Wim Sturkenboom
06-29-2007 05:52 AM
SSL and subdomain problem
Hi,
in an attempt to release some IP addresses, I'm trying to move from individual sites to subdomains. Therefore I've generated a (self-signed) wildcard certificate and modified my Apache configuration. However, IE gives me two certificate errors:
- the security certificate is issued by a company you have not chosen to trust .....
- the name on the security certificate is not valid or does not match the name of the site .....
The first one does not worry me, I know that I'm not trusted. But I don't like the second one.
Question: Did I do something wrong or is it normal?
PS
Apache 1.3.3 on Slackware 10.1
Code:
root@webserver01:~# /usr/bin/openssl genrsa -rand /dev/urandom -out btd-techweb01.key 1024
2048 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.............................++++++
...++++++
e is 65537 (0x10001)
root@webserver01:~# /usr/bin/openssl req -new -key btd-techweb01.key -out btd-techweb01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ZA
State or Province Name (full name) [Some-State]:SomeProvince
Locality Name (eg, city) []:SomeCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyEmployer ABC
Organizational Unit Name (eg, section) []:BTD
Common Name (eg, YOUR name) []:*.lbtd-techweb01
Email Address []:wsturkenboom@myemployer.co.za
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:SomePWD
An optional company name []:MyEmployer
root@webserver01:~# /usr/bin/openssl x509 -req -days 30 -in btd-techweb01.csr -signkey btd-techweb01.key -out wildcard-btd-techweb01.crt
Signature ok
subject=/C=ZA/ST=Gauteng/L=Randburg/O=MyEmployer SMS/OU=BTD/CN=*.lbtd-techweb01/emailAddress=wsturkenboom@myemployer.co.za
Getting Private key
root@webserver01:~#
The generated files are copied to /etc/apache/lbtd-techweb01
The relevant part of http.conf:
Code:
#
# Use name-based virtual hosting.
#
#WimS
#NameVirtualHost *:80
NameVirtualHost 172.18.32.111:443
# ==> mod_ssl configuration settings <==
#
# PACKAGES REQUIRED: apache (N series) and openssl (N series)
#
#WimS
Include /etc/apache/mod_ssl.conf
And mod_ssl.conf
Code:
## _ _
## _ __ ___ ___ __| | ___ ___| | mod_ssl
## | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
## | | | | | | (_) | (_| | \__ \__ \ | www.modssl.org
## |_| |_| |_|\___/ \__,_|___|___/___/_| ftp.modssl.org
## |_____|
## ____________________________________________________________________________
##
## Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
##
## Load the mod_ssl module:
##
LoadModule ssl_module libexec/apache/libssl.so
##
## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>
#<VirtualHost _default_:*>
<VirtualHost _default_:80>
DocumentRoot "/var/www/htdocs"
</VirtualHost>
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>
<IfModule mod_ssl.c>
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First either `none'
# or `dbm:/path/to/file' for the mechanism to use and
# second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shm:/var/log/apache/ssl_scache(512000)
SSLSessionCache dbm:/var/log/apache/ssl_scache
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual explusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/var/log/apache/ssl_mutex
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.
SSLLog /var/log/apache/ssl_engine_log
SSLLogLevel info
</IfModule>
<IfDefine SSL>
##
## SSL Virtual Host Context
##
# command centre subdomain
<VirtualHost 172.18.32.111:443>
# General setup for the virtual host
DocumentRoot "/home/wim/commandcentre/web"
#WimS
ServerName cc.lbtd-techweb01
ServerAdmin wsturkenboom@multichoice.co.za
ErrorLog /var/log/apache/error_log
TransferLog /var/log/apache/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#WimS
SSLCertificateFile /etc/apache/lbtd_techweb01/wildcard-btd-techweb01.crt
SSLCertificateKeyFile /etc/apache/lbtd_techweb01/btd-techweb01.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/apache/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
# tac room subdomain
<VirtualHost 172.18.32.111:443>
# General setup for the virtual host
DocumentRoot "/home/wim/tacroom/web"
#WimS
ServerName tac.lbtd-techweb01
ServerAdmin wsturkenboom@multichoice.co.za
ErrorLog /var/log/apache/error_log
TransferLog /var/log/apache/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#WimS
SSLCertificateFile /etc/apache/lbtd_techweb01/wildcard-btd-techweb01.crt
SSLCertificateKeyFile /etc/apache/lbtd_techweb01/btd-techweb01.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/apache/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
# document directory subdomain
<VirtualHost 172.18.32.111:443>
# General setup for the virtual host
DocumentRoot "/home/wim/docdir/web"
#WimS
ServerName docdir.lbtd-techweb01
ServerAdmin wsturkenboom@multichoice.co.za
ErrorLog /var/log/apache/error_log
TransferLog /var/log/apache/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#WimS
SSLCertificateFile /etc/apache/lbtd_techweb01/wildcard-btd-techweb01.crt
SSLCertificateKeyFile /etc/apache/lbtd_techweb01/btd-techweb01.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/apache/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
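A way to check offline whether the certificate name from the post covers the three ServerName values, as an added example that is not part of the original post: the function below applies the wildcard rule later written down in RFC 6125 section 6.4.3 (the wildcard must be the whole left-most label and stands in for exactly one label), and the names are the CN and ServerNames shown above; the two extra host names at the end are constructed to show what the wildcard does not cover.

```python
def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` (a CN or SAN dNSName) covers `hostname`.

    Rules applied (RFC 6125 section 6.4.3):
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is honoured only as the complete left-most label ('*.example.test');
      partial wildcards ('w*.example.test') and wildcards elsewhere are rejected;
    - the wildcard matches exactly one label, so '*.example.test' covers
      'a.example.test' but neither 'example.test' nor 'a.b.example.test'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Empty labels ("a..b" or ".b") are never valid host names.
    if any(not label for label in h_labels):
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard must be the entire left-most label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Same number of labels: the '*' consumes exactly one label, the rest must be identical.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def coverage(cert_name: str, hostnames):
    """Map each ServerName to whether `cert_name` would satisfy a strict client."""
    return {host: wildcard_matches(cert_name, host) for host in hostnames}


# Names taken from the post: the certificate CN and the three vhost ServerNames.
CERT_CN = "*.lbtd-techweb01"
SERVER_NAMES = ["cc.lbtd-techweb01", "tac.lbtd-techweb01", "docdir.lbtd-techweb01"]

if __name__ == "__main__":
    for name, ok in coverage(CERT_CN, SERVER_NAMES).items():
        print(f"{name:28s} {'matches' if ok else 'NO MATCH'}")
    # Constructed extra cases: the bare parent name and a two-level subdomain.
    for name in ["lbtd-techweb01", "www.cc.lbtd-techweb01"]:
        print(f"{name:28s} {'matches' if wildcard_matches(CERT_CN, name) else 'NO MATCH'}")
```

Under these rules all three ServerNames match the CN, so a strict matcher would not produce the second IE error; note that current browsers such as Chrome ignore the CN entirely and only check subjectAltName dNSName entries, so a certificate generated today should carry its names in a SAN extension.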