httpd-users mailing list archives

From Andy Canfield <andycanfi...@yandex.com>
Subject Re: [users@httpd] https
Date Fri, 04 Apr 2014 11:47:47 GMT
Well, "a while" turned out to be one day. Stuck again.

I found a web page that had some info on it. It shows a command (openssl
req) to create a privately signed SSL key. Unfortunately, it doesn't
explain that command, but 'man req 1' has more information such as what
'-x509' does for me (this has got to be one of the greatest parameter
keywords of all time). However, the example includes this on the openssl
command line:

    -subj /O=VirtualH/OU=Virtual/CN=127.0.0.1

The man req 1 page says this consists of a subject line with sub-options
/O as "VirtualH", /OH as "Virtual", and "CN" as "127.0.0.1", and no
blanks. But I can find nothing, NOTHING, that explains what the
suboptions of the -subj parameter are. What is O? What is OU? What is
CN? Is 'VirtualH' a name for the virtual host? Where is that documented,
does anyone know?

I'd like to get the company name into that certificate somewhere, but
don't yet see how.

Thank you.


>     Thank you very much Yehuda. I think I am launched and can follow
>     on for a while by myself.
>
>
>>
>>
>>     On Thu, Apr 3, 2014 at 6:10 AM, Andy Canfield
>>     <andycanfield@yandex.com> wrote:
>>
>>
>>         Files:
>>
>>         -rw-r--r-- 1 root 859 Apr  3 11:45 /etc/apache2/ssl/crt/vhost1.crt
>>
>>         -rw-r--r-- 1 root 916 Apr  3 11:45 /etc/apache2/ssl/key/vhost1.key
>>
>>         So AFAIK I've got a certificate I've generated myself. Nobody
>>         vouches for me but it should enable encryption and make my
>>         TCP/IP packets hard to read.
>>
>>         Contents of /etc/apache2/ports.conf:
>>         NameVirtualHost *:80
>>         Listen 80
>>
>>         <IfModule mod_ssl.c>
>>             Listen 443
>>         </IfModule>
>>         <IfModule mod_gnutls.c>
>>             Listen 443
>>         </IfModule>
>>
>>         Files:
>>
>>         -rw-r--r-- 1 andy 1439 Apr  3 14:48
>>         /etc/apache2/sites-available/default
>>         -rw-r--r-- 1 andy 7485 Jun 16  2011
>>         /etc/apache2/sites-available/default-ssl
>>         -rw-r--r-- 1 root 7469 Feb  7  2012
>>         /etc/apache2/sites-available/default-ssl.original
>>         -rw-r--r-- 1 root  950 Feb  7  2012
>>         /etc/apache2/sites-available/default.original
>>
>>         I see here that /etc/apache2/sites-available has one symbolic
>>         link to /etc/apache2/sites-available/default, and no symbolic
>>         links to any of the other entries in the sites-available
>>         directory. Also all the other entries in
>>         /etc/apache2/sites-available are symbolic links to
>>         configuration files such as
>>
>>         lrwxrwxrwx 1 root 21 May  6  2012 /etc/apache2/sites-enabled/opal.conf -> /www/opal/apache.conf
>>
>>         These links have been working fine for years as links into
>>         the site control directory and not into 'sites-available'.
>>         But perhaps that is wrong.
>>
>>         Maybe what I need is a symbolic link from sites-enabled to
>>         ../sites-available/default-ssl ? Nope, tested, did not solve
>>         the problem....
>>
>>         When I give this command (as root) -
>>
>>             /etc/init.d/apache2 restart
>>
>>         I see only this output:
>>
>>         apache2: Could not reliably determine the server's fully
>>         qualified domain name, using 192.168.1.112 for ServerName
>>          ... waiting apache2: Could not reliably determine the
>>         server's fully qualified domain name, using 192.168.1.112 for
>>         ServerName
>>
>>         [ OK ]
>>
>>         But nmap still says that nothing is listening to port 443.
>>
>>         Thank you Oren.
>>
>>
>>         On 04/03/2014 04:04 PM, Oren wrote:
>>>         Hi Andy.
>>>         Process basically includes getting/creating a certificate,
>>>         defining it on your site and reloading apache.
>>>         here is a centos manual which is not exactly the same on
>>>         ubuntu but pretty much explains the order of things
>>>         http://wiki.centos.org/HowTos/Https
>>>
>>>         on ubuntu you will have to open the 443 port
>>>         <IfModule mod_ssl.c>
>>>             Listen 443
>>>         </IfModule>
>>>
>>>         once the https is ready, you can do a redirect to the https
>>>         site from http. (with mod_rewrite)
>>>
>>>         do you have logs or any information on what is not working?
>>>
>>>         Oren
>>>
>>>         On 04/03/2014 11:39 AM, Andy Canfield wrote:
>>>>         I have been using apache for maybe ten years now, and
>>>>         maintain two
>>>>         servers in addition to the apache on my notebook computer
>>>>         for testing.
>>>>         All using Ubuntu Linux *.04 LTS. It now appears that I
>>>>         ought to convert
>>>>         from http to https.
>>>>
>>>>         But the documentation is insane. A piece here, a piece
>>>>         there, have to do
>>>>         X (but first? and afterwards?). Assuming everything else
>>>>         is OK, this
>>>>         is the way you edit this line in VirtualHost file (there is no
>>>>         "/etc/apache2/.../VirtualHost" file!)
>>>>
>>>>         I figure that I need to do it in two steps:
>>>>         [1] Get the https version up and running, and
>>>>         [2] Make the http version automatically switch to https.
>>>>
>>>>         But I can't get https working at all, for anything. There's
>>>>         a "Listen
>>>>         443" in /etc/apache2/ports.conf but 'nmap localhost' says
>>>>         443 is a
>>>>         closed port.
>>>>
>>>>         Has anybody else ever converted a hosted site from http to
>>>>         https? What
>>>>         did you have to do to get the secure one working?
>>>>
>>>>
>>>>         ---------------------------------------------------------------------
>>>>
>>>>         To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>         <mailto:users-unsubscribe@httpd.apache.org>
>>>>         For additional commands, e-mail:
>>>>         users-help@httpd.apache.org
>>>>         <mailto:users-help@httpd.apache.org>
>>>>
>>>
>>>
>>>
>>>         .
>>>
>>
>>
>
>
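
The `-subj` fields asked about in the message above are X.509 subject attributes: O is organizationName (where a company name goes), OU is organizationalUnitName, and CN is commonName. The following is an added example, not part of the thread or of the web page it mentions: it generates a self-signed certificate with a company name in O, keeps the private key readable by its owner only, and prints the subject with the long attribute names. The function names, file names and "Example Company Ltd" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: all names and values here are constructed, not from the thread.

# show_subject CERT
#   Print the certificate subject with long attribute names
#   (organizationName, organizationalUnitName, commonName).
show_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline
}

# make_selfsigned DIR ORG UNIT CN
#   Write DIR/vhost.key and DIR/vhost.crt, then print the embedded subject.
#   Values must not contain an unescaped "/", which separates -subj fields.
make_selfsigned() {
    dir=$1 org=$2 unit=$3 cn=$4
    mkdir -p "$dir" || return 1
    (
        # Restrictive umask so the private key is created with mode 0600.
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/O=$org/OU=$unit/CN=$cn" \
            -keyout "$dir/vhost.key" -out "$dir/vhost.crt" 2>/dev/null
    ) || return 1
    chmod 644 "$dir/vhost.crt"   # the certificate itself is public
    show_subject "$dir/vhost.crt"
}

# Demo run into a temporary directory (hypothetical company name).
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" "Example Company Ltd" "Web" "127.0.0.1"
ls -l "$demo_dir"
```

Other common `-subj` attributes are C (countryName), ST (stateOrProvinceName) and L (localityName).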

