httpd-users mailing list archives

From "Arthur Chan" <ach...@saysit.com.hk>
Subject [users@httpd] HOWTO : configuring httpd.conf for OpenSSL ?
Date Wed, 30 Jul 2003 10:27:43 GMT
I encountered a few problems on the way, starting with the signing of the
certificate:
Towards the end, I got these, for me, undecipherable error messages that
seem to relate to the encryption routine itself:
[ssl]# ./sign.sh private/server.csr
...(10 lines elided)
Certificate is to be certified until Jul 29 16:00:25 2004 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: private/server.crt <-> CA cert
private/server.crt: /C=HK/ST=HK/O=ANYCOY Co. Ltd.
/CN=www.saysit.com.hk/Email=achana@saysit.com.hk
error 18 at 0 depth lookup:self signed certificate
/C=HK/ST=HK/O=ANYCOY Co.
Ltd./CN=www.saysit.com.hk/Email=achana@saysit.com.hk
error 7 at 0 depth lookup:certificate signature failure
2117:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type
is not 01:rsa_pk1.c:100:
2117:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
failed:rsa_eay.c:396:
2117:error:0D079006:asn1 encoding routines:ASN1_verify:bad get asn1 object
call:a_verify.c:109:
[ssl]#
...
It went ahead and created the self-signed certificate "server.crt" anyway,
which I put into .../certs.
After commenting out <VirtualHost _default_:443> and </VirtualHost>, I was
able to start Apache seemingly without errors:
# apachectl startssl
# ps -ef
however I do NOT see the processes, but when I start Apache with the normal
# apachectl start
I can see the httpd processes ! Maybe it is my setup?
In the test httpd.conf, there are 2 name-based vhosts using one single IP
address, I am NAT-ting with the router from an external IP to an internal IP:
...
httpd.conf
Listen BIOSNAME:80
NameVirtualHost 192.169.100.1
<VirtualHost 192.168.100.1>
ServerName www.first.dom.com.hk
...blabla
</VirtualHost>
<VirtualHost 192.168.100.2>
ServerName www.second.dom.com.hk
...blabla
</VirtualHost>

That works well with a normal start, but not with an "apachectl startssl"!
Ideally, I would LOVE to have this :
<VirtualHost 192.168.100.1:80>
and
<VirtualHost 192.168.100.2:443>

That means only the second virtual host will be encrypted.
Can this be done ???
:-(
TIA



----- Original Message -----
From: <Jiang_Chang@trendmicro.com.cn>
To: <users@httpd.apache.org>
Sent: Wednesday, July 30, 2003 03:56 AM
Subject: [users@httpd] Re: [users@httpd] Re: [users@httpd] HOWTO :
configuring httpd.conf for OpenSSL ?


> Are you sure you open that port 80?
> I think this doc can give you some help.
> http://httpd.apache.org/docs-2.0/vhosts/examples.html#port
>
> -----Original Message-----
> From: Arthur Chan [mailto:achana@saysit.com.hk]
> Sent: July 30, 2003 15:28
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Re: [users@httpd] HOWTO : configuring
> httpd.conf for OpenSSL ?
>
>
> Commenting out the whole <VirtualHost _default_:443> block has the benefit
> that when I do a "startssl" , there are no error messages. Yet all the
> requisite directives such as
> SSLEngine on
> SSLCipherSuite ALL: blabla
> SSLCertificateFile /path/to/certificate
> SSLCertificateKeyFile /path/to/key
> etc...
> are inside this <VirtualHost _default_:443> block.
> Can this be right ???
> Also, I cannot test with
> # telnet localhost 80
> it now gives me this message
> Trying 127.0.0.1
> Connected to localhost.localdomain
> ATTEMPT LOGGED from unknown@1287.0.0.1
> Connection refused by foreign host.
> #
>
> What's happening here now ???
> TIA
>
> ----- Original Message -----
> From: <Jiang_Chang@trendmicro.com.cn>
> To: <users@httpd.apache.org>
> Sent: Tuesday, July 29, 2003 03:48 AM
> Subject: [users@httpd] Re: [users@httpd] HOWTO : configuring httpd.conf
> for OpenSSL ?
>
>
> > Mixed port-based / name-based or IP-based virtual hosts are not supported
> > by ssl.
> > You must comment out the other types of virtual host in httpd.conf
> > #NameVirtualHost .....
> >
> > -----Original Message-----
> > From: Arthur Chan [mailto:achana@saysit.com.hk]
> > Sent: July 29, 2003 11:53
> > To: users@httpd.apache.org
> > Subject: [users@httpd] HOWTO : configuring httpd.conf for OpenSSL ?
> >
> >
> > Hi.
> > I compiled mod_ssl into Apache2 and got openssl to create server.key
> > into .../conf/server.key and server.crt into .../conf/server.crt
> > Then I modified httpd.conf like this :
> > <IfModule mod_ssl.c>
> >    Include /path/to/html
> > </IfModule>
> > Also, I commented out the explicitly defined virtual hosts inside
> > <VirtualHost v.hostname.com>
> > </VirtualHost>
> > because I expect troubles there.
> >
> > In ssl.conf, I modified the following lines so that they have the same
> > parameter values as in httpd.conf
> > <VirtualHost _default_:443>
> >   DocumentRoot "/path/to/html"
> >   ServerName www.my.domain.com:80  # in httpd.conf, I used the BIOS name
> > e.g. ServerName BIOSNAME:80
> >   ...
> >   SSLEngine on
> >   ...
> >   SSLCertificate /path/to/conf/ssl.crt/server.crt
> >   SSLCertificate /path/tp/conf/ssl.key/server.key
> >   ...
> > When I start apache again with
> > # apachectl startssl
> > I got the following messages
> > [error] VirtualHost -default_:443 -- mixing * port and non-* ports with
> > a NameVirtualHost address is not supported: proceeding with unidentified
> > results.
> > Apache/2.0.40 mod_ssl/2.0.40 (Pass Phrase Dialog)
> > ...
> > Can someone please point out where I might have gone wrong ?
> > I didn't use RedHat's default directories in /etc/httpd.conf .
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server
> > Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
>
>
>
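
The layout asked about in the message (plain HTTP on 192.168.100.1:80, TLS only on 192.168.100.2:443) can be written as two IP-based virtual hosts, shown here as an added example that is not part of the original thread. The addresses and ServerName values come from the post; the DocumentRoot and certificate paths are placeholders, and the `<IfDefine SSL>` wrapper assumes the stock Apache 2.0 ssl.conf convention that `apachectl startssl` relies on.

```apache
# Added example, not from the thread. Both addresses must be configured
# on the host (or be the NAT targets of the external addresses).

# One Listen per address:port pair, instead of a bare "Listen 80".
Listen 192.168.100.1:80

# No NameVirtualHost line: each vhost below has its own IP:port, so they
# are IP-based and the "mixing * ports and non-* ports" case does not arise.

# First host: plain HTTP only.
<VirtualHost 192.168.100.1:80>
    ServerName www.first.dom.com.hk
    DocumentRoot "/path/to/first/html"        # placeholder path
</VirtualHost>

# Second host: HTTPS only. Everything TLS-related stays inside IfDefine
# so that a plain "apachectl start" still comes up with port 80 alone.
<IfDefine SSL>
    Listen 192.168.100.2:443

    <VirtualHost 192.168.100.2:443>
        ServerName www.second.dom.com.hk
        DocumentRoot "/path/to/second/html"   # placeholder path

        # The SSL directives belong in the vhost that terminates TLS;
        # commenting out the enclosing block leaves nothing enabling SSL.
        SSLEngine on
        # The certificate's CN has to match this vhost's ServerName,
        # otherwise browsers will warn on every connection.
        SSLCertificateFile    /path/to/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /path/to/conf/ssl.key/server.key
    </VirtualHost>
</IfDefine>
```

After `apachectl configtest` passes, `apachectl startssl` should leave httpd listening on both sockets, which `netstat -an` will confirm.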

