Test an SSL certificate before installation

Test an SSL certificate before installation

Yves Goergen
Hello,

I'd like to let my users install their own SSL certificates through a
web interface for self-management services. If a user provides a
malicious certificate, the entire server will fail to start and the
whole system is down. This is a bit hard but that's how it is.

So I'll have to make sure the certificate and key are usable by apache
before generating the config that will use it.

I could run basic checks like let openssl parse it. But I've managed to
break my test server by providing it a perfectly working certificate and
key - from an old domain from 2016. The server complained with this message:

> SSL Library Error: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

That's from my letsencrypt archives. A newer one of the same domain from
2018 works just fine on the same new dev server. So there are obviously
circumstances that let apache fail on the certificate that I can't fully
analyse.

Is there a method to have apache check that certificate and key in
advance, considering its usual configuration, before I expect it to use
the certificate? I don't want to let it try out the file on a production
system, and learn about an unsupported certificate by a web server
that's down. There has to be a smarter way to handle this.

-Yves

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
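An added pre-check for the question above (example code written for this thread, not from any poster or from Apache): it builds a Python SSLContext from the server's SSLProtocol and SSLCipherSuite values (the two directive values below are assumptions; copy the real vhost's) and loads the pair with load_cert_chain, which goes through OpenSSL's SSL_CTX_use_certificate, the same routine named in the "ca md too weak" error, so a pair the server would refuse is reported before any config is generated or reloaded.

```python
"""Pre-check a PEM certificate/key pair with the OpenSSL call Apache uses."""
import ssl

# Assumed copies of the main server's directives; adjust to the real vhost.
APACHE_SSL = {
    "SSLProtocol": "all -SSLv3 -TLSv1 -TLSv1.1",
    "SSLCipherSuite": "HIGH:!aNULL:!MD5:@SECLEVEL=2",
}


def context_like_apache(conf):
    """Build an SSLContext whose settings track the Apache directives."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    tokens = conf.get("SSLProtocol", "all").split()
    if "-TLSv1.1" in tokens:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    elif "-TLSv1" in tokens:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    # The cipher string is applied verbatim; an @SECLEVEL= entry in it sets
    # the OpenSSL security level, which is what rejects weak CA digests.
    ctx.set_ciphers(conf.get("SSLCipherSuite", "DEFAULT"))
    return ctx


def check_cert_pair(cert_path, key_path, conf=APACHE_SSL):
    """Return (ok, reason) without touching the running server.

    load_cert_chain() calls SSL_CTX_use_certificate, then loads the key and
    runs SSL_CTX_check_private_key, so weak-digest chains, unparsable PEM and
    mismatched key/cert pairs all surface here as ssl.SSLError.
    """
    try:
        ctx = context_like_apache(conf)
        ctx.load_cert_chain(cert_path, key_path)
    except ssl.SSLError as e:          # OpenSSL refused the pair
        return False, e.reason or str(e)
    except OSError as e:               # missing or unreadable file
        return False, str(e)
    return True, "certificate and key accepted"


if __name__ == "__main__":
    import sys
    ok, why = check_cert_pair(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "REJECT: ") + why)
    sys.exit(0 if ok else 1)
```

Run it on the same host and OpenSSL build as Apache, since the default security level comes from that host's openssl.cnf when the cipher string does not set one.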

Re: Test an SSL certificate before installation

Filipe Cifali
Just an idea: run a separate instance locally on a random port (to avoid collisions) with the certificate. If it fails to start, bingo; if it doesn't fail, you are good to put the cert on the main instance.

On Thu, Jul 2, 2020 at 5:09 PM Yves Goergen <[hidden email]> wrote:
--
[ ]'s

Filipe Cifali Stangler
Re: Test an SSL certificate before installation

@lbutlr
On 02 Jul 2020, at 14:08, Yves Goergen <[hidden email]> wrote:
> I'd like to let my users install their own SSL certificates through a web interface for self-management services.

Wouldn't it be simpler to just get a LE cert for those domains? What is the advantage to having them upload their own certs?

--
"Are you pondering what I'm pondering?"
"I think so, Brain. But will anyone other than Eskimos buy
blubber-flavored chewing gum?"
Re: Test an SSL certificate before installation

angel Hall-Coulston
I agree… certs are all about trust and giving users carte blanche may not be such a great idea. LE certs are free to my current knowledge, and are building trust.

Angel
Scotland.

> On 3 Jul 2020, at 05:01, @lbutlr <[hidden email]> wrote:

