
[!Cheyenne] Discussions about the Cheyenne Web Server

Janko
22-Aug-2009
[5567]
thanks
Graham
22-Aug-2009
[5568]
How does it work with virtual hosts?  Do you need a certificate for 
each host?
Janko
23-Aug-2009
[5569x2]
I think you need a certificate per domain (more than one subdomain 
can be handled by 1 so-called wildcard cert.)
I got response from them on my mail with company data.. they couldn't 
validate me yet because I bought the domain on my personal name and 
cert is on company .. I need to change that in whois info (I hope 
it's even possible)
Graham
23-Aug-2009
[5571]
so does stunnel handle multiple certificates?  Anyone know?
Gabriele
23-Aug-2009
[5572]
Graham, TLS allows for "virtual hosting" so that you can have multiple 
certificates on the same IP address. however, older clients (SSL) 
don't know about that, so in general, it's "one IP address for each 
certificate".
Graham
23-Aug-2009
[5573]
Stunnel can provide both SSL and TLS ... not clear though if it will 
do the job
Janko
23-Aug-2009
[5574]
I got the comodo certificate now .. I got my crt and 4 immediate 
crts and 1 root crt .. got to figure out how to use this with stunnel 
now .. the example shows that you have .pem file
Graham
23-Aug-2009
[5575]
Looks like stunnel supports multiple certificates.
Janko
23-Aug-2009
[5576x10]
I read here .. I concatenated them together accordingly, now I get 
---

2009.08.23 10:51:23 LOG3[17421:139883801568992]: SSL_CTX_use_RSAPrivateKey_file: 
B080074: error:0B080074:x509 certificate routines:X509_check_private_key:key 
values mismatch
according to this: http://www.aprelium.com/forum/viewtopic.php?p=57622
I concatenated all these certs + put private key at the top but it seems 
it doesn't work... anyone knows more about this, should I use just 
one intermediate CA or all of them, is the order important?
    * Root CA Certificate - AddTrustExternalCARoot.crt
    * Intermediate CA Certificate - UTNAddTrustSGCCA.crt
    * Intermediate CA Certificate - ComodoUTNSGCCA.crt
    * Intermediate CA Certificate - ComodoHighAssuranceSecureServerCA.crt
    * Your Comodo InstantSSL Certificate - www_cebelca_biz.crt
I keep getting key values mismatch no matter what I tried so far... 
I found out this.. the key/cert/CAfile in conf doesn't seem to matter 
as it checks /etc/stunnel/stunnel.pem anyway .. so I commented them 
out. 


If I delete the pem file I get appropriate errors, so it checks for 
this file.. 

If I remove RSA PRIV KEY from first line I get Error saying something 
about RSA KEY no start line

If I remove CA certificates below I get Error saying SSL CERT no 
start line .. 
If I concat them all like this 


>> cat myserver.key AddTrustExternalCARoot.crt UTNAddTrustSGCCA.crt 
ComodoUTNSGCCA.crt ComodoHighAssuranceSecureServerCA.crt www_cebelca_biz.crt 
>> stunnel.pem 

(first the PRIV KEY, then ALL THE CERTS in same order as they are listed 
in email to me.. with cebelca.biz.crt as last) I get the "key values 
mismatch" which I think means that the priv key and certs don't 
match
I tried using the pem file I can generate on stunnel page and I see 
that its certs and privkey are half shorter... maybe I don't have 
the right version type or something of encryption setup?
I got it working with that sample pem .. the stupid mistake is that 
if you uncomment it like this 
; [https]
accept  = 443
connect = 80
TIMEOUTclose = 0

instead of like this 

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0


you get some strange errors ... now I need to make those bought certs 
work somehow 

( I WILL WRITE A TUTORIAL ABOUT THIS .. how to setup cheyenne with 
stunnel)
where did my last message go?
(messages are here after restart .. sorry)
I compared the modulus and public exponent of key and cert and they 
are the same, but I saw another thing.. related to "half length" 
of the key that worked.
When stunnel starts it says "Wrote 1024 new random bytes to /root/.rnd" 
.. the certs are 2048 bit .. do you think the problem could 
be that stunnel expects the 1024 byte cert/key? (the sample cert/key 
that worked was 1024 byte)
Will
23-Aug-2009
[5586]
I use apache2-MPM as a reverse proxy in front of Cheyenne for the 
same reasons (static serving, ssl), works flawlessly, but now it is 
time to move to nginx. Looking at MacPorts variants for nginx, there 
are many options that I find interesting:
root/trunk/build alpha% port variants nginx
nginx has the variants:
	dav: Add WebDAV support to server
	flv: Add FLV (Flash Video) streaming support to server
	mail: Add IMAP4/POP3 mail proxy support
	ssl: Add SSL (HTTPS) support to the server, and also to the mail proxy if that is enabled
	status: Add /nginx_status support to the server
	perl5: Add perl support to the server directly within nginx and call perl via SSI
	realip: Using nginx as a backend
	addition: Append text to pages
	substitution: Replace text in pages
	gzip_static: Avoids compressing the same file each time it is requested
	google_perftools: Enable Google Performance Tools profiling for workers
	upload: Enable Valery Kholodkov's upload module (http://grid.net.ru/nginx/upload.en.html)
	universal: Build for multiple architectures
Janko
23-Aug-2009
[5587x2]
I will try installing nginx too now... I was trying this with stunnel 
for 3 hours and googled all I could think of without much luck.. I 
learned a lot more about certs, that is good
Probably it's something about how I create the pem .. maybe I didn't 
position them right (because I see nothing related to 1024 2048 that 
I suspected)
Will
23-Aug-2009
[5589x2]
some benchmarks http://blog.mudy.info/tag/nginx/ interesting performances! 
8)
Tried stunnel once, had stability issues, but that may have been 
me or OSX implementation..
Janko
23-Aug-2009
[5591x5]
Well I am afraid it won't be so easy with nginx either.. I need to 
take a break, I will try again in the evening.. if anyone successfully 
setup chained ssl certs with stunnel .. any hint is more than welcome
I got the nginx running with my cert ... I got the same error as 
stunnel, but then I found that my cert must be first and others in 
chain are later .. reverse to some examples on net and to stunnel 
examples (maybe there is the same thing?)
now I need to make it reverse proxy to cebelca
Yay it works !!!
screenshot of latest version of cebelca btw: http://www.refaktor.si/blog/img/cebelca.biz.norm.png
Graham
23-Aug-2009
[5596]
I wrote a how to on setting up stunnel with cheyenne a couple of 
years ago ... it was easy.  Now i just have to find where I published 
it!
Henrik
23-Aug-2009
[5597]
Could be useful to have on the cheyenne site.
Janko
23-Aug-2009
[5598]
Graham .. did you have multiple certificates (root, intermediate 
and yours)?
Will
23-Aug-2009
[5599]
nginx rules!
Graham
23-Aug-2009
[5600]
no.
Dockimbel
24-Aug-2009
[5601]
SVN revision 12: Response/redirect default code changed to 302 (issuing 
a 303 could cause unwanted effect on HEAD requests). /TEMP option 
replaced by /STRICT for sending back code 303. RSP API documentation 
updated accordingly.
Robert
24-Aug-2009
[5602]
I use lighttpd and reverse proxy to Cheyenne. Works great.
Graham
24-Aug-2009
[5603]
Has anyone created a RSP site where every page can be edited via 
the browser?  I think rebol.com is like that ...
Dockimbel
25-Aug-2009
[5604]
SVN r13, minor fixes:

 o RSP: fix for scripts not returning any data (test.rsp: <% 1 %>)

 o RSP: words in sandbox context renamed to lower the risk of collision 
 with user script words.
Graham
26-Aug-2009
[5605x2]
Maybe a rebol-to-json function could be included into Cheyenne 
...
If we can get one that works!
Dockimbel
26-Aug-2009
[5607]
:-)
Maxim
26-Aug-2009
[5608x2]
working on it  ;-)
yess... done !
Dockimbel
26-Aug-2009
[5610]
JSON built in Cheyenne: (replying in javascript channel)
Graham
30-Aug-2009
[5611x2]
I thought I'd just mention it here... as it's a bit odd, and perhaps 
not entirely reproducible.  But I got my JS calendar working.  But 
I could not see any data coming in from my rsp script that was pulling 
data from the db and sending it back as json until I put some debugging 
statements in .. and then it works.  Bizarre.  Or some browser cache 
issue.
Just using a few ?? to log to the trace.log file so it wouldn't even 
be seen by the calling script ...
Dockimbel
30-Aug-2009
[5613]
You can test if it's a browser cache issue by requesting the script 
using the READ function from REBOL console. Can you make a small 
standalone RSP script that  shows this issue?
Graham
30-Aug-2009
[5614]
heh ..  I don't think 'read evaluates JS :)
Graham
31-Aug-2009
[5615x2]
the docs say you can set the timeout to whatever in the webapp httpd.cfg 
but when I set it to 2:00:00, it still times out well before that.
Where's the curecode for Cheyenne?