Ubuntu Security :: SSL Cert And CSR - Generating An HTTPS Cert For Apache And / Or Mail Access?

Aug 9, 2011

I'm about to create a CSR and was reading this page in the Ubuntu docs: [URL] A couple of things:

* There's no date on the article. The documentation needs DATES because this information gets out of date! Check MySQL docs, for instance -- they are organized by version.
* The instructions for generating a cert only specify 2048 bits. I believe that's kind of out of date? The Verisign site has big red warnings saying you need 2048 if you want your cert to last past 2013 -- and that article is 4 years old!
* The instructions are confusing when discussing the passphrase. We enter a passphrase only to remove it immediately. We need some clarity here. Why do this?

How to understand the current best practices for generating an HTTPS cert for apache and/or mail access?


Ubuntu Security :: Verisign Cert Not Trusted?

Jan 28, 2011

I'm trying to access a Verisign signed site [URL] and getting a certificate not known error when I do. Do I really need to import Verisign? If so, how?


Ubuntu Servers :: Installing Ssl Cert On Portal Server Behind Security Router

May 27, 2010

I've setup OpenVPN-ALS (formerly known as Adito) on Ubuntu Server 10.04 edition. I have a security router (Untangle) in front of my internal network. I have a domain name and an SSL Certificate setup on our security router. I can access our web interface on our security router with no problems.

I've set up a port-forward rule on our router to access this OpenVPN-ALS portal and I can access it, but I get an invalid certificate message. So I've bought another SSL certificate to install on our Portal, but I'm getting an error message when I enter our information at the provider where I've bought the certificate.

Common Name does not contain fully qualified domain name. I'm not sure what the problem is. Do I use the hostname I've setup on the portal or do I use the hostname on my security router when I setup the SSL certificate on our portal?


Security :: Can't Import A Cert - Signed With OpenSSL- Into A Java Key Store Using Keytool

Feb 11, 2011

When I do a "openssl x509 -in server1.pem -issuer -noout" after I've supposedly signed it with the CA, the issuer is, for some reason, the DN string of server1. If server1 generated the CSR, and it is coming up as issued by server1, doesn't that indicate a self signed cert? How could the CA be producing a cert that has an issuer of another server? Am I just completely off base? Sorry, I'm a bit of a newb with the SSL pieces.

I hope this is the right place for this, but I'm having some difficulty using the java keytool and OpenSSL tool on a Solaris system.

I have a server (CA server) with OpenSSL installed that I would like to use as a Certificate Authority. The second server (server1) is a WebLogic server with JDK 1.6.0_21. I'm trying to configure it to use a certificate that has been signed by server1.

For some reason it keeps giving me this error when I try to import the signed SSL certificate: keytool error: java.lang.Exception: Public keys in reply and keystore don't match

Am I doing something wrong in this whole process?

1) Generate the Private Key for the CA server
openssl genrsa -out CA.key -des 2048

2) Generate the CSR on the CA
openssl req -new -key CA.key -out CA.csr

3) Sign the new CSR so that it can be used as the root certificate
openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 730 -req -in CA.csr -out CA.pem -extfile /usr/local/ssl/openssl.cnf

4) On server1, create Server Private Key KeyStore
keytool -genkey -alias server1 -keysize 2048 -keyalg RSA -keystore server1.jks -dname "CN=server1.domain.com,OU=Organization,O=Company,L=City,ST=State,C=US"

5) On server1, create a CSR from the recently created Private Key
keytool -certreq -alias server1 -sigalg SHA1WithRSA -keystore server1.jks -file server1.csr

6) Transfer the CSR over to the CA (server1) so that it can be signed
openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 365 -req -in server1.csr -out server1.pem -extfile /usr/local/ssl/openssl.cnf

7) Transfer CA Public Cert to server1 and Import into keytool
keytool -import -trustcacerts -alias CA_Public -file CA.pem -keystore server1.jks

8) Import recently signed CSR to app server keystore (This is where I receive the error)
keytool -import -trustcacerts -alias server1 -file server1.pem -keystore server1.jks


Ubuntu Servers :: Web Authentication Using Client Cert?

Aug 6, 2011

I am running an Ubuntu server and want to host a web application (PHP/MySQL based); however, I don't want to use usernames and passwords for authentication. I'd like to use a client certificate. The military uses similar technology, using the CAC card to provide the certificate for authentication.

Not sure if this would be done using the Apache modules or if PHP would be a better place to play with this.


Fedora Servers :: Building A Cert From A CRT File?

Feb 8, 2010

I need to build a cert from a CRT file.


OpenSUSE Network :: Reinstall Ssl-cert Package Again?

Apr 5, 2011

I removed using yast the package "ssl-cert". At this point yast2 started throwing the error:

Code:
Download failed:
Download (curl) error for 'https://nu.novell.com/repo/repoindex.xml?cookies=0&credentials=NCCcredentials':
Error code: Unrecognized error
Error message: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

And of course a redownload and install of ssl-cert is not possible; I get the same error. So I tried downloading and installing the openssl package by hand, but still I got nowhere. Does anyone know how to reinstall this ssl-cert package again?


Server :: Setting Up SSL Cert - 404 Error Not Found

May 18, 2010

I'm having some problems setting up SSL certs.

Here's what I've done...

In the file ssl.conf I have (along with all the normal stuff):

Quote:

But, when I navigate to [url], I get a 404 error (not found).

My SSL cert is with GoDaddy. I created the key and a csr file, for which GoDaddy supplied me with the files mydomain.com.crt and gd_bundle.crt. I placed all the files where they should be, and restarted Apache.

And... 404. No errors on Apache restart.

The cert still seems to be showing up as localhost.localdomain:

Quote:

When I go to [url], I'm told the cert is still a "self signed" cert (out of date, by the way).

The GoDaddy "help" on this (such that it is) is here: [url]


Ubuntu :: Transfer A Tiny CA Cert To A Windows Server 2003?

Apr 14, 2010

At work we are trying to avoid paying for a cert for our outlook owa. I thought of Tiny CA, but can't find a windows variant, it appears to depend on things that would not allow that.

Does anyone know if it is possible to create a Tiny CA Cert and install it on a Windows Server 2003? If not does anyone know of a good free Cert creation utility for Winedoze.

I have a feeling this is going to be another feather in the basket to convince my boss to go Ubuntu.


Fedora :: Use Yum Install Openvpn And I Am Stuck On How Can Input A Cert And Run The VPN?

Jul 3, 2009

I am new and I need help to install VPN. I have used yum install openvpn and I am stuck on how I can input a cert and run the VPN.


OpenSUSE Network :: Nagios Won't Monitor Service With Self Signed Cert

Jan 14, 2011

Updating my install of OpenSUSE from 11.0 to 11.3, I noticed that the Nagios network monitor can no longer probe servers with self-signed certs. It appears to be any monitor that uses openssl 1.0.0 that has an issue. If I install the openssl 0.9.8 libraries and use old plugins linked against it, they work fine.


Server :: UCC SSL Cert Error - Key Values Missmatch - On Remote Servers

May 4, 2010

I have a Godaddy UCC (Multiple domain) certificate for the following domains:

example.com
upload1-example.com
upload2-example.com

The rsa was generated from example.com server using example.com as CN Common name.

GoDaddy's website adds the extra names to a CSR you provide, does the checks and grants the cert.

My problem is that whilst the certificate works fine on the server example.com (from which the csr was created), it comes up with two errors when restarting apache on remote servers.

1>> Certificate common name does not match server name
2>> SSL Library error - check private key:key missmatch.

I don't understand how these keys could ever work, as no reference to the private keys of the remote servers is ever used in creating the UCC certificate.

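An added example, not code from either post: before importing a CA reply into a keystore, or before copying a certificate to another host, check what the reply actually contains. The script (openssl only, scratch directory, constructed file names and subjects) issues server1's certificate the way a CA should, reproduces the `-signkey` step from the keytool question above to show what it yields, and runs the private-key-to-certificate check that the UCC post's remote servers fail.

```shell
#!/bin/sh
# Added example, not code from either forum post. Uses only openssl in a
# scratch directory; every file name and subject here is constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# CA: private key plus self-signed root. The CA's own certificate is the one
# place a self-signing option such as -signkey belongs.
openssl genrsa -out CA.key 2048 2>/dev/null
openssl req -new -x509 -key CA.key -days 730 -subj "/CN=Example Test CA" -out CA.pem

# server1: private key plus CSR (keytool -genkey / -certreq yield the same two artefacts).
openssl genrsa -out server1.key 2048 2>/dev/null
openssl req -new -key server1.key -subj "/CN=server1.example.com" -out server1.csr

# Correct issuance: -CA/-CAkey make CA.pem the issuer and keep the CSR's public key.
sign_csr() {   # sign_csr CSR OUT
    openssl x509 -req -in "$1" -CA CA.pem -CAkey CA.key -CAcreateserial \
        -days 365 -out "$2" 2>/dev/null
}

# The keytool post's step 6. -signkey self-signs: the issuer becomes the CSR's
# own subject and the public key is the signing key's, not server1's, which is
# what "Public keys in reply and keystore don't match" is reporting.
sign_csr_selfsigned() {   # sign_csr_selfsigned CSR OUT
    openssl x509 -req -in "$1" -signkey CA.key -days 365 -out "$2" 2>/dev/null
}

# Pre-import check: print "ok", or the problems found, for a CA reply CERT
# answering CSR. Run it before `keytool -import`, not after it fails.
check_reply() {   # check_reply CSR CERT
    problems=""
    issuer=$(openssl x509 -in "$2" -noout -issuer)
    ca_subject=$(openssl x509 -in CA.pem -noout -subject)
    [ "${issuer#issuer=}" = "${ca_subject#subject=}" ] || problems="$problems bad-issuer"
    csr_pub=$(openssl req -in "$1" -noout -pubkey)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$csr_pub" = "$crt_pub" ] || problems="$problems pubkey-mismatch"
    problems="${problems# }"
    echo "${problems:-ok}"
}

# The UCC post's "key values mismatch": a certificate only ever matches the
# private key whose CSR it answers, so a cert copied to another host (which has
# its own key) fails mod_ssl's private-key check. Print "match" or "mismatch".
key_matches_cert() {   # key_matches_cert KEY CERT
    key_pub=$(openssl pkey -in "$1" -pubout)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$key_pub" = "$crt_pub" ] && echo match || echo mismatch
}

# Demonstration
sign_csr server1.csr server1.pem
sign_csr_selfsigned server1.csr wrong.pem
openssl genrsa -out remote.key 2048 2>/dev/null     # a second host's own key
echo "CA-signed reply:     $(check_reply server1.csr server1.pem)"
echo "-signkey reply:      $(check_reply server1.csr wrong.pem)"
echo "own key vs cert:     $(key_matches_cert server1.key server1.pem)"
echo "remote key vs cert:  $(key_matches_cert remote.key server1.pem)"
```

The issuer and subject strings are compared after stripping the `issuer=`/`subject=` prefixes, so the check works with both the old and the new openssl name formatting.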

Server :: Setup An Ssh Server That Doesn't Require A Username,password Or Cert To Login?

Jun 22, 2010

Is it possible to somehow set up an ssh server that doesn't require a username, password or cert to login? I wish to provide shell access to a console program, which will prompt for a username and password. Encryption is essential though, and users must not be able to snoop in on each other.


Server :: Postfix Rejecting Self-signed Cert On Remote Smtp Server?

Jun 24, 2011

I've got an uber simple test mail script in php on my awesome new dev machine running Ubuntu:

PHP Code:

Unfortunately, something is preventing mail delivery. I can't tell from this error log whether it's the remote machine rejecting me or whether it's my machine rejecting the self-signed cert on the remote machine:

Code:

I'm wondering what I could change in my postfix configuration to remedy this problem.

I tried setting smtp_tls_security_level = may = may but this did not change anything.


OpenSUSE Network :: Connecting To WPA Enterprise Network Using A CA Root Cert?

May 2, 2011

I am facing an issue connecting to a WPA Enterprise network using a CA Root Cert. I have traced it to a bug report here [URL]. When is the fix going to get pushed?


Security :: Block Only Gmail Access Through Https?

Nov 5, 2010

My problem is: I want to stop gmail access without blocking https. Yes, in my squid proxy normal http://gmail.com is not accessible. But gmail recently started an https service by which users can still get access to gmail. I DON'T WANT TO STOP https BECAUSE IT'S BEING USED BY MY COMPANY'S GOOGLE MAIL PROGRAM.


Security :: URL (Not URI) In Apache Access Log?

Mar 6, 2010

I happened to be looking at my Apache-2.2.8 log on an Ubuntu LTS 8.04.4 system, and noticed a few lines like this:
Code:
61.160.212.242 - - [06/Mar/2010:07:04:41 -0800] "GET http://218.30.115.246/ HTTP/1.1" 200 295 "-" "-"
61.160.212.242 - - [06/Mar/2010:07:05:29 -0800] "GET http://218.30.115.246/ HTTP/1.1" 200 295 "-" "-"
xxx.xxx.xxx.xxx - - [06/Mar/2010:07:56:15 -0800] "GET http://218.30.115.246/ HTTP/1.1" 400 290 "-" "-"

(The third line is me telnetting to the server and trying to issue the same request. Note that I got a 400 error response, while the guy coming from 61.160.212.242 got 200s. Also, if you just open the http://218.30.114.246/ URL, you get back "hello" (nothing else, just 5 characters). I'm presently putting together a bootable CD with chkrootkit to run on the machine. (I found a thread that mentioned in passing that this was related to PHP, which I have running on that Apache server, but my Google-fu isn't strong enough to track down the original thread.) (After checking with chkrootkit: nothing unusual found.)

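An added example, not code from the post above: a small awk pass that pulls out the proxy-style request lines the poster noticed (an absolute URL as the request target) and tallies them per client and by response class, which is the first thing to do before reaching for chkrootkit. It goes one step beyond the post by also catching CONNECT requests; the log lines are constructed in the same Combined format, with documentation address ranges in place of real hosts.

```shell
#!/bin/sh
# Added example, not code from the forum post. The log lines below are
# constructed (documentation address ranges) in the same Combined format as
# the post; they stand in for a real /var/log/apache2/access.log.
set -e
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
203.0.113.9 - - [06/Mar/2010:07:04:41 -0800] "GET http://198.51.100.7/ HTTP/1.1" 200 295 "-" "-"
203.0.113.9 - - [06/Mar/2010:07:05:29 -0800] "GET http://198.51.100.7/ HTTP/1.1" 200 295 "-" "-"
203.0.113.9 - - [06/Mar/2010:07:06:10 -0800] "CONNECT 198.51.100.7:443 HTTP/1.1" 405 310 "-" "-"
192.0.2.44 - - [06/Mar/2010:07:56:15 -0800] "GET http://198.51.100.7/ HTTP/1.1" 400 290 "-" "-"
192.0.2.10 - - [06/Mar/2010:08:01:02 -0800] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
EOF

# Print "client status method target" for every request whose target is an
# absolute URL or a CONNECT host:port, i.e. a request written for a proxy
# rather than for this server. Fields follow the Common/Combined format:
# $1 client, $6 "METHOD, $7 target, $9 status.
proxy_style_requests() {   # proxy_style_requests LOGFILE
    awk '{ method = substr($6, 2) }
         $7 ~ /^https?:\/\// || method == "CONNECT" { print $1, $9, method, $7 }' "$1"
}

# One line per client: proxy-style requests sent, and how many got a 2xx.
# Apache accepts absolute URLs for its own vhosts, so a 2xx alone does not
# prove an open proxy; it is the prompt to confirm that mod_proxy forwarding
# (ProxyRequests On) is off and that the body served was your own content.
proxy_summary() {   # proxy_summary LOGFILE
    proxy_style_requests "$1" |
    awk '{ total[$1]++; if ($2 ~ /^2/) ok[$1]++ }
         END { for (c in total) printf "%s %d %d\n", c, total[c], ok[c] + 0 }' |
    sort
}

# Total number of proxy-style requests answered with 2xx.
served_count() {   # served_count LOGFILE
    proxy_summary "$1" | awk '{ n += $3 } END { print n + 0 }'
}

proxy_summary "$LOG"
echo "proxy-style requests answered 2xx: $(served_count "$LOG")"
```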

Server :: Generating Apache Log Reports With Specific Format?

Jul 1, 2011

I'm trying to find some tool for generating reports based on apache access_log files (of Common format). I found some of them (awstats, lire/logreport, weblog expert, apache logs viewer, etc.) but they generate some global and general report about the log file. Also, some Perl scripts I found just show the Top X number of different patterns. My request is: how can I generate a report with this output:

IP-s | Total nr. of connections | Number of pages visited | Total time of connection

So basically this is a list with every IP on the log and the respective numbers (connection/pages/time) associated.


Ubuntu Security :: PHP Is Not Running Under Apache 2 And Limited By The Www-data Filesystem Access?

Jun 30, 2010

I'm about to have a web server at home for the first time. I've always missed having full control and not having to contact my hosting company when I need to do some specific changes - and some changes they won't do for you at all. I've chosen the non-GUI Ubuntu Server with LAMP, and nothing more is installed really except for a couple of command line tools from the repository. The LAMP software has been locked down as well as I can by following some guides on the net and using common sense. Like Apache 2 doesn't have access to the file system except for the www folder, and setting the headers to Prod. MySQL has skip-networking and I've commented out the listen string to localhost. PHP has a truckload of functions that I've disabled in the php.ini, also by following some guides on the net, among some other security enhancing php.ini editing.

The only thing the server will serve is a well-known PHP forum and some HTML docs, and that's all. Nothing advanced or complicated, and I'm definitely not programming PHP myself or letting anyone do it for me. But I do want to sleep well at night knowing that my server is always on and sitting on the edge of my home network! And can I do that? I've heard that you don't need to be worried about getting your Linux server box hacked, but you should be worried about anyone getting root access to it. But is it really that simple? Ubuntu is shipped without a root account and you must have the sudo password, right? What are the odds of anyone getting full access to my system?

An issue: I've heard that Apache must never run as root. When I do a ps -ef, I see that there are several www-data processes running apache, but there's one root process running apache too. Is this normal and is it safe?

An issue: I've heard that PHP can fail pretty easily. But isn't PHP running under Apache 2 and limited by the www-data filesystem access?

An issue: MySQL is running as a MySQL user, and I guess that's an unprivileged user, right?


Ubuntu Networking :: The Phone Can Access The Internet Through The Computer Unable To Get Access To Https Sites, Like Webmails

Dec 31, 2010

I managed to configure my W890i phone to get access to the internet through an Ubuntu-based computer. It's very easy to use the phone to give internet access to the computer, but the opposite is quite a bit more tricky. For that I've done the following:

----On the phone---

-Set the USB network option to "through computer", so that the phone uses the computer's internet connection and not the opposite.

-Decide and set "Shared Network" parameters: user, password and workgroup.

-In "connectivity -> internet connection" set "allow local network" to "yes"

----On Ubuntu 10.04---

-Install samba, samba-client, smbfs, smbclient, firestarter and dhcp3-server

-Configure Samba (System-> Administration-> Shared folders): same workgroup as in the phone, add new user (the phone), passwd this new user. In my case the user was called "w890i" and the password given was the same.

-Once the phone is connected to the computer through USB (then select "phone mode"), a new connection appears in NetworkManager: usb0. The aim is to create a shared network that gives internet access to this device. Edit the IPv4 parameters of this new connection, set them to Manual and give an IP address (192.168.0.1) and a subnet mask (255.255.255.0); the rest of the fields are left empty. Connect this network.

-Set firestarter to use dhcp3: sudo ln -sf /etc/init.d/dhcp3-server /etc/init.d/dhcpd

-Launch firestarter and follow the wizard. Set "allow internet shared connection", choose the device for the primary internet access, and then the device for the shared network (usb0). Then change the settings for firestarter: activate DHCP for local network, set IP to the one we gave before (192.168.0.1).

-Open dhcp3-server config file sudo gedit /etc/default/dhcp3-server And set INTERFACES="usb0"

-Set the policies of firestarter: in incoming connections, allow connections from the IP address given to the phone (192.168.0.1). Then add rules for the ports that need to be open for this connection. I opened HTTP, HTTPS, SMB, SMTP, POP3, IMAP, IMAPS, DHCP for all the connections in the local network.

-Apply policies and start the firewall.

------------

After all this, the phone can access the internet through the computer. Two problems appeared:

1. I couldn't get access to https sites, like webmails. The phone gave a "communication error". But then I tried with Opera instead of the browser built in the phone's firmware, and I could finally get to https sites.

2. I couldn't retrieve mail, neither POP nor IMAP nor IMAPS. I thought it was a firmware problem again, and I tried out several mobile phone email clients written in java, but none of them worked.

So this is the problem at the moment. If I connect from the phone to the internet directly through 3G, the email clients work for all my accounts. I don't think it's a firewall problem, because the ports are opened for this connection.


Security :: Call Access Out Side Chroot Jail Files From Apache?

Apr 2, 2010

I have one requirement, i.e. I want to call the java file from the php function using the shell_exec command. I am using the chroot jail concept; if I use this command I get an empty file because the java environment is outside the chroot jail, so how do I access the files that are outside the chroot jail?


Security :: Generating A Key Compatible With PGP?

Jun 24, 2010

I am currently using [URL] to send and receive faxes at work. I need the faxes to be encrypted. They offer public key encryption with PGP 9.8.2. They just need my public key to be compatible with their PGP version. I found a few statements at the GPG site, which may not be true for newer versions of gpg: PGP, Inc. refuses to accept Elgamal keys of type 20 even for encryption. They only support type 16. PGP 5.x does not accept v4 signatures for data material but OpenPGP requests generation of v4 signatures for all kinds of data; that's why GnuPG defaults to them. By default, GnuPG encrypts your secret key using the Blowfish symmetric algorithm. Older PGPs will only understand 3DES, CAST5, or IDEA symmetric algorithms. PGP doesn't do Elgamal signing keys at all, so they are not usable with any version. I want to avoid using trial and error here, because an incompatible key may provoke loss of crucial information. It is difficult to estimate how long it would take them/me to find out that the key provided was not compatible; but probably it would entail a significant loss for the business.


Ubuntu Servers :: Apache Virtual Hosting On HTTPS?

Apr 11, 2011

I am trying to get name based virtual hosts all running on HTTPS (port 443) so I can run multiple sites on the one IP.

The DocumentRoot needs to be different for each host.

[URL]

However, I am unable to find where to actually enable these hosts in the configs. The apache website says to put it in httpd.conf however that file is empty on my machine.

The existing default virtual hosts are in "/etc/apache2/sites-available/default" and "default-ssl"

The main config file is /etc/apache2/apache2.conf

I am running version 2.2.16 of apache

I need to use the same .htpasswd file for all the sites.

I have configured CNAMES on my domain for all of these hosts.


Ubuntu Security :: Generating Numeric Dictionary For Wpa?

Jul 18, 2010

I just got a new internet connection from the local service provider. During installation, he insisted that I use my mobile number as the WPA password for the wifi. From what I've heard, this is company policy. I'm a little skeptical about this as I've read WPA is crackable using a dictionary if the password is in there. So I looked around and found the air-crack suite to test the security of my access point. As my password is only numeric, I couldn't find a numeric-only dictionary to use with air-crack.

So, I would like to create a dictionary that has only 10 digits, and the first two digits should be "05", because that's what mobile numbers here start with. I would be really grateful if anyone could point me to a way to do this easily.


General :: Apache, Https & Certificates Per Directory?

Nov 23, 2010

I was wondering if it is possible to have different certificates for different directories in an https directory? So what I want is that for a specific directory a specific TLS certificate is needed by the HTTP client to be authorized to the directory. Directory /var/www/html/secure/1 needs a certificate A. Directory /var/www/html/secure/2 needs a different certificate B. So I have 1 CA, which signs the other certificates of the specific directory. The HTTP client gets the certificate A or certificate B (to be authenticated for secure/1 or secure/2).


Security :: Looking For Documentation For Generating Certificates

May 10, 2011

Is there a guide somewhere that covers all the security module topics for Linux, somewhat from top to bottom? Such as LDAP, TLS, RSA secure auth... generating certs, etc. All of it and how it all ties together. Sure, I can find "you should use this", etc., or guides that don't explain much or how they work together to complete the suite. TLD seems to suffer from the same thing that I just stated...


General :: Configure Apache To Use Https Instead Of Http For Some Requests?

Mar 7, 2011

For some of the files that I share using Apache, I want to make sure that they are served ONLY via https.

How can I configure this for Apache?


Software :: Passing HTTPS Connections In Apache To Tomcat?

Apr 1, 2010

I have configured apache using mod_jk to front tomcat. Then I configured tomcat and my application to use https. but after that I cannot access it through https without adding port 8080 in the URL. I think I need to add some configurations to apache to cope with this situation, but I still couldn't find the proper config though I tried many.


Server :: Switching From Openssl To Gnutls For Https Traffic On Apache

Nov 3, 2010

For some years now I have been able to use openssl (apache-mod_ssl) to process encrypted traffic because I had, in effect, only one host - the main server - as the sole entry in our ssl_vhost.conf file.

Now we are working toward serving a couple of more secure sites for closely related organizations, but with their own distinct identities. This, in the past, would have meant additional static IPs with matching nic cards for starters. But my understanding is that since 2007/8 we have been able to use gnutls (apache-mod_gnutls) which gets around the old problem of Apache not being able to direct name-based traffic because that would not yet have been decoded. This is referred to as SNI - Server Name Indication.

Here my confusion begins. Is there an overlap between SSL and TLS? For instance, I would have generated RSA keys and a self-signed certificate with the genrsa command. Is this sufficient for gnutls or does it need to generate its own keys and certificates? I realize gnutls is relatively a new kid on the block but it is appealing and I'd like to give it a try.

I am working with the Mandriva/Mageia cooker with an x86_64 architecture so all packages are up-to-the-minute.


Debian Configuration :: Both HTTP And HTTPS On Same Server? (Apache Virtual Hosts)

Oct 30, 2015

How to best manage both http and https pages on the same apache server without conflicts? For example, if I have both 000-default.conf and 000-default-ssl.conf pointing to mydomain.com, and don't want users who visit mydomain.com without specifically typing the https prefix to be redirected to the https page - how to handle users using browser plugins such as https-everywhere etc.?

Another option would be to create a subdomain ssl.mudomain.com and have users who want to reach the ssl site type ssl. I have tested several things with https everywhere enabled in my own browser, and it seems really hard to make this work the way I want; in one way or another I always end up getting redirected to the ssl site automatically.

The reason I need this to work is because I run one site that I don't care much about SSL for, that is the "official" part of that site, and I also host some things for friends and family on the SSL part. This would not have been a problem if it wasn't that I use self-signed certificates for my ssl site and the majority of users become afraid when a certificate warning pops up in their browser and therefore leave the site.


Copyrights 2005-15 www.BigResource.com, All rights reserved