SSL
Insert the following into your ssl.conf and continue creating the keys:
SSLCertificateFile /etc/mail/certs/newcert.pem
SSLCertificateKeyFile /etc/mail/certs/req.pem
SSLCertificateChainFile /etc/mail/certs/cacert.pem
New certificate
To create a certificate do the following:
Generate the CA key:
cd /etc/mail/certs/
edit CA.pl and set the number of days to a high value, like 10-20 years
maybe edit /etc/ssl/openssl.cnf
/usr/src/crypto/openssl/apps/CA.pl -newca
cp demoCA/cacert.pem .
Generate keypair:
edit CA.pl again and set it to 1-2 years
/usr/src/crypto/openssl/apps/CA.pl -newreq
as Common Name enter the FQDN of the host
Sign the keypair:
/usr/src/crypto/openssl/apps/CA.pl -sign
Remove the password from keypair:
openssl rsa -in newkey.pem -out req.pem
rm newreq.pem
chmod 0600 *
Chain of Trust
To add your self-created CA to the chain of trust, import the file cacert.pem on all computers and select "trust completely".
Renew a certificate
Sign the keypair:
cd /etc/mail/certs
/usr/src/crypto/openssl/apps/CA.pl -sign
see:
- http://linio.boo.pl/eng/certs.html
- http://www.freebsddiary.org/openssl-client-authentication.php
- http://www.bsdguides.org/guides/freebsd/webserver/apache_ssl_php_mysql.php
- http://wiki.cacert.org/wiki/VhostTaskForce
Convert PEM to DER to import on Android
To convert your own CA to a format Android can read use:
openssl x509 -inform PEM -outform DER -in newcert.pem -out CA.crt
StartSSL
To create your certificate (the same applies for renewal), go to http://startssl.com and log in. To get a secure key, make sure you have the following settings in /etc/ssl/openssl.cnf:
default_md = sha256 # which message digest to use; "sha2" is not a digest name OpenSSL accepts, sha256 is
default_bits = 4096
Create your key:
/usr/src/crypto/openssl/apps/CA.pl -newreq
Paste the content of newreq.pem into the certificate request form on startssl.com. Save the certificate returned by startssl.com to a file ssl.crt.
Remove the passphrase with:
openssl rsa -in newkey.pem -out ssl.key
Download the files from startssl.com:
wget -N https://www.startssl.com/certs/sub.class1.server.ca.pem
wget -N https://www.startssl.com/certs/ca.pem
You have the following:
File | Description |
---|---|
ca.pem | StartSSL root certificate |
sub.class1.server.ca.pem | StartSSL intermediate certificate |
newkey.pem | encrypted private key |
newreq.pem | certificate request |
ssl.key | decrypted private key |
ssl.crt | certificate for your key, signed by startssl.com |
Configure your apache:
SSLCertificateFile /usr/local/etc/apache22/ssl/ssl.crt
SSLCertificateKeyFile /usr/local/etc/apache22/ssl/ssl.key
SSLCertificateChainFile /usr/local/etc/apache22/ssl/sub.class1.server.ca.pem
SSLCACertificateFile /usr/local/etc/apache22/ssl/ca.pem
Create Certificate with more than one (Wildcard)-Domain
Create an OpenSSL config file named openssl.cnf:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = DE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Bayern
localityName = Locality Name (eg, city)
localityName_default = Munich
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = FM-Data
commonName = FM-Data
commonName_max = 64
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.fechner.net
DNS.2 = *.idefix.lan
openssl genrsa -out newkey.pem 4096
openssl req -new -out san_idefix_lan.csr -key newkey.pem -config openssl.cnf
openssl req -text -noout -in san_idefix_lan.csr
openssl x509 -req -days 3650 -in san_idefix_lan.csr -signkey newkey.pem -out
mv san_idefix_lan.csr cacert.pem
openssl x509 -req -days 3650 -in cacert.pem -signkey newkey.pem -out newreq.pem -extensions v3_req -extfile openssl.cnf
mv newreq.pem newcert.pem
mv newkey.pem req.pem
See http://apetec.com/support/GenerateSAN-CSR.htm
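The two procedures above (CA, request, signing, passphrase removal, and the v3_req/alt_names extensions) as one non-interactive script, followed by the checks worth running before pointing ssl.conf at the files. This is an added example using plain openssl instead of CA.pl, not code from the page; the scratch directory, the CA name, the hostname and the SAN entries are made up.

```shell
#!/bin/sh
# Added example, not from the page: CA -> request -> sign with plain openssl
# instead of CA.pl, then consistency checks. Scratch directory (instead of
# /etc/mail/certs), CA name, hostname and SAN entries are constructed.
set -eu

WORK=${1:-$(mktemp -d)}    # assumption: scratch directory, not /etc/mail/certs
cd "$WORK"
# Minimal config: v3_ca for the self-signed CA, v3_req/alt_names as on the page.
cat > ssl.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.idefix.lan
DNS.2 = mail.idefix.lan
EOF

# 1. CA key + self-signed CA certificate with a long lifetime (CA.pl -newca).
openssl req -x509 -config ssl.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 3650 -subj "/CN=Example Private CA" -keyout cakey.pem -out cacert.pem 2>/dev/null
# 2. Server key + request, CN is the FQDN (CA.pl -newreq); -nodes writes the key
#    unencrypted, which replaces the later "openssl rsa" passphrase-removal step.
openssl req -new -config ssl.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=mail.idefix.lan" -keyout req.pem -out newreq.pem 2>/dev/null
# 3. CA signs the request for a short lifetime, copying the SAN extension in (CA.pl -sign).
openssl x509 -req -days 365 -in newreq.pem -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
    -extfile ssl.cnf -extensions v3_req -out newcert.pem 2>/dev/null
chmod 0600 cakey.pem req.pem

# Checks: chain verifies, key matches certificate, SAN present, key really unencrypted.
check_chain()    { openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" >/dev/null 2>&1; }
check_keymatch() {
    c=$(openssl x509 -noout -modulus -in "$WORK/newcert.pem")
    k=$(openssl rsa  -noout -modulus -in "$WORK/req.pem" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
check_san()      { openssl x509 -noout -text -in "$WORK/newcert.pem" | grep -q 'DNS:\*\.idefix\.lan'; }
check_plainkey() { ! grep -q ENCRYPTED "$WORK/req.pem"; }
verify_all()     { check_chain && check_keymatch && check_san && check_plainkey; }

verify_all && echo "certificate set in $WORK is consistent"
```

Run it with a directory argument to keep the files, or without one to work in a temporary directory; cacert.pem is the file to import on the clients, newcert.pem and req.pem are what ssl.conf expects.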
Secure SSL connection
Based on this calculator https://mozilla.github.io/server-side-tls/ssl-config-generator/
...
SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder on
SSLSessionTickets off
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Check SSL ciphers
nmap -p 993 --script ssl-enum-ciphers hostname
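nmap needs a running listener; the same weak settings can also be caught offline in the config file. The following shell audit is an added example, not from the page: it reads the SSL directives of a constructed config file (the profile above deliberately weakened) and reports SSLv3 left enabled, compression, missing cipher ordering, 3DES suites and suites without forward secrecy.

```shell
#!/bin/sh
# Added example, not from the page: offline audit of Apache SSL directives.
# The sample config is constructed: the page's profile with several settings weakened.
set -eu

BAD=$(mktemp)
cat > "$BAD" <<'EOF'
SSLProtocol all -SSLv2
SSLCompression On
SSLSessionTickets off
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DES-CBC3-SHA:AES128-SHA:!DSS
EOF

# Value of a directive; the last occurrence wins, as in Apache. Empty if absent.
directive() { awk -v d="$2" 'tolower($1)==tolower(d){$1=""; sub(/^ /,""); v=$0} END{print v}' "$1"; }

# One finding per line on stdout.
audit_ssl_conf() {
    f=$1
    proto=$(directive "$f" SSLProtocol)
    if printf '%s\n' "$proto" | grep -qw all && ! printf '%s\n' "$proto" | grep -q -- '-SSLv3'; then
        echo "SSLProtocol leaves SSLv3 enabled (POODLE): $proto"
    fi
    [ "$(directive "$f" SSLCompression | tr A-Z a-z)" != on ] || echo "SSLCompression on (CRIME)"
    [ "$(directive "$f" SSLHonorCipherOrder | tr A-Z a-z)" = on ] || echo "SSLHonorCipherOrder not on: client picks the suite"
    # Walk the cipher string suite by suite: 3DES, and key exchange without forward secrecy.
    directive "$f" SSLCipherSuite | tr ':' '\n' | grep -v -e '^!' -e '^$' | while read -r s; do
        case "$s" in
            *DES-CBC3*) echo "3DES suite (SWEET32): $s" ;;
            ECDHE-*|DHE-*|EDH-*) ;;
            *) echo "no forward secrecy: $s" ;;
        esac
    done
}

count_findings() { audit_ssl_conf "$1" | wc -l | tr -d ' '; }

audit_ssl_conf "$BAD"
```

Point audit_ssl_conf at the real ssl.conf to check it; note that the page's own cipher string still carries the DES-CBC3 suites from the compatibility profile and will be reported.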
Tomcat Connector
To configure the Tomcat connector for Apache 2.4 I added to httpd.conf:
Include conf/tomcat_connector.conf
Then configure everything in tomcat_connector.conf:
LoadModule jk_module modules/mod_jk.so
# Where to find workers.properties
# Update this path to match your conf directory location (put workers.properties next to httpd.conf)
JkWorkersFile "conf/workers.properties"
# Where to put jk shared memory
# Update this path to match your local state directory or logs directory
JkShmFile "logs/mod_jk.shm"
<VirtualHost _default_:80>
# Where to put jk logs
# Update this path to match your logs directory location (put mod_jk.log next to access_log)
JkLogFile "logs/mod_jk.log"
# Set the jk log level [debug/error/info]
JkLogLevel error
# Select the timestamp log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# Define the mapping
JkMountFile "conf/uriworkermap.properties"
</VirtualHost>
Enable IE Quirks Mode
Sometimes you have a buggy website and the company is not willing to fix the problems on it. The website only works if IE is forced into Quirks mode. To work around this with Apache you can use the module headers_module. To enable it, load the module:
LoadModule headers_module modules/mod_headers.so
Now add to your virtual host the line:
Header set X-UA-Compatible "IE=5;charset=iso-8859-1"
SSL Certificate with Windows
Before you start, make sure you have a current version of apache from [[http://www.apachehaus.com/cgi-bin/download.plx|here]] installed. Do not forget the openssl update!
First make sure that the path to openssl is in the Windows PATH so you can execute the openssl command from the console. For me the path is d:\Apache24\bin.
To create an SSL certificate for Apache on Windows:
d:
cd apache24
cd conf
cd ssl
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout hostname.key -out hostname.crt
Add to your virtual host config something like this:
<VirtualHost _default_:443>
ServerName hostname
...
# SSL configuration
SSLEngine on
SSLCertificateFile conf/ssl/hostname.crt
SSLCertificateKeyFile conf/ssl/hostname.key
SSLCertificateChainFile conf/ssl/hostname.crt
</VirtualHost>
Using PHP together with Apache24
We use Apache 2.4 together with php-fpm so we can use the event MPM instead of the prefork MPM, which is memory hungry and slow. Make sure you have php-fpm running:
# PHP FPM
php_fpm_enable="YES"
service php-fpm restart
Make sure the proxy modules are loaded:
LoadModule proxy_module libexec/apache24/mod_proxy.so
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
In your virtual host definition:
<VirtualHost *>
...
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://localhost:9000/opt/local/www/phpmyadmin/$1
DirectoryIndex /index.php index.php
<Directory /opt/local/www/phpmyadmin>
...