annoying SSL

Discussion in 'General' started by torontob, Jul 30, 2009.

  1. torontob

    Joined:
    May 18, 2008
    Messages:
    219
    Likes Received:
    0
    Hi everyone,

    I searched and followed a few tutorials on how to self-sign an SSL certificate in order to avoid receiving those annoying "accept certificate" or "add exception" prompts in Firefox, but they don't seem to work. Is it even possible to get rid of those without buying an SSL certificate and still keeping SSL on?

    Some clients trying to reach the main sign-up page for a2billing encounter this annoying message. What can be done, if anything?

    Thanks
     
  2. sasben2

    Joined:
    Jul 24, 2009
    Messages:
    14
    Likes Received:
    0
    A self-signed cert will always display a warning message unless you or your clients add the cert into their root certificate authority store.

    If you really want to service clients, look to get your SSL certified.
     
  3. torontob

    Joined:
    May 18, 2008
    Messages:
    219
    Likes Received:
    0
    Thanks for the clarification.

    1- Who provides the cheapest and the easiest to install certificate?
    2- Also, what is involved in the procedure of certifying?
    3- Do you have to prove your address?
    4- Is it a time-consuming process?
    5- Can I temporarily use the server without SSL?
    6- How to turn off SSL temporarily?


    Thanks again
     
  4. rejil.rajan

    Joined:
    Apr 8, 2007
    Messages:
    154
    Likes Received:
    0
    You can disable SSL by placing the line

    "RewriteEngine Off"

    in the httpd.conf file
     
  5. ramoncio

    Joined:
    May 12, 2010
    Messages:
    1,663
    Likes Received:
    0
    For 1, 2, 3 and 4: Search Google. You can get different types of certificates depending on your needs. The process time and requirements depend on your certificate provider, but it's quite fast usually.

    For 5 and 6: yes, you can use the server without an SSL certificate, but if you access the Elastix box from the outside without https or a VPN it would be quite easy for a hacker to get your passwords. If you need remote access using the internet you should have a look at how to install OpenVPN or some other VPN server.
    To cancel the https redirection you should comment out or delete the last 6 lines in /etc/httpd/conf.d/elastix.conf
    Or you can do as rejil.rajan tells you, the results are the same.
     
  6. Patrick_elx

    Joined:
    Dec 14, 2008
    Messages:
    1,120
    Likes Received:
    0
    You can sign your SSL certificate at http://www.cacert.org

    It's a free Certification Authority.

    Their root certificate is not in all browsers yet, but you can import it yourself as many servers are using them.

    It's an open source alternative to paid SSL services.
     
  7. torontob

    Joined:
    May 18, 2008
    Messages:
    219
    Likes Received:
    0
    Thanks for the input, guys. I thought that getting a certificate is a time-consuming process, as you have to fax your documents, address, corporation papers, etc.?

    I have checked cacert.org already. What do you mean by it's not in all browsers? So even if I do CAcert, my clients still get the same result? Then what is the point of CAcert?

    Thanks again
     
  8. Patrick_elx

    Joined:
    Dec 14, 2008
    Messages:
    1,120
    Likes Received:
    0
    If you use your self-signed certificate (or the one created during the install), all your clients will have to authorize this cert the first time that they go to your web page. Their browser will download it and that's it.


    If you use a cert that is signed by a CA whose root cert is not in your browser already, you will have to download the root cert once, and then you can access all the websites that are using this CA, not only the Elastix server. There is also a chance that your browser already downloaded it before for another website using this CA.

    If you use a CA that is in your browser, you will have nothing to download as it will be recognized already.

    However, if you use a CA you will have to prove your identity. It takes time and money.

    It costs money for a CA to have its roots included in a browser. CAcert is free, they are in the audit process to have it in Mozilla, but I don't think that IE will come soon. http://wiki.cacert.org/wiki/InclusionStatus
     
  9. torontob

    Joined:
    May 18, 2008
    Messages:
    219
    Likes Received:
    0
    Thanks for the response, Patrick_elx;

    You see, I am forwarding my domain to http://serverip/A2Billing_UI/signup.

    I have modified the Signup page a bit so it's my main page as well as signup page for customers. If the main page is not reachable immediately by the customer they might be deterred. In fact lots of people think it's a broken link when there is a certificate error.

    I kind of get what you explained but now I am wondering which CAs are available on all browsers? Would the certificates from GoDaddy do? Or do you mean that the CA is something that can be downloaded per computer and is independent of the browser but specific to the computer? For example, if I have a cert from cacert.org and my client accepts it and then goes to your website and you are using cacert.org as well, then they won't see the notification again?

    Thanks for bearing with me. :)
     
  10. Patrick_elx

    Joined:
    Dec 14, 2008
    Messages:
    1,120
    Likes Received:
    0
    No, if they accept/download your website certificate (not the CAcert root), it will only be valid for your website.

    However, if you put a link to ask them to download/install the CAcert root certificate, it will work for your site and mine and all other certs signed by the CAcert root.
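
Added example, not part of the thread: the difference described in the post above between accepting one site's certificate and importing a CA root, reproduced with the openssl command line. The root CA, the site-a.example and site-b.example names and the helper functions are constructed for the demo; `-partial_chain` stands in for a browser's per-site exception.

```shell
#!/bin/sh
# Constructed throwaway PKI: one root (standing in for a CA such as CAcert)
# and two site certificates signed by it. All names are hypothetical.
build_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA (constructed)" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
    for site in site-a site-b; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$site.example" \
            -keyout "$d/$site.key" -out "$d/$site.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$site.csr" -days 1 \
            -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
            -out "$d/$site.crt" >/dev/null 2>&1 || return 1
    done
}

# trusted_with ANCHOR CERT: does CERT validate once the client has added
# ANCHOR to its trust store? An empty ANCHOR means "nothing added".
# -partial_chain lets a non-root anchor (a site certificate accepted as a
# per-site exception) terminate the chain.
trusted_with() {
    if [ -n "$1" ]; then
        openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
    else
        openssl verify "$2" >/dev/null 2>&1
    fi
}

report() {
    if trusted_with "$2" "$3"; then r="trusted"; else r="NOT trusted"; fi
    printf '%-40s %s\n' "$1" "$r"
}

demo() {
    d=$(mktemp -d) || return 1
    build_pki "$d" || { rm -rf "$d"; return 1; }
    report "site-a, nothing added:"        ""              "$d/site-a.crt"
    report "site-a, site-a cert accepted:" "$d/site-a.crt" "$d/site-a.crt"
    report "site-b, site-a cert accepted:" "$d/site-a.crt" "$d/site-b.crt"
    report "site-a, root imported:"        "$d/root.crt"   "$d/site-a.crt"
    report "site-b, root imported:"        "$d/root.crt"   "$d/site-b.crt"
    rm -rf "$d"
}

demo
```
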
     
  11. Patrick_elx

    Joined:
    Dec 14, 2008
    Messages:
    1,120
    Likes Received:
    0
    I forgot to mention also http://www.startssl.com that is providing free SSL certs and their root cert is included in IE.
     
  12. torontob

    Joined:
    May 18, 2008
    Messages:
    219
    Likes Received:
    0
    Thanks again for the clarification. This is from CAcert and just pointing to it requires a certificate acceptance:

    https://www.cacert.org/index.php?id=1

    I guess I will turn off SSL for now with a server that is on Amazon EC2, which should be fine because I have an SSH private key. I am hoping accessing the GUI wouldn't be really insecure by not using SSL until I figure out all the SSL stuff?!

    Thanks again
     
  13. torontob

    Joined:
    May 18, 2008
    Messages:
    219
    Likes Received:
    0
    Hello,

    Doing the following didn't turn off the SSL. Is there any other config I have to change in order to turn off SSL?


    "RewriteEngine Off"
    in the httpd.conf file


    Above didn't work.

    Thanks
     
  14. Patrick_elx

    Joined:
    Dec 14, 2008
    Messages:
    1,120
    Likes Received:
    0
    It's not in the httpd.conf anymore, but in one of the subfolders. I think it's called elastix.conf or something similar (sorry, I'm on vacation far away from my server)...

    After changing the file, you need to do a
    httpd -k restart
     
  15. torontob

    Joined:
    May 18, 2008
    Messages:
    219
    Likes Received:
    0
    hmm....no elastix.conf found either.

    Can anyone confirm where RewriteEngine Off should go in order to turn off SSL support?

    Thanks
     
  16. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    grep -Hir rewrite /etc/httpd/*conf*

    should give you a clue.
     
  17. torontob

    Joined:
    May 18, 2008
    Messages:
    219
    Likes Received:
    0
    /etc/httpd/conf.d/ssl-redirect.conf is the key file. Thanks dicko and Patrick_elx.
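
Added example, not part of the thread: a check of which Apache config files control the HTTP-to-HTTPS redirect and whether it is still enforced, covering both methods mentioned above (`RewriteEngine Off` and commenting out the rule). The sample tree and its file contents are constructed for the demo and are not the real Elastix files; `redirect_status` and `make_sample` are hypothetical helper names.

```shell
#!/bin/sh
# For every *.conf under DIR that mentions mod_rewrite, print
#   <file> engine=<on|off|unset> redirect=<active|commented|none>
# "redirect" means a RewriteRule whose target is an https:// URL. Unlike a
# plain "grep -r rewrite", commented-out rules are reported separately.
redirect_status() {
    find "$1" -type f -name '*.conf' | sort | while IFS= read -r f; do
        awk -v f="$f" '
            { l = tolower($0); sub(/^[ \t]+/, "", l) }
            l ~ /^rewriteengine[ \t]/           { split(l, a, /[ \t]+/); engine = a[2] }
            l ~ /^rewriterule[ \t].*https:\/\// { rule = "active" }
            l ~ /^#[ \t]*rewriterule[ \t].*https:\/\// && rule == "" { rule = "commented" }
            END {
                if (engine == "" && rule == "") exit
                printf "%s engine=%s redirect=%s\n", f,
                       (engine == "" ? "unset" : engine), (rule == "" ? "none" : rule)
            }' "$f"
    done
}

# Constructed sample config tree (illustrative contents only).
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/conf.d"
    printf '%s\n' 'RewriteEngine On' 'RewriteCond %{HTTPS} off' \
        'RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}' \
        > "$d/conf.d/ssl-redirect.conf"
    printf '%s\n' '# RewriteRule ^/old$ https://example.invalid/new' \
        > "$d/conf.d/legacy.conf"
    printf '%s\n' 'Listen 80' > "$d/httpd.conf"
    echo "$d"
}

s=$(make_sample) && redirect_status "$s" && rm -rf "$s"
```

A file reported as `engine=off redirect=active` still contains the rule, but mod_rewrite will not apply it in that context, so plain HTTP is served without being redirected.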
     
  18. leungda

    Joined:
    Sep 12, 2010
    Messages:
    19
    Likes Received:
    0
    You can have StartSSL and it is free. The question is how to install the SSL cert into the Elastix box.
     
