LinuxQuestions.org - Linux - Server
Unable to have SSL Cert generated (https://www.linuxquestions.org/questions/linux-server-73/unable-to-have-ssl-cert-generated-623019/)

satimis 02-22-2008 06:57 AM

Unable to have SSL Cert generated
 
Hi folks,


Archlinux x86_64 2007-08-2


On running
$ sudo openssl rsa -in server.key -out server.key
Code:

Error opening Private Key server.key
6879:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('server.key','r')
6879:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load Private Key

Please advise where I should check and how to fix this problem. Thanks


On running:
Code:

$ sudo openssl req -new -x509 -newkey rsa:1024 -days 365 -keyout server,key -out server.crt
/etc/ssl/certs/

What FQDN shall I use on "Common Name"?


On googling I found:
TIP Setup Your FQDN
http://gentoo-wiki.com/TIP_Setup_Your_FQDN


Do I need to do the same on Arch? TIA


B.R.
satimis

comprookie2000 02-23-2008 05:00 PM

What does this report:
hostname --fqdn

bathory 02-23-2008 05:06 PM

Quote:

$ sudo openssl rsa -in server.key -out server.key
The error means that openssl cannot find the server.key. Note also that the output file should have a different name.
Quote:

What FQDN shall I use on "Common Name"?
You should use the FQDN of the server where you're going to use the certificate. I.e. if it's a web server known as www.domain.com, you should use "www.domain.com" as the FQDN. If you're using a DNS server, there is no need to specify the FQDN in /etc/hosts.

Regards

satimis 02-23-2008 07:02 PM

Quote:

Originally Posted by bathory (Post 3067621)
The error means that openssl cannot find the server.key. Note also that the output file should have a different name.

Thanks for your advice.

I can't find the server.key file:

$ locate server.key
$ sudo find / -name server.key
Neither prints anything.

Where can I download the file? TIA


Quote:

You should use the FQDN of the server where you're going to use the certificate. I.e. if it's a web server known as www.domain.com, you should use "www.domain.com" as the FQDN. If you're using a DNS server, there is no need to specify the FQDN in /etc/hosts.
hostname is "arch.satimis.com"

In the browser both "satimis.com" and "www.satimis.com" work. Which of them should I put?


B.R.
satimis

billymayday 02-23-2008 07:35 PM

Have a look at something like http://www.xenocafe.com/tutorials/li...ates/index.php There are plenty of sites if you google for them.

satimis.com is not a fqdn, www.satimis.com is, so don't use the former. Which of the others to use will depend a bit on the use. If you are wanting to set up ssl for www.satimis.com, use that and you'll get fewer questions from browsers.

satimis 02-24-2008 04:48 AM

Quote:

Originally Posted by billymayday (Post 3067737)
Have a look at something like http://www.xenocafe.com/tutorials/li...ates/index.php There are plenty of sites if you google for them.

Thanks for your link.

I followed "SSL certs" in SOHO Postfix at:
http://wiki.archlinux.org/index.php/SOHO_Postfix

and encountered this problem of being unable to find the "server.key" file.

I'll go through your link and start again.


Quote:

satimis.com is not a fqdn, www.satimis.com is, so don't use the former. Which of the others to use will depend a bit on the use. If you are wanting to set up ssl for www.satimis.com, use that and you'll get fewer questions from browsers.
Noted with thanks


B.R.
satimis

satimis 02-24-2008 04:59 AM

Quote:

Originally Posted by comprookie2000 (Post 3067616)
What does this report:
hostname --fqdn

$ hostname --fqdn
Code:

localhost.localdomain

$ cat /etc/hosts
Code:

#
# /etc/hosts: static lookup table for host names
#

#<ip-address>  <hostname.domain.org>  <hostname>
127.0.0.1      localhost.localdomain  localhost      arch.satimis.com


$ hostname
Code:

arch.satimis.com
$ hostname -f
Code:

localhost.localdomain
Did I do something wrong here? TIA


$ cat /etc/rc.conf | grep -i hostname
Code:

HOSTNAME="arch.satimis.com"

B.R.
satimis

bathory 02-24-2008 07:52 AM

The server.key will be created after you run:
Code:

sudo openssl req -new -x509 -newkey rsa:1024 -days 365 -keyout server.key -out server.crt
For the FQDN you must use the name by which your server will be known to the public, else you're going to get security warnings: "Unable to verify the identity of server blah.domain.com as a trusted site..."
Then run the 2nd command to remove passphrase:
Code:

sudo openssl rsa -in server.key -out server-no-pass.key
Regards
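The two commands above, together with the advice earlier in the thread that the Common Name must be the server's FQDN and that the passphrase-free key must go to a differently named file, can be run and checked unattended. The script below is an added example, not code from the thread or from the Arch wiki page it cites. It assumes openssl(1) is on PATH and writes into a scratch directory; the passphrase is passed on the command line only so the steps run without prompts, and `-subj` replaces the interactive questions. It uses rsa:2048 rather than the thread's rsa:1024 because 1024-bit RSA is no longer considered adequate.

```shell
#!/bin/sh
# Added example, not from the thread: bathory's two commands run
# non-interactively, plus checks on what they produce.
# Assumptions: openssl(1) is on PATH and a scratch directory is writable.
# The passphrase is given on the command line purely so the steps run
# unattended; rsa:2048 replaces the thread's rsa:1024.

# make_selfsigned FQDN DIR PASSPHRASE
#   Step 1: openssl req creates a new RSA key encrypted with PASSPHRASE
#           and a self-signed certificate whose Common Name is FQDN.
#   Step 2: openssl rsa rewrites that key without the passphrase into a
#           different file (input and output names must differ).
make_selfsigned() {
    fqdn=$1; dir=$2; pass=$3
    mkdir -p "$dir" || return 1
    openssl req -new -x509 -newkey rsa:2048 -days 365 \
        -subj "/CN=$fqdn" -passout "pass:$pass" \
        -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl rsa -in "$dir/server.key" -passin "pass:$pass" \
        -out "$dir/server-no-pass.key" >/dev/null 2>&1 || return 1
    # The unencrypted key is what the daemon will read; keep it private.
    chmod 600 "$dir/server-no-pass.key"
}

# cert_cn CERTFILE: print the Common Name the certificate carries, so it
# can be compared with the FQDN clients will actually connect to.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# key_is_encrypted KEYFILE: true if the PEM file still carries a passphrase
# (covers both "ENCRYPTED PRIVATE KEY" and "Proc-Type: 4,ENCRYPTED" forms).
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# key_matches_cert KEYFILE CERTFILE: true if the key is the one the
# certificate was issued for (same RSA modulus on both sides).
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-alone run against a scratch directory (constructed values).
workdir=$(mktemp -d)
if make_selfsigned arch.satimis.com "$workdir" example-passphrase; then
    echo "CN in server.crt: $(cert_cn "$workdir/server.crt")"
    key_is_encrypted "$workdir/server.key" && echo "server.key: passphrase-protected"
    key_is_encrypted "$workdir/server-no-pass.key" || echo "server-no-pass.key: no passphrase"
fi
rm -rf "$workdir"
```

The `cert_cn` check is the one worth keeping around: if the CN printed here is not the name in the browser's address bar, the warning bathory describes will appear regardless of how the key was made.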

satimis 02-24-2008 09:46 AM

Quote:

Originally Posted by bathory (Post 3068117)
The server.key will be created after you run:
Code:

sudo openssl req -new -x509 -newkey rsa:1024 -days 365 -keyout server.key -out server.crt
For the FQDN you must use the name by which your server will be known to the public, else you're going to get security warnings: "Unable to verify the identity of server blah.domain.com as a trusted site..."

Thanks for your advice.


Edit /etc/hosts

change;
Code:

127.0.0.1      localhost.localdomain  localhost      arch.satimis.com
as;
Code:

127.0.0.1      arch.satimis.com        arch

$ hostname
arch.satimis.com

$ hostname -f
arch.satimis.com

$ hostname --fqdn
arch.satimis.com


All outputs are the same now. Would there be any problem omitting "localhost.localdomain" and "localhost" from /etc/hosts?


Quote:

Then run the 2nd command to remove passphrase:
Code:

sudo openssl rsa -in server.key -out server-no-pass.key

Could you please explain "server-no-pass.key"? Should I run the 2nd command exactly as above? TIA


B.R.
satimis

bathory 02-25-2008 02:02 AM

Quote:

127.0.0.1 arch.satimis.com arch
What you've done with the above is to give 127.0.0.1 (by default known as localhost) the name arch.satimis.com. This is not a good idea. Mind that /etc/hosts is only used by your box. A client that is not on your box, when it asks for your host, will use either its /etc/hosts or a DNS server, so your FQDN must resolve to an IP address xx.xx.xx.xx other than 127.0.0.1. I suggest you use something like the following for your box:
Code:

127.0.0.1      localhost
xx.xx.xx.xx    arch.satimis.com

and make sure that your box's IP resolves to the FQDN you're going to use, so your clients will not get any warnings about hostname mismatches.
Quote:

Then run the 2nd command to remove passphrase:
Code:

sudo openssl rsa -in server.key -out server-no-pass.key

Could you please explain "server-no-pass.key"? Should I run the 2nd command exactly as above? TIA

The above command uses the file server.key as input and gives the file server-no-pass.key as output (i.e. the same key but with the passphrase removed). You can then rename the file server-no-pass.key to whatever you want.
Read the openssl howto for more details, and especially the paragraph that explains how to create a self-signed certificate.

Regards
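The /etc/hosts point above (loopback stays localhost, the FQDN goes on the address other machines can reach) can be checked mechanically. The script below is an added example, not from the thread: it reads an /etc/hosts-style file, reports which address a name maps to, and flags an FQDN bound to loopback or a missing localhost entry. The two sample files it writes are constructed from the layouts posted in this thread; 192.168.0.52 is the address satimis later used and stands in for bathory's xx.xx.xx.xx.

```shell
#!/bin/sh
# Added example, not from the thread: a small lint for the /etc/hosts
# layout bathory describes. Sample files are constructed from the two
# layouts posted in the thread.

# hosts_lookup FILE NAME: print every address FILE assigns to NAME,
# ignoring comments and blank lines (the /etc/hosts format).
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }          # drop comments, full-line or trailing
        NF < 2 { next }             # no address/name pair on this line
        { for (i = 2; i <= NF; i++) if ($i == name) print $1 }
    ' "$1"
}

# hosts_check FILE FQDN: return 0 if the layout is sound; otherwise print
# each problem found and return 1.
hosts_check() {
    file=$1; fqdn=$2; rc=0
    addr=$(hosts_lookup "$file" "$fqdn")
    case "$addr" in
        "")        echo "$fqdn: not listed in $file"; rc=1 ;;
        127.*|::1) echo "$fqdn: bound to loopback ($addr); other hosts cannot reach it there"; rc=1 ;;
    esac
    lh=$(hosts_lookup "$file" localhost)
    case "$lh" in
        127.0.0.1*) ;;
        *) echo "localhost: should map to 127.0.0.1 (found '${lh:-nothing}')"; rc=1 ;;
    esac
    return $rc
}

# make_sample_hosts DIR: write the "before" layout from the thread (FQDN on
# 127.0.0.1, localhost gone) and the layout bathory suggested.
make_sample_hosts() {
    mkdir -p "$1" || return 1
    cat > "$1/hosts.bad" <<'EOF'
# constructed: FQDN attached to the loopback address
127.0.0.1      arch.satimis.com        arch
EOF
    cat > "$1/hosts.good" <<'EOF'
# constructed: loopback stays localhost, FQDN on the box's real address
127.0.0.1      localhost
192.168.0.52   arch.satimis.com        arch
EOF
}

# Stand-alone run over the two constructed files.
samples=$(mktemp -d)
make_sample_hosts "$samples"
for f in "$samples/hosts.bad" "$samples/hosts.good"; do
    echo "== $f"
    if hosts_check "$f" arch.satimis.com; then echo "ok"; fi
done
rm -rf "$samples"
```

Run it against the real file with `hosts_check /etc/hosts "$(hostname)"`; a clean result here still says nothing about what other machines resolve, which is the DNS side of bathory's remark.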

satimis 02-25-2008 07:57 AM

Quote:

Originally Posted by bathory (Post 3068829)
What you've done with the above is to give 127.0.0.1 (by default known as localhost) the name arch.satimis.com. This is not a good idea. Mind that /etc/hosts is only used by your box. A client that is not on your box, when it asks for your host, will use either its /etc/hosts or a DNS server, so your FQDN must resolve to an IP address xx.xx.xx.xx other than 127.0.0.1. I suggest you use something like the following for your box:
Code:

127.0.0.1      localhost
xx.xx.xx.xx    arch.satimis.com

and make sure that your box's IP resolves to the FQDN you're going to use, so your clients will not get any warnings about hostname mismatches.
The above command uses the file server.key as input and gives the file server-no-pass.key as output (i.e. the same key but with the passphrase removed). You can then rename the file server-no-pass.key to whatever you want.
Read the openssl howto for more details, and especially the paragraph that explains how to create a self-signed certificate.

Performed the following steps:

Edit /etc/hosts

Made the change as follows:
Code:

127.0.0.1      localhost
192.168.0.52    arch.satimis.com

192.168.0.52 is the router IP of Arch


$ hostname --fqdn
arch.satimis.com

$ hostname
arch.satimis.com

$ hostname -f
arch.satimis.com

All have the same output. Thanks


Redo "SSL certs"
http://wiki.archlinux.org/index.php/SOHO_Postfix


$ cd /etc/ssl/certs/
$ sudo openssl req -new -x509 -newkey rsa:1024 -days 365 -keyout server.key -out server.crt
Code:


Password:
Generating a 1024 bit RSA private key
...++++++
.++++++
writing new private key to 'server.key'
Enter PEM pass phrase:
...
....
Common Name (eg, YOUR name) []:arch.satimis.com
Email Address []:sms@satimis.com
satimis@arch /etc/ssl/certs/ $


$ sudo openssl rsa -in server.key -out server-no-pass.key
Code:

Enter pass phrase for server.key:
writing RSA key


Continued;

$ sudo chown nobody:nobody server.key
$ sudo chmod 600 server.key
$ sudo mv server.key /etc/ssl/private/
All w/o complaint.

That completes this section.


Lots of thanks for your kind help.


B.R.
satimis

bathory 02-25-2008 08:35 AM

Glad to see you've made it.

Regards

