TurnKey Linux Virtual Appliance Library

SSL support out of the box?? Are you sure about this?

jonathan_3

So on the description for the LAMP stack it says "SSL support out of the box." So I set up a micro instance and as soon as it was ready I navigated to https://www.ave2.tklapp.com/ and immediately I get an SSL error, fail. In Firefox it gives me this information:

www.ave2.tklapp.com uses an invalid security certificate.
The certificate is only valid for the following names:
  hub.turnkeylinux.org, www.hub.turnkeylinux.org
(Error code: ssl_error_bad_cert_domain)
So can someone explain to me what I need to do to get SSL working?
I went to my web admin and under the Webmin Configuration section I clicked on SSL Encryption; everything is enabled.
Do I need to sign up with http://cert.startcom.org/? I tried to do the Domain Name Validation Wizard and upon typing in www.ave2.tklapp.com I was told "Please enter only the base domain in the text field without any sub domain or domain extension." fail fail fail.
Any thoughts?


Jonathan Stanton

A little update: figured out the www. subdomain was never part of the deal. I retried, but this time without the www, and instead got this error:

ave2.tklapp.com uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
The certificate is not valid for any server names.
(Error code: sec_error_untrusted_issuer)

Jeremy

Yes, that is expected behaviour with self-signed certificates.

If you don't want that warning you'll have to buy a certificate signed by a recognised authority.

Jonathan Stanton

OK good, I am glad I am not missing something; I thought it came signed by a recognised authority. In that case your other tutorials I've found online make more sense now. Unfortunately I already switched to Heroku but I intend on switching back, because I get more control with a server I can touch. Are there any tutorials on how to get an SSL certificate signed by a recognised authority and working on a TurnKey LAMP machine?

Alon Swartz

This blog post should help...

Guest

What if you're on a local intranet?

I understand that it should be easy to use the self-signed certificate, add it to the trusted root certificates of your Windows boxes and not have the popup in people's browsers.

What I don't find is: where do I find the certificate file on the TKL box that the Windows Group Policy editor will accept? I tried to copy /etc/ssl/cert/cert.pem to a Windows share and import it from there, but the Group Policy editor didn't like that one (Windows error "the file type is not recognisable. Select another file.").

When I stripped out the area surrounded by and including

(encrypted content)

from the pem file, the Group Policy editor accepted it, but when applying and pulling the new group policy onto a Windows 8 box, I still got the browser error.

I checked the certificate that the group policy installed, and compared it to the one my browser tells me is not OK. Doing this, I found out that the serial number and SHA1 thumbprints match. However, the CN (Common name) isn't specified, might this be the problem? In any case would very much love to see instructions on how to achieve trust or a TKL's Apache on a Windows domain. 

Guest

... trust For a TKL's Apache ...

Jeremy

TBH I have no idea...

I did a quick google and it looks like your thoughts re CN (Common Name) being the problem were on track. Have a look here: http://stackoverflow.com/questions/21805351/windows-7-not-accepting-self...

If you only want to import it into one Win machine, as far as I understand it should be fairly straightforward. I think you can do it directly through IE (run as admin, browse to the site and add the certificate).

For a full tutorial from start to finish I'm sure you'd find something via google. TurnKey is Debian under the hood, so for something like this I'm sure that info relating to any Debian-type distro should be relevant (e.g. Ubuntu). In fact maybe any Linux distro info would be relevant? Also you could include the name of the webserver being used in your search (the webserver depends on the specific appliance, although most use Apache).

Good luck and if you find something particularly useful then please post back.

Guest

SSL certificate up and running

I managed to create a CA on my Linux box and issue a CSR to generate a certificate and a private key. Installing these in the :443 virtual host in Webmin was fairly easy (I just needed to point to the 2 generated files and after restarting Apache, the SSL certificate works when using https://). When something is wrong with one or both of these files, you can't start Apache anymore, which is kinda scary, but when you go back into Webmin (which oddly still works; probably not Apache) to set the certificate info for the :443 virtual host back to its defaults you can restart Apache again.

Explicitly adding a certificate to the trust zone is indeed straightforward, even though I still have to investigate how to implicitly make all Win boxes in the domain trust it through a GPO, but I'd like to tackle that problem this week or next. Will keep you posted on the progress!

Jeremy

Good work

FWIW Webmin has its own built-in 'mini' server (hence why it still works when Apache is down; possibly why they did it like that?)
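The steps the thread arrives at piecemeal (a CSR for a signing authority, a private CA for an intranet, a certificate file Windows will import, and the name and trust checks a browser applies) can be reproduced end to end with openssl. The script below is an added example written for this page; it is not code from the thread or from TurnKey. It assumes OpenSSL 1.1.1 or newer on the PATH, and the hostname `lamp.intranet.example`, the CA name "Intranet Test CA" and the working directory are illustrative. It goes slightly beyond what the posts describe by putting the hostname in a Subject Alternative Name, which is what browsers match against (a certificate with neither a SAN nor a matching CN is the "not valid for any server names" case from the second post), and by checking that the key really belongs to the certificate before either file is handed to Apache, which is the failure that left Apache unable to start in the last post.

```shell
#!/bin/sh
# Added example (not from the thread or from TurnKey): private CA, SAN-bearing server
# certificate, DER export for Windows, and the checks a browser performs, done with openssl.
# Assumptions: OpenSSL 1.1.1+ on PATH; HOST and WORKDIR are illustrative defaults.
set -eu

HOST="${HOST:-lamp.intranet.example}"   # assumed intranet name of the TKL box
WORKDIR="${WORKDIR:-$(mktemp -d)}"

make_ca() {
  # Root CA: self-signed, CA:TRUE. An explicit -config avoids depending on the system
  # openssl.cnf. This is the single certificate to push to the Trusted Root store via GPO.
  cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Intranet Test CA
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORKDIR/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" 2>/dev/null
}

make_server_cert() {
  # Server key + CSR. The CSR is the same artefact a public CA asks you to paste in.
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$HOST" > "$WORKDIR/server.cnf"
  openssl req -new -config "$WORKDIR/server.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
  # Sign it with our CA. Name matching is done against the SAN, so it must hold the hostname.
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$HOST" \
    > "$WORKDIR/server.ext"
  openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -days 825 -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.pem" 2>/dev/null
}

export_for_windows() {
  # TurnKey stores certificate and key in one PEM file. 'openssl x509' reads only the first
  # CERTIFICATE block and ignores the PRIVATE KEY block, so no hand-editing is needed; binary
  # DER (.cer) is a format the Windows certificate import wizard and Group Policy accept.
  cat "$WORKDIR/server.pem" "$WORKDIR/server.key" > "$WORKDIR/combined.pem"  # constructed stand-in for the TKL file
  openssl x509 -in "$WORKDIR/combined.pem" -outform DER -out "$WORKDIR/server.cer"
  openssl x509 -in "$WORKDIR/ca.pem"       -outform DER -out "$WORKDIR/ca.cer"
}

san_of() {
  # The DNS names the server certificate is valid for
  openssl x509 -in "$WORKDIR/server.pem" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

chain_ok() {
  # Trust check: does the server certificate chain to the CA we intend to distribute?
  openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/server.pem" >/dev/null 2>&1
}

name_ok() {
  # Name check for $1; non-zero on mismatch (Firefox: ssl_error_bad_cert_domain)
  openssl verify -CAfile "$WORKDIR/ca.pem" -verify_hostname "$1" "$WORKDIR/server.pem" >/dev/null 2>&1
}

key_matches_cert() {
  # Preflight before pointing Apache at cert $1 and key $2: compare the public keys.
  # A key that does not belong to the certificate is one reason Apache refuses to start.
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

der_subject() {
  # Parse the .cer back to prove it is real DER
  openssl x509 -inform DER -in "$1" -noout -subject
}

make_ca
make_server_cert
export_for_windows
echo "SAN:              $(san_of)"
echo "chain to CA:      $(chain_ok && echo ok || echo FAIL)"
echo "name $HOST: $(name_ok "$HOST" && echo ok || echo FAIL)"
echo "name other.example: $(name_ok other.example && echo ok || echo 'mismatch (expected)')"
echo "key/cert match:   $(key_matches_cert "$WORKDIR/server.pem" "$WORKDIR/server.key" && echo ok || echo FAIL)"
echo "DER subject:      $(der_subject "$WORKDIR/server.cer")"
echo "files in $WORKDIR: ca.cer -> Windows Trusted Root CAs; server.pem + server.key -> Apache :443 vhost"
```

Import only `ca.cer` into the Trusted Root Certification Authorities store (per machine, or through the GPO the poster was after), not the server certificate itself; every certificate the CA later issues is then trusted without further imports, and the server certificate can be reissued when the hostname changes. Run the `name_ok` check with the exact name users type into the browser, since `www.host` and `host` are different names to a certificate, which is what the first two posts ran into.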
