Date: Wed, 01 Feb 2006 18:10:28 +0100 From: =?ISO-8859-1?Q?K=F6vesd=E1n_G=E1bor?= <gabor.kovesdan@t-hosting.hu> To: Charles Swiger <cswiger@mac.com> Cc: freebsd-questions <freebsd-questions@freebsd.org> Subject: Re: Upgrading apache form 2.0.x to 2.2.x Message-ID: <43E0EB84.1000009@t-hosting.hu> In-Reply-To: <43DFA79A.4080707@t-hosting.hu> References: <43DF7CE2.2050408@t-hosting.hu> <6C8140DB-6E12-4C35-97C1-62931D7A2BAD@mac.com> <43DFA79A.4080707@t-hosting.hu>
next in thread | previous in thread | raw e-mail | index | archive | help
Kövesdán Gábor wrote:
> Charles Swiger wrote:
>
>> On Jan 31, 2006, at 10:06 AM, Kövesdán Gábor wrote:
>>
>>> I've upgradde today, but SSL doesn't work with the old settings. I
>>> suspect something's wrong with my self-signed certificates. If I
>>> set SSLEngine On globally, I get this:
>>>
>>> [Tue Jan 31 14:11:09 2006] [warn] RSA server certificate is a CA
>>> certificate (BasicConstraints: CA certificate (BasicConstraints: CA
>>> == TRUE !?)
>>
>>
>>
>> Yeah, the RSA cert you use for your CA to sign other certs should
>> not be used as a host cert for SSL. Generate a new RSA cert,
>> generate a CSR, and use the CA cert to sign your new RSA cert for
>> the webserver:
>>
>>
>> openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -
>> days 365
>> openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out
>> tmp.pem
>> openssl ca -policy policy_anything -out newcert.pem -infiles tmp.pem
>> # (newcert.pem contains signed certificate, newreq.pem still
>> contains
>> # unsigned certificate and private key)
>>
> Thanks, I see the point, but I don't really experienced in generating
> certs. The lines you wrote lead me to the following:
>
> root@server# openssl req -nodes -new -x509 -keyout newreq.pem -out
> newreq.pem -days 365
> Generating a 1024 bit RSA private key
> .........++++++
> ..........................++++++
> writing new private key to 'newreq.pem'
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or
> a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:HU
> State or Province Name (full name) [Some-State]:Budapest
> Locality Name (eg, city) []:Budapest
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:T-Hosting.Hu
> Organizational Unit Name (eg, section) []:HTTP Server
> Common Name (eg, YOUR name) []:server.t-hosting.hu
> Email Address []:postmaster@t-hosting.hu
> root@server# openssl x509 -x509toreq -in newreq.pem -signkey
> newreq.pem -out tmp.pem
> Getting request Private Key
> Generating certificate request
> root@server# openssl ca -policy policy_anything -out newcert.pem
> -infiles tmp.pem
> Using configuration from /etc/ssl/openssl.cnf
> Error opening CA private key ./demoCA/private/cakey.pem
> 46641:error:0E06D06C:configuration file routines:NCONF_get_string:no
> value:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_lib.c:329:group=CA_default
> name=unique_subject
> 46641:error:02001002:system library:fopen:No such file or
> directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:276:fopen('./demoCA/private/cakey.pem','r')
>
> 46641:error:20074002:BIO routines:FILE_CTRL:system
> lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:278:
>
> unable to load CA private key
> Segmentation fault (core dumped)
>
> Could you tell me what's wrong?
>
> Thanks,
>
> Gabor Kovesdan
>
>
Hi again,
since then I've found a howto about certs:
http://www.debian-administration.org/articles/284
I followed the steps, and now I have three separate files:
1, the ca cert, called cacert.pem
2, the signed cert, called cert.pem
3, the private key, called key.pem
My httpd.conf contains this about SSL configuration:
<IfModule mod_ssl.c>
NameVirtualHost 217.20.133.7:443
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLCertificateFile /usr/local/etc/apache22/cert.pem
SSLCertificateKeyFile /usr/local/etc/apache22/key.pem
SSLCACertificateFile /usr/local/etc/apache22/cacert.pem
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
SSLEngine Off
</IfModule>
Now, if I globally set SSLEngine On apache doesn't start and writes
nothing to the error log. If I only set SSLEngine On is a VirtualHost
section, I get the same Invalid method in request message.
Does somebody have any idea?
Thanks,
Gabor Kovesdan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43E0EB84.1000009>