Problems with SSL certificates for AOSI
Several colleagues have contacted the helpdesk complaining that AOSI objects to incorrect certificates. AOSI picks up the existing certificates from Apache, so if those certificates happen to contain errors, AOSI refuses to cooperate.
Here is an example of the error in the AOSI web interface:
curl_exec error 51 SSL: certificate subject name '' does not match target host name ''
The problem is that the CN (Common Name) field in the certificate should match the host name. Check the certificates:
# openssl x509 -noout -text -in /etc/apache/ssl.crt/server.crt | grep Subject:
Subject: C=HR,,
# openssl x509 -noout -text -in /etc/aosi/certs/aosi_cert.pem | grep Subject:
Subject: C=HR,,
We can see that the certificates are invalid. We will delete the old certificates, generate new ones for Apache, and copy them to /etc/aosi/certs/.
# find /etc/apache -name server.\* | xargs rm
(If you get the messages "rm: too few arguments" and "Try `rm --help' for more information." here, it means that the files in question were already deleted earlier and you can continue with the procedure - Note by Željko Boroš)
# dpkg-reconfigure apache-cn
CN: Missing SSL certificates, generating.
Successfully generated server key pairs:
- ssl.crt/ca.crt
- ssl.key/ca.key
- ssl.crt/server.crt
- ssl.key/server.key
CN: Found: /etc/apache/mod-ssl.conf.
CN: mod_ssl configuration by CARNet is now in /etc/apache/conf.d/ssl.conf.
Check your configuration and remove the unneeded files.
Reloading apache modules.
Mailing upgrade output to root.
# cp /etc/apache/ssl.crt/server.crt /etc/aosi/certs/aosi_cert.pem
# cp /etc/apache/ssl.key/server.key /etc/aosi/certs/aosi_key.pem
Finally, we restart AOSI:
# /etc/init.d/aosi restart
And that's it.
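The CN check from the start of the procedure can be scripted and rerun once the new certificates are in place. This is an added example, not part of the original article or of AOSI: the function names and the script name are hypothetical, and it assumes the expected host name is the machine's FQDN from hostname -f and that only the CN is compared, exactly and ignoring case.

```shell
#!/bin/sh
# Added example (not from the original article): compare certificate CN
# with the expected host name for the Apache and AOSI certificate files.

# Print the CN from an openssl subject line; prints nothing if there is none.
# Accepts "CN=host" (older OpenSSL) and "CN = host" (newer OpenSSL) forms.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Succeed only if the CN is non-empty and equals the host name
# (exact match, ignoring case; wildcards are deliberately not accepted).
cn_matches_host() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    have=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Check one PEM certificate file against the expected host name.
check_cert() {
    subject=$(openssl x509 -noout -subject -in "$1" 2>/dev/null) || {
        echo "FAIL $1: cannot read certificate"; return 2; }
    cn=$(cn_from_subject "$subject")
    if cn_matches_host "$cn" "$2"; then
        echo "OK   $1: CN=$cn"
    else
        echo "FAIL $1: CN='$cn' does not match '$2'"; return 1
    fi
}

# Run as: sh check_cn.sh --check [hostname]   (check_cn.sh is a made-up name)
# Assumption: the expected name defaults to this machine's FQDN.
if [ "${1:-}" = "--check" ]; then
    host=${2:-$(hostname -f)}
    rc=0
    for f in /etc/apache/ssl.crt/server.crt /etc/aosi/certs/aosi_cert.pem; do
        check_cert "$f" "$host" || rc=1
    done
    exit "$rc"
fi
```

A subject without a CN, such as the broken one shown earlier, is reported as a failure rather than skipped.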
