On 06.04.2015 19:24, Victor Porton wrote:
> I've tried to set SSL for one site at my Debian Linux wheezy server
> (which serves multiple domains).
>
> I've prepared StartSSL keys and certificate and put them into
> /etc/apache2/ssl/

How did you prepare those? Did you follow the StartSSL steps on the website wizard and obtain both of these files by downloading them from their website?

> But when I started the below configuration (with Debian command
> `a2ensite withoutvowels.conf`), after I opened
> https://withoutvowels.org/wiki/Without_Vowels_project I've got
>
> [[[[
> This Connection is Untrusted
>
> You have asked Iceweasel to connect securely to withoutvowels.org, but
> we can't confirm that your connection is secure.
>
> Normally, when you try to connect securely, sites will present trusted
> identification to prove that you are going to the right place. However,
> this site's identity can't be verified.
> What Should I Do?
>
> If you usually connect to this site without problems, this error could
> mean that someone is trying to impersonate the site, and you shouldn't
> continue.
>
> withoutvowels.org uses an invalid security certificate. The certificate
> is not trusted because it is self-signed. The certificate is only valid
> for d1stkfactory (Error code: sec_error_unknown_issuer)
> ]]]]

That "d1stkfactory" in there is interesting. Are you hosted at DigitalOcean? I found this using Google:

http://blog.vucica.net/2014/03/mails-appearing-from-d1stkfactory.html

My guess right now is that you made the certificate on a machine of yours rather than downloading a cert from StartSSL. Did you use a certificate signing request to get your existing cert signed?

> After this error I've stopped using the below configuration and
> replaced it with my old (non-SSL) configuration.
>
> The config /etc/apache2/sites-available/withoutvowels.conf for the site
> is below:
>
> <VirtualHost *:443>
> ServerName withoutvowels.org
>
> SuexecUserGroup withoutvowels withoutvowels
>
> ServerAdmin webmaster@localhost
>
> SSLEngine on
> SSLProtocol all -SSLv2
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
> SSLCertificateFile /etc/apache2/ssl/ssl.crt
> SSLCertificateKeyFile /etc/apache2/ssl/private.key
> SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem

This looks a lot like https://www.startssl.com/?app=21

Please consider disabling SSLv3 as well, because:

https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack

Having SSLv3 enabled will also not look good on the ssllabs test page, e.g.

https://www.ssllabs.com/ssltest/analyze.html?d=google.com&s=74.125.224.8

Best,
Sebastian
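
Added example, not part of the original thread: a small Python check that evaluates an `SSLProtocol` line the way its tokens combine (`+X` adds, `-X` removes, a bare name replaces the set) and reports which broken protocols the posted vhost still leaves enabled. The function names and the expansion of `all` are assumptions of this example; what `all` includes depends on the Apache and OpenSSL build.

```python
import re

# Assumption for this example: "all" on a mod_ssl/OpenSSL build that still
# ships SSLv2 and SSLv3; newer builds leave those out of "all".
ALL = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
BROKEN = {"SSLv2", "SSLv3"}
CANON = {p.lower(): p for p in ALL}

def effective_protocols(args):
    """Apply SSLProtocol tokens left to right: +X adds, -X removes, bare X replaces."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() == "all":
            names = set(ALL)
        elif name.lower() in CANON:
            names = {CANON[name.lower()]}
        else:
            raise ValueError(f"unknown protocol token: {tok!r}")
        if sign == "+":
            enabled |= names
        elif sign == "-":
            enabled -= names
        else:
            enabled = set(names)
    return enabled

def audit_vhost(conf):
    """Return (line number, broken protocols still enabled) per SSLProtocol line."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            weak = sorted(effective_protocols(m.group(1)) & BROKEN)
            if weak:
                findings.append((lineno, weak))
    return findings

# Excerpt of the vhost posted in the thread, closed here so it stands alone.
POSTED = """<VirtualHost *:443>
    ServerName withoutvowels.org
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
"""
FIXED = POSTED.replace("all -SSLv2", "all -SSLv2 -SSLv3")

if __name__ == "__main__":
    print(audit_vhost(POSTED))  # SSLv3 is still on in the posted config
    print(audit_vhost(FIXED))   # nothing reported once SSLv3 is removed
```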