Whew, that was a bit of an exercise.

Some issues I discovered and some quick things that I learned - maybe this will help others. Likely I need some correction/clarification too?!

FWIW I use a CD for the bulk of the packages and a floppy for 'partial' backups of the packages that I adjust.
=-=-=-=-

1) The online PDF doc wasn't available while I was playing/testing so maybe all my issues/questions are answered therein.

2) I had never played with SSL or certificates so I was learning on the fly.

3) Late in the game I discovered the help option on the main (first) menu of lrcfg. It had some useful info there about mini_httpds.

4) The config file for mini_httpds (/etc/mini_httpds.conf) has a line to specify the certificate file, by default this says:
   certfile=mini_httpd.pem
this file is actually stored in the directory /var/webconf/www. For clarity I changed my entry to read:
   certfile=/var/webconf/www/mini_httpd.pem
This (actual directory) was evident after I peeked into /etc/init.d/mini_httpds and saw that there was a specific directory change into the /var/webconf/www directory.

Note that (AIUI) if you use a different http daemon (i.e. a non-mini_httpd* one) then that certfile line may need to be different, e.g.:
   certfile=/var/sh-www/www/mini_httpd.pem

5) I discovered that in order to use SSL (via mini_httpds) I'd need to acquire a certificate and thus go_through_hassles or self-sign a certificate. Guess which I chose...

6) To create the self-signed certificate one needs to install (albeit only temporarily, for the purpose of this certificate generation) the openssl.lrp package.

7) I found this single command gave me exactly the certificate file that I needed:
   openssl req -new -newkey rsa:1024 -days 9500 -nodes -x509 \
       -keyout /var/webconf/www/mini_httpd.pem \
       -out /var/webconf/www/mini_httpd.pem

8) I chose 9500 days until expiry so as to not have to do this process again for > 26 years.

9) This command causes two sections to appear in the certfile file (/var/webconf/www/mini_httpd.pem): 'RSA PRIVATE KEY' & 'CERTIFICATE'. This is unusual because normally the output files mentioned on the openssl cmdline are different and thus each of the two files gets only one 'section'. mini_httpds seems to need both sections in that single PEM file.

10) It was a bit of a challenge to diagnose what mini_httpds was unhappy about because it gave no output, and the filesize of mini_httpds.log stayed at all times as zero. I got some hints about what I was doing incorrectly by removing the '2>/dev/null' parts from /etc/init.d/mini_httpds.

11) mini_httpd.pem has cooties! Nobody wants to backup this file (well, neither mini_httpds nor webconf). I fixed this by adding 'var/webconf/www/mini_httpd.pem' to file: /var/lib/lrpkg/webconf.list

12) I then did a *full* backup of webconf (to floppy) and re-burned that on my CD, because a partial backup would not backup that file. ... Should this mini_httpd.pem file be part of a 'partial' backup? Should it be a part of mhttpd.lrp or webconf.lrp? It should probably have an entry in one of the <package>.list file ?!

13) A funny thing happened at some point - some of the files in /var/webconf/www had their group membership removed, so they said 'nogroup'. I changed all these to be group=root. Until I made that fix I couldn't see the full index.cgi page (i.e. the column at the left was missing and all I got was the 'general information' blurb).

14) AIUI one can safely ignore all logfile entries which state "socket :: - Address family not supported by protocol". This 'complaint' refers to (AIUI) the fact that I don't have IPv6 support going on.

15) happy logfiles: when mini_httpds is loaded & running you'll see in daemon.log these two lines:
   started as root without requesting chroot(), warning only
   mini_httpd/1.19 19dec2003 starting on R11, port 443

16) More on generating the self-signed certificate... If you type into your browser window (for example) https://192.168.0.254 to access the webconf screen you'll possibly get notified that the certificate does not match the host you are connecting to ("Domain name mismatch" - firefox v1.07 warning window). This seems to be related to the "Common name" field of the self-signed certificate you are making. All of the fields don't matter *at all*, except this field.

Basically, if this field is set to "192.168.0.254" then one won't get a complaint about "Domain name mismatch" (firefox v1.07 syntax). In my case, because I have an entry in my hosts file (on my usual workstation) as:
   192.168.0.254         router

I would be entering:
   https://router
into my browser. Thus at the time I generated a certificate I set my "Common name" to be "router" and I don't get the domain-mismatch warning. I still have to accept the certificate though, since it is self-signed and thus not automatically trusted.

17) Curiously, the file /var/webconf/www/basic.cgi lives in the webconf.lRp file, however the file /var/webconf/www/expert.cgi lives in the webconf.lWp file. Is this segregation of the basic.cgi & expert.cgi intentional?

Hopefully this is helpful to others and thanks to all for LEAF!

scott; canada
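Added example (editor's, not Scott's and not part of the LEAF/mini_httpd packages): a small shell function that produces the combined key-plus-certificate PEM described in items 7, 9 and 16 above, plus the three checks worth running before restarting mini_httpds. It differs from the post's one-liner in three assumed choices: the key is 2048-bit rather than 1024-bit, the key and certificate are written to separate temporary files and then concatenated (key first) instead of relying on openssl appending to the same file, and a subjectAltName is added alongside the Common Name, since browsers newer than Firefox 1.07 match the host against the SAN and ignore the CN. The hostname "router", the address 192.168.0.254 and the output path are the post's values; everything else is an assumption of this example.

```shell
#!/bin/sh
# Editor's example, not code from the original post. Builds the single PEM file
# mini_httpd reads (private key followed by certificate) and checks it.

make_combined_pem() {
    # $1 = output PEM path, $2 = common name (the name typed in the browser),
    # $3 = IP to list in the SAN, $4 = validity in days (default 9500, as in the post)
    out="$1"; cn="$2"; ip="$3"; days="${4:-9500}"
    tmpd=$(mktemp -d) || return 1
    # Assumed request config: prompt-free DN with only a CN, plus server-cert extensions.
    cat >"$tmpd/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = DNS:$cn, IP:$ip
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -config "$tmpd/req.cnf" \
        -keyout "$tmpd/key.pem" -out "$tmpd/cert.pem" >/dev/null 2>&1 \
        || { rm -rf "$tmpd"; return 1; }
    # Key first, then certificate, in one file. It holds a private key, so 0600.
    ( umask 077; cat "$tmpd/key.pem" "$tmpd/cert.pem" >"$out" ) || { rm -rf "$tmpd"; return 1; }
    rm -rf "$tmpd"
}

# Check 1: both PEM sections are present (item 9 of the post).
# Matches "RSA PRIVATE KEY" (older openssl) and "PRIVATE KEY" (PKCS#8, newer openssl).
pem_has_key_and_cert() {
    grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$1" \
        && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Check 2: the CN really is the name you will type into the browser (item 16).
# Handles both "subject=CN = router" and "subject= /CN=router" output styles.
pem_common_name() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Check 3: the private key in the file matches the public key inside the certificate;
# a mismatch is one way to get the silent failure described in item 10.
pem_key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage, with the post's values (assumed output path; run as root on the router):
#   make_combined_pem /var/webconf/www/mini_httpd.pem router 192.168.0.254 9500
#   pem_has_key_and_cert /var/webconf/www/mini_httpd.pem && echo "both sections present"
#   pem_common_name /var/webconf/www/mini_httpd.pem
#   pem_key_matches_cert /var/webconf/www/mini_httpd.pem && echo "key matches cert"
```

Run the checks before restarting mini_httpds: because the daemon logs nothing useful on a bad certfile, confirming the two sections, the CN and the key/cert match up front saves stripping the redirects out of /etc/init.d/mini_httpds. The `umask 077` subshell matters because the file carries the private key; the post's concern about backing the file up applies equally to where those backups end up.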


leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/