[PLUG] About This Cert Thing

King Beowulf kingbeowulf at gmail.com
Thu Nov 28 02:34:33 UTC 2013


On 11/27/2013 03:42 PM, Bill Thoen wrote:
> On 11/26/2013 04:33 PM, Russell Johnson wrote:
>> On Nov 26, 2013, at 3:03 PM, Bill Thoen <bthoen at gisnet.com> wrote:
>>
>>> Yesterday and today I received this notice:
>>>
>>>   ################# SSL Certificate Warning ################
>>>
>>>    Certificate for hostname 'server.gisnet.com', in file (or by nickname):
>>>       /etc/pki/tls/certs/localhost.crt
>>>
>>>    The certificate needs to be renewed; this can be done
>>>    using the 'genkey' program.
>>>
>>>    Browsers will not be able to correctly connect to this
>>>    web site using SSL until the certificate is renewed.
>>>
>>>   ##########################################################
>>>                                    Generated by certwatch(1)
>>>
>>>
>>> I have no clue what to do about this, so I went to Google and asked the planetary brain for guidance. I must not have asked the question carefully enough, because I didn't get much of an answer. I did get a Googlet that told me that this was from root on my server, and it's telling me replace or renew the certificate on my server so that won't block people browsing my site.
>>>
>>> Now I'm stuck. I've run out of knowledge. I have only a vague understanding of certificates and I don't know which kind of cert I need or which renew command to use. Could someone help me choose the right option to use for genkey and give that notice what it wants to see?
>> If this is a self-signed cert, you need to generate a new one. This can be done with the original cert request, or a new one if you don't have the old one. The steps are outlined here: http://www.akadia.com/services/ssh_test_certificate.html
>>
>> If this is not a self-signed cert, then you will need to renew it with the certificate authority that you received the cert from originally, or a new authority.
>>
>> To display the cert details, which should tell you if it's self signed or not, use the following cheat sheet, in the "Display certificate information" section.
>>
>> http://wiki.samat.org/CheatSheet/OpenSSL
>>
>> (e.g. openssl x509 -in /etc/pki/tls/certs/localhost.crt -noout -text)
>>
>> I'm not an expert by any stretch of the imagination. If there are errors in my steps, others please feel free to correct me.
>>
>> Russell Johnson
>> russ at dimstar.net
> Well thanks for the help. I followed the steps up to step 5 in the 
> akadia.com URL, and everything seemed to work, but when I restarted 
> httpd, I saw those dreaded 6 letters in red, "FAILED" and no other news. 
> I stopped at step 5 because I don't have any virtual hosts now, and I 
> didn't have SSLEngine software installed or enabled. A "file not found" 
> issue.
> 
> I'm running CentOS 5.5 and everything is up to date as far as CentOS is 
> concerned. I had someone else who knows Linux way better than I set this 
> system up, and I just focused on applications and building up new 
> capabilities, and he took care of the fiddly bits below the surface. 
> But he is unavailable this week, so I'm on my own. I don't know what 
> sort of certificate I need but I guess it's probably the self-signed 
> kind. Whatever it needs. I was hoping that the notice I posted would 
> tell you, but I guess it doesn't, so right now I've achieved in one day 
> what that notice threatened to do 27 days from now. I've killed my 
> httpd process and it won't start. Does the following info reveal what's 
> wrong? I really would like to get web service running again. If anyone 
> can help, even just to point the way, I'd appreciate it.
> 
> The /var/log/httpd/error_log is now saying only this:
> [Wed Nov 27 11:42:14 2013] [notice] SELinux policy enabled; httpd 
> running as context unconfined_u:system_r:httpd_t:s0
> [Wed Nov 27 11:42:14 2013] [notice] suEXEC mechanism enabled (wrapper: 
> /usr/sbin/suexec)
> 
> 
> sestatus contains:
> 
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        targeted
> 
> The /etc/selinux config says:
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #     enforcing - SELinux security policy is enforced.
> #     permissive - SELinux prints warnings instead of enforcing.
> #     disabled - No SELinux policy is loaded.
> SELINUX=permissive
> # SELINUXTYPE= can take one of these two values:
> #     targeted - Targeted processes are protected,
> #     mls - Multi Level Security protection.
> SELINUXTYPE=targeted
> 
> And here's the certificate I created:
> Certificate:
>      Data:
>          Version: 1 (0x0)
>          Serial Number:
>              f0:26:0b:14:24:4e:e3:de
>          Signature Algorithm: sha1WithRSAEncryption
>          Issuer: C=US, ST=Colorado, L=Boulder, O=GISnet, 
> CN=www.gisnet.com/emailAddress=bthoen at gisnet.com
>          Validity
>              Not Before: Nov 27 18:38:59 2013 GMT
>              Not After : Nov 27 18:38:59 2014 GMT
>          Subject: C=US, ST=Colorado, L=Boulder, O=GISnet, 
> CN=www.gisnet.com/emailAddress=bthoen at gisnet.com
>          Subject Public Key Info:
>              Public Key Algorithm: rsaEncryption
>                  Public-Key: (1024 bit)
>                  Modulus:
>                      00:c6:ef:ec:16:4a:07:3b:6f:ec:37:75:f8:17:9a:
>                      0a:7c:3f:4d:7f:43:2d:e2:89:71:a3:7d:8d:37:6c:
>                      79:ee:49:8f:0a:f1:19:06:a7:4a:9e:9b:39:5f:a2:
>                      6f:21:9d:d4:24:c4:12:6f:8d:1f:b9:1a:8b:17:1c:
>                      09:00:8c:cc:fc:69:d7:11:d2:18:a5:c5:29:20:d9:
>                      a7:21:b9:cb:cd:2c:27:36:8f:22:0d:ba:ce:87:a8:
>                      1a:c3:f0:fa:0d:89:4c:c8:7f:05:a4:9d:19:04:fa:
>                      7f:c8:c2:b3:c3:a5:e3:31:e1:fc:76:bf:19:ee:49:
>                      41:61:6c:08:c8:5a:07:f7:25
>                  Exponent: 65537 (0x10001)
>      Signature Algorithm: sha1WithRSAEncryption
>          2c:df:14:f7:f4:38:d2:5e:7a:54:34:cc:4f:e9:94:f7:61:18:
>          8f:e7:67:3c:78:52:04:7f:2f:fb:b4:05:8c:56:c8:d8:67:a1:
>          61:88:64:2a:a4:c3:61:21:37:7c:13:8a:e8:f4:74:06:93:30:
>          67:1a:34:bb:d9:a9:fb:ff:91:b7:f2:25:04:17:4b:61:d5:84:
>          db:70:5a:f6:e9:dd:d8:bc:26:ba:ba:97:43:95:d1:3d:f1:2f:
>          69:f9:71:9a:e5:d0:60:1c:34:d7:06:63:0f:a0:fb:80:10:e2:
>          49:fb:3d:5c:44:25:ff:df:37:93:24:cd:3b:4e:7b:db:48:ca:
>          b2:14
> 
> The httpd failed just as soon as I updated the certification.
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
> 

Now that I know that you are on CentOS, you should study your CentOS
docs.  There are so many distros that implement SSL certs and user
security via different schemes, utilities, etc, that it is difficult to
provide good advice via this list unless we know what you have.

http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s2-secureserver-generatingkey.html

http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-httpd-secure-server.html

http://wiki.centos.org/HowTos/SELinux
http://wiki.centos.org/HowTos/Https
http://wiki.centos.org/HowTos/OS_Protection

If you need your site up fast, do not require users to log in, do not
take credit card etc. payments, do not require https, you can just
configure to not use SSL certs and SELinux (dump it all).  Thus, you can
set up your server plain and simple for just http to serve plain HTML.

You might not need a SSL cert - which needs to be approved by a
Certificate Authority, not you, to be useful anyway. Self-signed certs
are useful only for intranets.

Even with the need to take payments, just use google checkout/wallet
and/or paypal to completely skip the need for SSL on your server.

Enjoy.  Sorry to not be of more help along the "do this, then that"
lines. If you are pressed for time, in the long run, it might be easier
just to build your site on, for example,
https://www.nearlyfreespeech.net/ (Solid, dirt cheap, secure.)
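
As an added example that is not part of this thread (it is neither Bill's, Russell's nor King Beowulf's code), the shell script below shows the checks behind the "is it self-signed?" question and what certwatch is measuring. It creates a self-signed certificate with openssl (the same kind of key plus certificate pair that genkey produces interactively on CentOS), then confirms that issuer equals subject and that the certificate verifies against itself as the only trust anchor, checks remaining validity with -checkend (certwatch warns at 30 days), and confirms that the certificate and private key belong together, which is one of the reasons httpd prints FAILED and nothing else at start-up. The file names, the subject fields and the temporary directory are assumptions for the demo; the thread's real files live under /etc/pki/tls. The demo uses 2048-bit RSA and SHA-256 rather than the 1024-bit SHA-1 certificate printed above, since current browsers reject both of those, and adds a subjectAltName because browsers no longer match the host name against CN alone.

```shell
#!/bin/sh
# Added example, not from the PLUG thread.  Paths below are stand-ins
# (assumptions) for /etc/pki/tls/certs/localhost.crt and
# /etc/pki/tls/private/localhost.key on a CentOS httpd host.
set -eu

# Generate a self-signed certificate: the subject signs its own public key,
# so issuer == subject.  -addext needs OpenSSL 1.1.1 or newer.
# usage: make_self_signed CERT_OUT KEY_OUT
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=US/ST=Colorado/L=Boulder/O=GISnet/CN=www.gisnet.com" \
        -addext "subjectAltName=DNS:www.gisnet.com" \
        -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Quick tell from the text dump (what the thread's 'openssl x509 -text'
# output shows): the Issuer and Subject lines are identical.
issuer_equals_subject() {
    [ "$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')" = \
      "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" ]
}

# Stronger check: the certificate's signature verifies when the certificate
# itself is the only trusted CA.  A CA-issued cert fails this test.
is_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Is the certificate still valid DAYS days from now?  -checkend exits 0 when
# it will not expire within that window; certwatch's threshold is 30 days.
# usage: valid_for_days CERT DAYS
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# httpd refuses to start when SSLCertificateFile and SSLCertificateKeyFile
# do not belong together.  Compare the SubjectPublicKeyInfo from both files.
# usage: cert_matches_key CERT KEY
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey      | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)" ]
}

# Run the checks on a freshly made pair (files created here are constructed
# demo input, not the thread's real certificate).
WORK="$(mktemp -d)"
CERT="$WORK/localhost.crt"
KEY="$WORK/localhost.key"
make_self_signed "$CERT" "$KEY"

issuer_equals_subject "$CERT" && echo "issuer == subject: yes"
is_self_signed "$CERT"        && echo "verifies against itself: self-signed"
valid_for_days "$CERT" 30     && echo "still valid in 30 days: certwatch quiet"
cert_matches_key "$CERT" "$KEY" && echo "certificate matches private key"
rm -rf "$WORK"
```

When httpd reports FAILED but error_log is silent, as in Bill's report, `httpd -t` (or `service httpd configtest`) prints the configuration error to the terminal, and mod_ssl's own start-up messages go to /var/log/httpd/ssl_error_log rather than error_log. The mod_ssl defaults on CentOS point at /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key, so a certificate written elsewhere, or a new certificate paired with the old key, fails the last check above before httpd ever serves a page.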






