/openssl rsa -in /path/to/httpd/conf/ssl.key/servername.key.cryp -out /path/to/httpd/conf/ssl.key/server.key

---------------------------------------------------------------------------
chmod 400 /path/to/httpd/conf/ssl.key/server.key
---------------------------------------------------------------------------

I can't find a "ssl.log". Where is it suppose to be.. or what other log possible?

I took a look at ssl.conf in /etc/httpd/conf.d/, I realise that there are 2 lines that states

Those commented # are the default ones. I added in the other lines myself to point straight to the cert/key I have created. Is it correct?

Then I added DocumentRoot /home/user/....
Which I usually add to virtual host..

by doing these.. it worked.. pages shown... so am I doing the correct things? It feels like I am pointing ssl.conf to use my only cert i have created rather than the default one.. but what if I have multiple SSL certs there instead for the few domains i have?


Also, as I have a passphrase.. when I restart httpd, after I did the above changes, it now starts to ask me for passphrase (which is why i think what i did is correct.. but need confirmation)..

I followed an online instructions and found the following instructions to turn my key into one thats without a need for passphrase..

What does the above do? When I generate my key, i used "openssl genrsa", so what's the diff here? Does it generate the same key out of the key with passphrase? Which is the extension that determines no need passphrase?

So if i want to reuse passphrase... i just revert the file? If so.. whats the best recommended way to automate it when httpd restarts? I understand httpd restarts everyday to clear orphan files and log.... but yet not compromise security (like putting passphrase in a script in clear text)?

Is there a need to put cert and key to /etc/httpd/conf/ssl.key ? or base on where i specify in ssl.conf?

How do I restart httpd with SSL in mind? I read in one place, that I should restart using "apachectl sslrestart" or something, but heard from friends that I should stick to using "/etc/init.d/httpd restart" as it activates a whole slew of command actually.. what you reckon?


Many thanks to those who read and contribute.. apologies for my many questions as I am really just mumbling through the dark with this....

thanks!

anyone??

Let's see..
You apache log may already include ssl log, I use fedora which uses a seperate log..
The way you created and configured your ssl key and cert files are correct. If you have used the default ones when a visitor examines your certificate he/she would not be convinced to feel secure by an cert that was isssued from the localhost..
As for using ssl for several domains, bear in mind that you cannot have name based virtual hosting for domains that listen port 443 (I may very well be wrong, I read an article that talked about how to setup name based virtual hosting for secure domains, did not get it to work though..). So even if you issue several certificates, I believe you can only use them for designated domains based on their IP addresses.

Also, the way you are bypassing the pwd entry for ssl is how most people do it (this includes myself too), ony thing you need to pay attention is that the file is only readable by root and make sure whoever restart httpd has access to the passphrase file. You can put this file wherever you want as long as you specify in ssl.conf file...

Since I am using apache with mod_ssl on fedora, I do not need to start ssl seperately. However, "apachectl startssl" also starts all of the needed processes (not sure about the exact difference between /etc/init.d/httpd and apachectl..)...
I hope I am shedding some lights on your questions, cheers...

You are, you are! THANKS!

For the quoted phrase in italics, what do you mean by whoever restart httpd has access to the passphrase file? I thought by doing, what I did - bypass password prompt -, there's no need for the key with passphrase anymore? I did save it to a file domainname.com.key.withpassphrase... for backup purpose...?


by doing ....
what does it mean? I generated the key using genrsa 1024... not i convert using rsa...?

nevarlen; you provided some ssl command 4 posting ago.. what does those mean? I trying to find documentation to explain to mee the commands with its relevant extension but can't find... i think i am not searching right.. hence here...


I don have ssl log.. but i have under /var/log/httpd
ssl_access
ssl_error
ss_request

same?

Hey,Swakoo!

I was with the same kind of problem - a "unable to load X509 request". I contacted Thawte and seems that there is (was, the guy told me he will check) a problem on their docs.
When they tell us to check the .CRT file with

openssl req -text -noout -in cert.crt

the correct thing to do is

openssl x509 -text -noout -in cert.crt

and then everything runs fine.