From: Igor Galić
To: users@httpd.apache.org
Cc: Tom Evans
Date: Wed, 14 Dec 2011 13:19:09 -0000 (UTC)
Subject: Re: [users@httpd] OpenSSL and apache2 wildcard self-signed certificate for nested subdomain

----- Original Message -----
> On Wed, 14 Dec 2011 13:49:54 CET, Tom Evans wrote:
> > On Wed, Dec 14, 2011 at 12:43 PM, rey sebastien wrote:
> >> Hello users :)
> >> I try to ask a "smart" question on my problem...
> >>
> >> I have some problem with nested subdomain and wildcard openssl
> >> certificate..
> >> perhaps, I don't know, this is because the subdomain type is:
> >> site1.parisgeo.cnrs.fr, or site2.parisgeo.cnrs.fr, or other
> >> subdomain like xxxx.parisgeo.cnrs.fr
> >> …
> >> I generate my certificate like this (CN = *.parisgeo.cnrs.fr):
> >>
> >> openssl genrsa -des3 -out ca.key 2048
> >> openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
> >> openssl req -newkey rsa:1024 -nodes -keyout parisgeo.cnrs.fr.key -out
> >> …
> >> root@xxxx:/etc/ssl# openssl s_client -connect partage.parisgeo.cnrs.fr:443
> >> …
> >> Verify return code: 18 (self signed certificate)
> >> ---
> >> closed
> >>
> >> The Firefox error when I try to connect to the site is:
> >>
> >> An error occurred during a connection to partage.parisgeo.cnrs.fr.
> >> Peer's certificate has an invalid signature.
> >> (Error code: sec_error_bad_signature)
> >>
> >
> > Firefox will not trust a self signed certificate unless you install
> > the CA certificate into your browser's keychain. Other browsers will
> > ask if you want to accept a self signed certificate.
> >
> > Cheers
> >
> > Tom
> >
>
> Thanks for your great explanation,
> I try to connect with Chrome, and it's possible to access the website,
> so you're right ...
>
> Is there any solution to bypass this problem? With another type of
> self signed certificate which needs no CA? Or contains the CA, I don't
> know?

cacert.org will issue free certificates, and, IIRC, also wildcard
certificates. They are available in *most* browsers.

> Cheers,
> SR.

i

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE
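
The trust behaviour Tom describes, as an added example that is not part of the thread: a wildcard certificate signed by a private CA verifies only when that CA is supplied as a trust anchor. It goes beyond the replies by also checking which host names `*.parisgeo.cnrs.fr` covers. The CA and subject names, file names and the helpers `make_chain`, `trusted`, `covers` and `run_demo` are assumptions, and it expects OpenSSL 1.1.0 or newer.

```sh
# Added example. Only the name *.parisgeo.cnrs.fr comes from the thread;
# the CA/subject names, file names and helper functions are constructed.
make_chain() {  # $1 = empty, writable working directory
    w=$1
    cat > "$w/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
subjectAltName = DNS:*.parisgeo.cnrs.fr
EOF
    # Private CA: key plus self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$w/demo.cnf" -extensions v3_ca \
        -subj "/O=Demo/CN=Demo Private CA" \
        -keyout "$w/ca.key" -out "$w/ca.crt" 2>/dev/null || return 1
    # Server key plus CSR for the wildcard name.
    openssl req -new -newkey rsa:2048 -nodes -config "$w/demo.cnf" \
        -subj "/O=Demo/CN=*.parisgeo.cnrs.fr" \
        -keyout "$w/leaf.key" -out "$w/leaf.csr" 2>/dev/null || return 1
    # The CA signs the CSR; the wildcard goes into subjectAltName.
    openssl x509 -req -in "$w/leaf.csr" -sha256 -days 30 \
        -CA "$w/ca.crt" -CAkey "$w/ca.key" -CAcreateserial \
        -extfile "$w/demo.cnf" -extensions v3_leaf \
        -out "$w/leaf.crt" 2>/dev/null
}

# True only if leaf.crt chains to a trusted root; extra args select the trust store.
trusted() {  # $1 = working directory, rest = options for `openssl verify`
    leaf=$1/leaf.crt; shift
    openssl verify "$@" "$leaf" 2>&1 | grep -q ': OK$'
}

# True only if the certificate's names cover the given host name.
covers() {  # $1 = working directory, $2 = host name
    openssl x509 -in "$1/leaf.crt" -noout -checkhost "$2" | grep -q 'does match'
}

run_demo() {
    work=$(mktemp -d) && make_chain "$work" || return 1
    trusted "$work" -CAfile "$work/ca.crt" && echo "CA installed: leaf verifies"
    trusted "$work" || echo "CA not installed: leaf is rejected"
    covers "$work" partage.parisgeo.cnrs.fr && echo "one label below: covered"
    covers "$work" a.b.parisgeo.cnrs.fr || echo "two labels below: not covered"
    rm -rf "$work"
}
run_demo
```

`-CAfile` here plays the role of importing `ca.crt` into the browser's trust store; the server would be configured with `leaf.crt` and `leaf.key`.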