RHCE Series: Implementing HTTPS through TLS using Network Security Service (NSS) for Apache – Part 8



Gabriel Cánepa

Gabriel Cánepa is a GNU/Linux sysadmin and web developer from Villa Mercedes, San Luis, Argentina. He works for a worldwide leading consumer product company and takes great pleasure in using FOSS tools to increase productivity in all areas of his daily work.



10 Responses

  1. Amit says:

    whenever I come across this step, I get the below error. I am running a VM, and tried creating 3 different VMs and loading fresh OS, but still no luck. Any help on this?

    SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: The certificate was signed using a signature algorithm that is disabled because it is not secure.
    certutil: unable to create cert (The certificate was signed using a signature algorithm that is disabled because it is not secure.)

    The output below is from running the connectivity test:

    -----END CERTIFICATE-----
    subject=/C=US/O=example.com/CN=tecmint.linuxnewz.com
    issuer=/C=US/O=example.com/CN=Certificate Shack

    No client certificate CA names sent
    Server Temp Key: ECDH, P-256, 256 bits

    SSL handshake has read 2136 bytes and written 315 bytes

    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1
    Cipher : ECDHE-RSA-AES256-SHA
    Session-ID: 064C3C977F424BBB10EAFF2AF8012D243F517B9AB8B235DC8BE4EF7C1EF81E65
    Session-ID-ctx:
    Master-Key: F99E9AE9C79952C4AB875DB2C8039F1AB3F8A93195607F6118491EBDB4EB261645B1A6E1E3F28EA81B691325D741E63E
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1526052089
    Timeout : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

  2. Tanveer says:

    Does NSS work with keys from Let's Encrypt? If yes, how can we place the key file, since the certificate is looked for in /etc/httpd/alias?

  3. Tanveer says:

    In the last step, it asks me for a password. I did not set any password; in fact, I am setting it now.

    # certutil -W -d /etc/httpd/alias/
    Enter Password or Pin for "NSS Certificate DB":
    Invalid password.  Try again.
    Enter Password or Pin for "NSS Certificate DB":
    

    Can you please help. I followed the steps mentioned here.

  4. Tomas says:

    Just a quick tip, you can pass multiple services:

    # firewall-cmd --permanent --add-service={http,https}

    It does save you time during the exam.

  5. Harmon20 says:

    I’m using this as a step-by-step recipe and ran into some problems. I’ll post them as I found them to help anyone else who ran into difficulty because of being as ignorant of what they were doing as I was.

    In the step where specifying listening ports in the nss.conf file, the Virtual host line is in gt and lt brackets, XML style. Leave the gt/lt brackets in place; do not remove them so that the line in your nss.conf file looks exactly like the line shown on this page.

    In step 5 of NSS Config, when running certutil I was prompted for a password. I tried for a couple days to get it right and it was always invalid. I discovered after trial-and-much-error that the first time through I had to just hit Enter for a blank password, then I was prompted for the new one. I then entered the password from step 2(b).

    Regarding step 2(b): It should be stated that after step 2(a) is accomplished the editor should be exited to save nss.conf, then proceed to step 2(b).

    After I created my cert my server still handed out the default cert rather than the one I’d generated. It was not stated in the instructions, but I had to go back into nss.conf, find the virtual host section, find the line that starts “NSSNickname” and replace it with the name of the cert I’d generated. In this example it was named “box1”. (ignore all quotes, in practice)

    • @Harmon20,
      Please know how much we appreciate your involvement and your time to point this out. Thank you for sharing your findings with the rest of the community.

      • Aidin says:

        Hi Gabriel
        Can you please add this NSSNickname to the article? I didn’t check the comments and, like Harmon20, had to check the nss.conf file to find it.

        Thanks for your great effort.

        Regards,
        Aidin
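
The NSSNickname issue Harmon20 and Aidin describe is easy to catch before restarting httpd: the nickname that nss.conf hands to mod_nss must be the nickname of the certificate you generated, and that nickname must exist in the NSS database. The script below is an added example written for this page, not code from the TecMint article or from the commenters. It assumes the mod_nss configuration lives at /etc/httpd/conf.d/nss.conf and the database at /etc/httpd/alias (the path the comments refer to); the nss.conf fragment and the `certutil -L` listing it checks are constructed samples embedded inline, using Server-Cert (the nickname in mod_nss's stock nss.conf) and box1 (the nickname from Harmon20's comment).

```shell
#!/bin/sh
# Added example for this page (not code from the TecMint article or its
# commenters). Verifies that the NSSNickname directive in nss.conf names the
# certificate you generated, and that the NSS database actually holds it.
# On a real host feed the functions the contents of
#   /etc/httpd/conf.d/nss.conf           (assumed path of the mod_nss config)
#   certutil -L -d /etc/httpd/alias      (the database the comments refer to)
# Here both inputs are constructed samples so the script runs offline.

# Print the first NSSNickname value in an nss.conf body read from stdin,
# with surrounding whitespace and optional quotes stripped.
nss_nickname() {
    awk '$1 == "NSSNickname" {
            sub(/^[[:space:]]*NSSNickname[[:space:]]+/, "")
            sub(/[[:space:]]+$/, "")
            gsub(/^"|"$/, "")
            print
            exit
         }'
}

# Exit 0 if nickname $1 appears in `certutil -L` output read from stdin.
# certutil prints two header lines, then one line per certificate:
# nickname, padding, trust flags such as "u,u,u" or "CTu,Cu,Cu".
db_has_nickname() {
    awk -v want="$1" 'NR > 2 {
            sub(/[[:space:]]+[A-Za-z,]+$/, "")   # drop the trust-flag column
            if ($0 == want) found = 1
        }
        END { exit !found }'
}

# check_nickname EXPECTED NSS_CONF_TEXT CERTUTIL_LISTING
# Returns 0 when nss.conf names EXPECTED and the DB contains it,
#         1 when nss.conf still names a different certificate,
#         2 when nss.conf has no NSSNickname directive at all,
#         3 when EXPECTED is configured but missing from the DB.
check_nickname() {
    expected="$1"; conf="$2"; listing="$3"
    nick=$(printf '%s\n' "$conf" | nss_nickname)
    if [ -z "$nick" ]; then
        echo "nss.conf has no NSSNickname directive"
        return 2
    fi
    if [ "$nick" != "$expected" ]; then
        echo "MISMATCH: nss.conf still names '$nick', not '$expected'; the default cert will be served"
        return 1
    fi
    if ! printf '%s\n' "$listing" | db_has_nickname "$expected"; then
        echo "MISSING: '$expected' is configured but not in the NSS DB"
        return 3
    fi
    echo "OK: nss.conf names '$expected' and the NSS DB contains it"
    return 0
}

# Constructed sample: the virtual host still names Server-Cert (mod_nss's
# default nickname) although the admin generated a certificate named box1.
SAMPLE_CONF='<VirtualHost _default_:443>
ServerName www.example.com:443
NSSEngine on
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
</VirtualHost>'

# Constructed `certutil -L -d /etc/httpd/alias` listing.
SAMPLE_DB='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert                                                       CTu,Cu,Cu
Server-Cert                                                  u,u,u
box1                                                         u,u,u'

# The same fragment after the fix Harmon20 describes.
FIXED_CONF=$(printf '%s\n' "$SAMPLE_CONF" | sed 's/^NSSNickname Server-Cert$/NSSNickname box1/')

# Stand-alone demo: the unedited config is reported, the edited one passes.
check_nickname box1 "$SAMPLE_CONF" "$SAMPLE_DB" || true
check_nickname box1 "$FIXED_CONF" "$SAMPLE_DB" || true
```

On a live system, `check_nickname box1 "$(cat /etc/httpd/conf.d/nss.conf)" "$(certutil -L -d /etc/httpd/alias)"` gives the answer before `systemctl restart httpd`; a non-zero return means the handshake will still present the old certificate.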

  6. Jalal Hajigholamali says:

    Hi,
    Very useful article
    thanks a lot
