Setting an https certificate with althttpd webserver

Jose Isaias Cabrera jicman at outlook.com
Tue Aug 15 19:16:49 UTC 2023


Greetings.

Sorry for the long email and newbie question, but I am trying to setup an https certificate using althttpd web server (https://sqlite.org/althttpd/) on an ubuntu (Linux web 5.15.0-78-generic #85-Ubuntu SMP Fri Jul 7 15:25:09 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux) server. I posted a support request on their forum, but, they must be very busy and have gotten no reposonse. I thought I would try to figure it out by myself. By the way, this was working a few weeks ago until I change the certificate from a yearly a 5 years certificate. Here is what I do:

1. run this command,
openssl req -new -newkey rsa:2048 -nodes -keyout pda_net.key -out pda_net.csr

2. I use the content of pda_net.key as the key and place its content on the /etc/ssl/private.key which is going to be passed to the althttpd as the key.

3. I use the content of the pda_net.csr to get the certificate

4. Use  the returned certificate (which is correct by checking it with a certificate and key matcher) from the email, and insert it in my certificate file, /etc/ssl/certificate.crt, and restart xinetd to reload althttpd with the new key and certificate.

That worked before. Now, it does not work. I have done this over 10 times, in the last 10 days, and I always get:

NET::ERR_CERT_AUTHORITY_INVALID

These are the group, user and rights for the certificate and key:

jic at web:~$ ls -l /etc/ssl
total 52
-rw-rw-r-- 1 root root  2333 Aug 14 20:34 ca_bundle.crt
-rw-r--r-- 1 root root  2333 Aug 14 17:39 certificate.crt
drwxr-xr-x 2 root root 20480 May 26 06:40 certs
-rw-r--r-- 1 root root 12419 Jul  4  2022 openssl.cnf
drwx------ 2 root root  4096 May 19  2017 private
-rw-r--r-- 1 root root  1704 Aug 14 17:33 private.key

And this is the group, user and rights for the website files

jic at web:~$ ls -l w/default.website/
total 376
drwxrwxr-x 2 jic www-data   4096 May  5 17:46 d
drwxrwxr-x 2 jic www-data   4096 Dec 30  2021 f
-rwxrwxr-x 1 jic www-data   1888 Apr 26 07:36 index.html
-rwxrwxr-x 1 jic www-data   1710 Apr 25 16:32 index_last.html
-rwxrwxr-x 1 jic www-data   1357 Feb  9  2023 indexorig.html
-rwxrwxr-x 1 jic www-data     15 Aug 15 12:46 Musicos-changes.log
-rwxrwxr-x 1 jic www-data 229376 Aug 13 11:42 _MusicosDB.sqlite
-rwxrwxr-x 1 jic www-data 104889 Aug 11 12:59 Musicos.html
-rwxrwxr-x 1 jic www-data  12288 Jul 24  2022 _Pregoneros-del-amor.sqlite
-rwxrwxr-x 1 jic www-data   1359 Aug 22  2022 save_indexorig.html
-rwxrwxr-x 1 jic www-data    521 May  5 07:24 test.html

These are the xinetd scripts for both http and https:

jic at web:~$ cat /etc/xinetd.d/http*
service http
{
  port = 80
  flags = IPv4
  socket_type = stream
  wait = no
  user = root
  server = /usr/bin/althttpd
  server_args = -ipshun /home/jic/w/blocked -user www-data -logfile /home/jic/w/http.log -root /home/jic/w -jail 0
  bind = 192.168.0.2
}
service https
{
  port = 443
  flags = IPv4
  socket_type = stream
  wait = no
  user = root
  server = /usr/bin/althttpd
  server_args = -root /home/jic/w -user www-data -jail 0 -pkey /etc/ssl/private.key -cert /etc/ssl/certificate.crt 
  bind = 192.168.0.2
}

Any thoughts on what am I doing wrong? Perhaps is a simple right or user change. Thanks.


More information about the openssl-users mailing list