29 March 2008

I recently configured a Linux (Ubuntu) web server for SSL support. I had not done this for a long time, and had largely forgotten how. Here is the recipe and a fix to a problem.

The easy solution to generating the self-signed certificates needed for SSL is the CA.pl Perl script, which is included in the openssl source tarball. You can find it at
http://www.openssl.org/source/
or else Google for "openssl-0.9.8 tar gz".

You need to generate a suitable private key and certificate before you can use SSL. This can be accomplished using these steps from a suitable configuration directory:


perl CA.pl -newca
perl CA.pl -newreq
perl CA.pl -sign

You will have to answer various questions. The answers are stored locally, so they do not matter much, except for the domain name.
In particular, you should enter your server host name (e.g. www.dudek.org) when asked for a "common name".
This should produce the files newcert.pem and newkey.pem in the current directory.

The apache2 configuration section for SSL then needs to use these keys with lines like:

SSLCertificateFile /etc/apache2/ssl/newcert.pem
SSLCertificateKeyFile /etc/apache2/ssl/newkey.pem
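The same three steps, done non-interactively with plain openssl(1) commands instead of CA.pl, as an added example that is not part of the original post and not the CA.pl script itself. It assumes only that openssl is on the PATH; the output directory and host name are parameters, the file names newcert.pem and newkey.pem match the ones used above, and the CA name is a made-up placeholder. It also puts the host name into a subjectAltName extension, which current browsers check instead of the common name, and verifies the signed certificate against the private CA before it is handed to Apache.

```shell
#!/bin/sh
# Added example (not code from the original post or from CA.pl).
# Reproduces CA.pl -newca, -newreq and -sign with openssl(1), putting the
# host name into both CN and subjectAltName, then verifies the result.

# make_site_certs DIR HOSTNAME
#   writes DIR/cacert.pem (private CA), DIR/newkey.pem and DIR/newcert.pem;
#   returns 0 only if the signed certificate verifies against the CA and
#   carries HOSTNAME in its subjectAltName.
make_site_certs() {
    dir="$1"; host="$2"
    mkdir -p "$dir"

    # Minimal req(1) config so the run does not depend on the system openssl.cnf.
    # ca_ext marks the CA certificate as a CA (basicConstraints/keyUsage).
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Extensions for the server certificate: not a CA, and the host name as SAN.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" \
        > "$dir/server.ext"

    # 1. CA.pl -newca: private CA key and self-signed CA certificate
    #    ("Private test CA" is a placeholder name).
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null || return 1
    openssl req -config "$dir/req.cnf" -x509 -new -key "$dir/cakey.pem" \
        -subj "/CN=Private test CA" -days 365 -out "$dir/cacert.pem" || return 1

    # 2. CA.pl -newreq: server key plus a request with the host name as CN.
    openssl genrsa -out "$dir/newkey.pem" 2048 2>/dev/null || return 1
    openssl req -config "$dir/req.cnf" -new -key "$dir/newkey.pem" \
        -subj "/CN=$host" -out "$dir/newreq.pem" || return 1

    # 3. CA.pl -sign: sign the request with the CA, adding the SAN extension.
    openssl x509 -req -in "$dir/newreq.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$dir/server.ext" -out "$dir/newcert.pem" 2>/dev/null || return 1

    # Check: chain verifies and the certificate is for the intended host.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/newcert.pem" >/dev/null &&
    openssl x509 -noout -text -in "$dir/newcert.pem" | grep -q "DNS:$host"
}

# Stand-alone run: build certificates for an example host in a temp directory.
if command -v openssl >/dev/null 2>&1; then
    out=$(mktemp -d)
    if make_site_certs "$out" www.example.com; then
        echo "certificates written to $out (cacert.pem, newkey.pem, newcert.pem)"
    else
        echo "certificate generation or verification failed" >&2
    fi
fi
```

Point SSLCertificateFile at newcert.pem and SSLCertificateKeyFile at newkey.pem as in the configuration lines above; cacert.pem is what a client would need to import to trust the site.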


After this I was getting the error in my log file

OpenSSL: Exit: error in SSLv3 read client certificate B

which leads to an error -12227 from Firefox when the site is accessed.

After searching Google I found other people complaining about this, but with no actual diagnosis. Well, I have the answer. Looking at the error logs, I found that it was due to having configured apache/ssl for client authentication without having provided suitable certificates. The fix is to change the line in the apache config file that reads:

SSLVerifyClient require

to instead read

SSLVerifyClient none

After that, it should all work.
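A small check for this misconfiguration, as an added example that is not part of the original post: it reads an Apache mod_ssl configuration fragment and reports when client certificate verification is switched on (SSLVerifyClient require or optional) while no CA to verify client certificates against (SSLCACertificateFile or SSLCACertificatePath) has been configured, which is the combination that produces the handshake failure described above. The directive names are real mod_ssl directives; the two sample vhost fragments the script writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the original post). Lints an Apache mod_ssl
# configuration for client authentication enabled without a CA to verify
# client certificates against. Sample configs below are constructed.

# last_value FILE DIRECTIVE: print the value of the last occurrence of
# DIRECTIVE in FILE (directive names are case-insensitive; comments stripped).
last_value() {
    sed -e 's/#.*//' "$1" | awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == d { v = $2 } END { if (v != "") print v }'
}

# check_client_auth FILE: prints "ok" or "broken: ..."; returns 0 or 1.
check_client_auth() {
    conf="$1"
    verify=$(last_value "$conf" SSLVerifyClient | tr 'A-Z' 'a-z')
    cafile=$(last_value "$conf" SSLCACertificateFile)
    capath=$(last_value "$conf" SSLCACertificatePath)
    case "$verify" in
        require|optional)
            # Client certs are demanded, but mod_ssl has nothing to verify them
            # with: every client without a matching cert fails the handshake.
            if [ -z "$cafile" ] && [ -z "$capath" ]; then
                echo "broken: SSLVerifyClient $verify but no SSLCACertificateFile/SSLCACertificatePath"
                return 1
            fi
            ;;
    esac
    echo "ok"
    return 0
}

# make_sample_conf broken|fixed: write a constructed vhost fragment to a
# temp file and print its path.
make_sample_conf() {
    f=$(mktemp)
    {
        echo "SSLEngine on"
        echo "SSLCertificateFile /etc/apache2/ssl/newcert.pem"
        echo "SSLCertificateKeyFile /etc/apache2/ssl/newkey.pem"
        case "$1" in
            broken) echo "SSLVerifyClient require" ;;   # client auth, no CA configured
            fixed)  echo "SSLVerifyClient none" ;;      # the fix from the post
        esac
    } > "$f"
    echo "$f"
}

# Stand-alone run: report on both sample fragments.
for mode in broken fixed; do
    c=$(make_sample_conf "$mode")
    printf '%s config: ' "$mode"
    check_client_auth "$c" || true
    rm -f "$c"
done
```

To run it against a real installation, call check_client_auth on the site file (for example /etc/apache2/sites-enabled/default-ssl) instead of the constructed samples; a "broken" verdict means either drop client verification, as the post does, or add an SSLCACertificateFile pointing at the CA that issued the client certificates.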


CA.pl manual page: http://www.openssl.org/docs/apps/CA.pl.html

SSL configuration explanation:
http://www.securityfocus.com/infocus/1818

Ubuntu instructions (good) which avoid using CA.pl:

https://help.ubuntu.com/6.06/ubuntu/serverguide/C/httpd.html


More user's stories:
http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/doc/myownca.html



Posted by dudek at March 29 21:53
Comments
Re: apache2 SSL configuration, error -12227 and self-signed certificates

This post just bailed me out of a jam. Thanks so much!

Posted by: anonymous at May 23,2008 11:22


