ToDo :
1/ verify domain : https://www.cacert.org/account.php?id=7
2/ generate key
domain="$user.homelinux.org"
time openssl genrsa -out key.pem 4096
time openssl req -new -key key.pem -out cert.csr -subj "/CN=$domain" -nodes
3/ request :
cat cert.csr
https://www.cacert.org/account.php?id=10
4/ copy to cert.pem
5/ setup apache :
SSLEngine on
SSLCertificateFile /etc/local/$domain/cert.pem
SSLCertificateKeyFile /etc/local/$domain/key.pem
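Before pointing SSLCertificateFile / SSLCertificateKeyFile at the files from steps 2 to 5, it is worth checking that the certificate really belongs to key.pem, carries the expected CN and is not expired; a mismatched pair is what later shows up as the "missing private key" or "does not exist or is empty" errors noted below. The following helper is an added example, not part of these notes; it assumes the openssl CLI is installed, and the domain and paths in its demo function are constructed.

```sh
#!/bin/sh
# Added example (not from the original notes): sanity-check an Apache cert/key
# pair before configuring SSLCertificateFile and SSLCertificateKeyFile.
# Assumes the openssl CLI is installed; demo domain and paths are constructed.
set -eu

# Succeeds when the public key inside the certificate matches the private key.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Print the CN of the certificate subject so it can be compared with $domain.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeeds when the certificate is still valid at the moment of the check.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Produce a throwaway self-signed pair in directory $1 for domain $2. This is
# demo material only; the real cert.pem comes back from the CA as in step 4.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -days 30 -nodes \
        -keyout "$1/key.pem" -out "$1/cert.pem" -subj "/CN=$2" 2>/dev/null
}

# Run all three checks on a pair: exit status is the verdict, reasons go to stderr.
check_pair() {
    domain="$1"; cert="$2"; key="$3"; status=0
    cert_key_match "$cert" "$key" || { echo "key does not match cert" >&2; status=1; }
    [ "$(cert_cn "$cert")" = "$domain" ] || { echo "CN is not $domain" >&2; status=1; }
    cert_not_expired "$cert" || { echo "certificate expired" >&2; status=1; }
    return $status
}
```

On a real host, run `check_pair "$domain" /etc/local/$domain/cert.pem /etc/local/$domain/key.pem` and only enable the site when it exits 0.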
Misc / UpDate :
grep 'BEGIN CERTIFICATE' /etc/apache2/ssl/$domain.*
grep 'BEGIN CERTIFICATE' /etc/apache2/ssl/$domain.crt
openssl req -days 365 -new -newkey rsa:2048 -keyout key.pem -out request.pem -subj "/CN=$domain" -nodes
openssl req -new -newkey rsa -keyout key.pem -out request.pem -subj "/CN=$domain" -nodes
#/etc/apache2/sites-available/default-ssl
openssl s_client -connect localhost:443
CONNECTED(00000003)
1074246864:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
wget -O- -np https://localhost:8022
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
aptitude reinstall apache2.2-common apache2-utils apache2
konqueror: An error occurred while loading https://localhost:443/
lynx -dump -head https://localhost
Looking up localhost
Making HTTPS connection to localhost
Retrying connection without TLS.
Looking up localhost
Making HTTPS connection to localhost
Alert!: Unable to make secure connection to remote host.
lynx: Can't access startfile https://localhost/
* http://mario.espaciolinux.com/apache2_ssl.html
* https://joloridi.net/wikini/wakka.php?wiki=DebianCertificatSSL
apache2-ssl-certificate : http://bugs.debian.org/395823
Check cacert …
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
Fixed:
sudo a2ensite default-ssl && sudo invoke-rc.d apache2 restart
... uses an invalid security certificate. The certificate is not trusted because it is self signed. The certificate is not valid for any server names. (Error code: sec_error_untrusted_issuer)
This personal certificate can't be installed because you do not own the corresponding private key which was created when the certificate was requested.
http://wiki.cacert.org/FAQ/MissingPrivateKey
locate \.p12
locate \.pkcs12
locate \.pfx
Untrusted :
Error 207 net:ERR_CERT_INVALID
The site's security certificate is not trusted!
Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration
a2enmod ssl
I had my ajaxterm broken, then I investigated apache errors like “Error Code: -12263” and I finally figured out that apache2 requires this module as well:
a2enmod proxy_http
"Short write() to server"
* http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_2_1_RTM/src/nss-3.2.1/mozilla/security/nss/cmd/ssltap/ssltap.c
bitlbee:
@root | jabber - Couldn't log in: Short write() to server
Connection Interrupted The connection to the server was reset while the page was loading. The network link was interrupted while negotiating a connection. Please try again.
SSLCertificateKeyFile: file '/etc/apache2/ssl/apache.pem' does not exist or is empty
[Dovecot] Major CPU spike for SSL parameters?
root 26250 77.6 0.5 5052 652 ? RN 10:53 7:58 dovecot/ssl-params