Ask Question Forum:
Model Library:2025-02-08:A.I. model is online auto reply
C
O
M
P
U
T
E
R
2
8
Show
#
ASK
RECENT
←
- Underline
- Bold
- Italic
- Indent
- Step
- Bullet
- Quote
- Cut
- Copy
- Paste
- Table
- Spelling
- Find & Replace
- Undo
- Redo
- Link
- Attach
- Clear
- Code
Below area will not be traslated by Google,you can input code or other languages
Hint:If find spelling error, You need to correct it,1 by 1 or ignore it (code area won't be checked).
X-position of the mouse cursor
Y-position of the mouse cursor
Y-position of the mouse cursor
Testcursor
caretPos
Attachment:===
Asked by duncanb7
at 2024-12-17 04:58:14
Point:500 Replies:6 POST_ID:828863USER_ID:11059
Topic:
Linux;Apache Web Server;Secure Socket Layer (SSL) & HTTPS
I am using Linux CentOS6.5 with apache VPS server with the following apache version which is reported from phpinfo() php function.
Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.0-fips mod_bwlimited/1.4 PHP/5.3.21
Question-1 from the apache version, whether it is told I have already installed mod_ssl apache module or not ? If yes, why I could not find anything in "httpd.conf" file like as follows quotes
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
Why ?
And I am doing SSL self-cert installation for CentOS and follow this link to do it.
https://library.linode.com/web-servers/apache/ssl-guides/centos, and I could
NOT install mod_ssl modules from "yum install mod_ssl" (Error report: no package available) but I can generate the self-cert and its key by openssl command. Now I go to visit my site with https such as https://mysite.com that I can access the site index page but with red crossed mark and slash mark on https.
Question-2
I could not find the file of mod_ssl.so either at /usr/local/apache/modules or /usr/lib64/httpd or all my directories with my root access. Why my site still works for SSL https access even there is no any apache mod_ssl module enabled or exists ?
Question-3. How can I install mod_ssl module if yum install mod_ssl is not working ?
More my information provided: I had used Cpanel before on my hosting company and now I've switched to VPS server and stop to use Cpanel(since Cpanel was expired)
Duncan
Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.0-fips mod_bwlimited/1.4 PHP/5.3.21
Question-1 from the apache version, whether it is told I have already installed mod_ssl apache module or not ? If yes, why I could not find anything in "httpd.conf" file like as follows quotes
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
Why ?
And I am doing SSL self-cert installation for CentOS and follow this link to do it.
https://library.linode.com/web-servers/apache/ssl-guides/centos, and I could
NOT install mod_ssl modules from "yum install mod_ssl" (Error report: no package available) but I can generate the self-cert and its key by openssl command. Now I go to visit my site with https such as https://mysite.com that I can access the site index page but with red crossed mark and slash mark on https.
Question-2
I could not find the file of mod_ssl.so either at /usr/local/apache/modules or /usr/lib64/httpd or all my directories with my root access. Why my site still works for SSL https access even there is no any apache mod_ssl module enabled or exists ?
Question-3. How can I install mod_ssl module if yum install mod_ssl is not working ?
More my information provided: I had used Cpanel before on my hosting company and now I've switched to VPS server and stop to use Cpanel(since Cpanel was expired)
Duncan
Author: duncanb7 replied at 2024-12-17 11:26:33
Probably, it is my new thread question or other question and has been posted
and thanks for all of your reply
and thanks for all of your reply
Expert: gr8gonzo replied at 2024-12-17 11:05:00
If the red cross and red slash mark still exists after you import the certificate, it may be that Apache is not using the right certificate. You should be able to click on the red cross/slash or somewhere nearby in the address bar and be able to see which certificate is being presented by Apache for that site.
The Apache configuration should indicate what certificate it is using to enable HTTPS, so if it's not the right certificate, then you'll just have to update the Apache configuration and restart Apache.
The Apache configuration should indicate what certificate it is using to enable HTTPS, so if it's not the right certificate, then you'll just have to update the Apache configuration and restart Apache.
Author: duncanb7 replied at 2024-12-17 10:07:26
I could save my self-sign cert into trusted cert folder on browser suggested from
the article of Microsoft ,
http://blogs.technet.com/b/sbs/archive/2007/04/10/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx
and then the SSL warning page from browser is gone when everytime I access my https site.
But the red-cross and red-slash mask on https still exists so the only way to get rid of
that is buying third-party authorized trusted certificate. Probably it is last method.
and some company's free certificate is free but it just do encryption on domain name and email address only and other information is not included unless buying his other SSL certificate package.
So you agree what I post ?
Duncan
the article of Microsoft ,
http://blogs.technet.com/b/sbs/archive/2007/04/10/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx
and then the SSL warning page from browser is gone when everytime I access my https site.
But the red-cross and red-slash mask on https still exists so the only way to get rid of
that is buying third-party authorized trusted certificate. Probably it is last method.
and some company's free certificate is free but it just do encryption on domain name and email address only and other information is not included unless buying his other SSL certificate package.
So you agree what I post ?
Duncan
Expert: gr8gonzo replied at 2024-12-17 08:34:34
1. A certificate is just a set of files that is used for encryption and decryption (and some other things, too).
2. A "certificate authority" is simply a certificate that is used to put a seal of approval on another certificate (at least that's the basic idea). A certificate authority issues other certificates.
3. Certificate authorities are handy because it allows your computer to AUTOMATICALLY trust certificates that come from any certificate authority that your computer already trusts.
For example, if you have a friend who NEVER tells a lie, then you probably trust that friend. If that friend has a baby, then you can assume that the child will become honest and trustworthy, too. This is sort of how it works with certificates.
3. Operating systems like Windows or Linux will come with a list of really well-known certificate authorities that they already trust, like VeriSign. That way, your computer will automatically trust certificates that come from VeriSign (and from any other certificate authority that your computer has in its list of trusted certificate authorities).
4. When you create a self-signed certificate, you are creating a new certificate authority that is issuing itself. It is brand-new and does not come from any known certificate authority, so there will never be ANY computer that trusts your self-signed certificate right away. As long as your computer doesn't trust your certificate, you will get that red X and warnings in your browsers.
5. You can copy the certificate to your computer and then import it as a "trusted root" certificate authority. This tells YOUR computer that your self-signed certificate is just like VeriSign and is trustworthy. Anyone else will still get the red X, but you can make YOUR computer trust that certificate.
6. You don't do anything different when you generate the certificate. You simply copy the public certificate file to your computer and import it.
2. A "certificate authority" is simply a certificate that is used to put a seal of approval on another certificate (at least that's the basic idea). A certificate authority issues other certificates.
3. Certificate authorities are handy because it allows your computer to AUTOMATICALLY trust certificates that come from any certificate authority that your computer already trusts.
For example, if you have a friend who NEVER tells a lie, then you probably trust that friend. If that friend has a baby, then you can assume that the child will become honest and trustworthy, too. This is sort of how it works with certificates.
3. Operating systems like Windows or Linux will come with a list of really well-known certificate authorities that they already trust, like VeriSign. That way, your computer will automatically trust certificates that come from VeriSign (and from any other certificate authority that your computer has in its list of trusted certificate authorities).
4. When you create a self-signed certificate, you are creating a new certificate authority that is issuing itself. It is brand-new and does not come from any known certificate authority, so there will never be ANY computer that trusts your self-signed certificate right away. As long as your computer doesn't trust your certificate, you will get that red X and warnings in your browsers.
5. You can copy the certificate to your computer and then import it as a "trusted root" certificate authority. This tells YOUR computer that your self-signed certificate is just like VeriSign and is trustworthy. Anyone else will still get the red X, but you can make YOUR computer trust that certificate.
6. You don't do anything different when you generate the certificate. You simply copy the public certificate file to your computer and import it.
Author: duncanb7 replied at 2024-12-17 08:06:51
It is good post to reply my question exectly,
From you post, in other words, it seems I can set my self-cert SSL certificate to be trusted
SSL certificate so that the browser won't do red-cross or red-slash mask on https address bar. How to do it when I do openssl command ?
From you post, in other words, it seems I can set my self-cert SSL certificate to be trusted
SSL certificate so that the browser won't do red-cross or red-slash mask on https address bar. How to do it when I do openssl command ?
Accepted Solution
Expert: gr8gonzo replied at 2024-12-17 07:54:07
500 points EXCELLENT
Apache modules can be plugged into the Apache server in two different ways:
1. "Static"
-OR-
2. "Shared"
Static modules are compiled right into the server WHEN the server is built. You can't update them or change them in any way without re-compiling the Apache server.
Shared modules are compiled as separate files that end in ".so", like mod_ssl.so. The shared modules can be added to or removed from Apache at any time, which makes them more FLEXIBLE than static modules.
It is very similar to a car being built with an engine and seats and a steering wheel. Those are all pieces of the car that NEED to be in there for the car to run, so they are added when the car is built, and you cannot change them easily, but they are necessary pieces. Those pieces are like the "static" modules. They just become part of the car.
Then you have a stereo or radio in your car, which is ALSO probably added into the car when it is built, but it is designed so that anyone can easily remove the stereo and replace it. This is like a "shared" module.
Any module can be either static or shared, but there are usually many modules that are defaulted to being compiled into Apache statically. Static modules have a benefit of making Apache faster because they are loaded ONCE when Apache starts. Shared modules have to be loaded each time a child process is loaded, so they are slower.
Now, for your questions:
1. The Apache signature says mod_ssl, so mod_ssl -is- enabled. It is probably compiled statically, which is why you can't find a mod_ssl.so file. If you find your httpd binary, just run it like this:
httpd -M
That should tell you a full list of what modules are loaded and which are static or shared. If they are static, then you won't have a ".so" file because the code is INSIDE Apache.
2. When you use yum to install any Apache modules, you're going to be installing the shared versions. Don't try to install a shared module if you already have the module as a static module inside Apache. That said, I usually do this on my servers (in a cron job):
yum list > /root/yum.list
Then at any time, I can just use grep to quickly search for availability inside yum like this:
grep -i "mod_ssl" /root/yum.list
or
grep -i "ssl" /root/yum.list
If you don't have mod_ssl for some reason, then you may not have your yum repos set up properly.
3. Apache can be set up in different ways. You don't ALWAYS have to have a separate SSL config file. The config entries can go anywhere, and sometimes people have everything in one or two big config files for maintenance or performance reasons. Try searching your configs for "SSLEngine" or "SSLCertificateFile" and you might find your config entries for SSL.
4. Unless you add the self-signed certificate as a trusted root certificate to your own computer system (the one you're using to visit / test the web site), the browser will not recognize your self-signed certificate as a valid one. It will still allow HTTPS to work, but it is trying to warn you that it doesn't recognize the certificate. When you add the certificate to your own computer as a trusted root certificate and then close and reload your browser, you shouldn't get the red X over https anymore.
1. "Static"
-OR-
2. "Shared"
Static modules are compiled right into the server WHEN the server is built. You can't update them or change them in any way without re-compiling the Apache server.
Shared modules are compiled as separate files that end in ".so", like mod_ssl.so. The shared modules can be added to or removed from Apache at any time, which makes them more FLEXIBLE than static modules.
It is very similar to a car being built with an engine and seats and a steering wheel. Those are all pieces of the car that NEED to be in there for the car to run, so they are added when the car is built, and you cannot change them easily, but they are necessary pieces. Those pieces are like the "static" modules. They just become part of the car.
Then you have a stereo or radio in your car, which is ALSO probably added into the car when it is built, but it is designed so that anyone can easily remove the stereo and replace it. This is like a "shared" module.
Any module can be either static or shared, but there are usually many modules that are defaulted to being compiled into Apache statically. Static modules have a benefit of making Apache faster because they are loaded ONCE when Apache starts. Shared modules have to be loaded each time a child process is loaded, so they are slower.
Now, for your questions:
1. The Apache signature says mod_ssl, so mod_ssl -is- enabled. It is probably compiled statically, which is why you can't find a mod_ssl.so file. If you find your httpd binary, just run it like this:
httpd -M
That should tell you a full list of what modules are loaded and which are static or shared. If they are static, then you won't have a ".so" file because the code is INSIDE Apache.
2. When you use yum to install any Apache modules, you're going to be installing the shared versions. Don't try to install a shared module if you already have the module as a static module inside Apache. That said, I usually do this on my servers (in a cron job):
yum list > /root/yum.list
Then at any time, I can just use grep to quickly search for availability inside yum like this:
grep -i "mod_ssl" /root/yum.list
or
grep -i "ssl" /root/yum.list
If you don't have mod_ssl for some reason, then you may not have your yum repos set up properly.
3. Apache can be set up in different ways. You don't ALWAYS have to have a separate SSL config file. The config entries can go anywhere, and sometimes people have everything in one or two big config files for maintenance or performance reasons. Try searching your configs for "SSLEngine" or "SSLCertificateFile" and you might find your config entries for SSL.
4. Unless you add the self-signed certificate as a trusted root certificate to your own computer system (the one you're using to visit / test the web site), the browser will not recognize your self-signed certificate as a valid one. It will still allow HTTPS to work, but it is trying to warn you that it doesn't recognize the certificate. When you add the certificate to your own computer as a trusted root certificate and then close and reload your browser, you shouldn't get the red X over https anymore.