Index: openacs-4/packages/acs-core-docs/www/install-ssl.adp =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/install-ssl.adp,v diff -u -r1.4.2.4 -r1.4.2.5 --- openacs-4/packages/acs-core-docs/www/install-ssl.adp 27 Apr 2022 16:52:20 -0000 1.4.2.4 +++ openacs-4/packages/acs-core-docs/www/install-ssl.adp 13 Jul 2023 12:43:21 -0000 1.4.2.5 @@ -1,11 +1,11 @@ -{/doc/acs-core-docs {ACS Core Documentation}} {Installing SSL Support for an OpenACS service} +{/doc/acs-core-docs/ {ACS Core Documentation}} {Installing SSL Support for an OpenACS service} Installing SSL Support for an OpenACS service

@@ -14,12 +14,14 @@ openssl before proceeding.

  1. Make sure nsopenssl.so is installed for AOLserver.

  2. -

    Uncomment this line from config.tcl.

    #ns_param   nsopenssl       ${bindir}/nsopenssl.so
+
    Uncomment this line from config.tcl.
    +#ns_param   nsopenssl       ${bindir}/nsopenssl.so

  3. Prepare a -certificate directory for the service.

    [$OPENACS_SERVICE_NAME etc]$ mkdir /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certs
+certificate directory for the service.
    +[$OPENACS_SERVICE_NAME etc]$ mkdir /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certs
 [$OPENACS_SERVICE_NAME etc]$ chmod 700 /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certs
 [$OPENACS_SERVICE_NAME etc]$ 
 mkdir /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certs
@@ -40,37 +42,46 @@
 in most browsers, albeit with pop-up messages.
    Use an OpenSSL perl script to generate a certificate and
 key.
    Debian users: use /usr/lib/ssl/misc/CA.pl instead of
 /usr/share/ssl/CA
    macOS users: use perl /System/Library/OpenSSL/misc/CA.pl
--newcert instead of /usr/share/ssl/CA
    [$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ cd /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certs
+-newcert instead of /usr/share/ssl/CA
    +[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ cd /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/certs
 [$OPENACS_SERVICE_NAME certs]$ perl /usr/share/ssl/misc/CA -newcert
 Using configuration from /usr/share/ssl/openssl.cnf
 Generating a 1024 bit RSA private key
 ...++++++
 .......++++++
 writing new private key to 'newreq.pem'
-Enter PEM pass phrase:
    Enter a pass phrase for the CA certificate. Then, answer the
-rest of the questions. At the end you should see this:
    Certificate (and private key) is in newreq.pem
-[$OPENACS_SERVICE_NAME certs]$
    
+Enter PEM pass phrase:
+
    Enter a pass phrase for the CA certificate. Then, answer the
+rest of the questions. At the end you should see this:
    +Certificate (and private key) is in newreq.pem
+[$OPENACS_SERVICE_NAME certs]$
+
    
 newreq.pem contains our
 certificate and private key. The key is protected by a passphrase,
 which means that we'll have to enter the pass phrase each time
 the server starts. This is impractical and unnecessary, so we
 create an unprotected version of the key. Security implication: if anyone gets
 access to the file keyfile.pem, they effectively own the key as
 much as you do. Mitigation: don't use this key/cert combo for
-anything besides providing ssl for the web site.
    [root misc]# openssl rsa -in newreq.pem -out keyfile.pem
+anything besides providing ssl for the web site.
    +[root misc]# openssl rsa -in newreq.pem -out keyfile.pem
 read RSA key
 Enter PEM pass phrase:
 writing RSA key
-[$OPENACS_SERVICE_NAME certs]$ 
    To create the certificate file, we take the combined file, copy
-it, and strip out the key.
    [$OPENACS_SERVICE_NAME certs]$ cp newreq.pem certfile.pem
+[$OPENACS_SERVICE_NAME certs]$ 
+
    To create the certificate file, we take the combined file, copy
+it, and strip out the key.
    +[$OPENACS_SERVICE_NAME certs]$ cp newreq.pem certfile.pem
 [root misc]# emacs certfile.pem
-
    Strip out the section that looks like
    -----BEGIN RSA PRIVATE KEY-----
+
    Strip out the section that looks like
    +-----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
 DEK-Info: DES-EDE3-CBC,F3EDE7CA1B404997
 S/Sd2MYA0JVmQuIt5bYowXR1KYKDka1d3DUgtoVTiFepIRUrMkZlCli08mWVjE6T
 (11 lines omitted)
 1MU24SHLgdTfDJprEdxZOnxajnbxL420xNVc5RRXlJA8Xxhx/HBKTw==
------END RSA PRIVATE KEY-----
    
+-----END RSA PRIVATE KEY-----
+

  4. If you start up using the etc/daemontools/run script, you will need to edit this script to make sure the ports are bound for SSL. Details of this are in the run script.