Posted to users@httpd.apache.org by Yves Goergen <no...@unclassified.de> on 2020/07/02 20:08:54 UTC

[users@httpd] Test an SSL certificate before installation

Hello,

I'd like to let my users install their own SSL certificates through a 
web interface for self-management services. If a user provides a 
malicious certificate, the entire server will fail to start and the 
whole system is down. This is a bit hard but that's how it is.

So I'll have to make sure the certificate and key are usable by apache 
before generating the config that will use it.

I could run basic checks like let openssl parse it. But I've managed to 
break my test server by providing it a perfectly working certificate and 
key - from an old domain from 2016. The server complained with this message:

 > SSL Library Error: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

That's from my letsencrypt archives. A newer one of the same domain from 
2018 works just fine on the same new dev server. So there are obviously 
circumstances that let apache fail on the certificate that I can't fully 
analyse.

Is there a method to have apache check that certificate and key in 
advance, considering its usual configuration, before I expect it to use 
the certificate? I don't want to let it try out the file on a production 
system, and learn about an unsupported certificate by a web server 
that's down. There has to be a smarter way to handle this.

-Yves

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Test an SSL certificate before installation

Posted by angel Hall-Coulston <ra...@me.com.INVALID>.
I agree… certs are all about trust and giving users carte blanche may not be such a great idea. LE certs are free to my current knowledge, and are building trust.

Angel
Scotland.

> On 3 Jul 2020, at 05:01, @lbutlr <kr...@kreme.com> wrote:
> 
> On 02 Jul 2020, at 14:08, Yves Goergen <no...@unclassified.de> wrote:
>> I'd like to let my users install their own SSL certificates through a web interface for self-management services.
> 
> Wouldn't it be simpler to just get a LE cert for those domains? What is the advantage to having them upload their own certs?
> 
> --
> "Are you pondering what I'm pondering?"
> "I think so, Brain. But will anyone other than Eskimos buy
> blubber-flavored chewing gum?"


Re: [users@httpd] Test an SSL certificate before installation

Posted by "@lbutlr" <kr...@kreme.com>.
On 02 Jul 2020, at 14:08, Yves Goergen <no...@unclassified.de> wrote:
> I'd like to let my users install their own SSL certificates through a web interface for self-management services.

Wouldn't it be simpler to just get a LE cert for those domains? What is the advantage to having them upload their own certs?

-- 
"Are you pondering what I'm pondering?"
"I think so, Brain. But will anyone other than Eskimos buy
blubber-flavored chewing gum?"


Re: [users@httpd] Test an SSL certificate before installation

Posted by Filipe Cifali <ci...@gmail.com>.
Just an idea: run a separate instance locally on a random port (to avoid
collisions) with the certificate. If it fails to start, bingo; if it doesn't
fail, you are good to put the cert on the main instance.

On Thu, Jul 2, 2020 at 5:09 PM Yves Goergen <no...@unclassified.de>
wrote:

> Hello,
>
> I'd like to let my users install their own SSL certificates through a
> web interface for self-management services. If a user provides a
> malicious certificate, the entire server will fail to start and the
> whole system is down. This is a bit hard but that's how it is.
>
> So I'll have to make sure the certificate and key are usable by apache
> before generating the config that will use it.
>
> I could run basic checks like let openssl parse it. But I've managed to
> break my test server by providing it a perfectly working certificate and
> key - from an old domain from 2016. The server complained with this
> message:
>
>  > SSL Library Error: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
>
> That's from my letsencrypt archives. A newer one of the same domain from
> 2018 works just fine on the same new dev server. So there are obviously
> circumstances that let apache fail on the certificate that I can't fully
> analyse.
>
> Is there a method to have apache check that certificate and key in
> advance, considering its usual configuration, before I expect it to use
> the certificate? I don't want to let it try out the file on a production
> system, and learn about an unsupported certificate by a web server
> that's down. There has to be a smarter way to handle this.
>
> -Yves
>

-- 
[ ]'s

Filipe Cifali Stangler
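A lighter pre-flight than a throwaway httpd instance, as an added example that is not code from the thread: Python's ssl module wraps the same OpenSSL functions mod_ssl calls, so loading the uploaded pair into an SSLContext at the server's security level reproduces errors such as the "ca md too weak" above without starting Apache. It assumes the checking host links the same OpenSSL build and @SECLEVEL as the httpd host (Debian-family openssl.cnf sets SECLEVEL=2, and Apache's SSLCipherSuite can set it too); make_test_pair is a constructed fixture that shells out to the openssl CLI.

```python
"""Pre-flight an uploaded certificate/key pair through the same OpenSSL entry
points mod_ssl uses, so a bad upload fails here, not in the production httpd."""
import os
import ssl
import subprocess
import tempfile
from typing import Optional, Tuple


def check_cert_chain(certfile: str, keyfile: str, seclevel: int = 1) -> Optional[str]:
    """Return None if OpenSSL accepts the pair, else the OpenSSL reason code.

    load_cert_chain() ends in SSL_CTX_use_certificate(), the call named in the
    error above, so the same security-level checks run: key size, signature
    digest of CA and leaf, key/cert match.  seclevel must mirror the @SECLEVEL
    in the server's SSLCipherSuite or distro openssl.cnf (assumed 1 here), and
    the result only transfers if this host links the same OpenSSL as httpd.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(f"DEFAULT:@SECLEVEL={seclevel}")
        ctx.load_cert_chain(certfile, keyfile)
    except ssl.SSLError as exc:  # e.g. CA_MD_TOO_WEAK, EE_KEY_TOO_SMALL, KEY_VALUES_MISMATCH
        return exc.reason or str(exc)
    except OSError as exc:  # missing or unreadable file
        return str(exc)
    return None


def make_test_pair(digest: str = "sha256", bits: int = 2048) -> Tuple[str, str]:
    """Constructed test fixture: a throwaway CA and a leaf it signs with `digest`
    over an RSA key of `bits`, built with the openssl CLI in a fresh temp dir.
    Returns (fullchain.pem, leaf.key), the layout an uploader would hand over."""
    d = tempfile.mkdtemp()

    def p(name: str) -> str:
        return os.path.join(d, name)

    def run(*args: str) -> None:
        subprocess.run(["openssl", *args], check=True, capture_output=True)

    run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=Throwaway CA",
        "-keyout", p("ca.key"), "-out", p("ca.pem"))
    run("req", "-newkey", f"rsa:{bits}", "-nodes", "-subj", "/CN=www.example.test",
        "-keyout", p("leaf.key"), "-out", p("leaf.csr"))
    run("x509", "-req", f"-{digest}", "-in", p("leaf.csr"), "-CA", p("ca.pem"),
        "-CAkey", p("ca.key"), "-CAcreateserial", "-out", p("leaf.pem"))
    with open(p("fullchain.pem"), "w") as chain:  # leaf first, then issuer
        for name in ("leaf.pem", "ca.pem"):
            with open(p(name)) as part:
                chain.write(part.read())
    return p("fullchain.pem"), p("leaf.key")
```

OpenSSL exempts self-signed certificates from the signature-digest check, so a self-signed SHA-1 cert passes this (and mod_ssl) while a CA-issued SHA-1 cert is rejected once the security level demands more than SHA-1 offers.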