httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] HTTPS and virtual hosts
Date Fri, 27 Feb 2004 14:28:57 GMT
> -----Original Message----
> From: Dean A. Hoover [mailto:dhoover@rochester.rr.com]
> 
> I am a newbie at apache httpd and ssl. I've been reading various books
> and online stuff on the subject, trying to figure out how to enable
> HTTPS on my webserver for virtual hosts. I talked to people I know that
> have also done it, and I am still not able to get this working. I am using
> RH9 and apache httpd-2.0.40-21.9. Here is
> what I did in /home/tomcat/mywebsite.com/conf/ssl:

After reading below, there's nothing wrong with the apache or mod_ssl
side at all. I guess by "fix" you mean "just click on the site and
browse straight in". If so, your problem comes from the certificate and
your understanding and expectations of HTTPS. 

HTTPS consists of two mechanisms - encryption and authentication.
Encryption is easy to understand - the browser and server agree on a
session key and encrypt all traffic between them. But there's no point
in establishing a secure channel with a site unless you're sure of its
identity. What the browsers are warning you about is that they can't
confirm the authenticity of your site (If you went to a site that looked
like amazon, but the browser warned you that it could not trust the
site, would you type in your credit card number?)

For the browser to trust the site, the certificate that the site
presents must authenticate itself by referring to a root certificate
that the browser has in its cache (ie, the site cert has to be signed).
Since you made a self-signed cert (actually, you didn't mention anything
about self-signing it), the browser can't authenticate it - hence the
warnings.

I don't know anything about Mozilla, BTW, so no idea what its problem
is.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 
> 
> # openssl req -new -x509 -days 3650 -nodes -out www.mywebsite.com.pem -keyout www.mywebsite.com.pem
> Generating a 1024 bit RSA private key
> .........++++++
> ..++++++
> writing new private key to 'www.mywebsite.com.pem'
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [GB]:US
> State or Province Name (full name) [Berkshire]:New York
> Locality Name (eg, city) [Newbury]:Rochester
> Organization Name (eg, company) [My Company Ltd]:My Web Site, Inc.
> Organizational Unit Name (eg, section) []:
> Common Name (eg, your name or your server's hostname) []:www.mywebsite.com
> Email Address []:webmaster@mywebsite.com
> [root@mywebsite ssl]# /etc/init.d/httpd restart
> Stopping httpd:                                            [  OK  ]
> Starting httpd:                                            [  OK  ]
> 
> The relevant part of httpd.conf is as follows:
> 
> <VirtualHost *:443>
>   ServerAdmin webmaster@mywebsite.com
>   ServerName www.mywebsite.com
>   ServerAlias mywebsite.com
>   DocumentRoot /home/tomcat/mywebsite.com/webapps
>   ErrorLog /home/tomcat/mywebsite.com/logs/error_log
>   CustomLog /home/tomcat/mywebsite.com/logs/access_log common
> 
>   <IfModule mod_ssl.c>
>     SSLEngine on
>     SSLCertificateFile 
> /home/tomcat/mywebsite.com/conf/ssl/www.mywebsite.com.pem
>   </IfModule>
> </VirtualHost>
> 
> When I hit https://www.mywebsite.com from IE6, it complains with a
> dialog box, stating:
> 
> Security Alert
> Information you exchange with this site cannot be exchanged or
> viewed by others. However, there is a problem with the site's
> security certificate.
> 
> - The security certificate was issued by a company you have not chosen
> to trust. View the certificate to determine whether you want to
> trust the certifying authority.
> 
> ...
> 
> - The name on the security certificate is invalid or does not
> match the name of the site.
> 
>  >>> when I view the certificate, I see:
>   blah, blah, blah
>   Issued to: localhost.localdomain
>   Issued by: localhost.localdomain
>   Valid from 4/6/2003 to 4/5/2004
> 
> On the main dialog, I click the "Yes" button to proceed and get into the site.
> 
>  >>>> When I try to hit it from Mozilla 1.2.1, I get an Alert box showing
> www.mywebsite.com received a message with incorrect message
> Authentication Code. If the error occurs frequently, contact the website
> administrator.
> 
> How do I fix this???
> 
> Thanks.
> Dean Hoover
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
This e-mail is of a private and personal nature. It is not related to the
exchange or business activities of the SWX Group.

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 
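The two checks Owen describes (can the certificate be chained to a root the client already trusts, and does the name in it match the site the user typed), plus the validity window that the poster's "Valid from 4/6/2003 to 4/5/2004" hints at, spelled out as an added illustration. This is not code from the thread or from mod_ssl; it reuses the dict layout that Python's ssl.SSLSocket.getpeercert() returns so it can also be fed a real peer certificate, and the two certificates, the "Example Root CA" issuer and the trusted-issuer set are constructed for the example:

```python
"""Browser-style trust decision on a server certificate (added example).

The certificate dicts are constructed: DEFAULT_CERT mirrors what the
poster saw in IE ("Issued to: localhost.localdomain, Issued by:
localhost.localdomain"), SIGNED_CERT is what a CA-signed cert for the
site would look like.  Layout follows ssl.SSLSocket.getpeercert().
"""
import ssl
import time


def _rdn_value(name, key):
    """Pull one attribute (e.g. 'commonName') out of a getpeercert()-style
    subject/issuer tuple-of-tuples; None if absent."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: exact name, or a leading '*.' wildcard that
    covers exactly one DNS label (case-insensitive)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def certificate_warnings(cert, hostname, trusted_issuers, now=None):
    """Return the reasons a browser would warn before trusting `cert` for
    `hostname`; an empty list means it is accepted silently.

    trusted_issuers: set of issuer commonNames present in the client's
    root store (a simplification of full chain building)."""
    now = time.time() if now is None else now
    warnings = []

    subject_cn = _rdn_value(cert.get("subject", ()), "commonName")
    issuer_cn = _rdn_value(cert.get("issuer", ()), "commonName")

    # 1. Authentication: was it issued by someone the client already trusts?
    #    A self-signed cert (subject == issuer) can only pass if the client
    #    explicitly imported that cert into its trust store.
    if issuer_cn not in trusted_issuers:
        if cert.get("subject") == cert.get("issuer"):
            warnings.append("self-signed: issuer %r is not a trusted root" % issuer_cn)
        else:
            warnings.append("issued by untrusted authority %r" % issuer_cn)

    # 2. Identity: does the name the user typed appear in the certificate?
    #    Modern clients use subjectAltName; the CN is the legacy fallback.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names and subject_cn:
        names = [subject_cn]
    if not any(hostname_matches(n, hostname) for n in names):
        warnings.append("name mismatch: cert is for %s, site is %s"
                        % (names or ["<no name>"], hostname))

    # 3. Validity window (cert_time_to_seconds parses the GMT strings
    #    that getpeercert() returns).
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before or now > not_after:
        warnings.append("outside validity period %s .. %s"
                        % (cert["notBefore"], cert["notAfter"]))
    return warnings


# Constructed to mirror the certificate the poster saw in the IE dialog.
DEFAULT_CERT = {
    "subject": ((("commonName", "localhost.localdomain"),),),
    "issuer": ((("commonName", "localhost.localdomain"),),),
    "notBefore": "Apr  6 00:00:00 2003 GMT",
    "notAfter": "Apr  5 23:59:59 2004 GMT",
}
# Constructed: the cert the poster wanted to serve, signed by a hypothetical
# CA ("Example Root CA") that the client already trusts.
SIGNED_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "www.mywebsite.com"),)),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "www.mywebsite.com"), ("DNS", "mywebsite.com")),
    "notBefore": "Feb  1 00:00:00 2004 GMT",
    "notAfter": "Feb  1 00:00:00 2005 GMT",
}
TRUSTED = {"Example Root CA"}
# Evaluate at the thread's own date, inside both validity windows.
THREAD_TIME = ssl.cert_time_to_seconds("Feb 27 14:28:57 2004 GMT")

if __name__ == "__main__":
    for label, cert in (("default", DEFAULT_CERT), ("signed", SIGNED_CERT)):
        result = certificate_warnings(cert, "www.mywebsite.com", TRUSTED, THREAD_TIME)
        print(label, result or "trusted")
```

Run against DEFAULT_CERT it reports both of the poster's IE warnings (untrusted self-signed issuer, name mismatch); against SIGNED_CERT it reports nothing. Adding "localhost.localdomain" to the trusted set and browsing to that name clears both, which is exactly what clicking "Yes" in the dialog (or importing the cert) does on the client side; it does not change anything on the server.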


