Openssl certificate issue
Solved
kakashi05
Hello,
I am trying to set up an Apache server on Mandriva 2009 and I would like to use OpenSSL after creating a certificate. However, when I try to connect to one of my VirtualHosts using https, I receive the following error message:
www.secure.com:443 uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
(Error code: sec_error_untrusted_issuer)
And when I type the following command to verify, I get
[root@localhost conf]# openssl s_server -cert certificat.pem -www
unable to load server certificate private key file
4464:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY
If anyone has any ideas, thanks.
Configuration: Linux Mandriva Firefox 3.0.3
7 answers
In fact, the Apache server is just a little exercise I'm doing at home to revise a bit.
Let me explain a little what I've done
I edited the following file in conf
#vi /etc/httpd/conf/httpd.conf
I added the following lines:
<VirtualHost *:443>
DocumentRoot /var/www/secure.com
ServerName www.secure.com
SSLCertificateFile /etc/httpd/conf/certificat.pem
sslcertificatekeyfile /etc/httpd/conf/server.key
SSLEngine on
<Directory /var/www/secure.com>
Options +Indexes
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Then I added a certificate with the following command
#openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/httpd/conf/certificat.pem -out /etc/httpd/conf/server.key
Then I uncommented the line in the httpd.conf file
LoadModule ssl_module modules/mod_ssl.so
Then I edited the file vi /etc/hosts
127.0.0.1 www.secure.com
And when I type in my terminal
#firefox https://www.secure.com
I get the following error message and it's really the one that bothers me
www.secure.com:443 uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
(Error code: sec_error_untrusted_issuer)
Well, I hope you understand my configuration a bit, I think I may not have configured something or I may have misconfigured it.
If anyone has an idea, thank you.
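A diagnostic for the file mix-up in the commands above, added here as an example and not taken from the thread: openssl req writes the private key to the path given to -keyout and the certificate to the path given to -out, so with the options as posted certificat.pem receives the key and server.key the certificate, and s_server with only -cert reads its private key from that same file, which is where "Expecting: ANY PRIVATE KEY" comes from. The script assumes the openssl CLI is installed and creates its own scratch files; the subject name is constructed.

```shell
# Added diagnostic (not from the thread). Assumes the openssl CLI is on PATH;
# all file names are constructed for the demo inside a scratch directory.
set -eu

# Report what a PEM file holds by its BEGIN marker: key, cert or unknown.
# "no start line ... Expecting: ANY PRIVATE KEY" means the file that was
# read as the key (s_server defaults -key to the -cert file) had no key block.
pem_kind() {
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then echo key
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo cert
    else echo unknown
    fi
}

# A key and a certificate belong together only if their RSA moduli agree.
# Returns non-zero if either file is not the kind of object it should be.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The post's command in "$1": -keyout and -out are swapped, so certificat.pem
# receives the private key and server.key receives the certificate.
make_swapped_pair() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj '/CN=www.secure.com' \
        -keyout "$1/certificat.pem" -out "$1/server.key" 2>/dev/null
}

# The same command with the two options the right way round.
make_correct_pair() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj '/CN=www.secure.com' \
        -keyout "$1/server.key" -out "$1/certificat.pem" 2>/dev/null
}

# What Apache would find at SSLCertificateFile / SSLCertificateKeyFile.
report_pair() {
    printf 'SSLCertificateFile holds a %s, SSLCertificateKeyFile holds a %s, ' \
        "$(pem_kind "$1/certificat.pem")" "$(pem_kind "$1/server.key")"
    if key_matches_cert "$1/server.key" "$1/certificat.pem"; then echo 'pair OK'
    else echo 'pair BROKEN'; fi
}

d=$(mktemp -d)
make_swapped_pair "$d"; report_pair "$d"   # ... a key, ... a cert, pair BROKEN
make_correct_pair "$d"; report_pair "$d"   # ... a cert, ... a key, pair OK
```

The same two checks (BEGIN marker and modulus match) are worth running on any pair of files before pointing SSLCertificateFile and SSLCertificateKeyFile at them.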
Another point when doing
[root@localhost conf]# /etc/init.d/httpd restart
Shutting down httpd: [ OK ]
Starting httpd: Warning: DocumentRoot /srv/www/secure.com does not exist
[Sat Nov 29 13:35:18 2008] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Sat Nov 29 13:35:18 2008] [warn] NameVirtualHost *:80 has no VirtualHosts
[ OK ]
I had a small conflict that is resolved
[root@localhost conf]# /etc/init.d/httpd restart
Shutting down httpd: [ OK ]
Starting httpd: Warning: DocumentRoot /srv/www/secure.com does not exist
[Sat Nov 29 13:35:18 2008] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Sat Nov 29 13:35:18 2008] [warn] NameVirtualHost *:80 has no VirtualHosts
[ OK ]
But when I run the test command, the same message still appears
[root@localhost conf]# openssl s_server -cert certificat.pem -www
unable to load server certificate private key file
5373:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY
After some modifications, I get
[root@localhost conf]# openssl s_server -cert certificat.pem -www
unable to load server certificate private key file
6105:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY
Hello,
I'm not sure I understood everything, but
The certificate is not secure because it is self-signed
means that you are using a certificate from a certificate authority for the server. These certificates should only be used to sign server or client certificates.
In OpenSSL, you first need to create an authority (self-signed certificate), and then with this certificate, you need to create the server certificate. The latter must have the same name as your server (is srv/www/secure.com really your own server?) and it is the private key (not the certificate) that you need to place on the server.
You also have issues with sharing http(80)/https(443), but I'm not knowledgeable in that area.
Manu
Hello again,
Two corrections:
- On the server, you need to put the private key and the server certificate.
- The server certificate must be in the name of the server, so if I understand correctly www.secure.com
Manu
Hello,
Shouldn't a private key remain private?
Isn't it the public key that should be sent to the server?
Of course the private key must be private, meaning known only to its owner, here the server.
A server key is used to authenticate the server, allowing the client to be sure that it is not addressing a non-authentic server. During the connection phase, the client sends a random piece of information, the server encrypts it with its private key and sends the client the encrypted value and the certificate (which contains the public key). The client can verify the certificate because it is established in the name of the server and is signed by a known authority (*) and can verify that decrypting the received encrypted value returns the original random number. The client is then sure that the one who responded to it possessed the private key, thus confirming it is the authentic server.
(*) I forgot to mention that the certification authority's certificate must be placed in the client's certificate store.
Manu
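The setup Manu recommends in his first answer (an authority, then a server certificate in the server's name) and the proof of possession he describes in this one, as an added example that is not part of the thread. It assumes the openssl CLI; the CA name, the file names and the client nonce are constructed. The possession step is done as a signature over the nonce, verified with the public key from the certificate.

```shell
# Added example (not from the thread). Assumes the openssl CLI; file names,
# the CA name and the client nonce are constructed for the demo.
set -eu

# The authority Manu describes: a key and a self-signed CA certificate in "$1".
make_ca() {
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -subj '/CN=Home Lab Test CA' \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# The server's own key and a request in the server's name ($2), signed by the
# CA. The subjectAltName is what clients match against the host name.
make_server_cert() {
    openssl req -nodes -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.cnf"
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/san.cnf" -out "$1/server.pem" 2>/dev/null
}

# The client side: with the CA certificate in its trust store, check the chain
# and that the certificate is issued for the host name ($2) it connected to.
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" \
        "$1/server.pem" >/dev/null 2>&1
}

# The proof of possession Manu describes, done as a signature: the server
# signs the client's nonce with its private key and the client checks it with
# the public key taken out of the certificate it has just verified.
challenge_response() {
    printf 'constructed-client-nonce-1234' > "$1/nonce"
    openssl dgst -sha256 -sign "$1/server.key" -out "$1/nonce.sig" "$1/nonce"
    openssl x509 -in "$1/server.pem" -pubkey -noout > "$1/server.pub"
    openssl dgst -sha256 -verify "$1/server.pub" -signature "$1/nonce.sig" \
        "$1/nonce" >/dev/null 2>&1
}

d=$(mktemp -d)
make_ca "$d"; make_server_cert "$d" www.secure.com
verify_chain "$d" www.secure.com && echo 'chain and host name OK'
verify_chain "$d" www.example.org || echo 'certificate is not for that host'
challenge_response "$d" && echo 'nonce signature verified'
```

Real TLS proves possession of the key inside the handshake rather than with a bare nonce exchange, but the sign-then-verify step is the same primitive; importing ca.pem into the browser's certificate store is what removes the sec_error_untrusted_issuer message for certificates issued by that CA.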
Hello, I have a quick question: if the server encrypts the message with its private key and sends it back to the client, anyone can intercept this message and decrypt it using the server's public key... Right? Moreover, aren't we supposed to encrypt a message we send with the recipient's public key? I didn't quite follow that part...
Thank you for your reply.
Hello,
Hello, I have a quick question: if the server encrypts the message with its private key and sends it back to the client, anyone can intercept this message and decrypt it using the server's public key... Right?
Yes.
However, this was during the mutual authentication phase, and the message in question is a random piece of information generated by the client. What benefit would a spy gain from listening? Only the client can compare it to the original value, which allows them to verify that their interlocutor has the private key of which the client has the public key.
Manu