guidance on SSL certs and Apache2



I'm trying to set up apache2 to use ssl.  I see numerous bugs about
this, including the fact that the setup is neither automated nor documented
(267477 -- which includes some recipes and references to help) and
that a tool, ssl-cert, used at one point by apache2 for debconf, has
problems (230485).  The changelog says that ssl-cert was dropped for
the setup.

There seem to be at least 3 ways to set up certificates:
openssl
ssl-cert
apache2-ssl-certificate

There is a configuration file /etc/ssl/openssl.cnf, and there seems to
be space for certificates and keys under /etc/ssl/ and
/etc/apache2/ssl.

Can anyone suggest which of these knobs I should tweak to set things
up?  And where should I put the resulting files?  I use KDE, and I see
it has Kleopatra for certificate management.  Is that usable?

I want to be my own CA as well as having the certificates (one for
each virtual domain).

Documentation seems sparse.  man apache2-ssl-cert gets me the openssl
man page; apache2-ssl-cert --help just runs the program.  ssl-cert's
manpage is under make-ssl-cert (I think), and is unilluminating.

When I originally installed apache2 the setup script ran and ended up
producing the same error as reported in 230485 (I think the script
invoked ssl-cert):

> writing new private key to '/etc/apache2/ssl/apache.pem'
> -----
> problems making Certificate Request
> 20712:error:0D07A098:asn1 encoding routines:ASN1_mbstring_copy:string too short:a_mbstr.c:147:minsize=1
> dpkg: error processing apache2-common (--configure):
>  subprocess post-installation script returned error exit status 1

When I added
	SSLCertificateFile /etc/apache2/ssl/apache.pem
to my Apache configuration (for a virtual server) I got further than
without it, but had the error
> [Sun Sep 18 18:50:57 2005] [error] Init: Unable to read server certificate from file /etc/apache2/ssl/apache.pem
> [Sun Sep 18 18:50:57 2005] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> [Sun Sep 18 18:50:57 2005] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

My theory is that the original setup used values from openssl.cnf.  I
hadn't touched them, so some were empty, producing the "string too
short."  The resulting certificate is no good, leading to the 2nd set
of errors.

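As an added example (not part of the original post, and not Debian's own apache2-ssl-certificate or ssl-cert scripts), the following POSIX shell script does with plain openssl what the post asks for: a private CA plus one CA-signed certificate per virtual host. Every distinguished-name field is passed explicitly with -subj, so empty defaults in /etc/ssl/openssl.cnf cannot produce the "string too short" failure, and check_cert is the sanity test that would have caught the unreadable apache.pem before Apache did. The hostnames, directory layout and organisation name are constructed for the example.

```shell
#!/bin/sh
# Added example: minimal private CA and per-vhost server certificates with
# the openssl CLI. All subject fields are given on the command line so that
# empty values in openssl.cnf never reach the request ("string too short").
# Directory names, hostnames and the CA name are constructed for the example.
set -eu

# make_ca DIR : self-signed CA key and certificate under DIR
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=XX/O=Example Home CA/CN=Example Home CA" 2>/dev/null
    chmod 600 "$dir/ca.key"     # the CA key signs everything: keep it private
}

# make_vhost_cert DIR HOSTNAME : key, CSR and CA-signed certificate for one
# virtual host (CN = the hostname clients will connect to)
make_vhost_cert() {
    dir="$1"; host="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=XX/O=Example Home CA/CN=$host" 2>/dev/null
    openssl x509 -req -in "$dir/$host.csr" -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$host.crt" 2>/dev/null
    chmod 600 "$dir/$host.key"
    # In the vhost's Apache config these files are then referenced as
    #   SSLCertificateFile    DIR/HOSTNAME.crt
    #   SSLCertificateKeyFile DIR/HOSTNAME.key
}

# check_cert DIR HOSTNAME : returns 0 only if the file parses as an X.509
# certificate (what the "wrong tag" error says apache.pem did not) and
# verifies against the CA. Run this before pointing Apache at the file.
check_cert() {
    dir="$1"; host="$2"
    openssl x509 -in "$dir/$host.crt" -noout -subject >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1
}

# cert_cn DIR HOSTNAME : print the CN of the issued certificate
# (handles both "subject= /C=..CN=host" and "subject=C = .., CN = host")
cert_cn() {
    openssl x509 -in "$1/$2.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Demonstration on a throwaway directory with two constructed vhost names.
workdir=$(mktemp -d)
make_ca "$workdir"
for vhost in www.example.test mail.example.test; do
    make_vhost_cert "$workdir" "$vhost"
    if check_cert "$workdir" "$vhost"; then
        echo "OK: $(cert_cn "$workdir" "$vhost")"
    else
        echo "BAD certificate for $vhost" >&2
        exit 1
    fi
done
```

For a real deployment the workdir would be the directory Apache reads from (for example /etc/apache2/ssl), the CA certificate is what gets imported into the browsers that should trust these vhosts, and the CSR files can be deleted once the certificate has been issued.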