From: Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>
To: Charles Swiger
Cc: freebsd-questions@freebsd.org
Subject: Re: Upgrading apache from 2.0.x to 2.2.x
Date: Wed, 01 Feb 2006 18:10:28 +0100
Message-ID: <43E0EB84.1000009@t-hosting.hu>
In-Reply-To: <43DFA79A.4080707@t-hosting.hu>
References: <43DF7CE2.2050408@t-hosting.hu> <6C8140DB-6E12-4C35-97C1-62931D7A2BAD@mac.com> <43DFA79A.4080707@t-hosting.hu>
Kövesdán Gábor wrote:
> Charles Swiger wrote:
>
>> On Jan 31, 2006, at 10:06 AM, Kövesdán Gábor wrote:
>>
>>> I've upgraded today, but SSL doesn't work with the old settings. I
>>> suspect something's wrong with my self-signed certificates. If I
>>> set SSLEngine On globally, I get this:
>>>
>>> [Tue Jan 31 14:11:09 2006] [warn] RSA server certificate is a CA
>>> certificate (BasicConstraints: CA == TRUE !?)
>>
>> Yeah, the RSA cert you use for your CA to sign other certs should
>> not be used as a host cert for SSL. Generate a new RSA cert,
>> generate a CSR, and use the CA cert to sign your new RSA cert for
>> the webserver:
>>
>> openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365
>> openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
>> openssl ca -policy policy_anything -out newcert.pem -infiles tmp.pem
>> # (newcert.pem contains signed certificate, newreq.pem still contains
>> # unsigned certificate and private key)
>>
> Thanks, I see the point, but I'm not really experienced in generating
> certs. The lines you wrote led me to the following:
>
> root@server# openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365
> Generating a 1024 bit RSA private key
> .........++++++
> ..........................++++++
> writing new private key to 'newreq.pem'
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:HU
> State or Province Name (full name) [Some-State]:Budapest
> Locality Name (eg, city) []:Budapest
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:T-Hosting.Hu
> Organizational Unit Name (eg, section) []:HTTP Server
> Common Name (eg, YOUR name) []:server.t-hosting.hu
> Email Address []:postmaster@t-hosting.hu
> root@server# openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
> Getting request Private Key
> Generating certificate request
> root@server# openssl ca -policy policy_anything -out newcert.pem -infiles tmp.pem
> Using configuration from /etc/ssl/openssl.cnf
> Error opening CA private key ./demoCA/private/cakey.pem
> 46641:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_lib.c:329:group=CA_default name=unique_subject
> 46641:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:276:fopen('./demoCA/private/cakey.pem','r')
> 46641:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:278:
> unable to load CA private key
> Segmentation fault (core dumped)
>
> Could you tell me what's wrong?
>
> Thanks,
>
> Gabor Kovesdan
>
Hi again, since then I've found a howto about certs:
http://www.debian-administration.org/articles/284

I followed the steps, and now I have three separate files:
1, the ca cert, called cacert.pem
2, the signed cert, called cert.pem
3, the private key, called key.pem

My httpd.conf contains this about SSL configuration:

NameVirtualHost 217.20.133.7:443
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLCertificateFile /usr/local/etc/apache22/cert.pem
SSLCertificateKeyFile /usr/local/etc/apache22/key.pem
SSLCACertificateFile /usr/local/etc/apache22/cacert.pem
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
SSLEngine Off

Now, if I globally set SSLEngine On apache doesn't start and writes nothing
to the error log. If I only set SSLEngine On in a VirtualHost section, I get
the same "Invalid method in request" message.

Does somebody have any idea?

Thanks,

Gabor Kovesdan
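The script below is an added example and is not from the thread or from the howto linked above. It builds a throwaway CA and a separate server certificate with "openssl x509 -req -CA", which needs none of the ./demoCA index/serial layout that "openssl ca" looks for (the layout missing in the error output quoted above), and then checks the property the Apache warning is about: the CA certificate carries BasicConstraints CA:TRUE, the server certificate does not, and the server certificate verifies against the CA. The CA name "Example Test CA", the host name www.example.test, the section names in the config and the working directory are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a test CA and a
# separate server certificate, then check which file is which before any of
# them is put into httpd.conf. All names and paths here are constructed.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/pki.cnf"

# Minimal OpenSSL config with one extension section for the CA and one for
# the server certificate; only v3_server is ever used for the web server.
write_config() {
  cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = Example Test CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

# Self-signed CA certificate: the file that belongs in SSLCACertificateFile
# and must NOT be used as SSLCertificateFile.
make_ca() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
    -config "$CNF" -extensions v3_ca \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Server key plus CSR, then sign the CSR with the CA. "openssl x509 -req -CA"
# signs without the ./demoCA directory that "openssl ca" expects.
make_server_cert() {
  openssl req -new -nodes -newkey rsa:2048 -config "$CNF" \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$CNF" -extensions v3_server -out "$WORK/cert.pem" 2>/dev/null
}

# Exit 0 when the certificate asserts BasicConstraints CA:TRUE, i.e. it is a
# CA certificate of the kind Apache warned about.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Exit 0 when certificate $2 chains to the CA file $1.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The check to run before pointing SSLCertificateFile at a file: it must
# verify against the CA and must not itself be a CA certificate.
server_cert_ok() {
  verify_chain "$1" "$2" && ! is_ca_cert "$2"
}

build_demo_pki() {
  write_config && make_ca && make_server_cert
}

build_demo_pki
for f in cacert.pem cert.pem; do
  if is_ca_cert "$WORK/$f"; then
    echo "$f: CA certificate (SSLCACertificateFile only)"
  else
    echo "$f: end-entity certificate"
  fi
done
if server_cert_ok "$WORK/cacert.pem" "$WORK/cert.pem"; then
  echo "cert.pem is usable as SSLCertificateFile"
fi
```

Running it prints which of the two generated files is the CA certificate and confirms that cert.pem verifies against cacert.pem; the same is_ca_cert and server_cert_ok checks can be pointed at existing PEM files to confirm that the file named in SSLCertificateFile is not the CA certificate.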