NSLU2-Linux

HowTo.EnableHTTPSforAppWeb History


March 22, 2008, at 11:29 AM by lexvictory --
Changed lines 7-8 from:

Use a web browser to navigate to http://<slug ip>:7777/index.html\\ (presuming you haven't changed default ports) If that succeeds, change the url to https://<slug ip>:4443/index.html

to:

Use a web browser to navigate to http://<slug ip>:7777/index.html (presuming you haven't changed default ports) If that succeeds, change the url to https://<slug ip>:4443/index.html

Changed line 89 from:

Go back to https://<slug ip>:4443/index.html (or the common name used, if it's an private network one, e.g 'slug')

to:

Go back to https://<slug ip>:4443/index.html (or the common name used, if it's an private network one, e.g 'slug')

March 22, 2008, at 11:27 AM by lexvictory --
Changed lines 1-2 from:

The aim of this HowTo is to setup SSL with a self signed certificate on AppWeb?. The instructions are mostly copied from EnableHTTPSforApache (which is what I followed), but with slight modifications for AppWeb?.

to:

The aim of this HowTo is to setup SSL with a self signed certificate on appWeb. The instructions are mostly copied from EnableHTTPSforApache (which is what I followed), but with slight modifications for appWeb.

Changed lines 5-7 from:

First Step: Check AppWeb? is working

Use a web browser to navigate to http://<slug ip>:7777/index.html (presuming you haven't changed default ports)

to:

First Step: Check appWeb is working

Use a web browser to navigate to http://<slug ip>:7777/index.html\\ (presuming you haven't changed default ports)

Added line 48:

\\

Changed lines 51-52 from:
to:


Added line 54:

\\

Changed lines 57-58 from:
to:


Added line 70:

\\

Changed lines 76-77 from:
to:


Added line 79:

\\

Changed lines 81-82 from:
to:


March 22, 2008, at 11:24 AM by lexvictory -- created page
Added lines 1-170:

The aim of this HowTo is to set up SSL with a self-signed certificate on AppWeb. The instructions are mostly copied from EnableHTTPSforApache (which is what I followed), but with slight modifications for AppWeb. It is based on version 2.1.0-1; the first step may not apply to future/past versions.

First Step: Check AppWeb is working

Use a web browser to navigate to http://<slug ip>:7777/index.html (presuming you haven't changed the default ports). If that succeeds, change the URL to https://<slug ip>:4443/index.html. The https URL should generate some errors (such as the certificate being for localhost, or the certificate having expired); ignore these, clicking accept, etc. Once/if the page loads, check your browser to see if the connection is encrypted properly (Firefox: look in the address bar, there should be a padlock symbol).

If this step fails, check in /opt/var/appWeb/ whether there is a server.crt file and a server.key.pem file. If not, go on to the next step, as we will create them. If those files are there, there may be a config problem with appWeb.

Step 2: Server Key

The following steps can be performed on the slug, or on a linux computer (much faster). Create a directory to work in:

 $ mkdir sslstuff
 $ cd sslstuff

and your server key:

 $ openssl genrsa -des3 -out server.key 1024
 $ mv server.key server.key.orig
 $ openssl rsa -in server.key.orig -out server.key

Now, prepare a certificate signing request (CSR):

 $ openssl req -new -key server.key -out server.csr

Important: you will be asked for the CommonName. Enter your web server's name, e.g. www.example.com.

Step 3: Certificate Authority

Generate the key for the CA:

 $ openssl genrsa -des3 -out ca.key 1024

and generate a self signed certificate for it:

 $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Step 4: Sign Server Key

You should use the script that is shipped with mod_ssl. For your convenience the script can be found at the end of this page.

 $ ./sign.sh server.csr

You should be asked both these questions; if not, something has gone wrong:

 Sign the certificate? [y/n]:
 1 out of 1 certificate requests certified, commit? [y/n]

Answer yes to both, and you should see:

 CA verifying: server.crt <-> CA cert
 server.crt: OK

unless something has gone wrong.

Step 5: Setup AppWeb

Copy server.crt and server.key to /opt/var/appWeb/ (back up the original server.crt and server.key.pem if you wish or are prone to stuffups):

 $ cp server.crt /opt/var/appWeb/
 $ cp server.key /opt/var/appWeb/

Now all that remains is a slight modification to /opt/var/appWeb/appWeb.conf. Find this block of text near the end of the file:

 #
 # WARNING: we are using the decrypted key here so it won't prompt for the
 # password. Replace with server.key for higher security
 #
 SSLCertificateKeyFile "$SERVER_ROOT/server.key.pem"

Replace the SSLCertificateKeyFile line with this one:

 SSLCertificateKeyFile "$SERVER_ROOT/server.key"

Save the appWeb.conf and restart appWeb:

 $ /opt/etc/init.d/S81appweb

Step 6: Check it all works

Go back to https://<slug ip>:4443/index.html (or the common name used, if it's a private network one, e.g. 'slug'). This time, you should get an error about the certificate being for <CommonName>; continue anyway. Then it will say the certificate isn't signed by a trusted provider; it's only for private use, so this doesn't matter.

Everything should be working now.
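Steps 2 to 4 carried out non-interactively, followed by the checks worth running on the files before they are copied to /opt/var/appWeb/ in Step 5. This is an added example and not part of the HowTo; it assumes openssl is on PATH, uses 2048-bit keys and sha256 instead of the HowTo's 1024-bit/md5, writes the server key unencrypted (the HowTo strips the passphrase in Step 2), uses "openssl x509 -req" in place of sign.sh, and the host name "slug" is a constructed example.

```shell
#!/bin/sh
# Added example, not part of the HowTo: rebuilds the Step 2-4 chain
# non-interactively and then runs the checks worth doing before the files
# are copied to /opt/var/appWeb/ (Step 5). Assumptions: openssl on PATH;
# 2048-bit keys and sha256 instead of the HowTo's 1024-bit/md5; the server
# key is written unencrypted (the HowTo strips the passphrase in Step 2);
# "openssl x509 -req" stands in for sign.sh; host name "slug" is constructed.
set -e

# make_chain DIR CN: CA key+cert, server key, CSR and CA-signed cert in DIR.
make_chain() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key "$dir/ca.key" \
        -subj "/CN=Example Private CA" -out "$dir/ca.crt"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" -out "$dir/server.csr"
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
    # Both keys now sit decrypted on disk: restrict them to the owner.
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# check_chain DIR CN: returns 0 only if the cert chains to ca.crt, the
# private key matches the cert, the CN is the host you will browse to, and
# the decrypted server key is readable by its owner only.
check_chain() {
    dir=$1; cn=$2; rc=0
    if openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1
    then echo "chain:    OK"; else echo "chain:    FAIL"; rc=1; fi
    certmod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    keymod=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)
    if [ "$certmod" = "$keymod" ]
    then echo "key/cert: OK"; else echo "key/cert: FAIL (key does not match cert)"; rc=1; fi
    subj=$(openssl x509 -noout -subject -in "$dir/server.crt")
    case "$subj" in
        *"CN = $cn"*|*"CN=$cn"*) echo "cn:       OK ($cn)" ;;
        *) echo "cn:       FAIL (expected $cn, got: $subj)"; rc=1 ;;
    esac
    perm=$(stat -c '%a' "$dir/server.key" 2>/dev/null || stat -f '%Lp' "$dir/server.key")
    if [ "$perm" = "600" ]
    then echo "keyperm:  OK"; else echo "keyperm:  FAIL (mode $perm, want 600)"; rc=1; fi
    return $rc
}
```

Run as `make_chain sslstuff slug && check_chain sslstuff slug`; a CN mismatch or a key left group/world readable makes the check fail, which is what you want to catch before the browser test in Step 6.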

sign.sh

This script has broadly been incorporated in the script above, although the script above does not attempt to verify the signing since it is problematic on the NSLU2.

#!/bin/sh
##
##  sign.sh -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
##

#   argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh <whatever>.csr"; exit 1
fi
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi
#   derive the certificate file name from the CSR name
case $CSR in
   *.csr ) CERT="`echo "$CSR" | sed -e 's/\.csr$/.crt/'`" ;;
       * ) CERT="$CSR.crt" ;;
esac

#   make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

#   create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca              = CA_own
[ CA_own ]
dir                     = .
certs                   = \$dir
new_certs_dir           = \$dir/ca.db.certs
database                = \$dir/ca.db.index
serial                  = \$dir/ca.db.serial
RANDFILE                = \$dir/ca.db.rand
certificate             = \$dir/ca.crt
private_key             = \$dir/ca.key
unique_subject          = no
default_days            = 365
default_crl_days        = 30
# md5 is this 1998-era script's default; it is no longer collision resistant
# and recent OpenSSL builds may refuse it, so use sha256 on current systems
default_md              = md5
preserve                = no
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOT

#  sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out "$CERT" -infiles "$CSR"
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt "$CERT"

#  cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

#  die gracefully
exit 0



Last edited by lexvictory.
Originally by lexvictory.
Page last modified on March 22, 2008, at 11:29 AM