29 March
2008

I recently configured a Linux (Ubuntu) web server for SSL support. I had not done this for a long time, and had largely forgotten how. Here is the recipe, plus a fix for an error (-12227) that I ran into along the way.

Prologue: making your own SSL certificates

The easy solution to generating the self-signed certificates needed for SSL is the CA.pl perl script, which is included in the OpenSSL source tarball. You can find it at
http://www.openssl.org/source/
or else Google for "openssl-0.9.8 tar gz".

You need to generate a suitable private key and certificate before you can use SSL. This can be accomplished using these steps from a suitable configuration directory:


perl CA.pl -newca
perl CA.pl -newreq
perl CA.pl -sign

You will have to answer various questions. The answers are only stored locally, so what you enter does not matter much, except for the domain name.
In particular, you should enter your server host name (e.g. www.dudek.org) when asked for a "common name".
This should produce the files newcert.pem and newkey.pem in the current directory.

Setting up Apache to use SSL

The apache2 configuration section for SSL then needs to use these keys with lines like:

SSLCertificateFile /etc/apache2/ssl/newcert.pem
SSLCertificateKeyFile /etc/apache2/ssl/newkey.pem


Whoops: error -12227

After this I was getting the error in my log file

OpenSSL: Exit: error in SSLv3 read client certificate B

which leads to an error -12227 from Firefox when the site is accessed.

After searching Google I found other people complaining about this, but with no actual diagnosis. Well, I have the answer. Looking at the error logs, I found that it was due to having configured apache/ssl for client authentication without having provided suitable certificates (the detailed story is that apache needs to understand you are acting as your own certificate authority, and not depending on an external one, so with client authentication switched on it demands a client certificate that the browser cannot supply).

Solution to error: SSLVerifyClient

The fix is to change the line in the apache config file that turns on client certificate verification, which reads:

SSLVerifyClient require

to instead read

SSLVerifyClient none

After that, it should all work.
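As an added example (not part of the original post), here is a small checker for exactly this mistake: a vhost that requires client certificates while no CA certificate for verifying them is configured. The vhost text below is constructed; the directive names are the standard mod_ssl ones.

```python
import re
from typing import Dict, List

# Constructed sample vhost reproducing the misconfiguration described above:
# client certificate verification is required, but no SSLCACertificateFile or
# SSLCACertificatePath is set, so a browser without a client certificate fails
# the handshake (the Firefox error -12227 case).
BROKEN_VHOST = """
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/newcert.pem
    SSLCertificateKeyFile /etc/apache2/ssl/newkey.pem
    # left over from an earlier client-auth experiment
    SSLVerifyClient require
</VirtualHost>
"""

# The same vhost with the fix applied.
FIXED_VHOST = BROKEN_VHOST.replace("SSLVerifyClient require", "SSLVerifyClient none")

DIRECTIVE_RE = re.compile(r"^(SSL\w+)\s+(.+?)$")


def parse_ssl_directives(config: str) -> Dict[str, str]:
    """Collect SSL* directives from a config fragment, skipping comments and blanks."""
    found: Dict[str, str] = {}
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(stripped)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def check_client_auth(config: str) -> List[str]:
    """Return findings for the vhost; an empty list means the checks pass."""
    d = parse_ssl_directives(config)
    findings: List[str] = []
    for required in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if required not in d:
            findings.append(f"missing {required}")
    # mod_ssl default is 'none'; 'require' and 'optional' both need a CA to verify against.
    verify = d.get("SSLVerifyClient", "none").lower()
    has_ca = "SSLCACertificateFile" in d or "SSLCACertificatePath" in d
    if verify in ("require", "optional") and not has_ca:
        findings.append(f"SSLVerifyClient {verify} without SSLCACertificateFile/SSLCACertificatePath")
    return findings
```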


CA.pl manual page: http://www.openssl.org/docs/apps/CA.pl.html

SSL configuration explanation:
http://www.securityfocus.com/infocus/1818

Ubuntu instructions (good) which avoid using CA.pl:

https://help.ubuntu.com/6.06/ubuntu/serverguide/C/httpd.html


More users' stories:
http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/doc/myownca.html



By Gregory Dudek
Comments
Re: apache2 SSL configuration, error -12227 and self-signed certificates

This post just bailed me out of a jam. Thanks so much!

Posted by: anonymous at May 23,2008 11:22
Re: apache2 SSL configuration, error -12227 and self-signed certificates

THANK YOU!!!

Posted by: anonymous at June 10,2009 12:05
Re: apache2 SSL configuration, error -12227 and self-signed certificates

Thanks for sharing. I have forgotten it, too.

Posted by: Mike at October 31,2010 01:09