Can I/how would I create a self-signed certificate using IIS?


Keith Planer

Jan 16, 2014, 1:09:57 PM
to web...@googlegroups.com
I'm trying to get remote admin working for my web2py server. I followed the instructions from here, which didn't work for me: I got "Error opening metabase: 0x80040154" when I tried running the selfssl command in the first step. Then I tried creating the certificate in IIS Manager, but I'm not sure how to associate the certificate with my app, which I still have running from the web2py server.

Keith Planer

Jan 16, 2014, 2:12:57 PM
to web...@googlegroups.com
I understand this link might have some guidance for me, but the link is down: http://www.web2py.com/AlterEgo/default/show/140

Richard Vézina

Jan 16, 2014, 4:07:32 PM
to web2py-users
Unless you need SSL only for your own needs (as a developer), I suggest you walk the extra mile and create your own CA and sign your SSL certificate; then you deploy the CA through GPO with AD and you will not be bothered again about self-signed SSL certificates...

The link "here" you refer to seems to talk about what I said... Deploy a self-signed root certificate or CA, not a self-signed SSL certificate...

What is important is that your CA be in p12 or PKCS#12 format that contains the key and the certificate...

To generate the certificates you can use these commands:

# Directories and files that "openssl ca" expects; the paths must match the
# [ CA_default ] section you configure in /etc/ssl/openssl.cnf
sudo mkdir -p /etc/ssl/CA /etc/ssl/newcerts /etc/ssl/crl
sudo touch /etc/ssl/CA/index.txt
echo 1000 | sudo tee /etc/ssl/CA/serial
# Then set the config required in /etc/ssl/openssl.cnf so that the root certificate and the SSL certificate get created in place

# Create the key of the root certificate for the Certification Authority
# (genrsa takes no -config option; the key is protected with a 3DES passphrase)
openssl genrsa -des3 -out root_certificate.key 2048
chmod 400 root_certificate.key
sudo cp root_certificate.key /etc/ssl/private/root_certificate.key
# Self-sign the root certificate key
openssl req -x509 -new -key root_certificate.key -days 3650 -out root_certificate.crt -config /etc/ssl/openssl.cnf
sudo cp root_certificate.crt /etc/ssl/certs/root_certificate.crt
# For Windows and IE to understand the root certificate it needs a .p12 file that contains the key and the certificate of the CA
# Here we create a PEM file containing the key and the certificate of our root CA
# (">" rather than ">>" so that re-running the step does not append a second copy)
cat root_certificate.key root_certificate.crt > root_certificate_key_crt.pem
chmod 400 root_certificate_key_crt.pem
# Then we create the .p12 file
openssl pkcs12 -export -out root_certificate.p12 -in root_certificate_key_crt.pem -name "SUBDOMAIN CA Certificate PKCS#12"

# Create the SSL certificate key
openssl genrsa -out SUBDOMAIN.key 2048
chmod 400 SUBDOMAIN.key
# For a self-signed certificate (uncomment the lines below if required)
    # openssl req -new -x509 -nodes -sha1 -days 3650 -key SUBDOMAIN.key > SUBDOMAIN.crt
    # openssl x509 -noout -fingerprint -text < SUBDOMAIN.crt > SUBDOMAIN.info
# For an SSL certificate signed by the Certification Authority you need to issue a "certificate signing request" from the key
openssl req -new -key SUBDOMAIN.key -out SUBDOMAIN.csr
# NOTE: don't use a challenge password, because you will be prompted for the password each time the web server reboots...
# Sign the SSL key with the root certificate key
    # openssl x509 -req -in SUBDOMAIN.csr -CA root_certificate.crt -CAkey root_certificate.key -CAcreateserial -out SUBDOMAIN.crt -days 3650
    # NOTE: the command above works, but to make sure the CA database gets updated and a copy of the certificate with its serial number is kept, the command below is better once /etc/ssl/openssl.cnf is customized
openssl ca -config /etc/ssl/openssl.cnf -out SUBDOMAIN.crt -infiles SUBDOMAIN.csr

# Deployment: the server certificate followed by the CA certificate (the chain), and the server key only;
# the root CA private key must never be copied onto the web server
cat SUBDOMAIN.crt root_certificate.crt > server.crt
cp SUBDOMAIN.key server.key
chmod 400 server.key
sudo mkdir -p /etc/nginx/ssl
sudo cp server.* /etc/nginx/ssl/


You need to configure OpenSSL (/etc/ssl/openssl.cnf) before executing most of the commands, since it will reduce the typing and the errors in the process of creating a correct, valid root certificate...

Ref.:

You can also buy a CA for LAN here, but it is not going to continue for very long; GoDaddy recently stopped issuing new certificates for LAN: http://www.instantssl.com/ssl-certificate-products/ssl/ssl-certificate-intranetssl.html?ap=ce046

Hope it helps

:)

Richard



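The CA-signs-server-certificate procedure from the post above, as an added example that is not code from the thread: it builds a private root CA, issues a server certificate that carries a subjectAltName (modern browsers match the host name against the SAN, not the CN), checks that the chain verifies, and writes two PKCS#12 files, one with the server key and chain and one with the CA certificate only. The host name web2py.example.test, the file names and the export password are assumptions; it needs openssl 1.1.0 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: private root CA -> server certificate with
# subjectAltName -> chain check -> PKCS#12 exports. Assumed: the host name, the
# file names, the constructed password; needs openssl 1.1.0+ on PATH.
set -eu
umask 077                               # every generated file is owner-only
SRV_HOST="web2py.example.test"
WORK="${WORK:-$(mktemp -d)}"
P12_PASS="pass:changeit"                # constructed placeholder password

# One config holding both extension profiles. basicConstraints CA:TRUE is what
# makes clients accept root_ca.crt as an issuer rather than a self-signed leaf.
write_config() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
    '[dn]' 'CN=Example Lab Root CA' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' 'subjectKeyIdentifier=hash' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    '[v3_server]' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
    "subjectAltName=DNS:$SRV_HOST" > "$WORK/pki.cnf"
}
make_ca() {                             # self-signed root, valid 10 years
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/pki.cnf" -extensions v3_ca \
    -keyout "$WORK/root_ca.key" -out "$WORK/root_ca.crt" 2>/dev/null
}
# Browsers match the host against SAN, not CN, so v3_server must be applied.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/pki.cnf" \
    -subj "/CN=$SRV_HOST" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
    -CA "$WORK/root_ca.crt" -CAkey "$WORK/root_ca.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions v3_server -out "$WORK/server.crt" 2>/dev/null
}
# server.p12: server key + cert + issuing CA cert (what an IIS-style import wants).
# root_ca.p12: CA certificate only; the CA private key stays on the signing box.
export_pkcs12() {
  openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
    -certfile "$WORK/root_ca.crt" -name "$SRV_HOST" -passout "$P12_PASS" \
    -out "$WORK/server.p12"
  openssl pkcs12 -export -nokeys -in "$WORK/root_ca.crt" \
    -name "Example Lab Root CA" -passout "$P12_PASS" -out "$WORK/root_ca.p12"
}
# Exit status 0 only if server.crt chains to root_ca.crt and names SRV_HOST.
verify_chain() {
  openssl verify -CAfile "$WORK/root_ca.crt" -verify_hostname "$SRV_HOST" \
    "$WORK/server.crt" >/dev/null
}
write_config; make_ca; make_server_cert; export_pkcs12
verify_chain && echo "PKI ready in $WORK"
```

Import root_ca.p12 (or root_ca.crt) into the clients' trusted root store and server.p12 into the web server; the openssl.cnf-driven "openssl ca" flow in the post can replace the "openssl x509 -req" step once the CA database is set up.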

Keith Planer

Jan 17, 2014, 11:57:45 AM
to web...@googlegroups.com
Thank you for the detailed explanation; I will take the time to make this work. Thanks.

Michele Comitini

Jan 17, 2014, 12:37:34 PM
to web...@googlegroups.com
I do not think you need a CA, but if you do, there is a PKI (and CA) for web2py that I created for personal needs.
It allows you to create server certificates and manage client certificates.

https://code.google.com/p/simpatica/

No instructions; the code is simple, as is the interface, and there are just 2 requirements besides web2py:
- pyopenssl
- M2Crypto

mic


Richard Vézina

Jan 17, 2014, 1:17:15 PM
to web2py-users
That is really nice Michele, thanks for sharing this...

Richard