# Server Admin and HTTPS... how does it work?



## LedZep2 (25 October 2007)

Hello everyone,

I am submitting a problem here that I described on the official Apple forum, where it still has not received any answer.
The problem is paralysing me completely in my work.
The slightest bit of help will be welcome!
Here is the procedure:

Hi there!

It took tons of hours trying to set up an HTTPS connection, and it still does not work.
I went to tons of forums and tried all the tricks written there; nothing worked.
Most of the time it is not clear.
Most of the time it changed nothing.

YOU are my last chance!
I listed several questions in green; it would be kind of you if you had some answers.
Here follow the steps that I did.

First, I used this site: http://developer.apple.com/internet/serverside/modssl.html

Nice site, not so clear, but nice.
So here is what I did:
openssl genrsa -des3 -out server.key 2048

Passphrase: 123456 (twice)

then:
openssl req -new -key server.key -out server.csr

Passphrase: 123456

Organization Name: GG LTD
Common Name: GOK

No challenge password nor optional company name.

openssl genrsa -des3 -out ca.key 2048

Passphrase: azerty (twice)

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Organization Name: GG HC
Common Name: GG HC OK

After that I continued:
chmod +x sign.sh
./sign.sh server.csr

Passphrase: azerty

Certificate is to be certified until Oct 22 18:11:15 2008 GMT (365 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y

Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK

So that seems to be OK!

Next step...

sudo mkdir /etc/httpd/ssl.key
sudo cp -r * /etc/httpd/ssl.key/


Here is what I got:

powermacquad:/etc/httpd/ssl.key root# ll
total 72
drwx------   12 root  wheel   408 Oct 23 11:14 .
drwxr-xr-x   23 root  wheel   782 Oct 22 19:24 ..
-rw-r--r--    1 root  wheel  1513 Oct 23 11:14 ca.crt
drwxr-xr-x    3 root  wheel   102 Oct 23 11:14 ca.db.certs
-rw-r--r--    1 root  wheel    82 Oct 23 11:14 ca.db.index
-rw-r--r--    1 root  wheel    21 Oct 23 11:14 ca.db.index.attr
-rw-r--r--    1 root  wheel     3 Oct 23 11:14 ca.db.serial
-rw-r--r--    1 root  wheel  1751 Oct 23 11:14 ca.key
-rw-r--r--    1 root  wheel  3890 Oct 23 11:14 server.crt
-rw-r--r--    1 root  wheel   997 Oct 23 11:14 server.csr
-rw-r--r--    1 root  wheel  1743 Oct 23 11:14 server.key
-rwxr-xr-x    1 root  wheel  1784 Oct 23 11:14 sign.sh

I did not do the "Removing the pass phrase requirement" step because I am in production. So, as I understand it, I will have to retype the passphrase every time I reboot; I will have to start Apache manually from the command line. 1- Is that true? Or is it acceptable to remove the passphrase requirement (if the computer is physically protected from hackers or something else)?

The next step was:
sudo apachectl stop
cd /etc/httpd
sudo cp httpd.conf httpd.conf.backup

The next step is harder to understand.
What I want to do is to reserve this directory:
/Library/WebServer/html/secure/
for my HTTPS.
2- Is that possible?

Here are the important parts of my httpd.conf file:

LoadModule ssl_module libexec/httpd/libssl.so

AddModule mod_ssl.c

ServerSignature On

#Port 80
## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
<IfModule mod_ssl.c>
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    SSLPassPhraseDialog exec:/etc/httpd/getsslpassphrase
    SSLSessionCache dbm:/var/log/httpd/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/var/log/httpd/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLLogLevel info
    AddType application/x-x509-ca-cert crt
    AddType application/x-pkcs7-crl crl
    SSLProtocol all -SSLv2
    SSLLog "/var/log/httpd/ssl_engine_log"
## SSL Virtual Host Context
##
    <VirtualHost 127.0.0.1:80>
#Just to keep things sane...
        DocumentRoot "/Library/WebServer/html"
        ServerName 127.0.0.1
        ServerAdmin admin@gg.fr
        SSLEngine Off
    </VirtualHost>
    <VirtualHost 127.0.0.1:443>
# General setup for the virtual host
        DocumentRoot "/Library/WebServer/html/secure"
#ServerName has to match the server you entered into the CSR
        ServerName secure
        ServerAdmin admin@gg.fr
        ErrorLog "/var/log/httpd/error_log"
        TransferLog /var/log/httpd/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
        SSLEngine On
# enable SSLv3 but not SSLv2
        SSLProtocol all -SSLv2
        SSLCipherSuite "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
# Path to your certificates and private key        
        SSLCertificateFile "/etc/httpd/ssl.key/serveur.crt"
        SSLCertificateKeyFile "/etc/httpd/ssl.key/serveur.key"
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/Library/WebServer/CGI-Executables">
            SSLOptions +StdEnvVars
        </Directory>
# correction for browsers that don't always handle SSL connections well
        SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
    Listen 443
    Listen 80
</IfModule>
<IfModule mod_jk.c>
    JKWorkersFile /etc/httpd/workers.properties
    JKLogFile /var/log/httpd/mod_jk.log
    JKLogLevel error
    JKMount /*.jsp JBoss1
    JKMount /servlet/* JBoss1
    JKMount /examples/* JBoss1
</IfModule>
## 
##
## The default server is used for status on a special port


3- Is there a problem with my httpd.conf?

At this point I have two options:
the first one is to use /Settings/Certificates

the second one is to configure everything in /Web/Settings/General+Security/

Let's see the first option.
I clicked on Import, a new window appeared and I entered my parameters:

Just after clicking Import it froze for a long, long time.
The password entered was: 123456. 4- Is that right?
I had to force quit the Server Admin application so as not to wait three more days!!

So now let's see the second option:

I have only one IP.
On the first line there is my official website.
On the second is the MySQL web interface: /Library/WebServer/Documents/phpMyAdmin/
Here I had to click on "+" to create a new site.

You can see 4 arrows pointing at some delicate points.
5- Are all these points OK? Are the parameters appropriate?

Now it is time to try to enter this #@!+$£#@& certificate.
First thing to do is to select the personalised configuration:

After that, a question:
6- Why are the default cert and key stored in /etc/Certificates and not in /etc/httpd/ssl.* like mine? Is that important?

I entered the parameters as follows:

And that was good, it said: Import successful.

Now it is easy: you click OK, then you save the new configuration.
And when I want to restart the web service, it fails like this:

Saying:
"try to refresh the configuration, try to contact the admin, see the logs, impossible to restart".
Two more details:
- I have no performance cache

- The last details are:
httpd -D SSL
Invalid command '%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b', perhaps mis-spelled or defined by a module not included in the server configuration

I tried a lot more things, for example commenting out these lines:
'%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b'
(for the following commands I am root)
Then when I try httpd -D SSL
it gives: Processing config directory: /etc/httpd/sites/*.conf
 Processing config file: /etc/httpd/sites/0000_any_80_.conf
 Processing config file: /etc/httpd/sites/0001_127.0.0.1_80_phpmyadmin.conf
 Processing config file: /etc/httpd/sites/virtual_host_global.conf
So I thought it was OK, but then when I did
apachectl start
Processing config directory: /etc/httpd/sites/*.conf
 Processing config file: /etc/httpd/sites/0000_any_80_.conf
 Processing config file: /etc/httpd/sites/0001_127.0.0.1_80_phpmyadmin.conf
 Processing config file: /etc/httpd/sites/virtual_host_global.conf
/usr/sbin/apachectl start: httpd could not be started

And the log said :
/var/log/httpd root# tail 20 -f ssl_engine_log
[23/Oct/2007 12:59:50 09697] [info]  Server: Apache/1.3.33, Interface: mod_ssl/2.8.24, Library: OpenSSL/0.9.7l
[23/Oct/2007 12:59:50 09697] [info]  Init: 1st startup round (still not detached)
[23/Oct/2007 12:59:50 09697] [info]  Init: Initializing OpenSSL library
[23/Oct/2007 12:59:50 09697] [info]  Init: Loading certificate & private key of SSL-aware server secure:443
[23/Oct/2007 12:59:50 09697] [error] Init: Unable to read server certificate from file /etc/httpd/ssl.key/serveur.crt (OpenSSL library error follows)
[23/Oct/2007 12:59:50 09697] [error] OpenSSL: error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long

7- That will be my last question: what did I do wrong? What should I do?

That's all.
My problem is as big as this post.
I must find a solution.

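As an added example that is not part of the original post (nor of Apple's mod_ssl page), here is the certificate procedure from the post above run non-interactively from a POSIX shell, with the checks a practitioner would make before touching httpd.conf. It assumes OpenSSL on PATH, a scratch directory $WORK (hypothetical) whose install/ subdirectory stands in for /etc/httpd/ssl.key, and throwaway passphrases in place of the post's. Signing is done with openssl x509 -req instead of the sign.sh wrapper, so no ca.db.* files appear. Two things visible in the post drive the checks: the failing path in ssl_engine_log, serveur.crt, does not appear in the directory listing, which holds server.crt; and the log-format line under "Per-Server Logging" lacks the CustomLog directive and log file name that must precede it in Apache's syntax, which is why httpd reports it as an invalid command (that one is a one-line config fix and not something the script does).

```shell
#!/bin/sh
# Added example (not code from the post or from Apple's mod_ssl page).
# Same CA / server-certificate procedure as the post, non-interactive, plus
# the checks that catch the thread's two failure modes: a certificate path
# that does not exist or is not loadable, and a key that is not the
# certificate's.  Hypothetical: $WORK (scratch dir), $WORK/install in place
# of /etc/httpd/ssl.key, and the demo passphrases below.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, nothing to do" >&2; exit 0; }

WORK=${WORK:-$(mktemp -d)}
CA_PASS=demo-ca-pass        # placeholder, not the post's "azerty"
SRV_PASS=demo-server-pass   # placeholder, not the post's "123456"

# CA key + self-signed CA cert, server key + CSR, CSR signed by the CA.
# $1 is the server CN and must equal the host name clients type (the post's
# CSR said GOK while the vhost ServerName was "secure").  Signing with
# "openssl x509 -req" replaces sign.sh, so no ca.db.* files are produced.
make_certs() (
    cd "$WORK"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -passin "pass:$CA_PASS" \
        -subj "/O=GG HC/CN=GG HC OK" -out ca.crt
    openssl genrsa -aes256 -passout "pass:$SRV_PASS" -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -passin "pass:$SRV_PASS" \
        -subj "/O=GG LTD/CN=$1" -out server.csr
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -passin "pass:$CA_PASS" -CAcreateserial -out server.crt 2>/dev/null
)

# Does OpenSSL load this file as a PEM certificate?  A missing file, a CSR
# or junk all fail.  "ASN1_get_object:header too long" in the post's log is
# OpenSSL's ASN.1 decoder refusing bytes that are not a DER structure.
is_cert() { openssl x509 -in "$1" -noout >/dev/null 2>&1; }

# Certificate and key are one pair only if their RSA moduli are equal.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    k=$(openssl rsa -in "$2" -passin "pass:$3" -noout -modulus 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# The check a client performs: the server cert chains to the CA cert.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Every SSLCertificateFile / SSLCertificateKeyFile in an httpd.conf must
# exist and be loadable (paths without whitespace).  Offending lines go to
# stderr, the count to stdout.  This is the check for the post's config,
# which names serveur.crt while the directory listing holds server.crt.
bad_cert_paths() {
    n=0
    for spec in $(awk '$1 ~ /^SSLCertificate(Key)?File$/ { gsub(/"/, "", $2); print $1 "=" $2 }' "$1"); do
        directive=${spec%%=*}; path=${spec#*=}
        case $directive in
            SSLCertificateFile)    is_cert "$path" ;;
            SSLCertificateKeyFile) grep -qs 'BEGIN.*PRIVATE KEY' "$path" ;;
        esac || { echo "bad path: $directive $path" >&2; n=$((n + 1)); }
    done
    echo "$n"
}

# Install only what httpd needs, key readable by root alone.  The CA key,
# sign.sh and ca.db.* stay out (the post copied them all, mode 0644).  The
# passphrase is stripped so httpd can restart unattended; from then on the
# 0600 mode is all that stands between a reader of the file and the key.
install_certs() {
    mkdir -p "$1"
    cp "$WORK/server.crt" "$WORK/ca.crt" "$1/"
    openssl rsa -in "$WORK/server.key" -passin "pass:$SRV_PASS" -out "$1/server.key" 2>/dev/null
    chmod 0700 "$1" && chmod 0600 "$1/server.key"
}

make_certs secure
is_cert "$WORK/server.crt" && echo "server.crt loads"
is_cert "$WORK/server.csr" || echo "server.csr is not a certificate (expected)"
key_matches_cert "$WORK/server.crt" "$WORK/server.key" "$SRV_PASS" && echo "key matches cert"
chain_ok "$WORK/ca.crt" "$WORK/server.crt" && echo "chain verifies"
install_certs "$WORK/install"
# Constructed httpd.conf fragment reproducing the post's path mix-up.
printf 'SSLCertificateFile "%s/install/serveur.crt"\nSSLCertificateKeyFile "%s/install/server.key"\n' \
    "$WORK" "$WORK" > "$WORK/httpd.conf"
echo "bad cert paths in $WORK/httpd.conf: $(bad_cert_paths "$WORK/httpd.conf")"
```

Run it as sh script.sh; it prints one line per check and the number of bad certificate paths in the constructed httpd.conf fragment (1, for the serveur.crt line). Before trusting a cipher string such as the post's SSLCipherSuite, list what it actually enables with openssl ciphers -v '<string>'; the +LOW, +EXP and +eNULL terms in it are a reason to look.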

----------



## bompi (25 October 2007)

Good evening and welcome.
Your thread is not in the right place.
It could be either in UNIX or in the server section.

I am moving it to the server side.

Apart from that: my recollection about certificates is that when a certificate is "self-signed", you do indeed have to validate it at startup by entering a password. Whether the server is protected or wide open to the winds changes nothing.

As for your final error: the certificate is not valid, I think. I would advise you to follow the documentation on the Apache site to build your certificate.


----------



## LedZep2 (26 October 2007)

bompi said:


> Good evening and welcome.
> Your thread is not in the right place.
> It could be either in UNIX or in the server section.
> 
> ...



Ah!

I am sorry for the confusion.
Thank you for moving it, and above all thank you for answering me.
I finally found the solution!! After a week of intense thinking and searching.
Here it is:


Arf!
Finally I did it!

What is Mac? A simple way to do hard things.
Why use the command line when all the tools you need are available in nice interfaces!!
So here is the answer to the question: just use Server Admin and only Server Admin.
How?

Like this:
First go to the settings and click on "+".
<img src=http://bertonf.free.fr/MACOSX/i12.jpg>

A new window appears. This is THE window you should use to enter the certificate. This window should generate the key, I imagine.
So then you just have to enter the parameters as described here:
http://docs.info.apple.com/article.html?path=ServerAdmin/10.4/en/c4ms11.html
http://docs.info.apple.com/article.html?path=ServerAdmin/10.4/en/c4ms6.html
Here is an example:
<img src=http://bertonf.free.fr/MACOSX/i13.jpg>
After you complete the form, you MUST save your work.
And after that, it will be possible to add a signed certificate.
It is a simple window where you must paste the body of the file ca.crt.
It begins with:
-----BEGIN CERTIFICATE-----
MIIEMDCCAxigAwIBAgIJAOZOIzRj02taMA0GCSqGSIb3DQEBBAUAMG0xCzAJBgNV
BAYTAkZSMREwDwYDVQQIEwhQcm92ZW5jZTESMBAGA1UEBxMJTWFyc2VpbGxlMQ4w
...
...
and finishes with:
...
...
MZ8URgH7LxxsWB85aLCXfbqIFZE=
-----END CERTIFICATE-----

Click OK and that's all.
Now you should see your settings window.
It should look like this:
<img src=http://bertonf.free.fr/MACOSX/i14.jpg>

Then the rest of the procedure is easy.
You just have to complete the General menu and choose the generated certificate in the Security menu.

That's magic!
Everything is working now.
I think the problem was due to the location of the *.crt and *.key files.
It was not working because the files should be present here:
/private/etc/certificates

By the way, I did not try to manually create certificates, copy them to this location and retry starting the server.
I imagine that works.


----------

