Perhaps a silly question but it's not something as simple as file permissions or owner/group membership or environment path is it?
-----Original Message----- From: u2-users-boun...@listserver.u2ug.org [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King Sent: Wednesday, 20 February 2013 10:03 To: U2 Users List Subject: Re: [U2] AIX 5.3 IBMIHS Web Server Yes, I have both the LoadModule and Listen, though my Listen is unqualified, like this: Listen 443 The error I'm getting in the logs tells me there is no key for "api" or " api.client.com" (I've tried both) despite the fact that gsk7cmd shows that the certificate absolutely is in there. That's what's vexing; I can see the certificate, but for some reason Apache cannot. You don't suppose the unqualified Listen might have something to do with it, do you? On Tue, Feb 19, 2013 at 11:19 AM, John Hester <jhes...@momtex.com> wrote: > Kevin, I have both chained and self-signed certs on various servers. > The example from my workstation is a self-signed cert. Self-signed is > actually less prone to error because you don't have to worry about > importing the intermediate certs into the keystore database. The only > other thing I know to suggest at the moment is verify you're loading > the IBM ssl module and listening on port 443: > > LoadModule ibm_ssl_module modules/mod_ibm_ssl.so Listen 0.0.0.0:443 > > Are you getting any errors in the IHS SSL logs, either at server > startup or when you attempt to browse to port 443? > > -John > > -----Original Message----- > From: u2-users-boun...@listserver.u2ug.org > [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin King > Sent: Monday, February 18, 2013 5:04 PM > To: U2 Users List > Subject: Re: [U2] AIX 5.3 IBMIHS Web Server > > John (Thompson)... This IHS Apache is definitely a cracked Apache with > some odd configuration SSL setup in particular is completely different. > > John (Hester), I can see the cert in the key file (through the gsk7cmd > command) but with the name api.client.com it cannot be found. I even > recreated the cert as "api" (without dots) because I found a page that > said that the dots could be causing problems, but still no love. It > seems I've done everything correctly but still it just can't find a > combination that works. I'm wondering if the problem here is the fact > that it's a self-signed cert without a chain? Are you using a > self-signed cert here? > Do you have other certs in your key file that may represent a chain > for the self-signed cert? > > Thank you gentlemen for the insight. Most appreciated. > > -K > > On Mon, Feb 18, 2013 at 3:09 PM, John Hester <jhes...@momtex.com> wrote: > > > It sounds like you've done all you need to for basic IHS SSL > > functionality. As long as api.client.com matches the name you gave > > the certificate via ikeyman, and you have the KeyFile directive, you > > should be OK. There are a lot of other options you can add for > > optimization and browser compatibility, but I don't think leaving > > any of those out would break it outright. Here's my working IHS > > config from the development server on my Windows workstation for comparison: > > > > <VirtualHost *:443> > > SSLEnable > > SSLProtocolDisable SSLv2 > > SSLServerCert is12.momtex.com > > <Directory "c:/IBM/HTTPServer/htdocs/html"> > > Options +Includes > > AddType text/html .shtml > > AddOutputFilter INCLUDES .shtml > > </Directory> > > </VirtualHost> > > KeyFile "C:/IBM/HTTPServer/key.kdb" > > SSLDisable > > > > -John > > > > -----Original Message----- > > From: u2-users-boun...@listserver.u2ug.org > > [mailto:u2-users-boun...@listserver.u2ug.org] On Behalf Of Kevin > > King > > Sent: Saturday, February 16, 2013 4:02 PM > > To: U2 Users List > > Subject: [U2] AIX 5.3 IBMIHS Web Server > > > > Might anyone have any tips or tricks for getting SSL to work on the > > IBMIHS/Apache 2.0.47 web server on an AIX 5.3 box? The > > documentation I've found on the web is byzantine at best and it > > would be fine if the > > > commands actually worked, but I keep getting odd error messages and > > stalled at every turn. > > > > I've upgrade the GSK so that the server will start with SSL enabled, > > I > > > have a virtual host configured, but I have no clue how to tie a > > specific certificate to the VirtualHost. Well, let's say I have > > clues, but nothing is working. Here's the <VirtualHost> stanza I > > have > > > set up in > > httpd.conf: > > > > <VirtualHost *:443> > > SSLEnable > > SSLClientAuth None > > SSLServerCert api.client.com > > ServerName api.client.com > > DocumentRoot /usr/www > > <Directory "/usr/www"> > > Order Allow,Deny > > Allow From All > > </Directory> > > ErrorLog logs/api_error.log > > CustomLog logs/api_error.log common </VirtualHost> > > > > I've been able to generate a CSR and create a self-signed > > certificate, > > > and it would appear that I've even successfully imported that > > certificate into my key database, as demonstrated by this command: > > > > $ gsk7cmd -cert -details -db /usr/IBMIHS/ssl/client.kdb -label " > > api.client.com" -pw "password" > > > > ...which produces the following output... > > > > Label: api.client.com > > Key Size: 512 > > Version: X509 V1 > > Serial Number: 00 DB 00 41 9A 19 77 7E 9F Issued By: api.client.com > > CLIENT City, ST, US > > Subject: api.client.com > > CLIENT > > City, ST, US > > Valid From: Saturday, February 16, 2013 6:06:08 PM EST To: Saturday, > > April 17, 2032 7:06:08 PM EDT > > Fingerprint: ... > > Signature Algorithm: 1.2.840.1135188.8.131.52 Trust Status: enabled > > > > But even though this certificate is in the keyfile (and yes, I have > > a KeyFile directive elsewhere in the httpd.conf file pointing to the > > client.kdb file) I can't seem to associate it to the virtual host. > > What am I missing? > > > > (And yes, I'm aware this is not specifically a U2 question but I > > need this to provide web connectivity to a Unidata machine from a > > Rackspace > > > hosted server. So in a way... it sorta is U2 related.) > > > > Help? > > _______________________________________________ > > U2-Users mailing list > > U2-Users@listserver.u2ug.org > > http://listserver.u2ug.org/mailman/listinfo/u2-users > > _______________________________________________ > > U2-Users mailing list > > U2-Users@listserver.u2ug.org > > http://listserver.u2ug.org/mailman/listinfo/u2-users > > > _______________________________________________ > U2-Users mailing list > U2-Users@listserver.u2ug.org > http://listserver.u2ug.org/mailman/listinfo/u2-users > _______________________________________________ > U2-Users mailing list > U2-Users@listserver.u2ug.org > http://listserver.u2ug.org/mailman/listinfo/u2-users > _______________________________________________ U2-Users mailing list U2-Users@listserver.u2ug.org http://listserver.u2ug.org/mailman/listinfo/u2-users ------------------------------------------------------------------------------- Note: This email (inc all attachments) is for the use of the intended recipient(s) only. Privileged or confidential information may be contained in this communication. If you have received this email in error, please notify the sender immediately and then delete all copies of this message from your computer network. If you are not the intended recipient, you must not keep, use, disclose, copy or distribute this email without the author's prior permission. If you are the intended recipient and you do not wish to receive similar electronic messages from us in future, then please respond to the sender to this effect. We have taken precautions to minimise the risk of transmitting software viruses, but advise you to carry out your own virus checks on this email and its attachments. We do not accept liability for any loss or damage caused by software viruses and do not represent that this transmission is free from viruses or other defects. Firstmac Limited (ABN 59 094 145 963) (AFSL 290600) ------------------------------------------------------------------------------- _______________________________________________ U2-Users mailing list U2-Users@listserver.u2ug.org http://listserver.u2ug.org/mailman/listinfo/u2-users