| 1-12-05 09:45 Problems with SSL certificates for AOSI
 
  by IVAN RAKO
 
 
 Several colleagues have contacted the helpdesk complaining that AOSI objects to bad certificates. AOSI picks up the existing certificates from Apache. If those certificates happen to contain errors, AOSI refuses to cooperate.
   Here is an example of the error in the AOSI WWW interface:
   curl_exec error 51 SSL: certificate subject name 'host.lab.carnet.hr' does not match target host name 'host1.carnet.hr' 
   The problem is that the CN (Common Name) field in the certificate should match the host name. Check the certificates:
   # openssl x509 -noout -text -in /etc/apache/ssl.crt/server.crt | grep Subject:
   Subject: C=HR, O=lab.carnet.hr, CN=host.lab.hr/emailAddress=webmaster@host.lab.carnet.hr
   # openssl x509 -noout -text -in /etc/aosi/certs/aosi_cert.pem | grep Subject:
   Subject: C=HR, O=lab.carnet.hr, CN=host.lab.hr/emailAddress=webmaster@host.lab.carnet.hr
   We can see that the certificates are incorrect. We will delete the old ones and generate new certificates for Apache, then copy them to /etc/aosi/certs/.
   # find /etc/apache -name server.\* | xargs rm
   # dpkg-reconfigure apache-cn
   CN: Missing SSL certificates, generating.
     Successfully generated server key pairs:
     - ssl.crt/ca.crt
     - ssl.key/ca.key
     - ssl.crt/server.crt
     - ssl.key/server.key
   CN: Found: /etc/apache/mod-ssl.conf.
   CN: mod_ssl configuration by CARNet is now in /etc/apache/conf.d/ssl.conf.
     Check your configuration and remove the unneeded files.
   Reloading apache modules.
   Mailing upgrade output to root.
   # cp /etc/apache/ssl.crt/server.crt /etc/aosi/certs/aosi_cert.pem
   # cp /etc/apache/ssl.key/server.key /etc/aosi/certs/aosi_key.pem
   Finally, we restart AOSI:
   # /etc/init.d/aosi restart 
   And that's it.
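
   The same checks as a script, added here as an example and not part of the original article or of AOSI: it compares the certificate's CN with the expected host name and confirms that the private key belongs to the certificate before the pair is copied. The function names and the throwaway self-signed pair used in the demo are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-flight check before copying Apache's cert/key to AOSI.
# Function names and the temp-dir demo are assumptions, not AOSI tooling.

# Print the CN from a certificate's subject (RFC2253 form: CN=...,O=...,C=...).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the private key ($2) belongs to the certificate ($1),
# by comparing the public key derived from each.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# check_pair CERT KEY HOST: 0 = ok, 1 = CN mismatch, 2 = key/cert mismatch.
check_pair() {
    cn=$(cert_cn "$1")
    if [ "$cn" != "$3" ]; then
        echo "CN '$cn' does not match host name '$3'" >&2
        return 1
    fi
    if ! key_matches_cert "$1" "$2"; then
        echo "key $2 does not belong to certificate $1" >&2
        return 2
    fi
}

# Constructed sample data: a throwaway self-signed pair with CN=$1 in dir $2.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=HR/O=lab.carnet.hr/CN=$1" \
        -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

# Demo: a certificate issued for the wrong name is rejected, as in the curl error.
demo_dir=$(mktemp -d)
make_test_pair host.lab.carnet.hr "$demo_dir"
check_pair "$demo_dir/cert.pem" "$demo_dir/key.pem" host1.carnet.hr ||
    echo "pair rejected, do not copy it to /etc/aosi/certs/"
rm -rf "$demo_dir"
```

   On a real host the call would be check_pair /etc/apache/ssl.crt/server.crt /etc/apache/ssl.key/server.key followed by the host name AOSI is reached under, run before the two cp commands.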
 
 |