Difference between revisions of "HowTo Configure Apache SSL For davfs, subversion, etc."

From NST Wiki
(Manually Configuring SSL)
(Manually Configuring SSL)
 
(7 intermediate revisions by 2 users not shown)
Line 5: Line 5:
 
The following shows an example of the output of Subversion when trying to connect to a improperly configured NST system:
 
The following shows an example of the output of Subversion when trying to connect to a improperly configured NST system:
  
tortilla-e:tmp pkb$ svn ls https://192.168.1.3/svn-trash/trash
+
<pre>
svn: OPTIONS of 'https://192.168.1.3/svn-trash/trash': could not connect to server (https://192.101.77.44)
+
[joe@bogey tmp]$ svn ls https://192.168.1.20/svn-vmvdi/vmvdi
tortilla-e:tmp pkb$
+
svn: OPTIONS of 'https://192.168.1.20/svn-vmvdi/vmvdi': SSL handshake failed: \
 +
SSL error code -1/1/336032856 (https://192.168.1.20)
 +
</pre>
  
The above failed because the ''ServerName'' parameter was not set to ''192.101.77.44'' in "''/etc/httpd/conf.d/ssl.conf''".
+
The above failed because the ''ServerName'' parameter was not set to ''192.168.1.20'' in "''/etc/httpd/conf.d/ssl.conf''" on the SVN web server.
  
To fix this problem, you need to:
+
To fix this problem in this example, you need to:
  
* Edit the file: "''/etc/httpd/conf.d/ssl.conf''"
+
* SSH into NST system: 192.168.1.20
 +
ssh root@192.168.1.20
 +
 
 +
* Edit the file: "''/etc/httpd/conf.d/ssl.conf''" and set the ''ServerName'' parameter to IP Address '192.168.1.20'.
  
 
  vi /etc/httpd/conf.d/ssl.conf
 
  vi /etc/httpd/conf.d/ssl.conf
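Review bot: the added bullet "Edit the file ... and set the ServerName parameter to IP Address '192.168.1.20'" never shows the line the reader should end up with, so it is unclear whether a port suffix or quoting belongs there. Show the resulting directive, for example `ServerName 192.168.1.20:443`, next to the `vi` command. The unchanged context sentence "a improperly configured NST system" should also read "an improperly configured".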
Line 21: Line 26:
 
  service httpd restart  
 
  service httpd restart  
  
'''NOTE''': This issue is often run into when you setup a NST system using a static IP address, or when using the ''NetworkManager'' service instead of the ''network'' service.
+
'''NOTE''': This issue is often run into when you setup a NST system using a static IP Address, or when using the ''NetworkManager'' service instead of the ''network'' service.
  
 
== Automatically Configuring SSL ==
 
== Automatically Configuring SSL ==
  
If your NST system is configured to use DHCP and the ''network'' service, the ''/etc/dhcp/dhclient-exit-hooks'' script will automatically set the ''ServerName'' in your ''/etc/httpd/conf.d/ssl.conf''. You won't need to do any manual configuration.
+
If your NST system is configured to use DHCP and the ''network'' service, the "''/etc/dhcp/dhclient-exit-hooks''" script will automatically set the ''ServerName'' in your "''/etc/httpd/conf.d/ssl.conf''". You won't need to do any manual configuration.
  
 
However, there are some situations where you may not want your SSL configuration file updated. If you would like to disable the automatic SSL configuration, do the following:
 
However, there are some situations where you may not want your SSL configuration file updated. If you would like to disable the automatic SSL configuration, do the following:
  
* Editing the file: ''/etc/dhcp/dhclient-exit-hooks''
+
* Editing the file: "''/etc/dhcp/dhclient-exit-hooks''"
  
 
  vi /etc/dhcp/dhclient-exit-hooks
 
  vi /etc/dhcp/dhclient-exit-hooks
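Review bot: the NOTE line now capitalises "IP Address", while the host name section of the same page keeps "IP address"; use one form throughout, preferably lower-case "address". The same line still reads "setup a NST system", which should be "set up an NST system". The quoting added around the file paths is consistent with the rest of the change.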
Line 38: Line 43:
  
 
  service network restart
 
  service network restart
 
  
 
== Configuring SSL For A Host Name ==
 
== Configuring SSL For A Host Name ==
Line 44: Line 48:
 
If you would like to configure SSL so that users can connect using a host name (like: "mysvn") instead of a IP address, you must:
 
If you would like to configure SSL so that users can connect using a host name (like: "mysvn") instead of a IP address, you must:
  
* Set the ''ServerName'' parameter in ''/etc/httpd/conf.d/ssl.conf'' to the new name ("mysvn").
+
* Set the ''ServerName'' parameter in "''/etc/httpd/conf.d/ssl.conf''" to the new name ("mysvn").
  
* Make sure that "mysvn" resolves to the proper IP address. There are many ways to accomplish this. In the worst case scenario, you can edit the ''/etc/hosts'' file on ALL systems involved.
+
* Make sure that "mysvn" resolves to the proper IP address. There are many ways to accomplish this. In the worst case scenario, you can edit the "''/etc/hosts''" file on ALL systems involved.
  
 
* Restart the web server.
 
* Restart the web server.
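Review bot: the final bullet, "Restart the web server.", gives no command, although the manual section of this page spells it out as `service httpd restart`; repeat the command here so the host name procedure is complete by itself. The context sentence "instead of a IP address" also still needs "an".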

Latest revision as of 14:34, 23 January 2011

Manually Configuring SSL

When accessing an NST system using the https protocol, you may run into trouble with some applications if your SSL configuration is not set up correctly. Most likely, the configuration issue will be that the ServerName parameter in "/etc/httpd/conf.d/ssl.conf" is not set to exactly match the host name of the system you are connecting to.

The following shows an example of the output of Subversion when trying to connect to an improperly configured NST system:

[joe@bogey tmp]$ svn ls https://192.168.1.20/svn-vmvdi/vmvdi
svn: OPTIONS of 'https://192.168.1.20/svn-vmvdi/vmvdi': SSL handshake failed: \
SSL error code -1/1/336032856 (https://192.168.1.20)

The above failed because the ServerName parameter was not set to 192.168.1.20 in "/etc/httpd/conf.d/ssl.conf" on the SVN web server.

To fix this problem in this example, you need to:

  • SSH into NST system: 192.168.1.20
      ssh root@192.168.1.20
  • Edit the file: "/etc/httpd/conf.d/ssl.conf" and set the ServerName parameter to IP Address '192.168.1.20'.
      vi /etc/httpd/conf.d/ssl.conf
  • Restart the web server using the command:
      service httpd restart

NOTE: This issue is often run into when you set up an NST system using a static IP Address, or when using the NetworkManager service instead of the network service.
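
The manual fix above, scripted as an added example (not NST's own tooling and not the contents of its dhclient-exit-hooks script): it reads the active ServerName from an ssl.conf, rewrites it only when it differs from the name clients use, and keeps a backup. The function names, the ":443" suffix and the sample ssl.conf fragment are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not NST's own tooling: check and set ServerName in ssl.conf.
# Print the first active (uncommented) ServerName value without its :port.
get_ssl_servername() {
    sed -n 's/^[[:space:]]*ServerName[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" |
        sed 's/:[0-9]*$//;q'
}

# Point ServerName at "$2" (port 443 assumed). Rewrites the active ServerName
# line, or a commented-out one if none is active, and keeps a .bak copy.
# Prints "unchanged" or "changed"; returns non-zero on error.
set_ssl_servername() {
    conf=$1 name=$2
    # Plain host names / IPv4 only, so the value cannot smuggle in directives.
    case $name in
        ''|*[!A-Za-z0-9.-]*) echo "invalid name: $name" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    if [ "$(get_ssl_servername "$conf")" = "$name" ]; then
        echo unchanged; return 0
    fi
    if grep -q '^[[:space:]]*ServerName[[:space:]]' "$conf"; then
        pat='^[ \t]*ServerName[ \t]'
    elif grep -q '^[[:space:]]*#[[:space:]]*ServerName[[:space:]]' "$conf"; then
        pat='^[ \t]*#[ \t]*ServerName[ \t]'
    else
        echo "no ServerName line in $conf" >&2; return 2
    fi
    cp -p "$conf" "$conf.bak" || return 2
    awk -v pat="$pat" -v n="$name" '
        !seen && $0 ~ pat {
            ind = $0; sub(/[^ \t].*$/, "", ind)   # keep the original indentation
            print ind "ServerName " n ":443"; seen = 1; next
        }
        { print }' "$conf.bak" > "$conf" || return 2
    echo changed
}

# Demo on a constructed ssl.conf fragment (not a real NST file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
<VirtualHost _default_:443>
#ServerName www.example.com:443
SSLEngine on
</VirtualHost>
EOF
set_ssl_servername "$demo_conf" 192.168.1.20    # prints: changed
get_ssl_servername "$demo_conf"                 # prints: 192.168.1.20
rm -f "$demo_conf" "$demo_conf.bak"
```

On a real system the file would be /etc/httpd/conf.d/ssl.conf, and the web server still has to be restarted with "service httpd restart" after a "changed" result.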

Automatically Configuring SSL

If your NST system is configured to use DHCP and the network service, the "/etc/dhcp/dhclient-exit-hooks" script will automatically set the ServerName in your "/etc/httpd/conf.d/ssl.conf". You won't need to do any manual configuration.

However, there are some situations where you may not want your SSL configuration file updated. If you would like to disable the automatic SSL configuration, do the following:

  • Edit the file: "/etc/dhcp/dhclient-exit-hooks"
      vi /etc/dhcp/dhclient-exit-hooks
  • Set the ENABLE_AUTO_SSL variable near the top of the file to false.
  • Restart the network service.
      service network restart

Configuring SSL For A Host Name

If you would like to configure SSL so that users can connect using a host name (like: "mysvn") instead of an IP address, you must:

  • Set the ServerName parameter in "/etc/httpd/conf.d/ssl.conf" to the new name ("mysvn").
  • Make sure that "mysvn" resolves to the proper IP address. There are many ways to accomplish this. In the worst case scenario, you can edit the "/etc/hosts" file on ALL systems involved.
  • Restart the web server.