Hi,

I'm migrating an aolserver site from one domain on a freebsd4.x system to another on apple Xserve 10.4. The old non-self signed certificate works in the new site, but the new one does not.

During startup, aolserver reports "certificate file is not readable or does not exist" (see log lines below).

The files *do* exist. Using identical filename and permissions, I was able to use the previous domain (still valid) certificate without errors.

The certificate file is suspect, since the other certificate worked.

Other things checked:

  Verified that the key file has the password removed.

  config.tcl params are using absolute file references.


Suspecting there may be encoding issues with copy/pasting the new certificate, I tried transferring the certificate using various methods. The variations were tested where differences in the certificate appearance exist. Also, the CA has supplied the certificates another way to confirm them.

Key and cert files only contain ASCII. Verified because the following results in no errors:

iconv -c -t ascii domain-name.crt.pem
iconv -c -t ascii domain-name.key.pem


Checking the certificates via openssl fails the same for both the domain cert that works and the new domain, so this has no diagnostic value, unless there is a way to get "openssl verify" to work:

openssl verify -purpose sslserver -verbose certfile.pem
(certificate info)
error 20 at 0 depth lookup:unable to get local issuer certificate

Also, the various CA self signed certificates fail when I check them this way:

root# openssl verify -purpose any -verbose root-ca-crt.pem
(CA info)... Secure Server Certification Authority
error 18 at 0 depth lookup:self signed certificate
OK

Might some of the characters in the certificate get somehow pre-processed when loading in nsopenssl, such as with forward slashes or plus signs or some other character sequence etc?

I found the error message in just one place in the nsopenssl code, but I lack the C skills to answer the question myself:

http://cvs.sourceforge.net/viewcvs.py/aolserver/nsopenssl/sslcontext.c?rev=1.10&only_with_tag=v3_0beta26&view=markup

What else should I check for?


Thanks in advance,

Torben

Log lines:

[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so'
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl: generating 512-bit temporary RSA key ...
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl: generating 1024-bit temporary RSA key ...
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): loading SSL context 'users'
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): 'users' ciphers loaded successfully
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): 'users' using SSLv2 protocol
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): 'users' using SSLv3 protocol
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): 'users' using TLSv1 protocol
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Debug: KeyFile = /usr/local/www/service0/openacs-5.1.5/etc/certs2006/domain-name.key.pem; CertFile = /usr/local/www/service0/openacs-5.1.5/etc/certs2006/domain-name.crt.pem
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Error: nsopenssl (openacs-5.1.5): 'users' certificate file is not readable or does not exist
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Error: nsopenssl (openacs-5.1.5): SSL context 'users' left uninitialized
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): loading SSL context 'client'
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): 'client' ciphers loaded successfully
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): 'client' using SSLv2 protocol
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): 'client' using SSLv3 protocol
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): 'client' using TLSv1 protocol
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Debug: KeyFile = /usr/local/www/service0/openacs-5.1.5/etc/certs2006/domain-name.key.pem; CertFile = /usr/local/www/service0/openacs-5.1.5/etc/certs2006/domain-name.crt2.pem
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Error: nsopenssl (openacs-5.1.5): 'client' certificate file is not readable or does not exist
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Error: nsopenssl (openacs-5.1.5): SSL context 'client' left uninitialized
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): default SSL context for server is users
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: default server SSL context: users
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): default SSL context for client is client
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: default client SSL context: client
[04/Jan/2006:21:40:53][25144.2684415336][-main-] Notice: nsopenssl (openacs-5.1.5): loading 'users' SSL driver


--
AOLserver - http://www.aolserver.com/
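The checks a practitioner would run on the two PEM files before blaming the TLS module, as an added example that is not part of the original post or of nsopenssl. It tests the same things the post describes (readability, ASCII content, parseability, passphrase removed) plus two the post does not: CRLF line endings, which `iconv -c` does not report because `-c` silently discards what it cannot convert and CR is valid ASCII anyway, and whether the key actually belongs to the certificate. It also shows `openssl verify` with `-CAfile`, which is what makes the error 20 ("unable to get local issuer certificate") go away for a CA-issued leaf. The function name `check_pem_pair` and the file names in the comments are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from nsopenssl): sanity-check a PEM
# server certificate and its private key the way a TLS module will consume them.
# Usage: check_pem_pair CERT.pem KEY.pem [CA-BUNDLE.pem]
# Exit status 0 means every check passed; otherwise the first failing check is printed.
check_pem_pair() {
    cert=$1; key=$2; ca=$3
    cr=$(printf '\r')

    # 1. Existence and readability for the *current* user. Run this as the uid the
    #    server drops to, not as root, or the result says nothing about the server.
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL: $f is not readable or does not exist"; return 1; }
    done

    # 2. PEM must be plain ASCII with LF line endings. CRLF from a copy/paste or a
    #    Windows-side transfer is still "ASCII" to iconv but trips some PEM readers.
    for f in "$cert" "$key"; do
        if grep -q "$cr" "$f"; then
            echo "FAIL: $f has CRLF line endings; fix with: tr -d '\\r' < $f > $f.lf"
            return 2
        fi
        if LC_ALL=C grep -q '[^ -~]' "$f"; then      # any byte outside printable ASCII
            echo "FAIL: $f contains non-ASCII bytes"
            return 2
        fi
    done

    # 3. The cert file must carry a certificate block (not a CSR, a PKCS#7 bundle,
    #    or the CA's web page saved under the .crt name).
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || {
        echo "FAIL: $cert has no '-----BEGIN CERTIFICATE-----' block"; return 3; }

    # 4. Both files must parse. '-passin pass:' stops openssl from prompting on a
    #    key that still carries a passphrase, so the check fails instead of hanging.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || {
        echo "FAIL: $cert does not parse as an X.509 PEM certificate"; return 4; }
    openssl pkey -in "$key" -noout -passin pass: >/dev/null 2>&1 || {
        echo "FAIL: $key does not parse as an unencrypted private key"; return 4; }

    # 5. The key must belong to the cert: hash the public key derived from each side.
    pub_cert=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    pub_key=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$pub_cert" = "$pub_key" ] || {
        echo "FAIL: $key does not match the public key in $cert"; return 5; }

    # 6. Optional chain check. Without -CAfile (or the issuer in the default store)
    #    'openssl verify' gives error 20 for every CA-issued leaf, good or bad.
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
            echo "FAIL: $cert does not chain to $ca"; return 6; }
    fi
    echo "OK: $cert / $key"
    return 0
}

# When run directly: sh check_pem.sh domain-name.crt.pem domain-name.key.pem [ca-bundle.pem]
if [ $# -ge 2 ]; then check_pem_pair "$@"; fi
```

Each failing check returns a distinct code, so the script can be dropped into a startup or deploy hook; a self-signed root passed as its own `-CAfile` verifies cleanly, which is the counterpart of the error 18 the post sees when verifying a root without one.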
