[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: a little SSL help?



----- Original Message ----- From: "Jake McHenry" <linux nittanytravel com>
To: "For users of Fedora Core releases" <fedora-list redhat com>
Sent: Tuesday, June 21, 2005 1:01 PM
Subject: Re: a little SSL help?



----- Original Message ----- From: "Jake McHenry" <linux nittanytravel com>
To: <fedora-list redhat com>
Sent: Tuesday, June 21, 2005 12:19 PM
Subject: a little SSL help?



Hi everyone,

my RH9 server just blew up, hard drive failure, so I installed FC3.

I am in the middle of setting up httpd, trying to get our ssl cert installed and working, but having some problems.

If I issue a self signed cert, it works fine, but when I put in the valid signed cert, httpd fails startup.

Here is what's in the logs:




[root ntlh httpd]# cat error_log
[Tue Jun 21 12:13:36 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)


[root ntlh httpd]# cat secure.ssl_error_log
[Tue Jun 21 12:13:36 2005] [error] Init: Private key not found
[Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib





I'm searching for this on google now, I need this up, my boss isn't happy. If anyone knows what I should do, please let me know!





Thanks, Jake McHenry

Nittany Travel MIS Coordinator
http://www.nittanytravel.com
(570) 748-6611 x108



--
fedora-list mailing list
fedora-list redhat com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list





The original signed valid certificate is server.crt, server.key and server.csr


As I said, it works with the new.crt and new.key which was just created, self signed certificate.



The files are in the right places. Here are the directory listings:




[root ntlh conf]# ls -laFR ssl.* ssl.crl: total 24 drwxr-xr-x 2 root root 4096 Jun 20 12:27 ./ drwxr-xr-x 8 root root 4096 Jun 21 12:04 ../ -rw-r--r-- 1 root root 1569 Oct 15 2004 Makefile.crl

ssl.crt:
total 48
drwxr-xr-x  2 root root 4096 Jun 21 12:36 ./
drwxr-xr-x  8 root root 4096 Jun 21 12:04 ../
-rw-------  1 root root 1720 Jun 21 12:36 ca-bundle.crt
-rw-r--r--  1 root root 1522 Oct 15  2004 Makefile.crt
-rw-------  1 root root 1903 Jun 21 12:37 new.crt
-rw-------  1 root root 1456 Jun 21 11:58 server.crt

ssl.csr:
total 24
drwxr-xr-x  2 root root 4096 Jun 21 12:04 ./
drwxr-xr-x  8 root root 4096 Jun 21 12:04 ../
-rw-------  1 root root  838 Jun 21 12:37 new.csr

ssl.key:
total 32
drwxr-xr-x  2 root root 4096 Jun 21 12:52 ./
drwxr-xr-x  8 root root 4096 Jun 21 12:04 ../
-rw-------  1 root root  899 Jun 21 12:51 new.key
-rw-------  1 root root  887 Jun 21 12:51 server.key

ssl.prm:
total 16
drwxr-xr-x  2 root root 4096 Oct 15  2004 ./
drwxr-xr-x  8 root root 4096 Jun 21 12:04 ../
[root ntlh conf]#
























Here is my ssl.conf file:


LoadModule ssl_module modules/mod_ssl.so Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache         shm:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

NameVirtualHost *:443

<VirtualHost *:443>
ServerName secure.nittanytravel.com:443
ServerAdmin admin nittanytravel com
DocumentRoot "/var/www/secure"
ErrorLog logs/secure.ssl_error_log
TransferLog logs/secure.ssl_access_log
LogLevel warn
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

SSLCertificateFile /etc/httpd/conf/ssl.crt/new.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/new.key
#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
#SSLCACertificatePath /etc/httpd/conf/ssl.crt
#SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
#SSLCARevocationPath /etc/httpd/conf/ssl.crl
#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl
#SSLVerifyClient require
#SSLVerifyDepth  10
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
   SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
   SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>



--
fedora-list mailing list
fedora-list redhat com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list




woops,


got that backwards, but u get the idea, the files are there. The original good signed certificate is new.csr, new.key, and new.crt




the self signed ones that work are the new.key and new.crt


the files are there, what is wrong??


Thanks, Jake McHenry

Nittany Travel MIS Coordinator
http://www.nittanytravel.com
(570) 748-6611 x108





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]