[cobalt-developers] Raq4: SSL main site certificate and other SSL

["Michelle A. Hoyle" <michelle@xxxxxxxxxxxxx>]

Since I've upgraded from my Raq2 (using Brosoft's drop-in replacement 
adminserv package) to  my Raq4, I've encountered some very 
frustrating and odd problems with my Raq4 once I copied my machine 
certificate from my old Raq2 to my new Raq4 (they have the same 
name).  Here's a summary of the problems experienced and what I want. 
Below that I'll outline things that I've tried and discovered about 
the problems.

Problems:
1) I can't use Netscape anymore to administer my Raq.  It works OK 
with Internet Explorer but not Netscape.

2) When someone tries to access a forbidden or non-existent page, the 
Raq uses https to display those Cobalt graphics because of the 
rewrite rules in the Raq4's httpd.conf (main)

3) If someone goes http://virtualsite.com/siteadmin/, the rewrite 
rules give us 
https://virtualsite.com:81/.cobalt/siteManage/virtualsite.com/index.html. 
Which means that they can't take advantage of *my* machine-wide site 
certificate for managing their account securely and they get a 
certificate mismatch error in Netscape and 60 billion error messages 
in Internet Explorer.



What I'd like:
1) To be able to use Netscape.

2) Forbidden/non-existent page graphics should be referred to using 
the same protocol as the page that's generating them -- normally http 
not https.

3) If someone goes to http://virtualsite.com/siteadmin/ they get
https://myraq.com:81/.cobalt/siteManage/virtualsite.com/index.html 
which allows them to use my certificate.



What's known:

1) This is a really weird problem.  The certificate worked fine for 
administration on my Raq2 with Brosoft's package.  My administration 
module worked fine with Netscape on the Raq4 before I installed the 
certificate.  I've been trying to hash this out with Thawte, the 
certificate authority.  What we've determined is that it's something 
to do with the setup on the Raq and not the certificate.  The 
certificate itself works fine from the main site of my Raq using any 
CGI or PHP generated output from within Netscape.  They think it 
might have to do with the :81 added and then accessed via https. 
Maybe Netscape gets confused?


Here's the set of rewrite rules used (by default) in the Raq4 main httpd.conf:


> if ( ssl_cert_check("/home/sites/home/certs/") =~ /^2/ ) {
>     $proto = 'https';
> } else {
>     $proto = 'http';
> }
>
> # This many seem a little tortured as a way to do this, but the
> # quoting is hell.
>
> $rewrite_rules =
> 'RewriteEngine On
> RewriteCond %{HTTP_HOST}                ^([^:]+)
> RewriteCond %{DOCUMENT_ROOT}            !-d
> RewriteRule .* 
> proto://servername:81/.cobalt/error/forbidden.html [L,R]
> RewriteCond %{HTTP_HOST}                ^([^:]+)
> RewriteRule ^/admin/?$ 
> proto://servername:81/.cobalt/sysManage/index.html [L,R]
> RewriteCond %{HTTP_HOST}                ^([^:]+)
> RewriteRule ^/siteadmin/?$    proto://servername:81/.cobalt/siteManage
> /%1/index.html [L,R]
> RewriteCond %{HTTP_HOST}                ^([^:]+)
> RewriteRule ^/personal/?$ 
> proto://servername:81/.cobalt/personal/i
> ndex.html [L,R]
> RewriteCond %{HTTP_HOST}                ^([^:]+)
> RewriteRule ^/.cobalt/(.+)              proto://servername:81/.cobalt/$1 [L,R]
> RewriteCond %{HTTP_HOST}                ^([^:]+)
> RewriteRule ^/cgi-bin/.cobalt/(.+) 
> proto://servername:81/cgi-bin/.cobalt/$1 [L,R]
> ';
>
> $rewrite_rules =~ s/servername/%1/g;
> $rewrite_rules =~ s/proto/$proto/g;


You can see from the above that if it finds a site certificate, it 
automatically changes the protocol to https and uses the Perl 
match/regexp operator to swap http for https.   This is what causes 
problem #2 with the forbidden images, etc.

3) I tried fixing this problem by changing the first rewrite rule to:
$rewrite_rules =~ s/myraq.com/%1/g;

This solved my problem in terms of everybody's administration 
interface using my machine certificate.  However, if an individual 
site has their own SSL certificate for things, this will break that.




What I propose to do:
1) No idea.  I'm open to suggestions as to what causes the problem 
and how to fix it.  I have a sample site created 
(thawte.transcena.com).  If you want to try it out via Netscape send 
me mail and I'll send you the username/password for the admin 
interface on that site.  I don't feel comfortable posting that to the 
list.

2 & 3): Might be able to fix these both by altering the rewrite rules 
to specifically check for site administration stuff AND the main site 
certificate and rewrite it to the appropriate format.   Any ideas on 
how to safely tinker with the above to accomplish a solution to 
problems 2 & 3?


Personally, I think the method they've used here is a little 
convoluted and if we can come up with a better way, particularly for 
problems 1 & 2, that would be a good thing for everybody overall.

Thanks!

Michelle A. Hoyle






--

----|      TRANSCENA DESIGN  |----------------------------
Michelle A. Hoyle, VP Web Technologies, Canada
#801 T.D. Tower, Edmonton, Alberta, Canada  T5J 2Z1
N. America:  1-888-429-2363  |  UK:  020 7529 1465
International:  +1 780 429 2363
------------------|  internet design architects     |--------