Steve Price wrote:
> On Fri, 5 May 2000, Kris Kennaway wrote:
> # I'm suspecting it might be something missing in the ASN.1 encoding of the
> # certificate, which netscape requires but IE permits. This would be
> # consistent with a missing openssl.cnf file at the time of certificate
> # generation. Could one of you try copying the openssl.cnf file from
> # crypto/openssl/apps/ to /etc/ssl (editing as appropriate) and see if that
> # fixes it (i.e. make a new certificate and test it in the same way)?
> It didn't help here.  I rebuilt the port and re-installed from
> a clean WRKDIR and I get the same error message.  If I do a
> 'make certificate', copy those files over, and try to start
> apache it just hangs definitely until I ^C it.  After I kill
> it I see this in the apache error logs.
> [error] mod_ssl: Init: Private key not found (OpenSSL library
>  error follows)
> [error] OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:
> header too long
> Methinks it has something to do with key generation as well, but
> I'll be darned if I know what.

        Ok, here are some silly questions. Did you create a private key for
this server, did you encrypt your cert with it, and is that .key file
pointed to in your httpd.conf config file? SSLCertificateKeyFile is what
you're looking for. has some really good
resources for this, and their FAQ has step by step instructions for
creating and testing keys and certs that may help you track down where
in the process it's getting lost. 

        Also, did you install the openssl port, or are you using the openssl
that is part of the base in 4.0+? I vaguely remember you saying that you
were using the port. If so, cd to /usr/local/openssl and cp
openssl.cnf.sample to openssl.cnf. 

        I'm currently hip deep in certificate generation problems myself, so I
sympathize with your plight there Steve. Kris, I was going to let you
know about the openssl.cnf problem, but I wanted to wait till I had more
data. But, since the cat's out of the bag here, yes, we do need an
openssl.cnf file in /etc/ssl for the system version. I attached a patch
(not that you couldn't have done it yourself...). The only problem with
this is that from the mergemaster standpoint, there is no $FreeBSD/$Id
tag in that file. mm will still work (doing a complete comparison with
diff) but it speeds things up and hides local mods if there is a CVS


        "Live free or die"
                - State motto of my ancestral homeland, New Hampshire

        Do YOU Yahoo!?
Index: Makefile
RCS file: /usr/ncvs/src/etc/Makefile,v
retrieving revision 1.221
diff -u -r1.221 Makefile
--- Makefile    2000/04/15 16:48:41     1.221
+++ Makefile    2000/05/07 19:20:41
@@ -26,6 +26,10 @@
+.if exists(${.CURDIR}/../crypto) && !defined(NO_OPENSSL)
+SSL=   ${.CURDIR}/../crypto/openssl/apps/openssl.cnf
 # -rwxr-xr-x root.wheel, for the new cron root.wheel
 BIN2=  netstart pccard_ether rc.suspend rc.resume
@@ -76,6 +80,10 @@
 .if exists(${.CURDIR}/../crypto) && !defined(NO_OPENSSH)
        (cd ${.CURDIR}; ${INSTALL} -c -o ${BINOWN} -g ${BINGRP} -m 644 ${SSH} \
            ${DESTDIR}/etc/ssh )
+.if exists(${.CURDIR}/../crypto) && !defined(NO_OPENSSL)
+       (cd ${.CURDIR}; ${INSTALL} -c -o ${BINOWN} -g ${BINGRP} -m 644 ${SSL} \
+           ${DESTDIR}/etc/ssl )
 .if !defined(NO_MAKEDEV)
        (cd ${DESTDIR}/dev; sh MAKEDEV all)

Reply via email to