Re: OpenSSL and apache2 wildcard self-signed certificate for nested subdomain


 



On Wed, 14 Dec 2011 14:19:09 CET, Igor Galić wrote:


----- Original Message -----
On Wed, 14 Dec 2011 13:49:54 CET, Tom Evans wrote:
On Wed, Dec 14, 2011 at 12:43 PM, rey sebastien<reyman64@xxxxxxxxx>
  wrote:
Hello users :)
I try to ask a "smart" question on my problem...

I have some problem with nested subdomain and wildcard openssl
certificate..
perhaps, I don't know, this is because the subdomain type is :
site1.parisgeo.cnrs.fr, or site2.parisgeo.cnrs.fr, or other
subdomain like
xxxx.parisgeo.cnrs.fr
…
I generate my certificate like this (CN = *.parisgeo.cnrs.fr) :

openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl req -newkey rsa:1024 -nodes -keyout parisgeo.cnrs.fr.key
-out
…
root@xxxx:/etc/ssl# openssl s_client -connect
partage.parisgeo.cnrs.fr:443
…
      Verify return code: 18 (self signed certificate)
---
closed

The Firefox error when I try to connect to the site is :

An error occurred during a connection to partage.parisgeo.cnrs.fr.
Peer's certificate has an invalid signature.
(Error code: sec_error_bad_signature)


Firefox will not trust a self signed certificate unless you install
the CA certificate into your browser's keychain. Other browsers
will
ask if you want to accept a self signed certificate.

Cheers

Tom


Thanks for your great explanation,
I try to connect with Chrome, and it's possible to access the
website,
so you're right ...

Is there any solution to bypass this problem ? With another type of
self signed certificate which needs no CA ? or contains the CA, I don't
know ?

cacert.org will issue free certificates, and, IIRC, also wildcard
certificates. They are available in *most* browsers.

Cheers,
SR.

i


Thanks for information Igor,
I find the cacert.org site, but not the IIRC site, can you give me more information ? I'm not the owner of parisgeo.cnrs.fr because the root domain is the French institution cnrs.fr, so can I create this type of certificate ?



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
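
An added example, not part of the thread and not code from the Apache or OpenSSL projects: the private-CA plus wildcard setup discussed above, with Tom's point checked directly (the leaf verifies only when the CA certificate is a trust anchor) and a check of which host names the wildcard covers. The CA subject "Example Lab Root CA", the file names and the host a.b.parisgeo.cnrs.fr are assumptions; the other names are the ones from the thread.

```shell
#!/bin/sh
# Added example: throwaway keys in a temp directory. The CA subject and the
# file names are constructed; parisgeo.cnrs.fr names come from the thread.

make_chain() {    # $1 = output directory, $2 = parent domain
    # Private CA: its own key and a subject distinct from any server cert.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Lab/CN=Example Lab Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    # Server key and CSR for the wildcard name (2048-bit, not rsa:1024).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    # Leaf extensions: not a CA, wildcard carried in subjectAltName.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.%s\n' "$2" \
        > "$1/leaf.ext"
    # The CA signs the CSR, so the leaf's issuer is the CA, not itself.
    openssl x509 -req -in "$1/server.csr" -days 30 -sha256 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/leaf.ext" -out "$1/server.crt" 2>/dev/null
}

# Succeeds only if server.crt chains to ca.crt AND is valid for host $2.
trusted_for() {   # $1 = directory, $2 = host name
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/server.crt" >/dev/null 2>&1
}

# Same leaf, checked without the CA installed as a trust anchor.
trusted_without_ca() {   # $1 = directory
    openssl verify "$1/server.crt" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_chain "$d" parisgeo.cnrs.fr || return 1
    trusted_for "$d" partage.parisgeo.cnrs.fr && echo "CA trusted, partage: OK"
    trusted_for "$d" a.b.parisgeo.cnrs.fr || echo "CA trusted, a.b: name mismatch"
    trusted_without_ca "$d" || echo "CA not trusted: verification fails"
    rm -rf "$d"
}
demo
```

The wildcard matches exactly one label, so a deeper name such as a.b.parisgeo.cnrs.fr needs its own certificate or an additional subjectAltName entry.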


