Lab 7.5 - Created Self Signed Certificate - Browser doesn't show it's secure

I followed the Lab 7.5 steps verbatim to create my own Self Signed Certificate on CentOS7. However, when I finish with the steps and restart the httpd service, I'm prompted for a pass phrase for localhost:443 (RSA).

When I open up Firefox, it shows "Not Secure" for the website.

Is there anything that I might have missed? How do I get the SSL cert to work?

Thanks

Comments

  • lee42x
    lee42x Posts: 380

    Most of the "newer" browsers consider self-signed keys to be "insecure" and will prompt you. There should be an option in the browser pop-up to acknowledge the usage of a self-signed key. As for the passphrase, yes, if a passphrase is set the server will prompt for it on startup. We can remove the passphrase if desired.

  • Sorry, I should have clarified. It shows it as "Connection Not Encrypted". It says, "The website ipvhost.example.com does not support encryption for the page you are viewing".

  • Thanks for the tip, lee42. Looking at the logs for errors - I see [ssl:warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?).

    What does this mean? Is this wrong? How should I fix it?

  • lee42x
    lee42x Posts: 380

    That message is indicating a CA "Certificate Authority" (the signing authority) is being used as a server certificate. Please review the certification generation section for the lab.

  • KonstantinA
    KonstantinA Posts: 29
    edited June 2020

    Everything is configured up to 7.5 lab.
    If I do any of the following, I get connected to the proper host and have the index.html displayed correctly:
    lynx http://localhost
    lynx http://ipvhost.example.com
    lynx http://namevhost.example.com

    But if I add an "s" to the above, lynx https://.... I get prompted to accept the self-signed certificate, I do, but I always connect to the localhost and it displays the default index.html

    lynx https://localhost --> correct index.html
    lynx https://ipvhost.example.com --> displays localhost's index.html
    lynx https://namevhost.example.com --> displays localhost's index.html

    If I change the listening port from 80 to 443 for ipvhost and namevhost, I can't connect to those sites at all.

    ---------------------- EDIT --------------------------------------

    I think I found the reason: "VirtualHost default:443" (from the file default-ssl.conf in /etc/apache2/sites-enabled directory)

    Should I edit the default-ssl.conf or create similar files for my other hosts? Like ipvhost-ssl.conf and namevhost-ssl.conf with proper configuration?

  • lee42x
    lee42x Posts: 380

    Hi KonstantinA,
    The results you are seeing are what is expected. The additional steps of creating ssl namevhost configuration is currently not in the lab exercise.

    Another option to be used is the SNI switch "SSLStrictSNIVHostCheck off/on" to allow non-SNI hosts to access the https pages.

    Regards Lee
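
The two symptoms raised in this thread (the pass phrase prompt at httpd startup and the `BasicConstraints: CA == TRUE` warning) can be checked on the certificate and key files themselves. The script below is an added example, not part of the lab or of any post above: it generates a self-signed server certificate with `CA:FALSE` and an unencrypted key, then inspects both. The config file contents, file names and scratch directory are assumptions; the host names are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not from the lab): self-signed *server* certificate with
# CA:FALSE, SAN entries for the thread's vhosts, and an unencrypted key.
set -eu

make_leaf_cert() {  # $1 = output directory, $2 = CN, $3 = subjectAltName value
  cat > "$1/leaf.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = leaf
prompt             = no
[dn]
CN = $2
[leaf]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = $3
EOF
  # -nodes writes the key without a pass phrase, so httpd starts unattended;
  # the file permissions are then the only protection for the key.
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -config "$1/leaf.cnf" -keyout "$1/server.key" -out "$1/server.crt" \
      2>/dev/null )
}

cert_text() { openssl x509 -in "$1" -noout -text; }

cert_is_ca() {          # true if the certificate asserts CA:TRUE
  case "$(cert_text "$1")" in *CA:TRUE*) return 0 ;; *) return 1 ;; esac
}

cert_has_san() {        # $2 = host name expected in subjectAltName
  case "$(cert_text "$1")" in *"DNS:$2"*) return 0 ;; *) return 1 ;; esac
}

key_is_encrypted() {    # PEM header says ENCRYPTED when a pass phrase is set
  grep -q ENCRYPTED "$1"
}

# Constructed demo run in a scratch directory (paths are placeholders).
demo_dir=$(mktemp -d)
make_leaf_cert "$demo_dir" ipvhost.example.com \
  "DNS:ipvhost.example.com,DNS:namevhost.example.com,DNS:localhost"
cert_is_ca "$demo_dir/server.crt" && echo "WARN: CA:TRUE" || echo "ok: CA:FALSE"
key_is_encrypted "$demo_dir/server.key" && echo "WARN: pass phrase set" \
  || echo "ok: no pass phrase"
```

The same `cert_is_ca` and `key_is_encrypted` checks can be run against an existing certificate and key before restarting httpd. The browser will still ask for confirmation, because the certificate remains self-signed.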