Re: Fwd: Enabling and using SSL on a web server - Solved

[Bob McClure Jr <robertmcclure earthlink net>]

Re-ordering this to our bottom posting standard ...

On Sat, Feb 14, 2004 at 03:34:25PM -0600, Greg Julius wrote:
> >>Date: Fri, 13 Feb 2004 21:33:22 -0600
> >>To: redhat-install-list redhat com
> >>From: Greg Julius <fromRedHatLists outtacyte com>
> >>Subject: Enabling and using SSL on a web server
> >>
> >>Hello all,
> >>
> >>I'm hoping folks on the list can give me some assistance as I've spent 
> >>the last couple of hours googling around and just haven't got any 
> >>traction yet on the task.
> >>
> >>Task:  Enable and use SSL on my test web server for in house testing.
> >>
> >>OK, I know that I have Openssl and mod_ssl on the system.  I am planning 
> >>on using a self-signed certificate on my system so I created a Host key 
> >>and cert.  I can see that I have the mod_ssl rpm on the system.  I have 
> >>RH 8 with a 2.4 kernel and I'm using Apache for the web server.
> >>
> >>How do I tell if Apache is using mod_ssl ?  Where do I look?  I don't see 
> >>anything in the httpd.conf and my trusty phpinfo.php doesn't show it 
> >>either.  Is there some place I can look or some empirical test?
> >>
> >>If I find that it's not enabled or installed, how do I go about 
> >>installing / enabling?
> >>
> >>If I find that it is installed and enabled, how do I go about installing 
> >>the key and cert that I've created?
> >>
> >>Finally, as I don't want the whole server to be secure, just certain 
> >>virtual hosts (like secure.example.com), what do I need to configure to 
> >>accomplish that?  I know about setting up virtual hosts, it's the secure 
> >>part that I'm going in circles on.
> >>
> >>OK.  I know that is a big laundry list.  If you don't have the answers at 
> >>your fingertips, I'm not adverse to reading so if you all can point me to 
> >>some instructions or places to read I'd be grateful.  So far I've found 
> >>discussion, but nothing with do this, then this, then that.  I could use 
> >>a cookbook right about now.
> >>
> >>Regards & Happy Valentine's Day,
> >>-g
>
> <Greg answers himself, to wit:>
>
> >Date: Fri, 13 Feb 2004 22:22:01 -0600
> >To: redhat-install-list redhat com
> >From: Greg Julius <fromRedHatLists outtacyte com>
> >Subject: Fwd: Enabling and using SSL on a web server
> >
> >Hello all,
> >
> >Another note.  I've poked around the log after trying to go to my 
> >webserver using https: .  I find this in the log called ssl_error_log
> >
> >[Fri Feb 13 21:40:12 2004] [warn] RSA server certificate is a CA 
> >certificate (BasicConstraints: CA == TRUE !?)
> >[Fri Feb 13 21:40:12 2004] [warn] RSA server certificate CommonName (CN) 
> >`internal' does NOT match server name!?
> >
> >My dns knows about:  (BTW, names are illustrative not actual)
> >internal.example.com            (this is my zone)
> >secure.internal.example.com     (this is a CNAME)
> >I can ping both of them just fine.  I have set up my virtual hosts on 
> >Apache so that I can get to secure.internal.example.com and have it 
> >serving pages from my secure directory when I use HTTP.  If I change it to 
> >HTTPS I get a 'cannot find server' page on IE.
> >
> >I get the feeling I'm good to go if I can just install my keys and 
> >certificates in the correct places.
> >
> >Ideally, I want references to secure.internal.example.com to only work if 
> >HTTPS is used.
> >
> >More grist as I find it...
> >-g
> >
> >
> 
> <Greg answers himself, again, to wit:>
>
> Hello All,
> 
> I was successful with this task.  A reply to my note from Harold gave me 
> just enough to crack the door that lead to success.  Sorry if this note is 
> long, but I wanted to put this info in the archives for future reference.
> 
> Before I go further, the RH docs contain a good description of the whole 
> secure setup thing at:
> http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/custom-guide/ch-httpd-secure-server.html
> 
> And, while not as directly useful, the Apache documentation contains a 
> description of it's use of ssl here:
> http://httpd.apache.org/docs-2.0/ssl/
> 
> <what appears to be an excellent tutorial, snipped>
> 
> Bob/Rick, if you want to dress it up and include it in the rhil how-to 
> area, feel free.
> 
> Regards,

Sounds good to me.  What think ye, Rick?

I know I'm going to squirrel it away in my "smart book".

Cheers,
-- 
Bob McClure, Jr.             Bobcat Open Systems, Inc.
robertmcclure earthlink net  http://www.bobcatos.com
God promised a safe landing, not smooth sailing.