The aim of this HowTo is to set up SSL with a self-signed certificate on appWeb.
The instructions are mostly copied from EnableHTTPSforApache (which is what I followed), but with slight modifications for appWeb.
It is based on version 2.1.0-1; the first step may not apply to future/past versions.
Step 1: Check appWeb is working
Use a web browser to navigate to http://<slug ip>:7777/index.html (presuming you haven't changed the default ports).
If that succeeds, change the URL to https://<slug ip>:4443/index.html
The https URL will produce certificate warnings (the shipped certificate is issued to localhost and may have expired); accept them for now, this step only checks that the https listener is up at all.
Once/if the page loads, check that the connection is actually encrypted (Firefox: there should be a padlock symbol in the address bar).
If this step fails, check whether /opt/var/appWeb/ contains a server.crt and a server.key.pem file. If not, go on to the next step, as we will create replacements. If the files are there, the problem is more likely in appWeb.conf than in the certificates.
Step 2: Server Key
The following steps can be performed on the slug, or on a linux computer (much faster).
Create a directory to work in:
$ mkdir sslstuff
$ cd sslstuff
and your server key (2048 bits; the 1024-bit keys older guides used are no longer considered adequate, and key generation is the slow step on the slug):
$ openssl genrsa -des3 -out server.key 2048
$ mv server.key server.key.orig
$ openssl rsa -in server.key.orig -out server.key
genrsa asks for a passphrase and writes an encrypted key; the rsa command then writes an unencrypted copy of it to server.key. appWeb needs the unencrypted copy so that it can start without prompting for the passphrase, which means file permissions are the only thing protecting the key: keep server.key readable only by the user appWeb runs as and do not copy it anywhere it is not needed.
Now, prepare a certificate signing request (CSR):
$ openssl req -new -key server.key -out server.csr
Important: you will be asked for the Common Name. Enter the name your browser will use to reach the slug, e.g. www.example.com or slug. Browsers compare this against the host part of the URL, so a mismatch produces a warning later in Step 6.
Step 3: Certificate Authority
Generate the key for the CA (again 2048 bits):
$ openssl genrsa -des3 -out ca.key 2048
and generate a self-signed certificate for it:
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Give the CA a Common Name that differs from the server's (e.g. "Home CA"); a server certificate whose subject equals its issuer fails verification. ca.key stays encrypted and should never be copied to the slug: anyone holding it can issue certificates your browser will accept once you import ca.crt. Note also that -days 365 makes the CA certificate expire after a year, and the server certificates it signed stop validating with it.
Step 4: Sign Server Key
You should use the script that is shipped with mod_ssl. For your convenience the script can be found at the end of this page (save it as sign.sh in sslstuff and make it executable).
$ ./sign.sh server.csr
You will be asked for the CA key passphrase and then both of these questions; if not, something has gone wrong:
Sign the certificate? [y/n]:
1 out of 1 certificate requests certified, commit? [y/n]
Answer yes to both. Unless something has gone wrong, you should then see:
CA verifying: server.crt <-> CA cert
server.crt: OK
Copy server.crt and server.key to /opt/var/appWeb/ (back up the original server.crt and server.key.pem first if you wish, or are prone to stuffups):
$ cp server.crt /opt/var/appWeb/
$ cp server.key /opt/var/appWeb/
Make sure the copied server.key is readable only by the user appWeb runs as. server.csr, ca.key and the rest of sslstuff stay on the machine you generated them on; the slug only needs server.crt and server.key.
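The same Steps 2 to 4 as one non-interactive script, with the checks worth running before anything is copied to the slug. This is an added example, not part of the original HowTo and not appWeb's or mod_ssl's code; it assumes a working openssl (1.1.0 or newer) on the machine you generate on, and WORKDIR, HOST, the CA name and the file names are assumptions for the example. It goes slightly beyond the HowTo by adding a subjectAltName extension, which current browsers require in addition to the Common Name.

```shell
#!/bin/sh
# Added example, not part of the original HowTo or of appWeb: Steps 2 to 4
# done non-interactively, plus the checks worth running before the files are
# copied to /opt/var/appWeb/. Assumes a working `openssl` (1.1.0 or newer).
# WORKDIR, HOST and the CA name are assumptions for the example.
set -eu

WORKDIR="${WORKDIR:-sslstuff}"   # same directory name as the HowTo
HOST="${HOST:-slug}"             # the name the browser will use to reach the slug
DAYS="${DAYS:-365}"

# Generates ca.key/ca.crt, server.key/server.csr and the signed server.crt.
make_certs() (
    mkdir -p "$WORKDIR"
    cd "$WORKDIR"
    # CA key: 2048 bits (1024 is no longer adequate). No passphrase, so the
    # script runs unattended; file permissions protect the key instead.
    openssl genrsa -out ca.key 2048 2>/dev/null
    chmod 600 ca.key
    openssl req -new -x509 -sha256 -days "$DAYS" -key ca.key -out ca.crt \
        -subj "/CN=Example home CA"
    # Server key, unencrypted like the HowTo's server.key after `openssl rsa`,
    # so appWeb can start without a passphrase prompt.
    openssl genrsa -out server.key 2048 2>/dev/null
    chmod 600 server.key
    openssl req -new -sha256 -key server.key -out server.csr -subj "/CN=$HOST"
    # Sign with the CA. The extension file adds a subjectAltName carrying the
    # same name as the CN; current browsers ignore the CN and need the SAN.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$HOST" >server.ext
    openssl x509 -req -sha256 -days "$DAYS" -in server.csr \
        -CA ca.crt -CAkey ca.key -CAcreateserial -extfile server.ext \
        -out server.crt 2>/dev/null
)

# verify_certs DIR HOST: returns 0 only if server.crt chains to ca.crt, the
# private key matches the certificate, the signature is SHA-256 and the
# certificate is valid for HOST (the same name check a browser performs).
verify_certs() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    km=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)
    cm=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    [ "$km" = "$cm" ] || return 1
    openssl x509 -noout -text -in "$dir/server.crt" \
        | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    openssl x509 -noout -in "$dir/server.crt" -checkhost "$host" | grep -q 'does match'
}

# Usage: sh make-slug-certs.sh run
if [ "${1:-}" = "run" ]; then
    make_certs
    verify_certs "$WORKDIR" "$HOST" && echo "certificates OK in $WORKDIR"
fi
```

Run it with HOST set to whatever you will type into the browser's address bar; if verify_certs fails on the -checkhost line, the certificate is for a different name than you are using and Step 6 will show the name-mismatch warning.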
Step 5: Configure appWeb
Now all that remains is a slight modification to /opt/var/appWeb/appWeb.conf.
Find this block of text near the end of the file:
#
# WARNING: we are using the decrypted key here so it won't prompt for the
# password. Replace with server.key for higher security
#
SSLCertificateKeyFile "$SERVER_ROOT/server.key.pem"
Replace the SSLCertificateKeyFile line with this one:
SSLCertificateKeyFile "$SERVER_ROOT/server.key"
(The comment in the shipped file refers to its own key pair. The server.key from Step 2 is also unencrypted, so appWeb will still start without a prompt; the old server.key.pem is no longer used.)
Save the appWeb.conf and restart appWeb:
$ /opt/etc/init.d/S81appweb
Step 6: Check it all works
Go back to https://<slug ip>:4443/index.html, or better, use the Common Name you put in the certificate, e.g. https://slug:4443/index.html if that is how the slug resolves on your private network.
If you browse by IP address you will get a warning that the certificate was issued to <CommonName> rather than the address; browsing by the Common Name avoids it. Either way the browser will say the certificate isn't signed by a trusted provider, because the CA is your own; for private use that doesn't matter (importing ca.crt into the browser as a trusted authority removes the warning, and then any remaining warning is a real problem).
Everything should be working now.
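The check in Step 6 can be done from the command line instead of clicking through browser warnings, which also tells you whether appWeb is really serving the new certificate rather than the old localhost one from Step 1. This is an added example, not part of the original HowTo and not appWeb's code; it assumes openssl (1.1.0 or newer) on the checking machine, and the host, port and file names are assumptions (the HowTo uses port 4443 and the ca.crt from Step 3).

```shell
#!/bin/sh
# Added example, not part of the original HowTo or of appWeb: check the live
# https listener from the command line instead of clicking through browser
# warnings. Assumes `openssl` (1.1.0 or newer) on the checking machine; host,
# port and file names are assumptions (the HowTo uses port 4443 and ca.crt).
set -u

# check_tls HOST PORT CAFILE
# Returns 0 only if the TLS handshake succeeds, the served certificate chains
# to CAFILE (your own CA, so no "untrusted issuer" warning is expected) and it
# is valid for HOST. An IP address is matched against iPAddress SANs, a name
# against dNSName SANs, the way a browser does it.
check_tls() {
    host="$1"; port="$2"; cafile="$3"
    case "$host" in
        *[!0-9.]*) vopt=-verify_hostname ;;
        *)         vopt=-verify_ip ;;
    esac
    # -verify_return_error makes s_client abort (exit 1) on a verify failure
    # instead of merely printing it.
    out=$(openssl s_client -connect "$host:$port" "$vopt" "$host" \
              -CAfile "$cafile" -verify_return_error </dev/null 2>&1) || {
        printf '%s\n' "$out" | grep -E 'verify error|connect:|Verify return code' >&2
        return 1
    }
    printf '%s\n' "$out" | grep -E '^(subject|issuer)=|Verify return code'
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# served_fingerprint HOST PORT: SHA-256 fingerprint of the certificate the
# server actually sends. Compare it with file_fingerprint of the server.crt you
# copied to /opt/var/appWeb/: a mismatch means appWeb did not load the new
# certificate (wrong path in appWeb.conf, or it was not restarted).
served_fingerprint() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}
file_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Usage: sh check-appweb-tls.sh slug 4443 sslstuff/ca.crt [sslstuff/server.crt]
if [ $# -ge 3 ]; then
    check_tls "$1" "$2" "$3" || exit 1
    if [ $# -ge 4 ]; then
        if [ "$(served_fingerprint "$1" "$2")" = "$(file_fingerprint "$4")" ]; then
            echo "served certificate matches $4"
        else
            echo "served certificate differs from $4"; exit 1
        fi
    fi
fi
```

Note that a certificate made exactly as in Steps 2 to 4 carries only a Common Name, so check_tls with the slug's IP address will fail the name check even though the chain verifies; check by the Common Name, or add an IP entry to the certificate's subjectAltName when you generate it.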
sign.sh
This is the mod_ssl script referred to in Step 4. It has broadly been incorporated in the script above, although the script above does not attempt to verify the signing since it is problematic on the NSLU2.
#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
##

# argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh <whatever>.csr"; exit 1
fi
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
    *.csr ) CERT="`echo "$CSR" | sed -e 's/\.csr$/.crt/'`" ;;
    * ) CERT="$CSR.crt" ;;
esac

# make sure environment exists (the CA's certificate store, index and serial counter)
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

# create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca = CA_own

[ CA_own ]
dir = .
certs = \$dir
new_certs_dir = \$dir/ca.db.certs
database = \$dir/ca.db.index
serial = \$dir/ca.db.serial
RANDFILE = \$dir/ca.db.rand
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
unique_subject = no
default_days = 365
default_crl_days = 30
# sha256 instead of the original md5: MD5-signed certificates are rejected
# by current browsers and OpenSSL builds
default_md = sha256
preserve = no
policy = policy_anything

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT

# sign the certificate (prompts for the ca.key passphrase and the two y/n questions)
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out "$CERT" -infiles "$CSR" || exit 1
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt "$CERT"

# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

# die gracefully
exit 0