On 2006.01.05, Torben Brosten <[EMAIL PROTECTED]> wrote:
[...]
> During startup, aolserver reports "certificate file is not readable or 
> does not exist" (see log lines below).
> 
> The files *do* exist. Using identical filename and permissions, I was 
> able to use the previous domain (still valid) certificate without errors.
[...]

According to your logfile:

    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Debug: KeyFile = /usr/local/www/service0/openacs-5.1.5/etc/certs2006/domain-name.key.pem; CertFile = /usr/local/www/service0/openacs-5.1.5/etc/certs2006/domain-name.crt2.pem
    [04/Jan/2006:21:40:53][25144.2684415336][-main-] Error: nsopenssl (openacs-5.1.5): 'client' certificate file is not readable or does not exist

Looking at the error string and the sslcontext.c source you pointed to:

    if ((access(sslcontext->certFile, F_OK) != 0) || (access(sslcontext->certFile, R_OK) != 0)) {
        Ns_Log(Error, "%s (%s): '%s' certificate file is not readable or does not exist",
            MODULE, sslcontext->server, sslcontext->name);
        return NS_ERROR;
    }

That's the only place the log message you see in your log could be
generated from.  It's very clearly saying it is either failing on F_OK
(file exists) or R_OK (file is readable).

What does this command return:

    $ ls -l /usr/local/www/service0/openacs-5.1.5/etc/certs2006/

> Checking the certificates via openssl fails the same for both the domain 
> cert that works and the new domain, so this has no diagnostic value, 
> unless there is a way to get "openssl verify" to work:
> 
> openssl verify -purpose sslserver -verbose certfile.pem
> (certificate info)
> error 20 at 0 depth lookup:unable to get local issuer certificate

This isn't an "error" for a self-signed certificate if you don't specify
the CA you used to self-sign with:

    $ openssl verify -verbose certificate.pem
    certificate.pem: /C=US/ST=New Jersey/O=Panoptic Computer Network/CN=www.panoptic.com/[EMAIL PROTECTED]
    error 20 at 0 depth lookup:unable to get local issuer certificate

vs:

    $ openssl verify -verbose -CAfile /etc/ssl/ca/demoCA/cacert.pem certificate.pem
    certificate.pem: OK

For certificates signed by a real CA, you'll need to get their CA cert
if you want to fully verify/validate.

> What else should I check for?

If "openssl verify" returns the certificate info, then it's parsing it
correctly.

I'm pretty sure the code isn't confused here.  The file might exist, but
it might not be readable to the nsd process' user.  I'd check and
re-check the permissions on the file.  If the owner of the cert file
isn't the same user that the nsd will be running as, then make sure the
file is readable to that other user.

-- Dossy

-- 
Dossy Shiobara              | [EMAIL PROTECTED] | http://dossy.org/
Panoptic Computer Network   | http://panoptic.com/
  "He realized the fastest way to change is to laugh at your own
    folly -- then you can let go and quickly move on." (p. 70)
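An added diagnostic, not from Dossy's message or from the nsopenssl source, that runs the same two access() calls as the sslcontext.c snippet above and then prints the file's owner, group and mode so they can be compared with the user nsd runs as. The S_ISREG check is an extra that nsopenssl does not perform. access() tests the *real* uid, so run it as the nsd user (e.g. via su) rather than as root.

```c
/* certcheck.c: reproduce nsopenssl's certificate-file check and say which
 * part failed.  Build: cc -o certcheck certcheck.c ; run as the nsd user. */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum cert_check { CERT_OK = 0, CERT_MISSING, CERT_NOT_REGULAR, CERT_UNREADABLE };

/* Same F_OK then R_OK probes nsopenssl makes, in the same order.  Note that
 * a parent directory without search (x) permission also makes F_OK fail,
 * so "missing" here means "not reachable by this uid", not only "absent". */
enum cert_check cert_file_check(const char *path)
{
    struct stat st;
    if (access(path, F_OK) != 0)
        return CERT_MISSING;
    if (stat(path, &st) == 0 && !S_ISREG(st.st_mode))
        return CERT_NOT_REGULAR;            /* extra check, not in nsopenssl */
    if (access(path, R_OK) != 0)
        return CERT_UNREADABLE;
    return CERT_OK;
}

/* Print the verdict plus owner/group/mode next to the uid doing the check. */
static void explain(const char *path, enum cert_check rc)
{
    static const char *why[] = { "readable", "does not exist or is unreachable (F_OK failed)",
                                 "is not a regular file", "not readable (R_OK failed)" };
    struct stat st;
    printf("%s: %s\n", path, why[rc]);
    if (rc == CERT_MISSING || stat(path, &st) != 0)
        return;
    struct passwd *pw = getpwuid(st.st_uid);
    struct group  *gr = getgrgid(st.st_gid);
    printf("  mode %04o owner %s group %s; checked as uid %u\n",
           (unsigned)(st.st_mode & 07777), pw ? pw->pw_name : "?",
           gr ? gr->gr_name : "?", (unsigned)getuid());
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        explain(argv[i], cert_file_check(argv[i]));
    return 0;
}
```

Pass the key and cert paths from the Debug log line as arguments; the verdict line maps directly onto the F_OK/R_OK branch of the nsopenssl message.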
