LinuxQuestions.org
Old 02-03-2006, 10:01 PM   #16
scrupul0us
Member
 
Registered: Jan 2006
Location: Albany, NY
Distribution: CentOS 6.3
Posts: 159

Original Poster
Rep: Reputation: 30

yea I'm at a complete loss myself

::sighs::

I know the cert is there, I know it can read the file from the dir, I know the cert isn't empty

wtf is going wrong here... I don't have to set anything special in the httpd.conf, do I? the mod_ssl is already set up within by default when I installed...

something about that not enough data error.. idk man this is weird

Last edited by scrupul0us; 02-03-2006 at 10:12 PM.
 
Old 02-03-2006, 10:15 PM   #17
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
Installing the mod_ssl package should have done it. In your httpd.conf, there's probably something like:

Code:
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>
And in ssl.conf, there should be:

Code:
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<IfDefine SSL>
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:/var/log/httpd/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
<VirtualHost _default_:443>
# Various host specific stuff including, for example:
<Directory "/var/www/html">
  SSLRequireSSL
  Options FollowSymLinks
  AllowOverride None
  Order allow,deny
  Allow from all
</Directory>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
</VirtualHost>                                  
</IfDefine>
 
Old 02-03-2006, 10:52 PM   #18
scrupul0us
here's my mod_ssl.conf

Code:
LoadModule ssl_module libexec/apache/libssl.so

<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
</IfDefine>

<IfModule mod_ssl.c>
SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:/var/log/apache/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:/var/log/apache/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog      /var/log/apache/ssl_engine_log
SSLLogLevel info

</IfModule>

<IfDefine SSL>
<VirtualHost _default_:443>
#General setup for the virtual host
DocumentRoot "/var/www/htdocs"
ServerName www.ironchefbadass.com
ServerAdmin scrupul0us@nycap.rr.com
ErrorLog /var/log/apache/error_log
TransferLog /var/log/apache/access_log

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache/ssl.key/server.key

<Files ~ "\.(cgi|shtml|phtml|html|php?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
<Directory "/var/www/htdocs">
    SSLRequireSSL
    Options Followsymlinks
    Allowoverride None
    Order Aloow,Deny
    Allow from all
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog /var/log/apache/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

</IfDefine>
as for httpd.conf

Code:
Include /etc/apache/mod_ssl.conf

Last edited by scrupul0us; 02-03-2006 at 10:54 PM.
 
Old 02-04-2006, 01:07 AM   #19
gilead
If I change my cert (overwrite some characters) and stop/start the server my https breaks in a similar way to yours.

Code:
[Sat Feb 04 16:39:43 2006] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Sat Feb 04 16:39:43 2006] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
Although it's not the same error, it makes me wonder if openssl (or the args to it) caused something incompatible to happen. What do you get if you type:

Code:
# openssl verify /etc/apache/ssl.crt/server.crt
It should show you the info you typed in when you created the cert. The only error I get is:

Code:
error 18 at 0 depth lookup:self signed certificate
 
Old 02-04-2006, 11:23 AM   #20
scrupul0us
Code:
root@server:~# openssl verify /etc/apache/ssl.crt/server.crt
unable to load certificate
3341:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: TRUSTED CERTIFICATE
 
Old 02-04-2006, 02:33 PM   #21
gilead
OK, so it's still the cert. Do you mind copy pasting the commands you used to create the key & cert? I'll try them here and see what happens.
 
Old 02-04-2006, 10:26 PM   #22
scrupul0us
I did as you posted

Code:
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -x509 -days 365 -out server.crt
 
Old 02-05-2006, 12:12 AM   #23
gilead
I didn't expect the command not to work, just trying to figure out what could have gone wrong with it. When I run the `openssl verify` command on an ordinary file, I get the same error that you do:

Code:
$ openssl verify ./.mozilla/firefox/7whyx1s4.default/bookmarks.html
unable to load certificate
6419:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: TRUSTED CERTIFICATE
It seems that something went wrong on the cert generation and although you must be getting sick of this - can you regenerate the key/cert, verify it, stop apache, deploy the key/cert and start apache (don't just restart apache)?
 
Old 02-05-2006, 10:50 AM   #24
scrupul0us
how do I deploy the key/cert?
 
Old 02-05-2006, 01:12 PM   #25
gilead
A straight copy is fine as long as they end up with permissions so that the web server can access them - I'm assuming it was created on the same Linux box that it will be used on.

The problems with creating the cert that I saw on Google seemed to be grouped into 2 areas. The first was format, i.e. DOS line endings because it spent time on a Windows box and was ftp'ed in the wrong mode. The second was content - errors during creation due to lack of entropy or permission, both of which would cause errors you'd see.

Since you've already gone through pretty much the same steps I have, this is just a double check.
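
Added example, not part of gilead's post or the thread: a pre-deployment check for the two failure classes described above (format and content), plus a key-permission check and a certificate/key match. The function names are hypothetical; it assumes an RSA key and that Apache reads the key as root at startup, so owner-only permissions are enough.

```sh
#!/bin/sh
# Added example (not from the thread): checks to run on a PEM cert/key pair
# before copying it into Apache's ssl.crt/ and ssl.key/ directories.

# Fail with a reason if FILE cannot be a usable PEM certificate.
check_pem_cert() {
    f=$1
    [ -s "$f" ] || { echo "missing or empty: $f"; return 1; }
    # openssl's "no start line" error means this marker was not found.
    grep -q -e '-----BEGIN \(TRUSTED \)\{0,1\}CERTIFICATE-----' "$f" ||
        { echo "no PEM start line: $f"; return 1; }
    grep -q -e '-----END \(TRUSTED \)\{0,1\}CERTIFICATE-----' "$f" ||
        { echo "no PEM end line, file may be truncated: $f"; return 1; }
    # DOS line endings (e.g. after an FTP transfer in the wrong mode).
    cr=$(printf '\r')
    if grep -q "${cr}\$" "$f"; then
        echo "CRLF line endings: $f"; return 1
    fi
    return 0
}

# Succeed only if group and other have no access to the private key.
# Assumption: the server reads the key as root before dropping privileges.
key_is_private() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------|-----T) return 0 ;;
        *) echo "key readable beyond owner: $1"; return 1 ;;
    esac
}

# Succeed only if the certificate and RSA key share the same modulus.
# Prompts for the passphrase if the key is encrypted.
pair_matches() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 2
    k=$(openssl rsa -noout -modulus -in "$2") || return 2
    [ "$c" = "$k" ] || { echo "certificate and key do not match"; return 1; }
}

# Run all checks when called as: script CERT KEY
if [ $# -eq 2 ]; then
    check_pem_cert "$1" && key_is_private "$2" && pair_matches "$1" "$2" &&
        echo "OK to deploy"
fi
```

`check_pem_cert` only inspects the PEM framing, so `openssl verify` is still the next step once it passes.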
 
Old 02-05-2006, 10:43 PM   #26
scrupul0us
well it is being created on the box it is being used on... and I'm using the root account to create them... the permissions on the cert are:

Code:
root@server:/etc/apache/ssl.crt# ls -al
total 452
drwxr-xr-t  2 scrupul0us root   4096 2006-02-03 22:51 ./
drwxr-xr-x  8 root       root   4096 2006-02-04 00:05 ../
-rw-r--r-T  1 scrupul0us root   1522 2001-10-16 08:05 Makefile.crt
-rw-r--r-T  1 scrupul0us root   1386 2001-10-16 08:05 README.CRT
-rw-r--r-T  1 scrupul0us root 418567 2005-07-06 04:32 ca-bundle.crt
-rw-r--r-T  1 scrupul0us root     68 2001-10-16 08:05 server.crt
-rw-------  1 root       root      0 2006-02-03 22:51 session_mm_apache0.sem
-rw-r--r-T  1 scrupul0us root   1472 2001-10-16 08:05 snakeoil-ca-dsa.crt
-rw-r--r-T  1 scrupul0us root   1192 2001-10-16 08:05 snakeoil-ca-rsa.crt
-rw-r--r-T  1 scrupul0us root   1452 2001-10-16 08:05 snakeoil-dsa.crt
-rw-r--r-T  1 scrupul0us root   1176 2001-10-16 08:05 snakeoil-rsa.crt
 
Old 02-05-2006, 10:54 PM   #27
gilead
68 bytes is too small for server.crt - mine is 1387 bytes, similar to the snakeoil*crt files. Am I looking at the wrong file?
 
Old 02-06-2006, 06:49 PM   #28
scrupul0us
ok... well the dir I created the key and crt in wasn't the one they were supposed to be in... so I moved the crt to the crt dir and the key to the key dir

Code:
root@server:/etc/apache/ssl.crt# ls -al
total 452
drwxr-xr-t  2 scrupul0us root   4096 2006-02-06 19:58 ./
drwxr-xr-x  8 root       root   4096 2006-02-04 00:05 ../
-rw-r--r-T  1 scrupul0us root   1522 2001-10-16 08:05 Makefile.crt
-rw-r--r-T  1 scrupul0us root   1386 2001-10-16 08:05 README.CRT
-rw-r--r-T  1 scrupul0us root 418567 2005-07-06 04:32 ca-bundle.crt
-rw-r--r-T  1 scrupul0us root   1359 2006-02-06 19:53 server.crt
-rw-------  1 root       root      0 2006-02-06 19:58 session_mm_apache0.sem
-rw-r--r-T  1 scrupul0us root   1472 2001-10-16 08:05 snakeoil-ca-dsa.crt
-rw-r--r-T  1 scrupul0us root   1192 2001-10-16 08:05 snakeoil-ca-rsa.crt
-rw-r--r-T  1 scrupul0us root   1452 2001-10-16 08:05 snakeoil-dsa.crt
-rw-r--r-T  1 scrupul0us root   1176 2001-10-16 08:05 snakeoil-rsa.crt
Code:
root@server:/etc/apache/ssl.key# ls -al
total 32
drwxr-xr-t  2 scrupul0us root 4096 2006-01-02 08:31 ./
drwxr-xr-x  8 root       root 4096 2006-02-04 00:05 ../
-rw-r--r-T  1 scrupul0us root 1207 2001-10-16 08:05 README.KEY
-rw-r--r-T  1 scrupul0us root  963 2006-02-06 19:57 server.key
-rw-r--r-T  1 scrupul0us root  668 2001-10-16 08:05 snakeoil-ca-dsa.key
-rw-r--r-T  1 scrupul0us root  887 2001-10-16 08:05 snakeoil-ca-rsa.key
-rw-r--r-T  1 scrupul0us root  668 2001-10-16 08:05 snakeoil-dsa.key
-rw-r--r-T  1 scrupul0us root  891 2001-10-16 08:05 snakeoil-rsa.key
did a hard stop and start of apache and still no luck
 
Old 02-06-2006, 06:51 PM   #29
scrupul0us
wait.. got it!!!

had to do apachectl startssl.. and fix one error

now... how to start with ssl by default and not ask for a passphrase
 
Old 02-06-2006, 07:05 PM   #30
scrupul0us
ok.. I tried to remove the passphrase using:

Code:
openssl rsa -in server.key -out server.pem
but when I restart apache with ssl it still asks... I made sure to run this on the key in the .key and .csr dirs
 
  


All times are GMT -5.