annoying SSL

torontob

#1
Hi everyone,

I searched and followed a few tutorials on how to self-sign an SSL certificate in order to avoid receiving those annoying "accept certificate" or "add exception" prompts in Firefox, but they don't seem to work. Is it even possible to get rid of those without buying an SSL certificate and still keeping SSL on?

Some clients trying to reach the main sign-up page for a2billing encounter this annoying message. What can be done, if anything?

Thanks
 

sasben2

#2
A self-signed cert will always display a warning message unless you or your clients add the cert into their root certificate authority store.

If you really want to service clients, look to get your SSL certified.
 

torontob

#3
Thanks for the clarification.

1- Who provides the cheapest and the easiest to install certificate?
2- Also what is involved in the procedure of certifying?
3- Do you have to prove your address?
4- Is it a time-consuming process?
5- Can I temporarily use the server without SSL?
6- How to turn off SSL temporarily?


Thanks again
 

rejil.rajan

#4
You can disable SSL by placing the line

"RewriteEngine Off"

in the httpd.conf file
 

ramoncio

#5
For 1, 2, 3 and 4: Search Google. You can get different types of certificates depending on your needs. The process time and requirements depend on your certificate provider, but it's quite fast usually.

For 5 and 6: yes, you can use the server without an SSL certificate, but if you access the Elastix box from the outside without https or a VPN it would be quite easy for a hacker to get your passwords. If you need remote access using the internet you should have a look at how to install OpenVPN or some other VPN server.
To cancel the https redirection you should comment out or delete the last 6 lines in /etc/httpd/conf.d/elastix.conf
Or you can do as rejil.rajan tells you, the results are the same.
 

Patrick_elx

#6
You can sign your SSL certificate at http://www.cacert.org

It's a free Certification Authority.

Their root certificate is not in all browsers yet, but you can import it yourself as many servers are using them.

It's an open source alternative to paid SSL services.
 

torontob

#7
Thanks for the input guys. I thought that getting a certificate is a time-consuming process as you have to fax your documents, address, corporation papers, etc.?

I have checked cacert.org already. What do you mean by it's not in all browsers? So even if I do cacert my clients still get the same result? Then what is the point of cacert?

Thanks again
 

Patrick_elx

#8
If you use your self-signed certificate (or the one created during the install), all your clients will have to authorize this cert the first time that they go to your web page. Their browser will download it and that's it.

If you use a cert that is signed by a CA whose root cert is not in your browser already, you will have to download the root cert once, and then you can access all the websites that are using this CA, not only the Elastix server. There is also a chance that your browser already downloaded it before for another website using this CA.

If you use a CA that is in your browser, you will have nothing to download as it will be recognized already.

However, if you use a CA you will have to prove your identity. It takes time and money.

It costs money for a CA to have its roots included in a browser. CAcert is free, they are in the audit process to have it in Mozilla, but I don't think that IE will come soon. http://wiki.cacert.org/wiki/InclusionStatus
 

torontob

#9
Thanks for the response Patrick_elx;

You see, I am forwarding my domain to http://serverip/A2Billing_UI/signup.

I have modified the Signup page a bit so it's my main page as well as signup page for customers. If the main is not reachable immediately by the customer they might be deterred. In fact lots of people think it's a broken link when there is a certificate error.

I kind of get what you explained but now I am wondering which CAs are available on all browsers? Would the certificates from GoDaddy do? Or do you mean that the CA is something that can be downloaded per computer and is independent of the browser but specific to the computer? For example, if I have a cert from cacert.org and my client accepts it and then goes to your website and you are using cacert.org as well then they won't see the notification again?

Thanks for bearing with me. :)
 

Patrick_elx

#10
torontob said:
> Thanks for the response Patrick_elx;
>
> If the main is not reachable immediately by the customer they might be deterred. In fact lots of people think it's a broken link when there is a certificate error.

I know, we have to educate them about it.
Usually I'm making a help page to explain basics of CA and how to download the CAcert root.

> I kind of get what you explained but now I am wondering which CAs are available on all browsers?

The most expensive ones...
For example here's the Mozilla list:
http://www.mozilla.org/projects/security/certs/

> Would the certificates from GoDaddy do?

Yes, I think they are included in almost all browsers.

> Or do you mean that the CA is something that can be downloaded per computer and is independent of the browser but specific to the computer?

A root certificate is browser agnostic, the problem is that each browser has its own way of storing certificates (different file, db, etc...).
You will probably have to download the certificate in each browser individually.

> For example, if I have a cert from cacert.org and my client accepts it and then goes to your website and you are using cacert.org as well then they won't see the notification again?

No, if they accept/download your website certificate (not the cacert root), it will only be valid for your website.

However, if you put a link to ask them to download/install the CAcert root certificate, it will work for your site and mine and all other certs signed by the CAcert root.
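
The difference described in the post above, between accepting one site's certificate and importing a CA root, can be reproduced locally with the openssl command line. This is an added example, not part of the thread: the CA name, site names and file names are constructed, and a throwaway local root stands in for a real CA root.

```shell
#!/bin/sh
# Added example: every key, name and file below is a throwaway value constructed here.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config so the result does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# self_signed PREFIX CN: a certificate that is its own issuer.
self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config demo.cnf \
        -extensions v3_ca -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# ca_signed PREFIX CN: a site certificate issued by root.pem.
ca_signed() {
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -out "$1.pem" 2>/dev/null
}

# trusts STORE CERT: succeeds only if CERT chains to a certificate in STORE.
# -no-CApath keeps the system certificate directory out of the decision.
trusts() { openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; }

report() {  # report STORE CERT DESCRIPTION
    if trusts "$1" "$2"; then echo "no warning: $3"; else echo "WARNING:    $3"; fi
}

self_signed root   "Example Root CA"   # stands in for a CA root such as CAcert's
self_signed self-a "site-a.example"    # self-signed site certificate
ca_signed   ca-a   "site-a.example"    # two different sites, one issuing root
ca_signed   ca-b   "site-b.example"

report root.pem   self-a.pem "self-signed site cert, client only knows the root"
report self-a.pem self-a.pem "self-signed site cert after the client accepted it"
report self-a.pem ca-b.pem   "other site, client only accepted site A's cert"
report root.pem   ca-a.pem   "site A cert, client imported the root"
report root.pem   ca-b.pem   "site B cert, same imported root"
```
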
 

Patrick_elx

#11
I forgot to mention also http://www.startssl.com that is providing free ssl cert and their root cert is included in IE.
 

torontob

#12
Thanks again for the clarification. This is from CACERT and just pointing to it requires a certificate acceptance:

https://www.cacert.org/index.php?id=1

I guess I will turn off SSL for now with a server that is on Amazon Ec2 which should be fine because I have ssh private key. I am hoping accessing the GUI wouldn't be really unsecure by not using SSL until I figure out all the SSL stuff?!

Thanks again
 

torontob

#13
Hello,

Doing the following didn't turn off the SSL. Is there any other config I have to change in order to turn off SSL?


"RewriteEngine Off"
in the httpd.conf file


Above didn't work.

Thanks
 

Patrick_elx

#14
It's not in the httpd.conf anymore, but in one of the subfolders. I think it's called elastix.conf or something close to that (sorry, I'm on vacation far away from my server)...

After changing the file, you need to do a
httpd -k restart
 

torontob

#15
hmm....no elastix.conf found either.

Can anyone confirm where RewriteEngine Off should go in order to turn off SSL support?

Thanks
 

dicko

#16
grep -Hir rewrite /etc/httpd/*conf*

should give you a clue.
 

torontob

#17
/etc/httpd/conf.d/ssl-redirect.conf is the key file. Thanks Dicko and Patrick_elx.
 

leungda

#18
You can have StartSSL and it is free. The question is how to install SSL cert into the elastix box
 
