httpd-users mailing list archives

From: "Dean A. Hoover" <dhoo...@rochester.rr.com>
Subject: Re: [users@httpd] HTTPS and virtual hosts
Date: Fri, 27 Feb 2004 14:39:13 GMT

I think I get most of what you are saying. But the really odd thing in
my mind is that when I "view" the certificate in IE, it is apparently
not the one that I self signed. It refers to localhost.localdomain, which is
not what I put in the cert. Any other ideas?

Dean Hoover

Boyle Owen wrote:

>>-----Original Message----
>>From: Dean A. Hoover [mailto:dhoover@rochester.rr.com]
>>
>>I am a newbie at apache httpd and ssl. I've been reading various books
>>and online stuff on the subject, trying to figure out how to enable
>>HTTPS on my webserver for virtual hosts. I talked to people I know that
>>have also done it, and I am still not able to get this working. I am
>>using RH9 and apache httpd-2.0.40-21.9. Here is what I did in
>>/home/tomcat/mywebsite.com/conf/ssl:
>>
>
>After reading below, there's nothing wrong with the apache or mod_ssl
>side at all. I guess by "fix" you mean "just click on the site and
>browse straight in". If so, your problem comes from the certificate and
>your understanding and expectations of HTTPS. 
>
>HTTPS consists of two mechanisms - encryption and authentication.
>Encryption is easy to understand - the browser and server agree on a
>session key and encrypt all traffic between them. But there's no point
>in establishing a secure channel with a site unless you're sure of its
>identity. What the browsers are warning you about is that they can't
>confirm the authenticity of your site (If you went to a site that looked
>like amazon, but the browser warned you that it could not trust the
>site, would you type in your credit card number?)
>
>For the browser to trust the site, the certificate that the site
>presents must authenticate itself by referring to a root certificate
>that the browser has in its cache (ie, the site cert has to be signed).
>Since you made a self-signed cert (actually, you didn't mention anything
>about self-signing it), the browser can't authenticate it - hence the
>warnings.
>
>I don't know anything about Mozilla, BTW, so no idea what its problem
>is.
>
>Rgds,
>Owen Boyle
>Disclaimer: Any disclaimer attached to this message may be ignored. 
>  
>
>># openssl req -new -x509 -days 3650 -nodes -out www.mywebsite.com.pem -keyout www.mywebsite.com.pem
>>Generating a 1024 bit RSA private key
>>.........++++++
>>..++++++
>>writing new private key to 'www.mywebsite.com.pem'
>>-----
>>You are about to be asked to enter information that will be incorporated
>>into your certificate request.
>>What you are about to enter is what is called a Distinguished Name or a DN.
>>There are quite a few fields but you can leave some blank
>>For some fields there will be a default value,
>>If you enter '.', the field will be left blank.
>>-----
>>Country Name (2 letter code) [GB]:US
>>State or Province Name (full name) [Berkshire]:New York
>>Locality Name (eg, city) [Newbury]:Rochester
>>Organization Name (eg, company) [My Company Ltd]:My Web Site, Inc.
>>Organizational Unit Name (eg, section) []:
>>Common Name (eg, your name or your server's hostname) []:www.mywebsite.com
>>Email Address []:webmaster@mywebsite.com
>>[root@mywebsite ssl]# /etc/init.d/httpd restart
>>Stopping httpd:                                            [  OK  ]
>>Starting httpd:                                            [  OK  ]
>>
>>The relevant part of httpd.conf is as follows:
>>
>><VirtualHost *:443>
>>  ServerAdmin webmaster@mywebsite.com
>>  ServerName www.mywebsite.com
>>  ServerAlias mywebsite.com
>>  DocumentRoot /home/tomcat/mywebsite.com/webapps
>>  ErrorLog /home/tomcat/mywebsite.com/logs/error_log
>>  CustomLog /home/tomcat/mywebsite.com/logs/access_log common
>>
>>  <IfModule mod_ssl.c>
>>    SSLEngine on
>>    SSLCertificateFile /home/tomcat/mywebsite.com/conf/ssl/www.mywebsite.com.pem
>>  </IfModule>
>></VirtualHost>
>>
>>When I hit https://www.mywebsite.com from IE6, it complains with a
>>dialog box, stating:
>>
>>Security Alert
>>Information you exchange with this site cannot be exchanged or
>>viewed by others. However, there is a problem with the site's
>>security certificate.
>>
>>- The security certificate was by a company you have not chosen
>>to trust. View the certificate to determine whether you want to
>>trust the certifying authority.
>>
>>...
>>
>>- The name on the security certificate is invalid or does not
>>match the name of the site.
>>
>> >>> when I view the certificate, I see:
>>  blah, blah, blah
>>  Issued to: localhost.localdomain
>>  Issued by: localhost.localdomain
>>  Valid from 4/6/2003 to 4/5/2004
>>
>>On the main dialog, I click the "Yes" button to proceed and get into
>>the site.
>>
>> >>>> When I try to hit it from Mozilla 1.2.1, I get an Alert box showing
>>www.mywebsite.com received a message with incorrect message
>>Authentication Code. If the error occurs frequently, contact the website
>>administrator.
>>
>>
>>
>>How do I fix this???
>>
>>Thanks.
>>Dean Hoover
>>
>>
>>---------------------------------------------------------------------
>>The official User-To-User support forum of the Apache HTTP Server Project.
>>See <URL:http://httpd.apache.org/userslist.html> for more info.
>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>For additional commands, e-mail: users-help@httpd.apache.org
>
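
Added example, not part of the original messages: a check for the symptom reported in this thread, where the browser displays a certificate (localhost.localdomain) other than the one generated for www.mywebsite.com. It compares the SHA-256 fingerprint and subject CN of the served certificate with the PEM file named in SSLCertificateFile. The function names, temporary paths, key size and the two locally constructed certificates are assumptions of this example, chosen so it runs offline.

```shell
#!/bin/sh
# Added example: is the server presenting the certificate file you configured?
# On a live host, save the served certificate first, e.g.:
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null | openssl x509 > served.pem

# make_cert CN OUTFILE: self-signed certificate with the given Common Name
# (2048-bit key and 30-day lifetime are choices of this example)
make_cert() {
    openssl req -new -x509 -days 30 -nodes -newkey rsa:2048 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2" 2>/dev/null
}

fingerprint() {   # SHA-256 fingerprint of the certificate in PEM file $1
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

subject_cn() {    # Common Name from the subject of the certificate in $1
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# check_served SERVED_PEM DISK_PEM HOST: returns 0 only when the served
# certificate is identical to the one on disk and its CN equals HOST.
# (CN matching follows the thread; current browsers match subjectAltName.)
check_served() {
    rc=0
    if [ "$(fingerprint "$1")" != "$(fingerprint "$2")" ]; then
        echo "MISMATCH: server is not presenting $2"
        rc=1
    fi
    if [ "$(subject_cn "$1")" != "$3" ]; then
        echo "MISMATCH: served CN '$(subject_cn "$1")' is not '$3'"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: served certificate is $2 and names $3"
    return "$rc"
}

# Constructed sample data: two local certificates stand in for the file on
# disk and for the certificate the browser displayed in the thread.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_cert www.mywebsite.com     "$workdir/disk.pem"
make_cert localhost.localdomain "$workdir/served.pem"
check_served "$workdir/served.pem" "$workdir/disk.pem" www.mywebsite.com || true
check_served "$workdir/disk.pem"   "$workdir/disk.pem" www.mywebsite.com
```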


