Expat-IT Tech Bits

Home

Contact

Links

Search this site:

Categories:

/ (287)
  Admin/ (122)
    Apache/ (10)
      HTTPS-SSL/ (4)
      PHP/ (3)
      performance/ (2)
    Cherokee/ (1)
    LAN/ (4)
    LVM/ (6)
    Monitoring/ (2)
      munin/ (2)
    SSH/ (6)
    SSL/ (1)
    Samba/ (1)
    VPN-options/ (6)
      OpenVPN/ (1)
      SSH-Proxy/ (3)
      Tinc/ (1)
      sshuttle/ (1)
    backups/ (17)
      SpiderOak/ (1)
      backuppc/ (5)
      dirvish/ (1)
      misc/ (6)
      rdiff-backup/ (1)
      rsync/ (1)
      unison/ (2)
    commandLine/ (24)
      files/ (8)
      misc/ (10)
      network/ (6)
    crontab/ (1)
    databases/ (15)
      MSSQL/ (2)
      MySQL/ (8)
      Oracle/ (3)
      PostgreSQL/ (1)
    dynamicDNS/ (2)
    email/ (11)
      Dovecot/ (1)
      deliverability/ (1)
      misc/ (1)
      postfix/ (7)
      puppet/ (1)
    iptables/ (3)
    tripwire/ (1)
    virtualization/ (9)
      VMware/ (1)
      virtualBox/ (8)
  Coding/ (14)
    bash/ (1)
    gdb/ (1)
    git/ (3)
    php/ (5)
    python/ (4)
      Django/ (2)
  Education/ (1)
  Hosting/ (27)
    Amazon/ (18)
      EBS/ (3)
      EC2/ (10)
      S3/ (1)
      commandline/ (4)
    Godaddy/ (2)
    NearlyFreeSpeech/ (3)
    Rackspace/ (1)
    vpslink/ (3)
  Linux/ (30)
    Android/ (1)
    Awesome/ (3)
    CPUfreq/ (1)
    China/ (2)
    Debian/ (8)
      APT/ (3)
      WPA/ (1)
    audio/ (1)
    encryption/ (3)
    fonts/ (1)
    misc/ (6)
    remoteDesktop/ (1)
    router-bridge/ (3)
  SW/ (45)
    Micro$soft/ (1)
    browser/ (2)
      Chrome/ (1)
      Firefox/ (1)
    business/ (28)
      Drupal/ (9)
      KnowledgeTree/ (6)
      Redmine/ (2)
      SugarCRM/ (7)
      WebERP/ (2)
      WordPress/ (1)
      eGroupware/ (1)
    chat/ (1)
    email/ (1)
    fileSharing/ (2)
      btsync/ (1)
      mldonkey/ (1)
    graphics/ (2)
    research/ (2)
    website/ (6)
      blog/ (6)
        blosxom/ (3)
        rss2email/ (1)
        webgen/ (1)
  Security/ (15)
    IMchat/ (2)
    circumvention/ (2)
    cryptoCurrency/ (1)
    e-mail/ (4)
    greatFirewall/ (1)
    hacking/ (1)
    password/ (1)
    privacy/ (2)
    skype/ (1)
  Services/ (1)
    fileSharing/ (1)
  TechWriting/ (1)
  xHW/ (14)
    Lenovo/ (1)
    Motorola_A1200/ (2)
    Thinkpad_600e/ (1)
    Thinkpad_a21m/ (3)
    Thinkpad_i1300/ (1)
    Thinkpad_x24/ (1)
    USB_audio/ (1)
    scanner/ (1)
    wirelessCards/ (2)
  xLife/ (17)
    China/ (9)
      Beijing/ (5)
        OpenSource/ (3)
    Expatriation/ (1)
    Vietnam/ (7)

Archives:

  • 2016/07
  • 2016/05
  • 2016/02
  • 2016/01
  • 2015/12
  • 2015/11
  • 2015/06
  • 2015/01
  • 2014/12
  • 2014/11
  • 2014/10
  • 2014/09
  • 2014/07
  • 2014/04
  • 2014/02
  • 2014/01
  • 2013/12
  • 2013/10
  • 2013/08
  • 2013/07
  • 2013/06
  • 2013/05
  • 2013/04
  • 2013/02
  • 2013/01
  • 2012/12
  • 2012/10
  • 2012/09
  • 2012/08
  • 2012/07
  • 2012/06
  • 2012/05
  • 2012/04
  • 2012/03
  • 2012/01
  • 2011/12
  • 2011/11
  • 2011/10
  • 2011/09
  • 2011/08
  • 2011/07
  • 2011/06
  • 2011/05
  • 2011/04
  • 2011/02
  • 2010/12
  • 2010/11
  • 2010/10
  • 2010/09
  • 2010/08
  • 2010/07
  • 2010/06
  • 2010/05
  • 2010/04
  • 2010/03
  • 2010/02
  • 2010/01
  • 2009/12
  • 2009/11
  • 2009/10
  • 2009/09
  • 2009/08
  • 2009/07
  • 2009/06
  • 2009/05
  • 2009/04
  • 2009/03
  • 2009/02
  • 2009/01
  • 2008/12
  • 2008/11
  • 2008/10
  • 2008/09
  • Subscribe XML RSS Feed

    Creative Commons License
    This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
    PyBlosxom

    This site has no ads. To help with hosting, crypto donations are accepted:
    Bitcoin: 1JErV8ga9UY7wE8Bbf1KYsA5bkdh8n1Bxc
    Zcash: zcLYqtXYFEWHFtEfM6wg5eCV8frxWtZYkT8WyxvevzNC6SBgmqPS3tkg6nBarmzRzWYAurgs4ThkpkD5QgiSwxqoB7xrCxs

    Wed, 16 Sep 2009


    /Admin/Apache/HTTPS-SSL: Desktop Apache https Quick Start

    I expect to be accessing some services on my laptop via Apache over an untrusted network in the near future, so I need to turn on SSL.

    As usual, turn on the Apache SSL module:

    cd /etc/apache2/mods-enabled/
    ln -s ../mods-available/ssl.conf .
    ln -s ../mods-available/ssl.load .
    
    and the default SSL configuration:
    cd /etc/apache2/sites-enabled/
    ln -s ../sites-available/default-ssl 001-default-ssl
    

    Now restart Apache and it just works!? Apparently there is a "snakeoil" certificate already in place to get the job done. Trivial. Thank you, Debian Apache packagers.

    posted at: 09:23 | path: /Admin/Apache/HTTPS-SSL | permanent link to this entry

    Thu, 02 Apr 2009


    /Admin/Apache/HTTPS-SSL: SSL Certificates 101

    Generally speaking, it would appear that a vanilla single root SSL certificate, self-signed or otherwise, is only good for exactly one domain that corresponds exactly to the "common name" used in creating the certificate.

    Some vendors[1] sell something called a "wildcard" certificate, where the common name on the certificate takes the form of "*.domain.com", and can be used to secure multiple sub-domains. Such a "wildcard" certificate, not suprisingly, seems to be considerably more expensive then a single root certificate. Apache even provides a built-in mechanism using a document root wildcard[2] for mapping each sub-domain to a different document root.

    Some vendors like Godaddy[3] sell multiple domain certificates which seem to provide a discount to purchasing the same number of single root certificates.

    A good source for a free certificate is cacert.org[4]. cacert.org will sign a certificate for you for a domain if your e-mail address is in the whois record for the domain (this is an automated process on their end, they verify your identity by sending you a link in an e-mail ....) The Apache website[5] has a nice concise explanation of how to create a server key and certificate signing request for cacert.org (or anyone else....)

    Basically the process is[7]:

    cacert.org certificates seem to be good for six months. They send you an e-mail in advance of expiry.

    For a particular SSL-enabled Apache virtual host, force users to always use https by placing a redirect in http virtual host, ie.:

    <VirtualHost *:80> DocumentRoot /var/www/vsc/apps ServerName apps.vancouversolidcomputing.com ServerAlias apps.vancouversolidcomputing.com ServerAdmin ckoeni@gmail.com CustomLog /var/log/apache2/access.log combined Redirect / https://apps.vancouversolidcomputing.com/ </VirtualHost>

    [1] http://www.sslshopper.com/best-ssl-wildcard-certificate.html
    [2] http://phaseshiftllc.com/archives/2008/10/27/multiple-secure-subdomains-with-a-wildcard-ssl-certificate
    [3] http://www.godaddy.com/gdshop/ssl/ssl.asp?ci=9039
    [4] https://www.cacert.org/
    [5] http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#realcert
    [6] http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#removepassphrase
    [7] http://www.cacert.org/help.php?id=6
    [8] http://www.cacert.org/help.php?id=4

    posted at: 00:57 | path: /Admin/Apache/HTTPS-SSL | permanent link to this entry


    /Admin/Apache/HTTPS-SSL: Multiple SSL Certificates in Apache

    As I noted in an earlier post, name-based virtual hosting "seemed" to be working. "Seemed". In fact, the virtual hosts were finding the correct web root and loading the correct site, but browsers were consistently giving an error to the effect that the domain name in the certificate and the domain name the browser was pointed to were not the same.

    Someone on the cacert.org e-mail list[1] set me straight:

    From: Pete Stephenson
    To: cacert-support@lists.cacert.org
    Subject: Re: Certificate somehow associated with wrong sub-domain?
    
    Both subdomains share the same IP address.
    
    SSL is IP-based, rather than name-based. Specifically, when a client
    connects to a server, it establishes the SSL connection prior to
    sending the HTTP Host header, so the server has no idea which specific
    certificate to send. Depending on the server, it may send the first
    certificate mentioned in the configuration file or do something else
    entirely.
    
    You can solve this by adding multiple SubjectAltNames to a certificate
    (e.g. you'd have a SAN for apps.vancouversolidcomputing.com and
    another one for vsc.vancouversolidcomputing.com all in a single
    certificate) and telling your server to use the same certificate for
    both subdomains.
    
    More details, including a handy shell script which can generate the
    required CSR (some options, like the RSA key length are manually
    configurable in the shell script; it doesn't prompt the user for the
    keylength), are available here:
    http://wiki.cacert.org/wiki/VhostTaskForce
    
    Cheers!
    -Pete
    

    So what I take from this is:

    This page[2] talks about the issue in general, and the various somewhat fuzzy and partially supported options -- "Currently the different browsers, servers and CAs all implement different and incompatible ways to use SSL certificates for several VHosts on the same server" -- this situation has not been entirely standardized yet!

    This page[3] seems to recommend the cacert.org way to setup Apache with the right kind of multiple SubjectAltName certificate, complete with a script[4] for generating an appropriate Certificate Request and associated key. I used the script to generate the request, and sure enough:

    # openssl req -noout -text -in vancouversolidcomputing_csr.pem Certificate Request: Data: Version: 0 (0x0) Subject: CN=www.vancouversolidcomputing.com <snip> Requested Extensions: X509v3 Subject Alternative Name: DNS:www.vancouversolidcomputing.com, DNS:vancouversolidcomputing.com, DNS:printshopdemo.vancouversolidcomputing.com, DNS:vsc.vancouversolidcomputing.com , DNS:solid.vancouversolidcomputing.com, DNS:apps.vancouversolidcomputing.com, DNS:ofri.vancouversolidcomputing.com <snip>

    out comes a Certificate Request with multiple SubjectAltNames.

    I then replaced *all* certificates in my Apache virtual hosts with this new certificate, ie.

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/vancouversolidcomputing_crt.pem
    SSLCertificateKeyFile /etc/apache2/ssl/vancouversolidcomputing_privatekey.pem

    in each virtual host block for each sub-domain / web root.

    The certificate now works flawlessly in Iceape (which apparently contains the cacert.org Certificate Authority information) and Internet Explorer still complains about an untrusted Certificate Authority. Neither complains about domain names not matching, which was happening before.

    [3] contained several other directives in each of the SSL virtual host blocks:

    UseCanonicalName On
    SSLCipherSuite HIGH
    SSLProtocol all -SSLv2

    but I have so far found these unnecessary.

    [1] https://lists.cacert.org/wws/info/cacert-support
    [2] http://wiki.cacert.org/wiki/VhostTaskForce
    [3] http://wiki.cacert.org/wiki/CSRGenerator
    [4] http://svn.cacert.org/CAcert/Software/CSRGenerator/csr

    posted at: 00:30 | path: /Admin/Apache/HTTPS-SSL | permanent link to this entry

    Sat, 14 Mar 2009


    /Admin/Apache/HTTPS-SSL: Turn on SSL in Apache

    Turn on the SSL module:

    cd /etc/apache2/mods-enabled/
    ln -s ../mods-available/ssl.conf .
    ln -s ../mods-available/ssl.load .
    /etc/init.d/apache2 restart
    

    In Debian, /etc/apache2/mods-enabled/ports.conf should already have logic to listen on the default port 443 if the SSL module is loaded.

    Now create a self-signed certificate (tinyca is a nice simple GUI that will do the job....) Just enter minimal information, and export the newly generated cert and key to files, being careful to set the expiration date nice and long, and export the key WITHOUT a password (otherwise you will have to provide a password every time apache is restarted).

    Copy the exported certificate files to your server, into directory /etc/apache2/ssl. Now create an SSL block in the Apache Virtual Host where you would like SSL. The *:80 block will respond to normal http requests, and the *:443 block will respond to https (SSL) requests:

    <VirtualHost *:80> DocumentRoot /var/www/webroot ServerName subdomain.domain.com ServerAlias subdomain.domain.com ServerAdmin webmaster@domain.com CustomLog /var/log/apache2/access.log combined </VirtualHost> NameVirtualHost *:443 <VirtualHost *:443> DocumentRoot /var/www/webroot ServerName subdomain.domain.com ServerAlias subdomain.domain.com ServerAdmin webmaster@domain.com CustomLog /var/log/apache2/access.log combined SSLEngine on SSLCertificateFile /etc/apache2/ssl/cert.pem SSLCertificateKeyFile /etc/apache2/ssl/key.pem </VirtualHost>

    I am not sure why the 443 block requires a NameVirtualHost line and the 80 block does not. Interestingly enough, this[2] says "Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol", which might have something to do with it? But despite this[3] I currently HAVE got name-based virtual hosting working on SSL, unless there is something I do not understand here.

    Here is a useful reference[1], in addition to the installed apache docs.

    [1] http://www.debian-administration.org/articles/349
    [2] http://httpd.apache.org/docs/2.2/vhosts/name-based.html
    [3] http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts

    posted at: 02:01 | path: /Admin/Apache/HTTPS-SSL | permanent link to this entry