On Sun, Jun 03, 2001 at 11:39:49AM +1200, Carl Bowden wrote:
> Hi,
> 
> I have been working on this for days now (like a blind
> shepherd, I think).
> 
> I'm hoping someone may be able to point me somewhere (nicely,
> that is).
> 
> We have our cert signed by VeriSign (128-bit GSID), and this,
> with the key etc., has the correct paths in the httpd.conf
> file. All paths have been checked with cat. (Are the
> permissions on these important? They are set to root at the
> moment.)

This should be OK if you start Apache as root. Then the top-level Apache
process should be running as UID root (that's the process that does the
init and other central stuff, and forks the children which handle the
actual requests under some UID like 'nobody' or 'wwwuser', etc.).

Also, I assume you have the key/cert file on the *local* hard disk, not
on some NFS share with root-exportability disabled...

> 
> But apachectl startssl refuses to start.
> 
> this is the /var/log/httpd/ssl_engine_log:
> [03/Jun/2001 10:59:15 06923] [info]  Server: Apache/1.3.19,
> Interface: mod_ssl/2.8.3, Library: OpenSSL/0.9.6a
> [03/Jun/2001 10:59:15 06923] [info]  Init: 1st startup round
> (still not detached)
> [03/Jun/2001 10:59:15 06923] [info]  Init: Initializing
> OpenSSL library
> [03/Jun/2001 10:59:15 06923] [info]  Init: Loading
> certificate & private key of SSL-aware server
> secure.macpac.co.nz:443
> [03/Jun/2001 10:59:15 06923] [error] Init: Private key not
> found (OpenSSL library error follows)
> [03/Jun/2001 10:59:15 06923] [error] OpenSSL:
> error:0D084064:asn1 encoding routines:d2i_ASN1_SET:bad class
> [03/Jun/2001 10:59:15 06923] [error] OpenSSL:
> error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing
> [03/Jun/2001 10:59:15 06923] [error] OpenSSL:
> error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> lib
> 
> The key really is there, but I can't find any info on this bad
> class error.

I think the "Private key not found" is not to be taken literally,
rather meaning something like "An error occurred processing the
key file" -- so we can look at the next messages. In essence,
I would say they indicate a syntax error while parsing the
key file.

(short background info for those interested: ASN.1 stands for
Abstract Syntax Notation One and is the language which is used in
X.509 certificates to describe the data structures. These abstract
descriptions are then encoded in DER (Distinguished Encoding Rules)
format. As DER is a binary format, it is often once more encoded
as base64, which gives the PEM-format files)

Now, why could there be a syntax error?
Not exactly sure -- but maybe you have the key file in the wrong
format. AFAIK, for Apache/mod_ssl it has to be in PEM format (DER
not allowed) [anyone correct me if I'm wrong], so a typical key file
should look something like:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B8B837A08071289A

4qG0Zu2/S1YAr0j8zuqycKUmUNwaglwFVf9dTBJp9bKTA+z5iFyvrV7PGAj0Dwoi
<... the base64-encoded content of the key ...>
0uQ5XwbWaFaCOpQvTtWrRfJf2NGOdDGXJ8OkDt4Jw0y4DCmtwje+lw==
-----END RSA PRIVATE KEY-----

You can check the content/readability of the key-file with the command:

openssl rsa -noout -text -in <name>.key


Otherwise, the key file might be corrupted. This could for example have
happened by accidentally loading/saving a DER file with an editor that
does automatic line-ending translation (remember, DER is binary, so
every bit matters).

If that's the case, and you don't have a backup copy of the original
uncorrupted file, then you are more or less out of luck -- at least I
would consider it *way* over my head to poke around in the DER-encoded
ASN.1 descriptions :) -- getting a new certificate would probably be
easier...

Good luck!

- Almut

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
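As an added illustration, separate from the exchange above (this is example code, not something from the mod_ssl list, OpenSSL or Apache): a small stdlib-only Python script that does in miniature what a key loader does, so the three OpenSSL errors in the log have a visible origin. It sniffs whether the file is PEM (encrypted or plain) or DER, base64-decodes PEM to DER, and walks the outer PKCS#1 RSAPrivateKey SEQUENCE of INTEGERs, raising a "bad class" error on the first byte that is not the expected tag. The key material is a constructed toy key with tiny primes (p=61, q=53), structurally valid DER but not usable as a real key; the function names (sniff_format, load_key, diagnose, crlf_corrupt) and the encrypted-PEM stub are mine. The last case shows what LF -> CRLF translation by an editor does to a binary DER file: one inserted 0x0D byte shifts every following tag, which is the same kind of structural damage OpenSSL reports as "bad class".

```python
"""Key-file triage: PEM vs DER, CRLF damage, and where a "bad class" error comes from.
Added example (not from the mod_ssl post, OpenSSL or Apache), stdlib only. The key
material is a constructed toy RSAPrivateKey with tiny primes: valid DER, useless as a key."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def der_len(n):
    """Definite-form DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v):
    """DER INTEGER (non-negative): tag 0x02, with a leading 0x00 if the high bit is set."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body

def encode_rsa_private_key(n, e, d, p, q):
    """PKCS#1 RSAPrivateKey: SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }."""
    body = b"".join(der_int(x) for x in (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)))
    return b"\x30" + der_len(len(body)) + body

def der_to_pem(der, label="RSA PRIVATE KEY"):
    """Unencrypted PEM: base64 of the DER in 64-column lines between BEGIN/END markers."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()

def sniff_format(data):
    """'pem', 'pem-encrypted', 'der' or 'unknown', judged from the file's bytes."""
    m = PEM_RE.search(data)
    if m:
        return "pem-encrypted" if b"Proc-Type: 4,ENCRYPTED" in m.group(2) else "pem"
    return "der" if data[:1] == b"\x30" else "unknown"  # DER opens with the SEQUENCE tag

def read_tlv(buf, pos):
    """Read one tag/length/value triple; return (tag, value, offset after it)."""
    if pos + 2 > len(buf):
        raise ValueError("ASN1 lib: premature end of data")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next N bytes hold the length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("ASN1 lib: length exceeds data")
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_private_key(der):
    """Walk the DER the way d2i_RSAPrivateKey does; fail on the first wrong tag."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError(f"d2i_RSAPrivateKey: bad class (tag 0x{tag:02x}, expected SEQUENCE)")
    fields, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError(f"d2i_ASN1_INTEGER: bad class (tag 0x{tag:02x}, expected INTEGER)")
        fields.append(int.from_bytes(value, "big"))
    if len(fields) != 9:
        raise ValueError(f"d2i_RSAPrivateKey: parsing ({len(fields)} fields, expected 9)")
    return fields

def load_key(data):
    """Accept PEM or DER bytes and return the nine RSAPrivateKey integers."""
    fmt = sniff_format(data)
    if fmt == "pem-encrypted":
        raise ValueError("encrypted PEM: needs the pass phrase (see DEK-Info) before parsing")
    if fmt == "pem":
        return parse_rsa_private_key(base64.b64decode(PEM_RE.search(data).group(2)))
    if fmt == "der":
        return parse_rsa_private_key(data)
    raise ValueError("neither PEM nor DER")

def crlf_corrupt(der):
    """What an editor doing LF -> CRLF translation does to a binary DER file."""
    return der.replace(b"\n", b"\r\n")

def diagnose(data):
    """One-line verdict for a key file's bytes."""
    try:
        modulus = load_key(data)[1]
        return f"ok: {sniff_format(data)} RSA key, modulus {modulus.bit_length()} bits"
    except ValueError as exc:
        return f"error: {exc}"

# Constructed toy key (p=61, q=53, e=17, d=2753 = 0x0AC1, so the DER holds a 0x0A byte).
TOY_DER = encode_rsa_private_key(n=3233, e=17, d=2753, p=61, q=53)
TOY_PEM = der_to_pem(TOY_DER)
# Constructed encrypted-PEM stub with the header shape from the post (body is filler).
ENCRYPTED_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: DES-EDE3-CBC,B8B837A08071289A\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for label, blob in (("pem", TOY_PEM), ("der", TOY_DER),
                        ("crlf-damaged der", crlf_corrupt(TOY_DER)), ("encrypted pem", ENCRYPTED_PEM)):
        print(f"{label:17}: {diagnose(blob)}")
```

Run it as-is to see the four verdicts, or feed load_key() the bytes of a real file (open(path, "rb").read()). For a real key the authoritative check is still openssl: `openssl rsa -noout -check -in <name>.key` for PEM, `openssl rsa -inform DER -noout -check -in <name>.key` if the file turns out to be binary, and comparing `openssl rsa -noout -modulus -in <name>.key` with `openssl x509 -noout -modulus -in <name>.crt` to confirm the key actually belongs to the VeriSign-signed cert. The script only makes the failure mode visible; it does not replace those commands.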
