-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stefano Pogliani wanted us to know:

>I am struggling in having an Apache virtual host defined to support SSL.

FYI, it is not necessary to pay multiple hundreds of dollars to get a cert
signed by Thawte or Verisign (aren't they the same company now anyway?).
You can go to www.freessl.org and buy a one-year cert from them for $35.00.
It's an SSLv3 cert, which means it's a chained cert. All you do is create a
certificate signing request (CSR) with the appropriate information and
submit it to them, pay the money, do the phone verification thing, and then
wait for the email. The entire process can be done in about 15 minutes.

ADVICE: practice getting all the information correct that the CSR
generation process asks for. Once you submit the CSR, you have lost the
$35.00 if you put it in wrong. A good example of wrong is putting
"domain.com" as your CN when your box is accessed as "mail.domain.com" or
"www.domain.com".

CAVEAT: when you get a chained cert, they send it to you as one file with
two parts, their signed cert and your signed cert. I could never get Apache
to work properly if they were both in the same file. Once I split it up
into two files and modified the appropriate Apache SSL directives in the
config file, it worked great.

DISCLAIMER: I've only done this for Apache 1.3.x. I've not tried it with
Apache 2.0.

> 1. why the ssl logs are written to the "wrong file"

I'd guess it's using a different config file than you think.

> 2. why in this "wrong file" I always get two lines of warning at
> startup ?

I didn't see the exact "warnings" that you talk about in your original
email. Maybe I just missed it.

>Now, in addition to this, I wanted to create an SSL virtual host for a
>new server, called webmail.poglianis.net. For this:

Ah, now you hit the weakness of SSL. You cannot have virtual hosts and
have your certificate check out. You *CAN* have an SSL virtual host that
won't match the certificate, but you'll get the warning every time you
connect to it. Why?

Because there are two parts: encryption and authentication. Encryption is
the goal of preventing someone in the middle from listening to the traffic
and figuring out what it says. Authentication is the goal of connecting to
a machine and knowing without a doubt that the machine you are talking to
is the one machine it claims to be. Somehow (and this is beyond me),
there's no way to figure out which virtual host you're trying to connect to
until after you've already done the authentication, which means that the
certificate doesn't match the site that you're trying to connect to.

> 2. Now, any time I type https://webmail.poglianis.net, I get a box
> telling me that the "connection with webmail.poglianis.net has
> terminated unexpectedly. Some data may have been transferred". But
> actually I do not see my web page.

That just means that your private key or public key file does not have the
correct information in it or it is encoded the wrong way.

- -- 
Blue skies...            Todd
| Get a bigger hammer!   | Sometimes you get what you want.  |
| http://www.mrball.net  | Sometimes you get experience.     |
| http://faq.mrball.net  |                 --unknown origin  |
Linux kernel 2.4.19-24mdk   6 users, load average: 0.00, 0.18, 0.35
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: http://www.mrball.net/todd.asc

iD8DBQE/LKU6IBT1264ScBURAhrRAKDU5eMOOjqNakn+g84vmol0UuDrsACguG73
/Mnqt/xywlq4WAviJPu1uBc=
=VBlx
-----END PGP SIGNATURE-----
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
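The three practical points in Todd's reply above (check the CN before the CSR leaves your hands, split the CA's two-certificate bundle into separate files for Apache, and rule out a private key that does not belong to the certificate when the browser reports the connection terminated unexpectedly), as an added shell example that is not part of the original message or the list. It uses the openssl CLI and awk. The hostname webmail.poglianis.net comes from the thread; the file names, the 192.0.2.10 address, the "Example CA" name, and the mod_ssl directive layout are assumptions, and the certificates it generates are self-signed stand-ins for what a CA such as freessl.org would return.

```shell
#!/bin/sh
# Added example, not part of the original message. Hostnames, file names
# and the vhost stanza are assumptions; the certificates are constructed,
# self-signed stand-ins for a CA's reply.
set -eu

# CN of a certificate signing request: what the CA will put in the cert,
# so check it here before paying for the signature.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Same for an issued certificate (used to tell the split files apart).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Split a PEM bundle into prefix.1.pem, prefix.2.pem, ... in bundle order
# and print how many certificates it held.
split_bundle() {
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = p "." n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# True when the public key embedded in the certificate is the one derived
# from the private key. A mismatch is one reason the SSL handshake dies
# before any page is served.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Apache 1.3 / mod_ssl vhost using the split files: server cert and key in
# SSLCertificateFile/SSLCertificateKeyFile, the CA's certificate in
# SSLCertificateChainFile (assumed layout; adjust the paths).
apache_ssl_stanza() {
    cat <<EOF
<VirtualHost $1:443>
    ServerName $2
    SSLEngine on
    SSLCertificateFile $3
    SSLCertificateKeyFile $4
    SSLCertificateChainFile $5
</VirtualHost>
EOF
}

# --- stand-alone demonstration with constructed material -----------------
WORK=$(mktemp -d)
KEY=$WORK/webmail.key; CSR=$WORK/webmail.csr; CERT=$WORK/webmail.crt
CA=$WORK/ca.crt; OTHER=$WORK/other.key; BUNDLE=$WORK/bundle.pem

# 1. CSR with the hostname clients will actually type, not the bare domain.
openssl req -new -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CSR" \
    -subj "/CN=webmail.poglianis.net/O=Example" 2>/dev/null
echo "CSR CN: $(csr_cn "$CSR")"

# 2. Stand-in for the CA's reply: a self-signed server cert plus a separate
#    "CA" cert, shipped concatenated in one file as described in the thread.
openssl x509 -req -in "$CSR" -signkey "$KEY" -days 1 -out "$CERT" 2>/dev/null
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$CA" -days 1 -subj "/CN=Example CA" 2>/dev/null
cat "$CERT" "$CA" > "$BUNDLE"
COUNT=$(split_bundle "$BUNDLE" "$WORK/split")
echo "bundle held $COUNT certificates; first is for $(cert_cn "$WORK/split.1.pem")"

# 3. Key/cert check, with a deliberately unrelated key for comparison.
openssl genrsa -out "$OTHER" 2048 2>/dev/null
key_matches_cert "$KEY" "$CERT"   && echo "webmail.key matches webmail.crt"
key_matches_cert "$OTHER" "$CERT" || echo "other.key does not match (expected)"

apache_ssl_stanza 192.0.2.10 webmail.poglianis.net \
    /etc/ssl/apache/webmail.crt /etc/ssl/apache/webmail.key /etc/ssl/apache/ca.crt
```

The thread does not say which certificate comes first in the bundle, so run cert_cn on each split file and point SSLCertificateFile at the one whose CN is your hostname and SSLCertificateChainFile at the other. Run key_matches_cert on the pair before restarting Apache; it catches a key copied from the wrong box or a certificate issued against an earlier CSR, which look identical at a glance.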
