httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rey sebastien <reyma...@gmail.com>
Subject Re: [users@httpd] OpenSSL and apache2 wildcard self-signed certificate for nested subdomain
Date Wed, 14 Dec 2011 13:04:37 GMT
Le mer. 14 déc. 2011 13:49:54 CET, Tom Evans a écrit :
> On Wed, Dec 14, 2011 at 12:43 PM, rey sebastien<reyman64@gmail.com>  wrote:
>> Hello users :)
>> I try to ask a "smart" question on my problem...
>>
>> I have some problem with nested subdomain and wildcard openssl certificate..
>> perhaps, i don't know, this is because the subdomain type is :
>> site1.parisgeo.cnrs.fr, or site2.parisgeo.cnrs.fr, or other subdomain like
>> xxxx.parisgeo.cnrs.fr
>> …
>> I generate my certificate like this (CN = *.parisgeo.cnrs.fr) :
>>
>> openssl genrsa -des3 -out ca.key 2048
>> openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
>> openssl req -newkey rsa:1024 -nodes -keyout parisgeo.cnrs.fr.key -out
>> …
>> root@xxxx:/etc/ssl# openssl s_client -connect partage.parisgeo.cnrs.fr:443
>> …
>>      Verify return code: 18 (self signed certificate)
>> ---
>> closed
>>
>> The firefox error when i try to connect to the site is :
>>
>> An error occurred during a connection to partage.parisgeo.cnrs.fr.
>> Peer's certificate has an invalid signature.
>> (Error code: sec_error_bad_signature)
>>
>
> Firefox will not trust a self signed certificate unless you install
> the CA certificate into your browser's keychain. Other browsers will
> ask if you want to accept a self signed certificate.
>
> Cheers
>
> Tom
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See<URL:http://httpd.apache.org/userslist.html>  for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>     "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

Thanks for yout great explain,
I try to connect with chrome, and it's possible to access the website, 
so you're right ...

Is there any solution to bypass this problem ? With another type of 
self signed certificate wich need no CA ? or contain the Ca i don't 
know ?

Cheers,
SR.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message