On Mon, 2015-04-06 at 20:31 +0200, Sebastian Pipping wrote:
> On 06.04.2015 19:24, Victor Porton wrote:
> > I've tried to set SSL for one site at my Debian Linux wheezy server
> > (which serves multiple domains).
> >
> > I've prepared StartSSL keys and certificate and put them into
> > /etc/apache2/ssl/
>
> How did you prepare those?
> Did you follow the StartSSL steps on the website wizard and obtain
> both of these files through downloading from their website?
>
I've obtained both the certificate and the key (which I have deciphered on my machine) from StartSSL. I have copy-and-pasted them from their site's control panel (if it is called control panel).

> > But when I started the below configuration (with Debian command
> > `a2ensite withoutvowels.conf`), after I opened
> > https://withoutvowels.org/wiki/Without_Vowels_project I've got
> >
> > [[[[
> > This Connection is Untrusted
> >
> > You have asked Iceweasel to connect securely to withoutvowels.org, but
> > we can't confirm that your connection is secure.
> >
> > Normally, when you try to connect securely, sites will present trusted
> > identification to prove that you are going to the right place. However,
> > this site's identity can't be verified.
> > What Should I Do?
> >
> > If you usually connect to this site without problems, this error could
> > mean that someone is trying to impersonate the site, and you shouldn't
> > continue.
> >
> > withoutvowels.org uses an invalid security certificate. The certificate
> > is not trusted because it is self-signed. The certificate is only valid
> > for d1stkfactory (Error code: sec_error_unknown_issuer)
> > ]]]]
>
> That "d1stkfactory" in there is interesting.
>
> Are you hosted at DigitalOcean? I found this using Google:
>
> http://blog.vucica.net/2014/03/mails-appearing-from-d1stkfactory.html
>

Yes, I am hosted at Digital Ocean. I've verified my cert for a domain (withoutvowels.org), not for an IP. So I wonder where "d1stkfactory" came from.

> My guess right now is that you made the certificate on a machine of
> yours rather than downloading a cert from StartSSL. Did you use a
> certificate signing request to get your existing cert signed?
>

I didn't make the certificate on my machine. The only things I did on my machine were:

1. I've deciphered the private key.
2. I've renamed the file from ssl.key into private.key.
> > After this error I've stopped using the below configuration and
> > replaced it with my old (non-SSL) configuration.
> >
> > The config /etc/apache2/sites-available/withoutvowels.conf for the site
> > is below:
> >
> > <VirtualHost *:443>
> > ServerName withoutvowels.org
> >
> > SuexecUserGroup withoutvowels withoutvowels
> >
> > ServerAdmin webmaster@localhost
> >
> > SSLEngine on
> > SSLProtocol all -SSLv2
> > SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
> > SSLCertificateFile /etc/apache2/ssl/ssl.crt
> > SSLCertificateKeyFile /etc/apache2/ssl/private.key
> > SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
>
> This looks a lot like
> https://www.startssl.com/?app=21
>
> Please consider disabling SSLv3 as well, because:
> https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
>

Please explain how to disable SSLv3 in Apache.

> Having SSLv3 enabled will also not look good on the ssllabs test page, e.g.
> https://www.ssllabs.com/ssltest/analyze.html?d=google.com&s=74.125.224.8
>
> Best,
>
>
>
> Sebastian

I've also reported the bug to StartSSL: https://bugzilla.startcom.org/show_bug.cgi?id=363

-- 
Victor Porton - http://portonvictor.org
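The question in the thread is how to turn off SSLv3 in Apache. The answer is the `SSLProtocol` directive: mod_ssl evaluates its tokens left to right, `all` selects every protocol the build supports, `+proto` adds one, `-proto` removes one, and a bare protocol name replaces whatever was selected before it. So the quoted `SSLProtocol all -SSLv2` still offers SSLv3, and `SSLProtocol all -SSLv2 -SSLv3` is the form that excludes it. The script below is an added example written for this page, not code from the thread or from Apache; it evaluates `SSLProtocol` lines with those documented semantics and reports any vhost that still enables SSLv2 or SSLv3. The protocol set that `all` expands to is an assumption (it depends on the httpd and OpenSSL build), and the sample config is constructed to mirror the directive quoted above beside its hardened form.

```python
"""Audit Apache mod_ssl `SSLProtocol` directives for SSLv2/SSLv3 exposure.

Token semantics follow the mod_ssl documentation: `all` is a shortcut for
every supported protocol, `+name` enables a protocol, `-name` disables it,
and a bare name replaces the selection made by earlier tokens.
"""
import re

# Assumption for this example: what `all` expands to. Apache 2.2 on Debian
# wheezy (the server in the thread) counts SSLv2 and SSLv3 in `all`; newer
# builds drop SSLv2. Adjust to match the local build.
ALL_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})

# Protocols a server should not offer: SSLv2 is broken outright, SSLv3 is
# the POODLE target from the Qualys post linked in the thread.
WEAK_PROTOCOLS = frozenset({"SSLv2", "SSLv3"})

_DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.*?)\s*$", re.IGNORECASE)


def effective_protocols(argument, supported=ALL_PROTOCOLS):
    """Return the frozenset of protocols enabled by an SSLProtocol argument.

    `argument` is the text after the directive name, e.g. "all -SSLv2".
    Protocol names are matched case-insensitively, as mod_ssl does.
    """
    by_name = {p.lower(): p for p in supported}
    enabled = set()
    for token in argument.split():
        action = "="                      # bare token: replace selection
        if token[:1] in ("+", "-"):
            action, token = token[0], token[1:]
        key = token.lower()
        if key == "all":
            this = set(supported)
        elif key in by_name:
            this = {by_name[key]}
        else:
            raise ValueError("unknown protocol token: %r" % token)
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this
    return frozenset(enabled)


def audit_config(config_text, supported=ALL_PROTOCOLS):
    """Scan config text; return [(line_no, directive, sorted weak protocols)].

    A finding with an empty weak list means the directive is acceptable.
    """
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        match = _DIRECTIVE.match(line)
        if not match:
            continue
        enabled = effective_protocols(match.group(1), supported)
        findings.append((no, line.strip(), sorted(enabled & WEAK_PROTOCOLS)))
    return findings


# Constructed sample: the directive quoted in the thread, then the hardened
# form that also drops SSLv3.
SAMPLE_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for no, directive, weak in audit_config(SAMPLE_CONFIG):
        status = "WEAK, still offers " + ", ".join(weak) if weak else "ok"
        print("line %d: %s -> %s" % (no, directive, status))
```

After editing the vhost, `apache2ctl configtest` checks the syntax and the service has to be restarted for the new `SSLProtocol` to take effect; the SSL Labs page Sebastian links will then show which protocols the server actually negotiates. Separately from the protocol question, the browser error above names the subject the served certificate was issued for, so `openssl x509 -noout -subject -in /etc/apache2/ssl/ssl.crt` run on the server shows whether the file Apache is loading is the StartSSL certificate for withoutvowels.org or something else.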
