Server Admin and https... how does it work?

LedZep2
Registered member
25 October 2007
Hello everyone,

Here is a problem I described on the official Apple forum, and which still has not received any answer.
The problem is paralysing me completely in my work.
The slightest bit of help will be welcome!
Here is the procedure:

Hi there!

It took tons of hours trying to set up an https connection and finally, it still does not work.
I went to tons of forums and tried all the tricks written there, nothing worked.
Most of the time it is not clear.
Most of the time it changed nothing.

YOU are my last chance!
I listed several questions in green, it will be kind of you if you have some answers.
Here follow the processing steps that I did.

First, I used this site: http://developer.apple.com/internet/serverside/modssl.html

Nice site, not so clear but nice.
So here is what I got:
openssl genrsa -des3 -out server.key 2048

Passphrase : 123456
(two times)

then :
openssl req -new -key server.key -out server.csr

Passphrase : 123456

Organization Name : GG LTD
Common Name : GOK


No challenge password and no optional company name.

openssl genrsa -des3 -out ca.key 2048

Passphrase : azerty (two times)

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Organization Name : GG HC
Common Name : GG HC OK


After that I continued :
chmod +x sign.sh
./sign.sh server.csr

Passphrase : azerty


Certificate is to be certified until Oct 22 18:11:15 2008 GMT (365 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y

Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK


So that seems to be ok!

Next step...

sudo mkdir /etc/httpd/ssl.key
sudo cp -r * /etc/httpd/ssl.key/


Here is what I got:

powermacquad:/etc/httpd/ssl.key root# ll
total 72
drwx------ 12 root wheel 408 Oct 23 11:14 .
drwxr-xr-x 23 root wheel 782 Oct 22 19:24 ..
-rw-r--r-- 1 root wheel 1513 Oct 23 11:14 ca.crt
drwxr-xr-x 3 root wheel 102 Oct 23 11:14 ca.db.certs
-rw-r--r-- 1 root wheel 82 Oct 23 11:14 ca.db.index
-rw-r--r-- 1 root wheel 21 Oct 23 11:14 ca.db.index.attr
-rw-r--r-- 1 root wheel 3 Oct 23 11:14 ca.db.serial
-rw-r--r-- 1 root wheel 1751 Oct 23 11:14 ca.key
-rw-r--r-- 1 root wheel 3890 Oct 23 11:14 server.crt
-rw-r--r-- 1 root wheel 997 Oct 23 11:14 server.csr
-rw-r--r-- 1 root wheel 1743 Oct 23 11:14 server.key
-rwxr-xr-x 1 root wheel 1784 Oct 23 11:14 sign.sh


I did not do the "Removing the pass phrase requirement" step because I am in production. So, as I understand it, I will have to retype the passphrase every time I reboot. I will have to start Apache manually via the command line. 1-Is that true? Or is it acceptable to remove the passphrase requirement (if the computer is physically protected from hackers or something else)?

The next step was:
sudo apachectl stop
cd /etc/httpd
sudo cp httpd.conf httpd.conf.backup


The next step is harder to understand.
What I want to do is to reserve this directory:
/Library/WebServer/html/secure/
for my https.
2-Is that possible?

Here are the important parts of my httpd.conf file:

LoadModule ssl_module libexec/httpd/libssl.so

AddModule mod_ssl.c

ServerSignature On

#Port 80
## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
<IfModule mod_ssl.c>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase
SSLSessionCache dbm:/var/log/httpd/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/log/httpd/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLogLevel info
AddType application/x-x509-ca-cert crt
AddType application/x-pkcs7-crl crl
SSLProtocol all -SSLv2
SSLLog "/var/log/httpd/ssl_engine_log"
## SSL Virtual Host Context
##
<VirtualHost 127.0.0.1:80>
#Just to keep things sane...
DocumentRoot "/Library/WebServer/html"
ServerName 127.0.0.1
ServerAdmin [email protected]
SSLEngine Off
</VirtualHost>
<VirtualHost 127.0.0.1:443>
# General setup for the virtual host
DocumentRoot "/Library/WebServer/html/secure"
#ServerName has to match the server you entered into the CSR
ServerName secure
ServerAdmin [email protected]
ErrorLog "/var/log/httpd/error_log"
TransferLog /var/log/httpd/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine On
# enable SSLv3 but not SSLv2
SSLProtocol all -SSLv2
SSLCipherSuite "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
# Path to your certificates and private key
SSLCertificateFile "/etc/httpd/ssl.key/serveur.crt"
SSLCertificateKeyFile "/etc/httpd/ssl.key/serveur.key"
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/Library/WebServer/CGI-Executables">
SSLOptions +StdEnvVars
</Directory>
# correction for browsers that don't always handle SSL connections well
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Listen 443
Listen 80
</IfModule>
<IfModule mod_jk.c>
JKWorkersFile /etc/httpd/workers.properties
JKLogFile /var/log/httpd/mod_jk.log
JKLogLevel error
JKMount /*.jsp JBoss1
JKMount /servlet/* JBoss1
JKMount /examples/* JBoss1
</IfModule>
##
##
## The default server is used for status on a special port



3-Is there a problem with my httpd.conf?

At this point I have two options:
the first one is to use /settings/certificates
i1.jpg


the second one is to configure everything in /Web/Settings/General+Security/



Let's see the first option.
I clicked on Import, a new window appeared and I entered my parameters:
i2.jpg


Just after clicking Import it froze for a long, long time.
The password entered was: 123456. 4-Is that right?
I had to force quit the Admin Server application so as not to wait 3 more days!!




So now let's see the second option:

i3.jpg


I have only one IP.
On the first line there is my official website.
On the second there is the MySQL web interface: /Library/WebServer/Documents/phpMyAdmin/
Here I had to click on "+" to create a new site.

i4.jpg


You can see 4 arrows pointing at some delicate points.
5-Are all these points ok? Are the parameters appropriate?

Now it is time to try to enter this #@!+$£#@& certificate.
The first thing to do is to select personalised configuration:
i5.jpg


After that, a question:
6-Why are the default cert and key stored in /etc/Certificates and not in /etc/httpd/ssl.* like mine? Is that important?

i6.jpg


I entered the parameters as follows:
i7.jpg

And that was good, it said: Import successful.
i8.jpg


Now it is easy: you click OK, then you save the new configuration.
And when I want to restart the Web service, it fails like this:
i10.jpg

Saying:
"try to reactualize configuration, try to contact admin, see the logs, impossible to restart".
Two more details:
-I have no performance cache
i11.jpg

-The last detail is:
httpd -D SSL
Invalid command '%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b', perhaps mis-spelled or defined by a module not included in the server configuration

I tried a lot more things, for example commenting out these lines:
'%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b'
(for the following commands I am root)
Then when I try httpd -D SSL
it gives: Processing config directory: /etc/httpd/sites/*.conf
Processing config file: /etc/httpd/sites/0000_any_80_.conf
Processing config file: /etc/httpd/sites/0001_127.0.0.1_80_phpmyadmin.conf
Processing config file: /etc/httpd/sites/virtual_host_global.conf

So I thought it was ok, but then when I did
apachectl start
Processing config directory: /etc/httpd/sites/*.conf
Processing config file: /etc/httpd/sites/0000_any_80_.conf
Processing config file: /etc/httpd/sites/0001_127.0.0.1_80_phpmyadmin.conf
Processing config file: /etc/httpd/sites/virtual_host_global.conf
/usr/sbin/apachectl start: httpd could not be started


And the log said:
/var/log/httpd root# tail 20 -f ssl_engine_log
[23/Oct/2007 12:59:50 09697] [info] Server: Apache/1.3.33, Interface: mod_ssl/2.8.24, Library: OpenSSL/0.9.7l
[23/Oct/2007 12:59:50 09697] [info] Init: 1st startup round (still not detached)
[23/Oct/2007 12:59:50 09697] [info] Init: Initializing OpenSSL library
[23/Oct/2007 12:59:50 09697] [info] Init: Loading certificate & private key of SSL-aware server secure:443
[23/Oct/2007 12:59:50 09697] [error] Init: Unable to read server certificate from file /etc/httpd/ssl.key/serveur.crt (OpenSSL library error follows)
[23/Oct/2007 12:59:50 09697] [error] OpenSSL: error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long


7-That will be my last question: what did I do wrong? What should I do?

That's all.
My problem is as big as this post.
I must find a solution.
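A small check for question 3, added here as an example (it is neither from the thread nor from Apache): a Python script that reads the mod_ssl part of an httpd.conf and reports three things that can be seen in the configuration above. A line that begins with a quote instead of a directive name (the "%t %h ..." line, which is what Apache means by "Invalid command" for it); a certificate or key path that is not among the files actually present (the directory listing shows server.crt and server.key, while the directives name serveur.crt and serveur.key); and a VirtualHost port that no Listen directive opens. SAMPLE_CONF and SAMPLE_FILES are constructed from the post, and lint_ssl_conf is a name chosen for this example.

```python
"""Lint for the mod_ssl section of an Apache 1.3 httpd.conf (added example)."""
import re

# Constructed from the httpd.conf excerpt in the post; not the full file.
SAMPLE_CONF = r'''
<IfModule mod_ssl.c>
SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase
<VirtualHost 127.0.0.1:80>
DocumentRoot "/Library/WebServer/html"
SSLEngine Off
</VirtualHost>
<VirtualHost 127.0.0.1:443>
DocumentRoot "/Library/WebServer/html/secure"
ServerName secure
SSLEngine On
SSLCertificateFile "/etc/httpd/ssl.key/serveur.crt"
SSLCertificateKeyFile "/etc/httpd/ssl.key/serveur.key"
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Listen 443
Listen 80
</IfModule>
'''

# Files present in /etc/httpd/ssl.key according to the directory listing in the post.
SAMPLE_FILES = {
    "/etc/httpd/ssl.key/ca.crt", "/etc/httpd/ssl.key/ca.key",
    "/etc/httpd/ssl.key/server.crt", "/etc/httpd/ssl.key/server.key",
}

VHOST_RE = re.compile(r"<VirtualHost\s+[^:>]+:(\d+)\s*>", re.I)
LISTEN_RE = re.compile(r"Listen\s+(?:[^:\s]+:)?(\d+)", re.I)
CERT_RE = re.compile(r'(SSLCertificateFile|SSLCertificateKeyFile)\s+"?([^"\s]+)"?', re.I)


def lint_ssl_conf(conf, existing_files):
    """Return sorted (line, kind, detail) findings for the given config text."""
    findings = []
    listen_ports, vhost_ports = set(), {}
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Every non-blank, non-comment line must start with a directive name.
        # A line starting with a quote is an orphaned argument, e.g. a CustomLog
        # format string whose 'CustomLog <file> \' continuation line is missing;
        # Apache rejects it as "Invalid command".
        if line[0] in "\"'":
            findings.append((lineno, "stray-argument", line))
            continue
        m = VHOST_RE.match(line)
        if m:
            vhost_ports.setdefault(m.group(1), lineno)
            continue
        m = LISTEN_RE.match(line)
        if m:
            listen_ports.add(m.group(1))
            continue
        m = CERT_RE.match(line)
        if m and m.group(2) not in existing_files:
            findings.append((lineno, "missing-file", m.group(2)))
    # A <VirtualHost ...:port> that no Listen directive opens is never reached.
    for port, lineno in vhost_ports.items():
        if port not in listen_ports:
            findings.append((lineno, "vhost-without-listen", port))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, kind, detail in lint_ssl_conf(SAMPLE_CONF, SAMPLE_FILES):
        print(f"line {lineno}: {kind}: {detail}")
```

To run it on a real server, pass the contents of httpd.conf and a set built from os.listdir of the certificate directory; the three finding kinds are deliberately coarse, since the point is to catch the configuration being rejected or pointed at files that do not exist before Apache is restarted.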
 
Good evening and welcome.
Your thread is not in the right place.
It could be either in UNIX or in the server section.

I am moving it to the server side.

Apart from that: my recollection regarding certificates is that when a certificate is "self-signed", you do indeed have to validate it at startup by entering a password. Whether the server is protected or open to the four winds makes no difference.

As for your final error: the certificate is not valid, I think. I would advise you to follow the documentation on the Apache site to build your certificate.
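Added example, not from the thread or from OpenSSL, following up on the last error in the post and the reply above: a Python script using only the standard library that checks whether a file is structurally what SSLCertificateFile expects, and whether a key file is still passphrase-protected (question 1). OpenSSL's "ASN1_get_object:header too long" means the DER parser could not read a tag/length header from the bytes it was given, so the file is not a certificate in an encoding it understands; an encrypted key written by openssl genrsa -des3 carries a "Proc-Type: 4,ENCRYPTED" header and needs the passphrase (via SSLPassPhraseDialog or a prompt) at every Apache start. All sample inputs are constructed (GOOD_DER is a toy SEQUENCE, not a real certificate), and diagnose_certificate, key_is_encrypted and pem are names chosen for this example.

```python
"""Structural checks on PEM/DER certificate and key files (added example)."""
import base64
import re

# One PEM block: label, then everything up to the matching END line
# (encapsulated headers such as Proc-Type, if any, plus the base64 body).
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def der_outer_header(data):
    """Parse the first ASN.1 tag/length pair (low tag numbers only).

    Returns (tag, header_len, content_len). Raises ValueError("header too
    long") when the length field announces more length bytes than the
    buffer holds, which is the condition behind OpenSSL's error of the
    same name; more than 4 length bytes is refused the same way because
    no certificate needs them.
    """
    if len(data) < 2:
        raise ValueError("header too long")
    tag, first = data[0], data[1]
    if first == 0x80:
        raise ValueError("indefinite length, not DER")
    if first < 0x80:                       # short form: length in one byte
        return tag, 2, first
    n = first & 0x7F                       # long form: n length bytes follow
    if n > 4 or len(data) < 2 + n:
        raise ValueError("header too long")
    return tag, 2 + n, int.from_bytes(data[2:2 + n], "big")


def diagnose_certificate(blob):
    """Classify bytes meant for SSLCertificateFile.

    "pem-ok"                  PEM certificate with a consistent DER payload
    "pem-with-text-preamble"  same, preceded by text such as the readable
                              dump `openssl ca` writes before the PEM block
    "der"                     bare DER with a consistent outer SEQUENCE
    "pem-wrong-label:<l>"     a PEM block, but not a CERTIFICATE (e.g. a key)
    "pem-bad-base64"          PEM armour around undecodable text
    "not-asn1:<why>"          no usable ASN.1 header, or wrong length
    """
    m = PEM_BLOCK.search(blob)
    if m:
        label = m.group(1).decode()
        if label != "CERTIFICATE":
            return "pem-wrong-label:" + label
        try:
            der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:
            return "pem-bad-base64"
        verdict = "pem-with-text-preamble" if blob[:m.start()].strip() else "pem-ok"
    else:
        der, verdict = blob, "der"
    try:
        tag, hdr, length = der_outer_header(der)
    except ValueError as err:
        return "not-asn1:" + str(err)
    if tag != 0x30:
        return "not-asn1:outer element is not a SEQUENCE"
    if hdr + length != len(der):
        return "not-asn1:length does not match file size"
    return verdict


def key_is_encrypted(blob):
    """True if the PEM key carries a passphrase: openssl genrsa -des3 style
    'Proc-Type: 4,ENCRYPTED' headers, or a PKCS#8 ENCRYPTED PRIVATE KEY."""
    m = PEM_BLOCK.search(blob)
    if not m:
        return False
    return (m.group(1) == b"ENCRYPTED PRIVATE KEY"
            or b"Proc-Type: 4,ENCRYPTED" in m.group(2))


def pem(label, der, headers=b""):
    """Wrap DER bytes in PEM armour; used to build the constructed samples."""
    return (b"-----BEGIN " + label + b"-----\n" + headers
            + base64.encodebytes(der) + b"-----END " + label + b"-----\n")


# Constructed samples. GOOD_DER is SEQUENCE { INTEGER 5 }, not a real certificate.
GOOD_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
CERT_OK = pem(b"CERTIFICATE", GOOD_DER)
TEXT_DUMP = b"Certificate:\n    Data:\n        Version: 3 (0x2)\n" + CERT_OK
PLAIN_KEY = pem(b"RSA PRIVATE KEY", GOOD_DER)
ENC_KEY = pem(b"RSA PRIVATE KEY", bytes(8),
              b"Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n")
BAD_HEADER = bytes([0x30, 0x84, 0x00, 0x00, 0x00])   # says 4 length bytes follow, only 3 do

if __name__ == "__main__":
    for name in ("CERT_OK", "TEXT_DUMP", "PLAIN_KEY", "ENC_KEY", "BAD_HEADER"):
        blob = globals()[name]
        print(name, diagnose_certificate(blob), key_is_encrypted(blob))
```

Run it against the real files with open(path, "rb").read() for whichever paths httpd.conf actually names (the post's listing shows server.crt and server.key, the directives name serveur.crt and serveur.key). A "pem-wrong-label" or "not-asn1" result on the SSLCertificateFile is the kind of condition behind the logged error; key_is_encrypted returning True is the situation question 1 asks about, and the honest answer is that the passphrase then has to be supplied at each start, which is what the SSLPassPhraseDialog line in the posted configuration is for.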
 

Ah!

I am sorry for the confusion.
Thank you for moving it and, above all, thank you for answering me.
I finally found the solution!! After a week of intense thinking and research.
Here it is:


Arf!
Finally I did it!

What is Mac? A simple way to do hard things.
Why use the command line when all the tools you need are available in nice interfaces!! :-)
So here is the answer to the question: just use ServerAdmin and only ServerAdmin.
How?

Like this:
First go to the settings and click on "+".
http://bertonf.free.fr/MACOSX/i12.jpg

A new window appears. This is THE window you should use to enter the certificate. This window should generate the key, I imagine.
So then you just have to enter the parameters as described here:
http://docs.info.apple.com/article.html?path=ServerAdmin/10.4/en/c4ms11.html
http://docs.info.apple.com/article.html?path=ServerAdmin/10.4/en/c4ms6.html
Here is an example:
http://bertonf.free.fr/MACOSX/i13.jpg
After you complete the form, you MUST save your work.
And after that, it will be possible to add a signed certificate.
It is a simple window where you must paste the body of the file ca.crt.
It begins with:
-----BEGIN CERTIFICATE-----
MIIEMDCCAxigAwIBAgIJAOZOIzRj02taMA0GCSqGSIb3DQEBBAUAMG0xCzAJBgNV
BAYTAkZSMREwDwYDVQQIEwhQcm92ZW5jZTESMBAGA1UEBxMJTWFyc2VpbGxlMQ4w
...
...
and ends with:
...
...
MZ8URgH7LxxsWB85aLCXfbqIFZE=
-----END CERTIFICATE-----

Click OK and that's all.
Now you should see your settings window.
It should look like this:
http://bertonf.free.fr/MACOSX/i14.jpg

Then for the rest of the procedure, it is easy.
You just have to complete the General menu and choose the generated certificate in the Security menu.

That's magic!
Everything is working right now.
I think the problem was due to the location of the *.crt and *.key files.
It was not working because the files should be present here:
/private/etc/certificates

By the way, I did not try to manually create certificates, copy them to this location and retry starting the server.
I imagine that works.

:up: