Posted to users@httpd.apache.org by Victor Porton <po...@narod.ru> on 2015/04/06 19:24:16 UTC
[users@httpd] StartSSL (not self-signed) cert but says "The certificate is not trusted because it is self-signed"
I've tried to set up SSL for one site on my Debian Linux wheezy server
(which serves multiple domains).
I've prepared StartSSL keys and certificate and put them
into /etc/apache2/ssl/
But when I started the below configuration (with Debian command
`a2ensite withoutvowels.conf`), after I opened
https://withoutvowels.org/wiki/Without_Vowels_project I've got
[[[[
This Connection is Untrusted
You have asked Iceweasel to connect securely to withoutvowels.org, but
we can't confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted
identification to prove that you are going to the right place. However,
this site's identity can't be verified.
What Should I Do?
If you usually connect to this site without problems, this error could
mean that someone is trying to impersonate the site, and you shouldn't
continue.
withoutvowels.org uses an invalid security certificate. The certificate
is not trusted because it is self-signed. The certificate is only valid
for d1stkfactory (Error code: sec_error_unknown_issuer)
]]]]
After this error I've stopped using the below configuration and
replaced it with my old (non-SSL) configuration.
The config /etc/apache2/sites-available/withoutvowels.conf for the site
is below:
<VirtualHost *:443>
ServerName withoutvowels.org
SuexecUserGroup withoutvowels withoutvowels
ServerAdmin webmaster@localhost
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/apache2/ssl/ssl.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
DocumentRoot /var/www/withoutvowels/web
<Directory /var/www/withoutvowels>
Options Indexes SymlinksIfOwnerMatch
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName www.withoutvowels.org
Redirect permanent / https://withoutvowels.org/
</VirtualHost>
<VirtualHost *:443>
ServerName www.withoutvowels.org
Redirect permanent / https://withoutvowels.org/
</VirtualHost>
<VirtualHost *:80>
ServerName withoutvowels.org
Redirect permanent / https://withoutvowels.org/
</VirtualHost>
--
Victor Porton - http://portonvictor.org
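The browser message above names a subject (d1stkfactory) that is not the name StartSSL issued for, so before suspecting StartSSL it is worth confirming that the certificate on the wire is the one in /etc/apache2/ssl/ssl.crt at all. The script below is an added example (not code from the thread, from Apache or from StartSSL) that does this with the openssl CLI: fetch what the server presents for the SNI name, compare fingerprints with the configured file, and run the issuer, name and key checks a browser would. It assumes openssl 1.0.2 or newer (for -checkhost); the host name and paths from the post are only parameters. If the fingerprints differ, `apache2ctl -S` lists which `<VirtualHost *:443>` blocks Apache has picked up and in what order.

```sh
#!/bin/sh
# Added example, not code from the thread: check the certificate the server
# actually presents on :443 against the files configured in the vhost, and
# run the checks the browser runs (issuer vs. subject, name match).
# Assumes the openssl CLI (1.0.2 or later for -checkhost); the host name and
# file paths below are the ones from the thread and are only parameters.

# Subject / issuer of a PEM certificate with the "subject=" / "issuer="
# prefix stripped, so the two can be compared as strings.
cert_subject() { openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer= *//'; }

# 0 when the certificate names itself as issuer. Iceweasel reports exactly
# this case as "self-signed" / sec_error_unknown_issuer. Comparing the two
# names is a heuristic; the authoritative test is verifying the signature.
is_self_signed() { [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]; }

# 0 when the certificate is valid for the host name (SAN dNSName entries,
# falling back to the CN when there is no SAN, as OpenSSL does).
cert_matches_host() { # cert host
    openssl x509 -noout -checkhost "$2" -in "$1" | grep -q 'does match'
}

# 0 when key and certificate carry the same public key. mod_ssl would refuse
# to start on a mismatch, so this mostly rules out a wrong file being copied.
key_matches_cert() { # key cert
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -noout -pubkey -in "$2")" ]
}

# SHA-256 fingerprint, for comparing the file on disk with what is served.
cert_fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }

# Fetch the leaf certificate the server sends for a given SNI name.
# Network-only; the offline checks above do not depend on it.
served_cert() { # host port outfile
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# Whole diagnosis, e.g.:
#   diagnose withoutvowels.org /etc/apache2/ssl/private.key /etc/apache2/ssl/ssl.crt
diagnose() { # host key cert
    tmp=$(mktemp) || return 2
    if ! served_cert "$1" 443 "$tmp"; then
        echo "could not fetch a certificate from $1:443"; rm -f "$tmp"; return 2
    fi
    echo "served:     $(cert_fingerprint "$tmp")"
    echo "configured: $(cert_fingerprint "$3")"
    [ "$(cert_fingerprint "$tmp")" = "$(cert_fingerprint "$3")" ] \
        || echo "MISMATCH: $1 is not serving $3 (another *:443 vhost may be answering)"
    is_self_signed "$tmp" \
        && echo "served certificate is self-signed: $(cert_issuer "$tmp")"
    cert_matches_host "$tmp" "$1" \
        || echo "served certificate is not valid for $1: $(cert_subject "$tmp")"
    key_matches_cert "$2" "$3" \
        || echo "$2 does not belong to $3"
    rm -f "$tmp"
}

if [ "$#" -eq 3 ]; then diagnose "$1" "$2" "$3"; fi
```

Run it on the server or on any machine that can reach port 443. The offline functions are also useful on their own: `is_self_signed /etc/apache2/ssl/ssl.crt` should fail for a certificate actually issued by StartSSL, whose issuer is the intermediate in sub.class1.server.ca.pem, and `cert_matches_host /etc/apache2/ssl/ssl.crt withoutvowels.org` should succeed.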
Re: [users@httpd] StartSSL (not self-signed) cert but says "The certificate is not trusted because it is self-signed"
Posted by Victor Porton <po...@narod.ru>.
On Mon, 2015-04-06 at 21:32 +0200, Sebastian Pipping wrote:
> On 06.04.2015 21:07, Victor Porton wrote:
> > I've verified my cert for a domain (withoutvowels.org) not for an IP. So
> > I wonder where "d1stkfactory" came from.
>
> Have you tried
>
> fgrep -R d1stkfactory /etc
>
This fgrep prints nothing.
>
> > Please explain how to disable SSLv3 in Apache.
>
> That would be
>
> SSLProtocol all -SSLv2 -SSLv3
>
Done.
> https://wiki.mozilla.org/Security/Server_Side_TLS#Apache
>
> Best,
>
>
>
> Sebastian
--
Victor Porton - http://portonvictor.org
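The two points Sebastian raised against the vhost, SSLv3 still enabled and an SSLCipherSuite that leaves RC4 reachable, can be checked mechanically rather than by eye. The script below is an added example (not code from the thread or from the Mozilla guide) that reads the two directives out of a vhost file and flags both. The weak sample is the configuration posted earlier in the thread; the hardened sample is an illustration with an assumed cipher string, not the Mozilla guide's exact recommendation, which should be taken from the page linked above.

```sh
#!/bin/sh
# Added example, not code from the thread: audit the SSLProtocol and
# SSLCipherSuite lines of an Apache vhost for the two things raised in the
# thread, SSLv3 still enabled (POODLE) and RC4 still negotiable. The weak
# sample is the vhost posted in the thread; the hardened one is illustrative
# and its cipher string is an assumption, not the Mozilla guide's string.

# Value of the first uncommented occurrence of a directive in a config file.
directive() { # file name
    grep -v '^[[:space:]]*#' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" | head -n 1
}

# 0 when SSLv3 cannot be negotiated. mod_ssl syntax: "all" plus "-proto"
# removals, or an explicit positive list. A missing directive means "all"
# on the Apache 2.2 that ships with wheezy (2.4.17+ defaults to all -SSLv3).
sslv3_disabled() { # file
    p=$(directive "$1" SSLProtocol)
    case " $p " in
        *' -SSLv3 '*) return 0 ;;                                   # explicitly removed
        '  ') return 1 ;;                                           # absent: default "all"
        *' all '*|*' +all '*|*' SSLv3 '*|*' +SSLv3 '*) return 1 ;;  # SSLv3 on
        *) return 0 ;;                                              # positive list without it
    esac
}

# 0 when RC4 suites are excluded. Textual approximation: "!RC4" kills them
# for good, while ALL/DEFAULT/MEDIUM or a bare RC4 term leaves them reachable
# on the OpenSSL 1.0.x of the era. `openssl ciphers -v "$string"` run on the
# server itself is the authoritative answer.
rc4_excluded() { # file
    c=$(directive "$1" SSLCipherSuite)
    case ":$c:" in
        *':!RC4:'*) return 0 ;;
        *'RC4'*|*':ALL:'*|*':DEFAULT:'*|*':MEDIUM:'*|*':+MEDIUM:'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample: the SSL lines of the vhost posted in the thread.
write_weak() { # outfile
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
</VirtualHost>
EOF
}

# Constructed sample: the same vhost with SSLv3 and RC4 off and the server's
# preference order enforced (cipher string is an assumption, see above).
write_hardened() { # outfile
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
</VirtualHost>
EOF
}

# Print findings for one config file; returns 0 only if both checks pass.
audit() { # file
    rc=0
    echo "== $1"
    echo "SSLProtocol:    $(directive "$1" SSLProtocol)"
    echo "SSLCipherSuite: $(directive "$1" SSLCipherSuite)"
    sslv3_disabled "$1" || { echo "FAIL: SSLv3 still enabled, add -SSLv3"; rc=1; }
    rc4_excluded "$1"   || { echo "FAIL: RC4 suites still negotiable, add !RC4"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

if [ "$#" -ge 1 ]; then for f in "$@"; do audit "$f"; done; fi
```

Point it at /etc/apache2/sites-available/withoutvowels.conf (or any enabled site) and it prints the two directives and a FAIL line for each finding; the exit status makes it usable from a deployment check. After changing SSLProtocol, `apache2ctl configtest` and a reload are still needed for the new value to take effect.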
Re: [users@httpd] StartSSL (not self-signed) cert but says "The certificate is not trusted because it is self-signed"
Posted by Sebastian Pipping <se...@pipping.org>.
On 06.04.2015 21:07, Victor Porton wrote:
>> How did you prepare those?
>> Did you follow the StartSSL steps on the website wizard and obtained
>> both of these files through downloading from their website?
>>
> I've obtained both the certificate and the key (which I have deciphered
> on my machine) from StartSSL.
>
> I have copy&pasted them from their site's control panel (if it is called
> control panel).
I just refound this screenshot story of the process:
https://github.com/ioerror/duraconf/tree/master/startssl#user-content-startssl
You could compare if anything went different for you, if you like.
> I've verified my cert for a domain (withoutvowels.org) not for an IP. So
> I wonder where "d1stkfactory" came from.
Have you tried
fgrep -R d1stkfactory /etc
?
> Please explain how to disable SSLv3 in Apache.
That would be
SSLProtocol all -SSLv2 -SSLv3
https://wiki.mozilla.org/Security/Server_Side_TLS#Apache
Best,
Sebastian
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] StartSSL (not self-signed) cert but says "The certificate is not trusted because it is self-signed"
Posted by Victor Porton <po...@narod.ru>.
On Mon, 2015-04-06 at 20:31 +0200, Sebastian Pipping wrote:
> On 06.04.2015 19:24, Victor Porton wrote:
> > I've tried to set up SSL for one site on my Debian Linux wheezy server
> > (which serves multiple domains).
> >
> > I've prepared StartSSL keys and certificate and put them into
> > /etc/apache2/ssl/
>
> How did you prepare those?
> Did you follow the StartSSL steps on the website wizard and obtained
> both of these files through downloading from their website?
>
I've obtained both the certificate and the key (which I have deciphered
on my machine) from StartSSL.
I have copy&pasted them from their site's control panel (if it is called
control panel).
> > But when I started the below configuration (with Debian command
> > `a2ensite withoutvowels.conf`), after I opened
> > https://withoutvowels.org/wiki/Without_Vowels_project I've got
> >
> > [[[[
> > This Connection is Untrusted
> >
> > You have asked Iceweasel to connect securely to withoutvowels.org, but
> > we can't confirm that your connection is secure.
> >
> > Normally, when you try to connect securely, sites will present trusted
> > identification to prove that you are going to the right place. However,
> > this site's identity can't be verified.
> > What Should I Do?
> >
> > If you usually connect to this site without problems, this error could
> > mean that someone is trying to impersonate the site, and you shouldn't
> > continue.
> >
> > withoutvowels.org uses an invalid security certificate. The certificate
> > is not trusted because it is self-signed. The certificate is only valid
> > for d1stkfactory (Error code: sec_error_unknown_issuer)
> > ]]]]
>
> That "d1stkfactory" in there is interesting.
>
> Are you hosted at DigitalOcean? I found this using Google:
>
> http://blog.vucica.net/2014/03/mails-appearing-from-d1stkfactory.html
>
Yes, I am hosted at Digital Ocean.
I've verified my cert for a domain (withoutvowels.org) not for an IP. So
I wonder where "d1stkfactory" came from.
> My guess right now is that you made the certificate on a machine of
> yours rather than downloading a cert from StartSSL. Did you use a
> certificate signing request to get your existing cert signed?
>
I didn't make the certificate on my machine. The only things I did on my
machine were:
1. I've deciphered the private key.
2. I've renamed the file from ssl.key into private.key.
>
> > After this error I've stopped using the below configuration and
> > replaced it with my old (non-SSL) configuration.
> >
> > The config /etc/apache2/sites-available/withoutvowels.conf for the site
> > is below:
> >
> > <VirtualHost *:443>
> > ServerName withoutvowels.org
> >
> > SuexecUserGroup withoutvowels withoutvowels
> >
> > ServerAdmin webmaster@localhost
> >
> > SSLEngine on
> > SSLProtocol all -SSLv2
> > SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
> > SSLCertificateFile /etc/apache2/ssl/ssl.crt
> > SSLCertificateKeyFile /etc/apache2/ssl/private.key
> > SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
>
> This looks a lot like
> https://www.startssl.com/?app=21
>
> Please consider disabling SSLv3 as well, because:
> https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
>
Please explain how to disable SSLv3 in Apache.
> Having SSLv3 enabled will also not look good on the ssllabs test page, e.g.
> https://www.ssllabs.com/ssltest/analyze.html?d=google.com&s=74.125.224.8
>
> Best,
>
>
>
> Sebastian
I've also reported the bug to StartSSL:
https://bugzilla.startcom.org/show_bug.cgi?id=363
--
Victor Porton - http://portonvictor.org
Re: [users@httpd] StartSSL (not self-signed) cert but says "The certificate is not trusted because it is self-signed"
Posted by Sebastian Pipping <se...@pipping.org>.
On 06.04.2015 19:24, Victor Porton wrote:
> I've tried to set up SSL for one site on my Debian Linux wheezy server
> (which serves multiple domains).
>
> I've prepared StartSSL keys and certificate and put them into
> /etc/apache2/ssl/
How did you prepare those?
Did you follow the StartSSL steps on the website wizard and obtained
both of these files through downloading from their website?
> But when I started the below configuration (with Debian command
> `a2ensite withoutvowels.conf`), after I opened
> https://withoutvowels.org/wiki/Without_Vowels_project I've got
>
> [[[[
> This Connection is Untrusted
>
> You have asked Iceweasel to connect securely to withoutvowels.org, but
> we can't confirm that your connection is secure.
>
> Normally, when you try to connect securely, sites will present trusted
> identification to prove that you are going to the right place. However,
> this site's identity can't be verified.
> What Should I Do?
>
> If you usually connect to this site without problems, this error could
> mean that someone is trying to impersonate the site, and you shouldn't
> continue.
>
> withoutvowels.org uses an invalid security certificate. The certificate
> is not trusted because it is self-signed. The certificate is only valid
> for d1stkfactory (Error code: sec_error_unknown_issuer)
> ]]]]
That "d1stkfactory" in there is interesting.
Are you hosted at DigitalOcean? I found this using Google:
http://blog.vucica.net/2014/03/mails-appearing-from-d1stkfactory.html
My guess right now is that you made the certificate on a machine of
yours rather than downloading a cert from StartSSL. Did you use a
certificate signing request to get your existing cert signed?
> After this error I've stopped using the below configuration and
> replaced it with my old (non-SSL) configuration.
>
> The config /etc/apache2/sites-available/withoutvowels.conf for the site
> is below:
>
> <VirtualHost *:443>
> ServerName withoutvowels.org
>
> SuexecUserGroup withoutvowels withoutvowels
>
> ServerAdmin webmaster@localhost
>
> SSLEngine on
> SSLProtocol all -SSLv2
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
> SSLCertificateFile /etc/apache2/ssl/ssl.crt
> SSLCertificateKeyFile /etc/apache2/ssl/private.key
> SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
This looks a lot like
https://www.startssl.com/?app=21
Please consider disabling SSLv3 as well, because:
https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
Having SSLv3 enabled will also not look good on the ssllabs test page, e.g.
https://www.ssllabs.com/ssltest/analyze.html?d=google.com&s=74.125.224.8
Best,
Sebastian