
I am doing this certificate setup for the first time, and the overall objective is that when a user hits https://mybox.com:8080 the user should get a valid trusted certificate in return.

I have been provided with 2 files:

.crt  
.key

Those are currently copied to my home directory.

What I have been able to do until now is set up Apache with the below config and bring it up successfully:

<VirtualHost mybox.com:8080>
    DocumentRoot /var/www/html
    DirectoryIndex index.html
    ServerName mybox.com

    SSLEngine on
    # Demands a client certificate on every connection (mutual TLS);
    # a client that presents none is rejected during the handshake.
    SSLVerifyClient require
    SSLVerifyDepth 1
    # Server certificate and its private key; no SSLCertificateChainFile
    # (intermediate certificates) is configured.
    SSLCertificateFile /x/home/me/mybox.crt
    SSLCertificateKeyFile /x/home/me/mybox.key
</VirtualHost>

But when I issue the openssl command I get the below error output:

# openssl s_client -connect mybox:8080
CONNECTED(00000003)
depth=0 .....
Support/CN=mybox.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 .....
Support/CN=mybox.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 .....
Support/CN=mybox.com
verify error:num=21:unable to verify the first certificate
verify return:1
3154:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1092:SSL alert number 40
3154:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
#

I am not sure if it is picking up the certs from my configured path at all - but the resource who gave me the .crt and .key files states that it is a valid certificate.

Please help me to setup this cert on my box.

Programmer
  • Often, the openssl 'unable to get local issuer certificate' error, and the ensuing errors, are just because openssl does not know where to find the trusted root CA certificates on the local system. On most Linux systems, these are stored in /etc/ssl/. Try: openssl s_client -connect mybox:8080 -CApath /etc/ssl/ – mti2935 Sep 18 '15 at 20:14
  • This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Server Fault](http://serverfault.com/), [Super User](http://superuser.com/), [Webmaster Stack Exchange](http://webmasters.stackexchange.com/) or [Web Apps Stack Exchange](http://webapps.stackexchange.com/) would be a better place to ask. – jww Sep 20 '15 at 10:48
  • To help you along, visit the CentOS docs on the subject. RedHat and CentOS are almost identical. The CentOS docs can be found at [Apache HTTP Secure Server Configuration](https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-httpd-secure-server.html). You will also want to use `s_client` with TLS and SNI: `openssl s_client -connect mybox:8443 -servername mybox -tls1`. – jww Sep 20 '15 at 10:49
  • And this is wrong *if* you plan on using a Browser to access the host: *`CN=mybox.com`*. To build a well formed certificate, see [How to create a self-signed certificate with openssl?](http://stackoverflow.com/a/27931596/608639) and [How can I generate a self-signed certificate with SubjectAltName using OpenSSL?](http://stackoverflow.com/a/21494483/608639) – jww Sep 20 '15 at 10:54
  • I am not sure, but what I am requesting is how to set up the certificates as per my requirement, and since I am facing the issue can anybody please help – Programmer Sep 20 '15 at 12:37
  • @jwww - Yes, I cannot paste the FQDN here since it belongs to a private n/w. The CN comes out as something like mybox.xx.xxx.com. The issue is that I have valid certs (.crt and .key files) and I am facing the issue of how to deploy them such that the certs are served upon a connection request like https://mybox.com:8080 – Programmer Sep 20 '15 at 12:41
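Added diagnostic script, not part of the question, the comments, or any Apache/OpenSSL documentation. It takes the two readings in the output above apart: the depth=0 errors 20, 27 and 21 all say that s_client could not find the issuer of the leaf certificate, which happens when s_client is given no trust store (mti2935's -CApath point) or when the server sends the leaf without its intermediate certificates (the vhost has no SSLCertificateChainFile); the closing alert number 40 (handshake_failure) is what mod_ssl sends when SSLVerifyClient require is set and the client, here s_client run without -cert, presents no certificate. The script checks that the key matches the certificate, prints the names the certificate covers (subjectAltName is what browsers match, the CN-only point in jww's comment), probes the listener with SNI and -showcerts, and turns the result into a concrete fix. The file paths, host name, port and trust-store location are placeholders, not values from the question; the parsing and diagnosis functions are pure text processing and run without a server.

```shell
#!/bin/sh
# Added diagnostic script for the question above; not code from the question,
# from Apache or from OpenSSL.  Paths, host, port and trust store are placeholders.
set -u

CRT="${CRT:-${HOME:-.}/mybox.crt}"      # leaf certificate the asker was given (assumed path)
KEY="${KEY:-${HOME:-.}/mybox.key}"      # its private key (assumed path)
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"  # assumed trust store
HOST="${HOST:-mybox.com}"
PORT="${PORT:-8080}"

# 1. Does the key belong to the certificate?  Comparing public keys works for
#    RSA and EC keys alike (the classic "-modulus | md5" trick is RSA-only).
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# 2. Which names does the certificate cover?  Browsers match the URL host
#    against subjectAltName; a matching CN alone is not enough for modern clients.
cert_names() {
    openssl x509 -in "$1" -noout -subject -issuer
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# 3. Probe the listener the way a browser would: SNI set, a trust store given,
#    stdin closed so s_client exits after the handshake, -showcerts so every
#    certificate the server actually sends is visible.
probe() {
    openssl s_client -connect "$HOST:$PORT" -servername "$HOST" \
        -CAfile "$CA_BUNDLE" -showcerts </dev/null 2>&1
}

# --- pure text-processing helpers, so the logic can be exercised offline ---

# Number of certificates the server presented (1 = leaf only, no intermediates).
certs_presented() {
    printf '%s\n' "$1" | grep -c 'BEGIN CERTIFICATE' || true
}

# Final verify result: the "Verify return code" summary if s_client got that far,
# otherwise the last per-depth "verify error:num=N" line (0 = chain verified).
verify_code() {
    summary=$(printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    if [ -n "$summary" ]; then
        printf '%s\n' "$summary"
    else
        printf '%s\n' "$1" | sed -n 's/^verify error:num=\([0-9][0-9]*\):.*/\1/p' | tail -n 1
    fi
}

# TLS alert number the server sent if it aborted the handshake (empty otherwise).
alert_number() {
    printf '%s\n' "$1" | sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Map verify code, alert number and certificate count to the concrete fix.
diagnose() {
    code=$1; alert=$2; ncerts=$3
    case "$code" in
        0)        msg="chain verified" ;;
        20|21|27) msg="issuer not found: pass the right -CAfile, and if only the leaf is served add the intermediate(s) with SSLCertificateChainFile" ;;
        *)        msg="unexpected verify result '$code'" ;;
    esac
    if [ "$ncerts" = 1 ]; then
        msg="$msg [server sent the leaf only]"
    fi
    if [ "$alert" = 40 ]; then
        msg="$msg; handshake_failure: with SSLVerifyClient require, mod_ssl rejects any client that presents no certificate, so remove it unless mutual TLS is intended"
    fi
    printf '%s\n' "$msg"
}

main() {
    if key_matches_cert "$CRT" "$KEY"; then
        echo "key/cert pair: match"
    else
        echo "key/cert pair: MISMATCH or unreadable"
    fi
    cert_names "$CRT"
    out=$(probe)
    code=$(verify_code "$out")
    diagnose "${code:-none}" "$(alert_number "$out")" "$(certs_presented "$out")"
}

# Only contact the server when explicitly asked: sh tls_probe.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Run it as `sh tls_probe.sh run` from a host that can reach the listener. Whatever the outcome, the private key should not stay in a home directory: httpd reads it as root at startup, so keep it root-owned with mode 0600 under the distribution's key directory (for example /etc/pki/tls/private on RHEL/CentOS).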

0 Answers