Good Morning
Well, I was just reading the wiki entry for Outside Access (http://wiki.linuxmce.com/index.php/Outside_Access), and it mentioned that setting up an SSL certificate would be costly and complicated. So I Googled "buy SSL secure certificate", and found that GoDaddy.com offers several different SSL certificates, starting at $12.99 (http://www.godaddy.com/gdshop/compare/gdcompare_ssl.asp?isc=sslqgo008b). So my questions:
- Would the $12.99 certificate be sufficient, or what kind of certificate is needed?
- How would it be complicated?
- Does anybody have this sort of setup? Would you be willing to explain what you did?
Bryce
There is absolutely no need to purchase a signed SSL cert for this, since all that does is get rid of the warning in the web browser. A self-signed cert is free and you can make it yourself. How to add it to the system is a bit harder though, but there are quite a few guides out there for adding SSL certs to Apache.
merkur2k is right, the only thing a "proper" cert gives you is a chain of trust back to a root authority that everyone trusts... this means that someone else coming to your site not only gets encryption but also trusts that your site is what it says it is. I assume that you won't have randoms accessing your site, and that you trust yourself! So you can just create a self-signed cert and use that...
Quote from: colinjones on May 31, 2009, 12:07:03 AM
I assume that....you trust yourself!
For the most part. ;D
Has anybody done this? I have no problem Googling for how-to guides, but I don't want to break anything LMCE specific/special if I can avoid it.
Bryce
It should be safe to add an SSL cert to Apache (when you know what you are doing). Back up the config files first. AFAIK LMCE does not touch those parts of the system at all.
br, Hari
Quote from: hari on May 31, 2009, 01:52:15 PM
it should be safe to add a ssl cert to apache (when you know what you are doing)...
Gee, had to add that last part, huh? :P I'm thinking that'll be something to add to the list of 'things-to-learn'. Good to know it's not incredibly LMCE sensitive, so I might have some room to 'bumble about'.
Thanks
Bryce
Hi brake16,
Here's a little help for your list.
http://www.tc.umn.edu/~brams006/selfsign.html
Cheers.
can somebody:
(1) make a feature request in trac?
(2) work on making this feature work out of the box with the system and submit a patch?
Thanks,
-Thom
Quote: Here's a little help for your list.
You are the man. I wish I could give you a karma bump.
brake16, please read Thom's post and react accordingly... Thanks!
I should have time today to take a poke at this.
Quote from: tschak909 on June 01, 2009, 04:27:19 PM
can somebody:
(1) make a feature request in trac?
(2) work on making this feature work out of the box with the system and submit a patch?
Thanks,
-Thom
Feature request in trac has been made (http://trac.linuxmce.org/trac.cgi/ticket/226).
First time using trac. Took me a bit to find it and figure out how to do it. Feel free to offer thwapping corrections as needed.
Bryce
Having spent some time with this this morning, I have come to the conclusion that this will never be possible since apache requires ssl sites to use static ip.
you could certainly work at it enough to do your own implementation, but it will not be possible to do an automated install that works on every setup.
Quote from: merkur2k on June 01, 2009, 08:18:18 PM
Having spent some time with this this morning, I have come to the conclusion that this will never be possible since apache requires ssl sites to use static ip.
you could certainly work at it enough to do your own implementation, but it will not be possible to do an automated install that works on every setup.
Forgive the newbiness most likely apparent in this question, but will DynDNS help? I have DSL, and therefore, no static IP.
Bryce
Well, on a second look it may be possible, but I have hosed up my Apache so badly at this point that it's gonna hafta wait until I do a reinstall of the core, I think.
A first draft of the script has been attached to the trac ticket linked above.
I've tried to test it as best I can on a freshly installed system, but of course I could have missed something. It would be a good idea to backup the contents of /etc/apache2/ before running this script.
Just download it to your core somewhere and fire it off; it's fully automated.
Hi merkur2k. Would it be possible for you to update the wiki to give instructions (other than what you've already given) for newbies like me to go through the setup process? I think that would be appreciated by many users.
It's just a matter of downloading it to the core and running it like you would any other shell script.
I do need to revisit this at some time though, it gets clobbered at the next system upgrade.
Quote from: merkur2k on September 05, 2009, 12:23:16 AM
its just a matter of downloading it to the core and running it like you would any other shell script.
I do need to revisit this at some time though, it gets clobbered at the next system upgrade.
OK, I'm a bit slow getting anything to work but anyway... I tried the wiki approach (http://wiki.linuxmce.org/index.php/HTTPS) and get these errors in the end when restarting apache:
[Fri Jan 08 17:15:48 2010] [error] VirtualHost *:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
[Fri Jan 08 17:15:48 2010] [error] VirtualHost *:80 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
[Fri Jan 08 17:15:48 2010] [warn] NameVirtualHost *:0 has no VirtualHosts
The result when trying to access using https is: SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)
Any advice what might go wrong in 'mixing ports' etc?
-Kooma
Well, I'm not only slow but slobby.. Got it working, I had omitted one '#' from the instructions in wiki.
Very interesting to access the server with secure(?) https. Now to add some environmental logging data that can be viewed outside the house. That ought to be cool and satisfying once working.
BTW, what log file indicates device status of each Z-wave unit?
-Kooma
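The "mixing * ports and non-* ports" log lines and the ssl_error_rx_record_too_long result quoted above can be checked for in the config text before Apache is restarted. This is an added example, not code from the thread, the wiki page or the trac script; it assumes Apache 2.2-style `NameVirtualHost` syntax without IPv6 addresses, and the function names, finding codes and both sample configs are constructed for illustration:

```python
def port_of(addr):
    """Return the port of an Apache address such as '*:443', or None for a bare '*'."""
    return addr.rpartition(":")[2] if ":" in addr else None

def check_vhosts(conf_text):
    """Return a sorted list of finding codes for a vhost configuration."""
    findings = set()
    with_port, without_port = [], []
    current = None  # state of the <VirtualHost> block being read, if any
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive is not active
        low = line.lower()
        if low.startswith(("namevirtualhost", "<virtualhost")):
            addrs = line.rstrip("> ").split()[1:]
            for a in addrs:
                (with_port if port_of(a) else without_port).append(a)
            if low.startswith("<virtualhost"):
                current = {"addrs": addrs, "ssl": False}
        elif low.startswith("</virtualhost"):
            # A 443 vhost without SSLEngine answers in plain HTTP, which a
            # browser expecting TLS reports as ssl_error_rx_record_too_long.
            if current and not current["ssl"] and any(
                    port_of(a) == "443" for a in current["addrs"]):
                findings.add("plain-http-on-443")
            current = None
        elif current is not None and low.split()[:2] == ["sslengine", "on"]:
            current["ssl"] = True
    # Bare '*' next to '*:port' is the mix the Apache error log complains about.
    if with_port and without_port:
        findings.add("mixed-star-and-port")
    return sorted(findings)

# Constructed sample configs (hypothetical, not taken from the wiki).
BROKEN = """NameVirtualHost *
<VirtualHost *:80>
</VirtualHost>
<VirtualHost *:443>
</VirtualHost>
"""
FIXED = """#NameVirtualHost *
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>
"""
```

Running `check_vhosts` over the concatenated contents of the active files under /etc/apache2/ gives an empty list when neither condition is present; `apache2ctl configtest` remains the authoritative syntax check.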