Ubuntu Servers :: Encryption With Certificate And CA?
Oct 7, 2010
I have a server with Apache2 and I would like to use encryption to prevent eavesdropping POST requests and similar. I've had success using SSL with a self-signed certificate, but this will of course generate huge warnings from the web browser. It's no problem for me when I'm connecting to the server as I know what to expect, but any other user who sees such a warning will surely leave the site unless I have personally explained the procedure.
Is there really no way to encrypt HTTP without having to use certificates? I know that this is supposed to provide security by identifying the server, but my point is that an encrypted connection without a CA would in no way be inferior to one that sends passwords as plain text. All I want to do is prevent people who are using programs such as Cain or any other packet sniffer from getting their hands on my passwords. I'm not exactly running an online bank system her
Is it possible to provide encryption over HTTPS without a certificate?
I can't afford a certificate from a CA, but I do want to provide encryption with my website... without a self-signed certificate because I hate that screen popping up on the client's computer on first visits.
A few days ago I installed a new SVN server using Ubuntu 10.04 server edition at our company and it runs almost flawlessly. Almost that is. The server uses a self-signed certificate so all communications go over https. The strange thing is this. When I run some svn command from my (Windows) PC, like update, I get asked whether or not I want to accept the certificate. Then I choose "accept permanently" and all goes well. In future commands I don't get that question anymore. But when my colleague does the same from his PC, he also gets the same question. Now, when he chooses "accept temporary", all goes smooth. But when he chooses "accept permanently", like I did, he gets an error saying:
RA layer request failed svn: OPTIONS of 'https://path_to_some_repo': Could not read status line: An established connection was aborted by the software in your host machine.
Of course I googled this and could find two things: the server settings are wrong; there's something wrong with the firmware of the router. The first couldn't almost be the case since it works for me and I followed the manuals. The second one couldn't be it either because when I log in with my account on my colleague's PC, it works. This is also the case when he logs on to my PC. So the problem exists specifically when he is logged in on his own PC. The setup of this machine is exactly the same as mine.
On startup - prompt asking for apache certificate password doesn't accept input. Can switch to another tty but can't restart apache due to the port already being bound (suppose I could change ports for apache config after startup but that's pretty ugly and clearly not the right way to address the problem).
I'm trying to install an Ubuntu cloud on my home network - I've been following this guide. When I arrived at STEP 6: Install an image from the store PART 3: Click on the Store tab I get the following error message on the page: Error 60: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
I've installed and reinstalled Ubuntu server 11.04 about five times now.
I want to have the LVM, with an encrypted partition for holding / and /home (the swap is not encrypted).
Each time, after installing, the resolution (I have not installed GNOME) is very bad and the prompt for entering the key to unlock the disk seems to scroll each time a character is entered.
The system is almost unusable at this resolution.
What can I do? I want to have an encrypted disk, but it seems at the moment that the only way to have a workable system is to install on an unencrypted partition.
How to implement a password login system that both sends passwords over the internet in an encrypted form (so my users don't get that annoying message saying "this web site is about to send your password in an unsafe form...") and stores its user data in a MySQL database? This seems to need a combination of mod_auth_digest and mod_auth_mysql.
I've set up a server on Fedora 11 using vsftpd + Berkeley database + SSL (certificate); it works perfectly. So I wanted to set up a new one on Fedora 14, and there is the problem. On my Fedora 14, I tried to use the configuration file that I made on F11 but without success. It seems that when I activate the SSL option on the server it does not want to start anymore... and I have no error messages. I notice that when I deactivate SSL with "ssl_enable=NO" my server on F14 can start normally.
I am building an active directory and using BIND9 as my DNS. To allow for secure dynamic updates from the domain, I am enabling GSS-TSIG as detailed here and here. Unfortunately, some of the commands and configurations used here seem to be deprecated, at least in the newer versions that I'm using. My issue is one of keytab encryption. I generated a keytab using ktpass.exe on the Windows Server 2008 domain controller. I have tried DES/MD5, AES128/SHA1 and AES256/SHA1; each has been turned down by ktutil on the Kerberos server (FreeBSD). Each time, it outputs the following error: ktutil: AES256/SHA1*: encryption type AES256/SHA1* not supported *Respective to encryption used.
I cannot find a list of suitable encryption schemes that ktutil will accept. The FreeBSD handbook details a means of producing a keytab file, but I'm not sure how to configure the Domain Controller to use the keytab.
I have a PDF file that needs a certificate to be shown. Its certificate is a .pfx file. I'm using Okular to view PDF files in Ubuntu 10.04. How can I use that certificate?
I opened Evolution to send an email, and up popped this warning: What's more, I can't get rid of the warning: clicking Cancel does no good, nor clicking the X in the corner of the box. And if I try to close it via the "Window Menu" at the top left corner of the box, Close does nothing. I haven't tried clicking OK, because I don't know what I'd be agreeing to.
I am trying to run Citrix XenDesktop on F13. I installed the .rpm package from their website and when I access my school's server, Firefox acts like everything is ok but then I get a certificate error. A box pops up that says 'You have not chosen to trust "AddTrust External CA Root", the issuer of the server's security certificate (SSL error 61).' and I am not sure how to handle this.
Having read how a private company is providing governments (and probably criminals) with a box that can listen in on SSL traffic by the use of forged CA certificates - [URL]. It turns out there's already a forged certificate in Firefox 3.6. Go to Edit>Preferences>Advanced>Encryption>View Certificates and look for 'Equifax Secure Inc.' - You should see a proof-of-concept rogue certificate called 'MD5 Collisions Inc.' and a link to phreedom which explains the method used to generate it. That little lock doesn't necessarily mean that you're safe...
I was troubleshooting an error with my email and in the course of it chose to ignore a faulty SSL certificate. (I've reported it to the ISP in question.) Now that I want to remove that override command, I can't work out how to do it. Where does Evolution store this setting so that I can remove it?
I am currently using vsftpd with SSL support. Currently when the certificate expires I have to generate a new certificate and distribute that new certificate among the clients. Ideally I would like automatic renewal of the certificate and that certificate to then be transferred to the client upon connection.
So I installed xubuntu-desktop and have been using XFCE as my desktop and everything's groovy except for one thing.
In Gnome, I created a certificate in order to allow me to login to my web host over SSH without requiring the SSH password (which is very long and complex, for good reason). It worked fine under Gnome but now in XFCE when I attempt to SSH to the server, my keyring password is not recognized.
Code:
andrew@guardian:~$ ssh <hostname of server>
Enter passphrase for key '/home/user/.ssh/id_dsa':
Enter passphrase for key '/home/user/.ssh/id_dsa':
Enter passphrase for key '/home/user/.ssh/id_dsa':
*****@*******.net's password:
(Note: I redacted the server name and username.)
A few weeks before switching to XFCE I changed my local username from user to andrew, which is why my home directory is called user, but it didn't break the keyring in Gnome.
How can I fix this? The certificate still works properly in PuTTY under Windows, so it's not the cert.
At home, I can easily connect to my home network with Ubuntu. But at school, things are different. The wireless security is tighter, and I need more than just my username and password to connect. (See attachment for Screenshot) The last two lines, okay, but I seem to need a certificate, and that MSCHAPv2, Anonymous identity. I don't understand what I need to enter in those fields. I only got a username and password from school and that's all I need for Windows. So why does Ubuntu want/need more info?
Just did an auto update. Among the list of things was an SSL update and now I can no longer connect to my MSN account in Pidgin. I get an error "unable to validate certificate, the certificate for Omega.contacts.msn.com could not be validated. The certificate chain present is invalid."
I just upgraded from Ubuntu 8.10 to 9.04. I installed Webmin 1.470 but when I tried to run it from Firefox 3.09 I got the following message.
localhost:10000 uses an invalid security certificate. The certificate is not trusted because it is self signed. (Error code: sec_error_untrusted_issuer).
The college I am going to has a secure wireless network that we are supposed to be able to log into with a user name and password they give us. They have instructions on how to connect with Windows and Mac, but not for Linux. Their tech support has not been any help and I have tried quite a few different combinations but with no luck.
According to their instructions for Windows, their network uses WPA-Enterprise for security type, and PEAP. They do not seem to use any root certification authorities, and they have you uncheck "validate server certificate". At [URL] there is a similar thing where you can see screenshots, but I cannot follow these because I do not know what "CA Certificate" to use. Is there a way to do it without a "CA Certificate"?
Security Type: WPA2-Enterprise Encryption Type: AES Network Authentication mode: Microsoft: Protected EAP (PEAP) - Unvalidated Server Certificate User must authenticate log-on. It's a wireless network. How to set this up for Ubuntu?
Firefox 3.6.12 on Ubuntu 10.10 on my desktop computer is reporting a "this connection is untrusted" error for sites that have security certificates provided by COMODO. Yet, the same sites work fine in Firefox 3.6.x on Windows XP, or Chromium in Ubuntu. Here is the more specific message: "The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)" The issuer is listed as "COMODO High Assurance Secure Server CA." Here are some examples that throw this error for me: [URL]... It appears that there was some controversy with COMODO and Mozilla (due to bad behavior by COMODO) in the past, but all I can find on that indicates that this should not be an issue any longer.
I am trying to connect to wireless in my office from my Ubuntu. I checked with IT - as per them our office is using Access Point networking. On a Windows machine I need to go to some URI in Internet Explorer and request a certificate and then install the same.
I tried doing the same from Firefox, but not sure how to proceed further. We don't have any WEP key etc. I tried fiddling with various other methods like LEAP, importing the certificate from Windows etc.
I use WLM (And yes, I realise odds are this is a problem on Microsoft's side) and almost every time Claws Mail connects WLM returns a new certificate. Valid, but I have to constantly accept or deny the certificate. Why is WLM pumping out fresh certs all the time and how can I fix this?
Whenever this pops up whatever I have at the moment shows "Signature status: No certificate issuer found" and the other shows "Signature status: Correct".
I am having issues with using OpenSSL. How do I view the currently used certificate? Also, do you know of a good site that has instructions on how to install a certificate? The previous user installed a GoDaddy cert for an FTP server and I need to update it because it's expiring real soon.
Got F13 installed yesterday, this afternoon I suddenly started getting Secure Connection Failed warnings. I'm not sure whose problem it is because it mentions uses an invalid security certificate. This certificate is only valid for *.opendns.com (Error Code: ssl_error_bad_cert_domain). It continues to say that someone could be impersonating the actual server. I am still receiving mail through Google and my Google calendars seem to be working. I do use OpenDNS for my DNS instead of my ISP's (Comcast, which would very often slow down) and obviously I use IMAP mail with Google on Thunderbird. So is it Google, or OpenDNS, or Thunderbird that has a problem? Firefox does not seem to have a problem.
I am trying to get openssl to verify a certificate. I will walk you through what I have done so far.
1. openssl genrsa -des3 -out connect.mydomain.com.key 2048
2. openssl req -new -key connect.mydomain.com.key -out connect.mydomain.com.csr
3. Bought an SSL from GoDaddy.
4. Submitted my CSR
5. Downloaded sf_bundle.crt (CA File I presume)
6. Downloaded connect.mydomain.com.crt
Now I can do the following:
[root@server tls]# openssl verify -CAfile sf_bundle.crt connect.mydomain.com.crt
connect.mydomain.com.crt: OK
This is specifying the CAfile.
How can I add an existing certificate (pem format) as trusted in Fedora via the command line? Do I have to copy the files to a certain keystore? Where does Fedora store the trusted certificates?