Trouble on setting SSL certificates for Virtual Hosts using Apache\Phusion Passenger in localhost
- by user502052
I am using Ruby on Rails 3 and I would like to make to work HTTPS connections on localhost.
I am using:
Apache v2 + Phusion Passenger
Mac OS + Snow Leopard v10.6.6
My Ruby on Rails installation use the Typhoeus gem (it is possible to use the Ruby net\http library but the result doesn't change) to make HTTP requests over HTTPS.
I created self-signed ca.key, pjtname.crt and pjtname.key as detailed on the Apple website.
Notice: Following instruction from the Apple website, on running the openssl req -new -key server.key -out server.csr command (see the link) at this point
Common Name (eg, YOUR name) []: (this is the important one)
I entered *pjtname.com so that is valid for all sub_domain of that site.
In my Apache httpd.conf I have two virtual hosts configured in this way:
# Secure (SSL/TLS) connections
#Include /private/etc/apache2/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Include /private/etc/apache2/other/*.conf
# Passenger configuration
LoadModule passenger_module /Users/<my_user_name>/.rvm/gems/ruby-1.9.2-p136/gems/passenger-3.0.2/ext/apache2/mod_passenger.so
PassengerRoot /Users/<my_user_name>/.rvm/gems/ruby-1.9.2-p136/gems/passenger-3.0.2
PassengerRuby /Users/<my_user_name>/.rvm/wrappers/ruby-1.9.2-p136/ruby
# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off
# Ensure that Apache listens on port 443
Listen 443
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:80
NameVirtualHost *:443
#
# PJTNAME.COM and subdomains SETTING
#
<VirtualHost *:443>
# Because this virtual host is defined first, it will
# be used as the default if the hostname is not received
# in the SSL handshake, e.g. if the browser doesn't support
# SNI.
ServerName pjtname.com:443
DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public"
ServerAdmin [email protected]
ErrorLog "/private/var/log/apache2/error_log"
TransferLog "/private/var/log/apache2/access_log"
RackEnv development
<Directory "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public">
Order allow,deny
Allow from all
</Directory>
# SSL Configuration
SSLEngine on
# Self Signed certificates
# Server Certificate
SSLCertificateFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.crt
# Server Private Key
SSLCertificateKeyFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.key
# Server Intermediate Bundle
SSLCertificateChainFile /private/etc/apache2/ssl/wildcard.certificate/ca.crt
</VirtualHost>
# HTTP Setting
<VirtualHost *:80>
ServerName pjtname.com
DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public"
RackEnv development
<Directory "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public">
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName users.pjtname.com:443
DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public"
ServerAdmin [email protected]
ErrorLog "/private/var/log/apache2/error_log"
TransferLog "/private/var/log/apache2/access_log"
RackEnv development
<Directory "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public">
Order allow,deny
Allow from all
</Directory>
# SSL Configuration
SSLEngine on
# Self Signed certificates
# Server Certificate
SSLCertificateFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.crt
# Server Private Key
SSLCertificateKeyFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.key
# Server Intermediate Bundle
SSLCertificateChainFile /private/etc/apache2/ssl/wildcard.certificate/ca.crt
</VirtualHost>
# HTTP Setting
<VirtualHost *:80>
ServerName users.pjtname.com
DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public"
RackEnv development
<Directory "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public">
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
In the host file I have:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
# PJTNAME.COM SETTING
127.0.0.1 pjtname.com
127.0.0.1 users.pjtname.com
All seems to work properly because I have already set everything (I think correctly):
I generated a wildcard certificate for my domains and sub-domains (in this example: *.pjtname.com)
I have set base-named virtualhosts in the http.conf file listening on port :433 and :80
My browser accept certificates also if it alerts me that those aren't safe (notice: I must accept certificates for each domain\sub-domain; that is, [only] at the first time I access a domain or sub-domain over HTTPS I must do the same procedure for acceptance) and I can have access to pages using HTTPS
After all this work, when I make a request using Typhoeus (I can use also the Ruby Net::Http library and the result doesn't change) from the pjtname.com RoR application:
# Typhoeus request
Typhoeus::Request.get("https://users.pjtname.com/")
I get something like a warning about the certificate:
--- &id001 !ruby/object:Typhoeus::Response
app_connect_time: 0.0
body: ""
code: 0
connect_time: 0.000625
# Here is the warning
curl_error_message: Peer certificate cannot be authenticated with known CA certificates
curl_return_code: 60
effective_url: https://users.pjtname.com/
headers: ""
http_version:
mock: false
name_lookup_time: 0.000513
pretransfer_time: 0.0
request: !ruby/object:Typhoeus::Request
after_complete:
auth_method:
body:
...
All this means that something is wrong. So, what I have to do to avoid the "Peer certificate cannot be authenticated with known CA certificates" warning and make the HTTPS request to work? Where is\are the error\errors (I think in the Apache configuration, but where?!)?
P.S.: if you need some more info, let me know.