Hello,
I'd like to let my users install their own SSL certificates through a
web interface for self-management services. If a user provides a
malicious certificate, the entire server will fail to start and the
whole system is down. This is a bit hard but that's how it is.
So I'll have to make sure the certificate and key are usable by Apache
before generating the config that will use it.
I could run basic checks like letting openssl parse it. But I've managed to
break my test server by providing it a perfectly working certificate and
key - from an old domain from 2016. The server complained with this message:
> SSL Library Error: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
That's from my Let's Encrypt archives. A newer one of the same domain from
2018 works just fine on the same new dev server. So there are obviously
circumstances that make Apache fail on the certificate that I can't fully
analyse.
Is there a method to have Apache check that certificate and key in
advance, considering its usual configuration, before I expect it to use
the certificate? I don't want to let it try out the file on a production
system, and learn about an unsupported certificate by a web server
that's down. There has to be a smarter way to handle this.
-Yves
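
One way to run such a pre-flight check, as an added example that is not part of the original message: load the uploaded pair into a throwaway OpenSSL server context, which goes through the same SSL_CTX_use_certificate step named in the error above. It assumes the Python interpreter is linked against an OpenSSL build with the same security level as the web server; `check_cert_and_key` and its `seclevel` parameter are names made up for this example.

```python
"""Pre-flight check for an uploaded certificate/key pair (added example)."""
import ssl
import sys


def check_cert_and_key(cert_path, key_path, seclevel=None):
    """Return (ok, reason) without touching the running web server.

    The pair is loaded into a temporary server-side SSL context, so OpenSSL
    applies PEM parsing, the key/certificate match check and its
    security-level rules (for example 'ca md too weak').

    seclevel is an assumption of this example: pass the OpenSSL security
    level the production server runs with. If omitted, the default of the
    OpenSSL build behind this interpreter applies.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if seclevel is not None:
        # "@SECLEVEL=n" in a cipher string sets the context security level.
        ctx.set_ciphers(f"DEFAULT:@SECLEVEL={int(seclevel)}")
    try:
        ctx.load_cert_chain(
            certfile=cert_path,
            keyfile=key_path,
            # An encrypted key must fail here, not open a passphrase prompt.
            password=lambda: "",
        )
    except ssl.SSLError as exc:
        return False, f"rejected by OpenSSL: {exc.reason or exc}"
    except OSError as exc:
        return False, f"cannot read file: {exc}"
    return True, "certificate and key loaded"


if __name__ == "__main__":
    # Usage: python check_cert.py CERT.pem KEY.pem [SECLEVEL]
    level = int(sys.argv[3]) if len(sys.argv) > 3 else None
    ok, reason = check_cert_and_key(sys.argv[1], sys.argv[2], level)
    print(reason)
    sys.exit(0 if ok else 1)
```

Run it on the uploaded files before generating the config, and only write the vhost when it exits with status 0.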