Hello.
As I see, I should reply to myself ;-)
Both problems were solved:
Running two (or more?) cosignds is no problem - all are working without
problem.
The problem with the certificate was with the CA certificates. For Apache
httpd I use a PEM with the whole certification chain (3 certificates), but
the filter and cosignd need every certificate in a separate file. After
c_rehashing, everything is working.
Greets,
Lukas
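The fix described above (one certificate per file in the CA directory, then c_rehash so OpenSSL's directory lookup can find them by subject hash) as an added, runnable example; this is not code from the thread or from the Cosign project. It builds a throwaway root -> issuing CA -> server chain with the OpenSSL CLI (assumed to be version 1.1.1 or later and on PATH), concatenates the CA certificates into a single bundle like the one Apache consumes, splits the bundle, creates the hash-named links the way c_rehash does, and checks that the server certificate verifies against the directory. All subjects, file names and the scratch directory are constructed test material.

```shell
#!/bin/sh
# Added example, not from the Cosign project or this thread. Constructs a
# test chain, bundles the CA certs into one PEM (Apache style), splits the
# bundle into one-cert-per-file and creates c_rehash-style HASH.N links so
# a CApath lookup (what the cosign filter and cosignd do) succeeds.
set -eu

WORK="$(mktemp -d)"              # scratch dir; removed when the shell exits
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME SUBJECT ISSUER EXTFILE: self-signed when ISSUER is empty.
make_cert() {
  name="$1"; subj="$2"; issuer="$3"; ext="$4"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -out "$WORK/$name.csr" -subj "$subj" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 30 -extfile "$WORK/$ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 30 \
      -extfile "$WORK/$ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

# split_pem BUNDLE DIR: write each certificate in BUNDLE to DIR/cert-NN.pem
# and print how many certificates were written.
split_pem() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
    n > 0 { print > f }
    /-----END CERTIFICATE-----/ { close(f) }
    END { print n + 0 }
  ' "$1"
}

# rehash_dir DIR: for every cert-*.pem create the SUBJECTHASH.N symlink that
# OpenSSL directory lookups expect (the layout c_rehash / openssl rehash make).
rehash_dir() {
  dir="$1"
  for f in "$dir"/cert-*.pem; do
    h="$(openssl x509 -in "$f" -noout -subject_hash)"
    i=0
    while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done   # collision suffix, as c_rehash
    ln -s "$(basename "$f")" "$dir/$h.$i"
  done
}

# chain_verifies DIR LEAF: succeeds only if LEAF chains to a root found in DIR.
chain_verifies() {
  openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Constructed chain: root CA -> issuing CA -> server certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
make_cert root    "/O=Example Test/CN=Example Test Root CA"    ""      ca.ext
make_cert issuing "/O=Example Test/CN=Example Test Issuing CA" root    ca.ext
make_cert server  "/O=Example Test/CN=cosign.example.test"     issuing leaf.ext

# The bundled chain file as Apache would use it (CA certs only; the server
# certificate itself does not belong in the CA directory).
cat "$WORK/issuing.crt" "$WORK/root.crt" > "$WORK/ca-chain.pem"

CADIR="$WORK/cosign-ca"; mkdir "$CADIR"
NSPLIT="$(split_pem "$WORK/ca-chain.pem" "$CADIR")"
rehash_dir "$CADIR"
echo "split $NSPLIT CA certificates into $CADIR:"
ls -l "$CADIR"
if chain_verifies "$CADIR" "$WORK/server.crt"; then
  echo "server certificate verifies against $CADIR"
fi
```

Without the hash links the same directory is useless to OpenSSL: a directory holding only the unsplit bundle, or the split files without links, does not verify the leaf, which is the 503 / "certificate verify failed" symptom from the original message. On OpenSSL 1.1.0 and later, `openssl rehash DIR` does what the rehash_dir function above does.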
From: Slansky Lukas [mailto:lukas.slan...@upce.cz]
Sent: Tuesday, February 09, 2010 12:52 PM
To: cosign-discuss@lists.sourceforge.net
Subject: [Cosign-discuss] Certificate change
Hi.
I'm just planning a change of certificate on our cosign server. The main
issue is that we're changing CA and therefore it will probably affect
the services as well (I suppose).
My scenario is:
- Run the second cosignd with the same configuration - except
new certificates and port 6664 (instead of standard 6663).
- Change services configuration to new port/certificate.
- After porting all services - change certificate on port 6663
and change port to 6663 on services. Finally stop cosignd on port 6664.
Does this scenario seem OK? I have already tried it with both certificates
the same and it seems to work. But just to be sure...
The second issue is with the new certificates. I have changed them on the newly
started port and tried to connect to it. But the cosign httpd filter errors
with 503 and in the error log is:
mod_cosign: snet_starttls: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
mod_cosign: cosign_cookie_valid: Unable to connect to any Cosign server.
I have tried openssl (as in
http://www.umich.edu/~umweb/software/cosign/cosign-discuss/msg00222.html
) with this output (seems OK to me):
CONNECTED(00000004)
didn't found starttls in server response, try anyway...
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
verify return:1
depth=2 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify return:1
depth=1 /C=NL/O=TERENA/CN=TERENA SSL CA
verify return:1
depth=0 /C=CZ/O=University of Pardubice/CN=cas.upce.cz
verify return:1
---
Certificate chain
0 s:/C=CZ/O=University of Pardubice/CN=cas.upce.cz
i:/C=NL/O=TERENA/CN=TERENA SSL CA
1 s:/C=NL/O=TERENA/CN=TERENA SSL CA
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEZjCCA06gAwIBAgIRALOxkiRzuT+kpU54fD3d+a0wDQYJKoZIhvcNAQEFBQAw
...truncated...
qz2Z91L0W9BpfYsfOp9ORSa+W9zWjEcr4Cw=
-----END CERTIFICATE-----
subject=/C=CZ/O=University of Pardubice/CN=cas.upce.cz
issuer=/C=NL/O=TERENA/CN=TERENA SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4783 bytes and written 4221 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
D8EAE48588415B83E404EEF4BC3254114D8864ABA27EAC140F176A645E1EB44E
Session-ID-ctx:
Master-Key:
4D81D07C9E4B44D8D92D2F0E425FD66231CEC7B973CDC67A54258302A61E97979B7AEF95
49589F4924DAC70ABBDDDBBE
Key-Arg : None
Krb5 Principal: None
Start Time: 1265715991
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
500 Command EHLO unregcognized
DONE
Any suggestions concerning the error?
Thanks, Lukas
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss