a little SSL help?

Jake McHenry linux at nittanytravel.com
Tue Jun 21 17:11:41 UTC 2005


----- Original Message ----- 
From: "Jake McHenry" <linux at nittanytravel.com>
To: "For users of Fedora Core releases" <fedora-list at redhat.com>
Sent: Tuesday, June 21, 2005 1:01 PM
Subject: Re: a little SSL help?


> ----- Original Message ----- 
> From: "Jake McHenry" <linux at nittanytravel.com>
> To: <fedora-list at redhat.com>
> Sent: Tuesday, June 21, 2005 12:19 PM
> Subject: a little SSL help?
>
>
>> Hi everyone,
>>
>> my RH9 server just blew up, hard drive failure, so I installed FC3.
>>
>> I am in the middle of setting up httpd, trying to get our ssl cert 
>> installed and working, but having some problems.
>>
>> If I issue a self-signed cert, it works fine, but when I put in the valid 
>> signed cert, httpd fails startup.
>>
>> Here is what's in the logs:
>>
>>
>> [root at ntlh httpd]# cat error_log
>> [Tue Jun 21 12:13:36 2005] [notice] suEXEC mechanism enabled (wrapper: 
>> /usr/sbin/suexec)
>>
>> [root at ntlh httpd]# cat secure.ssl_error_log
>> [Tue Jun 21 12:13:36 2005] [error] Init: Private key not found
>> [Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218710120 
>> error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
>> [Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218529960 
>> error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
>> [Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218595386 
>> error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
>> [Tue Jun 21 12:13:36 2005] [error] SSL Library Error: 218734605 
>> error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
>>
>> I'm searching for this on google now, I need this up, my boss isn't 
>> happy. If anyone knows what I should do, please let me know!
>>
>> Thanks,
>> Jake McHenry
>>
>> Nittany Travel MIS Coordinator
>> http://www.nittanytravel.com
>> (570) 748-6611 x108
>>
>> -- 
>> fedora-list mailing list
>> fedora-list at redhat.com
>> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>>
>
> The original signed valid certificate is server.crt, server.key and 
> server.csr
>
>
> As I said, it works with new.crt and new.key, which were just created as a 
> self-signed certificate.
>
>
> The files are in the right places. Here are the directory listings:
>
> [root at ntlh conf]# ls -laFR ssl.*
> ssl.crl:
> total 24
> drwxr-xr-x  2 root root 4096 Jun 20 12:27 ./
> drwxr-xr-x  8 root root 4096 Jun 21 12:04 ../
> -rw-r--r--  1 root root 1569 Oct 15  2004 Makefile.crl
>
> ssl.crt:
> total 48
> drwxr-xr-x  2 root root 4096 Jun 21 12:36 ./
> drwxr-xr-x  8 root root 4096 Jun 21 12:04 ../
> -rw-------  1 root root 1720 Jun 21 12:36 ca-bundle.crt
> -rw-r--r--  1 root root 1522 Oct 15  2004 Makefile.crt
> -rw-------  1 root root 1903 Jun 21 12:37 new.crt
> -rw-------  1 root root 1456 Jun 21 11:58 server.crt
>
> ssl.csr:
> total 24
> drwxr-xr-x  2 root root 4096 Jun 21 12:04 ./
> drwxr-xr-x  8 root root 4096 Jun 21 12:04 ../
> -rw-------  1 root root  838 Jun 21 12:37 new.csr
>
> ssl.key:
> total 32
> drwxr-xr-x  2 root root 4096 Jun 21 12:52 ./
> drwxr-xr-x  8 root root 4096 Jun 21 12:04 ../
> -rw-------  1 root root  899 Jun 21 12:51 new.key
> -rw-------  1 root root  887 Jun 21 12:51 server.key
>
> ssl.prm:
> total 16
> drwxr-xr-x  2 root root 4096 Oct 15  2004 ./
> drwxr-xr-x  8 root root 4096 Jun 21 12:04 ../
> [root at ntlh conf]#
>
> Here is my ssl.conf file:
>
>
> LoadModule ssl_module modules/mod_ssl.so
> Listen 443
>
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl    .crl
>
> SSLPassPhraseDialog  builtin
>
> SSLSessionCache         shm:/var/cache/mod_ssl/scache(512000)
> SSLSessionCacheTimeout  300
>
> SSLMutex default
>
> SSLRandomSeed startup file:/dev/urandom  256
> SSLRandomSeed connect builtin
> #SSLRandomSeed startup file:/dev/random  512
> #SSLRandomSeed connect file:/dev/random  512
> #SSLRandomSeed connect file:/dev/urandom 512
>
> #SSLCryptoDevice builtin
> #SSLCryptoDevice ubsec
>
> NameVirtualHost *:443
>
> <VirtualHost *:443>
> ServerName secure.nittanytravel.com:443
> ServerAdmin admin at nittanytravel.com
> DocumentRoot "/var/www/secure"
> ErrorLog logs/secure.ssl_error_log
> TransferLog logs/secure.ssl_access_log
> LogLevel warn
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>
> SSLCertificateFile /etc/httpd/conf/ssl.crt/new.crt
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/new.key
> #SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
> #SSLCACertificatePath /etc/httpd/conf/ssl.crt
> #SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
> #SSLCARevocationPath /etc/httpd/conf/ssl.crl
> #SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl
> #SSLVerifyClient require
> #SSLVerifyDepth  10
> #<Location />
> #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
> #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
> #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
> #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> #</Location>
>
> #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>    SSLOptions +StdEnvVars
> </Files>
> <Directory "/var/www/cgi-bin">
>    SSLOptions +StdEnvVars
> </Directory>
>
> SetEnvIf User-Agent ".*MSIE.*" \
>         nokeepalive ssl-unclean-shutdown \
>         downgrade-1.0 force-response-1.0
>
> CustomLog logs/ssl_request_log \
>          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> </VirtualHost>
>



Whoops,

Got that backwards, but you get the idea; the files are there. The original 
good signed certificate is new.csr, new.key, and new.crt.

The self-signed ones that work are the new.key and new.crt.

The files are there; what is wrong??


Thanks,
Jake McHenry

Nittany Travel MIS Coordinator
http://www.nittanytravel.com
(570) 748-6611 x108
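A pre-flight check of the file named by SSLCertificateKeyFile, added here as an example and not part of the original thread: it reproduces, in plain Python, the structural checks whose failure mod_ssl surfaces as the ASN.1 "bad tag" / "wrong tag" errors in the secure.ssl_error_log above (the mapping to OpenSSL's messages is approximate). The PEM fixtures and every function name are constructed for illustration, not taken from the poster's files.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}

def pem(label, der):
    """Wrap DER bytes in PEM armour under the given label (fixture helper)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def der_length(buf, i):
    """Decode DER length octets at buf[i]; returns (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def check_key_pem(text):
    """Sanity-check an SSLCertificateKeyFile's contents before restarting httpd.
    Returns [] when it looks like a private key, otherwise a list of problems."""
    m = PEM_RE.search(text)
    if not m:
        return ["no PEM block: file is empty, DER-encoded, or missing its BEGIN/END lines"]
    label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
    problems = []
    if label not in KEY_LABELS:
        problems.append(f"label '{label}' is not a private key (a CSR or cert in the key path?)")
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return problems + ["base64 body is corrupt (copy/paste or line-wrapping damage)"]
    if not der or der[0] != 0x30:
        return problems + ["outer tag is not SEQUENCE (0x30): OpenSSL reports 'bad tag'"]
    length, start = der_length(der, 1)
    if start + length != len(der):
        problems.append("SEQUENCE length disagrees with file size: truncated or trailing junk")
    elif label == "RSA PRIVATE KEY" and der[start:start + 3] != b"\x02\x01\x00":
        problems.append("PKCS#1 key must begin with INTEGER version 0: OpenSSL reports 'wrong tag'")
    return problems

# Constructed fixtures, not the poster's files. GOOD_KEY is a structurally valid but
# cryptographically meaningless PKCS#1 shell: SEQUENCE { INTEGER 0, INTEGER 5 }.
GOOD_KEY = pem("RSA PRIVATE KEY", b"\x30\x06\x02\x01\x00\x02\x01\x05")
CSR_AS_KEY = pem("RSA PRIVATE KEY", b"\x30\x05\x30\x03\x02\x01\x00")  # CSR body, key label
CSR_LABELLED = pem("CERTIFICATE REQUEST", b"\x30\x05\x30\x03\x02\x01\x00")
NOT_A_SEQUENCE = pem("RSA PRIVATE KEY", b"\x02\x01\x00")
```

To use it on a real configuration, pass the text of the file named by SSLCertificateKeyFile (here /etc/httpd/conf/ssl.key/new.key) to check_key_pem and fix whatever it lists before restarting httpd.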