To: "For users of Fedora Core releases" <fedora-list@xxxxxxxxxx>
Sent: Tuesday, June 21, 2005 1:01 PM
Subject: Re: a little SSL help?
----- Original Message -----
From: "Jake McHenry" <linux@xxxxxxxxxxxxxxxxx>
To: <fedora-list@xxxxxxxxxx>
Sent: Tuesday, June 21, 2005 12:19 PM
Subject: a little SSL help?
Hi everyone,
my RH9 server just blew up, hard drive failure, so I installed FC3.
I am in the middle of setting up httpd, trying to get our ssl cert installed and working, but having some problems.
If I issue a self signed cert, it works fine, but when I put in the valid signed cert, httpd fails startup.
Here is what's in the logs:
[root@ntlh httpd]# cat error_log
[Tue Jun 21 12:13:36 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[root@ntlh httpd]# cat secure.ssl_error_log
[Tue Jun 21 12:13:36 2005] [error] Init: Private key not found
[Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
I'm searching for this on google now, I need this up, my boss isn't happy. If anyone knows what I should do, please let me know!
Thanks, Jake McHenry
Nittany Travel MIS Coordinator http://www.nittanytravel.com (570) 748-6611 x108
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
The original signed valid certificate is server.crt, server.key and server.csr
As I said, it works with the new.crt and new.key which was just created, self signed certificate.
The files are in the right places. Here are the directory listings:
[root@ntlh conf]# ls -laFR ssl.*
ssl.crl:
total 24
drwxr-xr-x 2 root root 4096 Jun 20 12:27 ./
drwxr-xr-x 8 root root 4096 Jun 21 12:04 ../
-rw-r--r-- 1 root root 1569 Oct 15  2004 Makefile.crl

ssl.crt:
total 48
drwxr-xr-x 2 root root 4096 Jun 21 12:36 ./
drwxr-xr-x 8 root root 4096 Jun 21 12:04 ../
-rw------- 1 root root 1720 Jun 21 12:36 ca-bundle.crt
-rw-r--r-- 1 root root 1522 Oct 15  2004 Makefile.crt
-rw------- 1 root root 1903 Jun 21 12:37 new.crt
-rw------- 1 root root 1456 Jun 21 11:58 server.crt

ssl.csr:
total 24
drwxr-xr-x 2 root root 4096 Jun 21 12:04 ./
drwxr-xr-x 8 root root 4096 Jun 21 12:04 ../
-rw------- 1 root root  838 Jun 21 12:37 new.csr

ssl.key:
total 32
drwxr-xr-x 2 root root 4096 Jun 21 12:52 ./
drwxr-xr-x 8 root root 4096 Jun 21 12:04 ../
-rw------- 1 root root  899 Jun 21 12:51 new.key
-rw------- 1 root root  887 Jun 21 12:51 server.key

ssl.prm:
total 16
drwxr-xr-x 2 root root 4096 Oct 15  2004 ./
drwxr-xr-x 8 root root 4096 Jun 21 12:04 ../
[root@ntlh conf]#
Here is my ssl.conf file:
LoadModule ssl_module modules/mod_ssl.so
Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache shm:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

#SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

NameVirtualHost *:443

<VirtualHost *:443>
ServerName secure.nittanytravel.com:443
ServerAdmin admin@xxxxxxxxxxxxxxxxx
DocumentRoot "/var/www/secure"
ErrorLog logs/secure.ssl_error_log
TransferLog logs/secure.ssl_access_log
LogLevel warn
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

SSLCertificateFile /etc/httpd/conf/ssl.crt/new.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/new.key
#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
#SSLCACertificatePath /etc/httpd/conf/ssl.crt
#SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
#SSLCARevocationPath /etc/httpd/conf/ssl.crl
#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl
#SSLVerifyClient require
#SSLVerifyDepth 10
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
Whoops,
Got that backwards, but you get the idea, the files are there. The original good signed certificate is new.csr, new.key, and new.crt.
The self-signed ones that work are the new.key and new.crt.
The files are there, what is wrong?
Thanks, Jake McHenry
Nittany Travel MIS Coordinator http://www.nittanytravel.com (570) 748-6611 x108
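The secure.ssl_error_log above shows mod_ssl giving up with "Private key not found" because OpenSSL's d2i_PrivateKey hit a "bad tag" while parsing the DER inside the key file: whatever SSLCertificateKeyFile points at is not a PEM-armored private key. The following classifier is an added example, not code from this thread; it reads a candidate key file's bytes and reports which of those mismatches it sees (no PEM armor, PEM armor around a certificate or CSR instead of a key, or a key body that does not start with the ASN.1 SEQUENCE every private-key encoding begins with), using constructed sample inputs and no openssl binary.

```python
import base64
import re

# Constructed diagnostic for the failure mode in the thread: mod_ssl reports
# "Private key not found" and d2i_PrivateKey reports "bad tag"/"wrong tag"
# when the file named by SSLCertificateKeyFile is not a PEM-armored DER key.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
              "DSA PRIVATE KEY", "EC PRIVATE KEY"}

def der_is_sequence(der: bytes) -> bool:
    """True if der is exactly one ASN.1 SEQUENCE (tag 0x30) whose encoded
    length covers the whole buffer; every private-key encoding starts this
    way and it is the first thing d2i_PrivateKey checks."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)

def classify_key_file(data: bytes) -> str:
    """Return a short verdict on what a candidate key file actually holds."""
    blocks = PEM_RE.findall(data)
    if not blocks:
        # mod_ssl wants PEM; raw DER (e.g. after a careless convert/copy) still fails.
        return "der-without-pem-armor" if der_is_sequence(data) else "not-pem-not-der"
    labels = sorted({lab.decode() for lab, _ in blocks})
    if not set(labels) & KEY_LABELS:
        # A .key file holding a CERTIFICATE or CERTIFICATE REQUEST gives this symptom.
        return "pem-but-no-private-key: " + ", ".join(labels)
    for lab, body in blocks:
        if lab.decode() not in KEY_LABELS:
            continue
        # Drop "Proc-Type:"/"DEK-Info:" header lines of legacy encrypted keys.
        b64 = b"".join(l for l in body.splitlines() if b":" not in l)
        try:
            der = base64.b64decode(b64)
        except ValueError:
            return "pem-key-body-not-base64"
        if not der_is_sequence(der):
            return "pem-key-body-bad-asn1"       # what the "bad tag" log lines mean
    return "pem-private-key-ok"
```

Run it over the file named in SSLCertificateKeyFile (for example `classify_key_file(open("/etc/httpd/conf/ssl.key/server.key", "rb").read())`); a verdict other than "pem-private-key-ok" explains the ASN.1 errors before any certificate/key matching is attempted.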