
Posts Tagged “SSL”

After purchasing a wildcard SSL certificate I was hoping to be able to redirect all traffic from http://example.com to https://www.example.com. There were two main goals: to redirect all traffic to www.example.com and to require HTTPS. There is one flaw with this plan, as it requires two valid certificates to work 100% of the time. The one scenario where it will not work is when a user types https://example.com into a browser and you do not have a valid SSL certificate for example.com and instead only have a wildcard SSL certificate for *.example.com. The user will be prompted with an invalid certificate message when visiting the https://example.com domain.

The problem here is that the SSL handshake happens before you are able to complete a redirect on the request. The only way to resolve this issue is to purchase two certificates to handle *.example.com and example.com. If you don’t mind the possibility of users typing in https://example.com and getting an invalid certificate message, then purchasing only a wildcard certificate will cover you in 99% of situations.
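The coverage gap described above, as an added example that is not code from the original post: a small matcher applying the usual rule that a wildcard stands for exactly one left-most label, run over constructed name lists. The function names, host list and certificate name lists are assumptions made for illustration.

```python
# Added example: which hostnames does a set of certificate names cover?
# The name lists below are constructed for illustration, not read from a real cert.

def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A wildcard is honoured only as the entire left-most label and
    stands for exactly one label, so *.example.com never matches the
    bare example.com or a deeper name such as a.b.example.com.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels after the wildcard (no "*.com").
        if len(p_labels) < 3 or not h_labels[0]:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered(cert_names, hostnames):
    """Return the hostnames that no certificate name covers."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_names)]


# Hostnames a visitor might type after https://
SITE_HOSTS = ["example.com", "www.example.com", "shop.example.com"]

# The setup in the post: only the wildcard certificate is installed.
WILDCARD_ONLY = ["*.example.com"]
# Names covered once a certificate for example.com is added as well.
WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]

if __name__ == "__main__":
    print("wildcard only, uncovered:", uncovered(WILDCARD_ONLY, SITE_HOSTS))
    print("wildcard + apex, uncovered:", uncovered(WILDCARD_PLUS_APEX, SITE_HOSTS))
```

Because this name check is part of certificate validation during the handshake, the browser rejects https://example.com before any HTTP redirect rule on the server can run.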


The error below will be seen in the ssl_error_log, typically located in /var/log/httpd, for numerous reasons. Below is an explanation of two of those reasons that might cause Apache to not start and how to resolve the problem.

Error Example:
[Sat Oct 25 22:38:33 2008] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Oct 25 22:38:33 2008] [warn] RSA server certificate CommonName (CN) `server1.example.com' does NOT match server name!?


Use lftp for Linux command line FTP with explicit TLS/SSL. I was still having trouble though with lftp and implicit TLS/SSL. Below is the command to use lftp to connect to an FTP server that requires explicit TLS/SSL.

Command:
lftp -du user,password ftp.example.com

You should see the below after connecting. Type ls to see if you get a directory listing and everything has worked.
lftp user@ftp.example.com:~> ls

That's pretty much it. I will post in the future about lftp and implicit TLS/SSL connections.


I recently reinstalled a CentOS 5.2 server running ISPConfig, using Apache for virtual web hosting. The first site I was reinstalling the RapidSSL certificate for was not working. It continued to tell me that it was a non-trusted self-signed certificate. Eventually I figured out the only issue was that ISPConfig was not restarting the web server and thus not picking up the RapidSSL cert. Once I restarted the web server manually everything worked properly. A couple of things to note, though, are exactly how to install an SSL certificate with ISPConfig and how to regenerate the server's self-signed certificate if necessary.

Installing a SSL Certificate for a Virtual Host with ISPConfig:

  1. Create Site: Create the hosting account using your typical methods with ISPConfig

I had created a script to ask for a couple of CLI arguments and then run httperf against a server. The goal was to load test a server for HTTP and for HTTPS. I added the --ssl switch but could not verify a couple of things, including whether httperf had been compiled with SSL support or whether --ssl was working at all.

1. Was httperf installed with SSL support?
This is an easy one. If the --ssl option exists then your httperf was compiled with SSL support. I wasn’t sure since I installed httperf via YUM in CentOS. I also tested by compiling it myself, and both versions had SSL support. If you do compile it yourself, you can check compile-dir/config.status and see if SSL support compiled properly.