a little SSL help?

Jake McHenry linux at nittanytravel.com
Tue Jun 21 17:01:55 UTC 2005


----- Original Message ----- 
From: "Jake McHenry" <linux at nittanytravel.com>
To: <fedora-list at redhat.com>
Sent: Tuesday, June 21, 2005 12:19 PM
Subject: a little SSL help?


> Hi everyone,
>
> my RH9 server just blew up, hard drive failure, so I installed FC3.
>
> I am in the middle of setting up httpd, trying to get our ssl cert 
> installed and working, but having some problems.
>
> If I issue a self signed cert, it works fine, but when I put in the valid 
> signed cert, httpd fails startup.
>
> Here is what's in the logs:
>
>
>
>
> [root at ntlh httpd]# cat error_log
> [Tue Jun 21 12:13:36 2005] [notice] suEXEC mechanism enabled (wrapper: 
> /usr/sbin/suexec)
>
> [root at ntlh httpd]# cat secure.ssl_error_log
> [Tue Jun 21 12:13:36 2005] [error] Init: Private key not found
> [Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218710120 
> error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
> [Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218529960 
> error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> [Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218595386 
> error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> [Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218734605 
> error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
>
>
>
>
> I'm searching for this on Google now. I need this up; my boss isn't happy. 
> If anyone knows what I should do, please let me know!
>
>
>
>
> Thanks,
> Jake McHenry
>
> Nittany Travel MIS Coordinator
> http://www.nittanytravel.com
> (570) 748-6611 x108
>
>
>
> -- 
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>




The original signed valid certificate is server.crt, server.key and 
server.csr.


As I said, it works with new.crt and new.key, which were just created as a 
self-signed certificate.


The files are in the right places. Here are the directory listings:




[root at ntlh conf]# ls -laFR ssl.*
ssl.crl:
total 24
drwxr-xr-x  2 root root 4096 Jun 20 12:27 ./
drwxr-xr-x  8 root root 4096 Jun 21 12:04 ../
-rw-r--r--  1 root root 1569 Oct 15  2004 Makefile.crl

ssl.crt:
total 48
drwxr-xr-x  2 root root 4096 Jun 21 12:36 ./
drwxr-xr-x  8 root root 4096 Jun 21 12:04 ../
-rw-------  1 root root 1720 Jun 21 12:36 ca-bundle.crt
-rw-r--r--  1 root root 1522 Oct 15  2004 Makefile.crt
-rw-------  1 root root 1903 Jun 21 12:37 new.crt
-rw-------  1 root root 1456 Jun 21 11:58 server.crt

ssl.csr:
total 24
drwxr-xr-x  2 root root 4096 Jun 21 12:04 ./
drwxr-xr-x  8 root root 4096 Jun 21 12:04 ../
-rw-------  1 root root  838 Jun 21 12:37 new.csr

ssl.key:
total 32
drwxr-xr-x  2 root root 4096 Jun 21 12:52 ./
drwxr-xr-x  8 root root 4096 Jun 21 12:04 ../
-rw-------  1 root root  899 Jun 21 12:51 new.key
-rw-------  1 root root  887 Jun 21 12:51 server.key

ssl.prm:
total 16
drwxr-xr-x  2 root root 4096 Oct 15  2004 ./
drwxr-xr-x  8 root root 4096 Jun 21 12:04 ../
[root at ntlh conf]#


Here is my ssl.conf file:


LoadModule ssl_module modules/mod_ssl.so
Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache         shm:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

NameVirtualHost *:443

<VirtualHost *:443>
ServerName secure.nittanytravel.com:443
ServerAdmin admin at nittanytravel.com
DocumentRoot "/var/www/secure"
ErrorLog logs/secure.ssl_error_log
TransferLog logs/secure.ssl_access_log
LogLevel warn
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

SSLCertificateFile /etc/httpd/conf/ssl.crt/new.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/new.key
#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
#SSLCACertificatePath /etc/httpd/conf/ssl.crt
#SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
#SSLCARevocationPath /etc/httpd/conf/ssl.crl
#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl
#SSLVerifyClient require
#SSLVerifyDepth  10
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
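A check for the failure the quoted log reports, added here as an example and not part of the message above: it verifies that the file named by SSLCertificateKeyFile parses as a private key at all (the "d2i_PrivateKey ... bad tag" case) and that it carries the same modulus as the certificate it is paired with. It assumes the openssl command-line tool; the default paths are the server.crt/server.key locations implied by the ssl.conf above, and the fixture files it generates are constructed throwaway material.

```shell
#!/bin/sh
# Added example, not from the original post: check a mod_ssl key/certificate pair
# the way the posted log calls for. "Init: Private key not found" plus
# "d2i_PrivateKey ... bad tag" means the file named by SSLCertificateKeyFile does
# not parse as a private key; a key that parses but belongs to a different
# certificate is the other common cause. Default paths are from the posted ssl.conf.

key_parses() {
    openssl rsa -in "$1" -noout -check >/dev/null 2>&1
}

# Returns 0 if certificate $1 and key $2 carry the same RSA modulus.
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ "$cert_mod" = "$key_mod" ]
}

# check_pair CERT KEY: exit 0 ok, 2 key unreadable (the log's case), 3 mismatch.
check_pair() {
    if ! key_parses "$2"; then
        echo "$2: does not parse as a private key"; return 2
    fi
    if ! key_matches_cert "$1" "$2"; then
        echo "$1 / $2: key and certificate moduli differ"; return 3
    fi
    echo "$1 / $2: key parses and matches the certificate"
}

# make_fixture: constructed throwaway files in a temp dir (path is printed):
# good.key/good.crt match, good.csr is a CSR, other.key is an unrelated key.
make_fixture() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/good.key" \
        -out "$d/good.crt" -subj "/CN=example.invalid" -days 1 >/dev/null 2>&1
    openssl req -new -key "$d/good.key" -out "$d/good.csr" \
        -subj "/CN=example.invalid" >/dev/null 2>&1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
    echo "$d"
}

# Stand-alone: "demo" runs the three cases on the fixture; otherwise CERT KEY args.
if [ "${1:-}" = demo ]; then
    d=$(make_fixture); trap 'rm -rf "$d"' EXIT
    check_pair "$d/good.crt" "$d/good.key"    # exit 0
    check_pair "$d/good.crt" "$d/good.csr"    # exit 2: CSR where the key belongs
    check_pair "$d/good.crt" "$d/other.key"   # exit 3
elif [ $# -ge 2 ]; then
    check_pair "$1" "$2"
fi
```

Run it as `sh check_pair.sh /etc/httpd/conf/ssl.crt/server.crt /etc/httpd/conf/ssl.key/server.key` on the box; a return code of 2 confirms the key file itself is the problem rather than the configuration.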