On Mon, Jul 03, 2006 at 03:02:46PM +0200, FTP wrote:
> On Mon, Jul 03, 2006 at 10:47:04AM +0200, Joachim Schipper wrote:
> > On Sun, Jul 02, 2006 at 10:32:12PM +0200, FTP wrote:
> > > On Tue, Jun 27, 2006 at 05:03:52PM +0200, FTP wrote:
> > > > when I try to access the site via lynx I do get an SSL error message
> > > > moaning that I have a self-signed cert. After accepting this, the
> > > > page gets displayed. So it looks like the problem is with the CA?
> > > > How do I correct that? I found a reference in
> > > > "manual/mod/mod_ssl/ssl_faq.html#ToC24" but mentions a "sign.sh"
> > > > script which isn't present in the OBSD package.
> > >
> > > any chance to draw some attention to the above?
> >
> > There are two basic solutions:
> > 1. Get a certificate from a commercial CA - Verisign, Thawte,
> > and the like. This will be trusted by default in most applications,
> > especially browsers.
> > 2. Create your own certificate, or whole CA chain. In this case,
> > you'll have to tell applications and visitors to accept the certificate.
> > I created my own CA, and had it sign one certificate per service. The
> > users then import the CA (in the ideal world) or just click 'accept
> > always' or the equivalent in their browser/mail client/... (in the real
> > world). [1]
> >
> > If you want to go with the second option, Google has lots of HOWTO's.
> > It's not too difficult, but it does cost some work - and, being crypto,
> > finding out just why it doesn't work is not trivial.
> >
> > Joachim
> >
> > [1] And then complain when the certificate expires. Well, the CA has a
> > much longer lifetime...
> >
>
> but I was following the procedure described in:
> http://openbsd.org/faq/faq10.html#HTTPS
>
> which normally should cover the self-signed cert part as well - or not?
>
> Thanks
>
> George
>
now I get via lynx the following:

# lynx https://x.x.x.x
Looking up x.x.x.x
Making HTTPS connection to x.x.xx.
Alert!: Unable to connect to remote host.
lynx: Can't access startfile https://x.x.x.x/
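
The second option quoted above (a private CA that signs one certificate per service, which clients then import), as an added example that is not part of the original thread and not taken from the OpenBSD FAQ. It assumes OpenSSL 1.1.0 or later on the PATH; the CA name, the host name `www.example.test` and all file names are constructed.

```shell
#!/bin/sh
# Added example: private CA + one server certificate. All names are constructed.
set -e

build_pki() {   # $1 = empty working directory
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
    # 1. Self-signed CA certificate, long-lived (about 10 years).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/pki.cnf" -extensions v3_ca -subj "/CN=Example Private CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    # 2. Server key and signing request (repeat per service).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/pki.cnf" -subj "/CN=www.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    # 3. The CA signs the request; the server certificate is shorter-lived.
    openssl x509 -req -in "$1/srv.csr" -sha256 -days 365 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/pki.cnf" -extensions v3_srv -out "$1/srv.crt" 2>/dev/null
    chmod 600 "$1/ca.key" "$1/srv.key"
}

# A client that imported ca.crt: the chain verifies.
verify_with_ca()    { openssl verify -CAfile "$1/ca.crt" "$1/srv.crt" >/dev/null 2>&1; }
# A client that did not: verification fails, as with the self-signed warning.
verify_without_ca() { openssl verify "$1/srv.crt" >/dev/null 2>&1; }
# Shows who signed a certificate.
issuer_of()         { openssl x509 -in "$1" -noout -issuer; }

d=$(mktemp -d)
build_pki "$d"
issuer_of "$d/srv.crt"
verify_with_ca "$d" && echo "CA imported: server certificate verifies"
verify_without_ca "$d" || echo "CA not imported: server certificate is not trusted"
rm -rf "$d"
```

Only `ca.crt` is handed to users; `ca.key` stays offline, since anyone holding it can issue certificates those clients will accept.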