Did you fix the problem?
----- Original Message ----- 
From: "Peter Honegger" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 13, 2001 6:13 AM
Subject: Unable to generate certificate


> Hello!
> 
> I have the same problem on two machines (1 SuSE 7.0, no own packages
> installed, and Solaris 2.6 with Apache 1.3.14 + openssl 0.9.6 + modssl
> 2.7.1)
> 
> I have used this documentation:
> http://www.modssl.org/docs/2.7/ssl_faq.html#ToC29
> But with my certificate I always get "your server has an invalid certificate,
> you will not be able to connect to this site securely". You can look at:
> https://mogli.homeip.net
> The log files are from the Solaris 2.6 machine. On the SuSE 7.0 it
> looks the same.
> 
> What is wrong here?
> 
> 
> [root@mogli apache]# openssl genrsa -des3 -out server.key 1024
> warning, not much extra random data, consider using the -rand option
> Generating RSA private key, 1024 bit long modulus
> ................++++++
> ................................++++++
> e is 65537 (0x10001)
> Enter PEM pass phrase:
> Verifying password - Enter PEM pass phrase:
> [root@mogli apache]# openssl req -new -key server.key -out server.csr
> Using configuration from /usr/local/ssl/openssl.cnf
> Enter PEM pass phrase:
> You are about to be asked to enter information that will be
> incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a
> DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:CH
> State or Province Name (full name) [Some-State]:Zurich
> Locality Name (eg, city) []:Au (ZH)
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Legends
> Organizational Unit Name (eg, section) []:.
> Common Name (eg, YOUR name) []:mogli.homeip.net
> Email Address []:[EMAIL PROTECTED]
> 
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
> [root@mogli apache]# openssl genrsa -des3 -out ca.key 1024
> warning, not much extra random data, consider using the -rand option
> Generating RSA private key, 1024 bit long modulus
> ...............++++++
> ................++++++
> e is 65537 (0x10001)
> Enter PEM pass phrase:
> Verifying password - Enter PEM pass phrase:
> [root@mogli apache]# openssl req -new -x509 -days 365 -key ca.key -out
> ca.crt
> Using configuration from /usr/local/ssl/openssl.cnf
> Enter PEM pass phrase:
> You are about to be asked to enter information that will be
> incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a
> DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:CH
> State or Province Name (full name) [Some-State]:Zurich
> Locality Name (eg, city) []:Au (ZH)
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
> Organizational Unit Name (eg, section) []:^C
> [root@mogli apache]# openssl req -new -x509 -days 365 -key ca.key -out
> ca.crt
> Using configuration from /usr/local/ssl/openssl.cnf
> Enter PEM pass phrase:
> You are about to be asked to enter information that will be
> incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a
> DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:CH
> State or Province Name (full name) [Some-State]:Zurich
> Locality Name (eg, city) []:Au (ZH)
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Legends
> Organizational Unit Name (eg, section) []:mogli.homeip.net
> Common Name (eg, YOUR name) []:^C
> [root@mogli apache]# openssl req -new -x509 -days 365 -key ca.key -out
> ca.crt
> Using configuration from /usr/local/ssl/openssl.cnf
> Enter PEM pass phrase:
> You are about to be asked to enter information that will be
> incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a
> DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:CH
> State or Province Name (full name) [Some-State]:Zurich
> Locality Name (eg, city) []:Au (ZH)
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Legends
> Organizational Unit Name (eg, section) []:.
> Common Name (eg, YOUR name) []:mogli.homeip.net
> Email Address []:[EMAIL PROTECTED]
> [root@mogli apache]# ./sign.sh server.csr
> CA signing: server.csr -> server.crt:
> Using configuration from ca.config
> Enter PEM pass phrase:
> Check that the request matches the signature
> Signature ok
> The Subjects Distinguished Name is as follows
> countryName           :PRINTABLE:'CH'
> stateOrProvinceName   :PRINTABLE:'Zurich'
> localityName          :PRINTABLE:'Au (ZH)'
> organizationName      :PRINTABLE:'Legends'
> commonName            :PRINTABLE:'mogli.homeip.net'
> emailAddress          :IA5STRING:'[EMAIL PROTECTED]'
> Certificate is to be certified until Jan  9 14:39:36 2002 GMT (365
> days)
> Sign the certificate? [y/n]:y
> 
> 
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
> CA verifying: server.crt <-> CA cert
> server.crt: /C=CH/ST=Zurich/L=Au
> (ZH)[EMAIL PROTECTED]
> error 18 at 0 depth lookup:self signed certificate
> /C=CH/ST=Zurich/L=Au
> (ZH)[EMAIL PROTECTED]
> error 7 at 0 depth lookup:certificate signature failure
> [root@mogli apache]# ll
> total 410
> drwxr-xr-x   8 root     other       1024 Jan  9 15:39 ./
> drwxr-xr-x  34 root     sys         4096 Jan  9 15:33 ../
> -rw-r--r--   1 root     other        348 Nov 16 22:06 access.conf
> -rw-r--r--   1 root     other        348 Nov 16 22:06
> access.conf.default
> -rw-r--r--   1 root     other       1220 Jan  9 15:39 ca.crt
> drwxr-xr-x   2 root     other        512 Jan  9 15:39 ca.db.certs/
> -rw-r--r--   1 root     other        109 Jan  9 15:39 ca.db.index
> -rw-r--r--   1 root     other          3 Jan  9 15:39 ca.db.serial
> -rw-r--r--   1 root     other        963 Jan  9 15:37 ca.key
> -rw-r--r--   1 root     other      33965 Dec 20 16:49 httpd.conf
> -rw-r--r--   1 root     other      42882 Nov 16 23:07
> httpd.conf.default
> -rw-r--r--   1 root     other      12441 Nov 16 22:06 magic
> -rw-r--r--   1 root     other      12441 Nov 16 22:06 magic.default
> -rw-r--r--   1 root     other      10785 Nov 16 22:06 mime.types
> -rw-r--r--   1 root     other      10785 Nov 16 22:06
> mime.types.default
> -rw-r--r--   1 root     other      43189 Nov 17 23:26 old.conf
> -rw-r--r--   1 root     other       2627 Jan  9 15:39 server.crt
> -rw-r--r--   1 root     other        684 Jan  9 15:37 server.csr
> -rw-r--r--   1 root     other        963 Jan  9 15:36 server.key
> -rwxr-xr-x   1 root     other       1784 Jan  9 15:30 sign.sh*
> -rw-r--r--   1 root     other        357 Nov 16 22:06 srm.conf
> -rw-r--r--   1 root     other        357 Nov 16 22:06 srm.conf.default
> drwxr-xr-x   2 root     other        512 Nov 16 22:06 ssl.crl/
> drwxr-xr-x   2 root     other        512 Jan  9 15:35 ssl.crt/
> drwxr-xr-x   2 root     other        512 Jan  9 10:44 ssl.csr/
> drwx------   2 root     other        512 Jan  9 15:33 ssl.key/
> drwxr-xr-x   2 root     other        512 Nov 16 22:06 ssl.prm/
> -rw-r--r--   1 root     other         36 Dec 20 16:27 users
> -rw-r--r--   1 root     other       1987 Dec 10 16:29 virtual.conf
> -rw-r--r--   1 root     other       8168 Dec 20 16:49 virtualssl.conf
> [root@mogli apache]# /etc/init.d/apache stop
> /usr/local/sbin/apachectl stop: httpd stopped
> [root@mogli apache]# /etc/init.d/apache start
> Apache/1.3.14 mod_ssl/2.7.1 (Pass Phrase Dialog)
> Some of your private key files are encrypted for security reasons.
> In order to read them you have to provide us with the pass phrases.
> 
> Server mogli:443 (RSA)
> Enter pass phrase:
> 
> Ok: Pass Phrase Dialog successful.
> /usr/local/sbin/apachectl startssl: httpd started
> [root@mogli apache]#
> 
> 
> 
> 
> [root@mogli apache]# tail -20  ssl_engine.log
> [09/Jan/2001 15:47:42 08676] [info]  Server: Apache/1.3.14, Interface:
> mod_ssl/2.7.1, Library: OpenSSL/0.9.6
> [09/Jan/2001 15:47:42 08676] [info]  Init: 1st startup round (still not
> detached)
> [09/Jan/2001 15:47:42 08676] [info]  Init: Initializing OpenSSL library
> [09/Jan/2001 15:47:42 08676] [info]  Init: Loading certificate &
> private
> key of SSL-aware server mogli.homeip.net:443
> [09/Jan/2001 15:47:42 08676] [info]  Init: Requesting pass phrase via
> builtin terminal dialog
> [09/Jan/2001 15:47:46 08676] [info]  Init: Wiped out the queried pass
> phrases from memory
> [09/Jan/2001 15:47:46 08676] [info]  Init: Seeding PRNG with 136 bytes
> of entropy
> [09/Jan/2001 15:47:46 08676] [info]  Init: Generating temporary RSA
> private keys (512/1024 bits)
> [09/Jan/2001 15:48:02 08676] [info]  Init: Configuring temporary DH
> parameters (512/1024 bits)
> [09/Jan/2001 15:48:02 08677] [info]  Init: 2nd startup round (already
> detached)
> [09/Jan/2001 15:48:02 08677] [info]  Init: Reinitializing OpenSSL
> library
> [09/Jan/2001 15:48:02 08677] [info]  Init: Seeding PRNG with 136 bytes
> of entropy
> [09/Jan/2001 15:48:02 08677] [info]  Init: Configuring temporary RSA
> private keys (512/1024 bits)
> [09/Jan/2001 15:48:02 08677] [info]  Init: Configuring temporary DH
> parameters (512/1024 bits)
> [09/Jan/2001 15:48:02 08677] [info]  Init: Initializing (virtual)
> servers for SSL
> [09/Jan/2001 15:48:02 08677] [info]  Init: Configuring server
> mogli.homeip.net:443 for SSL protocol
> [09/Jan/2001 15:48:05 08678] [info]  Connection to child 0 established
> (server mogli.homeip.net:443, client 212.249.3.162)
> [09/Jan/2001 15:48:05 08678] [info]  Seeding PRNG with 1160 bytes of
> entropy
> [09/Jan/2001 15:48:05 08678] [error] SSL handshake failed (server
> mogli.homeip.net:443, client 212.249.3.162) (OpenSSL library error
> follows)
> [09/Jan/2001 15:48:05 08678] [error] OpenSSL: error:14094412:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN
> in certificate not server name or identical to CA!?]
> [root@mogli apache]#
> 
> [root@mogli apache]# tail www_error.log
> could not get keyboard type US keyboard assumed
> could not open /dev/kbd to get keyboard type US keyboard assumed
> could not get keyboard type US keyboard assumed
> [Mon Jan  8 22:35:40 2001] [error] [client 192.168.10.10] File does not
> exist: /export/www/htdocs/gifs/navbar.gif
> could not open /dev/kbd to get keyboard type US keyboard assumed
> could not get keyboard type US keyboard assumed
> [Tue Jan  9 15:41:30 2001] [error] mod_ssl: SSL handshake failed
> (server
> mogli:443, client 212.249.3.162) (OpenSSL library error follows)
> [Tue Jan  9 15:41:30 2001] [error] OpenSSL: error:14094412:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN
> in certificate not server name or identical to CA!?]
> [Tue Jan  9 15:48:05 2001] [error] mod_ssl: SSL handshake failed
> (server
> mogli.homeip.net:443, client 212.249.3.162) (OpenSSL library error
> follows)
> [Tue Jan  9 15:48:05 2001] [error] OpenSSL: error:14094412:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN
> in certificate not server name or identical to CA!?]
> 
> [root@mogli apache]# grep -i ServerName *
> httpd.conf:ServerName mogli.homeip.net
> virtual.conf:    ServerName mogli.homeip.net
> virtual.conf:    ServerName mogli.homeip.net
> virtualssl.conf:    ServerName mogli.homeip.net
> 
> 
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
> 
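The `[Hint: Subject CN in certificate not server name or identical to CA!?]` line in the quoted log names two conditions, and in the transcript the same DN values are typed for both `server.csr` and `ca.crt`. The check below is an added example, not part of the original thread or of mod_ssl: `check_pair`, `make_demo`, the finding labels and the `Legends Demo CA` name are hypothetical, `openssl x509 -req` stands in for the `sign.sh` step, and the demo certificates are constructed throwaway data.

```shell
#!/bin/sh
# Added example (not from the original post): flag a server certificate whose
# subject DN collides with its CA's subject DN, or whose CN is not the server name.

# dn subject|issuer CERT: print that DN in RFC 2253 form without the label
dn() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# check_pair CA_CERT SERVER_CERT SERVER_NAME
# Prints one finding per line; returns 0 when nothing was found.
check_pair() {
    ca_subj=$(dn subject "$1")
    srv_subj=$(dn subject "$2")
    srv_iss=$(dn issuer "$2")
    rc=0
    if [ "$srv_subj" = "$ca_subj" ]; then
        echo "SAME_DN: server subject equals CA subject ($ca_subj)"; rc=1
    fi
    if [ "$srv_iss" != "$ca_subj" ]; then
        echo "ISSUER_MISMATCH: server issuer is not this CA"; rc=1
    fi
    case ",$srv_subj," in
        *",CN=$3,"*) ;;
        *) echo "CN_MISMATCH: subject CN is not $3"; rc=1 ;;
    esac
    return $rc
}

# make_demo DIR: constructed sample certificates (throwaway keys, 1-day life).
# The "same" CA reuses the server DN from the transcript; the "own" CA has its own CN.
make_demo() {
    srv="/C=CH/ST=Zurich/L=Au (ZH)/O=Legends/CN=mogli.homeip.net"
    openssl req -new -newkey rsa:2048 -nodes -subj "$srv" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    for ca in same own; do
        subj=$srv
        if [ "$ca" = own ]; then subj="/C=CH/O=Legends/CN=Legends Demo CA"; fi
        openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
            -keyout "$1/$ca-ca.key" -out "$1/$ca-ca.crt" 2>/dev/null
        openssl x509 -req -in "$1/server.csr" -days 1 -CAcreateserial \
            -CA "$1/$ca-ca.crt" -CAkey "$1/$ca-ca.key" \
            -out "$1/$ca-server.crt" 2>/dev/null
    done
}

demo=$(mktemp -d)
make_demo "$demo"
check_pair "$demo/same-ca.crt" "$demo/same-server.crt" mogli.homeip.net || true
check_pair "$demo/own-ca.crt" "$demo/own-server.crt" mogli.homeip.net && echo "own CA: clean"
```

Against real files the call would be `check_pair ca.crt server.crt mogli.homeip.net`, using the file names and `ServerName` shown in the quoted session.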