12
edits
Changes
From Amahi Wiki
m
1. Create a sub-folder of '''/etc/httpd/''' called '''ssl.crt'''<pre><nowiki>mkdir #!/etcusr/httpdbin/ssl.crt</nowiki></pre>env bash2. Generate a new Secure key file, called server.key.org, and output the file to mkdir ~/etc/httpdssl/ssl.crt (our newly created folder) '''**REMEMBER TO CHANGE "asecretpassword" TO A PASSWORD OF YOUR CHOICE**'''. <pre><nowiki>openssl genrsa -des3 -passout pass:asecretpassword -out /etc/httpd~/ssl.crt/server.key.org 1024</nowiki></pre>The output should look something like:{{META_BOX_Green||Generating RSA private key, 1024 bit long modulus<br>.........++++++<br>....++++++<br>e is 65537 (0x10001)}}3. Create server.crt and serverrootCA.csr from our newly self-generated key (server.key.org):2048<pre><nowiki>openssl req -x509 -new -passin pass:asecretpassword -passout pass:asecretpassword nodes -key /etc/httpd~/ssl.crt/serverrootCA.key.org -out /etc/httpd/ssl.crt/server.csr sha256 -days 3650openssl req -x509 -passin pass:asecretpassword -passout pass:asecretpassword -key /etc/httpd/ssl.crt/server.key.org -in /etc/httpd/ssl.crt/server.csr 1024 -out /etc/httpd~/ssl.crt/serverrootCA.crt -days 3650pem</nowiki></pre>The output of these files will look something like:{{META_BOX_Green||You are about to be asked to enter information that will be incorporated<br>into your certificate request.<br>What you are about to enter is what is called a Distinguished Name or a DN.<br>There are quite a few fields but you can leave some blank<br>For some fields there will be a default value,<br>If you enter '.', the field will be left blank.<br><nowiki>-----</nowiki><br>Country Name (2 letter code) [XX]:<br>State or Province Name (full name) [ ]:<br>Locality Name (eg, city) [Default City]:<br>Organization Name (eg, company) [Default Company Ltd]:<br>Organizational Unit Name (eg, section) [ ]:<br>Common Name (eg, your name or your server's hostname) [ ]:<br>Email Address [ ]:<br><br>Please enter the following 'extra' attributes<br>to be sent with your certificate request<br>A challenge password [ ]:An optional company name [ ]:}}You should make entries at each stage in the second section (after Country Name...).
43. Create a thrid Now create another file, createselfsignedcertificate.sh: <pre><nowiki>#!/usr/bin/env bashmkdir /etc/httpd/ssl.crtmkdir /etc/httpd/ssl.keyopenssl req -new -sha256 -nodes -out /etc/httpd/ssl.crt/server.csr -newkey rsa:2048 -keyout /etc/httpd/ssl.crt/server.key, from from our self-generated key config <(cat /etc/httpd/server.keycsr.orgcnf ):<pre><nowiki>openssl rsa x509 -passin pass:asecretpassword req -in /etc/httpd/ssl.crt/server.csr -CA ~/ssl/rootCA.pem -CAkey ~/ssl/rootCA.key.org -CAcreateserial -out /etc/httpd/ssl.crt/server.keycrt -days 3650 -sha256 -extfile v3.ext</nowiki></pre>54. Create another subthe configuration file server.csr.cnf. <pre><nowiki>[req]default_bits = 2048prompt = nodefault_md = sha256distinguished_name = dn [dn]C=USST=MarylandL=AnnapolisO=Home AdministratorOU=HDA DomainemailAddress=your-address@your-folder of domain.comCN = localhost</nowiki></pre> 5. Now, create a file called v3.ext for the x509 v3 certificate <pre><nowiki>authorityKeyIdentifier=keyid,issuerbasicConstraints=CA:FALSEkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEnciphermentsubjectAltName = @alt_names [alt_names]DNS.1 = localhostDNS.2 = ''hostname.yourdomain'/etc/httpd/'DNS.2 = hdaDNS.3 = hda.'' called yourdomain''DNS.4 = cockpit.'ssl.key'yourdomain'', and move our newly created server</nowiki></pre> 6.key Now it's time to this foldercreate your certificates. Run createRootCA.sh. Follow the prompts <pre><nowiki>bash ./createRootCA.sh</nowiki></pre> Then createselfsignedcertificate.sh <pre><nowiki>mkdir bash ./etccreateselfsignedcertificate.sh</httpdnowiki></pre> 7. Copy your newly created server.key to the ssl.keydirectory.<pre><nowiki>mv cp /etc/httpd/ssl.crt/server.key /etc/httpd/ssl.key/server.key
→Generate your own certificates
Here I will discuss accessing your Amahi HDA over SSL. This means that you will go to your home page ''<nowiki>http://hda</nowiki>'' and it will automatically convert to ''<nowiki>https://hda</nowiki>''.
'''NOTE:''' Following this guidance is at your own risk and could break your HDA. This has been tested with Amahi 10, Fedora 25 which is still in development.
= Why is this recommended? =
Currently you access your Amahi HDA control panel unsecured. This means that anyone sniffing your network can get the password to your HDA. If your password is compromised then this means they can log in to possibly modify your shares or even access SSH (if you have it enabled). So I recommend anyone using SSH to at least have SSL access to their Amahi HDA.
[[User:Sag47|Sag47]] 00:38, 15 June 2011 (PDT). Updates and clarifications [[User:Spaceman|spaceman]] 15:23, 27 March 2017 (BST).[[User:Tamorgen|Tamorgen]] 09:15, 31 Oct 2018 (EST). Made changes for Subject Alternative Name.
'''NOTE:''' This may interfere with [[Hosting_a_website|Hosting a Website]] tutorial.
= Prerequisites =
I assume you already have Fedora 23 25 installed with Amahi up and running.
= Instructions =
== Generate your own certificates ==
'''NOTE:''' Leaving defaults will not make your server less secure. Make sure that you change "asecretpassword" in the commands below to something else. Otherwise any commands which don't have "asecretpassword" in it can be copied and pasted. This has to do with the challenge password for the private key. If you don't understand what I mean then you should read about [http://en.wikipedia.org/wiki/Public-key_cryptography public-key cryptography] which is essentially what SSL uses. As of Chrome version 58, the Chrome browser requires SSL certificates to use SAN (Subject Alternative Name) and has removed Common Name (CN). Using a CN will produce an error within the Security Overview section of the certificate, telling the user that the SAN is missing. A new method of creating the certificate is required. 1. Change directory to /etc/httpd/, and switch users <pre><nowiki>cd /etc/httpd/sudo -s</nowiki></pre> 2. Create a new file createRootCA.sh using vi, nano, or your favorite text editor.
chmod 400 /etc/httpd/ssl.key/server.key</nowiki></pre>
8. Copy your rootCA.pem certificate to a network share, so you may import it to your favorite browser, to eliminate the untrusted certificate warning.
<pre><nowiki>
cd ~/ssl/
cp rootCA.pem /var/hda/files/docs/.
</nowiki></pre>
9. Import rootCA into your browser. For Chrome, Settings --> Advanced --> Manage Certificates --> Authorities --> Import. Select your root certificate from a locally accessible resource, either directly from, or after copying it from your share.
== Modify apache initialization ==
Restart your server to apply the changes you've made. If you did everything right you shouldn't receive any warnings when restarting the server.
systemctl restart httpd
== Bonus ==
Fedora 27/Amahi 11 provides [http://www.amahi.org/apps/cockpit Cockpit], a powerful browser-based server administration portal. To eliminate the SSL warning on this page, you need to create a .cert file using files previously created in this walkthrough. The .cert file consists of the contents of the server.crt and server.key. To create the file, run the following commands. This will automatically place the file in the correct directory.
<pre><nowiki>
cat /etc/httpd/ssl.crt/server.crt > /etc/cockpit/ws-certs.d/01-self-signed.cert
cat /etc/httpd/ssl.crt/server.key >> /etc/cockpit/ws-certs.d/01-self-signed.cert
</nowiki></pre>
= Finished =
Now that you're done go ahead and visit '''<nowiki>http://hda</nowiki>''' and watch it turn into '''<nowiki>https://hda</nowiki>'''! Understand that the certificates you generated have not been verified by a certificate authority so you'll need to confirm a security exception.
= Troubleshooting =
service httpd configtest
If all goes well and you get "'''Syntax OK'''" then you can start your Apache server again.
systemctl restart httpd
{{META_BOX_Green||AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf.d/00-init.conf:1<br>
Syntax OK}}
is acceptable and will work.
If all things end badly and you can't figure it out then it is possible to restart this tutorial from scratch. Just start it over.
