top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

SSL setup checking using apache

+2 votes
585 views

I'm using multi ipaddress setup with virtual hosts to support different certificates.

For one of the hosts we currently don't have DNS pointing to the right IP so I edited my hosts file to point myextended.host.com at the relevant IP. This host has a GlobalSign extended cert. We want to check the setup before going live.

On windows I checked that all the popular browsers see my extended certificate and see green url bars ok.

On linux chromium shows green, but on one machine firefox shows untrusted and on another it shows green.

Is there a way to check the certificate setup from a linux box without having the correct dns in place? I normally use GlobalSign's test stuff, but that won't work without the right dns in place.

posted Oct 7, 2013 by Amit Parthsarthi

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

+1 vote

OpenSSL supports each of the options you need (one at a time). http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/

Just add the server to the hosts file.

answer Oct 7, 2013 by Sanketi Garg
thanks for the above, certainly bits of my setup are OK, but now the dns has gone live and various checkers are saying that the chain is broken.

I used the instructions for GlobalSign Extended, but I'm not sure how to make use of three certs from them; ie I don't know what to do with the cross certificate.

See
https://support.globalsign.com/customer/portal/articles/1223443-intermediate-certificate---extendedssl

where it says

"As an ExtendedSSL customer you must install your end entity ExtendedSSL Certificate (received by email) and both the ExtendedSSL CA - G2 Intermediate Certificate and the GlobalSign Cross Certificate to your web server."

So I have my cert the GS root cert and the intermediate cert pointed at by the apache conf like this

     SSLCertificateFile /xxxx/etc/certs/myhost.com.crt
     SSLCertificateKeyFile /xxxx/etc/certs/myhost.key
     SSLCACertificateFile /xxxx/etc/certs/globalsign-root-ca-rc2.crt
     SSLCertificateChainFile /xxxx/etc/certs/globalsign-intermediate-extended.crt

but where / how do I inject the 'cross' certificate?

Unless you want to use client certificates from globalsign, "SSLCACertificateFile" will not make sense. See  http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile
Similar Questions
0 votes

I am trying to refresh our web site with the latest version of apache. As part of the refresh I want to enforce SSL access to the site. I've setup SSL and the site mostly works with basic authentication, but I have errors when trying to download/view video files from the web site.

I've tried several different clients and 80% of the time I get a window with a big square and if one clicks on the square it says "The specified movie could not be found". Sometime firefox on a Mac will actually play the movie but mostly not.

I can retrieve the movie using wget just fine.

In the error log a debug trace shows it making one request for the web page and the authentication for that suceeds, but then the second request for the video file is rejected because the credentials are not available! Is there an option which tells the client not to send the authentication information? or to clear when requesting?

AH01626: authorization result of Require group svsaccess: granted,
AH01626: authorization result of Require group svsaccess: denied (no authenticated user yet)

BTW, the site works as expected under non-SSL connections.

+4 votes

The ssl cert on my apache server have expired. It is actually a server at work - a important one as well so I'm a bit stressed at the moment.

The cert is renewed and I have received the cert files. I'm now trying to install them but I can't get it to work.

I thought it was as simple as just copying the new crt file to the server and restart apache but apache start fails.

I see this in the log:

509 certificate routines:X509_check_private_key:key values mismatch

Server: Apache 2.2.22 on Ubuntu 12.04. How does one install a renewed ssl cert? Do I need to create a new private key and ca-bundle? Please point me in the right direction.

+1 vote

I have 3 virtual hosts that for all I can see are configured identically other the the obviously needed differences. The same is true of the 3 crt files.

 ServerName public.mydomain.com
 DocumentRoot /var/www/html
 SSLEngine on
 SSLCertificateFile /etc/httpd/SSL/public.crt
 SSLCertificateKeyFile /etc/postfix/SSL/server.key

 ServerName distrib.mydomain.com
 DocumentRoot /var/www/html/distrib
 SSLEngine on
 SSLCertificateFile /etc/httpd/SSL/distrib.crt
 SSLCertificateKeyFile /etc/postfix/SSL/server.key

 ServerName mail.mydomain.com
 DocumentRoot /usr/local/squirrelmail/www
 SSLEngine on
 SSLCertificateFile /etc/httpd/SSL/mail.crt
 SSLCertificateKeyFile /etc/postfix/SSL/server.key

The problem is that 2 of them work perfectly and the lock shows up in the browser. With the third (public), I get a gray globe indicating partial encryption which does not prevent eavesdropping. I have no clue
how to debug this or even where to look. Can someone point me in the right direction?

+1 vote

I have an idea how to setup Apache for doing load balancer based on mod_proxy and mod_balance modules. But in my case the backend server requires ssl client certificate authentication and therefore the Apache Server cannot terminate the ssl connection.

I do no need http session cookie stickyness. The application is stateless. Can I somehow configure Apache as a transparent balancer?

Or I should use even another software - squid, iptables? The backend application is a web service running on Tomcat.

+2 votes

I'm trying to set TLS protocol with the next parameter into the ssl.conf file:

 SSLProtocol all -SSLv2 -SSLv3 

but then my web application fails. I only can see next error in log file

[info] SSL library error 1 in handshake (server my.server:443, client xx.xx.xx.xx)
[info] SSL Library Error: 336027900 error:140760FC:SSL routines:func(118):reason(252)
[info] Connection to child 4 closed with abortive shutdown(server my.server:443, client xx.xx.xx.xx) 

I can`t see as well, into the customlog file, a "GET" that I can see when all protocols are enabled (no forcing TLS):

10.5.137.162 - - [03/Feb/2015:09:30:47 0100] "GET /application/resources/css/template_v6.0.xsl HTTP/1.0" 200 28323  

Any help will be appreciated

...