Openssl certificate issue

Solved
kakashi05 Posted messages 195 Status Member -  
 Manu -
Hello,
I am trying to set up an Apache server on Mandriva 2009 and I would like to use OpenSSL after creating a certificate. However, when I try to connect to one of my VirtualHosts using https, I receive the following error message:

www.secure.com:443 uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

(Error code: sec_error_untrusted_issuer)

And when I type the following command to verify, I get

[root@localhost conf]# openssl s_server -cert certificat.pem -www
unable to load server certificate private key file
4464:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY

If anyone has any ideas, thanks.
Configuration: Linux Mandriva Firefox 3.0.3

7 answers

kakashi05 Posted messages 195 Status Member 32
 
In fact, the Apache server is just a little exercise I'm doing at home to revise a bit.

Let me explain a little what I've done

I edited the following file in conf

#vi /etc/httpd/conf/httpd.conf

I added the following lines:

<VirtualHost *:443>
DocumentRoot /var/www/secure.com
ServerName www.secure.com

SSLCertificateFile /etc/httpd/conf/certificat.pem
sslcertificatekeyfile /etc/httpd/conf/server.key
SSLEngine on

<Directory /var/www/secure.com>
Options +Indexes
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

Then I added a certificate with the following command

#openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/httpd/conf/certificat.pem -out /etc/httpd/conf/server.key

Then I uncommented the line in the httpd.conf file

LoadModule ssl_module modules/mod_ssl.so

Then I edited the file vi /etc/hosts

127.0.0.1 www.secure.com

And when I type in my terminal
#firefox https://www.secure.com

I get the following error message and it's really the one that bothers me

www.secure.com:443 uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

(Error code: sec_error_untrusted_issuer)

Well, I hope you understand my configuration a bit, I think I may not have configured something or I may have misconfigured it.

If anyone has an idea, thank you.
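The openssl req command above writes the private key to certificat.pem (-keyout) and the certificate to server.key (-out), the opposite of what the SSLCertificateFile and SSLCertificateKeyFile lines expect. As an added example, not code from the thread, this POSIX shell script tells a PEM key from a PEM certificate by its BEGIN line, generates the pair with each file in its intended place, and checks that the certificate and key belong together; the names server.key/server.crt and the CN www.secure.com are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: sort out which PEM file holds the key
# and which holds the certificate, then check that the two belong together.
set -e

# pem_kind FILE -> prints key | cert | csr | unknown, decided by the first
# "-----BEGIN ...-----" line (the error "Expecting: ANY PRIVATE KEY" means
# OpenSSL found no such key header in the file it was handed).
pem_kind() {
    hdr=$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null || true)
    case "$hdr" in
        *'PRIVATE KEY-----')         echo key ;;
        *'BEGIN CERTIFICATE-----')   echo cert ;;
        *'CERTIFICATE REQUEST-----') echo csr ;;
        *)                           echo unknown ;;
    esac
}

# make_selfsigned DIR CN: -keyout receives the private key and -out the
# certificate, matching SSLCertificateKeyFile and SSLCertificateFile.
make_selfsigned() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# pair_matches CERT KEY -> succeeds only when the certificate carries the
# public key derived from KEY; fails if either file is of the wrong kind.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Demo (skipped when openssl is absent); www.secure.com is the CN from the thread.
if command -v openssl >/dev/null 2>&1; then
    dir=$(mktemp -d)
    make_selfsigned "$dir" www.secure.com
    echo "server.key holds a $(pem_kind "$dir/server.key")"
    echo "server.crt holds a $(pem_kind "$dir/server.crt")"
    openssl x509 -in "$dir/server.crt" -noout -subject -issuer -dates
    if pair_matches "$dir/server.crt" "$dir/server.key"; then
        echo "certificate and key match"
    fi
    rm -rf "$dir"
fi
```

Pointing Apache at the two files in the order they were generated here makes `openssl s_server -cert server.crt -key server.key -www` load both without the "no start line" error.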
kakashi05 Posted messages 195 Status Member 32
 
The problem was solved; it just needed to be accepted by the browser. Thank you.
kakashi05 Posted messages 195 Status Member 32
 
Another point when doing

[root@localhost conf]# /etc/init.d/httpd restart
Shutting down httpd: [ OK ]
Starting httpd: Warning: DocumentRoot /srv/www/secure.com does not exist
[Sat Nov 29 13:35:18 2008] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Sat Nov 29 13:35:18 2008] [warn] NameVirtualHost *:80 has no VirtualHosts
[ OK ]

I had a small conflict, which is now resolved

[root@localhost conf]# /etc/init.d/httpd restart
Shutting down httpd: [ OK ]
Starting httpd: Warning: DocumentRoot /srv/www/secure.com does not exist
[Sat Nov 29 13:35:18 2008] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Sat Nov 29 13:35:18 2008] [warn] NameVirtualHost *:80 has no VirtualHosts
[ OK ]
But when I run the test command, the same message still appears

[root@localhost conf]# openssl s_server -cert certificat.pem -www
unable to load server certificate private key file
5373:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY
kakashi05 Posted messages 195 Status Member 32
 
After some modifications, I get

[root@localhost conf]# openssl s_server -cert certificat.pem -www
unable to load server certificate private key file
6105:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY
kakashi05 Posted messages 195 Status Member 32
 
Does anyone have an idea?
Manu
 
Hello,

I'm not sure I understood everything, but

The certificate is not secure because it is self-signed
means that you are using a certificate from a certificate authority for the server. These certificates should only be used to sign server or client certificates.

In OpenSSL, you first need to create an authority (self-signed certificate), and then with this certificate, you need to create the server certificate. The latter must have the same name as your server (is srv/www/secure.com really your own server?) and it is the private key (not the certificate) that you need to place on the server.

You also have issues with sharing http(80)/https(443), but I'm not knowledgeable in that area.

Manu
Manu
 
Hello again,

Two corrections:
- On the server, you need to put the private key and the server certificate.
- The server certificate must be in the name of the server, so if I understand correctly www.secure.com

Manu
lami20j Posted messages 21506 Registration date   Status Moderator, Security Contributor Last intervention   3 571
 
Hi,

Shouldn't a private key remain private?
Isn't it the public key that should be sent to the server?
--
106485010510997108
Manu > lami20j Posted messages 21506 Registration date   Status Moderator, Security Contributor Last intervention  
 
Hello,

Shouldn't a private key remain private?
Isn't it the public key that should be sent to the server?

Of course the private key must be private, meaning known only to its owner, here the server.

A server key is used to authenticate the server, allowing the client to be sure that it is not addressing a non-authentic server. During the connection phase, the client sends a random piece of information, the server encrypts it with its private key and sends the client the encrypted value and the certificate (which contains the public key). The client can verify the certificate because it is established in the name of the server and is signed by a known authority (*) and can verify that decrypting the received encrypted value returns the original random number. The client is then sure that the one who responded to it possessed the private key, thus confirming it is the authentic server.

(*) I forgot to mention that the certification authority's certificate must be placed in the client's certificate store.

Manu
lami20j Posted messages 21506 Registration date   Status Moderator, Security Contributor Last intervention   3 571 > Manu
 
Re,

Oops, I skimmed through it ;-)
--
106485010510997108
seth > Manu
 
Hello, I have a quick question: if the server encrypts the message with its private key and sends it back to the client, anyone can intercept that message and decrypt it with the server's public key... Right? Also, aren't you supposed to encrypt a message you send with the recipient's public key? I did not quite follow that passage...
Thanks for your reply.
Manu
 
Hello,

Hello, I have a quick question: if the server encrypts the message with its private key and sends it back to the client, anyone can intercept this message and decrypt it using the server's public key... Right?

Yes.

However, this was during the mutual authentication phase, and the message in question is a random piece of information generated by the client. What benefit would a spy gain from listening? Only the client can compare it to the original value, which allows them to verify that their interlocutor has the private key of which the client has the public key.

Manu