# ssl configuration help please.

## cwc

I'm setting up an SSL server.  At least I am trying.

Additionally this is the first time I've done this.

I am trying to use openssl and this is probably the problem, but I thought I'd query the world's greatest Linux forum.

I've read multiple forum posts and tried to apply https in a simple way.

Here is the command I use to generate my certs.

```
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout cserver.key -out cserver.crt
```

and this is where I access them from:

```
# pwd
/etc/ssl/apache2
ciclo apache2 # ls -l
total 28
-rw-r--r-- 1 root root 1375 Aug 15 06:54 cserver.crt
-rw-r--r-- 1 root root 1704 Aug 15 06:54 cserver.key
drwxr-xr-x 2 root root 4096 Aug 11 06:05 hide
-r--r--r-- 1 root root 1042 Aug 14 07:47 server.crt
-r--r--r-- 1 root root  749 Aug 14 07:47 server.csr
-r-------- 1 root root  891 Aug 14 07:47 server.key
-r-------- 1 root root 1934 Aug 14 07:47 server.pem
```

```
## Server Certificate:
   # Point SSLCertificateFile at a PEM encoded certificate. If the certificate
   # is encrypted, then you will be prompted for a pass phrase. Note that a 
   # kill -HUP will prompt again. Keep in mind that if you have both an RSA
   # and a DSA certificate you can configure both in parallel (to also allow
   # the use of DSA ciphers, etc.) #cwc
   SSLCertificateFile /etc/ssl/apache2/cserver.crt

   ## Server Private Key:
   # If the key is not combined with the certificate, use this directive to
   # point at the key file. Keep in mind that if you've both a RSA and a DSA
   # private key you can configure both in parallel (to also allow the use of
   # DSA ciphers, etc.)#cwc
   SSLCertificateKeyFile /etc/ssl/apache2/cserver.key
```

I get the following error when I access the site using firefox.

The owner of https://icebowl.cc has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

I'd appreciate any advice.

----------

## chiefbag

That's normal, Firefox is complaining because your certificate is self-signed.

i.e. the root CA cannot be verified by the browser.

```
Certificate chain
 0 s:/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
   i:/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID7zCCAtegAwIBAgIJAKqqbaqiDkYFMA0GCSqGSIb3DQEBCwUAMIGNMQswCQYD
VQQGEwJVUzELMAkGA1UECAwCV0ExEjAQBgNVBAcMCUtFTk5FV0lDSzETMBEGA1UE
CgwKaWNlYm93bC5jYzETMBEGA1UECwwKaWNlYm93bC5jYzETMBEGA1UEAwwKaWNl
Ym93bC5jYzEeMBwGCSqGSIb3DQEJARYPY29sZW1hbkBvd3QuY29tMB4XDTE2MDgx
NTE4MjEzNloXDTE3MDgxNTE4MjEzNlowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQI
DAJXQTESMBAGA1UEBwwJS0VOTkVXSUNLMRMwEQYDVQQKDAppY2Vib3dsLmNjMRMw
EQYDVQQLDAppY2Vib3dsLmNjMRMwEQYDVQQDDAppY2Vib3dsLmNjMR4wHAYJKoZI
hvcNAQkBFg9jb2xlbWFuQG93dC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDgy91Z9q+tGlP3Qx6Xl+EfdiB2aajmUechG+02E+CziwXMH8vdIR9W
kkaVWRzyikDHlRqW6oaNPDr8pgRifH6YtGQpfPkrOH4Oy3azkP4UJgs1p4aVeFJr
LJCJmB10LI3KNOTnnKm3hWt/JQwqVSasoDIm6+acGyEDmAE8O83Kc+Wj+hRL1xBh
gIRrWNyzXUrYGZ6gBPHg6aFmjyxmaooTMf7ieAakPT3qdXF9W9n937W81xD6g+zI
nb2L01u2fv1Mc2ngGxUmqwf4GwDQrFl6NpTuWaFZ+Lu0smpNEIwuT6HiwHnZJrnL
Wdw327HoOmRi+LNrbH7ZSZTME03esTorAgMBAAGjUDBOMB0GA1UdDgQWBBRL9W1+
oKbgs6h2LnYu/8T3t6M2QTAfBgNVHSMEGDAWgBRL9W1+oKbgs6h2LnYu/8T3t6M2
QTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAQ/vANLxe3NglAzhiN
fY33PfaiSKwBYdbU7Jp5e3/N8WppmyKn9OERnv2Znh8MudRA2doV899eQdHlCon/
67eZlmJcnwDWziANmHRlQ1B4uV6cu3Hn3KTg1ewMOzEgbkTryTFHhZ6TAVrRqjwJ
gFtLkMrbCtH8CFUoeb8fmF+LddbD3pVfbAWVSd6vjWMzw6jdfO3+Unxx2LePrZcY
l27KXCr9pYvW7SDZDm6XaL+JbsoZP17h/uO/2W4NQ5FAbqjujb6XHYgixsVbQyq7
9ukA84pRXwJq0MRJ/6vPpNGpksAtN4zNIruNDnjZgWX8rGHeg1DahAkuHJ3ecvIj
AZC/
-----END CERTIFICATE-----
subject=/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
issuer=/C=US/ST=WA/L=KENNEWICK/O=icebowl.cc/OU=icebowl.cc/CN=icebowl.cc/emailAddress=coleman@owt.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1702 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: BE18E042A1020984AA26A9B05FCB24B29816B515CAFEDEE04696E0CADE7DD599
    Session-ID-ctx: 
    Master-Key: 3F73F7478756A0BDCAEAC163578635D22BA51B17F9CE43FDF95B79C70460BE5F8B89C03F792B0D9738703A2F2C901330
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 84 d7 af be 9e f6 e4 57-43 b5 b3 ba 71 c0 7e 3f   .......WC...q.~?
    0010 - 11 1d 61 49 a5 aa 9b 91-bb 2e 9e eb 21 00 58 0e   ..aI........!.X.
    0020 - 4f 3c 85 28 43 d1 83 10-a4 1f 4c 0f 9a 00 7a 8a   O<.(C.....L...z.
    0030 - ca 64 56 1c 99 7c ba b0-7b 65 5f e2 97 5a 65 7a   .dV..|..{e_..Zez
    0040 - 5a 62 88 17 b2 a4 e8 67-e1 c2 e2 78 78 12 1b 66   Zb.....g...xx..f
    0050 - cc 4c 20 ac 11 8d 58 0f-cd 60 f0 ef 57 48 25 a0   .L ...X..`..WH%.
    0060 - 50 68 1c c8 f8 1e 8b 54-82 f1 94 d9 1c 4e e8 99   Ph.....T.....N..
    0070 - f9 69 48 22 af 16 ee 4e-d9 24 13 65 b0 52 f5 ee   .iH"...N.$.e.R..
    0080 - c4 f1 9e ce 65 20 fa 37-e3 70 03 dc c6 a5 f5 34   ....e .7.p.....4
    0090 - b0 44 fd 17 ec 23 f4 d7-1a 32 03 ea 70 8b 37 5b   .D...#...2..p.7[
    00a0 - 5e 20 c2 24 7b 4f 2f 33-cc b0 1d 02 15 62 97 a4   ^ .${O/3.....b..
    00b0 - ac 7a 09 1f c5 5b 98 03-5b 6b 04 24 a6 e7 6c cb   .z...[..[k.$..l.
    Start Time: 1471335125
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
```
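The output above is what `openssl s_client -connect host:443` prints for a server, and the line `Verify return code: 18 (self signed certificate)` is the same fact Firefox is objecting to: the certificate's issuer is its own subject, so no trusted CA vouches for it. As an added example (not code from the thread), the following stand-alone Python walks the DER of the certificate chiefbag pasted, with a minimal ASN.1 reader written here, and reports subject and issuer the way openssl renders them. It assumes only the Python standard library; the helper names (`read_tlv`, `decode_name`, `is_self_signed`) are this example's own, and the parser checks structure only, not the signature.

```python
import base64

# Server certificate copied verbatim from the s_client output above.
SERVER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIID7zCCAtegAwIBAgIJAKqqbaqiDkYFMA0GCSqGSIb3DQEBCwUAMIGNMQswCQYD
VQQGEwJVUzELMAkGA1UECAwCV0ExEjAQBgNVBAcMCUtFTk5FV0lDSzETMBEGA1UE
CgwKaWNlYm93bC5jYzETMBEGA1UECwwKaWNlYm93bC5jYzETMBEGA1UEAwwKaWNl
Ym93bC5jYzEeMBwGCSqGSIb3DQEJARYPY29sZW1hbkBvd3QuY29tMB4XDTE2MDgx
NTE4MjEzNloXDTE3MDgxNTE4MjEzNlowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQI
DAJXQTESMBAGA1UEBwwJS0VOTkVXSUNLMRMwEQYDVQQKDAppY2Vib3dsLmNjMRMw
EQYDVQQLDAppY2Vib3dsLmNjMRMwEQYDVQQDDAppY2Vib3dsLmNjMR4wHAYJKoZI
hvcNAQkBFg9jb2xlbWFuQG93dC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDgy91Z9q+tGlP3Qx6Xl+EfdiB2aajmUechG+02E+CziwXMH8vdIR9W
kkaVWRzyikDHlRqW6oaNPDr8pgRifH6YtGQpfPkrOH4Oy3azkP4UJgs1p4aVeFJr
LJCJmB10LI3KNOTnnKm3hWt/JQwqVSasoDIm6+acGyEDmAE8O83Kc+Wj+hRL1xBh
gIRrWNyzXUrYGZ6gBPHg6aFmjyxmaooTMf7ieAakPT3qdXF9W9n937W81xD6g+zI
nb2L01u2fv1Mc2ngGxUmqwf4GwDQrFl6NpTuWaFZ+Lu0smpNEIwuT6HiwHnZJrnL
Wdw327HoOmRi+LNrbH7ZSZTME03esTorAgMBAAGjUDBOMB0GA1UdDgQWBBRL9W1+
oKbgs6h2LnYu/8T3t6M2QTAfBgNVHSMEGDAWgBRL9W1+oKbgs6h2LnYu/8T3t6M2
QTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAQ/vANLxe3NglAzhiN
fY33PfaiSKwBYdbU7Jp5e3/N8WppmyKn9OERnv2Znh8MudRA2doV899eQdHlCon/
67eZlmJcnwDWziANmHRlQ1B4uV6cu3Hn3KTg1ewMOzEgbkTryTFHhZ6TAVrRqjwJ
gFtLkMrbCtH8CFUoeb8fmF+LddbD3pVfbAWVSd6vjWMzw6jdfO3+Unxx2LePrZcY
l27KXCr9pYvW7SDZDm6XaL+JbsoZP17h/uO/2W4NQ5FAbqjujb6XHYgixsVbQyq7
9ukA84pRXwJq0MRJ/6vPpNGpksAtN4zNIruNDnjZgWX8rGHeg1DahAkuHJ3ecvIj
AZC/
-----END CERTIFICATE-----"""

# OIDs openssl prints by short name; anything else is shown dotted.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress"}


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the DER body."""
    body = "".join(line.strip() for line in pem.strip().splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def read_children(value):
    """Split a constructed value (SEQUENCE / SET) into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER into dotted form."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def decode_name(name_value):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) as /C=.../CN=..."""
    parts = []
    for _, rdn_set in read_children(name_value):          # each RDN is a SET
        for _, atv in read_children(rdn_set):             # each member is a SEQUENCE {OID, value}
            (_, oid_raw), (_, val_raw) = read_children(atv)
            oid = decode_oid(oid_raw)
            parts.append(f"{OID_NAMES.get(oid, oid)}={val_raw.decode('utf-8', 'replace')}")
    return "/" + "/".join(parts)


def subject_and_issuer(pem):
    """Return (subject, issuer) strings from a PEM certificate."""
    _, cert, _ = read_tlv(pem_to_der(pem), 0)           # Certificate ::= SEQUENCE
    tbs = read_children(cert)[0][1]                      # tbsCertificate is the first child
    fields = read_children(tbs)
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return decode_name(fields[4][1]), decode_name(fields[2][1])


def is_self_signed(pem):
    """A certificate whose issuer names itself is self-signed: no external CA vouches for it."""
    subject, issuer = subject_and_issuer(pem)
    return subject == issuer


if __name__ == "__main__":
    subject, issuer = subject_and_issuer(SERVER_CERT_PEM)
    print("subject=" + subject)
    print("issuer=" + issuer)
    print("self-signed:", is_self_signed(SERVER_CERT_PEM))
```

On a server you would get the same two lines from the certificate file itself with `openssl x509 -in /etc/ssl/apache2/cserver.crt -noout -subject -issuer`; when they match, every browser that does not already trust that exact certificate will refuse the connection, which is the behaviour cwc saw in Firefox.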

----------

## chiefbag

To work around the error you can import your CA to your browser that you signed it with.

Otherwise get it signed by Comodo etc. and add their CA to your server config.

----------

## cwc

 *chiefbag wrote:*   

> To work around the error you can import your CA to your browser that you signed it with.
> 
> Otherwise get it signed by Comodo etc. and add their CA to your server config.


Thank You!

$ $ $

https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/37

I was hoping to do this for free using OpenSSL.

Thanks for the response.

cwc

----------

## cwc

how did you get the following:

 *chiefbag wrote:*   

> That's normal, Firefox is complaining because your certificate is self signed.
> 
> ie. the root CA can not be verified by the browser.
> 
> ```
> ...


----------

## Hu

If you want free, and you can run code on the server, you could use EFF's Let's Encrypt project.  They issue free short lived certificates (seems to be ~3 months), and provide a client that can be installed on the server to obtain and install replacement certificates as needed.

----------

## cwc

 *Hu wrote:*   

> If you want free, and you can run code on the server, you could use EFF's Let's Encrypt project.  They issue free short lived certificates (seems to be ~3 months), and provide a client that can be installed on the server to obtain and install replacement certificates as needed.


thank you!

is this the link: https://letsencrypt.org/

----------

## Hu

Yes.  It seems to be in Portage, too, as app-crypt/certbot.  I have not tried it.

----------

