    Default virtualhost's secure certificate used with mod_ssl

    Category: Apache
    Written by: Admin
    Date: 2008-11-16

    After getting mod_ssl for Apache installed on CentOS 5 yesterday, I discovered when I went to test the site through the SSL server that it wasn't configured correctly and wasn't using the real secure certificate.

    When I opened the secure version of the site in Firefox 2, a dialogue box popped up with the following message:

    Unable to verify the identity of www.example.com as a trusted site. Possible reasons for this error:
    - Your browser does not recognize the Certificate Authority that issued the site's certificate.
    - The site's certificate is incomplete due to a server misconfiguration.
    ... etc ...
    [Screenshot: certificate error in Firefox]

    I was able to examine the certificate and was surprised to see that, while it displayed the correct name for the certificate (eg www.example.com), the other information was bogus, with "SomeOrganization" as the Organization, "SomeOrganizationUnit" as the OrganizationUnit, and yesterday's date as the issue date.
    [Screenshot: certificate in Firefox]

    A quick check in Internet Explorer 7 gave me something similar:

    There is a problem with this website's security certificate.

    The security certificate presented by this website was not issued by a trusted certificate authority.

    Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
    [Screenshot: certificate error in MSIE 7]

    And similar again in Internet Explorer 6:

    Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.

    The security certificate was issued by a company you have chosen not to trust. View the certificate to determine whether you want to trust the certifying authority.
    [Screenshot: certificate error in MSIE 6]

    Taking a look at the certificate in IE6 didn't show much useful information, just the text "This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store."

    I did some searching on Google but nothing turned up that was of much use. In the end, I finally managed to figure out that when yum installed mod_ssl for Apache on this CentOS machine, the file it installed at /etc/httpd/conf.d/ssl.conf contained a default virtualhost secure server configuration with its own dummy certificate. This was why the Firefox dialog showed yesterday's date as the issue date, because that's when this dummy, self-signed certificate was created.

    This default virtualhost started with <VirtualHost _default_:443> and some of the directives it contained are as follows:

    <VirtualHost _default_:443>

    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    </VirtualHost>

    Although I had my own virtualhost set up in /etc/httpd/vhosts.d with the server's IP address (eg <VirtualHost 10.1.1.1:443>), it seems the _default_ virtualhost was being used first, and mine was being ignored. I checked the error log file it was generating and it had two lines like this every time I reloaded Apache:

    [Thu Sep 20 18:54:46 2007] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

    I commented out this particular _default_ virtualhost in the ssl.conf file and reloaded Apache, and it was now using the correct secure certificate.
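
A check for the condition described above, as an added example that is not part of the original article: it lists every <VirtualHost> block bound to port 443 and flags those still pointing at the packaged localhost.crt. The sample configs are constructed from the article's snippets, and the www.example.com certificate paths are hypothetical.

```python
import os
import re

# Constructed sample input modelled on the two files the article describes.
# The www.example.com certificate paths are hypothetical.
SAMPLE = {
    "/etc/httpd/conf.d/ssl.conf": """
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
""",
    "/etc/httpd/vhosts.d/example.conf": """
<VirtualHost 10.1.1.1:443>
ServerName www.example.com
SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
</VirtualHost>
""",
}

OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
CLOSE = re.compile(r"</VirtualHost\s*>", re.I)
CERT = re.compile(r"SSLCertificate(Key)?File\s+(\S+)", re.I)

def ssl_vhosts(configs, port="443"):
    """Return one dict per <VirtualHost> block bound to `port`."""
    found = []
    for path, text in configs.items():
        block = None
        for raw in text.splitlines():
            line = raw.strip()
            if line.startswith("#"):  # commented-out directives are inactive
                continue
            opened, cert = OPEN.match(line), CERT.match(line)
            if opened:
                addrs = opened.group(1).split()
                on_port = any(a.rsplit(":", 1)[-1] == port for a in addrs)
                block = {"file": path, "addresses": addrs} if on_port else None
            elif CLOSE.match(line) and block is not None:
                found.append(block)
                block = None
            elif cert and block is not None:
                block["key" if cert.group(1) else "cert"] = cert.group(2)
    return found

def placeholder_vhosts(vhosts):
    """Blocks still serving the package's localhost.crt placeholder."""
    return [v for v in vhosts
            if os.path.basename(v.get("cert", "")).startswith("localhost.")]
```

To run it against a real server, build the `configs` dict from the contents of the files under /etc/httpd/conf.d and /etc/httpd/vhosts.d; an empty result from `placeholder_vhosts` means no active port-443 block references the dummy certificate.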