SOLVED: Re: Named seems to have broken SSL
A. Rick Anderson
a_rick at earthlink.net
Fri Jan 21 06:38:37 UTC 2005
A. Rick Anderson wrote:
> A. Rick Anderson wrote:
>
>> Alexander Dalloz wrote:
>>
>>>On Fri, 21.01.2005 at 4:19, A. Rick Anderson wrote:
>>>
>>>
>>>>While trying to get a canonical version of chrooted 'named' running,
>>>>something I did seems to have broken SSL. The certificate being
>>>>presented for every https site claims to be from "localhost.localdomain".
>>>>
>>>>
>>>I really doubt one has to do with the other. SSL cert issued from
>>>"localhost.localdomain" (this is "hardcoded" information in the cert
>>>file) is the default certificate, to be found under
>>>/etc/httpd/conf/ssl.crt/. For a custom cert you will have to explicitly
>>>give it the real service hostname as CN.
>>>
>>>
>>>>Any idea which file I broke that would be messing up SSL? Could this be
>>>>related to rndc.key configuration?
>>>>
>>>>
>>>To the last question: no, hardly.
>>>
>>>
>> The part that confuses me is that named and dhcpd are the only
>> services I have been meddling with, and obviously, the site
>> https://www6.software.ibm.com/developerworks/education/l-lpndns/l-lpndns-3-1.html
>> is not really presenting my browsers (both mozilla and firefox) with
>> a certificate from localhost.localdomain.
>>
>> What would be causing my browsers to grab the wrong certificate for
>> https sites?
>>
>>-- A. Rick Anderson
>>
>>
> Ok, I found an oddity.
> [root at Anar etc]# ping www6.software.ibm.com
> PING www6.software.ibm.com (127.0.0.1) 56(84) bytes of data.
> 64 bytes from localhost (127.0.0.1): icmp_seq=0 ttl=64 time=0.026 ms
>
> For some reason, certain external routes, particularly https routes,
> are being resolved to localhost. Then my browsers are attempting to
> open an SSL connection with localhost. Since the only certificate
> that localhost has is the default certificate, that is the
> certificate presented, and the communication fails, since localhost
> doesn't have the URI that the browser is attempting to load.
>
> So, my DNS configuration is now resolving external hosts locally, but
> it still can't resolve local dynamic workstations. <sigh>
Would you believe that the fix was as simple as changing the order of
the name servers in my /etc/resolv.conf file? Why would it hang up on
the first name server for some of the hosts, but not all of them? Too
much freaking magic!
TBL: Don't list your local name server first in /etc/resolv.conf.
-- A. Rick Anderson
************************************************************************
When I'm feeling down, I like to whistle.
It makes the neighbor's dog run to the end of his chain and gag himself.
************************************************************************
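The failure chain worked out above (external name resolves to 127.0.0.1, browser completes TLS with the local httpd, default localhost.localdomain cert is presented and fails hostname matching) can be triaged mechanically. This is an added example, not code from the thread; the hostname, addresses, certificate CN and resolv.conf text are constructed to mirror what the poster observed, and the 192.0.2.x / 203.0.113.x addresses are documentation-range placeholders.

```python
"""Separate 'DNS sent me to the wrong host' from a genuine certificate
problem on the intended server. Added example; inputs are constructed."""
import ipaddress
import re

# Constructed to mirror the thread: ping answered from 127.0.0.1 and the
# browser saw the local httpd's default certificate.
OBSERVED = {
    "hostname": "www6.software.ibm.com",
    "resolved": ["127.0.0.1"],
    "cert_cn": "localhost.localdomain",
}
# Constructed resolv.conf with the local caching named listed first.
RESOLV_CONF = "search localdomain\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n"


def nameservers(resolv_conf_text):
    """Return nameserver addresses in the order the stub resolver tries them."""
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf_text, re.M)


def hostname_matches(cert_name, hostname):
    """RFC 6125-style match of a certificate name against the requested host;
    only a single left-most wildcard label is honoured."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name.startswith("*."):
        return hostname.split(".", 1)[1:] == [cert_name[2:]]
    return cert_name == hostname


def diagnose(hostname, resolved, cert_cn, resolv_conf_text):
    """Return a list of findings; an empty list means nothing looks wrong."""
    findings = []
    loopback = [a for a in resolved if ipaddress.ip_address(a).is_loopback]
    if loopback and not hostname.endswith(("localhost", ".localdomain")):
        findings.append(f"external name {hostname} resolves to loopback {loopback}")
    cert_ok = hostname_matches(cert_cn, hostname)
    if not cert_ok:
        findings.append(f"certificate CN {cert_cn!r} does not match {hostname}")
    if loopback and not cert_ok:
        # The cert is the local server's default, not the remote site's.
        findings.append("cause: DNS misdirection, not a certificate fault on the remote site")
    ns = nameservers(resolv_conf_text)
    if ns and ipaddress.ip_address(ns[0]).is_loopback:
        findings.append(f"resolv.conf tries local resolver {ns[0]} first; check its zones and forwarders")
    return findings


if __name__ == "__main__":
    for line in diagnose(**OBSERVED, resolv_conf_text=RESOLV_CONF):
        print(line)
```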