How to accomplish this?
Here is what we did:
cd /home/interworx/etc/ssl/
openssl genrsa -out servername.com.key 1024
openssl req -new -key servername.com.key -out servername.com.csr
Use the self signed cert or purchase one, then:
vi /home/interworx/etc/httpd/httpd-custom.conf
REPLACE FOLLOWING LINES TO MAKE YOUR DOMAIN:
SSLCertificateFile \
/home/interworx/etc/ssl/servername.com.crt
SSLCertificateKeyFile \
/home/interworx/etc/ssl/servername.com.key
Save the file and restart iworx
/etc/init.d/iworx restart
We already have a Cert.
Then just point the two lines to the cert and key
Awesome, thank you!
Updated our Cert, now I get this :
[root@acme ~]# /etc/init.d/iworx restart
Stopping InterWorx-web: [ OK ]
Stopping InterWorx-db: [ OK ]
Starting InterWorx-db: [ OK ]
Syntax error on line 108 of /home/interworx/etc/httpd/httpd-custom.conf:
SSLCertificateFile takes one argument, SSL Server Certificate file (`/path/to/file' - PEM or DER encoded)
Starting InterWorx-web: [FAILED]
Binding IP Aliases: [ OK ]
Confused
[quote=xlogicgroup;4515]Here is what we did:
cd /home/interworx/etc/ssl/
openssl genrsa -out servername.com.key 1024
openssl req -new -key servername.com.key -out servername.com.csr
Use the self signed cert or purchase one, then:
vi /home/interworx/etc/httpd/httpd-custom.conf
REPLACE FOLLOWING LINES TO MAKE YOUR DOMAIN:
SSLCertificateFile \
/home/interworx/etc/ssl/servername.com.crt
SSLCertificateKeyFile \
/home/interworx/etc/ssl/servername.com.key
Save the file and restart iworx
/etc/init.d/iworx restart[/quote]
You meant:
openssl req -new -key servername.com.key -out servername.com.crt right? =)
Either way, even if I change it to .crt, after following your steps, when I restart iworx, iworx-web fails to restart - any idea why that might be?
Syntax error on line 108 of /home/interworx/etc/httpd/httpd-custom.conf:
SSLCertificateFile takes one argument, SSL Server Certificate file (`/path/to/file' - PEM or DER encoded)
That should be a little self-explanatory… Make sure “SSLCertificateFile /path/to/file” is on a line on its own…
[quote=Catalyst;12028]
Syntax error on line 108 of /home/interworx/etc/httpd/httpd-custom.conf:
SSLCertificateFile takes one argument, SSL Server Certificate file (`/path/to/file' - PEM or DER encoded)
That should be a little self-explanatory… Make sure “SSLCertificateFile /path/to/file” is on a line on its own…[/quote]
That wasn’t my error. For me, no error was displayed as to why iworx-web failed to restart, and the /path/to/file was definitely on its own line.
This is what I see when I restart iworx, after following the steps to create the .crt and .key files, and point the httpd-custom.conf to the right file:
[root@tsh httpd]# /etc/init.d/iworx restart
Stopping InterWorx-web: [ OK ]
Stopping InterWorx-db: [ OK ]
Starting InterWorx-db: [ OK ]
Starting InterWorx-web: [FAILED]
Binding IP Aliases: [ OK ]
Any error in /home/interworx/var/log/error.log when trying to restart iworx?
Paul
[Mon Mar 26 11:30:47 2007] [info] Init: Initializing OpenSSL library
[Mon Mar 26 11:30:47 2007] [info] Init: Seeding PRNG with 136 bytes of entropy
[Mon Mar 26 11:30:47 2007] [info] Loading certificate & private key of SSL-aware server
[Mon Mar 26 11:30:47 2007] [error] Init: Unable to read server certificate from file /home/interworx/etc/ssl/tsh.com.crt
[Mon Mar 26 11:30:47 2007] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Mar 26 11:30:47 2007] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
Thanks for the quick reply Paul =)
EDIT: I thought maybe it was because the owner/group and permissions of the newly generated .crt and .key files were wrong (they were root rather than iworx), but after having fixed all that, I still get:
[Mon Mar 26 15:58:02 2007] [info] Init: Initializing OpenSSL library
[Mon Mar 26 15:58:02 2007] [info] Init: Seeding PRNG with 136 bytes of entropy
[Mon Mar 26 15:58:02 2007] [info] Loading certificate & private key of SSL-aware server
[Mon Mar 26 15:58:02 2007] [error] Init: Unable to read server certificate from file /home/interworx/etc/ssl/tsh.com.crt
[Mon Mar 26 15:58:02 2007] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Mar 26 15:58:02 2007] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
Try creating a self-signed cert in a SiteWorx account, then copy that cert information (found in /home/username/var/domain.com/ssl) to where you need it to be.
The error you’re getting leads me to believe something went wrong when generating your SSL cert.
I think I found out (the bad way) what goes wrong with mister INT.
Above it’s not mentioned that you have to create a certificate (CRT) as well, and not only a certificate signing request (CSR).
Apache does not start up on a signing request very well (;-))
command:
openssl x509 -in domain.tld.csr -out domain.tld.crt -req -signkey domain.tld.key -days 365
response
Signature ok
gtz
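The failure in this thread (a CSR saved under a .crt name, which Apache rejects with the ASN.1 "wrong tag" error) can be caught before restarting iworx. The shell check below is an added example, not part of any post in the thread; the function names pem_kind and preflight are made up for it, and it assumes PEM-encoded files and an unencrypted private key.

```shell
#!/bin/sh
# Added example: pre-flight check for the two files that SSLCertificateFile
# and SSLCertificateKeyFile point at. Paths are supplied by the caller.

# Classify a PEM file by its first "-----BEGIN ..." header line.
pem_kind() {
    local header
    header=$(grep -m1 -e '^-----BEGIN ' -- "$1" 2>/dev/null) || { echo unknown; return 0; }
    case "$header" in
        *"BEGIN CERTIFICATE REQUEST-----"*|*"BEGIN NEW CERTIFICATE REQUEST-----"*) echo csr ;;
        *"BEGIN CERTIFICATE-----"*) echo certificate ;;
        *"PRIVATE KEY-----"*)       echo private-key ;;
        *)                          echo unknown ;;
    esac
}

# Return 0 only if cert is a certificate, key is a private key, and they pair.
preflight() {
    local cert key kind cert_pub key_pub
    cert=$1; key=$2
    kind=$(pem_kind "$cert")
    case "$kind" in
        certificate) ;;
        csr) echo "FAIL: $cert is a signing request (CSR); sign it first" >&2; return 2 ;;
        *)   echo "FAIL: $cert is not a PEM certificate ($kind)" >&2; return 3 ;;
    esac
    if [ "$(pem_kind "$key")" != private-key ]; then
        echo "FAIL: $key is not a PEM private key" >&2; return 4
    fi
    # The thread's owner/permission concern: the key should not be world-readable.
    if [ -n "$(find "$key" -prune -perm -0004 2>/dev/null)" ]; then
        echo "WARN: $key is world-readable; chmod 600 it" >&2
    fi
    # Both commands print the SubjectPublicKeyInfo PEM; equal text means the
    # certificate was issued for this key. An encrypted key fails here (empty passphrase).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: openssl cannot parse $cert" >&2; return 5; }
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "FAIL: openssl cannot parse $key" >&2; return 5; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2; return 6
    fi
    echo "OK: $cert and $key are a matching pair"
}

# Usage: sh preflight.sh /path/to/domain.crt /path/to/domain.key
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Run it against the two paths in httpd-custom.conf before restarting; exit status 2 is the CSR-as-certificate case described in the post above.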
[quote=Colly-K;12134]I think I found out (the bad way) what goes wrong with mister INT.
Above it’s not mentioned that you have to create a certificate (CRT) as well, and not only a certificate signing request (CSR).
Apache does not start up on a signing request very well (;-))
gtz[/quote]
Thanks for the reply!
I successfully created the .crt by following your instructions Colly-K, however, weirdly – when I restart Iworx after changing the certificate it uses, I get this the first time:
[root@tsh ssl]# service iworx restart
Stopping InterWorx-web: [ OK ]
Stopping InterWorx-db: [ OK ]
Starting InterWorx-db: [ OK ]
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:2080
no listening sockets available, shutting down
Unable to open logs
Starting InterWorx-web: [FAILED]
Binding IP Aliases: [ OK ]
When I try restarting the same service right after (15 seconds after getting the above), I see:
[root@tsh ssl]# service iworx restart
Stopping InterWorx-web: [ OK ]
Stopping InterWorx-db: [ OK ]
Starting InterWorx-db: [ OK ]
Starting InterWorx-web: [ OK ]
Binding IP Aliases: [ OK ]
Anyways, it worked! I still get a certificate error when accessing www.domain.tld/nodeworx, but at least the certificate being used is self-signed now rather than signed by Iworx =)
Thanks!
You get a different warning, a warning that it’s a self-signed (actually not trusted by IE) certificate. If you want to lose the warnings altogether:
- trust the certificate explicitly via the IE options “view certificate” and then “install certificate”, next, next, next, etc. Then IE will be satisfied, but the thing is you have to do this on every client PC.
or
- send the CSR file to an already trusted party like Verisign, Thawte, etc. Prices for signing server certificates by public parties are between 20-1000 euro (a year). I personally haven’t found a party that’s in the default IE list of trusted roots and which is free, anyone?
Sorry can’t help you with the sock-thing.