[CentOS] https
R P Herrold
herrold at owlriver.com
Thu Sep 16 17:19:22 UTC 2010
On Thu, 16 Sep 2010, Matthew Miller wrote:
> Or get one from: http://cert.startcom.org/
I had seen this cross as well from another poster:
> Sorry, but you need to buy a certificate.
Bzzzrttt
I am firmly with Matthew on this one. When I saw the initial
post hit my email inbound queue (not sure what time --
something after 11:45), I started the process of
deploying a test box, and setting up a new certificate with
them (I have previously gone through their Class I and II
authentication processes and have an account with them). I
post this around 13:15 [the spell checker is very unhappy
with that key ... ]
This rough outline will get some markup, and turn into a blog
post later this week, and I'll mark it so:
http://planet.centos.org picks it up. The timestamps of this
email and of the certificate on that page show how quickly
this may be done (and with startcom, with no additional
per-certificate issuance fees other than as related to the
authentication process)
==============================================
1. Deploy, secure and name a box
victim-centos.pmman.net
2. Set the A record in DNS
198.178.231.140
3. Set the PTR
4. Install the mod_ssl package
(which pulls in httpd and its dependencies)
also useful is: crypto-utils as it will 'watch' for upcoming
expirations
5. Position a placeholder page to look for in a test
... I installed php as well, and here use a php scriptlet
that does a redirect into https on the fly when a connection
comes in on http
[root at vm178231140 html]# cat index.php
<?php
$SITE = "victim-centos.pmman.net";
// index the superglobal with a quoted key; a bare SERVER_PORT is an
// undefined constant (a notice in PHP 5, a fatal error in PHP 8)
$SERVER_PORT = $_SERVER['SERVER_PORT'];
if ("$SERVER_PORT" != "443") {
    // plain http: redirect to the https URL and stop, so the page
    // body below is only ever served over TLS
    header("Location: https://$SITE");
    exit;
}
print "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\" >";
print "<html><head><title>CentOS and SSL are easy</title></head>";
print "<body><h4>CentOS and SSL are easy</h4>";
print "<p>This example lives at: <a href=\"";
print "https://" . $SITE ;
print "\">https://" . $SITE . "</a> on a box provided by: ";
print "<a href=\"http://www.pmman.com\" target=\"_blank\">";
print "pmman.com</a></p></body></html>";
?>
6. Open up port 80/tcp and 443/tcp in iptables
7. Read: /etc/httpd/conf.d/ssl.conf
[root at victim-centos conf.d]# grep -v ^# ssl.conf | grep -v ^$
LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
[root at victim-centos conf.d]# grep -v ^# ssl.conf | grep -v ^$ | wc
32 77 1089
-----------
... the lines starting: ^SSL and containing the fragment File
are what need to be configured (and in the case with one from
startcom, a chained key file)
8. Set up a place to make the keys, signing request, and
pemfile, along with key chains
mkdir attic
cd attic
# we intentionally make one without a passphrase here
# to simplify the discussion
openssl genrsa -out victim-centos.pmman.net-2010.key 2048
openssl req -new -key victim-centos.pmman.net-2010.key \
    -out victim-centos.pmman.net-2010.csr
9. Get the CSR onto the clipboard so it may be pasted into the
web GUI at startcom
[root at victim-centos attic]# cat victim-centos.pmman.net-2010.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC7TCCAdUCAQAwgacxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJPSDERMA8GA1UE
BxMIQ29sdW1idXMxHDAaBgNVBAoTEzc4MSBSZXNvbHV0aW9uLCBMTEMxDjAMBgNV
... snippage ...
eKGhP2r4C8kVBrK13lgmlOt1OYLn+rvV8y/hkrlPbDSRoW4cNmoX3F4hFWUKxWZc
hvtc52ImrMe4vikYYIZGPk6Lhw3xSnVwZzoU0QxgR1XN
-----END CERTIFICATE REQUEST-----
[root at victim-centos attic]#
... startcom will indicate the CSR has been countersigned, and
a CRT may be retrieved
10. While you are waiting, retrieve the certificate chaining
back to the CA roots in any modern browser
wget -O sub.class1.server.ca.pem \
http://www.startssl.com/certs/sub.class1.server.ca.pem
wget -O sub.class2.server.ca.pem \
http://www.startssl.com/certs/sub.class2.server.ca.pem
wget -O ca.pem http://www.startssl.com/certs/ca.pem
... and copy them into place
cp sub.class2.server.ca.pem /etc/pki/tls/certs/
cp ca.pem /etc/pki/tls/certs/
11. Edit /etc/httpd/conf.d/ssl.conf and adjust the values for:
SSLCertificateFile \
/etc/pki/tls/certs/victim-centos.pmman.net.crt
SSLCertificateKeyFile \
/etc/pki/tls/private/victim-centos.pmman.net-2010.key
SSLCertificateChainFile \
/etc/pki/tls/certs/sub.class2.server.ca.pem
SSLCACertificateFile /etc/pki/tls/certs/ca.pem
# we also need to add:
SSLCertificateChainFile \
/etc/pki/tls/certs/sub.class2.server.ca.pem
... and look at the config file edits:
[root at victim-centos conf.d]# grep ^SSL ssl.conf | grep File
SSLCertificateFile /etc/pki/tls/certs/victim-centos.pmman.net.crt
SSLCertificateKeyFile /etc/pki/tls/private/victim-centos.pmman.net-2010.key
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
SSLCACertificateFile /etc/pki/tls/certs/ca.pem
[root at victim-centos conf.d]#
12. Retrieve that countersigned CRT from Startcom, and
place into a file: victim-centos.pmman.net.crt
13. Position and set perms on the key, and the certificate:
cp victim-centos.pmman.net-2010.key /etc/pki/tls/private/
cp victim-centos.pmman.net.crt /etc/pki/tls/certs/
chmod 600 /etc/pki/tls/certs/*.crt
14. Restart the webserver, and tail the logs in
/var/log/httpd
15. View the web page (here: https://victim-centos.pmman.net/
), and make sure no errors appear; check the certificate chain
in your local browser. This chain is present in Windows 7
Internet Explorer, Firefox, and Safari
16. All done
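A way to rehearse steps 8, 13 and 15 against a throw-away CA before touching the real box. This is an added example, not part of Herrold's post and not StartCom's or CentOS's own tooling; the hostname victim-centos.example.test and the two CA names are made up, and the only real tools used are openssl and sh. It builds root -> intermediate -> server the same shape as ca.pem -> sub.class2.server.ca.pem -> host certificate, then runs the two checks worth doing before the httpd restart: that the key and certificate are a pair, and that the leaf only validates when the intermediate is supplied (which is exactly what SSLCertificateChainFile hands to browsers).

```shell
#!/bin/sh
# Added example, not from the original post: a throw-away two-tier CA built
# in a temporary directory so the key/CSR step and the chain check from the
# outline above can be exercised offline.  The hostname and CA names are
# constructed; nothing here talks to StartCom or to pmman.net.

HOST=victim-centos.example.test      # constructed hostname, stands in for the real one
LAB=$(mktemp -d)
cd "$LAB" || exit 1

# Step 8 equivalent: RSA key without a passphrase, then a CSR whose CN is the
# hostname.  -subj answers the prompts that 'openssl req' would otherwise ask.
make_key_and_csr() {                 # $1 = file base name, $2 = subject CN
    openssl genrsa -out "$1.key" 2048 2>/dev/null &&
    openssl req -new -key "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Counter-sign a CSR: $1 = CSR base name, $2 = issuer base name (or 'self'
# for a self-signed root), $3 = X.509 v3 extension file for the new cert.
issue_cert() {
    if [ "$2" = self ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
            -extfile "$3" -out "$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
            -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null
    fi
}

# Pre-flight for steps 13/14: SSLCertificateFile and SSLCertificateKeyFile
# must be a pair.  The RSA modulus is identical in both when they are.
key_matches_cert() {                 # $1 = private key file, $2 = certificate file
    k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Step 15 equivalent: does the leaf ($3) chain to the trusted root ($1)?  $2 is
# the intermediate the server must send (SSLCertificateChainFile); pass "" to
# see what a browser that has never seen the intermediate gets.
chain_verifies() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
    fi
}

# Build root -> intermediate -> server, the same shape as
# ca.pem -> sub.class2.server.ca.pem -> host certificate in the outline.
build_lab() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > srv.ext
    make_key_and_csr root "Constructed Root CA"           && issue_cert root self ca.ext &&
    make_key_and_csr sub  "Constructed Class 2 Server CA" && issue_cert sub  root ca.ext &&
    make_key_and_csr "$HOST-2010" "$HOST"                 && issue_cert "$HOST-2010" sub srv.ext
}

build_lab || { echo "lab build failed in $LAB" >&2; exit 1; }

key_matches_cert "$HOST-2010.key" "$HOST-2010.crt" && echo "key and certificate are a pair"
chain_verifies root.crt sub.crt "$HOST-2010.crt" && echo "chain verifies when the intermediate is supplied"
chain_verifies root.crt ""      "$HOST-2010.crt" || echo "chain does NOT verify without the intermediate"
```

The last line is the failure a visitor's browser reports when the server sends only the leaf, so it is the check to repeat against the real ssl.conf values after step 11. One caveat on step 13: the file that warrants mode 600 is the private key under /etc/pki/tls/private; the .crt files are public and get sent to every client anyway.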
--
end
==================================
.-- -... ---.. ... -.- -.--
Copyright (C) 2010 R P Herrold
herrold at owlriver.com
My words are not deathless prose,
but they are mine.