# setting up apache https server, invalid certificate?

## rizzo

I'm trying to set up mod_ssl onto my apache 1.3.27 box.  I already had apache and mod_php running fine.  I followed instructions that I found on this forum and another page including using the sign.sh script to self-sign the cert.

However when I try to bring up the host in my webpage on my desktop box I get a pop-up error that says thusly:

*Quote:*

> Could not establish an encrypted connection because certificate presented by <my.domain.tld> is invalid or corrupted.  Error Code: -8182

My apache ssl-error_log has this:

```
[Mon Mar 24 19:55:57 2003] [error] mod_ssl: SSL handshake failed (server my.domain.tld:443, client 172.16.30.127) (OpenSSL library error follows)
[Mon Mar 24 19:55:57 2003] [error] OpenSSL: error:14094412:lib(20):func(148):reason(1042)
```

The webserver is actually a box behind the firewall on my lan.  my.domain.tld (name changed to protect the bandwidth) routes to my firewall from the outside, which forwards 80 and 443 to the webserver.  On the inside however (which is where I'm testing), I have my.domain.tld entered in my /etc/hosts file to go to the internal address of the webserver directly.  Might this be causing a problem?
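The second log line packs three numbers into one hex code, and pulling them apart tells you which side of the handshake gave up. The shell below is an added example, not code from any poster; its only input is the log line from this post, embedded as a constructed sample, and its name tables cover just the values that line contains, in the OpenSSL 0.9/1.0 numbering (OpenSSL 3 packs its codes differently).

```shell
#!/bin/sh
# Added example (not from the thread): decode the packed OpenSSL error code
# that mod_ssl writes to ssl-error_log. Constructed input: the log line from
# the post above. Name tables cover only the values that line contains, in the
# OpenSSL 0.9.x/1.0.x numbering scheme.
set -e

LOGLINE='[Mon Mar 24 19:55:57 2003] [error] OpenSSL: error:14094412:lib(20):func(148):reason(1042)'

# Pull the 8 hex digits after "error:" out of a mod_ssl log line.
extract_code() {
  printf '%s\n' "$1" | sed -n 's/.*error:\([0-9A-Fa-f]\{8\}\):.*/\1/p'
}

# Split a hex code into "lib func reason": 8 bits of library id,
# 12 bits of function id, 12 bits of reason id.
decode_ssl_err() {
  code=$((0x$1))
  echo "$(( (code >> 24) & 255 )) $(( (code >> 12) & 4095 )) $(( code & 4095 ))"
}

# Reasons 1000..1255 in the SSL library are TLS alerts received from the peer;
# the alert number is reason - 1000. Prints the alert number, or nothing if
# the reason is not a peer alert.
alert_from_reason() {
  if [ "$1" -ge 1000 ] && [ "$1" -le 1255 ]; then
    echo $(( $1 - 1000 ))
  fi
}

# Human-readable summary: which library, which function, and whether the
# failure was a verdict sent by the other side of the connection.
explain() {
  set -- $(decode_ssl_err "$1")
  lib=$1; func=$2; reason=$3
  case "$lib" in 20) libname="SSL routines (ERR_LIB_SSL)" ;; *) libname="lib $lib" ;; esac
  case "$func" in 148) funcname="SSL3_READ_BYTES" ;; *) funcname="func $func" ;; esac
  alert=$(alert_from_reason "$reason")
  if [ -n "$alert" ]; then
    case "$alert" in 42) aname="bad_certificate" ;; *) aname="alert $alert" ;; esac
    echo "$libname / $funcname: peer sent TLS alert $alert ($aname); the other side rejected the certificate it was shown"
  else
    echo "$libname / $funcname: reason $reason (not a peer alert)"
  fi
}

explain "$(extract_code "$LOGLINE")"
```

Reason 1042 is 1000 + 42, and 42 is the TLS bad_certificate alert: the browser, not Apache, rejected the certificate, which is why the fix in this thread ends up being about how the certificate is generated rather than about the server configuration. On a current system `openssl errstr 14094412` does the same decoding from the library's own tables.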

----------

## kashani

It might be the name, but that will usually just throw up an error and let you click through. I had the same problems, especially with Mozilla, until I built my own cert.  The default Gentoo stuff seemed to have some issues.

kashani

----------

## rizzo

Yes I did build my own cert, so the original gentoo cert isn't an issue.

The "ServerName" in apache.conf matches the name that I gave for the CommonName when creating both the CA cert and the server cert.

----------

## rizzo

A friend has directed me to the script at /usr/lib/ssl/mod_ssl/gentestcrt.sh. I ran that and while I don't get any errors, I don't get anything at all. It spins for a while and finally I get a "The document contains no data." error message.

*shrug*

----------

## SNo0py

The default cert worked fine, but the newly generated one does produce your error (code -8182) -> how to resolve???

----------

## stream

hi,

I have the same problem (code -8182). I generated the cert with /usr/lib/ssl/mod_ssl/gentestcrt.sh

Does somebody have a solution to this problem?

----------

## rizzo

My problem is knowing what to enter for what values.  Read the prompts at the script CAREFULLY and you should be fine.

----------

## jingo

bump

Having this weird problem too!

Solution anyone??

----------

## sokai

The solution - not really, but the error goes away - is the following:

1. delete your certificate

```
rm /etc/apache2/conf/ssl/server.*
```

2. create new certificate with NO own properties (if you will be asked hit ENTER)

```
cd /usr/lib/ssl/apache2-mod_ssl/
./gentestcrt.sh        # ! FOR ALL PROPERTIES HIT ENTER !
mv server.* /etc/apache2/conf/ssl/
```

3. restart apache

```
/etc/init.d/apache2 restart
```

4. direct your browser to https://localhost and accept the certificate for localhost

THAT'S IT...

My question now is:

How can I create a self-signed certificate for a domain other than localhost!?

sofar

sokai

----------

## dedxi

It might work if you enter your actual domain name for the CN entry for the certificate.  If that gives you an error (it did on my server), you might try editing the script and replacing the default entries for localhost to whatever.com and then making the certificate with all defaults.  That seemed to work for me.

----------

## sokai

*dedxi wrote:*

> It might work if you enter your actual domain name for the CN entry for the certificate.

No, that's the problem...

*dedxi wrote:*

> If that gives you an error (it did on my server),

Me too...

*dedxi wrote:*

> you might try editing the script and replacing the default entries for localhost to whatever.com and then making the certificate with all defaults.  That seemed to work for me.

Thanks for this hint - it works!

But I don't understand that thing...

If I change something other than localhost too (maybe the "countryName") I will get the error. Konqueror says that it will not accept that certificate because it's self-signed. But if I only change localhost, the certificate is self-signed but it will be accepted...

sofar

sokai

----------

## sogood007

I have a similar issue too.  I am not sure whether it is because I always mis-type something and I need to use backspace.  I ended up modifying the script to put all my information in the defaults and just kept pressing enter.   Then the certificate works.

I think modifying the script also makes sense because every year I need to generate a new cert, so I don't need to retype the information again.

Hope this trick works for others.

----------

## Ox-

Just did a forum search on "corrupted certificate", read this thread, edited the script, and now everything works for me too.

Thanks everyone!

----------

## CoolAce

Hm, I don't think that editing the script really does the trick. I bet all of you did solve a different issue while editing the script.

There is a bug in Firefox that prevents it from dealing with certificates that are signed by authorities that have the same common name as the certificate itself.

So either by editing the script or by entering the values directly: You have to make sure that you enter different values when you are prompted for the CN (common name). 

At least _that_ solved the issue for me.
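The rule CoolAce states can be enforced rather than remembered. The script below is an added example, not from the thread and not gentestcrt.sh: it builds a private CA whose CN is a label instead of the hostname, signs a server certificate whose CN and SAN carry the hostname, and refuses to finish if subject and issuer come out identical or the chain fails to verify. The organisation name, the hostname www.example.test, the CA label and the work directory are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or gentestcrt.sh): a private CA and a
# server certificate with different subjects, signed and then checked.
# Assumptions: the names, paths and work directory below are made up.
set -e

WORK="${WORK:-$(mktemp -d)}"                 # scratch dir; copy results into Apache's ssl dir yourself
CA_CN="${CA_CN:-Example Private CA}"         # a label, deliberately NOT the hostname
SERVER_CN="${SERVER_CN:-www.example.test}"   # the name users type into the browser
DAYS="${DAYS:-365}"

make_certs() {
  # 1. CA key plus self-signed CA certificate (stderr silenced to hide key
  #    generation noise; set -e still aborts on a non-zero exit).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
    -subj "/O=Example/CN=$CA_CN" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # 2. Server key plus CSR; the CN is the hostname.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example/CN=$SERVER_CN" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # 3. Extensions for the leaf: not a CA, TLS server use, hostname as a SAN
  #    (modern browsers match the SAN, not the CN).
  cat > "$WORK/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$SERVER_CN
EOF
  # 4. Sign the CSR with the CA key.
  openssl x509 -req -sha256 -days "$DAYS" -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Returns 0 only if the leaf's subject differs from its issuer and the chain
# verifies against the CA; identical subject and issuer is the condition the
# failing certificates in this thread share.
check_certs() {
  subj=$(openssl x509 -noout -subject -in "$WORK/server.crt")
  iss=$(openssl x509 -noout -issuer -in "$WORK/server.crt")
  subj=${subj#subject=}; iss=${iss#issuer=}
  if [ "$subj" = "$iss" ]; then
    echo "refusing: subject and issuer are identical ($subj)" >&2
    return 1
  fi
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null
}

# Run as: sh thisscript.sh generate
if [ "${1:-}" = "generate" ]; then
  make_certs && check_certs && echo "CA and server certificate written to $WORK"
fi
```

Run it with `generate`, point SSLCertificateFile and SSLCertificateKeyFile at server.crt and server.key, and import ca.crt into the browser as a trusted authority once; every further certificate issued by that CA is then accepted without a click-through. A client that looks up issuers by subject name cannot tell a CA certificate apart from a leaf with the same subject, which fits the -8182 reported at the top of the thread; keeping the two subjects distinct removes that ambiguity.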

----------

## MrWolf

My solution was simple: just change the certificate domain from localhost to the address I was trying to access the site from, e.g. www.buzbox.net

----------

