Trouble on setting SSL certificates for Virtual Hosts using Apache\Phusion Passenger in localhost
I am using Ruby on Rails 3 and I would like to make to work HTTPS connections on localhost.
I am using:
- Apache v2 + Phusion Passenger
- Mac OS + Snow Leopard v10.6.6
My Ruby on Rails installation use the Typhoeus gem (it is possible to use the Ruby net\http library but the result doesn't change) to make HTTP requests over HTTPS.
I created self-signed ca.key, pjtname.crt and pjtname.key as detailed on the Apple website.
Notice: Following instruction from the Apple website, on running the openssl req -new -key server.key -out server.csr command (see the link) at this point
Common Name (eg, YOUR name) []: (this is the important one)
I entered *pjtname.com so that is valid for all sub_domain of that site.
In my Apache httpd.conf I have two virtual hosts configured in this way:
# Secure (SSL/TLS) connections
#Include /private/etc/apache2/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Include /private/etc/apache2/other/*.conf
# Passenger configuration
LoadModule passenger_module /Users/<my_user_name>/.rvm/gems/ruby-1.9.2-p136/gems/passenger-3.0.2/ext/apache2/mod_passenger.so
PassengerRoot /Users/<my_user_name>/.rvm/gems/ruby-1.9.2-p136/gems/passenger-3.0.2
PassengerRuby /Users/<my_user_name>/.rvm/wrappers/ruby-1.9.2-p136/ruby
# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off
# Ensure that Apache listens on port 443
Listen 443
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:80
NameVirtualHost *:443
#
# PJTNAME.COM and subdomains SETTING
#
<VirtualHost *:443>
# Because this virtual host is defined first, it will
# be used as the default if the hostname is not received
# in the SSL handshake, e.g. if the browser doesn't support
# SNI.
ServerName pjtname.com:443
DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public"
ServerAdmin you@example.com
ErrorLog "/private/var/log/apache2/error_log"
TransferLog "/private/var/log/apache2/开发者_StackOverflowaccess_log"
RackEnv development
<Directory "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public">
Order allow,deny
Allow from all
</Directory>
# SSL Configuration
SSLEngine on
# Self Signed certificates
# Server Certificate
SSLCertificateFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.crt
# Server Private Key
SSLCertificateKeyFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.key
# Server Intermediate Bundle
SSLCertificateChainFile /private/etc/apache2/ssl/wildcard.certificate/ca.crt
</VirtualHost>
# HTTP Setting
<VirtualHost *:80>
ServerName pjtname.com
DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public"
RackEnv development
<Directory "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public">
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName users.pjtname.com:443
DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public"
ServerAdmin you@example.com
ErrorLog "/private/var/log/apache2/error_log"
TransferLog "/private/var/log/apache2/access_log"
RackEnv development
<Directory "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public">
Order allow,deny
Allow from all
</Directory>
# SSL Configuration
SSLEngine on
# Self Signed certificates
# Server Certificate
SSLCertificateFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.crt
# Server Private Key
SSLCertificateKeyFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.key
# Server Intermediate Bundle
SSLCertificateChainFile /private/etc/apache2/ssl/wildcard.certificate/ca.crt
</VirtualHost>
# HTTP Setting
<VirtualHost *:80>
ServerName users.pjtname.com
DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public"
RackEnv development
<Directory "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public">
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
In the host file I have:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
# PJTNAME.COM SETTING
127.0.0.1 pjtname.com
127.0.0.1 users.pjtname.com
All seems to work properly because I have already set everything (I think correctly):
- I generated a wildcard certificate for my domains and sub-domains (in this example: *.pjtname.com)
- I have set base-named virtualhosts in the
http.conffile listening on port:433and:80 - My browser accept certificates also if it alerts me that those aren't safe (notice: I must accept certificates for each domain\sub-domain; that is, [only] at the first time I access a domain or sub-domain over HTTPS I must do the same procedure for acceptance) and I can have access to pages using HTTPS
After all this work, when I make a request using Typhoeus (I can use also the Ruby Net::Http library and the result doesn't change) from the pjtname.com RoR application:
# Typhoeus request
Typhoeus::Request.get("https://users.pjtname.com/")
I get something like a warning about the certificate:
--- &id001 !ruby/object:Typhoeus::Response
app_connect_time: 0.0
body: ""
code: 0
connect_time: 0.000625
# Here is the warning
curl_error_message: Peer certificate cannot be authenticated with known CA certificates
curl_return_code: 60
effective_url: https://users.pjtname.com/
headers: ""
http_version:
mock: false
name_lookup_time: 0.000513
pretransfer_time: 0.0
request: !ruby/object:Typhoeus::Request
after_complete:
auth_method:
body:
...
All this means that something is wrong. So, what I have to do to avoid the "Peer certificate cannot be authenticated with known CA certificates" warning and make the HTTPS request to work? Where is\are the error\errors (I think in the Apache configuration, but where?!)?
P.S.: if you need some more info, let me know.
I think your Apache configuration is OK, it's just that since you're using a self-signed cert, you need to specify on the client side that you're trusting the certifying authority.
It looks like Typhoeus uses curl, which has it's own certificate store, independent of OS X's Keychain (which is what would be used by your browser)
On my box, it's at /opt/local/share/curl/curl-ca-bundle.crt, and is just a concatenated list of certifying authorities. To get rid of the warning, you should be able to add your CA that you created to the end of that file:
cat /path/to/ca.crt >> /path/to/curl-ca-bundle.crt
(or you can edit it manually to put it some comment about what that cert is)
However, at the next curl update, you might very well lose those changes, so it might be better to have curl simply not verify the peer's certificate. (might be good to have different prod/dev settings for that in your app). I've never used Typhoeus, but it looks like you can specify the following:
:disable_ssl_peer_verification => true
when you make calls:
Typhoeus::Request.get("https://mail.google.com/mail", :disable_ssl_peer_verification => true).
Curl has a verify_peer and a verify_host setting. If I remember well, verify_peer checks that the certificate is signed by a trusted authority, and verify_host checks that the certificate was issued to the host you're connecting to.
There's some info about using self-signed certs in the readme: https://github.com/dbalatero/typhoeus
加载中,请稍侯......
精彩评论