Hello everyone,
I'm submitting a problem that I described on the official Apple forum and that still hasn't received any answer.
The problem is completely paralysing me in my work.
The slightest bit of help will be welcome!
Here is the procedure:
HI there!
It took tons of hours trying to set up an https connection and in the end it still doesn't work.
I went to tons of forums and tried all the tricks written there; nothing worked.
Most of the time it is not clear.
Most of the time it changed nothing.
YOU are my last chance!
I listed several questions in green; it would be kind of you if you've got some answers.
Here follow the steps that I did.
First, I used this site : http://developer.apple.com/internet/serverside/modssl.html
Nice site, not so clear but nice.
So here is what I got :
openssl genrsa -des3 -out server.key 2048
Passphrase : 123456 (two times)
then :
openssl req -new -key server.key -out server.csr
Passphrase : 123456
Organization Name : GG LTD
Common Name : GOK
No challenge password nor optional company name.
openssl genrsa -des3 -out ca.key 2048
Passphrase : azerty (two times)
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Organization Name : GG HC
Common Name : GG HC OK
After that I continued :
chmod +x sign.sh
./sign.sh server.csr
Passphrase : azerty
Certificate is to be certified until Oct 22 18:11:15 2008 GMT (365 days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
So that seems to be ok!
Next step...
sudo mkdir /etc/httpd/ssl.key
sudo cp -r * /etc/httpd/ssl.key/
Here is what I got :
powermacquad:/etc/httpd/ssl.key root# ll
total 72
drwx------ 12 root wheel 408 Oct 23 11:14 .
drwxr-xr-x 23 root wheel 782 Oct 22 19:24 ..
-rw-r--r-- 1 root wheel 1513 Oct 23 11:14 ca.crt
drwxr-xr-x 3 root wheel 102 Oct 23 11:14 ca.db.certs
-rw-r--r-- 1 root wheel 82 Oct 23 11:14 ca.db.index
-rw-r--r-- 1 root wheel 21 Oct 23 11:14 ca.db.index.attr
-rw-r--r-- 1 root wheel 3 Oct 23 11:14 ca.db.serial
-rw-r--r-- 1 root wheel 1751 Oct 23 11:14 ca.key
-rw-r--r-- 1 root wheel 3890 Oct 23 11:14 server.crt
-rw-r--r-- 1 root wheel 997 Oct 23 11:14 server.csr
-rw-r--r-- 1 root wheel 1743 Oct 23 11:14 server.key
-rwxr-xr-x 1 root wheel 1784 Oct 23 11:14 sign.sh
I did not do the "Removing the pass phrase requirement" because I am in production. So as I understand it, I will have to retype the passphrase every time I reboot. I will have to start Apache manually via the command line. 1-Is that true? Or is it acceptable to remove the passphrase requirement (if the computer is physically protected from hackers or something else)?
The next step was :
sudo apachectl stop
cd /etc/httpd
sudo cp httpd.conf httpd.conf.backup
The next step is harder to understand.
What I want to do is to reserve this directory :
/Library/WebServer/html/secure/
for my https.
2-Is that possible?
Here are the important parts of my httpd.conf file :
LoadModule ssl_module libexec/httpd/libssl.so
AddModule mod_ssl.c
ServerSignature On
#Port 80
## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
<IfModule mod_ssl.c>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase
SSLSessionCache dbm:/var/log/httpd/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/log/httpd/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLogLevel info
AddType application/x-x509-ca-cert crt
AddType application/x-pkcs7-crl crl
SSLProtocol all -SSLv2
SSLLog "/var/log/httpd/ssl_engine_log"
## SSL Virtual Host Context
##
<VirtualHost 127.0.0.1:80>
#Just to keep things sane...
DocumentRoot "/Library/WebServer/html"
ServerName 127.0.0.1
ServerAdmin [email protected]
SSLEngine Off
</VirtualHost>
<VirtualHost 127.0.0.1:443>
# General setup for the virtual host
DocumentRoot "/Library/WebServer/html/secure"
#ServerName has to match the server you entered into the CSR
ServerName secure
ServerAdmin [email protected]
ErrorLog "/var/log/httpd/error_log"
TransferLog /var/log/httpd/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine On
# enable SSLv3 but not SSLv2
SSLProtocol all -SSLv2
SSLCipherSuite "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
# Path to your certificates and private key
SSLCertificateFile "/etc/httpd/ssl.key/serveur.crt"
SSLCertificateKeyFile "/etc/httpd/ssl.key/serveur.key"
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/Library/WebServer/CGI-Executables">
SSLOptions +StdEnvVars
</Directory>
# correction for browsers that don't always handle SSL connections well
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Listen 443
Listen 80
</IfModule>
<IfModule mod_jk.c>
JKWorkersFile /etc/httpd/workers.properties
JKLogFile /var/log/httpd/mod_jk.log
JKLogLevel error
JKMount /*.jsp JBoss1
JKMount /servlet/* JBoss1
JKMount /examples/* JBoss1
</IfModule>
##
##
## The default server is used for status on a special port
3-Is there a problem with my httpd.conf?
At this point I have two options :
first one is to use this /settings/certificates
the second one is to configure everything in /Web/Settings/General+Security/
Let's see the first option.
I clicked on Import, a new window appeared and I entered my parameters :
Just after clicking Import it froze for a long, long time.
The password entered was : 123456. 4-Is that right?
I had to force quit the Admin Server application so as not to wait 3 more days!!
So now let's see the second option :
I have only one IP.
On the first line there is my official website.
On the second is the MySQL WebInterface : /Library/WebServer/Documents/phpMyAdmin/
Here I had to click on "+" to create a new Site.
You can see 4 arrows pointing at some delicate points.
5-Are all these points ok? Are the parameters appropriate?
Now it is time to try to enter this #@!+$£#@& certificate.
First thing to do is to select personalised configuration :
After that a question :
6-Why are the default cert and key stored in /etc/Certificates and not in /etc/httpd/ssl.* like mine? Is that important?
I entered the parameters as follows :
And that was good, it said : Import successful.
Now it is easy: you click OK, then you save the new configuration.
And when I want to restart the Web service, it fails like that :
Saying :
"try to reactualize configuration, try to contact admin, see the logs, impossible to restart".
Two more precisions :
-I have no performance cache
-Last precisions are :
httpd -D SSL
Invalid command '%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b', perhaps mis-spelled or defined by a module not included in the server configuration
I tried a lot more things, for example commenting out these lines :
'%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b'
(for the following commands I am in root)
Then when I try httpd -D SSL
It gives : Processing config directory: /etc/httpd/sites/*.conf
Processing config file: /etc/httpd/sites/0000_any_80_.conf
Processing config file: /etc/httpd/sites/0001_127.0.0.1_80_phpmyadmin.conf
Processing config file: /etc/httpd/sites/virtual_host_global.conf
So I thought it was ok, but then when I did
apachectl start
Processing config directory: /etc/httpd/sites/*.conf
Processing config file: /etc/httpd/sites/0000_any_80_.conf
Processing config file: /etc/httpd/sites/0001_127.0.0.1_80_phpmyadmin.conf
Processing config file: /etc/httpd/sites/virtual_host_global.conf
/usr/sbin/apachectl start: httpd could not be started
And the log said :
/var/log/httpd root# tail 20 -f ssl_engine_log
[23/Oct/2007 12:59:50 09697] [info] Server: Apache/1.3.33, Interface: mod_ssl/2.8.24, Library: OpenSSL/0.9.7l
[23/Oct/2007 12:59:50 09697] [info] Init: 1st startup round (still not detached)
[23/Oct/2007 12:59:50 09697] [info] Init: Initializing OpenSSL library
[23/Oct/2007 12:59:50 09697] [info] Init: Loading certificate & private key of SSL-aware server secure:443
[23/Oct/2007 12:59:50 09697] [error] Init: Unable to read server certificate from file /etc/httpd/ssl.key/serveur.crt (OpenSSL library error follows)
[23/Oct/2007 12:59:50 09697] [error] OpenSSL: error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
7-That will be my last question : what I did wrong? What should I do?
That's all.
My problem is as big as this post.
I must find a solution.
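The startup error quoted in the post (`ASN1_get_object:header too long`) is OpenSSL's report that the length declared in the certificate's outer DER header exceeds the bytes actually present in the file, which is what happens when the file mod_ssl opens is not a complete PEM certificate; a second routine check before restarting is that every path named by `SSLCertificateFile` and `SSLCertificateKeyFile` exists. The following is an added example, not code from the original post, that performs both checks offline on constructed inputs: a tiny well-formed DER SEQUENCE stands in for a real certificate, a second one is truncated, and the directive paths and file names are those quoted in the post.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
CONF_RE = re.compile(r'^\s*(SSLCertificateFile|SSLCertificateKeyFile)\s+"?([^"\s]+)"?', re.M)

def der_outer_length(der: bytes):
    """Parse the outer DER SEQUENCE header; return (header_len, declared_body_len) or None."""
    if len(der) < 2 or der[0] != 0x30:  # an X.509 certificate is an outer SEQUENCE
        return None
    first = der[1]
    if first < 0x80:  # short form: the single length byte is the body length
        return 2, first
    n = first & 0x7F  # long form: the next n bytes hold the body length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n, int.from_bytes(der[2:2 + n], "big")

def check_pem_certificate(data: bytes) -> str:
    """Classify file contents the way a failed SSLCertificateFile load would see them."""
    m = PEM_RE.search(data)
    if not m:
        return "no PEM block"
    label = m.group(1).decode()
    if label != "CERTIFICATE":
        return f"PEM block is {label}, not CERTIFICATE"
    try:
        der = base64.b64decode(m.group(2))  # whitespace between lines is discarded
    except ValueError:
        return "base64 decode failed"
    parsed = der_outer_length(der)
    if parsed is None:
        return "DER header malformed"
    hdr, body = parsed
    if hdr + body > len(der):  # the condition OpenSSL reports as "header too long"
        return f"header too long: declares {body} bytes, only {len(der) - hdr} present"
    if hdr + body < len(der):
        return "trailing bytes after certificate"
    return "ok"

def missing_ssl_files(conf: str, present: set) -> dict:
    """Return each SSLCertificate* directive whose path is not among the files present."""
    return {d: p for d, p in CONF_RE.findall(conf) if p not in present}

def make_pem(der: bytes, label: bytes = b"CERTIFICATE") -> bytes:
    return b"-----BEGIN " + label + b"-----\n" + base64.encodebytes(der) + b"-----END " + label + b"-----\n"

# Constructed samples: a 5-byte SEQUENCE stands in for a real certificate.
GOOD_PEM = make_pem(bytes.fromhex("3003020105"))
TRUNCATED_PEM = make_pem(bytes.fromhex("30820400020105"))  # declares a 1024-byte body, 3 present
CSR_PEM = make_pem(bytes.fromhex("3003020105"), b"CERTIFICATE REQUEST")
# Directives as quoted in the post, and the file names from the ssl.key listing.
CONF = 'SSLCertificateFile "/etc/httpd/ssl.key/serveur.crt"\nSSLCertificateKeyFile "/etc/httpd/ssl.key/serveur.key"\n'
PRESENT = {"/etc/httpd/ssl.key/" + n for n in ("ca.crt", "ca.key", "server.crt", "server.csr", "server.key")}
```

Running `check_pem_certificate` on the real `.crt` and `missing_ssl_files` on the real `httpd.conf` (with the directory listing as `present`) gives the two answers mod_ssl's log only hints at.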