Hi,
Does anyone have a pointer to correct documentation for generating and installing a self signed ssl cert for use on httpd on a C-5 machine?
The docs say to use genkey but AFAIK upstream rm'd crypto-utils from the distro and as such it is not available. I tried generating the cert on a C-4 machine using genkey and installing on the C-5 machine but I get the following error when I try to connect:
[Thu Oct 25 12:48:03 2007] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSLv3 read client certificate B
[Thu Oct 25 12:48:03 2007] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate B
[Thu Oct 25 12:48:03 2007] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate B
[Thu Oct 25 12:48:03 2007] [info] [client 192.168.0.25] SSL library error 1 in handshake (server roadrunner.tntechs.com:443)
[Thu Oct 25 12:48:03 2007] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:func(137):reason(199)
[Thu Oct 25 12:48:03 2007] [info] [client 192.168.0.25] Connection closed to child 0 with abortive shutdown (server roadrunner.tntechs.com:443)
Can anyone tell me where I am going wrong here? Google is not being helpful and I am getting frustrated. I wish I better understood open ssl. :-(
Regards,
On Thu, 25 Oct 2007, Tom Diehl wrote:
Hi,
Does anyone have a pointer to correct documentation for generating and installing a self signed ssl cert for use on httpd on a C-5 machine?
Generating:
http://www.madboa.com/geek/openssl/#cert-self
As for installing, you'll want to follow the paths in your local httpd configuration, often defined in /etc/httpd/conf.d/ssl.conf.
On 10/25/07, Tom Diehl tdiehl@rogueind.com wrote:
Hi,
Does anyone have a pointer to correct documentation for generating and installing a self signed ssl cert for use on httpd on a C-5 machine?
The docs say to use genkey but AFAIK upstream rm'd crypto-utils from the distro and as such it is not available. I tried generating the cert on a C-4 machine using genkey and installing on the C-5 machine but I get the following error when I try to connect:
[...]
Can anyone tell me where I am going wrong here? Google is not being helpful and I am getting frustrated. I wish I better understood open ssl. :-(
Regards,
-- Tom Diehl tdiehl@rogueind.com Spamtrap address mtd123@rogueind.com
You might find a bunch of guides online that give you ways to do it using openssl, but C5 has a Makefile already set up to do this for you. Steps:
1. cd /etc/pki/tls/certs
2. make testcert
3. restart apache
The default ssl.conf file points to the localhost.* files that are generated by this command.
On Thu, 25 Oct 2007, Brian Mathis wrote:
On 10/25/07, Tom Diehl tdiehl@rogueind.com wrote:
Hi,
Does anyone have a pointer to correct documentation for generating and installing a self signed ssl cert for use on httpd on a C-5 machine?
The docs say to use genkey but AFAIK upstream rm'd crypto-utils from the distro and as such it is not available. I tried generating the cert on a C-4 machine using genkey and installing on the C-5 machine but I get the following error when I try to connect:
[...]
Can anyone tell me where I am going wrong here? Google is not being helpful and I am getting frustrated. I wish I better understood open ssl. :-(
Regards,
-- Tom Diehl tdiehl@rogueind.com Spamtrap address mtd123@rogueind.com
You might find a bunch of guides online that give you ways to do it using openssl, but C5 has a Makefile already set up to do this for you. Steps:
- cd /etc/pki/tls/certs
- make testcert
- restart apache
The default ssl.conf file points to the localhost.* files that are generated by this command.
Ok, so I changed the Makefile from localhost to match the actual hostname of the machine. I then ran "make testcert" as suggested above and answered the questions as appropriate. It then generated the cert without errors. I then modified ssl.conf to point to the .key file and the .crt file, and restarted apache.
Everything looked OK in the logs. I then pointed a browser at the machine and I got the following errors in the ssl error log:
[Thu Oct 25 14:31:25 2007] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSLv3 read client certificate B
[Thu Oct 25 14:31:25 2007] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate B
[Thu Oct 25 14:31:25 2007] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate B
[Thu Oct 25 14:31:25 2007] [info] [client 192.168.0.3] SSL library error 1 in handshake (server roadrunner.example.com:443)
[Thu Oct 25 14:31:25 2007] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Thu Oct 25 14:31:25 2007] [info] [client 192.168.0.3] Connection closed to child 0 with abortive shutdown (server roadrunner.example.com:443)
In addition I catted the key and crt together to make a .pem and ran verify on the cert. I got the following output:
(roadrunner pts1) # openssl verify roadrunner.example.com.pem
roadrunner.example.com.pem: /C=US/ST=Pennsylvania/L=Mytown/O=TN Techs LLC/CN=roadrunner.example.com/emailAddress=support@example.com
error 18 at 0 depth lookup:self signed certificate
OK
(roadrunner pts1) #
Am I correct that the above error is normal for a self signed cert?
Obviously I am missing something. Can anyone point me at a solution to this problem?
Regards,
On Thu, 25 Oct 2007, Tom Diehl wrote:
Ok, so I changed the Makefile from localhost to match the actual hostname of the machine. I then ran "make testcert" as suggested above and answered the questions as appropriate. It then generated the cert without errors. I then modified ssl.conf to point to the .key file and the .crt file, and restarted apache.
Everything looked OK in the logs. I then pointed a browser at the machine and I got the following errors in the ssl error log:
[Thu Oct 25 14:31:25 2007] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSLv3 read client certificate B
[Thu Oct 25 14:31:25 2007] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate B
[Thu Oct 25 14:31:25 2007] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate B
Is SELinux enabled? Does your cert have the correct security context type (probably httpd_config_t)?
On Thu, 25 Oct 2007, Paul Heinlein wrote:
On Thu, 25 Oct 2007, Tom Diehl wrote:
Ok, so I changed the Makefile from localhost to match the actual hostname of the machine. I then ran "make testcert" as suggested above and answered the questions as appropriate. It then generated the cert without errors. I then modified ssl.conf to point to the .key file and the .crt file, and restarted apache.
Everything looked OK in the logs. I then pointed a browser at the machine and I got the following errors in the ssl error log:
[Thu Oct 25 14:31:25 2007] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSLv3 read client certificate B
[Thu Oct 25 14:31:25 2007] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate B
[Thu Oct 25 14:31:25 2007] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate B
Is SELinux enabled? Does your cert have the correct security context type (probably httpd_config_t)?
I set SELinux to permissive to be sure it was out of the way before I posted. In addition the context on the certs is root:object_r:cert_t which looks correct to me.
Regards,
Tom Diehl wrote on Thu, 25 Oct 2007 14:54:19 -0400 (EDT):
error 18 at 0 depth lookup:self signed certificate
OK
(roadrunner pts1) #
Am I correct that the above error is normal for a self signed cert?
Seems so, yes. I get the same. I think your cert is okay. Your errors are all about *client* certificates, so the problem is with the certificate the client presents, not with the one you configured for the server. You seem to require a client certificate and either the client doesn't present you one or one that can't get verified. My knowledge about client certificates is limited, so I'm not sure about the exact reason.
Kai
On Thu, 25 Oct 2007, Kai Schaetzl wrote:
Tom Diehl wrote on Thu, 25 Oct 2007 14:54:19 -0400 (EDT):
error 18 at 0 depth lookup:self signed certificate
OK
(roadrunner pts1) #
Am I correct that the above error is normal for a self signed cert?
Seems so, yes. I get the same. I think your cert is okay. Your errors are all about *client* certificates, so the problem is with the certificate the client presents, not with the one you configured for the server. You seem to require a client certificate and either the client doesn't present you one or one that can't get verified. My knowledge about client certificates is limited, so I'm not sure about the exact reason.
I do not understand this either. I have done this a bunch of times on el3 and el4 machines and it "just works". Something seems to be fubar on the el5 machine. I even tried several different client machines and browsers with the same result. FWIW, the machine is a new install, so this is the first time I tried to activate ssl. rpm -V on mod_ssl shows nothing.
Could this be some kind of multiarch problem? FWIW, I have the following openssl packages installed on the machine:
(roadrunner pts1) # yum list openssl*
...
Installed Packages
openssl.x86_64 0.9.8b-8.3.el5_0.2 installed
openssl-devel.x86_64 0.9.8b-8.3.el5_0.2 installed
openssl-perl.x86_64 0.9.8b-8.3.el5_0.2 installed
openssl097a.x86_64 0.9.7a-9 installed
Available Packages
openssl.i686 0.9.8b-8.3.el5_0.2 updates
openssl-devel.i386 0.9.8b-8.3.el5_0.2 updates
(roadrunner pts1) #
I am really at a loss on this one.
Regards,
--On Thursday, October 25, 2007 2:54 PM -0400 Tom Diehl tdiehl@rogueind.com wrote:
SSL3_GET_CLIENT_CERTIFICATE
Isn't that for when you need the client to prove who he is? Are you requiring client SSL certs? It looks like the client is failing to provide a good cert.
On Thu, 25 Oct 2007, Kenneth Porter wrote:
--On Thursday, October 25, 2007 2:54 PM -0400 Tom Diehl tdiehl@rogueind.com wrote:
SSL3_GET_CLIENT_CERTIFICATE
Isn't that for when you need the client to prove who he is? Are you requiring client SSL certs? It looks like the client is failing to provide a good cert.
Well not on purpose!! I set SSLVerifyClient to optional and it now works. It looks like the default is different between c-4 and c-5. I looked at my ssl.conf on a c-4 machine and the line is commented out. It was also commented out on the c-5 machine and I was getting the errors above. When I changed it to optional things started working.
The documentation states that the default is none but it looks like the default is require. Is there a way to verify what the defaults are?
Thanks for the help.
Regards,
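The two things that took the whole thread to untangle were (a) whether SSLVerifyClient was actually set anywhere, given that the only mention in ssl.conf was a commented-out line, and (b) that the "read client certificate" / SSL3_GET_CLIENT_CERTIFICATE lines in the error log point at client-certificate verification rather than at the server's own certificate. The script below is an added example, not code from the thread or from the httpd project: it reads an ssl.conf-style fragment, reports the explicit SSLVerifyClient value per scope (ignoring comments the way httpd does), and classifies mod_ssl log lines by whether they failed at the client-certificate step. The config fragment and the log lines are constructed for the example (the log lines are modelled on the ones quoted above); the assumption that a VirtualHost without its own directive inherits the server-level value is the script's, so check it against your mod_ssl version.

```python
import re

# Constructed httpd ssl.conf fragment (not the poster's file). The default
# vhost keeps SSLVerifyClient commented out, as the stock ssl.conf does; a
# second vhost explicitly requires client certificates.
SAMPLE_SSL_CONF = """\
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    #   Client Authentication (Type):
    #SSLVerifyClient require
    #SSLVerifyDepth  10
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 10
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost\s*>", re.IGNORECASE)
VERIFY_CLIENT = re.compile(r"^\s*SSLVerifyClient\s+(\S+)", re.IGNORECASE)


def parse_ssl_verify_client(conf_text):
    """Map each scope ('server' or a VirtualHost address) to its explicit
    SSLVerifyClient value, or None when no uncommented directive exists.
    httpd treats a line as a comment only when '#' is its first non-blank
    character, so '#SSLVerifyClient require' contributes nothing."""
    scopes = {"server": None}
    scope = "server"
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = VHOST_OPEN.match(raw)
        if m:
            scope = m.group(1).strip()
            scopes.setdefault(scope, None)
            continue
        if VHOST_CLOSE.match(raw):
            scope = "server"
            continue
        m = VERIFY_CLIENT.match(raw)
        if m:
            scopes[scope] = m.group(1).lower()
    return scopes


def audit_client_verification(conf_text):
    """Return {scope: (effective_value, finding)}. Assumption: a vhost with
    no directive of its own inherits the server-level one; when neither is
    set, the effective value is whatever the mod_ssl build defaults to,
    which is exactly what cannot be seen by reading ssl.conf alone."""
    scopes = parse_ssl_verify_client(conf_text)
    server_value = scopes["server"]
    report = {}
    for scope, value in scopes.items():
        effective = value if value is not None else server_value
        if effective is None:
            finding = ("not set explicitly; set 'SSLVerifyClient none' or "
                       "'optional' if clients are not expected to present certificates")
        elif effective == "require":
            finding = "clients without a verifiable certificate will fail the handshake"
        else:
            finding = "ok"
        report[scope] = (effective or "default", finding)
    return report


# Constructed mod_ssl error-log lines modelled on the ones quoted in the thread.
SAMPLE_LOG = [
    "[Thu Oct 25 14:31:25 2007] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate B",
    "[Thu Oct 25 14:31:25 2007] [info] [client 192.168.0.3] SSL library error 1 in handshake (server roadrunner.example.com:443)",
    "[Thu Oct 25 14:31:25 2007] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?",
    "[Thu Oct 25 14:31:25 2007] [info] [client 192.168.0.3] Connection closed to child 0 with abortive shutdown (server roadrunner.example.com:443)",
]

# Substrings that mark a failure at the client-certificate step of the handshake.
CLIENT_CERT_MARKERS = (
    "SSL3_GET_CLIENT_CERTIFICATE",
    "peer did not return a certificate",
    "read client certificate",
)


def triage_handshake_log(log_lines):
    """Count lines that failed at the client-certificate step versus all
    other lines, and collect the client addresses seen in the same burst,
    so the verdict separates an SSLVerifyClient problem from a bad server cert."""
    client_cert_lines = [l for l in log_lines if any(m in l for m in CLIENT_CERT_MARKERS)]
    clients = sorted({m.group(1) for l in log_lines
                      for m in [re.search(r"\[client ([^\]]+)\]", l)] if m})
    return {
        "client_cert_step": len(client_cert_lines),
        "other_lines": len(log_lines) - len(client_cert_lines),
        "clients": clients,
        "verdict": ("client certificate verification (check SSLVerifyClient)"
                    if client_cert_lines else "not a client-certificate problem"),
    }


if __name__ == "__main__":
    for scope, (value, finding) in audit_client_verification(SAMPLE_SSL_CONF).items():
        print(f"{scope}: SSLVerifyClient={value} -> {finding}")
    print(triage_handshake_log(SAMPLE_LOG))
```

Run it against a real ssl.conf by passing the file contents to audit_client_verification; a scope reported as "default" is the case from this thread, where nothing in the file tells you what the server will actually demand, and setting the directive explicitly removes the guesswork.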