[Eisfair] Problems with apache and the certificates

Marcus Roeckrath marcus.roeckrath at gmx.de
Wed Sep 20 21:16:05 CEST 2017


Hello Stefan,

Stefan Puschek wrote:

> in the Apache log file (used _ONLY_ internally - not reachable from
> outside) I constantly find
> 
> ...
> 192.168.6.7 - - [20/Sep/2017:20:31:01 +0200] "HEAD /certs/crl.pem HTTP/1.1" 404 - "-" "Wget/1.18 (linux-gnu)" 161 185
> 192.168.6.7 - - [20/Sep/2017:20:31:02 +0200] "HEAD /certs/crl.pem HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0" 217 185
> 192.168.6.7 - - [20/Sep/2017:20:31:03 +0200] "GET /certs/crl.pem HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0" 216 417
> 192.168.6.7 - - [20/Sep/2017:20:32:01 +0200] "HEAD /certs/crl.pem HTTP/1.1" 404 - "-" "Wget/1.18 (linux-gnu)" 161 185
> 192.168.6.7 - - [20/Sep/2017:20:32:02 +0200] "HEAD /certs/crl.pem HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0" 217 185
> 192.168.6.7 - - [20/Sep/2017:20:32:02 +0200] "GET /certs/crl.pem HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0" 216 417
> ...

Maybe I'm blind, but at first glance I don't see anything unusual in that.

> according to certs-update-crl.log
> ...
> Sep 20 20:37:00 barbrady certs-update-crl[20071]: /var/install/bin/certs-update-crl --quiet --single http://barbrady.southpark.lan/certs/crl.pem
> Sep 20 20:37:00 barbrady certs-update-crl[20071]: - downloading 'http://barbrady.southpark.lan/certs/crl.pem' ...
> Sep 20 20:37:02 barbrady certs-update-crl[20071]: - file 'http://barbrady.southpark.lan/certs/crl.pem' download failed!
> Sep 20 20:37:02 barbrady certs-update-crl[20071]: - CRL file 'crl.pem' doesn't exist, force download!
> Sep 20 20:37:02 barbrady certs-update-crl[20071]: - job '161542' (2017-09-19 20:40->2017-09-20 20:40) created.
> Sep 20 20:37:02 barbrady certs-update-crl[20071]:   url: http://barbrady.southpark.lan/certs/crl.pem
> Sep 20 20:37:02 barbrady certs-update-crl[20071]: finished.
> ...

Does /var/certs/ssl/crl/barbrady.southpark.lan-crl.pem exist?

Has it perhaps expired?

Setup|Service administration|Certs|Manage certificates

1 1

produces roughly the following output; please post yours:

Certificate generation

Parameters
  1 - change/set certificate type: ca
  = - change/set certificate name: ca
 
Certificate Authority (CA) (sha384) (2048bits)
  3 - [✓] create a CA key
  4 - [✓] create a self-signed CA certificate (valid until: 29.03.2024)
  5 - [✓] create .pem CA certificate and copy it to /usr/local/ssl/certs
  6 - show CA key and certificate file location
  7 - revoke a certificate
  8 - update revocation list (valid until: 22.08.2018 18:51h)

Please select (1,3-8), change (b)its/(h)ash, (e)mail certs, (q)uit? 

> barbrady _IS_ the 192.168.6.7 from above
> 
> barbrady # pwd
> /var/www/certs
> barbrady # ls -la
> total 16
> drwxr-xr-x 2 root   root    4096 Sep 20 20:04 .
> drwxr-xr-x 9 root   root    4096 Sep 20 20:07 ..
> lrwxrwxrwx 1 root   root      27 Sep  4 19:47 ca.crt -> /var/certs/ssl/certs/ca.pem
> lrwxrwxrwx 1 root   root      27 Sep  4 19:47 ca.pem -> /var/certs/ssl/certs/ca.pem
> lrwxrwxrwx 1 root   root      49 Sep 20 20:04 crl.pem -> /var/certs/ssl/crl/barbrady.southpark.lan-crl.pem
> lrwxrwxrwx 1 root   root      34 Sep  4 19:47 index.html -> /var/certs/ssl/web/x509policy.html
> -rw-r--r-- 1 wwwrun nogroup 3291 Jan  7  2008 openssl_logo.png
> -rw-r--r-- 1 wwwrun nogroup 1139 Jan 26  2015 x509policy.html
> barbrady #
> 
> so the file is there, but Apache probably isn't allowed to access it
> because of root:root;

Does the target exist?

lrwxrwxrwx 1 root   root      49 Sep 20 20:04 crl.pem -> /var/certs/ssl/crl/barbrady.southpark.lan-crl.pem

No, root.root is fine, since it is a link, which has permissions 0777.

-- 
Regards, Marcus
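
The two checks raised in the reply above (does the link target exist, and which permissions actually matter for a symlink), as an added shell example that is not part of the original mail or of the eisfair tools. The function name `check_served_link` and its optional `TOP` argument are hypothetical; it assumes GNU `readlink -f`, that the web server user is neither owner nor group member of the files, and that no ACLs are in use.

```shell
#!/bin/sh
# check_served_link LINK [TOP]  (hypothetical helper, added for illustration)
# Exit status: 0 ok, 1 not a symlink, 2 dangling, 3 target lacks o+r,
#              4 a directory on the target's path lacks o+x.
# Assumption: the web server user is neither owner nor group member of the
# files, so the "other" permission bits decide; ACLs are ignored.
check_served_link() {
    link=$1
    [ -L "$link" ] || { echo "not-a-symlink $link"; return 1; }
    # -e follows the link, so it fails when the target is missing.
    [ -e "$link" ] || { echo "dangling $link -> $(readlink -- "$link")"; return 2; }
    target=$(readlink -f -- "$link")      # fully resolved target path
    top=$(readlink -f -- "${2:-/}")       # stop the directory walk here
    # On Linux the link's own mode (lrwxrwxrwx) is not consulted on access;
    # what counts is search permission on every directory leading to the
    # target ...
    dir=$(dirname -- "$target")
    while :; do
        case $(ls -ld -- "$dir" | cut -c10) in
            x|t) ;;
            *) echo "blocked-dir $dir"; return 4 ;;
        esac
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname -- "$dir")
    done
    # ... and read permission on the target file itself.
    case $(ls -ld -- "$target" | cut -c8) in
        r) echo "ok $target"; return 0 ;;
        *) echo "unreadable $target"; return 3 ;;
    esac
}
```

On the system from the thread the call would be `check_served_link /var/www/certs/crl.pem`; status 2 corresponds to the case where the CRL file the link points to does not exist.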

