To: <fedora-list@xxxxxxxxxx>
Sent: Tuesday, June 21, 2005 12:19 PM
Subject: a little SSL help?
Hi everyone,
My RH9 server just died (hard drive failure), so I installed FC3.
I am in the middle of setting up httpd and trying to get our SSL cert installed and working, but I'm having some problems.
If I issue a self-signed cert, it works fine, but when I put in the valid signed cert, httpd fails at startup.
Here is what's in the logs:
[root@ntlh httpd]# cat error_log
[Tue Jun 21 12:13:36 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[root@ntlh httpd]# cat secure.ssl_error_log
[Tue Jun 21 12:13:36 2005] [error] Init: Private key not found
[Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
I'm searching Google for this now; I need this up, and my boss isn't happy. If anyone knows what I should do, please let me know!
Thanks, Jake McHenry
Nittany Travel MIS Coordinator http://www.nittanytravel.com (570) 748-6611 x108
The original valid signed certificate consists of server.crt, server.key and server.csr.
As I said, it works with new.crt and new.key, the self-signed certificate that was just created.
The files are in the right places. Here are the directory listings:
[root@ntlh conf]# ls -laFR ssl.* ssl.crl: total 24 drwxr-xr-x 2 root root 4096 Jun 20 12:27 ./ drwxr-xr-x 8 root root 4096 Jun 21 12:04 ../ -rw-r--r-- 1 root root 1569 Oct 15 2004 Makefile.crl
ssl.crt: total 48 drwxr-xr-x 2 root root 4096 Jun 21 12:36 ./ drwxr-xr-x 8 root root 4096 Jun 21 12:04 ../ -rw------- 1 root root 1720 Jun 21 12:36 ca-bundle.crt -rw-r--r-- 1 root root 1522 Oct 15 2004 Makefile.crt -rw------- 1 root root 1903 Jun 21 12:37 new.crt -rw------- 1 root root 1456 Jun 21 11:58 server.crt
ssl.csr: total 24 drwxr-xr-x 2 root root 4096 Jun 21 12:04 ./ drwxr-xr-x 8 root root 4096 Jun 21 12:04 ../ -rw------- 1 root root 838 Jun 21 12:37 new.csr
ssl.key: total 32 drwxr-xr-x 2 root root 4096 Jun 21 12:52 ./ drwxr-xr-x 8 root root 4096 Jun 21 12:04 ../ -rw------- 1 root root 899 Jun 21 12:51 new.key -rw------- 1 root root 887 Jun 21 12:51 server.key
ssl.prm: total 16 drwxr-xr-x 2 root root 4096 Oct 15 2004 ./ drwxr-xr-x 8 root root 4096 Jun 21 12:04 ../ [root@ntlh conf]#
Here is my ssl.conf file:
# ssl.conf as pasted in the mail, with the original line breaks restored.
# Directives are unchanged; only comments have been added.
LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# builtin: if the key file is passphrase-protected, httpd prompts for the
# passphrase on the console at startup (an unattended boot would block there).
SSLPassPhraseDialog builtin
SSLSessionCache shm:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
NameVirtualHost *:443
<VirtualHost *:443>
ServerName secure.nittanytravel.com:443
ServerAdmin admin@xxxxxxxxxxxxxxxxx
DocumentRoot "/var/www/secure"
ErrorLog logs/secure.ssl_error_log
TransferLog logs/secure.ssl_access_log
LogLevel warn
SSLEngine on
# NOTE(review): ALL is the base set, and a leading '+' only moves the named
# group to the end of the preference list rather than removing it, so the
# LOW, SSLv2 and EXP (export-grade) groups stay negotiable here; only !ADH and
# !EXPORT56 are actually excluded. Tightening this list (dropping LOW, EXP and
# SSLv2) is unrelated to the key-loading failure and can be done separately.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
# These two directives currently point at the self-signed new.crt/new.key
# pair, which is the configuration that starts. The failure described in the
# mail ("Init: Private key not found" followed by d2i_PrivateKey ASN1
# "bad tag"/"wrong tag" errors in secure.ssl_error_log) appears when they are
# switched to server.crt/server.key, which indicates mod_ssl cannot decode
# server.key as a private key (wrong format or not a key at all — confirm).
# Before switching back, check that the key parses
# (openssl rsa -in /etc/httpd/conf/ssl.key/server.key -noout -check) and that
# its modulus matches the certificate
# (openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -noout -modulus vs
#  openssl rsa -in /etc/httpd/conf/ssl.key/server.key -noout -modulus).
SSLCertificateFile /etc/httpd/conf/ssl.crt/new.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/new.key
# NOTE(review): every chain/CA directive below is commented out. If the
# CA-signed server.crt needs an intermediate certificate, clients will not
# receive it unless SSLCertificateChainFile is enabled and points at that
# file; ca-bundle.crt in ssl.crt/ may or may not be the right file — verify.
#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
#SSLCACertificatePath /etc/httpd/conf/ssl.crt
#SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
#SSLCARevocationPath /etc/httpd/conf/ssl.crl
#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl
# Client-certificate verification is disabled (directives commented out).
#SSLVerifyClient require
#SSLVerifyDepth 10
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
# Export the SSL_* environment variables only for script handlers and the
# CGI directory, not for every request.
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# Workaround flags for MSIE clients (stock mod_ssl setting as shipped).
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-request log of negotiated protocol and cipher.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>