Clayton's Tech Bits

Home

Contact

Resumé / C.V.

Links

Search this site:

Categories:

/ (224)
  Admin/ (86)
    Apache/ (7)
      HTTPS-SSL/ (4)
    Cherokee/ (1)
    LAN/ (4)
    LVM/ (3)
    Monitoring/ (2)
      munin/ (2)
    OpenVPN/ (1)
    SSH-Proxy/ (3)
    SSH-SSL/ (6)
    backups/ (16)
      SpiderOak/ (1)
      backuppc/ (5)
      dirvish/ (1)
      misc/ (6)
      rdiff-backup/ (1)
      rsync/ (1)
      unison/ (1)
    commandLine/ (11)
    crontab/ (1)
    databases/ (8)
      MSSQL/ (2)
      MySQL/ (5)
      PostgreSQL/ (1)
    dynamicDNS/ (2)
    email/ (9)
      Dovecot/ (1)
      deliverability/ (1)
      misc/ (1)
      postfix/ (6)
    iptables/ (2)
    virtualization/ (8)
      VMware/ (1)
      virtualBox/ (7)
  Coding/ (11)
    bash/ (1)
    gdb/ (1)
    git/ (2)
    php/ (4)
    python/ (3)
      Django/ (1)
  Education/ (1)
  Hosting/ (23)
    Amazon/ (14)
      EBS/ (3)
      EC2/ (11)
    Godaddy/ (2)
    NearlyFreeSpeech/ (3)
    Rackspace/ (1)
    vpslink/ (3)
  Linux/ (20)
    Awesome/ (3)
    CPUfreq/ (1)
    Chinese/ (1)
    Debian/ (5)
      WPA/ (1)
    audio/ (1)
    encryption/ (2)
    fonts/ (1)
    misc/ (4)
    router-bridge/ (2)
  SW/ (39)
    browser/ (2)
      Chrome/ (1)
      Firefox/ (1)
    business/ (25)
      Drupal/ (8)
      KnowledgeTree/ (6)
      Redmine/ (2)
      SugarCRM/ (6)
      WebERP/ (2)
      eGroupware/ (1)
    email/ (1)
    fileSharing/ (1)
      mldonkey/ (1)
    graphics/ (2)
    research/ (2)
    website/ (6)
      blog/ (6)
        blosxom/ (3)
        rss2email/ (1)
        webgen/ (1)
  Security/ (12)
    IMchat/ (1)
    circumvention/ (2)
    e-mail/ (4)
    greatFirewall/ (1)
    hacking/ (1)
    password/ (1)
    privacy/ (1)
    skype/ (1)
  Services/ (1)
    fileSharing/ (1)
  TechWriting/ (1)
  xHW/ (13)
    Lenovo/ (1)
    Motorola_A1200/ (2)
    Thinkpad_600e/ (1)
    Thinkpad_a21m/ (3)
    Thinkpad_i1300/ (1)
    Thinkpad_x24/ (1)
    USB_audio/ (1)
    scanner/ (1)
    wirelessCards/ (2)
  xLife/ (17)
    China/ (9)
      Beijing/ (5)
        OpenSource/ (3)
    Expatriation/ (1)
    Vietnam/ (7)

Archives:

2012/03

2012/01

2011/12

2011/11

2011/10

2011/09

2011/08

2011/07

2011/06

2011/05

2011/04

2011/02

2010/12

2010/11

2010/10

2010/09

2010/08

2010/07

2010/06

2010/05

2010/04

2010/03

2010/02

2010/01

2009/12

2009/11

2009/10

2009/09

2009/08

2009/07

2009/06

2009/05

2009/04

2009/03

2009/02

2009/01

2008/12

2008/11

2008/10

2008/09

Subscribe XML RSS Feed

Wed, 16 Sep 2009

---

/Admin/Apache/HTTPS-SSL: Desktop Apache https Quick Start

I expect to be accessing some services on my laptop via Apache over an untrusted network in the near future, so I need to turn on SSL.

As usual, turn on the Apache SSL module:

cd /etc/apache2/mods-enabled/
ln -s ../mods-available/ssl.conf .
ln -s ../mods-available/ssl.load .

and the default SSL configuration:

cd /etc/apache2/sites-enabled/
ln -s ../sites-available/default-ssl 001-default-ssl

Now restart Apache and it just works!? Apparently there is a "snakeoil" certificate already in place to get the job done. Trivial. Thank you, Debian Apache packagers.

posted at: 08:23 | path: /Admin/Apache/HTTPS-SSL | permanent link to this entry

Wed, 01 Apr 2009

---

/Admin/Apache/HTTPS-SSL: SSL Certificates 101

Generally speaking, it would appear that a vanilla single root SSL certificate, self-signed or otherwise, is only good for exactly one domain that corresponds exactly to the "common name" used in creating the certificate.

Some vendors[1] sell something called a "wildcard" certificate, where the common name on the certificate takes the form of "*.domain.com", and can be used to secure multiple sub-domains. Such a "wildcard" certificate, not suprisingly, seems to be considerably more expensive then a single root certificate. Apache even provides a built-in mechanism using a document root wildcard[2] for mapping each sub-domain to a different document root.

Some vendors like Godaddy[3] sell multiple domain certificates which seem to provide a discount to purchasing the same number of single root certificates.

A good source for a free certificate is cacert.org[4]. cacert.org will sign a certificate for you for a domain if your e-mail address is in the whois record for the domain (this is an automated process on their end, they verify your identity by sending you a link in an e-mail ....) The Apache website[5] has a nice concise explanation of how to create a server key and certificate signing request for cacert.org (or anyone else....)

Basically the process is[7]:

• Get an account on cacert.org.
• In the domains section of your cacert.org account, add the domain that you wish to issue Apache certificates for.
• Use the cacert.org way[8] to generate key try.key and certificate request try.csr (note that apache.org[5] suggests a multi-step method for the same process):

  openssl req -nodes -new -keyout try.key -out try.csr

• In the above, you only need to enter the "Common Name" exactly the same as the sub-domain that you want the certificate to work for. All other prompts may be ignored.
• Double-check the certificate request:

  openssl req -noout -text -in try.csr

• On the cacert.org site, select "New" in the "Server Certificates" section, and paste the contents of the above .csr file into the input box.
• Then create a new certificate file (.crt) file on your server, and paste the key output by cacert.org into this file.
• In the appropriate Apache VirtualHost section in /etc/apache2/sites-available/, point SSLCertificateFile at the path of your new certificate, and point SSLCertificateKeyFile at the path of the key that it was generated from (the Certificate Signing Request [.csr] is no longer needed).

cacert.org certificates seem to be good for six months. They send you an e-mail in advance of expiry.

For a particular SSL-enabled Apache virtual host, force users to always use https by placing a redirect in http virtual host, ie.:

<VirtualHost *:80> DocumentRoot /var/www/vsc/apps ServerName apps.vancouversolidcomputing.com ServerAlias apps.vancouversolidcomputing.com ServerAdmin ckoeni@gmail.com CustomLog /var/log/apache2/access.log combined Redirect / https://apps.vancouversolidcomputing.com/ </VirtualHost>

[1] http://www.sslshopper.com/best-ssl-wildcard-certificate.html
[2] http://phaseshiftllc.com/archives/2008/10/27/multiple-secure-subdomains-with-a-wildcard-ssl-certificate
[3] http://www.godaddy.com/gdshop/ssl/ssl.asp?ci=9039
[4] https://www.cacert.org/
[5] http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#realcert
[6] http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#removepassphrase
[7] http://www.cacert.org/help.php?id=6
[8] http://www.cacert.org/help.php?id=4

posted at: 23:57 | path: /Admin/Apache/HTTPS-SSL | permanent link to this entry

---

/Admin/Apache/HTTPS-SSL: Multiple SSL Certificates in Apache

As I noted in an earlier post, name-based virtual hosting "seemed" to be working. "Seemed". In fact, the virtual hosts were finding the correct web root and loading the correct site, but browsers were consistently giving an error to the effect that the domain name in the certificate and the domain name the browser was pointed to were not the same.

Someone on the cacert.org e-mail list[1] set me straight:

From: Pete Stephenson
To: cacert-support@lists.cacert.org
Subject: Re: Certificate somehow associated with wrong sub-domain?

Both subdomains share the same IP address.

SSL is IP-based, rather than name-based. Specifically, when a client
connects to a server, it establishes the SSL connection prior to
sending the HTTP Host header, so the server has no idea which specific
certificate to send. Depending on the server, it may send the first
certificate mentioned in the configuration file or do something else
entirely.

You can solve this by adding multiple SubjectAltNames to a certificate
(e.g. you'd have a SAN for apps.vancouversolidcomputing.com and
another one for vsc.vancouversolidcomputing.com all in a single
certificate) and telling your server to use the same certificate for
both subdomains.

More details, including a handy shell script which can generate the
required CSR (some options, like the RSA key length are manually
configurable in the shell script; it doesn't prompt the user for the
keylength), are available here:
http://wiki.cacert.org/wiki/VhostTaskForce

Cheers!
-Pete

So what I take from this is:

• If one has more then one domain to which one wants / needs to assign more then one SSL certificate, then each domain / certificate needs its own IP address for IP-based virtual hosts.
• If one uses just one certificate containing multiple SubjectAltNames one can get away with only one IP address and name-based virtual hosts.

This page[2] talks about the issue in general, and the various somewhat fuzzy and partially supported options -- "Currently the different browsers, servers and CAs all implement different and incompatible ways to use SSL certificates for several VHosts on the same server" -- this situation has not been entirely standardized yet!

This page[3] seems to recommend the cacert.org way to setup Apache with the right kind of multiple SubjectAltName certificate, complete with a script[4] for generating an appropriate Certificate Request and associated key. I used the script to generate the request, and sure enough:

# openssl req -noout -text -in vancouversolidcomputing_csr.pem Certificate Request: Data: Version: 0 (0x0) Subject: CN=www.vancouversolidcomputing.com <snip> Requested Extensions: X509v3 Subject Alternative Name: DNS:www.vancouversolidcomputing.com, DNS:vancouversolidcomputing.com, DNS:printshopdemo.vancouversolidcomputing.com, DNS:vsc.vancouversolidcomputing.com , DNS:solid.vancouversolidcomputing.com, DNS:apps.vancouversolidcomputing.com, DNS:ofri.vancouversolidcomputing.com <snip>

out comes a Certificate Request with multiple SubjectAltNames.

I then replaced *all* certificates in my Apache virtual hosts with this new certificate, ie.

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/vancouversolidcomputing_crt.pem
SSLCertificateKeyFile /etc/apache2/ssl/vancouversolidcomputing_privatekey.pem

in each virtual host block for each sub-domain / web root.

The certificate now works flawlessly in Iceape (which apparently contains the cacert.org Certificate Authority information) and Internet Explorer still complains about an untrusted Certificate Authority. Neither complains about domain names not matching, which was happening before.

[3] contained several other directives in each of the SSL virtual host blocks:

UseCanonicalName On
SSLCipherSuite HIGH
SSLProtocol all -SSLv2

but I have so far found these unnecessary.

[1] https://lists.cacert.org/wws/info/cacert-support
[2] http://wiki.cacert.org/wiki/VhostTaskForce
[3] http://wiki.cacert.org/wiki/CSRGenerator
[4] http://svn.cacert.org/CAcert/Software/CSRGenerator/csr

posted at: 23:30 | path: /Admin/Apache/HTTPS-SSL | permanent link to this entry

Sat, 14 Mar 2009

---

/Admin/Apache/HTTPS-SSL: Turn on SSL in Apache

Turn on the SSL module:

cd /etc/apache2/mods-enabled/
ln -s ../mods-available/ssl.conf .
ln -s ../mods-available/ssl.load .
/etc/init.d/apache2 restart

In Debian, /etc/apache2/mods-enabled/ports.conf should already have logic to listen on the default port 443 if the SSL module is loaded.

Now create a self-signed certificate (tinyca is a nice simple GUI that will do the job....) Just enter minimal information, and export the newly generated cert and key to files, being careful to set the expiration date nice and long, and export the key WITHOUT a password (otherwise you will have to provide a password every time apache is restarted).

Copy the exported certificate files to your server, into directory /etc/apache2/ssl. Now create an SSL block in the Apache Virtual Host where you would like SSL. The *:80 block will respond to normal http requests, and the *:443 block will respond to https (SSL) requests:

<VirtualHost *:80> DocumentRoot /var/www/webroot ServerName subdomain.domain.com ServerAlias subdomain.domain.com ServerAdmin webmaster@domain.com CustomLog /var/log/apache2/access.log combined </VirtualHost> NameVirtualHost *:443 <VirtualHost *:443> DocumentRoot /var/www/webroot ServerName subdomain.domain.com ServerAlias subdomain.domain.com ServerAdmin webmaster@domain.com CustomLog /var/log/apache2/access.log combined SSLEngine on SSLCertificateFile /etc/apache2/ssl/cert.pem SSLCertificateKeyFile /etc/apache2/ssl/key.pem </VirtualHost>

I am not sure why the 443 block requires a NameVirtualHost line and the 80 block does not. Interestingly enough, this[2] says "Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol", which might have something to do with it? But despite this[3] I currently HAVE got name-based virtual hosting working on SSL, unless there is something I do not understand here.

Here is a useful reference[1], in addition to the installed apache docs.

[1] http://www.debian-administration.org/articles/349
[2] http://httpd.apache.org/docs/2.2/vhosts/name-based.html
[3] http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts

posted at: 01:01 | path: /Admin/Apache/HTTPS-SSL | permanent link to this entry