Clarification of copious reading


#1

Hi LetsEncrypt.org,

with assistance of your community i have achieved what appears to be a secure server.

however, in my reading, i understood it to say that …/conf.d/ssl.conf is an extension to
the environment inherited from httpd.conf.

i inserted stuff in httpd.conf along with,…

  SSLCertificateFile    /etc/letsencrypt/live/linuxlighthouse.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/linuxlighthouse.com/privkey.pem

however, reading …/conf.d/ssl.conf i see,…

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Q 1: it appears to be using the first certfile/key it encounters, but should the 2
pairs of certfile/key’s be the same?

Q 2: on connecting to https, i see the lock symbol gray, not green, how do i fix that?

TIA for another newbie query, jackc…


#2

Without seeing all of your httpd.conf and conf.d/ssl.conf, it’s hard to say, but if you’re only serving one domain, you should really only have one certificate/key pair. I’d probably either (1) remove your edits from httpd.conf, and make your changes to ssl.conf instead; or (2) remove ssl.conf, and have all your SSL-related directives in httpd.conf.

As to Q2, there are a number of possible reasons, depending on your browser, what else is on the page, and other factors. What do you see if you click on the lock symbol? If you’re using Chrome, then click on the Connection tab in the pop-up, and it should give you the reason for the gray symbol. One reason I see it on one of my pages is if the https page loads some content via http instead.
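To see the situation the previous reply describes (which active cert/key directives exist across httpd.conf and conf.d/*.conf, and whether more than one certificate is configured), here is an added example script, not from this thread or from the Apache project. It assumes the Fedora-style layout shown later in the thread (`$ROOT/conf/httpd.conf` plus `$ROOT/conf.d/*.conf`); the sample config tree it builds is constructed for the demo and reuses the paths quoted in the question. `cert_key_match` additionally needs openssl on the box and is only for use against real files.

```shell
#!/bin/sh
# Added example (not part of the original thread): find every active
# SSLCertificateFile / SSLCertificateKeyFile directive under an Apache config
# root, so duplicate cert/key pairs spread over httpd.conf and conf.d/*.conf
# become visible. Assumes a Fedora-style tree: $ROOT/conf/httpd.conf and
# $ROOT/conf.d/*.conf (assumption; adjust for other layouts).

# Print "file:line:directive value" for each uncommented cert/key directive.
list_ssl_directives() {
    root="$1"
    for f in "$root"/conf/httpd.conf "$root"/conf.d/*.conf; do
        [ -f "$f" ] || continue
        # leading '#' lines are skipped by anchoring on the directive name
        grep -nE '^[[:space:]]*SSLCertificate(Key)?File[[:space:]]' "$f" \
            | sed "s|^|$f:|"
    done
}

# Number of distinct certificate files referenced. A single-domain server
# (as in the question) should normally show exactly 1 here.
count_cert_files() {
    list_ssl_directives "$1" \
        | awk '$0 ~ /SSLCertificateFile/ {print $NF}' | sort -u | wc -l | tr -d ' '
}

# Check that a certificate and an RSA private key belong together by comparing
# their moduli (requires openssl; not exercised by the demo below).
cert_key_match() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    k=$(openssl rsa  -noout -modulus -in "$2" | openssl sha256)
    [ "$c" = "$k" ]
}

# Constructed sample tree mirroring the thread: Let's Encrypt pair added to
# httpd.conf while the distro's self-signed pair is still active in ssl.conf.
make_sample_config() {
    root="$1"
    mkdir -p "$root/conf" "$root/conf.d"
    cat > "$root/conf/httpd.conf" <<'EOF'
Listen 443 https
SSLCertificateFile    /etc/letsencrypt/live/linuxlighthouse.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/linuxlighthouse.com/privkey.pem
EOF
    cat > "$root/conf.d/ssl.conf" <<'EOF'
<VirtualHost _default_:443>
#SSLCertificateFile /etc/pki/tls/certs/commented-out.crt
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF
}

# Demo on the constructed tree. Against a real server run, e.g.:
#   list_ssl_directives /etc/httpd   (may need sudo to read the files)
demo_root="${TMPDIR:-/tmp}/apache-ssl-demo.$$"
make_sample_config "$demo_root"
list_ssl_directives "$demo_root"
echo "distinct certificate files configured: $(count_cert_files "$demo_root")"
rm -rf "$demo_root"
```

The demo reports two distinct certificate files, which is exactly the duplication the reply warns about: Apache takes the directives in whichever scope applies to the matching virtual host, so the pair you did not intend can end up being the one served. Consolidate to one pair (in ssl.conf or in httpd.conf, not both) and re-run the listing until it shows a single certificate per virtual host.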


#3

Two questions:

  1. Where does that ../conf.d/ssl.conf come from? Was it always there? How and where is it included from your httpd.conf? (For example, my Apache configuration doesn’t have a /conf.d/. How does yours fit in?)
  2. What are the contents of that certificate? You can check with: openssl x509 -noout -text </etc/pki/tls/certs/localhost.crt

#4

a) my install of fedora 21, httpd seems to have provided that file.
i think the localhost.crt may be a dummy provided in httpd pkg.

the tree looks like, …
tree /etc/httpd
[sudo] password for jackc:
/etc/httpd
├── conf
│ ├── httpd.conf
│ ├── httpd.conf.orig
│ └── magic
├── conf.d
│ ├── autoindex.conf
│ ├── README
│ ├── ssl.conf
│ ├── ssl.conf.orig
│ ├── ssl.conf.rpmsave
│ ├── userdir.conf
│ └── welcome.conf
├── conf.modules.d
│ ├── 00-base.conf
│ ├── 00-dav.conf
│ ├── 00-lua.conf
│ ├── 00-mpm.conf
│ ├── 00-optional.conf
│ ├── 00-proxy.conf
│ ├── 00-ssl.conf
│ ├── 00-systemd.conf
│ ├── 01-cgi.conf
│ └── README
├── logs -> ../../var/log/httpd
├── modules -> ../../usr/lib64/httpd/modules
└── run -> /run/httpd
you can see where i keep .orig’s of the original to track my hacking.

i did create a system.key & system.cert i created locally using fedora doc,
i failed to swap them into the default paths as i wasn’t sure they were ok.

b) the output from your cli is, …

openssl x509 -noout -text < /etc/pki/tls/certs/localhost.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 369 (0x171)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=ws.linuxlighthouse.com/emailAddress=root@ws.linuxlighthouse.com
Validity
Not Before: Nov 9 21:04:41 2015 GMT
Not After : Nov 8 21:04:41 2016 GMT
Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=ws.linuxlighthouse.com/emailAddress=root@ws.linuxlighthouse.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ea:f7:b9:b6:46:d4:6e:3a:48:2c:49:e7:0d:c3:
6c:1f:d6:76:b3:fb:dd:46:86:19:c0:c8:51:69:ed:
2c:14:3c:82:2c:9e:bb:03:dc:db:8c:ac:84:7c:72:
18:69:56:51:7e:e6:4b:7f:a1:97:e6:fd:e5:07:53:
2b:b9:51:82:d6:a0:43:e9:b2:06:66:26:57:3f:32:
34:ea:ac:87:26:24:3f:40:ac:07:19:de:05:9e:80:
1a:d8:ca:ac:8d:4d:a1:56:43:f5:cd:35:67:09:8b:
cb:d4:89:c8:40:fa:09:7e:be:8c:f6:a4:9b:04:12:
40:c0:3c:a1:05:89:ab:db:a3:f6:c3:ce:c5:97:0f:
eb:7d:5c:70:f3:84:c2:f6:70:98:69:81:66:95:d9:
8c:7d:50:b5:3b:cf:b5:de:34:80:75:24:f7:41:63:
57:f6:23:e6:d4:54:bc:99:de:50:42:40:af:80:a5:
f5:26:1b:69:db:d2:b0:c0:73:5a:6d:9f:34:08:cc:
7c:0d:8f:4e:1b:fd:99:3e:86:0c:c4:9d:bd:5e:dd:
12:0f:16:b1:ed:c9:11:ba:49:ac:17:6c:ee:40:50:
75:5f:27:30:ce:3f:d3:e4:bd:70:52:b8:cb:77:2d:
01:5b:2f:dd:33:ef:30:d3:72:56:cd:17:ec:b4:cd:
87:79
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: sha256WithRSAEncryption
4d:28:54:57:37:6b:d5:75:49:3a:cc:85:89:c6:2a:c2:d9:53:
10:fc:9e:b7:b1:e5:ed:20:21:7b:e4:24:65:91:84:ea:60:82:
63:6f:ee:9b:37:15:2d:82:3c:2c:e1:c1:3d:9b:93:23:af:fc:
4a:ec:c4:af:d6:c1:f9:bf:4a:67:8a:d6:7d:11:6d:00:cf:d6:
bd:e7:e5:98:7c:b6:7b:90:98:7a:d4:81:2f:28:86:cc:28:15:
97:74:0b:a3:8f:e5:e5:75:98:d4:c8:7b:94:5e:d2:23:36:de:
9d:f1:84:38:79:b2:a9:0a:fe:13:62:a2:74:98:00:d4:cb:ab:
40:5b:ab:d0:1c:4a:52:f9:af:fa:16:6c:3d:d9:56:39:09:48:
f3:91:da:3a:1c:65:81:1b:4d:9c:13:df:47:6e:0c:2e:1a:f6:
76:12:9f:d5:5c:7e:32:87:14:3a:72:89:48:ab:94:9d:7a:a2:
d6:8c:a5:b8:ef:76:c9:65:a7:50:0c:84:b1:9b:21:e5:05:a8:
e8:1f:c1:97:c5:06:aa:ff:97:12:bc:c3:72:67:db:e0:cf:d0:
da:fa:e9:f6:2e:2b:3b:0c:48:f5:7b:df:e9:05:86:19:e1:3d:
87:7a:36:8c:0d:f3:76:05:35:f4:78:b7:bf:9b:66:c2:46:f8:
a4:7b:f8:3a

c) slight correction to earlier text: when i connect to https on my server from a remote client it shows a green padlock, but connecting to https from the server itself continues w/a gray padlock.

suggestions? Thx, jackc…


#5

So, as I asked before, what shows up when you click on the gray padlock? And, if you’re using Chrome, then click on the connection tab.


#6

sorry, here is what happens first just clicking the gray lock, then also what more info looks like… what additionally useful information am i not providing?

again, thanks for your time, jackc…


#7

and second img from nb,…


#8

Hello @jack.craig.aptos,

So your concern is because you are seeing a gray padlock in your browser? Well, as far as I can see, you are using a dark theme in your firefox and this theme is changing the color of the padlock. Switch to the default theme and you will see a green padlock.

Cheers,
sahsanu


#9

so much egg on face so early in the day!!! :confused:

Thank You!!


#10

Hi @jack.craig.aptos,

Off Topic: I don’t know what theme you are using, but if you are using FT Deep Dark, today I talked with the theme developer and he has released a new beta to include a green padlock (the beta version of the theme only works on firefox beta 44.*).

Here is the link to this new version :slight_smile:

Cheers,
sahsanu


#11

Thx! my FF version is 41, so as soon as i get a newer ff, i’ll update the theme.

Thx!!