SOLVED: Re: Named seems to have broken SSL

A. Rick Anderson a_rick at earthlink.net
Fri Jan 21 06:38:37 UTC 2005


A. Rick Anderson wrote:

> A. Rick Anderson wrote:
>
>> Alexander Dalloz wrote:
>>
>>>On Fri, 21.01.2005, at 4:19, A. Rick Anderson wrote:
>>>
>>>>While trying to get a canonical version of chrooted 'named' running,
>>>>something I did seems to have broken SSL.  The certificate being
>>>>presented for every https site claims to be from "localhost.localdomain".
>>>>
>>>I really doubt one has to do with the other. SSL cert issued from
>>>"localhost.localdomain" (this is "hardcoded" information in the cert
>>>file) is the default certificate, to be found under
>>>/etc/httpd/conf/ssl.crt/. For a custom cert you will have to explicitly
>>>give it the real service hostname as CN. 
>>>
>>>>Any idea which file I broke that would be messing up SSL?  Could this be
>>>>related to rndc.key configuration?
>>>>
>>>To the last question: no, hardly.
>>>
>> The part that confuses me is that named and dhcpd are the only 
>> services I have been meddling with, and obviously, the site 
>> https://www6.software.ibm.com/developerworks/education/l-lpndns/l-lpndns-3-1.html 
>> is not really presenting my browsers (both mozilla and firefox) with 
>> a certificate from localhost.localdomain.
>>
>> What would be causing my browsers to grab the wrong certificate for 
>> https sites?
>>
>>-- A. Rick Anderson
>>  
>>
> Ok, I found an oddity.
> [root at Anar etc]# ping www6.software.ibm.com
> PING www6.software.ibm.com (127.0.0.1) 56(84) bytes of data.
> 64 bytes from localhost (127.0.0.1): icmp_seq=0 ttl=64 time=0.026 ms
>
> For some reason, certain external routes, particularly https routes, 
> are being resolved to localhost.  Then my browsers are attempting to 
> open an SSL connection with localhost.  Since the only certificate 
> that localhost has is the default certificate, that is the 
> certificate presented, and the communication fails, since localhost 
> doesn't have the URI that the browser is attempting to load.
>
> So, my DNS configuration is now resolving external hosts locally, but 
> it still can't resolve local dynamic workstations.  <sigh>

Would you believe that the fix was as simple as changing the order of 
the name servers in my /etc/resolv.conf file?  Why would it hang up on 
the first name server for some of the hosts, but not all of them? Too 
much freaking magic!

TBL: Don't list your local name server first in /etc/resolv.conf.

-- A. Rick Anderson
************************************************************************
When I'm feeling down, I like to whistle. 
It makes the neighbor's dog run to the end of his chain and gag himself.
************************************************************************
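The symptom in this thread (an external hostname answered with 127.0.0.1, so the browser connects to the local httpd and is shown the default localhost.localdomain certificate) is easy to catch by asking every resolver listed in /etc/resolv.conf the same question and flagging answers that can never be a reachable external host. The following script is an added example written for this page; it is not code from the thread or from any of the projects mentioned. It builds and parses a minimal DNS A query itself (no dnspython), reads nameservers from a resolv.conf file, and compares the answers side by side. The hostname www6.software.ibm.com is the one from the thread; the nameserver 192.0.2.53 and the 198.51.100.7 answer in the offline sample are constructed test values, and `build_sample_response` exists only to fabricate a wire-format reply for testing without network access.

```python
"""Compare A-record answers from each resolver in resolv.conf and flag
answers (loopback, unspecified, link-local) that cannot be a real external host."""
import ipaddress
import random
import socket
import struct


def parse_resolv_conf(text):
    """Return nameserver addresses in the order resolv.conf lists them (first is tried first)."""
    servers = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].split(';', 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == 'nameserver':
            servers.append(parts[1])
    return servers


def build_query(name, txid):
    """Wire-format DNS query: header with RD set, one question for an A record in class IN."""
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip('.').split('.')
    qname = b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'
    return header + qname + struct.pack('!HH', 1, 1)


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(data, txid=None):
    """Extract IPv4 addresses from the answer section; reject replies with the wrong transaction id."""
    rid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', data[:12])
    if txid is not None and rid != txid:
        raise ValueError('transaction id mismatch')
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack('!HHIH', data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(data[off:off + 4])))
        off += rdlen
    return addrs


def suspicious_answers(addrs):
    """Answers that can never be a reachable external host, e.g. the 127.0.0.1 seen in the thread."""
    bad = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
            bad.append(a)
    return bad


def query_server(server, name, timeout=2.0):
    """Send one UDP query directly to a resolver, bypassing the stub resolver's server ordering."""
    txid = random.randrange(0, 65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_a_records(data, txid)


def compare_resolvers(name, servers, lookup=query_server):
    """Ask each server the same question; `lookup` is injectable so the comparison can run offline."""
    results = {}
    for s in servers:
        try:
            results[s] = lookup(s, name)
        except (OSError, ValueError) as e:
            results[s] = 'error: %s' % e
    return results


def build_sample_response(txid, name, addr):
    """Constructed wire-format reply (not captured traffic) for offline testing of the parser."""
    question = build_query(name, txid)[12:]
    header = struct.pack('!HHHHHH', txid, 0x8180, 1, 1, 0, 0)
    rr = b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, 60, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + rr


if __name__ == '__main__':
    with open('/etc/resolv.conf') as f:
        servers = parse_resolv_conf(f.read())
    for server, answer in compare_resolvers('www6.software.ibm.com', servers).items():
        flag = ' <-- bogus' if isinstance(answer, list) and suspicious_answers(answer) else ''
        print('%-16s %s%s' % (server, answer, flag))
```

Run as root or not, it only needs UDP/53 to the listed servers; a resolver that returns a loopback answer for a public name is marked `<-- bogus`, which is exactly the discrepancy that reordering resolv.conf papered over in this thread.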
