Activity log for bug #1403552

Date | Who | What changed | Old value | New value | Message
2014-12-17 15:42:27 | Jacob Gustafson | bug | | | added bug
2014-12-17 15:59:28 | Peter Matulis | information type | Private Security | Public |
2014-12-18 16:46:42 Jacob Gustafson description Hello, please consider this a documentation issue and resolve: The page https://help.ubuntu.com/lts/serverguide/certificates-and-security.html does not say which file can be used as a certificate chain, such as for the value of SSLCertificateChainFile in /etc/apache2/sites-enabled/default-ssl -- I can not find any information on this issue, and some browsers apparently block the action not only because it is self-signed, but because the browser also notices that there is not complete information about the server since apache was not given a chain file (PEM format). Apache says it wants it a "pem-encoded" file, so one could blindly add the pem file generated during the "Certification Authority" section, but the ubuntu server guide page on Certificates and Security (first link mentioned) does not say which can be used as a chain file or how to generate a certificate chain file. Following the instructions on that server guide page on the Ubuntu site and assuming the pem file can be given to apache may or may not be a security risk, and it is the only pem file that the server guide page gives instructions on how to generate. Feel free to uncheck this as a security risk if following the server guide page then giving that pem file to apache does not result a security risk, however please update that page to mention that is a chain file or to mention how to generate a chain file. 
Hello, please consider this a documentation issue and resolve: The Ubuntu server guide page "Certificates and Security" at https://help.ubuntu.com/lts/serverguide/certificates-and-security.html does not say which file can be used as a certificate chain, such as for the value of SSLCertificateChainFile in /etc/apache2/sites-enabled/default-ssl.conf -- I can not find any information on this issue, and some browsers apparently block the action not only because it is self-signed, but because the browser also notices that there is not complete information about the server since Apache was not given a chain file (PEM format). Apache says it wants it a "pem-encoded" file, so one could blindly add the pem file generated during the "Certification Authority" section of the page, which does not say whether that is a certificate chain file or how to generate a certificate chain file. Following the instructions and assuming the pem file can be given to Apache may or may not be a security risk, and it is the only pem file that the page gives instructions on how to generate. Feel free to uncheck this as a security risk if following the server guide page then giving that pem file to Apache does not result a security risk, however please update the page to mention that the pem file is a chain file that can be used for the value of SSLCertificateChainFile in /etc/apache2/sites-enabled/default-ssl.conf or to mention how to generate a chain file.
2014-12-19 15:15:10 Jacob Gustafson description Hello, please consider this a documentation issue and resolve: The Ubuntu server guide page "Certificates and Security" at https://help.ubuntu.com/lts/serverguide/certificates-and-security.html does not say which file can be used as a certificate chain, such as for the value of SSLCertificateChainFile in /etc/apache2/sites-enabled/default-ssl.conf -- I can not find any information on this issue, and some browsers apparently block the action not only because it is self-signed, but because the browser also notices that there is not complete information about the server since Apache was not given a chain file (PEM format). Apache says it wants it a "pem-encoded" file, so one could blindly add the pem file generated during the "Certification Authority" section of the page, which does not say whether that is a certificate chain file or how to generate a certificate chain file. Following the instructions and assuming the pem file can be given to Apache may or may not be a security risk, and it is the only pem file that the page gives instructions on how to generate. Feel free to uncheck this as a security risk if following the server guide page then giving that pem file to Apache does not result a security risk, however please update the page to mention that the pem file is a chain file that can be used for the value of SSLCertificateChainFile in /etc/apache2/sites-enabled/default-ssl.conf or to mention how to generate a chain file. 
Hello, please consider this a documentation issue and resolve: The Ubuntu server guide page "Certificates and Security" at https://help.ubuntu.com/lts/serverguide/certificates-and-security.html does not say which file can be used as a certificate chain, such as for the value of SSLCertificateChainFile in /etc/apache2/sites-enabled/default-ssl.conf -- I can not find any information on this issue, and some browsers apparently block the action (even though users would normally just store an exception for a self-signed certificate, the browser also notices that there is not complete information about the server since Apache was not given a chain file PEM format--this browser issue is reported by some people on the internet when searching google for "chain file required apache"). Apache says it wants "a file containing the concatenation of PEM encoded CA certificates which form the certificate chain for the server certificate", so one could blindly add the pem file generated during the "Certification Authority" section of the page, which does not say whether that is a certificate chain file or how to generate a certificate chain file. Following the instructions and assuming the pem file can be given to Apache may or may not be a security risk, and it is the only pem file that the page gives instructions on how to generate. Feel free to uncheck this as a security risk if following the server guide page then giving that pem file to Apache does not result a security risk, however please update the page to mention that the pem file is a chain file that can be used for the value of SSLCertificateChainFile in /etc/apache2/sites-enabled/default-ssl.conf or to mention how to generate a chain file.
2014-12-19 15:18:11 Jacob Gustafson description Hello, please consider this a documentation issue and resolve: The Ubuntu server guide page "Certificates and Security" at https://help.ubuntu.com/lts/serverguide/certificates-and-security.html does not say which file can be used as a certificate chain, such as for the value of SSLCertificateChainFile in /etc/apache2/sites-enabled/default-ssl.conf -- I can not find any information on this issue, and some browsers apparently block the action (even though users would normally just store an exception for a self-signed certificate, the browser also notices that there is not complete information about the server since Apache was not given a chain file PEM format--this browser issue is reported by some people on the internet when searching google for "chain file required apache"). Apache says it wants "a file containing the concatenation of PEM encoded CA certificates which form the certificate chain for the server certificate", so one could blindly add the pem file generated during the "Certification Authority" section of the page, which does not say whether that is a certificate chain file or how to generate a certificate chain file. Following the instructions and assuming the pem file can be given to Apache may or may not be a security risk, and it is the only pem file that the page gives instructions on how to generate. Feel free to uncheck this as a security risk if following the server guide page then giving that pem file to Apache does not result a security risk, however please update the page to mention that the pem file is a chain file that can be used for the value of SSLCertificateChainFile in /etc/apache2/sites-enabled/default-ssl.conf or to mention how to generate a chain file. 
Hello, please consider this a documentation issue and resolve: The Ubuntu server guide page "Certificates and Security" at https://help.ubuntu.com/lts/serverguide/certificates-and-security.html does not say which file can be used as a certificate chain, such as for the value of SSLCertificateChainFile in /etc/apache2/sites-enabled/default-ssl.conf -- I can not find any information on this issue, and some browsers apparently block the action (even though users would normally just store an exception for a self-signed certificate, the browser also notices that there is not complete information about the server since Apache was not given a chain file PEM format--this browser issue is reported by some people on the internet when searching google for "chain file required apache"). Apache says it wants "a file containing the concatenation of PEM encoded CA certificates which form the certificate chain for the server certificate", so one could blindly add the pem file generated during the "Certification Authority" section of the page, which does not say whether that is a certificate chain file or how to generate a certificate chain file. Following the instructions and assuming the pem file can be given to Apache may or may not be a security risk, and it is the only pem file that the page gives instructions on how to generate (feel free to uncheck this as a security risk if following the server guide page then giving that pem file to Apache does not result a security risk). Please update the page on ubuntu.com (link above) to clarify that the pem file is a chain file that can be used for the value of SSLCertificateChainFile in /etc/apache2/sites-enabled/default-ssl.conf or to clarify how to generate a chain file.