Overview of public key

by Heather P -
Number of replies: 5
Hello
I've completely lost the plot with this public key thing and the Moodle network thing.
Can someone give me an overview of what is supposed to happen? I think I know where mine is going wrong, but then again I'm not sure and am sinking in a sea of ideas.
I have a Windows 2003 server but I'm using Apache.
My PHP didn't come with a sample openssl.cnf. I do, however, have a file called openssl with no extension which looks like it probably can be turned into a sample openssl.cnf. I'm presuming you have to have a 'proper' openssl.cnf rather than a sample one.
I can add an environment variable to Windows. However, I'm going to assume that Moodle can't generate the certificate - am I supposed to generate the certificate manually, put it somewhere and then hope the system can cope with it?
If I do this, what happens if I have multiple Moodles on one server, each with its own subdomain - can you have more than one certificate on a server?
As you can see I have a major flaw in my understanding of public keys and where they come from or go to. If anyone can point me in the right direction as to where to be looking for guidance it would be wonderful. I'm thinking I actually have a php issue rather than a Moodle one, but I don't really know.
Thanks.
Heather
In reply to Heather P

Re: Overview of public key

by Peter Bulmer -
Hi Heather,

I think you're looking at the Apache OpenSSL configuration. Apache can serve you web pages on https://

Moodle does not depend on https.

Each Moodle generates its own public/private keypair. When you've enabled MNet, this happens automatically.

When you tell two nodes to connect to one another, they (hopefully) exchange public keys, and you click the button to say "yes, trust that this public key came unmodified from the remote node".

Then when the moodles are exchanging information, the sender signs the message it's sending (using their private key).
The sender then encrypts the result (message+signature) using their record of the remote peer's public key. The result (encrypted(message+signature)) is sent to the remote node.

The remote node decrypts the message using their private key, then, using their record of the sender's public key, checks the signature on the message; if it checks out, they process the message.

That's a pretty tough read, but the summary is this:

Signing a message is so that the remote end knows the message is from you. You need a private key to generate a signature, but you only need the corresponding public key to verify that the signature is genuine. This is how you know the message is genuine: only someone with the private key could have generated a valid signature.

Encrypting a message is so that only the designated destination can read it. You only need a public key to encrypt a message, but once you've done this, only the corresponding private key can decrypt it. This is how you know that only the destination can read the message - nobody else has their private key to decrypt it.

Hmm... my summary is long enough to need a summary:
Keep your private key private to your site, and give out your public key to anyone who wants it.
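The exchange Peter describes above (sign with your own private key, seal the result to the peer's public key, and on the other side open with your private key and verify with the stored copy of the sender's public key), written out with PHP's openssl extension. This is an added example, not Moodle's own code; the node names, the message text and the JSON wrapping are made up for illustration. It uses openssl_seal/openssl_open rather than raw RSA encryption because a message plus its signature is larger than one RSA block: openssl_seal encrypts the payload with a random symmetric key and encrypts only that key to the peer's RSA public key.

```php
<?php
// Added example (not Moodle code): two nodes, A and B, each with its own RSA
// keypair, exchanging a signed-then-sealed message. Names and the message
// text are made up for illustration.

declare(strict_types=1);

/** Generate a fresh RSA keypair for one node; returns the private key and the public key as PEM. */
function make_node(): array {
    $priv = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($priv === false) {
        throw new RuntimeException('keygen failed: ' . openssl_error_string());
    }
    $details = openssl_pkey_get_details($priv);
    return ['private' => $priv, 'public_pem' => $details['key']];
}

/**
 * Sender side: sign $message with our private key, then seal (message + signature)
 * so that only the holder of the private key matching $peerPublicPem can open it.
 */
function send(array $me, string $peerPublicPem, string $message): array {
    $signature = '';
    if (!openssl_sign($message, $signature, $me['private'], OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('sign failed: ' . openssl_error_string());
    }
    $payload = json_encode(['message' => $message, 'signature' => base64_encode($signature)]);

    $peerPub = openssl_pkey_get_public($peerPublicPem);
    $sealed = '';
    $envKeys = [];
    $iv = '';
    // AES-256-CBC needs an IV; openssl_seal fills $iv with a random one.
    if (openssl_seal($payload, $sealed, $envKeys, [$peerPub], 'AES-256-CBC', $iv) === false) {
        throw new RuntimeException('seal failed: ' . openssl_error_string());
    }
    // This is what goes over the wire; none of it is readable without the peer's private key.
    return ['sealed' => $sealed, 'env_key' => $envKeys[0], 'iv' => $iv];
}

/**
 * Receiver side: open the envelope with our private key, then verify the signature
 * against our stored copy of the sender's public key. Returns the message only if
 * both steps succeed.
 */
function receive(array $me, string $senderPublicPem, array $wire): string {
    $payload = '';
    if (!openssl_open($wire['sealed'], $payload, $wire['env_key'], $me['private'], 'AES-256-CBC', $wire['iv'])) {
        throw new RuntimeException('open failed (not sealed to our key?): ' . openssl_error_string());
    }
    $decoded = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
    $senderPub = openssl_pkey_get_public($senderPublicPem);
    $ok = openssl_verify($decoded['message'], base64_decode($decoded['signature'], true), $senderPub, OPENSSL_ALGO_SHA256);
    if ($ok !== 1) {   // 0 = bad signature, -1 = error: reject either way
        throw new RuntimeException('signature did not verify; message is not from the expected peer');
    }
    return $decoded['message'];
}

// --- Worked run ---------------------------------------------------------------
$nodeA = make_node();
$nodeB = make_node();
// The "yes, trust this key" step: each node stores the other's public key.
$trustedByA = $nodeB['public_pem'];   // A's record of B
$trustedByB = $nodeA['public_pem'];   // B's record of A

$wire = send($nodeA, $trustedByA, 'hello from A');
echo "B received: ", receive($nodeB, $trustedByB, $wire), "\n";

// A third node C can seal to B (B's public key is public), but cannot produce
// a signature that verifies under A's public key, so B rejects it.
$nodeC = make_node();
$forged = send($nodeC, $trustedByA, 'hello, pretending to be A');
try {
    receive($nodeB, $trustedByB, $forged);
} catch (RuntimeException $e) {
    echo "B rejected forged message: ", $e->getMessage(), "\n";
}
```

Two things worth noticing when you run it: the forged message opens fine (sealing only needs B's public key, which anyone can have) and fails only at the signature check, which is exactly the split Peter describes; and openssl_verify returns an int, so test for `=== 1` rather than truthiness, since -1 (error) is truthy in PHP.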
In reply to Peter Bulmer

Re: Overview of public key

by Heather P -
Hi
thanks for taking the time to respond. I think I know what is supposed to happen now.
I think, therefore, that my issue must be the sample openssl file, as my Moodle just says the key expired in 1970, which isn't much help. I tried the solutions in all the threads I found and none fixed it for me. Hence I think it must be the cnf file.
Many thanks
Heather
In reply to Heather P

Re: Overview of public key

by Peter Bulmer -
I really am quite convinced that openssl.cnf has nothing to do with Moodle networking.

What version of Moodle are you using?
In reply to Peter Bulmer

Re: Overview of public key

by Peter Bulmer -
Time for a retraction: I'm told that in Windows openssl.cnf is the config file for OpenSSL in general, not OpenSSL for Apache. So my statement about it having nothing to do with Moodle networking is incorrect. Sorry for any confusion.

In reply to Peter Bulmer

Re: Overview of public key

by Heather P -
Hi
No problem. No confusion. I've managed to get a key to generate on my local PC for the Moodle installed there using the openssl thing in PHP.
However, I've done the same on the server and no key yet. I have a suspicion I'm going to have to reboot it to make the changes to the openssl.cnf and environment variables take effect, but that isn't terribly convenient on a server. I've tried restarting Apache, but that didn't work either. Still hunting.
Good luck with your networking.

PS: I've got the key to generate. For some reason, if you include the file extension .cnf on the end of the file name, the key does not generate. As soon as you take it off, the key generates. In my mind this makes absolutely no sense whatsoever, but at least I have a key now, so progress, and I'll worry about understanding it all later!
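What the last two posts are doing by hand, written as an added PHP script (mine, not Moodle's code): generate an RSA keypair and a self-signed certificate with the openssl extension, passing the path to openssl.cnf explicitly so that no environment variable or reboot is needed, checking each step so a config file PHP cannot find is reported instead of silently producing no key, and checking the certificate's validity window before saving it. The config path, subject fields and output file names are placeholders; the directory listing is there because on Windows, with "Hide extensions for known file types" on, Explorer shows openssl.cnf.cnf as "openssl.cnf" and openssl.cnf as "openssl", which is one way the renaming behaviour Heather saw can come about.

```php
<?php
// Added example, not Moodle's own code. Config path, DN values and output
// file names are placeholders; change them to match your install.

declare(strict_types=1);

/** Drain the OpenSSL error queue into one readable string. */
function openssl_errors(): string {
    $msgs = [];
    while (($e = openssl_error_string()) !== false) {
        $msgs[] = $e;
    }
    return $msgs ? implode('; ', $msgs) : '(no OpenSSL error reported)';
}

// Placeholder path. Check what is actually on disk from PHP rather than
// trusting Explorer, which hides known extensions such as .cnf by default.
$configPath = 'C:\\php\\extras\\ssl\\openssl.cnf';
if (!is_file($configPath)) {
    fwrite(STDERR, "No file at $configPath. Files starting with 'openssl' in that directory:\n");
    foreach (glob(dirname($configPath) . DIRECTORY_SEPARATOR . 'openssl*') ?: [] as $f) {
        fwrite(STDERR, "  " . basename($f) . "\n");
    }
    exit(1);
}

// 'config' given explicitly overrides OPENSSL_CONF and the compiled-in default.
$opts = [
    'config'           => $configPath,
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
];
$dn = [   // placeholder subject; use your site's real values
    'countryName'      => 'GB',
    'organizationName' => 'Example Org',
    'commonName'       => 'moodle.example.test',
];

$priv = openssl_pkey_new($opts);
if ($priv === false) {
    fwrite(STDERR, "Key generation failed: " . openssl_errors() . "\n");
    exit(1);
}
$csr = openssl_csr_new($dn, $priv, $opts);
if ($csr === false) {
    fwrite(STDERR, "CSR creation failed: " . openssl_errors() . "\n");
    exit(1);
}
$days = 365;
$cert = openssl_csr_sign($csr, null, $priv, $days, $opts);   // null CA => self-signed
if ($cert === false) {
    fwrite(STDERR, "Certificate signing failed: " . openssl_errors() . "\n");
    exit(1);
}

// Export both halves as PEM. The private key stays on this server; the
// certificate (which carries the public key) is what you hand to peers.
$privPem = '';
$certPem = '';
if (!openssl_pkey_export($priv, $privPem, null, $opts) || !openssl_x509_export($cert, $certPem)) {
    fwrite(STDERR, "Export failed: " . openssl_errors() . "\n");
    exit(1);
}

// Sanity-check the validity window before installing anything: a certificate
// whose notAfter is in the past (the Unix epoch included) is useless to a peer.
$info = openssl_x509_parse($cert);
if ($info === false) {
    fwrite(STDERR, "Could not parse the certificate just created: " . openssl_errors() . "\n");
    exit(1);
}
$notAfter = $info['validTo_time_t'];
printf("Subject: %s\nValid from %s to %s\n",
    $info['name'], date('c', $info['validFrom_time_t']), date('c', $notAfter));
if ($notAfter <= time()) {
    fwrite(STDERR, "Generated certificate is already expired; check the config file and the system clock.\n");
    exit(1);
}

file_put_contents('node.key', $privPem);   // keep readable by the web server user only
file_put_contents('node.crt', $certPem);
echo "Wrote node.key (private, stays here) and node.crt (public, share it).\n";
```

If this script prints a sensible validity window but Moodle still reports an expiry in 1970, the problem is not the config file; if it fails at the first or second step, the message from openssl_errors() names the actual cause, which is far more useful than "no key appeared". Running it as the same user Apache runs PHP as (rather than from an administrator console) catches permission differences on the config file.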