Solved

Self-signed SSL cert on Linux CentOS 6.5 Apache

Posted on 2013-12-17
6
1,204 Views
Last Modified: 2013-12-17
Dear Experts,

I am using a Linux CentOS 6.5 VPS server with Apache; the following Apache version is reported by the PHP phpinfo() function.

Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.0-fips mod_bwlimited/1.4 PHP/5.3.21
Question 1: From the Apache version string, can it be told whether I have already installed the mod_ssl Apache module or not? If yes, why could I not find anything in the "httpd.conf" file like the following lines:

LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
Why?

And I am doing a self-signed SSL certificate installation for CentOS, following this link to do it:
https://library.linode.com/web-servers/apache/ssl-guides/centos, and I could
NOT install the mod_ssl module from "yum install mod_ssl" (error report: no package available), but I can generate the self-signed certificate and its key with the openssl command. Now when I visit my site over https, such as https://mysite.com, I can access the site index page, but with a red cross mark and a slash mark over the https.

Question 2:
I could not find the file mod_ssl.so either at /usr/local/apache/modules or /usr/lib64/httpd, or anywhere in my directories, with my root access. Why does my site still work for SSL https access even though there is no Apache mod_ssl module enabled or present?


Question 3: How can I install the mod_ssl module if "yum install mod_ssl" is not working?

More information: I had used cPanel before at my hosting company, and now I've switched to a VPS server and stopped using cPanel (since cPanel expired).

Duncan
0
Question by: duncanb7

6 Comments

Accepted Solution by: gr8gonzo (earned 500 total points), ID: 39724243
Apache modules can be plugged into the Apache server in two different ways:

1. "Static"

-OR-

2. "Shared"

Static modules are compiled right into the server WHEN the server is built. You can't update them or change them in any way without re-compiling the Apache server.

Shared modules are compiled as separate files that end in ".so", like mod_ssl.so. The shared modules can be added to or removed from Apache at any time, which makes them more FLEXIBLE than static modules.

It is very similar to a car being built with an engine and seats and a steering wheel. Those are all pieces of the car that NEED to be in there for the car to run, so they are added when the car is built, and you cannot change them easily, but they are necessary pieces. Those pieces are like the "static" modules. They just become part of the car.

Then you have a stereo or radio in your car, which is ALSO probably added into the car when it is built, but it is designed so that anyone can easily remove the stereo and replace it. This is like a "shared" module.

Any module can be either static or shared, but there are usually many modules that are defaulted to being compiled into Apache statically. Static modules have a benefit of making Apache faster because they are loaded ONCE when Apache starts. Shared modules have to be loaded each time a child process is loaded, so they are slower.

Now, for your questions:

1. The Apache signature says mod_ssl, so mod_ssl -is- enabled. It is probably compiled statically, which is why you can't find a mod_ssl.so file. If you find your httpd binary, just run it like this:

httpd -M

That should tell you a full list of what modules are loaded and which are static or shared. If they are static, then you won't have a ".so" file because the code is INSIDE Apache.

2. When you use yum to install any Apache modules, you're going to be installing the shared versions. Don't try to install a shared module if you already have the module as a static module inside Apache. That said, I usually do this on my servers (in a cron job):

yum list > /root/yum.list

Then at any time, I can just use grep to quickly search for availability inside yum like this:

grep -i "mod_ssl" /root/yum.list
or
grep -i "ssl" /root/yum.list

If you don't have mod_ssl for some reason, then you may not have your yum repos set up properly.

3. Apache can be set up in different ways. You don't ALWAYS have to have a separate SSL config file. The config entries can go anywhere, and sometimes people have everything in one or two big config files for maintenance or performance reasons. Try searching your configs for "SSLEngine" or "SSLCertificateFile" and you might find your config entries for SSL.

4. Unless you add the self-signed certificate as a trusted root certificate to your own computer system (the one you're using to visit / test the web site), the browser will not recognize your self-signed certificate as a valid one. It will still allow HTTPS to work, but it is trying to warn you that it doesn't recognize the certificate. When you add the certificate to your own computer as a trusted root certificate and then close and reload your browser, you shouldn't get the red X over https anymore.
0
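As an added example (not part of the thread and not gr8gonzo's code), the following sh script does the checks from the accepted answer from the shell: it classifies a module as static, shared or absent from "httpd -M" output, and it lists every live SSLEngine / SSLCertificateFile / SSLCertificateKeyFile / "LoadModule ssl_module" line under a config directory, so you can see where the SSL setup really is even when there is no separate httpd-ssl.conf. It also runs "httpd -l", which prints only the modules compiled in statically, since for those no mod_ssl.so is expected to exist. The httpd binary path and config directory are assumptions for a cPanel/EasyApache-style build; adjust them for your server.

```shell
#!/bin/sh
# Added example (not from the original thread): answer "is mod_ssl static or
# shared, and where is the SSL config?" from the shell. The httpd path and
# config directory are assumptions for a cPanel/EasyApache build; adjust them.
set -e

# module_kind MODULE  (reads "httpd -M" output on stdin)
# "httpd -M" prints one line per loaded module, e.g. " ssl_module (static)"
# or " php5_module (shared)". Prints static, shared or absent.
module_kind() {
    awk -v mod="$1" '
        $1 == mod { gsub(/[()]/, "", $2); print $2; found = 1; exit }
        END { if (!found) print "absent" }'
}

# ssl_directives CONFDIR
# Lists file:line:text for every live (uncommented) SSLEngine,
# SSLCertificateFile, SSLCertificateKeyFile or "LoadModule ssl_module" line
# anywhere under CONFDIR. Commented-out lines (#) are skipped.
ssl_directives() {
    grep -rnE '^[[:space:]]*(SSLEngine|SSLCertificate(Key)?File|LoadModule[[:space:]]+ssl_module)[[:space:]]' "$1" 2>/dev/null || true
}

# configured_cert CONFDIR: path named by the first SSLCertificateFile directive
configured_cert() {
    ssl_directives "$1" | awk '/SSLCertificateFile/ { print $NF; exit }'
}

# diagnose HTTPD CONFDIR: the live version of the checks above (needs a real
# Apache; not exercised by the tests). "httpd -l" lists only the modules
# compiled in statically, so mod_ssl.so is not expected to exist for those.
diagnose() {
    echo "mod_ssl is: $("$1" -M 2>/dev/null | module_kind ssl_module)"
    echo "--- compiled-in (static) modules, httpd -l:"
    "$1" -l
    echo "--- SSL directives under $2:"
    ssl_directives "$2"
    echo "--- certificate Apache is configured to serve:"
    configured_cert "$2"
}

# Run as: sh apache-ssl-check.sh diagnose [/path/to/httpd] [/path/to/conf]
if [ "${1:-}" = diagnose ]; then
    diagnose "${2:-/usr/local/apache/bin/httpd}" "${3:-/usr/local/apache/conf}"
fi
```

If module_kind reports "static", the module is inside the httpd binary and there is nothing to install with yum; if it reports "absent", then something other than this httpd is answering on port 443, so check which process owns that port before changing any config.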
 
LVL 13

Author Closing Comment

by:duncanb7
ID: 39724284
It is a good post that answers my question exactly.

From your post, in other words, it seems I can set my self-signed SSL certificate to be a trusted
SSL certificate so that the browser won't put the red cross or red slash mark on the https address bar. How do I do that when I run the openssl command?
0
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 39724382
1. A certificate is just a set of files that is used for encryption and decryption (and some other things, too).

2. A "certificate authority" is simply a certificate that is used to put a seal of approval on another certificate (at least that's the basic idea). A certificate authority issues other certificates.

3. Certificate authorities are handy because they allow your computer to AUTOMATICALLY trust certificates that come from any certificate authority that your computer already trusts.

For example, if you have a friend who NEVER tells a lie, then you probably trust that friend. If that friend has a baby, then you can assume that the child will become honest and trustworthy, too. This is sort of how it works with certificates.

4. Operating systems like Windows or Linux will come with a list of really well-known certificate authorities that they already trust, like VeriSign. That way, your computer will automatically trust certificates that come from VeriSign (and from any other certificate authority that your computer has in its list of trusted certificate authorities).

5. When you create a self-signed certificate, you are creating a new certificate authority that is issuing itself. It is brand-new and does not come from any known certificate authority, so there will never be ANY computer that trusts your self-signed certificate right away. As long as your computer doesn't trust your certificate, you will get that red X and warnings in your browsers.

6. You can copy the certificate to your computer and then import it as a "trusted root" certificate authority. This tells YOUR computer that your self-signed certificate is just like VeriSign and is trustworthy. Anyone else will still get the red X, but you can make YOUR computer trust that certificate.

7. You don't do anything different when you generate the certificate. You simply copy the public certificate file to your computer and import it.
0
 
LVL 13

Author Comment

by:duncanb7
ID: 39724683
I could save my self-signed cert into the trusted cert folder in the browser, as suggested by
the article from Microsoft,
http://blogs.technet.com/b/sbs/archive/2007/04/10/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx
and then the SSL warning page from the browser is gone every time I access my https site.
But the red cross and red slash mark on https still exist, so the only way to get rid of
that is buying a third-party authorized trusted certificate. Probably it is the last method.
And some company's free certificate is free, but it just does encryption on the domain name and email address only, and other information is not included unless buying its other SSL certificate package.

So do you agree with what I post?

Duncan
0
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 39724838
If the red cross and red slash mark still exists after you import the certificate, it may be that Apache is not using the right certificate. You should be able to click on the red cross/slash or somewhere nearby in the address bar and be able to see which certificate is being presented by Apache for that site.

The Apache configuration should indicate what certificate it is using to enable HTTPS, so if it's not the right certificate, then you'll just have to update the Apache configuration and restart Apache.
0
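An added example, not code from the thread or from either participant, that ties together gr8gonzo's two comments above (trust is a property of the verifier's trust store, and the cert Apache serves must be the one you imported). It mints the self-signed certificate with the openssl CLI, then shows from the command line what "trusted" versus "untrusted" means: the same cert fails verification against the system store (the browser's red cross) and passes once that cert itself is supplied as the trust anchor (what importing it as a trusted root does on your own machine). It also prints the SHA-1 fingerprint so you can compare the file named by SSLCertificateFile with the certificate the live server presents via s_client; if those differ, Apache is serving a different cert than the one you imported. The hostname mysite.com and the file names are placeholders. The subjectAltName is supplied through a config file rather than -addext so the script also works with OpenSSL 1.0.x; modern browsers match the hostname against the SAN, not the CN.

```shell
#!/bin/sh
# Added example (not from the original thread): mint a self-signed cert,
# show trusted vs untrusted verification, and expose the fingerprint for
# comparing the configured cert with the one the server actually presents.
# mysite.com and all paths are placeholders. Requires the openssl CLI.
set -e

# make_selfsigned DIR HOST: writes DIR/key.pem and DIR/cert.pem.
# The subjectAltName goes through a config file so this also works on
# OpenSSL 1.0.x (which has no -addext option).
make_selfsigned() {
    dir="$1"; host="$2"
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# cert_cn CERT: the CN shown in a browser's certificate viewer
# (handles both "subject= /CN=x" and "subject=CN = x" output styles)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_san CERT: first DNS name in subjectAltName (what browsers match on)
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | head -n 1
}

# cert_trust_status CERT [CAFILE]: prints "trusted" if CERT verifies against
# CAFILE, or against the system trust store when CAFILE is omitted; else
# "untrusted". Passing the self-signed cert itself as CAFILE is the
# command-line equivalent of importing it as a trusted root in the browser.
cert_trust_status() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
    else
        openssl verify "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
    fi
}

# fingerprint CERT: SHA-1 fingerprint, the value shown in the browser's details tab
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/.*=//'
}

# served_fingerprint HOST PORT: fingerprint of the certificate the live server
# presents (needs network; not exercised by the tests). If this differs from
# fingerprint of the SSLCertificateFile, Apache is serving another cert.
served_fingerprint() {
    echo | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 | sed 's/.*=//'
}

# demo: the whole flow in a temp dir. Run as: sh selfsigned-check.sh demo
demo() {
    d=$(mktemp -d)
    make_selfsigned "$d" mysite.com
    echo "CN:          $(cert_cn "$d/cert.pem")"
    echo "SAN:         $(cert_san "$d/cert.pem")"
    echo "fingerprint: $(fingerprint "$d/cert.pem")"
    echo "system trust store says:          $(cert_trust_status "$d/cert.pem")"
    echo "with cert.pem imported as a root: $(cert_trust_status "$d/cert.pem" "$d/cert.pem")"
    echo "point SSLCertificateFile at $d/cert.pem and SSLCertificateKeyFile at $d/key.pem"
}
if [ "${1:-}" = demo ]; then demo; fi
```

To check a running server, compare `fingerprint /path/from/SSLCertificateFile` with `served_fingerprint mysite.com 443`; they must be identical, otherwise the certificate you imported into the browser is not the one the site presents and the warning will remain. Note that importing the cert as a trusted root only silences the warning on the machine where you imported it; every other visitor still sees it.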
 
LVL 13

Author Comment

by:duncanb7
ID: 39724902
Probably it is a new thread question, or another question that has already been posted,
and thanks for all of your replies.
0
