01micko

Joined: 11 Oct 2008 Posts: 7019 Location: qld
Posted: Thu 10 Jan 2013, 18:43
Post subject: Setting up an SSL certificate, discussion
Subject description: On home web server... when is it needed?
Hi web gurus
This started out as a question but now let's turn it into a discussion.
Original post
I have set up a web server at home using hiawatha-8.6, followed the docs and have set up SSL. It's good except that I get the "this server is untrusted" spiel by the browser. I followed the instructions from hiawatha. Pretty simple, didn't take long to set up.
Is there a way to generate the certificate myself and avoid the warning? Or is there some place where I have to register the certificate? Am I better off getting a certificate from Thawte or Comodo (suggested by the linked manual) or elsewhere?
TIA
EDIT :
I'm thinking I don't even need SSL. The fact is I'll only be hosting files. Clients won't be sending any critical data and no critical data will be hosted. The only advantage is that Port 80 can be closed (me thinks) as SSL uses 443. The server will be running headless, controlled remotely via SSH. There will be no need of a browser at all. Only Ports 443 and 21,20 (? ftp for adding files) and the SSH ports (forget the numbers) will need to be open. It's also behind a hardware firewall.
_________________ keep the faith .. 
Last edited by 01micko on Sat 12 Jan 2013, 02:14; edited 2 times in total
pemasu

Joined: 08 Jul 2009 Posts: 5170 Location: Finland
Posted: Thu 10 Jan 2013, 19:02
It has been several years since I created a self-signed certificate for mail server usage with a webmail interface. Then I fed it to the browsers inside our organization. It worked at that time. I don't know how browsers nowadays accept those self-signed certificates. I found the instructions on the net. Years ago.
If you use Google with: self signed certificate, you will find several guides on how to do it.
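Why a browser reports a self-signed certificate as untrusted, and why importing it on the client (as described in the post above) removes the warning, shown with the `openssl` command line as an added example that is not part of any post in this thread. The host name `files.example.home` and the file names are constructed, and an installed OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example. HOST and the file names are constructed, not from the thread.
HOST="files.example.home"

# Create a self-signed certificate (cert.pem) and private key (key.pem) in $1.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# What a client with no prior knowledge of the server sees: no CA in its
# trust store issued this certificate, so path validation fails.
trusted_by_default() {
    openssl verify "$1" >/dev/null 2>&1
}

# What a client sees once the certificate has been imported as a trust anchor.
trusted_when_imported() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint of the certificate, colon-separated hex.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

demo() {
    dir=$(mktemp -d) || return 1
    make_selfsigned "$dir" || { rm -rf "$dir"; return 1; }
    if trusted_by_default "$dir/cert.pem"; then echo "default store: trusted"
    else echo "default store: NOT trusted (this is the browser warning)"; fi
    if trusted_when_imported "$dir/cert.pem"; then echo "after import: trusted"
    else echo "after import: NOT trusted"; fi
    echo "fingerprint: $(fingerprint "$dir/cert.pem")"
    rm -rf "$dir"
}
demo
```

The fingerprint is the value a visitor would compare against one received through another channel before accepting the certificate.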
01micko

Joined: 11 Oct 2008 Posts: 7019 Location: qld
Posted: Thu 10 Jan 2013, 19:14
Yeah, the only other web servers I have set up have used IIS (2003, 2008 in college) and we just used self-signed.
Sure seems like a purchased certificate is needed.
I just want my server to be secure. Yeah well running Puppy may have its disadvantages in that department but the web-server doesn't run as root. It is intended to be run headless too, so no X vulnerabilities. Also, if users peruse the certificate they can see it is mine, whether that offers them peace of mind or not is up to them.
Thanks for reply.
EDIT: an interesting read :
http://www.networkworld.com/news/tech/2012/021512-ssl-certificates-256189.html
_________________ keep the faith .. 
Hotdog

Joined: 29 Sep 2011 Posts: 60 Location: Georgia USA
Posted: Fri 11 Jan 2013, 16:39
01micko,
Your second-thought assessment is the correct one - SSL not needed. SSL is for encrypting data between the client browser and the server particularly for transmitting sensitive data such as happens in a financial transaction. So, rest easy and forget the SSL.
_________________ Puppy 528, Full Install
jamesbond
Joined: 26 Feb 2007 Posts: 1540 Location: The Blue Marble
Posted: Fri 11 Jan 2013, 23:06
Post subject: Re: Setting up an SSL certificate
Subject description: On home web server... is it needed?
01micko wrote:
> I'm thinking I don't even need SSL. The fact is I'll only be hosting files. Clients won't be sending any critical data and no critical data will be hosted.

You've got this right.

Quote:
> The only advantage is that Port 80 can be closed (me thinks) as SSL uses 443.

There is no difference between running a web server on port 80 or 443. If you wish, you can configure hiawatha to run on port 443 too *even without SSL*.
Just make sure you don't run it as root (you already did that), don't run it as spot, run it as a very limited user ("hiawatha"?) that only has access to one directory - the webroot.
_________________ Fatdog64, Slacko and Puppeee user. Puppy user since 2.13
01micko

Joined: 11 Oct 2008 Posts: 7019 Location: qld
Posted: Sat 12 Jan 2013, 02:09
Yeah I was just being a bit paranoid I guess, with good reason though!
Funny, today my Twitter account got compromised, all fixed now. The first thing I did was check the server log!! Only unusual thing there was an IP of 37.34.56.76. That led me to http://leisink.org/, which tells me it's moved and links to leisink.net and some nice photos. I recognised the name "leisink".. sure enough it's Hugo Leisink, author of hiawatha.. so hiawatha must phone home.
Still, on the topic of certificates, I think it can make for interesting discussion, so anyone, still offer opinions. We may be able to build a valuable resource here for novice web masters.
EDIT: BTW, I have now turned off ftp, which closes another hole. I use secure copy (scp, uses secure shell, in slacko, probably others too)
_________________ keep the faith .. 