duncanb7
asked on
Self-cert SSL on linux centos6.5 apache
Dear Experts,
I am using Linux CentOS6.5 with apache VPS server with the following apache version which is reported from phpinfo() php function.
And I am doing SSL self-cert installation for CentOS and follow this link to do it.
https://library.linode.com/web-servers/apache/ssl-guides/centos, and I could
NOT install mod_ssl modules from "yum install mod_ssl" (Error report: no package available) but I can generate the self-cert and its key by openssl command. Now I go to visit my site with https such as https://mysite.com that I can access the site index page but with red crossed mark and slash mark on https.
Question-2
I could not find the file of mod_ssl.so either at /usr/local/apache/modules or /usr/lib64/httpd or all my directories with my root access. Why my site still works for SSL https access even there is no any apache mod_ssl module enabled or exists ?
Question-3. How can I install mod_ssl module if yum install mod_ssl is not working ?
More my information provided: I had used Cpanel before on my hosting company and now I've switched to VPS server and stop to use Cpanel(since Cpanel was expired)
Duncan
I am using Linux CentOS6.5 with apache VPS server with the following apache version which is reported from phpinfo() php function.
Question-1 from the apache version, whether it is told I have already installed mod_ssl apache module or not ? If yes, why I could not find anything in "httpd.conf" file like as follows quotes
Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.0-fips mod_bwlimited/1.4 PHP/5.3.21
Why ?
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
And I am doing SSL self-cert installation for CentOS and follow this link to do it.
https://library.linode.com/web-servers/apache/ssl-guides/centos, and I could
NOT install mod_ssl modules from "yum install mod_ssl" (Error report: no package available) but I can generate the self-cert and its key by openssl command. Now I go to visit my site with https such as https://mysite.com that I can access the site index page but with red crossed mark and slash mark on https.
Question-2
I could not find the file of mod_ssl.so either at /usr/local/apache/modules or /usr/lib64/httpd or all my directories with my root access. Why my site still works for SSL https access even there is no any apache mod_ssl module enabled or exists ?
Question-3. How can I install mod_ssl module if yum install mod_ssl is not working ?
More my information provided: I had used Cpanel before on my hosting company and now I've switched to VPS server and stop to use Cpanel(since Cpanel was expired)
Duncan
Last Comment
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
1. A certificate is just a set of files that is used for encryption and decryption (and some other things, too).
2. A "certificate authority" is simply a certificate that is used to put a seal of approval on another certificate (at least that's the basic idea). A certificate authority issues other certificates.
3. Certificate authorities are handy because it allows your computer to AUTOMATICALLY trust certificates that come from any certificate authority that your computer already trusts.
For example, if you have a friend who NEVER tells a lie, then you probably trust that friend. If that friend has a baby, then you can assume that the child will become honest and trustworthy, too. This is sort of how it works with certificates.
3. Operating systems like Windows or Linux will come with a list of really well-known certificate authorities that they already trust, like VeriSign. That way, your computer will automatically trust certificates that come from VeriSign (and from any other certificate authority that your computer has in its list of trusted certificate authorities).
4. When you create a self-signed certificate, you are creating a new certificate authority that is issuing itself. It is brand-new and does not come from any known certificate authority, so there will never be ANY computer that trusts your self-signed certificate right away. As long as your computer doesn't trust your certificate, you will get that red X and warnings in your browsers.
5. You can copy the certificate to your computer and then import it as a "trusted root" certificate authority. This tells YOUR computer that your self-signed certificate is just like VeriSign and is trustworthy. Anyone else will still get the red X, but you can make YOUR computer trust that certificate.
6. You don't do anything different when you generate the certificate. You simply copy the public certificate file to your computer and import it.
2. A "certificate authority" is simply a certificate that is used to put a seal of approval on another certificate (at least that's the basic idea). A certificate authority issues other certificates.
3. Certificate authorities are handy because it allows your computer to AUTOMATICALLY trust certificates that come from any certificate authority that your computer already trusts.
For example, if you have a friend who NEVER tells a lie, then you probably trust that friend. If that friend has a baby, then you can assume that the child will become honest and trustworthy, too. This is sort of how it works with certificates.
3. Operating systems like Windows or Linux will come with a list of really well-known certificate authorities that they already trust, like VeriSign. That way, your computer will automatically trust certificates that come from VeriSign (and from any other certificate authority that your computer has in its list of trusted certificate authorities).
4. When you create a self-signed certificate, you are creating a new certificate authority that is issuing itself. It is brand-new and does not come from any known certificate authority, so there will never be ANY computer that trusts your self-signed certificate right away. As long as your computer doesn't trust your certificate, you will get that red X and warnings in your browsers.
5. You can copy the certificate to your computer and then import it as a "trusted root" certificate authority. This tells YOUR computer that your self-signed certificate is just like VeriSign and is trustworthy. Anyone else will still get the red X, but you can make YOUR computer trust that certificate.
6. You don't do anything different when you generate the certificate. You simply copy the public certificate file to your computer and import it.
ASKER
I could save my self-sign cert into trusted cert folder on browser suggested from
the article of Microsoft ,
http://blogs.technet.com/b/sbs/archive/2007/04/10/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx
and then the SSL warning page from browser is gone when everytime I access my https site.
But the red-cross and red-slash mask on https still exists so the only way to get rid of
that is buying third-party authorized trusted certificate. Probably it is last method.
and some company's free certificate is free but it just do encryption on domain name and email address only and other information is not included unless buying his other SSL certificate package.
So you agree what I post ?
Duncan
the article of Microsoft ,
http://blogs.technet.com/b/sbs/archive/2007/04/10/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx
and then the SSL warning page from browser is gone when everytime I access my https site.
But the red-cross and red-slash mask on https still exists so the only way to get rid of
that is buying third-party authorized trusted certificate. Probably it is last method.
and some company's free certificate is free but it just do encryption on domain name and email address only and other information is not included unless buying his other SSL certificate package.
So you agree what I post ?
Duncan
If the red cross and red slash mark still exists after you import the certificate, it may be that Apache is not using the right certificate. You should be able to click on the red cross/slash or somewhere nearby in the address bar and be able to see which certificate is being presented by Apache for that site.
The Apache configuration should indicate what certificate it is using to enable HTTPS, so if it's not the right certificate, then you'll just have to update the Apache configuration and restart Apache.
The Apache configuration should indicate what certificate it is using to enable HTTPS, so if it's not the right certificate, then you'll just have to update the Apache configuration and restart Apache.
ASKER
Probably, it is my new thread question or other question and has been posted
and thanks for all of your reply
and thanks for all of your reply
Linux
Linux is a UNIX-like open source operating system with hundreds of distinct distributions, including: Fedora, openSUSE, Ubuntu, Debian, Slackware, Gentoo, CentOS, and Arch Linux. Linux is generally associated with web and database servers, but has become popular in many niche industries and applications.
71K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
ASKER
From you post, in other words, it seems I can set my self-cert SSL certificate to be trusted
SSL certificate so that the browser won't do red-cross or red-slash mask on https address bar. How to do it when I do openssl command ?