From: Paul Kraus
Date: Thu, 10 Jan 2013 15:37:52 -0500
Subject: Re: OpenSSL Certificate issue
To: glarkin@FreeBSD.org
Cc: freebsd-questions@freebsd.org
Message-Id: <0A197E8B-6F4B-40E4-A642-27F3B4523E7D@kraus-haus.org>
In-Reply-To: <50EF1152.3010205@FreeBSD.org>

On Jan 10, 2013, at 2:06 PM, Greg Larkin wrote:

> On 1/10/13 1:38 PM, Paul Kraus wrote:
>
> I put the certs for my test in /etc/ssl/certs when using the base
> system openssl and in /usr/local/openssl/certs when using the openssl
> port.
>
> c_rehash uses a specific openssl binary when invoked like so:
>
> env OPENSSL=/usr/bin/openssl c_rehash /etc/ssl/certs
>
> You can set the OPENSSL and SSL_CERT_DIR environment variables
> permanently, and that would ensure everything is consistent going
> forward, even if the openssl port is present.

That almost worked, the default directory for certs is /etc/ssl,

[root@MailArch /etc/ssl]# pwd
/etc/ssl
[root@MailArch /etc/ssl]# ls -l
total 12
lrwxr-xr-x  1 root  wheel     8 Jan 10 15:26 882de061.0 -> cert.pem
lrwxr-xr-x  1 root  wheel    38 Jan 10 15:22 cert.pem -> /usr/local/share/certs/ca-root-nss.crt
-rw-r--r--  1 root  wheel  9468 Jan  3  2012 openssl.cnf
[root@MailArch /etc/ssl]#

The clue was in the ca_root_nss port. If you enable etc symlink creation
it creates the link in /etc/ssl. After running c_rehash (using the
correct openssl) in that directory, the other tools that just call the
openssl libraries find the root certs just fine.

Thanks for the help.

--
Paul Kraus
Deputy Technical Director, LoneStarCon 3
Sound Coordinator, Schenectady Light Opera Company
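
The following is an added example, not part of the original message: a shell function that audits the hash links c_rehash leaves in a certificate directory against the openssl binary named by OPENSSL, the same variable used in the thread. The function name check_hash_links is hypothetical. It is useful when a base-system and a ports openssl coexist, since links made with one binary may not match the hashes the other computes.

```shell
#!/bin/sh
# Added example: verify that <hash>.<n> links in a certificate directory
# match the subject hash computed by the openssl binary in $OPENSSL.
# Usage (paths from the thread):
#   OPENSSL=/usr/bin/openssl; check_hash_links /etc/ssl

OPENSSL="${OPENSSL:-openssl}"

# check_hash_links DIR
# Prints one line per hash link: OK, STALE (link name differs from the hash
# this openssl computes) or BROKEN (target missing or not a certificate).
# Returns 0 only when every hash link is OK.
check_hash_links() {
    dir=$1
    rc=0
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        name=${link##*/}
        # Only certificate hash links: eight hex digits, a dot, a number.
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        if [ ! -e "$link" ]; then
            echo "BROKEN $name"
            rc=1
            continue
        fi
        # Note: openssl x509 reads only the first certificate in a file.
        want=$("$OPENSSL" x509 -hash -noout -in "$link" 2>/dev/null) || want=
        if [ -z "$want" ]; then
            echo "BROKEN $name"
            rc=1
        elif [ "${name%%.*}" = "$want" ]; then
            echo "OK $name"
        else
            echo "STALE $name (this openssl expects $want.N)"
            rc=1
        fi
    done
    return $rc
}
```

A STALE result means the directory should be rehashed with the openssl binary that the consuming tools are linked against.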