NSLU2-Linux
view · edit · print · history

The aim of this HowTo is to setup SSL with a self signed certificate on appWeb. The instructions are mostly copied from EnableHTTPSforApache (which is what I followed), but with slight modifications for appWeb. It is based on version 2.1.0-1; first step may not apply to future/past versions.

First Step: Check appWeb is working

Use a web browser to navigate to http://<slug(approve sites) ip>:7777/index.html (presuming you haven't changed default ports) If that succeeds, change the url to https://<slug(approve sites) ip>:4443/index.html The https url should generate some errors (such as certificate being for localhost, certificate expired); ignore these, clicking accept, etc. Once/if the page loads, check your browser to see if it gets encrypted properly (firefox: look in the address bar, there should be a padlock symbol)

If this step fails, check in /opt/var/appWeb/ if there is a server.crt file and a server.key.pem file. If not, go on to next step, as we will create them. If those files are there, there may be a config problem with appweb.

Step 2: Server Key

The following steps can be performed on the slug, or on a linux computer (much faster). Create a directory to work in:

 $ mkdir sslstuff
 $ cd sslstuff

and your server key:

 $ openssl genrsa -des3 -out server.key 1024
 $ mv server.key server.key.orig
 $ openssl rsa -in server.key.orig -out server.key

Now, prepare a certificate signing request (CSR):

 $ openssl req -new -key server.key -out server.csr

Important: you will be asked for the CommonName?. Enter your web servers name, i.e. www.example.com.

Step 3: Certificate Authority

Generate the key for the CA: $ openssl genrsa -des3 -out ca.key 1024

and generate a self signed certificate for it:

 $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Step 4: Sign Server Key

You should use the script that is shipped with mod_ssl. For your convenience the script can be found at the end of this page.

 $ ./sign.sh server.csr

You should be asked both these questions; if not, something has gone wrong:
Sign the certificate? [y/n]:
1 out of 1 certificate requests certified, commit? [y/n]

Answer yes to both, and you should see:
CA verifying: server.crt <-> CA cert
server.crt: OK

Unless something has gone wrong.

Step 5: Setup AppWeb?

Copy server.crt and server.key to /opt/var/appWeb/ (backup the original server.crt and server.key.pem if you wish or are prone to stuffups)

 $ cp server.crt /opt/var/appWeb/
 $ cp server.key /opt/var/appWeb/

Now all that remains is a slight modification to /opt/var/appWeb/appWeb.conf Find this block of text near the end of the file:
#
# WARNING: we are using the decrypted key here so it won't prompt for the
# password. Replace with server.key for higher security
#
SSLCertificateKeyFile? "$SERVER_ROOT/server.key.pem"

Replace the SSLCertificateKeyFile? line with this one:
SSLCertificateKeyFile? "$SERVER_ROOT/server.key"

Save the appWeb.conf and restart appWeb:

 $ /opt/etc/init.d/S81appweb

Step 6: Check it all works

Go back to https://<slug(approve sites) ip>:4443/index.html (or the common name used, if it's an private network one, e.g 'slug') This time, you should get an error about the certificate being for <CommonName?>, continue anyway, then it will say the certificate isn't signed by a trusted provider, it's only for private use, so this doesn't matter.

Everything should be working now.

sign.sh

This script has broadly been incorporated in the script above, although the script above does not attempt to varify the signing since it is problematic on the NSLU2.

 

#!/bin/sh
##
##  sign.sh -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
##

#   argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sign <whatever>.csr"; exit 1
fi
if [ ! -f $CSR ]; then
    echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
   *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
       * ) CERT="$CSR.crt" ;;
esac

#   make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

#   create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca              = CA_own
[ CA_own ]
dir                     = .
certs                   = \$dir
new_certs_dir           = \$dir/ca.db.certs
database                = \$dir/ca.db.index
serial                  = \$dir/ca.db.serial
RANDFILE                = \$dir/ca.db.rand
certificate             = \$dir/ca.crt
private_key             = \$dir/ca.key
unique_subject          = no
default_days            = 365
default_crl_days        = 30
default_md              = md5
preserve                = no
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOT

#  sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt $CERT

#  cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

#  die gracefully
exit 0


view · edit · print · history · Last edited by lexvictory.
Originally by lexvictory.
Page last modified on March 22, 2008, at 11:29 AM