
Re: converting my local site to be https only access



On Saturday 29 April 2017 04:05:01 Felix Dietrich wrote:

> Gene Heskett <gheskett@shentel.net> writes:
> > Where can I find a tut that is a complete instruction set to have it
> > do an auto-redirect to itself, but using the "s" stuff regardless of
> > the accessing client as long as the client can handle the https
> > stuff this conversion will return to the client?
>
> For the apache webserver, which I am assuming you are using, I found
>
>     https://wiki.apache.org/httpd/RedirectSSL
>
> which describes how to permanently redirect clients to an encrypted
> connection.  Clients without the capability to use SSL encryption will
> not be able to see the contents of your site.
>
> > I tried putting those 3 lines quoted numerous times at the bottom of
> > the httpd/conf/httpd.conf, but that killed local access so I assume
> > it also killed external access too.  And its failure did not
> > generate an error.log entry.
>
> Which 3 lines are you referring to?  I cannot see any lines that look
> like they represent configuration file syntax in your message.
>
> > Something was said about the AllowRedirect settings in httpd.conf,
> > but it did not specify what to change it to.
>
> Where was something said about AllowRedirect?  What was stated
> exactly?
>
> > URL to the best tut please.
>
> As much as I enjoy a bit of social interaction: are you abusing us to
> do your internet searches for you?  Searching for "SSL redirect
> apache" yields plenty of results.  Part of the "joy" of the computer
> hobby is to weed out obsolete information, identify the wrong, and
> copy and paste the slightly less wrong.  I also won't judge anything
> to be "the best" – unless it is my own of course. :-p
>
Chuckle, point taken, used your search string and got smarter hits for 
apache2.  Since my domain registrar is namecheap, I'm reading this link:
<https://www.namecheap.com/support/knowledgebase/article.aspx/9821/38/redirect-to-https-on-apache>

The recommended commands, and responses:

sudo a2enmod rewrite
[sudo] password for gene: 
Enabling module rewrite.
To activate the new configuration, you need to run:
  service apache2 restart

gene@coyote:/etc/httpd/conf$ sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart


On restarting apache2, I get this error report on screen but the 
error.log is not showing the attempted restart.
Error shown:

Syntax error on line 71 of /etc/apache2/mods-enabled/ssl.conf:
Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
Action 'start' failed.

That file's line 71 region:
68:SSLCipherSuite AES128+EECDH:AES128+EDH
69:SSLHonorCipherOrder on # enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
70:SSLProtocol -all +TLSv1
71:Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
72:Header alway set X-Frame-Options DENY

Being a big dummy, what's this tell me?  So I read the file it recommends, 
which contains 2 more commands:
	a2ensite default-ssl
	a2enmod ssl
which appear to have worked, but it still will not restart.

The next recommended command is:

If you install the ssl-cert package, a self-signed certificate will be
automatically created using the hostname currently configured on your computer.
You can recreate that certificate (e.g. after you have changed /etc/hosts or
DNS to give the correct hostname) as user root with:

make-ssl-cert generate-default-snakeoil --force-overwrite

But this brings up a question:
The hostname of this computer doesn't match the name in the sig, my whole 
home network's domain name is coyote.den, and this machine is 
coyote.coyote.den.  Since it's all behind a dd-wrt install, and it's not 
even running on a normal port number, this to bypass the usual port 80 
blocking the ISPs do in order to force you to use their servers at X$ a 
month, and to honor one of the CPU industry's most enforced secrets 
ever, which is the Hitachi HD63C09, a clone of the Moto 6809, but which 
we have discovered is many times smarter. Hence the port:6309 in the 
sig, and the only port forwarded to this machine.

So the internal name and the one in the sig don't match?
So which name will it use if I run the above cert generator command?

Ah, reading further, that's addressed by:

To create more certificates with different host names, you can use

	make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /path/to/cert-file.crt

This will ask you for the hostname and place both SSL key and certificate in
the file /path/to/cert-file.crt . Use this file with the SSLCertificateFile
directive in the Apache config (you don't need the SSLCertificateKeyFile in
this case as it also contains the key). The file /path/to/cert-file.crt should
only be readable by root. A good directory to use for the additional
certificates/keys is /etc/ssl/private.

So I run it this way:
root@coyote:~# 
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/
debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable.

synaptic was running in another workspace, waiting on input, and it wants 
to restart the gui among other things, canceled it.

Now a 2nd attempt:
Could not create certificate. Openssl output was:
Error Loading extension section v3_req
4147165448:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:531:
4147165448:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=coyote.coyote.den,IP:192,168.71.3

Aha! A comma in the wrong place.

3rd pass:
root@coyote:~# 
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private
Could not create certificate. Openssl output was:
Error Loading extension section v3_req
4147910920:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:531:
4147910920:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=coyote.coyote.den,IP:192.168.71.3

WTH is v3_req?  Apparently refers to man 5 x509_config,
and that is way above my pay grade.

4th pass, different arguments for the extras.  Failed, same report.

Looks like it did work when I used the snake-oil version:
root@coyote:~# ls -l /etc/ssl/private/
total 4
-rw-r----- 1 root ssl-cert 1704 Apr 29 08:46 ssl-cert-snakeoil.key

And the 2nd version about 6" up then appeared to fail as before.

However, no httpd start.
And still no entries from the restarts in /var/log/apache2/error.log.

My site is offline.  And I need to reboot after the last update.

Thanks Felix.
> --
> Felix Dietrich


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
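Two checks that reproduce the failures reported in this thread, as an added example that is not from the list, from Debian or from Apache: the `Header` directive is supplied by mod_headers (on Debian, `a2enmod headers`), so Apache rejects it when that module is not loaded; and OpenSSL's subjectAltName parser requires every entry to carry a type (`DNS:`, `IP:`, ...), so the bare `coyote.coyote.den` in the error output is what produced "missing value". The config snippet below is constructed from the ssl.conf lines quoted in the mail with the e-mail line wrapping undone, and the `DIRECTIVE_MODULE` table is an assumed, deliberately small mapping rather than a complete one.

```python
import ipaddress

# Apache directives supplied by optional modules; Debian enables each with "a2enmod <module>".
DIRECTIVE_MODULE = {
    "Header": "headers",
    "RewriteEngine": "rewrite", "RewriteCond": "rewrite", "RewriteRule": "rewrite",
    "SSLEngine": "ssl", "SSLProtocol": "ssl", "SSLCipherSuite": "ssl",
    "SSLHonorCipherOrder": "ssl", "SSLCertificateFile": "ssl",
}

def missing_modules(config_text, enabled):
    """Return (line_no, directive, module) for every directive whose module is not in
    `enabled`; Apache's "Invalid command 'Header'" is this failure for mod_headers."""
    found = []
    for no, line in enumerate(config_text.splitlines(), 1):
        words = line.strip().split()
        if not words or words[0].startswith("#"):
            continue                      # blank line or comment
        module = DIRECTIVE_MODULE.get(words[0])
        if module and module not in enabled:
            found.append((no, words[0], module))
    return found

def normalize_san(value):
    """Return subjectAltName in the "type:value,..." form OpenSSL's v3_alt parser needs:
    bare hostnames get "DNS:", bare addresses "IP:"; a malformed IP entry raises ValueError."""
    fixed = []
    for entry in (e.strip() for e in value.split(",")):
        kind, _, rest = entry.partition(":")
        if kind.upper() in ("DNS", "IP", "EMAIL", "URI") and rest:
            if kind.upper() == "IP":
                ipaddress.ip_address(rest)   # "IP:192" (a stray comma) fails here
            fixed.append(entry)
            continue
        try:
            ipaddress.ip_address(entry)
            fixed.append("IP:" + entry)
        except ValueError:
            fixed.append("DNS:" + entry)     # an untyped name is what produced "missing value"
    return ",".join(fixed)

# Constructed sample: the ssl.conf lines quoted in the mail, unwrapped, plus a module set without headers.
SSL_CONF_SNIPPET = """\
SSLCipherSuite AES128+EECDH:AES128+EDH
SSLHonorCipherOrder on
SSLProtocol -all +TLSv1
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-Frame-Options DENY
"""
ENABLED_WITHOUT_HEADERS = {"ssl", "rewrite"}
```

Running `missing_modules(SSL_CONF_SNIPPET, ENABLED_WITHOUT_HEADERS)` flags both `Header` lines against the missing `headers` module, and `normalize_san("coyote.coyote.den,IP:192.168.71.3")` yields the form OpenSSL accepts.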

