* http://www.system-linux.eu/index.php?post/2009/12/04/Certificat-x509-pour-votre-Apache# [[ToDo]] :
* http://www.yassl.com/yaSSL/Products-cyassl.html
ToDo :
* http://www.pcinpact.com/news/86934-openssl-faille-heartbleed-menace-securite-web-sites-ferment.htm
* http://en.wikipedia.org/wiki/Certificate_signing_request
* https://www.cacert.org/account.php?id=10
* http://www.faqs.org/docs/Linux-HOWTO/SSL-Certificates-HOWTO.html
* http://bugs.cacert.org/view.php?id=1089&nbn=1
* https://www.startssl.com/# GratiS
* http://www.reddit.com/r/linux/comments/20ctva/debian_will_no_longer_ship_cacertorg_certificates/
* https://filippo.io/Heartbleed/
* https://filippo.io/Heartbleed/#tizen.org
===== USAGE =====
1/ verify domain : https://www.cacert.org/account.php?id=7
2/ generate key
domain="$user.homelinux.org"
time openssl genrsa -out key.pem 4096
time openssl req -new -key key.pem -out cert.csr -subj "/CN=$domain" -nodes
3/ request :
cat cert.csr
https://www.cacert.org/account.php?id=10
4/ copy to cert.pem
5/ setup apache :
SSLEngine on
SSLCertificateFile /etc/local/$domain/cert.pem
SSLCertificateKeyFile /etc/local/$domain/key.pem
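Added helper script (not part of the original notes) that runs steps 2 and 5 end to end: generate key.pem and the CSR as above, self-sign the CSR when no CA answer is at hand yet, and check that cert.pem really belongs to key.pem and carries the expected CN before Apache is pointed at the files. It assumes `openssl` is on PATH and takes the output directory and `$domain` as arguments.

```sh
#!/bin/sh
# Added example, not from the original notes: reproduce the USAGE steps and
# verify the resulting files before configuring Apache.
# Assumptions: openssl on PATH; directory and domain passed by the caller.
set -eu

# Step 2 of the notes: RSA key (4096 bits by default, as in the notes) and a
# CSR whose subject is just CN=$domain.
make_key_and_csr() {
    dir="$1"; domain="$2"; bits="${3:-4096}"
    openssl genrsa -out "$dir/key.pem" "$bits" 2>/dev/null
    openssl req -new -key "$dir/key.pem" -out "$dir/cert.csr" -subj "/CN=$domain"
}

# Stand-in for steps 3/4 while waiting for the CA: self-sign the CSR so the
# Apache setup can be tested locally (browsers will warn, see "error : firefox").
self_sign_csr() {
    dir="$1"
    openssl x509 -req -in "$dir/cert.csr" -signkey "$dir/key.pem" \
        -days 365 -out "$dir/cert.pem" 2>/dev/null
}

# Check before step 5: the public key inside cert.pem must equal the public
# key derived from key.pem, otherwise Apache refuses the pair and a browser
# import fails with "you do not own the corresponding private key".
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# CN the certificate was issued for; compare it with Apache's ServerName.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit status 0 only if the certificate stays valid for $2 more seconds
# (catches sec_error_expired_certificate before the browser does).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
```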
Misc / UpDate :
grep 'BEGIN CERTIFICATE' /etc/apache2/ssl/$domain.*
grep 'BEGIN CERTIFICATE' /etc/apache2/ssl/$domain.crt
openssl req -days 365 -new -newkey rsa:2048 -keyout key.pem -out request.pem -subj "/CN=$domain" -nodes
openssl req -new -newkey rsa -keyout key.pem -out request.pem -subj "/CN=$domain" -nodes
#/etc/apache2/sites-available/default-ssl
===== HTTPS =====
* https://localhost:443/
* http://www.modssl.org/
* http://www.debian-administration.org/articles/349#comment_52
* http://slackfr.org/doku.php?id=trucs_et_astuces:logiciels:reconcilier_firefox_3_x_x_avec_les_certificats_ssl# [[Mozilla]] :
* http://webmasters.stackexchange.com/questions/1247/can-i-skip-the-pem-pass-phrase-question-when-i-restart-the-webserver# [[nginx]]
* https://conorpp.com/blog/trying-out-lets-encrypt/
* https://github.com/acmesh-official/acme.sh/wiki/CA
===== openssl =====
openssl s_client -connect localhost:443
CONNECTED(00000003)
1074246864:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
http://www.astaro.org/beta-versions/utm-9-public-beta/41572-8-900-open-clientless-sslvpn-ssl-certificate-fetch-doesnt-work.html
@TaG: ApachE HttP
===== Apache : Error Code: -12263 =====
wget -O- -np https://localhost:8022
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
* https://localhost
aptitude reinstall apache2.2-common apache2-utils apache2
konqueror: An error occurred while loading https://localhost:443/
lynx -dump -head https://localhost
# Looking up localhost
# Making HTTPS connection to localhost
# Retrying connection without TLS.
# Looking up localhost
# Making HTTPS connection to localhost
# Alert!: Unable to make secure connection to remote host.
# lynx: Can't access startfile https://localhost/
* http://mario.espaciolinux.com/apache2_ssl.html
* https://joloridi.net/wikini/wakka.php?wiki=DebianCertificatSSL
apache2-ssl-certificate : http://bugs.debian.org/395823
===== ERRORS =====
==== error : sec_error_expired_certificate ====
ChecK cacert ...
==== error : ssl_error_rx_record_too_long ====
* http://bug.gd/search/details/69648/ssl_error_rx_record_too_long_
* http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
* http://mohamedaslam.com/how-to-fix-apache-could-not-reliably-determine-the-servers-fully-qualified-domain-name-using-127011-for-servername-error-on-ubuntu/
Fixed:
sudo a2ensite default-ssl && sudo invoke-rc.d apache2 restart
https://localhost:443/
==== error : firefox ====
... uses an invalid security certificate.
The certificate is not trusted because it is self signed.
The certificate is not valid for any server names.
(Error code: sec_error_untrusted_issuer)
This personal certificate can't be installed because you do not own the corresponding private key which was created when the certificate was requested.
http://wiki.cacert.org/FAQ/MissingPrivateKey
locate \.p12
locate \.pkcs12
locate \.pfx
Untrusted :
* https://addons.mozilla.org/en-US/firefox/addon/cacert-root-certificate/
==== error : webkit ====
Error 207 net:ERR_CERT_INVALID
The site's security certificate is not trusted!
* http://wiki.cacert.org/InclusionStatus
* http://blog.avirtualhome.com/adding-ssl-certificates-to-google-chrome-linux-ubuntu/
==== SSLEngine ====
Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration
a2enmod ssl
==== proxy ====
* https://localhost:8022
I had my ajaxterm broken, then I investigated for apache errors like "Error Code: -12263"
and I finally figured out that apache2 requires this module as well:
a2enmod proxy_http
==== misc ====
"Short write() to server"
* http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_2_1_RTM/src/nss-3.2.1/mozilla/security/nss/cmd/ssltap/ssltap.c
bitlbee:
@root | jabber - Couldn't log in: Short write() to server │
==== laposte ====
Connection Interrupted
The connection to the server was reset while the page was loading.
The network link was interrupted while negotiating a connection. Please try again.
===== MESSAGE =====
SSLCertificateKeyFile: file '/etc/apache2/ssl/apache.pem' does not exist or is empty
===== CLIENTS =====
[Dovecot] Major CPU spike for SSL parameters?
root 26250 77.6 0.5 5052 652 ? RN 10:53 7:58 dovecot/ssl-params
* http://www.dovecot.org/list/dovecot/2006-January/010965.html
===== MISC =====
* http://opensslrampage.org/# JokE ? BuG QA
* http://www.zdnet.com/article/freak-another-day-another-serious-ssl-security-hole/
* http://blog.seboss666.info/2015/12/je-teste-lets-encrypt-cest-pas-mauvais-sur-le-papier-mais/# HttpS
* https://blog.fastmail.com/2014/10/15/ssl-3-0-disabled-due-to-security-vulnerability/# SecuritY
* https://stosb.com/blog/secure-your-letsencrypt-setup-with-acme-tiny/
* https://github.com/Neilpang/acme.sh
* https://bart.degoe.de/github-pages-and-lets-encrypt/
===== MORE =====
@TaG: DnS ApachE HttpS AppleT
@TaG: [[SSH]] [[Apache]] [[HTTP]] [[Server]] [[HTTPD]] HttpS CryptO