Slackware This Forum is for the discussion of Slackware Linux.
02-03-2006, 11:01 PM | #16 | Member (Original Poster) | Registered: Jan 2006 | Location: Albany, NY | Distribution: CentOS 6.3 | Posts: 159
Yeah, I'm at a complete loss myself.
::sighs::
I know the cert is there, I know it can read the file from the dir, I know the cert isn't empty.
wtf is going wrong here... I don't have to set anything special in the httpd.conf, do I? mod_ssl is already set up by default from when I installed...
Something about that "not enough data" error... idk man, this is weird.
Last edited by scrupul0us; 02-03-2006 at 11:12 PM.
02-03-2006, 11:15 PM | #17 | Senior Member | Registered: Dec 2005 | Location: Brisbane, Australia | Distribution: Slackware64 14.0 | Posts: 4,141
Installing the mod_ssl package should have done it. In your httpd.conf, there's probably something like:
Code:
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>
And in ssl.conf, there should be:
Code:
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<IfDefine SSL>
    Listen 443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/var/log/httpd/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/usr/local/apache2/logs/ssl_mutex
    <VirtualHost _default_:443>
        # Various host specific stuff including, for example:
        <Directory "/var/www/html">
            SSLRequireSSL
            Options FollowSymLinks
            AllowOverride None
            Order allow,deny
            Allow from all
        </Directory>
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
    </VirtualHost>
</IfDefine>
02-03-2006, 11:52 PM | #18 | Member (Original Poster) | Registered: Jan 2006 | Location: Albany, NY | Distribution: CentOS 6.3 | Posts: 159
Here's my mod_ssl.conf:
Code:
LoadModule ssl_module libexec/apache/libssl.so
<IfDefine SSL>
    Listen 80
    Listen 443
</IfDefine>
<IfDefine SSL>
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
</IfDefine>
<IfModule mod_ssl.c>
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/var/log/apache/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/var/log/apache/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLLog /var/log/apache/ssl_engine_log
    SSLLogLevel info
</IfModule>
<IfDefine SSL>
<VirtualHost _default_:443>
    # General setup for the virtual host
    DocumentRoot "/var/www/htdocs"
    ServerName www.ironchefbadass.com
    ServerAdmin scrupul0us@nycap.rr.com
    ErrorLog /var/log/apache/error_log
    TransferLog /var/log/apache/access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache/ssl.key/server.key
    <Files ~ "\.(cgi|shtml|phtml|html|php?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    <Directory "/var/www/htdocs">
        SSLRequireSSL
        Options FollowSymLinks
        AllowOverride None
        Order Allow,Deny    # corrected from the typo "Aloow", which httpd rejects
        Allow from all
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/apache/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
As for httpd.conf:
Code:
Include /etc/apache/mod_ssl.conf
Last edited by scrupul0us; 02-03-2006 at 11:54 PM.
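Both the ssl.conf excerpt in post #17 and the mod_ssl.conf above carry the same SSLCipherSuite string. It excludes only anonymous DH and 56-bit export suites; the `+LOW:+SSLv2:+EXP:+eNULL` tokens merely reorder suites that are already enabled (a leading `+` excludes nothing), so LOW and export-grade suites stay on, and neither file pins the protocol version with SSLProtocol. The following is an added example, not code from the thread or from the Apache project: a POSIX shell audit that reads a config, reports cipher families that are not excluded with a `!` token, and checks whether SSLProtocol disables SSLv2/SSLv3. The two sample configs and the hardened SSLProtocol/SSLCipherSuite values are constructed for this demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apache: audit an Apache
# mod_ssl config for cipher families that are not explicitly excluded and
# for a missing or permissive SSLProtocol. Both sample configs are
# constructed for this demo (the weak one reuses the thread's cipher line).

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample 1: the SSLCipherSuite line from the thread, no SSLProtocol.
cat > "$WORKDIR/weak.conf" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
EOF

# Constructed sample 2: a hardened equivalent (assumed values, not from the thread).
cat > "$WORKDIR/hardened.conf" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4
</VirtualHost>
EOF

# Value of the first occurrence of a directive (names are case-insensitive
# in Apache), or empty when the directive is absent.
directive_value() {
    awk -v name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        'tolower($1) == name { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# Families a hardened cipher string should exclude with a "!" token.
# "+FAMILY" only moves suites that are already enabled to the end of the
# list (it excludes nothing), and "!EXPORT56" covers only 56-bit export
# suites, so "+LOW:+EXP" leaves LOW and export-grade suites enabled.
WEAK_FAMILIES="eNULL EXP LOW RC4 MD5"

# 0 if the SSLProtocol value disables SSLv2/SSLv3 (or names TLS versions
# only), 1 otherwise.
protocol_ok() {
    p=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$p" in
        *+sslv2*|*+sslv3*) return 1 ;;   # legacy protocol explicitly enabled
        *-sslv3*)          return 0 ;;   # "all -SSLv2 -SSLv3" style
        *all*|*sslv*)      return 1 ;;   # "all" alone or a bare SSLv3
        *tlsv1*)           return 0 ;;   # "TLSv1.2 TLSv1.3" style
        *)                 return 1 ;;
    esac
}

# One finding per line for the given config file; prints nothing if clean.
audit_tls_config() {
    cs=$(directive_value SSLCipherSuite "$1")
    for fam in $WEAK_FAMILIES; do
        case ":$cs:" in
            *":!$fam:"*) ;;   # explicitly excluded
            *) echo "cipher family $fam is not excluded (!$fam) in: $cs" ;;
        esac
    done
    proto=$(directive_value SSLProtocol "$1")
    if [ -z "$proto" ]; then
        echo "SSLProtocol not set: SSLv2/SSLv3 are not explicitly disabled"
    elif ! protocol_ok "$proto"; then
        echo "SSLProtocol permits legacy protocols: $proto"
    fi
}

# Number of findings; 0 means the file passed every check.
finding_count() {
    audit_tls_config "$1" | awk 'END { print NR }'
}

for f in weak hardened; do
    echo "== $f.conf: $(finding_count "$WORKDIR/$f.conf") finding(s)"
    audit_tls_config "$WORKDIR/$f.conf"
done
```

Run it against a real config with `audit_tls_config /etc/apache/mod_ssl.conf`; the thread's cipher line yields five cipher findings plus the missing SSLProtocol, the hardened sample yields none. The audit deliberately demands explicit `!` exclusions rather than reasoning about what `ALL` implies, because an explicit exclusion survives a later edit that prepends a permissive token.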
02-04-2006, 02:07 AM | #19 | Senior Member | Registered: Dec 2005 | Location: Brisbane, Australia | Distribution: Slackware64 14.0 | Posts: 4,141
If I change my cert (overwrite some characters) and stop/start the server, my https breaks in a similar way to yours.
Code:
[Sat Feb 04 16:39:43 2006] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Sat Feb 04 16:39:43 2006] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
Although it's not the same error, it makes me wonder if openssl (or the args to it) caused something incompatible to happen. What do you get if you type:
Code:
# openssl verify /etc/apache/ssl.crt/server.crt
It should show you the info you typed in when you created the cert. The only error I get is:
Code:
error 18 at 0 depth lookup:self signed certificate
02-04-2006, 12:23 PM | #20 | Member (Original Poster) | Registered: Jan 2006 | Location: Albany, NY | Distribution: CentOS 6.3 | Posts: 159
Code:
root@server:~# openssl verify /etc/apache/ssl.crt/server.crt
unable to load certificate
3341:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: TRUSTED CERTIFICATE
02-04-2006, 03:33 PM | #21 | Senior Member | Registered: Dec 2005 | Location: Brisbane, Australia | Distribution: Slackware64 14.0 | Posts: 4,141
OK, so it's still the cert. Do you mind copy-pasting the commands you used to create the key & cert? I'll try them here and see what happens.
02-04-2006, 11:26 PM | #22 | Member (Original Poster) | Registered: Jan 2006 | Location: Albany, NY | Distribution: CentOS 6.3 | Posts: 159
I did as you posted:
Code:
openssl genrsa -des3 -out server.key 1024                           # -des3: the key is passphrase-encrypted, so Apache prompts at startup
openssl req -new -key server.key -x509 -days 365 -out server.crt    # self-signed certificate made from that key
02-05-2006, 01:12 AM | #23 | Senior Member | Registered: Dec 2005 | Location: Brisbane, Australia | Distribution: Slackware64 14.0 | Posts: 4,141
I didn't expect the command not to work, just trying to figure out what could have gone wrong with it. When I run the `openssl verify` command on an ordinary file, I get the same error that you do:
Code:
$ openssl verify ./.mozilla/firefox/7whyx1s4.default/bookmarks.html
unable to load certificate
6419:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: TRUSTED CERTIFICATE
It seems that something went wrong in the cert generation, and although you must be getting sick of this, can you regenerate the key/cert, verify it, stop apache, deploy the key/cert and start apache (don't just restart apache)?
02-05-2006, 11:50 AM | #24 | Member (Original Poster) | Registered: Jan 2006 | Location: Albany, NY | Distribution: CentOS 6.3 | Posts: 159
How do I deploy the key/cert?
02-05-2006, 02:12 PM | #25 | Senior Member | Registered: Dec 2005 | Location: Brisbane, Australia | Distribution: Slackware64 14.0 | Posts: 4,141
A straight copy is fine as long as they end up with permissions so that the web server can access them. I'm assuming it was created on the same Linux box that it will be used on.
The problems with creating the cert that I saw on Google seemed to be grouped into two areas. The first was format, i.e. DOS line endings because it spent time on a Windows box and was FTP'ed in the wrong mode. The second was content: errors during creation due to lack of entropy or permission, both of which would cause errors you'd see.
Since you've already gone through pretty much the same steps I have, this is just a double check.
02-05-2006, 11:43 PM | #26 | Member (Original Poster) | Registered: Jan 2006 | Location: Albany, NY | Distribution: CentOS 6.3 | Posts: 159
Well, it is being created on the box it is being used on... and I'm using the root account to create them... the permissions on the cert are:
Code:
root@server:/etc/apache/ssl.crt# ls -al
total 452
drwxr-xr-t 2 scrupul0us root 4096 2006-02-03 22:51 ./
drwxr-xr-x 8 root root 4096 2006-02-04 00:05 ../
-rw-r--r-T 1 scrupul0us root 1522 2001-10-16 08:05 Makefile.crt
-rw-r--r-T 1 scrupul0us root 1386 2001-10-16 08:05 README.CRT
-rw-r--r-T 1 scrupul0us root 418567 2005-07-06 04:32 ca-bundle.crt
-rw-r--r-T 1 scrupul0us root 68 2001-10-16 08:05 server.crt
-rw------- 1 root root 0 2006-02-03 22:51 session_mm_apache0.sem
-rw-r--r-T 1 scrupul0us root 1472 2001-10-16 08:05 snakeoil-ca-dsa.crt
-rw-r--r-T 1 scrupul0us root 1192 2001-10-16 08:05 snakeoil-ca-rsa.crt
-rw-r--r-T 1 scrupul0us root 1452 2001-10-16 08:05 snakeoil-dsa.crt
-rw-r--r-T 1 scrupul0us root 1176 2001-10-16 08:05 snakeoil-rsa.crt
02-05-2006, 11:54 PM | #27 | Senior Member | Registered: Dec 2005 | Location: Brisbane, Australia | Distribution: Slackware64 14.0 | Posts: 4,141
68 bytes is too small for server.crt - mine is 1387 bytes, similar to the snakeoil*crt files. Am I looking at the wrong file?
02-06-2006, 07:49 PM | #28 | Member (Original Poster) | Registered: Jan 2006 | Location: Albany, NY | Distribution: CentOS 6.3 | Posts: 159
OK... well, the dir I created the key and crt in wasn't the one they were supposed to be in... so I moved the crt to the crt dir and the key to the key dir.
Code:
root@server:/etc/apache/ssl.crt# ls -al
total 452
drwxr-xr-t 2 scrupul0us root 4096 2006-02-06 19:58 ./
drwxr-xr-x 8 root root 4096 2006-02-04 00:05 ../
-rw-r--r-T 1 scrupul0us root 1522 2001-10-16 08:05 Makefile.crt
-rw-r--r-T 1 scrupul0us root 1386 2001-10-16 08:05 README.CRT
-rw-r--r-T 1 scrupul0us root 418567 2005-07-06 04:32 ca-bundle.crt
-rw-r--r-T 1 scrupul0us root 1359 2006-02-06 19:53 server.crt
-rw------- 1 root root 0 2006-02-06 19:58 session_mm_apache0.sem
-rw-r--r-T 1 scrupul0us root 1472 2001-10-16 08:05 snakeoil-ca-dsa.crt
-rw-r--r-T 1 scrupul0us root 1192 2001-10-16 08:05 snakeoil-ca-rsa.crt
-rw-r--r-T 1 scrupul0us root 1452 2001-10-16 08:05 snakeoil-dsa.crt
-rw-r--r-T 1 scrupul0us root 1176 2001-10-16 08:05 snakeoil-rsa.crt
Code:
root@server:/etc/apache/ssl.key# ls -al
total 32
drwxr-xr-t 2 scrupul0us root 4096 2006-01-02 08:31 ./
drwxr-xr-x 8 root root 4096 2006-02-04 00:05 ../
-rw-r--r-T 1 scrupul0us root 1207 2001-10-16 08:05 README.KEY
-rw-r--r-T 1 scrupul0us root 963 2006-02-06 19:57 server.key
-rw-r--r-T 1 scrupul0us root 668 2001-10-16 08:05 snakeoil-ca-dsa.key
-rw-r--r-T 1 scrupul0us root 887 2001-10-16 08:05 snakeoil-ca-rsa.key
-rw-r--r-T 1 scrupul0us root 668 2001-10-16 08:05 snakeoil-dsa.key
-rw-r--r-T 1 scrupul0us root 891 2001-10-16 08:05 snakeoil-rsa.key
Did a hard stop and start of apache and still no luck.
02-06-2006, 07:51 PM | #29 | Member (Original Poster) | Registered: Jan 2006 | Location: Albany, NY | Distribution: CentOS 6.3 | Posts: 159
Wait... got it!!!
Had to do apachectl startssl... and fix one error.
Now... how to start with ssl by default and not ask for a passphrase?
02-06-2006, 08:05 PM | #30 | Member (Original Poster) | Registered: Jan 2006 | Location: Albany, NY | Distribution: CentOS 6.3 | Posts: 159
OK... I tried to remove the passphrase using:
Code:
openssl rsa -in server.key -out server.pem
But when I restart apache with ssl it still asks... I made sure to run this on the key in the .key and .csr dirs.
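Every failure in this thread would have been caught before touching Apache: a 68-byte file sitting where server.crt should be (post #27), a file with no PEM BEGIN line, which is exactly what "no start line" in `openssl verify` means (posts #19 and #20), DOS line endings from a Windows detour (post #25), a key generated with `-des3` that still carries a passphrase (posts #22 and #29), and a private key left world-readable, as the `-rw-r--r-T` listing in post #28 shows for server.key. The script below is an added example, not code from the thread: a POSIX shell pre-deployment check for a certificate/key pair. The sample files are constructed placeholders with filler bodies (not real certificates or keys), the 500-byte size floor (`MIN_CERT_BYTES`) is an assumed sanity limit, and the key/cert match check runs only when `openssl` is available, on a throwaway pair generated on the spot. Note that the passphrase check looks at the key file itself, so it reports the same thing Apache sees at startup no matter which filename the decrypted copy was written to.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-deployment checks for an
# Apache PEM certificate/key pair, covering what the thread ran into: a
# wrong (tiny) file where server.crt should be, no PEM BEGIN line ("no
# start line"), DOS line endings, a key still protected by a passphrase,
# and a world-readable private key. The sample files are constructed
# placeholders (filler bodies), not real certificates or keys.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
MIN_CERT_BYTES=500   # assumed sanity floor; a real PEM certificate is over 1 KB

# Twenty lines of filler standing in for a base64 body (constructed, not parseable).
filler() {
    awk 'BEGIN { for (i = 0; i < 20; i++) print "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eg==" }'
}
{ echo '-----BEGIN CERTIFICATE-----'; filler; echo '-----END CERTIFICATE-----'; } > "$WORKDIR/good.crt"
awk '{ printf "%s\r\n", $0 }' "$WORKDIR/good.crt" > "$WORKDIR/crlf.crt"   # DOS line endings
echo 'This is a README, not a certificate, copied into ssl.crt by mistake' > "$WORKDIR/tiny.crt"
{ echo '-----BEGIN RSA PRIVATE KEY-----'; echo 'Proc-Type: 4,ENCRYPTED'
  echo 'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF'; echo; filler
  echo '-----END RSA PRIVATE KEY-----'; } > "$WORKDIR/enc.key"
chmod 644 "$WORKDIR/enc.key"     # world-readable, like the server.key listing in the thread
{ echo '-----BEGIN RSA PRIVATE KEY-----'; filler; echo '-----END RSA PRIVATE KEY-----'; } > "$WORKDIR/plain.key"
chmod 600 "$WORKDIR/plain.key"

# PEM block type from the first BEGIN line ("CERTIFICATE", "RSA PRIVATE KEY",
# ...), or empty when there is none, which is what "no start line" means.
pem_type()   { sed -n 's/^-----BEGIN \(.*\)-----.*$/\1/p' "$1" | head -n 1; }
file_size()  { wc -c < "$1" | tr -d ' '; }
has_crlf()   { awk '/\r/ { found = 1 } END { exit found ? 0 : 1 }' "$1"; }
# Traditional PEM keys carry a Proc-Type header when encrypted; PKCS#8 keys
# use a distinct block name.
key_is_encrypted() {
    grep -q 'Proc-Type: 4,ENCRYPTED' "$1" || grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}
# True when neither group nor other has a read bit (ls mode string, chars 5 and 8).
owner_only() {
    case "$(ls -ld "$1" | cut -c1-10)" in ????-??-??) return 0 ;; *) return 1 ;; esac
}

check_cert() {
    t=$(pem_type "$1")
    [ "$t" = "CERTIFICATE" ] || echo "$1: expected BEGIN CERTIFICATE, found '${t:-none}'"
    [ "$(file_size "$1")" -ge "$MIN_CERT_BYTES" ] || echo "$1: only $(file_size "$1") bytes, too small for an X.509 cert"
    if has_crlf "$1"; then echo "$1: CRLF line endings, convert to LF before deploying"; fi
}

check_key() {
    t=$(pem_type "$1")
    case "$t" in *"PRIVATE KEY") ;; *) echo "$1: expected a PRIVATE KEY block, found '${t:-none}'" ;; esac
    if key_is_encrypted "$1"; then echo "$1: key is passphrase-protected, Apache will prompt at startup (SSLPassPhraseDialog builtin)"; fi
    if ! owner_only "$1"; then echo "$1: readable by group/other ($(ls -ld "$1" | cut -c1-10)), use chmod 600"; fi
    if has_crlf "$1"; then echo "$1: CRLF line endings, convert to LF before deploying"; fi
}

# Number of findings from check_cert/check_key; 0 means the file passed.
finding_count() { "$1" "$2" | awk 'END { print NR }'; }

# On a real pair, confirm the key belongs to the certificate: the public key
# extracted from each must be identical. Not usable on the filler samples.
pair_matches() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

for f in good.crt crlf.crt tiny.crt; do
    echo "== $f: $(finding_count check_cert "$WORKDIR/$f") finding(s)"; check_cert "$WORKDIR/$f"
done
for f in enc.key plain.key; do
    echo "== $f: $(finding_count check_key "$WORKDIR/$f") finding(s)"; check_key "$WORKDIR/$f"
done

# With openssl available, also generate a throwaway self-signed pair and run
# the key/cert match on real material.
if command -v openssl >/dev/null 2>&1; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=precheck-demo \
        -keyout "$WORKDIR/real.key" -out "$WORKDIR/real.crt" 2>/dev/null
    chmod 600 "$WORKDIR/real.key" 2>/dev/null
    if pair_matches "$WORKDIR/real.crt" "$WORKDIR/real.key"; then
        echo "== real.crt/real.key: key matches certificate"
    fi
fi
```

For a real deployment, run `check_cert` and `check_key` on the files named by SSLCertificateFile and SSLCertificateKeyFile, then `pair_matches` on the two; a clean run means Apache will at least load the material, and the owner-only check keeps a decrypted key from being readable by every local account.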