Setting up an SSL certificate, discussion

01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld

#1 Post by 01micko »

Hi web gurus

This started out as a question but now let's turn it into a discussion :)


Original post
I have set up a web server at home using hiawatha-8.6, followed the docs and have set up SSL. It's good except that I get the "this server is untrusted" spiel by the browser. I followed the instructions from hiawatha. Pretty simple, didn't take long to set up.

Is there a way to generate the certificate myself and avoid the warning? Or is there some place where I have to register the certificate? Am I better off getting a certificate from Thawte or Comodo (suggested by the linked manual) or elsewhere?

TIA

EDIT :

I'm thinking I don't even need SSL. The fact is I'll only be hosting files. Clients won't be sending any critical data and no critical data will be hosted. The only advantage is that Port 80 can be closed (me thinks) as SSL uses 443. The server will be running headless controlled remotely via SSH. There will be no need of a browser at all. Only Ports 443 and 21,20 (? ftp for adding files) and the SSH ports (forget the numbers) will need to be open. It's also behind a hardware firewall.
Last edited by 01micko on Sat 12 Jan 2013, 06:14, edited 2 times in total.
Puppy Linux Blog - contact me for access

pemasu
Posts: 5474
Joined: Wed 08 Jul 2009, 12:26
Location: Finland

#2 Post by pemasu »

It has been several years since I created a self-signed certificate for mail server usage with a webmail interface. Then I fed it to the browsers inside our organization. It worked at that time. I don't know how browsers nowadays accept those self-signed certificates. I found the instructions on the net. Years ago.

If you use Google with: self-signed certificate, you will find several guides on how to do it.
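
Added example, not part of any post in this thread: one way to do what post #2 describes with the `openssl` command line, taken one step further by creating a small private CA so that clients import a single CA certificate rather than the server certificate itself. The host name, file names and CA name are placeholders, and the script assumes `openssl` is installed.

```sh
#!/bin/sh
# Added example: a private CA plus a server certificate for a home web server.
# Host names, file names and the CA name are placeholders, not from the thread.

# make_home_pki DIR HOST: writes ca.key/ca.crt and server.key/server.crt into DIR.
make_home_pki() (
    dir=$1 host=$2
    umask 077                                  # private keys readable by owner only
    mkdir -p "$dir" && cd "$dir" || exit 1
    cat > pki.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
subjectAltName = DNS:$host
EOF
    # 1. Self-signed CA certificate: the only file clients need to import.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config pki.cnf \
        -extensions v3_ca -subj "/CN=Home CA for $host" \
        -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    # 2. Server key and signing request.
    openssl req -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=$host" \
        -keyout server.key -out server.csr 2>/dev/null || exit 1
    # 3. CA signs the request; browsers match the host against subjectAltName.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile pki.cnf -extensions v3_srv -out server.crt 2>/dev/null
)

# check_trust CAFILE CERT: prints "trusted" if CERT chains to CAFILE, else "untrusted".
check_trust() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

# Usage: sh home_pki.sh ./pki files.home.example
if [ "$#" -eq 2 ]; then
    make_home_pki "$1" "$2" && check_trust "$1/ca.crt" "$1/server.crt"
fi
```

Browsers stop warning only on machines where `ca.crt` has been imported as a trusted authority; every other client still sees the untrusted-certificate page.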


#3 Post by 01micko »

Yeah, the only other web servers I have set up have used IIS (2003, 2008 in college) and we just used self-signed.

Sure seems like a purchased certificate is needed.

I just want my server to be secure 8) . Yeah well running Puppy may have its disadvantages in that department but the web-server doesn't run as root. It is intended to be run headless too, so no X vulnerabilities. Also, if users peruse the certificate they can see it is mine, whether that offers them peace of mind or not is up to them.

Thanks for reply.

EDIT: an interesting read :

http://www.networkworld.com/news/tech/2 ... 56189.html

Hotdog
Posts: 134
Joined: Fri 30 Sep 2011, 03:15
Location: Georgia USA

#4 Post by Hotdog »

01micko,

Your second-thought assessment is the correct one - SSL not needed. SSL is for encrypting data between the client browser and the server particularly for transmitting sensitive data such as happens in a financial transaction. So, rest easy and forget the SSL.

jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

Re: Setting up an SSL certificate

#5 Post by jamesbond »

01micko wrote:
> I'm thinking I don't even need SSL. The fact is I'll only be hosting files. Clients won't be sending any critical data and no critical data will be hosted.

You've got this right.

> The only advantage is that Port 80 can be closed (me thinks) as SSL uses 443.

There is no difference between running a web server on port 80 or 443. If you wish, you can configure hiawatha to run on port 443 too *even without SSL*.

Just make sure you don't run it as root (you already did that), don't run it as spot, run it as a very limited user ("hiawatha"?) that only has access to one directory - the webroot.


#6 Post by 01micko »

Yeah I was just being a bit paranoid I guess, with good reason though!

Funny, today my Twitter account got compromised, all fixed now. The first thing I did was check the server log!! Only unusual thing there was an IP of 37.34.56.76. That led me to http://leisink.org/, which tells me it's moved and links to leisink.net and some nice photos. I recognised the name "leisink".. sure enough it's Hugo Leisink, author of hiawatha.. so hiawatha must phone home.

Still, on the topic of certificates, I think it can make for interesting discussion, so anyone, still offer opinions. We may be able to build a valuable resource here for novice web masters.

EDIT: BTW, I have now turned off ftp which closes another hole 8) . I use secure copy (scp, uses secure shell, in slacko, probably others too)