koldfront

https on all my websites, finally

🕥︎ - 2011-02-19

After the successful upgrade to the latest release of Debian, the openssl and Apache packages are finally new enough that it worked when I created a self-signed certificate combined for all the websites on the machine, using subjectAltNames, and configured Apache to use it.

The openssl-users mailing list has a thread on how to configure openssl to create a certificate with subjectAltNames.

... and the Apache Wiki has a page describing SSL with Virtual Hosts using SNI (Server Name Indication).

If Apache says that SSL was initialized twice and that that should never happen, it might be because you have forgotten to put "SSLEngine on" in your port 443 VirtualHosts. At least that helped in my case.
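The certificate step described above, as an added example that is not from the original post or the linked mailing list thread: it generates one self-signed certificate whose subjectAltName lists every hostname, then reads the names back so you can check each site is covered. The hostnames, file names and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: one self-signed certificate covering several hostnames via
# subjectAltName. Hostnames and file names are constructed placeholders.

# make_san_cert DIR HOST [HOST...]
# Writes DIR/openssl.cnf, DIR/key.pem and DIR/cert.pem.
make_san_cert() {
    dir=$1; shift
    first=$1

    # Build "DNS:a, DNS:b, ..." from the hostname arguments.
    sans=""
    for host in "$@"; do
        sans="${sans:+$sans, }DNS:$host"
    done

    cat > "$dir/openssl.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_san

[ dn ]
CN = $first

[ v3_san ]
subjectAltName = $sans
EOF

    # umask keeps the unencrypted private key (-nodes) unreadable to others.
    ( umask 077
      openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
          -config "$dir/openssl.cnf" \
          -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null )
}

# list_sans CERT: print the certificate's subjectAltName value, trimmed.
list_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Usage: sh san-cert.sh /some/dir www.example.org blog.example.org
if [ "$#" -ge 2 ]; then
    make_san_cert "$@" && list_sans "$1/cert.pem"
fi
```

A hostname missing from the printed list will fail name verification in browsers even after the certificate is trusted, so compare the list against every ServerName and ServerAlias served on port 443.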

As an experiment, I have set kammeratadam.dk up so it redirects all http pages to https.

The only annoying thing is the browsers' animosity towards self-signed certificates. Three cheers for the certificate mafia! (OK, the sale of Thawte made it possible for Ubuntu to exist, so it isn't all bad, but still...)

The certificate I use to self-sign with can be found on http://koldfront.dk/cacert.pem - so you can import it into your browser and have it shut the hell up.

Update: I have installed a certificate signed by cacert.org instead. At least users of Debian GNU/Linux, and a handful of other Linux distributions, don't have to do anything now.
