Taroon-list Digest, Vol 15, Issue 6 - 2005-05-10 - By jiantao
Send Taroon-list mailing list submissions to taroon-list@(protected)
To subscribe or unsubscribe via the World Wide Web, visit http://www.redhat.com/mailman/listinfo/taroon-list or, via email, send a message with subject or body 'help' to taroon-list-request@(protected)
You can reach the person managing the list at taroon-list-owner@(protected)
When replying, please edit your Subject line so it is more specific than "Re: Contents of Taroon-list digest..."
Today's Topics:
1. RE: How to properly install and configure mod_ssl on RHEL 4? (Mike Kercher)
2. Re: How to properly install and configure mod_ssl on RHEL 4? (John Haxby)
3. Re: How to properly install and configure mod_ssl on RHEL 4? (Olaf Greve)
4. Re: How to properly install and configure mod_ssl on RHEL 4? (Doug Stewart)
5. RE: How to properly install and configure mod_ssl on RHEL 4? (Mike Kercher)
6. Re: Scripting help please (Ed Wilts)
7. RE: Scripting help please (Collins, Kevin [MindWorks])
8. Re: Scripting help please (John Haxby)
9. Re: How to properly install and configure mod_ssl on RHEL 4? (Ed Wilts)
-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
Message: 1
Date: Wed, 4 May 2005 09:24:09 -0500
From: "Mike Kercher" <mike@(protected)>
Subject: RE: How to properly install and configure mod_ssl on RHEL 4?
To: "'Discussion of Red Hat Enterprise Linux 3 \(Taroon\)'" <taroon-list@(protected)>
Message-ID: <200505041424.j44EO9Hx027160@(protected)>
Content-Type: text/plain; charset="iso-8859-1"
-----Original Message-----
From: taroon-list-bounces@(protected) [mailto:taroon-list-bounces@(protected)] On Behalf Of John Haxby
Sent: Wednesday, May 04, 2005 9:14 AM
To: Discussion of Red Hat Enterprise Linux 3 (Taroon)
Subject: Re: How to properly install and configure mod_ssl on RHEL 4?
Olaf Greve wrote:
> ...indicated that something was amiss with the CA certificate.
>
> Yesterday evening it already dawned on me that I think it's necessary
> to purchase a certificate (from companies such as Verisign). If so,
> then I guess that's the missing link.
It's not necessary to buy a certificate (although it may be desirable). In fact, it's not actually necessary to do anything at all. If you've installed mod_ssl (and it installs by default anyway) then connecting to https://localhost with, say, firefox will work just fine.
Having said that, you'll get dialog boxes popping up telling you that the certificate isn't signed by a trusted authority and that it doesn't match the host you're connecting to. That's because the certificate is self-signed and is for "localhost.localdomain". A proper certificate comes from Verisign or similar and will cost you money -- the last one I bought was £350, but that was a few years ago. For most purposes you can get by with a self-signed certificate. As it happens, I've just had to do this for an FC3 machine, but RHEL4 is the same.
This is an out-of-the-box installation, I didn't have to edit any configuration files. I didn't explicitly select mod_ssl for installation either.
With firefox, the first dialog box that pops up starts "Unable to verify the identity of localhost.localdomain as a trusted site." It goes on to offer some reasonable causes and lets me accept the certificate temporarily. Having done that I get another dialogue box saying that the machine I'm connecting to doesn't match the name on the certificate (that is, localhost.localdomain) and lets me see the certificate and also lets me continue. The certificate is the one that installs by default and it's issued to localhost.localdomain, in SomeOrganisation and signed by the issuer. It was issued on 1-May-2005 which is when I installed the server.
To get the self-signed certificate:
make -C/usr/share/ssl/certs testcert or make -C/etc/httpd/conf testcert
(The Makefile in /etc/httpd/conf is a symbolic link to the other one.) If you're not root you'll get an error; if you are, it'll tell you there's nothing to do. You need to remove the certificate, but not the key (if I'm not mistaken, the make rule for generating the key will want a passphrase, which will mean that you'll need to type the passphrase in every time you restart apache). So, delete /etc/httpd/conf/ssl.crt/server.crt (or at least move it out of the way), re-run the make command and then restart httpd. If you reload the page in firefox now you'll only get the first dialog box and you should accept the certificate permanently (having first checked that it matches what you've just generated). I don't need to tell you that you should make sure that the hostname in the certificate matches the hostname you connect to and that it should be the FQDN.
If, in a year's time you need to renew the certificate you'll need to change the serial number (unless you change some of the other details). You'll need to edit the Makefile to do this (or run the openssl req command directly) to add a "-set_serial 1" parameter. You won't remember that, but you might remember to do a "man req" and look it up yourself.
As another poster said, "make -C/etc/httpd/conf certreq" will generate the certificate request you'll need for a real certificate. When I went through this with Verisign they were quite picky about what you actually put in the certificate fields so you'll need to read their web site (or the web site of their local representative, in my case, it's BT). And it takes a couple of weeks from start to finish, so a self-signed certificate is a good thing to get you going anyway.
Most software can be persuaded to accept a self-signed certificate. The various browsers, including curl, can be so persuaded. Java can as well. It depends on how much you want to make life easy compared to how much you're prepared to spend money :-) It would be nice to be able to get cheap (or even free) certificates for home servers and the like.
jch
-- Taroon-list mailing list Taroon-list@(protected) http://www.redhat.com/mailman/listinfo/taroon-list
============================================================================ ======
An SSL cert from http://www.rapidssl.com/index_ssl.htm is much cheaper than 350
Mike
-- ---- ---- ---- ---- ---- --
Message: 2
Date: Wed, 4 May 2005 15:40:15 +0100
From: John Haxby <jch@(protected)>
Subject: Re: How to properly install and configure mod_ssl on RHEL 4?
To: "Discussion of Red Hat Enterprise Linux 3 (Taroon)" <taroon-list@(protected)>
Message-ID: <4278DECF.7080907@(protected)>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Mike Kercher wrote
> An SSL cert from http://www.rapidssl.com/index_ssl.htm is much cheaper than
> 350
I was hoping someone would come up with that sort of reply!
Of course, the more you pay for a certificate, the more users of the web site are likely to trust you. I still think that a certificate should include the amount paid for it: someone prepared to pay, say, £10,000 for a certificate for a web site selling ink cartridges is much less likely to be behaving badly than someone doing the same with a $49 certificate. (Quite why Verisign certificates are $350 or £350 is a bit of a mystery, considering the exchange rate.)
Self-signed certificates are fine for non-public web sites though.
jch
-- ---- ---- ---- ---- ---- --
Message: 3
Date: Wed, 04 May 2005 16:48:35 +0200
From: Olaf Greve <o.greve@(protected)>
Subject: Re: How to properly install and configure mod_ssl on RHEL 4?
To: "Discussion of Red Hat Enterprise Linux 3 (Taroon)" <taroon-list@(protected)>
Message-ID: <4278E0C3.4010200@(protected)>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hi all,
Thanks a lot!
Indeed simply pointing the browser to https://localhost already does the trick.
The client themselves will request a signed certificate, so that's up to them to do.
Thanks for your help!
Cheers, Olafo
-- ---- ---- ---- ---- ---- --
Message: 4
Date: Wed, 04 May 2005 10:52:58 -0400
From: Doug Stewart <dstewart@(protected)>
Subject: Re: How to properly install and configure mod_ssl on RHEL 4?
To: "Discussion of Red Hat Enterprise Linux 3 (Taroon)" <taroon-list@(protected)>
Message-ID: <4278E1CA.1020609@(protected)>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On a related-but-not-entirely-germane subject, anyone have any experience in https-protecting a single directory using Apache? I would like to force all requests to a certain directory to use https and make the dir inaccessible via regular http.
Can it be done?
--
Doug Stewart
Systems Administrator/Web Applications Developer
Lockheed Martin Advanced Technology Labs
dstewart@(protected)
-- ---- ---- ---- ---- ---- --
Message: 5
Date: Wed, 4 May 2005 09:53:25 -0500
From: "Mike Kercher" <mike@(protected)>
Subject: RE: How to properly install and configure mod_ssl on RHEL 4?
To: "'Discussion of Red Hat Enterprise Linux 3 \(Taroon\)'" <taroon-list@(protected)>
Message-ID: <200505041453.j44ErP1L002358@(protected)>
Content-Type: text/plain; charset="US-ASCII"
-----Original Message-----
From: taroon-list-bounces@(protected) [mailto:taroon-list-bounces@(protected)] On Behalf Of Olaf Greve
Sent: Wednesday, May 04, 2005 9:49 AM
To: Discussion of Red Hat Enterprise Linux 3 (Taroon)
Subject: Re: How to properly install and configure mod_ssl on RHEL 4?
Hi all,
Thanks a lot!
Indeed simply pointing the browser to https://localhost already does the trick.
The client themselves will request a signed certificate, so that's up to them to do.
Thanks for your help!
Cheers, Olafo
===========================================================
Chances are, you'll end up doing it for them since you will need to generate the CSR for the certificate.
Mike
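The steps John describes above (make testcert, move server.crt aside and regenerate, bump the serial on renewal, make certreq for a commercial CA) together with the CSR Mike says you will end up generating, as an added example that is not code from the thread or from Red Hat's Makefile: it calls openssl directly so every setting is visible. Assumed: openssl on PATH, the organisation name SomeOrganisation from the default certificate, www.example.com as a stand-in FQDN, and an OUTDIR of your choosing (the RHEL 4 locations appear only in the usage comment).

```shell
#!/bin/sh
# Added example, not code from the thread or from the RHEL 4 Makefile.
# Generates a self-signed mod_ssl certificate with the FQDN as CN and an
# explicit serial, a CSR for a real CA from the same key, and the checks
# worth running before pointing httpd (or a browser) at the result.
set -eu

# gen_selfsigned FQDN DAYS SERIAL OUTDIR
# Writes OUTDIR/server.key and OUTDIR/server.crt. -nodes leaves the key
# unencrypted, so httpd restarts without a passphrase prompt; -set_serial
# gives a renewal a fresh serial, which browsers key their cache on.
gen_selfsigned() {
    fqdn=$1 days=$2 serial=$3 outdir=$4
    mkdir -p "$outdir"
    ( umask 077
      openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 \
          -days "$days" -set_serial "$serial" \
          -subj "/O=SomeOrganisation/CN=$fqdn" \
          -keyout "$outdir/server.key" -out "$outdir/server.crt" 2>/dev/null )
}

# gen_csr KEY FQDN OUT
# The request to send to a commercial CA (what "make certreq" produces),
# reusing the key already installed so the private key never moves.
gen_csr() {
    openssl req -new -key "$1" -subj "/O=SomeOrganisation/CN=$2" -out "$3" 2>/dev/null
}

# csr_ok CSR: the request's self-signature verifies (exit status only).
csr_ok() { openssl req -noout -verify -in "$1" >/dev/null 2>&1; }

# cert_matches_key CRT KEY: the public key in the cert is the one in the
# key file. Catches a regenerated key left beside an old server.crt.
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# cert_cn CRT: the CN, via RFC2253 so the output is stable across versions.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'
}

# cert_serial CRT: hex serial as openssl prints it (01, 02, ...).
cert_serial() { openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'; }

# cert_fingerprint CRT: compare this with the browser's certificate dialog
# before accepting the certificate permanently.
cert_fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }

# Typical use on the server itself (as root; RHEL 4 paths, hostname assumed):
#   gen_selfsigned "$(hostname -f)" 365 1 /tmp/newcert
#   mv /tmp/newcert/server.crt /etc/httpd/conf/ssl.crt/server.crt
#   mv /tmp/newcert/server.key /etc/httpd/conf/ssl.key/server.key
#   cert_matches_key /etc/httpd/conf/ssl.crt/server.crt /etc/httpd/conf/ssl.key/server.key
#   cert_fingerprint /etc/httpd/conf/ssl.crt/server.crt
#   service httpd restart
```

cert_cn is the check John alludes to: the CN must be the FQDN users type, not localhost.localdomain. For the renewal case, call gen_selfsigned again with a higher serial; reusing serial 1 with the same subject is what makes browsers complain about a certificate that "changed".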
-- ---- ---- ---- ---- ---- --
Message: 6
Date: Wed, 4 May 2005 09:59:08 -0500
From: Ed Wilts <ewilts@(protected)>
Subject: Re: Scripting help please
To: Truejack <truejack@(protected)>, "Discussion of Red Hat Enterprise Linux 3 (Taroon)" <taroon-list@(protected)>
Message-ID: <20050504145908.GA10798@(protected)>
Content-Type: text/plain; charset=us-ascii
On Wed, May 04, 2005 at 06:34:30PM +0530, Truejack wrote:
> I need some scripting help please.
>
> I have a file which has the following output.
> I need to change all the commas after the $ to a * (or any other
> character other than a comma).
> Only the commas after the $ need to be changed.
>
> 109889-01 : 109353-04,109353-04 : : $ SUNWkvmx, SUNWkvm, SUNWctu, SUNWmdb
If you have the mysql package installed, you've got a fantastic tool called replace. In my opinion, this should be taken out of mysql and bundled in a more common location like coreutils. You don't need a mysql server running - just the client package installed.
replace ', ' '* ' -- $filename
replace can process multiple files at once and does the changes in place.
[ewilts@(protected) ewilts]$ cat foo
109889-01 : 109353-04,109353-04 : : $ SUNWkvmx, SUNWkvm, SUNWctu, SUNWmdb
[ewilts@(protected) ewilts]$ replace ', ' '* ' -- foo
foo converted
[ewilts@(protected) ewilts]$ cat foo
109889-01 : 109353-04,109353-04 : : $ SUNWkvmx* SUNWkvm* SUNWctu* SUNWmdb
--
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts@(protected)
Member #1, Red Hat Community Ambassador Program
-- ---- ---- ---- ---- ---- --
Message: 7
Date: Wed, 4 May 2005 08:02:55 -0700
From: "Collins, Kevin [MindWorks]" <KCollins@(protected)>
Subject: RE: Scripting help please
To: "Discussion of Red Hat Enterprise Linux 3 (Taroon)" <taroon-list@(protected)>, "Truejack" <truejack@(protected)>
Message-ID: <9AEA87EE3180D0409F0377B843FD90236E1971@(protected)>
Content-Type: text/plain; charset=us-ascii
Useless use of cat! Try:
perl -F\\$ -nae '$F[1] =~ s/,/*/g; print join("\$", @F)' file
Kevin
-----Original Message-----
From: taroon-list-bounces@(protected) [mailto:taroon-list-bounces@(protected)] On Behalf Of Josh Kelley
Sent: Wednesday, May 04, 2005 6:20 AM
To: Truejack; Discussion of Red Hat Enterprise Linux 3 (Taroon)
Subject: Re: Scripting help please
Truejack wrote:
> I have a file which has the following output.
> I need to change all the commas after the $ to a * (or any other
> character other than a comma).
> Only the commas after the $ need to be changed.
>
> 109889-01 : 109353-04,109353-04 : : $ SUNWkvmx, SUNWkvm, SUNWctu, SUNWmdb
>
>
cat file | perl -F\\$ -nae '$F[1] =~ s/,/*/g; print join("\$", @F)'
Josh Kelley
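The same edit in awk, as an added example that is not Ed's, Josh's or Kevin's code: it splits each line on the literal $ and rewrites only the fields to the right of it, so commas (with or without a following space) to the left of the $ are never touched, and a line with no $ passes through unchanged. The sample lines are constructed from the format in the question; nothing beyond awk and printf is needed.

```shell
#!/bin/sh
# Added example, not from the thread. Replace commas with '*' only in the
# part of each line after the first '$'. Input lines below are constructed
# from the format Truejack posted.
set -eu

# stars_after_dollar: filter, stdin -> stdout.
# FS '[$]' is a literal dollar (a bare '$' would also work in most awks,
# but the bracket form is unambiguous). With OFS set to '$' the line is
# rebuilt exactly as read apart from the substitutions. A line with no
# '$' has NF == 1: the loop body never runs and $0 is printed untouched.
stars_after_dollar() {
    awk -F '[$]' -v OFS='$' '
        { for (i = 2; i <= NF; i++) gsub(/,/, "*", $i) }
        1
    '
}

# demo: the posted line, a line with no '$', and a line with commas on
# both sides of two '$' signs, to show which commas change.
demo() {
    printf '%s\n' \
        '109889-01 : 109353-04,109353-04 : : $ SUNWkvmx, SUNWkvm, SUNWctu, SUNWmdb' \
        'no dollar here, commas, stay' \
        'a,b : $ c,d $ e,f' |
    stars_after_dollar
}

# Usage on the real file, in place, keeping a backup:
#   stars_after_dollar < patchlist > patchlist.new && mv patchlist patchlist.bak && mv patchlist.new patchlist
```

The third demo line comes out as `a,b : $ c*d $ e*f`: the comma in `a,b` survives because it sits in field 1, which the loop skips.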
-- ---- ---- ---- ---- ---- --
Message: 8
Date: Wed, 4 May 2005 16:28:48 +0100
From: John Haxby <jch@(protected)>
Subject: Re: Scripting help please
To: "Discussion of Red Hat Enterprise Linux 3 (Taroon)" <taroon-list@(protected)>
Message-ID: <4278EA30.9090506@(protected)>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Collins, Kevin [MindWorks] wrote:
> Useless use of cat! Try:
>
> perl -F\\$ -nae '$F[1] =~ s/,/*/g; print join("\$", @F)' file
I know I'm name dropping, but Brian Kernighan said the same thing some time ago ('83, I think, but it was a while ago.). He was commenting on "cat xxx | yyy" vs "yyy < xxx" (or even "<xxx yyy").
Having thought about it, his conclusion was that you shouldn't worry about it. With something like the perl script, the performance advantage is minimal. On the other hand, "cat file | awk 'fifty-line-awk-script'" is more likely to be readable than "awk 'fifty-line-awk-script' file". My personal style depends on how I'm feeling: I might like the challenge of using just the shell or just sed, or I might want to try a different approach. Or I might be writing something that has to be maintained -- in which case clarity and readability move way up the list.
jch
-- ---- ---- ---- ---- ---- --
Message: 9
Date: Wed, 4 May 2005 10:29:18 -0500
From: Ed Wilts <ewilts@(protected)>
Subject: Re: How to properly install and configure mod_ssl on RHEL 4?
To: "Discussion of Red Hat Enterprise Linux 3 (Taroon)" <taroon-list@(protected)>
Message-ID: <20050504152918.GA11920@(protected)>
Content-Type: text/plain; charset=us-ascii
On Wed, May 04, 2005 at 10:52:58AM -0400, Doug Stewart wrote:
> On a related-but-not-entirely-germane subject, anyone have any
> experience in https-protecting a single directory using Apache? I would
> like to force all requests to a certain directory to use https and make
> the dir inaccessible via regular http.
>
> Can it be done?
Sure - just put in a redirect.
I had something like this (which doesn't work anymore, so don't even bother testing it!):
Redirect /webmails https://webmail.ewilts.org/
I had then set up a virtual host for webmail.ewilts.org (the only virtual host I had listening on port 443).
--
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts@(protected)
Member #1, Red Hat Community Ambassador Program
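Ed's Redirect, carried through to a complete configuration that also meets the second half of Doug's requirement (the directory must be unreachable over plain HTTP, not merely redirected away from), as an added example that is not from Ed's message or from Red Hat's shipped ssl.conf. webmail.example.com, /var/www/html/webmail and the two-vhost layout are assumptions; the certificate paths are the RHEL 4 mod_ssl defaults mentioned earlier in the thread.

```apache
# Added example (not Ed's config): one directory served only over HTTPS,
# Apache 2.0 / RHEL 4 style. webmail.example.com and /var/www/html/webmail
# are placeholders; the cert paths are the RHEL 4 mod_ssl defaults.

# 1. Plain-HTTP side: anything under /webmail is bounced to HTTPS.
#    Redirect matches by URL prefix, so /webmail/inbox.php becomes
#    https://webmail.example.com/webmail/inbox.php. The same prefix would
#    also catch /webmails; use RedirectMatch with an anchored regex if
#    neighbouring paths must be left alone.
<VirtualHost *:80>
    ServerName webmail.example.com
    DocumentRoot /var/www/html
    Redirect permanent /webmail https://webmail.example.com/webmail
</VirtualHost>

# 2. HTTPS side, normally in /etc/httpd/conf.d/ssl.conf.
<VirtualHost _default_:443>
    ServerName webmail.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>

# 3. Outside any VirtualHost so it applies on every port: the directory
#    itself answers 403 to any request that did not arrive over SSL.
#    This is what makes the directory inaccessible via regular HTTP even
#    if a Redirect is missing from some other port-80 vhost, or an Alias
#    elsewhere points at the same filesystem path.
<Directory /var/www/html/webmail>
    SSLRequireSSL
</Directory>
```

The Redirect alone is a convenience for users; SSLRequireSSL is the control. Because it keys on the filesystem directory rather than the URL, it survives the configuration drift that tends to defeat URL-based rules (a second vhost on port 80, an Alias, a ServerAlias added later). Check with `curl -I http://webmail.example.com/webmail/` (expect 301) and, after temporarily commenting out the Redirect, expect 403 rather than content.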
-- ---- ---- ---- ---- ---- --
End of Taroon-list Digest, Vol 15, Issue 6 ******************************************