Hello!

I have the same problem on two machines (one SuSE 7.0 with no packages of my own installed, and one Solaris 2.6 with Apache 1.3.14 + openssl 0.9.6 + modssl 2.7.1).

I have used this documentation:
http://www.modssl.org/docs/2.7/ssl_faq.html#ToC29
But I always get "your server has an invalid certificate, you will not be able to connect to this site securely". You can look at:
https://mogli.homeip.net
The log files are from the Solaris 2.6 machine. On SuSE 7.0 it looks the same.

What is wrong here?


[root@mogli apache]# openssl genrsa -des3 -out server.key 1024
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
................++++++
................................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
[root@mogli apache]# openssl req -new -key server.key -out server.csr
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:Zurich
Locality Name (eg, city) []:Au (ZH)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Legends
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:mogli.homeip.net
Email Address []:[EMAIL PROTECTED]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@mogli apache]# openssl genrsa -des3 -out ca.key 1024
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
...............++++++
................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
[root@mogli apache]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:Zurich
Locality Name (eg, city) []:Au (ZH)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:^C
[root@mogli apache]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:Zurich
Locality Name (eg, city) []:Au (ZH)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Legends
Organizational Unit Name (eg, section) []:mogli.homeip.net
Common Name (eg, YOUR name) []:^C
[root@mogli apache]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:Zurich
Locality Name (eg, city) []:Au (ZH)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Legends
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:mogli.homeip.net
Email Address []:[EMAIL PROTECTED]
[root@mogli apache]# ./sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CH'
stateOrProvinceName   :PRINTABLE:'Zurich'
localityName          :PRINTABLE:'Au (ZH)'
organizationName      :PRINTABLE:'Legends'
commonName            :PRINTABLE:'mogli.homeip.net'
emailAddress          :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Jan  9 14:39:36 2002 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: /C=CH/ST=Zurich/L=Au (ZH)[EMAIL PROTECTED]
error 18 at 0 depth lookup:self signed certificate
/C=CH/ST=Zurich/L=Au (ZH)[EMAIL PROTECTED]
error 7 at 0 depth lookup:certificate signature failure
[root@mogli apache]# ll
total 410
drwxr-xr-x   8 root     other       1024 Jan  9 15:39 ./
drwxr-xr-x  34 root     sys         4096 Jan  9 15:33 ../
-rw-r--r--   1 root     other        348 Nov 16 22:06 access.conf
-rw-r--r--   1 root     other        348 Nov 16 22:06 access.conf.default
-rw-r--r--   1 root     other       1220 Jan  9 15:39 ca.crt
drwxr-xr-x   2 root     other        512 Jan  9 15:39 ca.db.certs/
-rw-r--r--   1 root     other        109 Jan  9 15:39 ca.db.index
-rw-r--r--   1 root     other          3 Jan  9 15:39 ca.db.serial
-rw-r--r--   1 root     other        963 Jan  9 15:37 ca.key
-rw-r--r--   1 root     other      33965 Dec 20 16:49 httpd.conf
-rw-r--r--   1 root     other      42882 Nov 16 23:07 httpd.conf.default
-rw-r--r--   1 root     other      12441 Nov 16 22:06 magic
-rw-r--r--   1 root     other      12441 Nov 16 22:06 magic.default
-rw-r--r--   1 root     other      10785 Nov 16 22:06 mime.types
-rw-r--r--   1 root     other      10785 Nov 16 22:06 mime.types.default
-rw-r--r--   1 root     other      43189 Nov 17 23:26 old.conf
-rw-r--r--   1 root     other       2627 Jan  9 15:39 server.crt
-rw-r--r--   1 root     other        684 Jan  9 15:37 server.csr
-rw-r--r--   1 root     other        963 Jan  9 15:36 server.key
-rwxr-xr-x   1 root     other       1784 Jan  9 15:30 sign.sh*
-rw-r--r--   1 root     other        357 Nov 16 22:06 srm.conf
-rw-r--r--   1 root     other        357 Nov 16 22:06 srm.conf.default
drwxr-xr-x   2 root     other        512 Nov 16 22:06 ssl.crl/
drwxr-xr-x   2 root     other        512 Jan  9 15:35 ssl.crt/
drwxr-xr-x   2 root     other        512 Jan  9 10:44 ssl.csr/
drwx------   2 root     other        512 Jan  9 15:33 ssl.key/
drwxr-xr-x   2 root     other        512 Nov 16 22:06 ssl.prm/
-rw-r--r--   1 root     other         36 Dec 20 16:27 users
-rw-r--r--   1 root     other       1987 Dec 10 16:29 virtual.conf
-rw-r--r--   1 root     other       8168 Dec 20 16:49 virtualssl.conf
[root@mogli apache]# /etc/init.d/apache stop
/usr/local/sbin/apachectl stop: httpd stopped
[root@mogli apache]# /etc/init.d/apache start
Apache/1.3.14 mod_ssl/2.7.1 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server mogli:443 (RSA)
Enter pass phrase:

Ok: Pass Phrase Dialog successful.
/usr/local/sbin/apachectl startssl: httpd started
[root@mogli apache]#
[root@mogli apache]# tail -20  ssl_engine.log
[09/Jan/2001 15:47:42 08676] [info]  Server: Apache/1.3.14, Interface: mod_ssl/2.7.1, Library: OpenSSL/0.9.6
[09/Jan/2001 15:47:42 08676] [info]  Init: 1st startup round (still not detached)
[09/Jan/2001 15:47:42 08676] [info]  Init: Initializing OpenSSL library
[09/Jan/2001 15:47:42 08676] [info]  Init: Loading certificate & private key of SSL-aware server mogli.homeip.net:443
[09/Jan/2001 15:47:42 08676] [info]  Init: Requesting pass phrase via builtin terminal dialog
[09/Jan/2001 15:47:46 08676] [info]  Init: Wiped out the queried pass phrases from memory
[09/Jan/2001 15:47:46 08676] [info]  Init: Seeding PRNG with 136 bytes of entropy
[09/Jan/2001 15:47:46 08676] [info]  Init: Generating temporary RSA private keys (512/1024 bits)
[09/Jan/2001 15:48:02 08676] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[09/Jan/2001 15:48:02 08677] [info]  Init: 2nd startup round (already detached)
[09/Jan/2001 15:48:02 08677] [info]  Init: Reinitializing OpenSSL library
[09/Jan/2001 15:48:02 08677] [info]  Init: Seeding PRNG with 136 bytes of entropy
[09/Jan/2001 15:48:02 08677] [info]  Init: Configuring temporary RSA private keys (512/1024 bits)
[09/Jan/2001 15:48:02 08677] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[09/Jan/2001 15:48:02 08677] [info]  Init: Initializing (virtual) servers for SSL
[09/Jan/2001 15:48:02 08677] [info]  Init: Configuring server mogli.homeip.net:443 for SSL protocol
[09/Jan/2001 15:48:05 08678] [info]  Connection to child 0 established (server mogli.homeip.net:443, client 212.249.3.162)
[09/Jan/2001 15:48:05 08678] [info]  Seeding PRNG with 1160 bytes of entropy
[09/Jan/2001 15:48:05 08678] [error] SSL handshake failed (server mogli.homeip.net:443, client 212.249.3.162) (OpenSSL library error follows)
[09/Jan/2001 15:48:05 08678] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]
[root@mogli apache]#

[root@mogli apache]# tail www_error.log
could not get keyboard type US keyboard assumed
could not open /dev/kbd to get keyboard type US keyboard assumed
could not get keyboard type US keyboard assumed
[Mon Jan  8 22:35:40 2001] [error] [client 192.168.10.10] File does not exist: /export/www/htdocs/gifs/navbar.gif
could not open /dev/kbd to get keyboard type US keyboard assumed
could not get keyboard type US keyboard assumed
[Tue Jan  9 15:41:30 2001] [error] mod_ssl: SSL handshake failed (server mogli:443, client 212.249.3.162) (OpenSSL library error follows)
[Tue Jan  9 15:41:30 2001] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]
[Tue Jan  9 15:48:05 2001] [error] mod_ssl: SSL handshake failed (server mogli.homeip.net:443, client 212.249.3.162) (OpenSSL library error follows)
[Tue Jan  9 15:48:05 2001] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]

[root@mogli apache]# grep -i ServerName *
httpd.conf:ServerName mogli.homeip.net
virtual.conf:    ServerName mogli.homeip.net
virtual.conf:    ServerName mogli.homeip.net
virtualssl.conf:    ServerName mogli.homeip.net


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
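The sign.sh verify step in the post fails with "self signed certificate" followed by "certificate signature failure" because the CA certificate that was finally kept carries the same DN as the server (Organization Legends, CN mogli.homeip.net), and OpenSSL, which finds a certificate's issuer by matching issuer DN to subject DN, has no authority key identifier to tell the two apart and so takes the server certificate for a self-signed one and checks its signature against its own key; mod_ssl's hint "Subject CN in certificate ... identical to CA!?" points at the same thing. The script below is an added example, not code from the post or from the mod_ssl project: it repeats the CA and server flow with a CA whose DN differs from the server's and adds a check that compares a certificate's subject and issuer; the CA DN "Legends Test CA" is a constructed placeholder and the keys are generated unencrypted so the script runs unattended.

```shell
#!/bin/sh
# Added example, not code from the original post: rebuild the CA and
# server certificate flow from the thread with a CA whose subject DN
# differs from the server's, then check the property mod_ssl's hint
# names (a certificate whose subject equals its issuer is treated as
# self-signed when no authority key identifier disambiguates it).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Server DN as entered in the post; the CA DN is a constructed value.
SERVER_DN="/C=CH/ST=Zurich/L=Au (ZH)/O=Legends/CN=mogli.homeip.net"
CA_DN="/C=CH/ST=Zurich/L=Au (ZH)/O=Legends/CN=Legends Test CA"

# make_pair CA_DN SERVER_DN DIR: create a self-signed CA, a server CSR
# and the CA-signed server certificate in DIR (unencrypted keys, demo only).
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$1" \
        -keyout "$3/ca.key" -out "$3/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$3/server.key" -out "$3/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$3/server.csr" -CA "$3/ca.crt" \
        -CAkey "$3/ca.key" -CAcreateserial -out "$3/server.crt" 2>/dev/null
}

# check_distinct_subject CERT: return 0 when subject and issuer differ,
# 1 when they are identical (the misconfiguration seen in the post).
check_distinct_subject() {
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//')
    iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then
        echo "BAD: subject and issuer are identical: $subj" >&2
        return 1
    fi
    echo "OK: subject '$subj' is issued by '$iss'"
}

mkdir -p "$WORK/good" "$WORK/bad"

# Good pair: distinct DNs, and the chain verifies against the CA.
make_pair "$CA_DN" "$SERVER_DN" "$WORK/good"
check_distinct_subject "$WORK/good/server.crt"
openssl verify -CAfile "$WORK/good/ca.crt" "$WORK/good/server.crt"

# Bad pair: the CA is created with the server's own DN, as in the post.
make_pair "$SERVER_DN" "$SERVER_DN" "$WORK/bad"
check_distinct_subject "$WORK/bad/server.crt" || echo "(rejected, as intended)"
```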