Enabling the SSL
Author Message
Buffer Offline
Junior Member
*

Posts: 19
Joined: Oct 2007
Reputation: 0
Post: #1
Enabling the SSL
Hi,

We're planning to enable SSL encryption according to the howto on our server, which is actually running 2.4.8rc1. First of all, just a small question: this howto should also be fully usable with 2.4.8rc1 when you just make the name and path changes, right?

Secondly, if I understood the howto correctly, the SSL is created for only one domain's login page because you have to enter "your domain" in the settings. Should I therefore tell my clients to only use the login page on one specific domain, or does the SSL protection work on all virtualhost domains and login pages?
02-01-2008 09:50 PM
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #2
RE: Enabling the SSL
Hi

the howto should work also with the old vhcs.

The thing with the vhost/main domain is: the certificate normally is issued for one hostname. And the certificate is tested while a connection to the HTTPS server is initiated - and in this moment there is no difference for the different virtual ServerNames.
so: one certificate per IP is the normal solution.
I heard there is a possibility to create sort of wild card certificates - but you need to read different docs about this...

Since ispcp removes the "admin-login-on-every-vhost" - only the main hostname is the right one (mostly due to the fastcgi environment this is a must) - the second question becomes automatically answered...
I'd change from Alias to Redirects for the vhost/admin URLs, then this is no longer a problem...

/J
02-01-2008 10:00 PM
Buffer Offline
Junior Member
*

Posts: 19
Joined: Oct 2007
Reputation: 0
Post: #3
RE: Enabling the SSL
Thanks joximu for a very quick answer.

It would be pretty easy to create a "Secure Login" link to the login page which would then redirect to a central login page which is SSL protected.

Just a wild shout then, if there's any German ppl around there, could anyone translate the couple of lines from the [reg_destinquishedname] section in the beginning of the howto. I see it's just a basic contact data but it would be nice to see if there's any specific forms there.

Then one last question before I test this howto out..
In the part where you generate the key it says this:
openssl genrsa -aes256 -out private/RootCA.key.pem -rand private/.rand 2048
Is the passphrase the -aes256 in this example? I mean can I change this the way I want?
02-01-2008 10:11 PM
rbtux Offline
Moderator
*****
Moderators

Posts: 1,847
Joined: Feb 2007
Reputation: 33
Post: #4
RE: Enabling the SSL
you can use the mod_rewrite module to force the user to use ssl encryption...
02-01-2008 10:15 PM
Buffer Offline
Junior Member
*

Posts: 19
Joined: Oct 2007
Reputation: 0
Post: #5
RE: Enabling the SSL
Oh, the aes256 seems to be an encryption method.. Where can I set the passphrase on that command or should I just input the default command said in the howto?
02-01-2008 10:31 PM
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #6
RE: Enabling the SSL
... just as it's written there - as long as you don't want to dig deeper in the stuff...

AFAIK there is no passphrase - otherwise you'd have to enter it after every apache start (IIRC).

/J
02-01-2008 10:41 PM
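
What the `-aes256` option in the `genrsa` command quoted in this thread controls, as an added example that is not part of any post or of the howto: the option names the cipher, and the passphrase is a separate input. The file names and the passphrase `demo-pass` are constructed, and `-passout` is used only so the example runs without a prompt.

```sh
#!/bin/sh
# Added example: file names and the passphrase "demo-pass" are constructed.

# Print "encrypted" or "plain" for a PEM private key file. Encrypted keys carry
# a "Proc-Type: 4,ENCRYPTED" header (traditional format) or a
# "BEGIN ENCRYPTED PRIVATE KEY" label (PKCS#8), depending on the OpenSSL version.
key_state() {
    if grep -q 'ENCRYPTED' "$1"; then echo encrypted; else echo plain; fi
}

# Return 0 if the key file can be loaded with the given passphrase source.
key_loads() {
    openssl rsa -in "$1" -passin "$2" -noout 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    # -aes256 only selects the cipher that protects the key file. The passphrase
    # is a separate input: openssl prompts for it unless -passout supplies one,
    # as done here so the example runs unattended.
    openssl genrsa -aes256 -passout pass:demo-pass \
        -out "$dir/RootCA.key.pem" 2048 2>/dev/null
    echo "CA key file:      $(key_state "$dir/RootCA.key.pem")"
    key_loads "$dir/RootCA.key.pem" pass:wrong-pass || echo "wrong passphrase: rejected"
    key_loads "$dir/RootCA.key.pem" pass:demo-pass && echo "right passphrase: accepted"

    # Without a cipher option the key is written unencrypted, so a service can
    # load it at start without a prompt; file permissions are then its only
    # protection.
    openssl genrsa -out "$dir/server.key.pem" 2048 2>/dev/null
    chmod 600 "$dir/server.key.pem"
    echo "server key file:  $(key_state "$dir/server.key.pem")"
    rm -rf "$dir"
}

demo
```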
Buffer Offline
Junior Member
*

Posts: 19
Joined: Oct 2007
Reputation: 0
Post: #7
RE: Enabling the SSL
Alrighty, I've started testing the script and everything seems to run fine to the part where I have to start using the /etc/apache2/sites-available/01_ssl_master.conf

In the basic vhcs2 we don't have 00_master.conf so we can't do this section:
cp /etc/apache2/sites-available/00_master.conf /etc/apache2/sites-available/01_ssl_master.conf

I tried to create my own 01_ssl_master.conf by copying only the data given in the howto under "Change the 01_ssl_master.conf file like this:" and configured it for my use, but it didn't do the trick. Could anyone help me create a working 01_ssl_master.conf?

*EDIT:
When I create the 01_ssl_master.conf only with the lines described in the howto I get the certificate working but I get this:
Warning: Unknown: open_basedir restriction in effect. File(/var/www/vhcs2/gui/index.php) is not within the allowed path(s): (/usr/share/php, /tmp) in Unknown on line 0

Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0

Fatal error: Unknown: Failed opening required '/var/www/vhcs2/gui/index.php' (include_path='.:/usr/share/php:/usr/share/pear') in Unknown on line 0

Which in my opinion means that the domain is not bound to any virtualhost on the server.

****EDIT3
Worked it out, I created a similar virtualhost section from my vhcs2.conf in the same file but changed the port to 443. To that section I added the information that was supposed to be added to the 01_ssl_master.conf. WORKS! :)
(This post was last modified: 02-02-2008 12:09 AM by Buffer.)
02-01-2008 11:42 PM
Buffer Offline
Junior Member
*

Posts: 19
Joined: Oct 2007
Reputation: 0
Post: #8
RE: Enabling the SSL
Just one more last question.

Because we created the certificate ourselves, is it normal that with default settings Internet Explorer gives out massive warnings about the site? First of all, Explorer shows a page which asks whether you really want to enter this SSL-protected site or not. Firefox seems to be working just fine; is it possible to test if the SSL is working correctly?
02-02-2008 01:18 AM
rbtux Offline
Moderator
*****
Moderators

Posts: 1,847
Joined: Feb 2007
Reputation: 33
Post: #9
RE: Enabling the SSL
Yeah, that's normal... First Microsoft didn't care about security at all and now they've gone paranoid...
02-02-2008 01:35 AM
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #10
RE: Enabling the SSL
With ie6 you could accept a self-signed certificate very easily (you need the ca.crt file), with firefox it is still easy (accept cert forever :-) - with ie7 it's more tricky, you need to import the ca.crt to the own trusted certificates... you have to try and error... :-)
But a "ca.crt" is always helpful...

/J
02-02-2008 07:42 AM
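
The certificate points made in this thread (a certificate is issued for one hostname, and a client accepts a self-made certificate only once it has `ca.crt`), as an added example that is not part of any post or of the howto. It builds a throwaway CA and server certificate and checks both properties offline; the `*.example.test` hostnames, file names and the passphrase `demo-pass` are constructed.

```sh
#!/bin/sh
# Added example: the *.example.test hostnames, file names and the passphrase
# "demo-pass" are constructed.

# Create a throwaway root CA and one server certificate for hostname $2 in
# directory $1 (encrypted CA key, unencrypted server key).
make_pki() {
    d=$1; host=$2
    openssl genrsa -aes256 -passout pass:demo-pass -out "$d/RootCA.key.pem" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$d/RootCA.key.pem" -passin pass:demo-pass \
        -subj "/CN=Demo Root CA" -days 30 -out "$d/ca.crt" 2>/dev/null &&
    openssl genrsa -out "$d/server.key.pem" 2048 2>/dev/null &&
    openssl req -new -key "$d/server.key.pem" -subj "/CN=$host" \
        -out "$d/server.csr" 2>/dev/null &&
    printf 'subjectAltName=DNS:%s\n' "$host" > "$d/san.ext" &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/RootCA.key.pem" \
        -passin pass:demo-pass -CAcreateserial -extfile "$d/san.ext" -days 30 \
        -out "$d/server.crt" 2>/dev/null
}

# Return 0 if certificate $1 chains to the trust anchors a client already has.
trusted_by_default() { openssl verify "$1" >/dev/null 2>&1; }

# Return 0 if certificate $2 chains to the CA certificate in file $1.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Return 0 if certificate $1 is valid for hostname $2.
valid_for() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_pki "$tmp" admin.example.test || return 1
    trusted_by_default "$tmp/server.crt" || echo "without ca.crt: unknown issuer"
    chains_to "$tmp/ca.crt" "$tmp/server.crt" && echo "with ca.crt:    chain verifies"
    for h in admin.example.test customer.example.test; do
        if valid_for "$tmp/server.crt" "$h"; then echo "$h: name matches"
        else echo "$h: name mismatch"; fi
    done
    rm -rf "$tmp"
}

demo
```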