Trouble on setting SSL certificates for Virtual Hosts using Apache\Phusion Passenger in localhost

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by user502052 on Stack Overflow See other posts from Stack Overflow or by user502052
Published on 2011-02-28T06:46:32Z Indexed on 2011/02/28 7:24 UTC
Read the original article Hit count: 452

Filed under:
|
|
|
|

I am using Ruby on Rails 3 and I would like to make to work HTTPS connections on localhost.

I am using:

  • Apache v2 + Phusion Passenger
  • Mac OS + Snow Leopard v10.6.6

My Ruby on Rails installation use the Typhoeus gem (it is possible to use the Ruby net\http library but the result doesn't change) to make HTTP requests over HTTPS.

I created self-signed ca.key, pjtname.crt and pjtname.key as detailed on the Apple website.

Notice: Following instruction from the Apple website, on running the openssl req -new -key server.key -out server.csr command (see the link) at this point 

Common Name (eg, YOUR name) []: (this is the important one)

I entered *pjtname.com so that is valid for all sub_domain of that site.

In my Apache httpd.conf I have two virtual hosts configured in this way:

# Secure (SSL/TLS) connections
#Include /private/etc/apache2/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

Include /private/etc/apache2/other/*.conf



# Passenger configuration
   LoadModule passenger_module /Users/<my_user_name>/.rvm/gems/ruby-1.9.2-p136/gems/passenger-3.0.2/ext/apache2/mod_passenger.so
   PassengerRoot /Users/<my_user_name>/.rvm/gems/ruby-1.9.2-p136/gems/passenger-3.0.2
   PassengerRuby /Users/<my_user_name>/.rvm/wrappers/ruby-1.9.2-p136/ruby




# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off


# Ensure that Apache listens on port 443
Listen 443

# Listen for virtual host requests on all IP addresses
NameVirtualHost *:80
NameVirtualHost *:443



#
# PJTNAME.COM and subdomains SETTING
#



<VirtualHost *:443>
  # Because this virtual host is defined first, it will
  # be used as the default if the hostname is not received
  # in the SSL handshake, e.g. if the browser doesn't support
  # SNI.

  ServerName pjtname.com:443
  DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public"

  ServerAdmin [email protected]
  ErrorLog "/private/var/log/apache2/error_log"
  TransferLog "/private/var/log/apache2/access_log"

  RackEnv development

  <Directory "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public">
    Order allow,deny
    Allow from all
  </Directory>

  # SSL Configuration
  SSLEngine on

  # Self Signed certificates
  # Server Certificate
  SSLCertificateFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.crt
  # Server Private Key
  SSLCertificateKeyFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.key
  # Server Intermediate Bundle
  SSLCertificateChainFile /private/etc/apache2/ssl/wildcard.certificate/ca.crt
</VirtualHost>

# HTTP Setting
<VirtualHost *:80>
  ServerName pjtname.com
  DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public"

  RackEnv development

  <Directory "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public">
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>




<VirtualHost *:443>
  ServerName users.pjtname.com:443
  DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public"

  ServerAdmin [email protected]
  ErrorLog "/private/var/log/apache2/error_log"
  TransferLog "/private/var/log/apache2/access_log"

  RackEnv development

  <Directory "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public">
    Order allow,deny
    Allow from all
  </Directory>

  # SSL Configuration
  SSLEngine on

  # Self Signed certificates
  # Server Certificate
  SSLCertificateFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.crt
  # Server Private Key
  SSLCertificateKeyFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.key
  # Server Intermediate Bundle
  SSLCertificateChainFile /private/etc/apache2/ssl/wildcard.certificate/ca.crt
</VirtualHost>

# HTTP Setting
<VirtualHost *:80>
  ServerName users.pjtname.com
  DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public"

  RackEnv development

  <Directory "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public">
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>

In the host file I have:

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1   localhost
255.255.255.255 broadcasthost
::1             localhost 
fe80::1%lo0 localhost

# PJTNAME.COM SETTING

127.0.0.1 pjtname.com
127.0.0.1 users.pjtname.com

All seems to work properly because I have already set everything (I think correctly):

  • I generated a wildcard certificate for my domains and sub-domains (in this example: *.pjtname.com)
  • I have set base-named virtualhosts in the http.conf file listening on port :433 and :80
  • My browser accept certificates also if it alerts me that those aren't safe (notice: I must accept certificates for each domain\sub-domain; that is, [only] at the first time I access a domain or sub-domain over HTTPS I must do the same procedure for acceptance) and I can have access to pages using HTTPS

After all this work, when I make a request using Typhoeus (I can use also the Ruby Net::Http library and the result doesn't change) from the pjtname.com RoR application:

# Typhoeus request
Typhoeus::Request.get("https://users.pjtname.com/")

I get something like a warning about the certificate:

--- &id001 !ruby/object:Typhoeus::Response 
app_connect_time: 0.0
body: ""
code: 0
connect_time: 0.000625

# Here is the warning
curl_error_message: Peer certificate cannot be authenticated with known CA certificates

curl_return_code: 60
effective_url: https://users.pjtname.com/
headers: ""
http_version: 
mock: false
name_lookup_time: 0.000513
pretransfer_time: 0.0
request: !ruby/object:Typhoeus::Request 
  after_complete: 
  auth_method: 
  body: 
  ...

All this means that something is wrong. So, what I have to do to avoid the "Peer certificate cannot be authenticated with known CA certificates" warning and make the HTTPS request to work? Where is\are the error\errors (I think in the Apache configuration, but where?!)?

P.S.: if you need some more info, let me know.

© Stack Overflow or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about ruby-on-rails

Related posts about ruby

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle