[lug] self-signed apache certs on fedora core?

Lee Woodworth blug-mail at duboulder.com
Tue Sep 6 22:32:01 MDT 2005


D. Stimits wrote:
> Jeffrey Brown wrote:
> 
>>>>> stimits at comcast.net 9/6/2005 2:16:43 PM >>>
>>
>>
>> Now I have a new question about self-signed certs used on machines that
>>
>> do not have reverse DNS lookup...e.g., if I access my apache server via
>>
>> https://localhost or https://some_name_in_etc_hosts, where locahost and
>>
>> some_name_in_etc_hosts is not visible to the outside world. Is it 
>> possible to remove this error via a system configuration setting in 
>> combination with a CommonName such as localhost or 127.0.0.1?
>> << Response >>
>> CommonName on certificate generation should correspond to an A record
>> in DNS to avoid the error I believe your talking about. So if CN is
>> www.mysite.com then pointing my browser to mysite.com will incur the
>> error or myhost.mysite.com will incur the error etc. To get around this
>> you'll have to get into some virtual IP hosting on Apache and of course
>> have the IP addresses.
> 
> 
> I see...I don't necessarily have to have a real world DNS lookup (though 
> that would be simplest), but I need to "fake it" on a level beyond the 
> /etc/hosts file. So I could use some sort of VPN feature to do this 
> without running bind?
> 
> What I'm testing out are ways to set up an apache svn server that's 
> accessible only to a few individuals via https. Trying to do this first 
> means having non-snakeoil sample certs. This part is done, though I 
> still hope to remove the non-matching name warning.
Are you talking about an error a web browser reports when it connects
or a message in apache error log as apache starts?

For the former case, the client's name lookup is what matters and
a VPN doesn't help. The clients either need a working DNS server to query,
or appropriate entries in their /etc/hosts.

For the latter case, the apache ServerName directive is expected to
match the CN of the cert. The ServerName directive is supposed to match
the host part of the URL the web clients use to access the web service.

If there are multiple sites on the same machine, then as mentioned before
you need to use virtual IP-based hosts.

> 
> D. Stimits, stimits AT comcast DOT net
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug




More information about the LUG mailing list