On Saturday 29 April 2017 04:05:01 Felix Dietrich wrote:

> Gene Heskett <ghesk...@shentel.net> writes:
> > Where can I find a tut that is a complete instruction set to have it
> > do an auto-redirect to itself, but using the "s" stuff regardless of
> > the accessing client as long as the client can handle the https
> > stuff this conversion will return to the client?
>
> For the apache webserver, which I am assuming you are using, I found
>
> https://wiki.apache.org/httpd/RedirectSSL
>
> which describes how to permanently redirect clients to an encrypted
> connection. Clients without the capability to use SSL encryption will
> not be able to see the contents of your site.
>
> > I tried putting those 3 lines quoted numerous times at the bottom of
> > the httpd/conf/httpd.conf, but that killed local access so I assume
> > it also killed external access too. And its failure did not
> > generate an error.log entry.
>
> Which 3 lines are you referring to? I cannot see any lines that look
> like they represent configuration file syntax in your message.
>
> > Something was said about the AllowRedirect settings in httpd.conf,
> > but it did not specify what to change it to.
>
> Where was something said about AllowRedirect? What was stated
> exactly?
>
> > URL to the best tut please.
>
> As much as I enjoy a bit of social interaction: are you abusing us to
> do your internet searches for you? Searching for "SSL redirect
> apache" yields plenty of results. Part of the "joy" of the computer
> hobby is to wheat out obsolete information, identify the wrong, and
> copy and paste the slightly less wrong. I also won't judge anything
> to be "the best" – unless it is my own of course. :-p
>

Chuckle, point taken, used your search string and got smarter hits for
apache2. Since my domain registrar is namecheap, I'm reading this link:
<https://www.namecheap.com/support/knowledgebase/article.aspx/9821/38/redirect-to-https-on-apache>

The recommended commands, and responses:

    sudo a2enmod rewrite
    [sudo] password for gene:
    Enabling module rewrite.
    To activate the new configuration, you need to run:
      service apache2 restart
    gene@coyote:/etc/httpd/conf$ sudo a2enmod ssl
    Enabling module ssl.
    See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
    To activate the new configuration, you need to run:
      service apache2 restart

On restarting apache2, I get this error report on screen but the
error.log is not showing the attempted restart. Error shown:

    Syntax error on line 71 of /etc/apache2/mods-enabled/ssl.conf:
    Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
    Action 'start' failed.

That file's line 71: region

    68:SSLCipherSuite AES128+EECDH:AES128+EDH
    69:SSLHonorCipherOrder on
    # enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
    70:SSLProtocol -all +TLSv1
    71:Header always set Strict-Transport-Security "max-age=63072000; include SubDomains"
    72:Header alway set X-Frame-Options DENY

Being big dummy, what's this tell me?

So I read the file it recommends, which contains 2 more commands:

    a2ensite default-ssl
    a2enmod ssl

which appear to have worked, but it still will not restart.

The next recommended command is:

    If you install the ssl-cert package, a self-signed certificate will be
    automatically created using the hostname currently configured on your
    computer. You can recreate that certificate (e.g. after you have
    changed /etc/hosts or DNS to give the correct hostname) as user root
    with:

        make-ssl-cert generate-default-snakeoil --force-overwrite

But this brings up a question: The hostname of this computer doesn't
match the name in the sig, my whole home network's domain name is
coyote.den, and this machine is coyote.coyote.den.

Since it's all behind a dd-wrt install, and it's not even running on a
normal port number, this to bypass the usual port 80 blocking the ISPs
do in order to force you to use their servers at X$ a month, and to
honor one of the cpu industry's most enforced secrets ever, which is the
Hitachi HD63C09, a clone of the Moto 6809, but which we have discovered
is many times smarter. Hence the port:6309 in the sig, and the only port
forwarded to this machine.

So the internal name and the one in the sig don't match? So which name
will it use if I run the above cert generator command?

Ah, reading further, that's addressed by:

    To create more certificates with different host names, you can use

        make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /path/to/cert-file.crt

    This will ask you for the hostname and place both SSL key and
    certificate in the file /path/to/cert-file.crt . Use this file with
    the SSLCertificateFile directive in the Apache config (you don't need
    the SSLCertificateKeyFile in this case as it also contains the key).
    The file /path/to/cert-file.crt should only be readable by root. A
    good directory to use for the additional certificates/keys is
    /etc/ssl/private.

So I run it this way:

    root@coyote:~# make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/
    debconf: DbDriver "config": /var/cache/debconf/config.dat is locked by another process: Resource temporarily unavailable.

Synaptic was running in another workspace, waiting on input, and it
wants to restart the gui among other things, canceled it. Now a 2nd
attempt:

    Could not create certificate. Openssl output was:
    Error Loading extension section v3_req
    4147165448:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:531:
    4147165448:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=coyote.coyote.den,IP:192,168.71.3

Aha! A comma in the wrong place.

3rd pass:

    root@coyote:~# make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private
    Could not create certificate. Openssl output was:
    Error Loading extension section v3_req
    4147910920:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:531:
    4147910920:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=coyote.coyote.den,IP:192.168.71.3

WTH is v3_req? Apparently refers to man 5 x509_config, and that is way
above my pay grade.

4th pass, different arguments for the extras. Failed, same report.

Looks like it did work when I used the snake-oil version:

    root@coyote:~# ls -l /etc/ssl/private/
    total 4
    -rw-r----- 1 root ssl-cert 1704 Apr 29 08:46 ssl-cert-snakeoil.key

And the 2nd version about 6" up then appeared to fail as before.
However, no httpd start. And still no entries from the restarts in
/var/log/apache2/error.log.

My site is offline. And I need to reboot after the last update.

Thanks Felix.

> --
> Felix Dietrich

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
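
Added example, not part of the original message and not taken from the ssl-cert package: OpenSSL's subjectAltName value is a comma-separated list of TYPE:value entries, so the function below lints the two values quoted in the OpenSSL error reports above; its result for the 3rd-pass value is consistent with the "missing value" error persisting after the comma in the IP address was corrected. The names lint_san and is_ipv4 are hypothetical, the DNS:-prefixed form is an assumed correction, and IP entries are checked as IPv4 only.

```shell
#!/bin/sh
# Added example (not from the thread): lint a subjectAltName value before it
# reaches OpenSSL. Syntax per x509v3_config(5): comma-separated TYPE:value.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# lint_san VALUE: print one line per rejected entry; succeed if none.
lint_san() {
    bad=0
    old_ifs=$IFS; IFS=,
    set -f                      # keep '*' in wildcard names from globbing
    set -- $1
    set +f
    IFS=$old_ifs
    for entry in "$@"; do
        case "$entry" in
            DNS:?*|email:?*|URI:?*) continue ;;
            IP:*)  is_ipv4 "${entry#IP:}" && continue
                   echo "bad IP address: $entry" ;;
            *:*)   echo "unhandled type: $entry" ;;
            *)     echo "missing TYPE: prefix: $entry" ;;
        esac
        bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Constructed inputs: the two values quoted in the OpenSSL errors above,
# then a form with the DNS: prefix added (assumed fix, names from the post).
for san in 'coyote.coyote.den,IP:192,168.71.3' \
           'coyote.coyote.den,IP:192.168.71.3' \
           'DNS:coyote.coyote.den,IP:192.168.71.3'; do
    echo "== $san"
    lint_san "$san" || echo "   -> rejected"
done
```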