SillyNoodlz
Joined: 18 Oct 2005 Posts: 40 Location: France
Posted: Wed Nov 09, 2005 11:58 am Post subject: STunnel & SSL
Hi,
Ok, I tried searching the forum, but I couldn't find what I wanted quickly.
I've installed STunnel with the help of the tutorial on trustabyss.com, which was fairly easy.
I now have it working, and my pages work in https:// with no problem.
BUT ... I used that free SSL certificate thingy you can make on stunnel.org/pem
Whenever I view a page using SSL, it comes up with the following :
If I click on yes, it works fine.
So, the question is, how can I get rid of this message/alert thingy?
I assume that I need to get a "proper" certificate.
If that's the case, can I make one? If so, how, and where?
If not, where and how do I get one easily (without spending a fortune)?
_________________
~ Dan
One day, I'll finish this ...
My website : www.sillynoodlz.com

Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Wed Nov 09, 2005 12:42 pm Post subject:
You can't make a 'proper' certificate. The whole point is that the certificate is generated by a trusted authority who are responsible for issuing certificates - you have to pay them to give you a certificate. The cost covers them running servers against which certificates can be verified etc...
The cheaper services you find selling SSL certificates are more likely to cause problems as people's browsers will not be already updated to recognise root certificates / certificate authorities. The borderline price seems to be around $50 for a certificate - I don't know whether you consider this a fortune or not. You can either cough up or live with the security warning...
Edit: After a quick look around, Registerfly doesn't sound too bad...
http://registerfly.com/ssl/
$15-25 for their starter certificates...
You can also get a free certificate from CACert, but it will require users to update their browsers' root certificate store, as I mentioned above.
http://www.cacert.org/index.php
_________________
"Invent an idiot proof webserver and they'll invent a better idiot..."
Last edited by Anonymoose on Wed Nov 09, 2005 1:28 pm; edited 1 time in total

SillyNoodlz
Joined: 18 Oct 2005 Posts: 40 Location: France
Posted: Wed Nov 09, 2005 12:57 pm Post subject:
$50 isn't excessive, just when I looked around, prices seemed to go between $15 and $850!
I'll have a look into that site and let you know how I get on ...
Thanks for your reply anyway ... :-)
_________________
~ Dan
One day, I'll finish this ...
My website : www.sillynoodlz.com

SillyNoodlz
Joined: 18 Oct 2005 Posts: 40 Location: France
Posted: Wed Nov 09, 2005 6:44 pm Post subject:
Ok ... got so far ... :-/
Could somebody please explain how I make a CSR ?
It gives me various options, none of which I understand, really, and none of which are Abyss or STunnel (not surprising).
registerfly.com wrote:
Generating a CSR
Apache + ApacheSSL
Apache + MODSSL
Apache + Raven
Apache +SSLeay
Apache 2
C2Net Stronghold
Cobalt RaQ3/RaQ4/XTR
Ensim
IBM HTTP
IBM Domino Go 4.6.2.6+
iPlanet Enterprise Server 4.1
Jakart-Tomcat
Lotus Domino 4.6
Lotus Domino 5.0.x
Microsoft Internet Information Server 4.0
Microsoft Internet Information Server 5.0
Netscape Enterprise 3.51
O'Reilly WebSite Professional 2.x
Plesk
Weblogic 5
WebSTAR 4
Zeus Web Server v3
https://registerfly.com/ssl/cert.php
_________________
~ Dan
One day, I'll finish this ...
My website : www.sillynoodlz.com

SillyNoodlz
Joined: 18 Oct 2005 Posts: 40 Location: France
Posted: Thu Nov 10, 2005 12:14 am Post subject:
Ok, after a lot of pissing about, I got there ... :-)
https://host.danzserv.com/test/ssl/
And it only cost me $15,99 and a few hours of head scratching.
Now, is it possible to do the same for my other sites ... hmmm ...
_________________
~ Dan
One day, I'll finish this ...
My website : www.sillynoodlz.com

Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Thu Nov 10, 2005 1:57 am Post subject:
Perfect! I think that's the first time anyone's done this with Abyss & STunnel... Congratulations!
Maybe you could add here the information about how you generated the CSR so it can be added to the TrustAbyss tutorial?
_________________
"Invent an idiot proof webserver and they'll invent a better idiot..."

SillyNoodlz
Joined: 18 Oct 2005 Posts: 40 Location: France
Posted: Thu Nov 10, 2005 2:03 am Post subject:
Anonymoose wrote:
> the first time anyone's done this with Abyss & STunnel
Really? lol ...
Anonymoose wrote:
> Maybe you could add here the information about how you generated the CSR
Sure. I'll get it done tomorrow (it's 2am now, work at 9, lol) ...
_________________
~ Dan
One day, I'll finish this ...
My website : www.sillynoodlz.com

richardyork
Joined: 22 Jun 2004 Posts: 410 Location: United Kingdom
Posted: Thu Nov 10, 2005 8:12 am Post subject:
Brilliant!
Like anonymoose said, hope to see a tutorial ;-)
_________________
Please SEARCH the forums BEFORE asking questions!

Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Thu Nov 10, 2005 9:21 am Post subject:
DanzServ wrote:
> Anonymoose wrote:
> > the first time anyone's done this with Abyss & STunnel
> Really? lol ...
It's definitely the first mention I've seen on the forum of anyone using a real signed SSL certificate since I first put together the original tutorial...
_________________
"Invent an idiot proof webserver and they'll invent a better idiot..."

ddd admin
Joined: 15 Dec 2005 Posts: 10
Posted: Thu Dec 15, 2005 4:33 am Post subject: Final SSL Help requested!!
Like Silly Noodlz, I too have gotten STunnel running with OpenSSL. I created a private key, generated the CSR...
Submitted that to GoDaddy.com for my $29 cert and got my cert!
Now, here's the only problem:
How do I install the intermediate cert and the main cert???
No where in the OpenSSL docs (as limited as they are) does it say??? Abyss doesn't presently support SSL, so I'm not quite sure how to install these shiny new files that I just bought??
HELP!!!!!!!
And thank you!

TRUSTAbyss
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
Posted: Thu Dec 15, 2005 5:48 am Post subject:
You will need to contact the STunnel people about that issue.
http://www.stunnel.org

ddd admin
Joined: 15 Dec 2005 Posts: 10
Posted: Thu Dec 15, 2005 1:36 pm Post subject: Will do
I will do that, thank you!

aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Thu Dec 15, 2005 2:05 pm Post subject: Re: Final SSL Help requested!!
ddd admin wrote:
> How do I install the intermediate cert and the main cert???
> Nowhere in the OpenSSL docs (as limited as they are) does it say???
As far as we know, you'll have to merge all the certificates that GoDaddy gave you like this (of course, work on copies and not on the originals):
* Create a file called mycert.crt and open it with NotePad.
* First, copy into it GoDaddy's root certificate. It is valicert_class2_root.crt (open this also with NotePad). If you do not have that file, download it from https://certificates.godaddy.com/Repository.go .
* Append to it the intermediate certificate. It is in sf_issuing.crt (also available from https://certificates.godaddy.com/Repository.go ).
* Then copy your certificate generated for you by GoDaddy.
* Save and close mycert.crt.
Configure STunnel to use mycert.crt as your certificate file.
Your file should look like this:
Code:
-----BEGIN CERTIFICATE-----
ROOT CERTIFICATE CONTENTS (valicert_class2_root.crt) GO HERE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE CERTIFICATE CONTENTS (sf_issuing.crt) GO HERE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YOUR CERTIFICATE CONTENTS SHOULD GO HERE
-----END CERTIFICATE-----
The first two certificates between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- are GoDaddy's root and intermediate certificates.
_________________
Support Team
Aprelium - http://www.aprelium.com

ddd admin
Joined: 15 Dec 2005 Posts: 10
Posted: Thu Dec 15, 2005 8:48 pm Post subject: Great!!
Thank you VERY much, I completely understand your instructions and I created the new file as you indicated. My new cert (called mycert.crt) contains the following information in this order:
valicert_class2_root.cer
sf_issuing.crt
mywebsite.com.crt
Obviously I'm just referencing the names of the files, the actual content in between the:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
is there as you had indicated in your example.
Unfortunately, now the Stunnel server won't start, this is the error it comes back with:
2005.12.15 14:23:08 LOG5[2116:2120]: stunnel 4.14 on x86-pc-mingw32-gnu WIN32+SELECT+IPv6 with OpenSSL 0.9.7i 14 Oct 2005
2005.12.15 14:23:08 LOG3[2116:2124]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2005.12.15 14:23:08 LOG3[2116:2124]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
2005.12.15 14:23:08 LOG3[2116:2124]: Server is down
I looked in the original "cert" file that came with STunnel (which is called stunnel.pem) and the context of the contents there followed this format:
-----BEGIN RSA PRIVATE KEY-----
encrypted information...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
encrypted information...
-----END CERTIFICATE-----
Is there a reason that the stunnel.pem file had a begin and end RSA private key? And is that the reason that this new cert isn't working (since it now has 3 sections, all of which begin and end for certificates, not RSA private keys)?? Also, just to be sure, I created my new cert using the "stunnel.pem" file name and repointed the stunnel.conf file there, but that didn't work either.
Any ideas or suggestions?? I'm sure it must be something simple??
Thank you all again.

aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Fri Dec 16, 2005 3:50 pm Post subject: Re: Great!!
ddd admin,
It looks like STunnel expects the key to be in the "certificate" file as well. So all you have to do is to insert it before the certificates.
Your file should now look like the following:
Code:
-----BEGIN RSA PRIVATE KEY-----
COPY HERE YOUR PRIVATE KEY INFORMATION... IT IS THE KEY USED TO GENERATE THE CSR.
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
ROOT CERTIFICATE CONTENTS (valicert_class2_root.crt) GO HERE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE CERTIFICATE CONTENTS (sf_issuing.crt) GO HERE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YOUR CERTIFICATE CONTENTS SHOULD GO HERE
-----END CERTIFICATE-----
Does it work now?
_________________
Support Team
Aprelium - http://www.aprelium.com
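As an added example (not code from the thread, from stunnel, OpenSSL or Aprelium): a small Python checker for the stunnel.pem-style bundle whose layout aprelium describes above. It reports the three layout faults that produce the error stacks quoted in this thread: no private key block at all (OpenSSL's "no start line"), a passphrase-encrypted key, and a mangled base64 line ("wrong tag" style ASN.1 failures). It does not verify that the key matches the certificate ("key values mismatch"), which needs OpenSSL itself; the sample bundles are constructed and decode to a dummy DER SEQUENCE, not real keys or certificates.

```python
import base64
import binascii
import re

# Hypothetical checker written for this thread; not part of stunnel, OpenSSL or Abyss.
# It inspects a stunnel.pem-style bundle before stunnel is started and names the
# layout problems behind the cryptic OpenSSL error stacks quoted in this thread.

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)
KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "PRIVATE KEY"}


def parse_pem(text):
    """Split a PEM file into (label, header_lines, der_bytes, decode_error) tuples."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        headers, b64 = [], []
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            # "Proc-Type: 4,ENCRYPTED" / "DEK-Info: ..." precede the base64 of an
            # encrypted key; base64 itself never contains a colon.
            if ":" in line and not b64:
                headers.append(line)
            else:
                b64.append(line)
        try:
            der, err = base64.b64decode("".join(b64), validate=True), None
        except (binascii.Error, ValueError) as exc:
            der, err = None, str(exc)
        blocks.append((label, headers, der, err))
    return blocks


def describe(text):
    """Order of the blocks in the file, e.g. ['RSA PRIVATE KEY', 'CERTIFICATE', ...]."""
    return [label for label, _, _, _ in parse_pem(text)]


def lint_bundle(text):
    """Return a list of problems; an empty list means the layout looks sound."""
    problems = []
    blocks = parse_pem(text)
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    if not keys:
        # ddd admin's first file: only certificates, so the key lookup reaches
        # end of file -> "PEM routines:PEM_read_bio:no start line".
        problems.append("no private key block (OpenSSL: 'no start line' when loading the key)")
    elif len(keys) > 1:
        problems.append("more than one private key block; keep only the key that made the CSR")
    if not certs:
        problems.append("no certificate block")
    for label, headers, der, err in blocks:
        if label in KEY_LABELS and any(
            h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers
        ):
            # A service cannot type a passphrase; Siert's fix further down was
            # "openssl rsa -in xxxxx.key -out new.key" to strip it.
            problems.append("private key is passphrase-encrypted; decrypt it with openssl rsa")
        if err:
            problems.append(f"{label} block is not valid base64 ({err}); a pasted line is mangled")
        elif not der or der[0] != 0x30:
            # Every key and certificate is a DER SEQUENCE (tag 0x30); anything else
            # yields the "asn1 encoding routines ... wrong tag" stack ccs saw.
            problems.append(f"{label} block does not decode to a DER SEQUENCE (asn1 'wrong tag')")
    return problems


# Constructed samples: every body decodes to the 5-byte DER SEQUENCE { INTEGER 0 },
# which is enough for the checks above. These are NOT real keys or certificates.
FAKE_BODY = "MAMCAQA="


def pem(label, body=FAKE_BODY, headers=()):
    head = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{head}{body}\n-----END {label}-----\n"


GOOD_BUNDLE = pem("RSA PRIVATE KEY") + pem("CERTIFICATE") * 3
CERTS_ONLY = pem("CERTIFICATE") * 3
ENCRYPTED_KEY = pem(
    "RSA PRIVATE KEY",
    headers=("Proc-Type: 4,ENCRYPTED", "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF"),
) + pem("CERTIFICATE")
MANGLED = pem("RSA PRIVATE KEY") + pem("CERTIFICATE", body="MAMC!QA=")

if __name__ == "__main__":
    for name, bundle in [("good", GOOD_BUNDLE), ("certs only", CERTS_ONLY),
                         ("encrypted key", ENCRYPTED_KEY), ("mangled", MANGLED)]:
        print(name, describe(bundle), lint_bundle(bundle) or "OK")
```

Run it against your real stunnel.pem with `lint_bundle(open("stunnel.pem").read())` before starting the service; a clean result still leaves the key/certificate match to OpenSSL.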

ddd admin
Joined: 15 Dec 2005 Posts: 10
Posted: Tue Dec 20, 2005 12:33 am Post subject: Unfortunately...
It still does not work??
I have created the file, just as you laid out in your prior post; however, now it is generating a different error message:
2005.12.19 18:27:10 LOG5[7800:4480]: stunnel 4.14 on x86-pc-mingw32-gnu WIN32+SELECT+IPv6 with OpenSSL 0.9.7i 14 Oct 2005
2005.12.19 18:27:10 LOG3[7800:7956]: SSL_CTX_use_RSAPrivateKey_file: B080074: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
2005.12.19 18:27:10 LOG3[7800:7956]: Server is down
I know it has to be something simple, I'm just not sure where to look to fix it. I compared the temporary cert I created from the openssl website and it just has the RSA code and then the cert code in it. My new file now has the RSA code followed by the code from the valicert root, the sf issuing cert and finally my new cert in this format:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
I have read on the Stunnel site that I needed a space between the RSA key and the cert(s)...that didn't work. I also tried creating a .PEM file that just contained the RSA key and the goDaddy cert so it followed the format of the temp one I have that does work...but no luck there either??
My guess is that the RSA key somehow needs to be linked or created from(?) the goDaddy cert, but I have no clue how to do that?
Can you suggest something else??

aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Tue Dec 20, 2005 4:29 pm Post subject: Re: Unfortunately...
ddd admin,
The error is related to mismatched keys:
Code:
2005.12.19 18:27:10 LOG3[7800:7956]: SSL_CTX_use_RSAPrivateKey_file: B080074: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Are you sure you've copied into the file the key you've used to generate your CSR?
_________________
Support Team
Aprelium - http://www.aprelium.com

ddd admin
Joined: 15 Dec 2005 Posts: 10
Posted: Tue Dec 20, 2005 9:58 pm Post subject:
No, I didn't copy in the file that I used to create the CSR, I created a new RSA key. The original .PEM file from Stunnel had an RSA key as well as the cert information in it. If I include the info used to create the CSR, that won't be an RSA key???

aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Wed Dec 21, 2005 12:54 pm Post subject:
ddd admin,
STunnel must have your certificate and your private key in order to encrypt data. Both must match, which means that the private key must be the same one that generated the CSR which has been used by GoDaddy to generate your certificate.
You cannot use any combination of keys and certificates.
You said:
Quote:
> If I include the info used to create the CSR, that won't be an RSA key???
Can you explain that to us? The key can be RSA or DSA. But in all cases, you should put your key there (open the key file and copy it with its headers and trailers).
_________________
Support Team
Aprelium - http://www.aprelium.com

ddd admin
Joined: 15 Dec 2005 Posts: 10
Posted: Thu Dec 22, 2005 6:03 am Post subject: Great news!
It's working...but not without a ton of effort (and help from Aprelium!). Here's what it took:
* Recreated the RSA key to generate the CSR (the key MUST be unencrypted)
* Resubmitted the CSR for a new cert.
* Pasted the RSA key that made the CSR into the stunnel.pem document followed by a CR
* Pasted the root cert into the stunnel.pem document followed by a CR
* Edited the stunnel.conf file as such: CAfile = valicert_class2_root.cer
It all works fine now. Except one thing, LOL...
When I try and create a new host on the server and tell it to listen on port 443, it won't start (generates a "listening error")??
Do I now have the web server app configured wrong??

aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Thu Dec 22, 2005 12:56 pm Post subject: Re: Great news!
ddd admin wrote:
> When I try and create a new host on the server and tell it to listen on port 443, it won't start (generates a "listening error")??
> Do I now have the web server app configured wrong??
STunnel is listening on port 443 and will forward any connection it receives to the web server on port 80.
So leave the web port of Abyss set to 80 and check that STunnel is configured to listen on port 443 and forward to port 80.
_________________
Support Team
Aprelium - http://www.aprelium.com

ddd admin
Joined: 15 Dec 2005 Posts: 10
Posted: Thu Dec 22, 2005 1:55 pm Post subject:
I figured that out after the post, but thank you for all your help! Please keep all of us posted on your progress with the SSL version of the application, I'm sure it has to be MUCH simpler to set up than what I've gone through with Stunnel and openssl :)

aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Fri Dec 23, 2005 1:25 pm Post subject:
ddd admin,
You're welcome. :-)
_________________
Support Team
Aprelium - http://www.aprelium.com

gray
Joined: 15 Aug 2003 Posts: 13
Posted: Mon Feb 06, 2006 7:09 pm Post subject: private key and CSR
Good to see someone got it working O.K., but can anyone tell me how to generate my PRIVATE KEY and CSR? I've got SSL working fine with a key from stunnel but I want to get a proper valid one.

ddd admin
Joined: 15 Dec 2005 Posts: 10
Posted: Tue Feb 07, 2006 4:15 am Post subject:
In order for everything to work properly, you HAVE to have it right from the beginning, in other words, it's all linked together.
The privkey.pem file that came with openssl (the one you probably used to create your csr or cert) won't work for your site. Read through the materials at openssl or at the stunnel site, one of them gives the command that you need to use within openssl.exe to create a new RSA key (that's the file called privkey.pem). You can also go thru the help function within openssl.exe to get assistance. Make SURE you set all the parameters correct when you create the RSA key, and that you remember the information you entered.
Once you have that key, you will use it to create your CSR. You don't have to call it privkey.pem, you can name it yourkey.pem or whatever. Again, when you make the CSR, make certain that your information is exact with what corresponds in the key. Once you've done that, you can submit the CSR to a GoDaddy or Verisign or whomever if you want to purchase your cert. Or you can create a self signed cert from the CSR as well.
I would suggest you read through the thread here because once you have your cert, Aprelium is right in that you have to create a new file that includes the key, the CA and the cert in the format that they indicated.
It's not a lot of fun going through all this, but it is cool when you finally get everything working. I ended up swapping my phpbb over to port 443 and running it SSL which (of course) created a wealth of other issues...but that's another post!
Good luck

gray
Joined: 15 Aug 2003 Posts: 13
Posted: Tue Feb 07, 2006 4:24 pm Post subject: certificates
Thanks for that bit of help, I've eventually managed to create RSA and CSR files and tried a couple of free certificates from Verisign etc. They work, but of course when browsed they come up with warnings ... so I've paid Litessl and they've sent me 4 certificates! I've created a Stunnel.pem file with all 4 certs one after the other; now I can open https:// pages but the padlock doesn't show! The 4 certs are mysite.crt, AddTrustUTNServerCA.crt, LiteSSLCA.crt and UTN-USERFirst-Hardware.crt. What am I doing wrong? Do I have to name the certs in the conf file or something? Or put them in a different order? Or somewhere else on the server machine? Any help is much appreciated....

gray
Joined: 15 Aug 2003 Posts: 13
Posted: Tue Feb 07, 2006 4:49 pm Post subject: strange !!!
Well, I'll add to my last post.... it is working, but the padlock only shows on some pages and not on others. Very strange. I can access all pages through https:// but some don't show as secure.... I can't see any logical reason. I thought it might be pages with outside links that aren't secure but it's not that; it's not even just pages inside folders.... some of them are secure, some not... my sites are at https://a1uk.net if anyone wants to take a look. I'd be interested in any ideas to solve this anomaly ... cheers....

gray
Joined: 15 Aug 2003 Posts: 13
Posted: Tue Feb 07, 2006 5:13 pm Post subject: oops....
I think I'm too good at solving my own problems l.o.l. It seems that pages with active outside links to non-secure sites will cause the padlock not to show... so anyone using SSL should take this into account when creating pages.
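gray's padlock observation, as an added example that is not from the thread: a Python scan over a page's HTML that lists the sub-resources the browser must fetch over plain http: (stylesheets, scripts, images, frames, form targets), since those are what an https: page loses its padlock over; an ordinary <a href> pointing at an http: site is reported separately because merely linking there does not trigger the warning. The sample page and its example.net URLs are constructed.

```python
from html.parser import HTMLParser

# Hypothetical scanner written for this thread; not part of Abyss or stunnel.
# On a page served over https://, anything the browser has to FETCH over plain
# http:// (styles, scripts, images, frames, form targets) breaks the padlock.
# Plain <a href="http://..."> navigation links do not, so they are reported apart.
FETCHED_ATTRS = {
    "link": ("href",),     # stylesheets, icons
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "form": ("action",),   # an http: action would post the form data in clear
}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure_fetches = []   # (tag, attr, url) that break the padlock
        self.insecure_links = []     # urls of <a href="http://..."> only

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if not value or not value.lower().startswith("http://"):
                continue
            if attr in FETCHED_ATTRS.get(tag, ()):
                self.insecure_fetches.append((tag, attr, value))
            elif tag == "a" and attr == "href":
                self.insecure_links.append(value)


def scan_mixed_content(html):
    """Return (fetched_over_http, navigation_links_over_http) for one page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.insecure_fetches, scanner.insecure_links


# Constructed sample page: two sub-resources and one form target over http:,
# one script correctly over https:, and one ordinary link to an http: site.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://www.example.net/site.css">
<script src="https://www.example.net/menu.js"></script>
</head><body>
<img src="http://www.example.net/logo.gif" alt="logo">
<a href="http://www.example.net/partner.html">partner site</a>
<form action="http://www.example.net/order.cgi" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    fetches, links = scan_mixed_content(SAMPLE_PAGE)
    for tag, attr, url in fetches:
        print(f"padlock breaker: <{tag} {attr}={url}>")
    for url in links:
        print(f"plain link only (harmless for the padlock): {url}")
```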

ccs
Joined: 02 Apr 2005 Posts: 101
Posted: Sun Apr 09, 2006 7:39 am Post subject: Aaaarrrrggggg
Ok, I've spent the better part of 12 hours trying to get Abyss and sTunnel to work. I have ONE site that needs SSL. I've installed sTunnel and it works fine with the "default" certificate but of course I need my purchased cert for this site, not a made-up one.
I've installed SSL on Apache and Sambar in the past. Together I don't think I spent 10 minutes.
I really don't want to give up on Abyss, but it seems like I keep hitting brick walls. Is it really this hard to make a decent web server with all the necessary components to run a business site??????
Before I toss in the towel and go back to Sambar AGAIN, is there anyone out there who can tell me, in simple English, step-by-step, exactly how to take a previously purchased (and working) SSL certificate and use it with Abyss?
Thank you in advance for ANY and all assistance.

gray
Joined: 15 Aug 2003 Posts: 13
Posted: Sun Apr 09, 2006 10:51 am Post subject: stunnel
Well, the only prob I had was getting the cert to work, but in the end it was just a matter of installing Stunnel on the server machine, putting the certs together in a file and naming the file stunnel.pem, then accessing the sites via https://. There's no actual connection between Stunnel and Abyss. The only thing I don't like is that all connections via https:// show as 127.0.0.1 IP, but apart from that it works fine, hope this helps. By the way, the Stunnel.conf file simply reads
[web]
accept=443
connect=80
also it's important that the cert. is created for the correct URL etc.

aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Sun Apr 09, 2006 1:07 pm Post subject: Re: Aaaarrrrggggg
ccs,
The problem you have is with STunnel needing all the certificates in one file. Refer to our exchange with ddd admin above in this thread. He experienced a similar problem.
How many certificate files do you have? From which company have you bought your SSL certificate?
_________________
Support Team
Aprelium - http://www.aprelium.com

ccs
Joined: 02 Apr 2005 Posts: 101
Posted: Sun Apr 09, 2006 8:25 pm Post subject:
Quote:
> The problem you have is with STunnel needing all the certificates in one file. Refer to our exchange with ddd admin above in this thread. He experienced a similar problem
Well, it may be "only" but I've spent 12+ hours trying to get it to work with no luck at all. The reason I posted here was because I had gone through the above dialog over and over and over and over again.
I have 1 server, 1 domain, 1 certificate purchased through GoDaddy for the correct url/domain. With Apache and Sambar, the process takes 3-5 mouse clicks and less than 5 minutes start to finish.
I'll admit that SSL is not my strong point and I don't fully understand all the terminology used, but I'm not an idiot either :) I have copy and pasted everything that I understand needs to be done from the dialog above, but now sTunnel doesn't run and I'm stuck with an irate customer complaining that they want both SSL and FireFox support. I really can't argue with his logic.
So what I'm hoping for, is a fairly easy to follow direction how I go about taking my commercial SSL certificate and get sTunnel (or ANY add-on product) to work so I can secure my e-commerce pages hosted on an Abyss server.
TIA

admin Site Admin
Joined: 03 Mar 2002 Posts: 1295
Posted: Sun Apr 09, 2006 9:53 pm Post subject:
ccs,
All we can find in your message is "it does not work". Could you please explain to us better how it is behaving? Is STunnel reporting an error message? If so, what is it exactly?
Of course, you can contact our technical support if you want us to check the certificate files and the way you've assembled them in a single file.
Thanks.
_________________
Follow @abyssws on Twitter
Subscribe to our newsletter
_________________
Forum Administrator
Aprelium - https://aprelium.com

ccs
Joined: 02 Apr 2005 Posts: 101
Posted: Mon Apr 10, 2006 12:44 am Post subject:
Thanks for the reply.
The error message I get when I try to start sTunnel is:
Quote:
> 2006.04.09 18:41:40 LOG3[1368:1572]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
> 2006.04.09 18:41:40 LOG3[1368:1572]: error stack: 906700D : error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib
> 2006.04.09 18:41:40 LOG3[1368:1572]: error stack: D09A00D : error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
> 2006.04.09 18:41:40 LOG3[1368:1572]: error stack: D08303A : error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error
> 2006.04.09 18:41:40 LOG3[1368:1572]: error stack: D06C03A : error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error
> 2006.04.09 18:41:40 LOG3[1368:1572]: SSL_CTX_use_RSAPrivateKey_file: D0680A8: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> 2006.04.09 18:41:40 LOG3[1368:1572]: Server is down
Similar to the issues mentioned above, but I can't make heads nor tails out of the error message :(

admin Site Admin
Joined: 03 Mar 2002 Posts: 1295
Posted: Mon Apr 10, 2006 1:23 am Post subject:
ccs,
The error messages are very cryptic unless you have already programmed OpenSSL (which is used by STunnel).
In your case, STunnel asked OpenSSL to read the PEM file but it failed to decode it. It seems that you have not respected the format or that some characters or lines were corrupted.
Could you send us the PEM file you are using so that we can check it? Knowing that it could contain sensitive information, we ask you to substitute (in place) the encrypted data characters of your key section with * without changing the general layout of the file. Please do not move or change the section headers and footers (such as -----BEGIN CERTIFICATE-----).
Note that only the private key section has to remain secret. The rest of the file contains public certificates that anyone could know by accessing your web site and retrieving the certificate exchanged between the server and the browser.
_________________
Follow @abyssws on Twitter
Subscribe to our newsletter
_________________
Forum Administrator
Aprelium - https://aprelium.com

ccs
Joined: 02 Apr 2005 Posts: 101
Posted: Mon Apr 17, 2006 9:52 pm Post subject:
Well, I finally have some time to try and figure this out again. I'd be happy to send you all my certificates, but I'm not even sure which ones are what and how they fit into all this. So, let me give you a bit of the background with some basic questions and maybe I can make Abyss my production server again.
First of all. I have a certificate from GoDaddy. I purchased it last September and honestly don't remember anything about how I created it. All I know is they sent it to me via email, I stuck in into the Sambar Config folder along with a small change in the ini file and it worked just fine.
If I need to buy a new cert, so be it, but if I can keep using this one, that's even better.
What I have now are these files, all encrypted:
- sf_issuing.crt
- valicert_class2_root.cer
- ca.crt
- cert.pem
- key.pem
- ca-bundle.crt
In the Sambar config.ini file, there are these lines:
Public Key = Sambar Server Encryption Key
Certificate File = cert.pem
Private Key File = key.pem
CA Certificate File = ca-bundle.crt
I'm assuming then, that the cert.pem is the certificate GoDaddy issued to me and key.pem is the encrypted private key (I created?) ?
So, now the question is, do these files look like the right ones, or do I need something else?
Is it possible to construct a proper security file for sTunnel using these files?
My concern is that it looks like I might need to know the private key in an unencrypted form. If that's the case, I'm 99% sure I don't have it, and probably can't guess what it would have been. If that is necessary, can I somehow create a new private key, or would it be faster/easier just to purchase a new one? Money is not nearly as important to me as time, so I'm willing to do what is necessary to get this working as soon as possible, even if I need a new certificate.
Thanks again!
--Joe

admin Site Admin
Joined: 03 Mar 2002 Posts: 1295
Posted: Mon Apr 17, 2006 10:23 pm Post subject:
ccs wrote:
> What I have now are these files, all encrypted:
> - sf_issuing.crt
> - valicert_class2_root.cer
> - ca.crt
> - cert.pem
> - key.pem
> - ca-bundle.crt
> In the Sambar config.ini file, there are these lines:
> Public Key = Sambar Server Encryption Key
> Certificate File = cert.pem
> Private Key File = key.pem
> CA Certificate File = ca-bundle.crt
As far as we know, the STunnel file only needs these files: cert.pem, key.pem, and ca-bundle.crt.
But in case one of the files (ca-bundle.crt) does not contain all the required information, could you send us the 6 files listed above?
Please zip and password protect these files with your license key (L0-....) before sending them to our priority support email (this password protection suggestion is meant to reduce the risks during the transfer from your mail client to our mail server).
_________________
Follow @abyssws on Twitter
Subscribe to our newsletter
_________________
Forum Administrator
Aprelium - https://aprelium.com

ccs
Joined: 02 Apr 2005 Posts: 101
Posted: Mon Apr 17, 2006 10:38 pm Post subject:
Very well. the file is on its way.
Thanks!

ccs
Joined: 02 Apr 2005 Posts: 101
Posted: Tue Apr 18, 2006 6:56 am Post subject:
Quote:
> As far as we know, the STunnel file only needs these files: cert.pem, key.pem, and ca-bundle.crt.
THAT SEEMED TO DO THE TRICK!!!
I figured I'd paste those three files in and see what happens, and sure enough, sTunnel fired right up.
Thanks!
--Joe

aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Tue Apr 18, 2006 10:49 am Post subject:
ccs,
You're welcome.
_________________
Support Team
Aprelium - http://www.aprelium.com

ccs
Joined: 02 Apr 2005 Posts: 101
Posted: Thu Apr 20, 2006 5:04 am Post subject:
Just a quick follow-up. I have finished the conversion of my first ecommerce site from Sambar to Abyss!!!
The site is 45% dynamic with a number of compiled CGI applications and I'm using sTunnel for the SSL support. (Thanks again for the help!)
I'm glad to report that all of the browsers I've tested are rendering the pages properly, Sambar had trouble with Firefox and Opera. The speed of the CGI applications appears to be quite good. Hard to say if the FastCGI support makes a difference or not, but if it keeps the programs in memory rather than closing them each time, great, if not, well they are performing just fine even under heavy test loads.
I'd like to toss my hat into the beta ring for the time that native SSL is in development. While sTunnel is working, I'm still uncomfortable with additional layers on top with critical production servers.
Thanks again....I'm back to being a loyal and happy Aprelium customer :)

aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Thu Apr 20, 2006 10:49 am Post subject:
ccs,
Thank you for the update and for your positive feedback. We've already added you to the list of our Beta testers and will contact you as soon as a preview of the SSL release is ready.
_________________
Support Team
Aprelium - http://www.aprelium.com

Siert
Joined: 11 Jun 2004 Posts: 23 Location: Hoog-Keppel, the Netherlands
Posted: Thu Sep 07, 2006 3:17 pm Post subject:
Same problems here: help!
I have 3 files. My stunnel.conf configuration:
1. CAfile = xxxxx.ca-bundle
2. cert = xxxxx.crt
3. key = xxxxx.key (encrypted RSA-key)
STunnel is stopped by Windows!
When I use cert = stunnel.pem (without CAfile and key) STunnel works well, but don't use my SSL-certificates.
What's wrong?
The RSA-key must be non-encrypted?
Or only 1 cert.pem file needed (with copy and paste)?
Thanks for your help!

aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Fri Sep 08, 2006 1:26 pm Post subject:
Siert,
What is the exact error message that is reported by STunnel?
_________________
Support Team
Aprelium - http://www.aprelium.com

Siert
Joined: 11 Jun 2004 Posts: 23 Location: Hoog-Keppel, the Netherlands
Posted: Fri Sep 08, 2006 2:39 pm Post subject:
All problems gone!
It's working now. Great!
I decrypted my xxxxx.key:
openssl rsa -in xxxxx.key -out new.key
and changed stunnel.conf:
key = new.key
Done!
(no need to make 1 stunnel.pem file: in fact, I deleted all .pem files. I think it's better to use the separate, original 3 files you create yourself and get back from your SSL-certificate provider) ...
Thanks for trying to help me ...
I like STunnel: no need to change Abyss Web Server. The same files can be handled by other webserver applications that use OpenSSL (like that Indian).