Great!!! That did it. It was in the browser_req.xml. But a funny thing about all this...
When I was trying to troubleshoot this I was looking for the "COUNTRY" within the openca/etc directory (mine is actually /usr/local/etc/openca, but same thing) to see where this might also be found . So, I was grepping like so and would get this message: openCA:/usr/local/etc/openca# grep COUNTRY * grep: unrecognized option `--force-overwrite' Usage: grep [OPTION]... PATTERN [FILE]... Try `grep --help' for more information. openCA:/usr/local/etc/openca# It took me a while to understand exactly what was happening -- there is a file in this directory called "--force-overwrite". And the contents of that file are a RSA Private Key and Cert: -----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQDKP/12y7feGanwUP+MSlDWZsY2tvmetBcUq6x9q/yt3dw3EzrB 0gjSOrbhOF3WHug0Zhu/nIiHdA0CSF2FgqwOSQsCgo0QSjGO1rTNI2/uf965EJ0N ... OHT1o3XHLUG0Ll+e0kmEJG6uwopKdcAbQT17VrpwVAhzZQ== -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIBmTCCAQICCQD9OVfL8ee/azANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDEwZv ... -----END CERTIFICATE----- I have no idea how this got there. Can this be deleted? Is this a bug that would cause this to end up there, especially being named after a parameter of some sort, something must not be being parsed correctly. Thanks for the help (and I hope I was of some help as well). John A. Sullivan III wrote: > > Perhaps it is not using auth_browser_req.xml or the reconfiguration did > not actually update auth_browser_req.xml. Try looking at > browser_req.xml as well. Hope this helps - John > > On Thu, 2009-01-29 at 13:16 -0800, xv wrote: >> Hi, >> >> I did not see anything like this in the servers directory. But I did find >> it >> in the auth_browser_req.xml file as mentioned earlier: >> >> auth_browswer_req.xml: >> >> <input> >> <name>ADDITIONAL_ATTRIBUTE_COUNTRY</name> >> <label>Country</label> >> <type>textfield</type> >> <charset>UTF8_LETTERS</charset> >> <value>$DATA::C</value> >> <minlen>3</minlen> >> <required>NO</required> >> </input> >> >> I did change it to 2 in the template version and ran >> configuration_etc.sh, >> but there is still no change. It is telling me that if I have any entry >> in >> that field, it must be at least 3 chars long. Ironically, I have been >> able >> to get around this by not putting anything since it is set to >> "not-required" >> (you would think this would be required). >> >> Thanks again!!! >> >> >> >> >> >> John A. Sullivan III wrote: >> > >> > They used to be there but I do not think they are there any longer. >> Not >> > 100% sure - John >> > >> > On Thu, 2009-01-29 at 11:24 +0530, Anil Aliyan wrote: >> >> Hi, >> >> >> >> You can set these parameters in the ca.conf file located in the >> >> /opt/openca/etc/openca/servers folder. >> >> and also in some files inside /opt/openca/etc/openca/openssl and >> >> /opt/openca/etc/openca/openssl/openssl >> >> where you can change the required number or characters in a field. >> >> >> >> Regards, >> >> >> >> Anil Aliyan >> >> >> >> >> >> ----- Original Message ----- >> >> From: "John A. Sullivan III" <jsulli...@opensourcedevel.com> >> >> To: "Users' Help and Suggestions" <openca-users@lists.sourceforge.net> >> >> Sent: Thursday, January 29, 2009 11:04 AM >> >> Subject: Re: [Openca-Users] ISO country code length - Conflictingerror >> >> messages >> >> >> >> >> >> > On Wed, 2009-01-28 at 20:58 -0800, xv wrote: >> >> >> I will get this out of the way - I'm using openca-base-1.0.2 and >> >> >> openca-tools-1.1.0 running on Debian (compiled myself - >> painstakingly) >> >> , >> >> >> with MySQL 5.0.51. >> >> >> >> >> >> Im am trying to create the Initial CA Administrtor. I enter in the >> >> >> information as requested and for the users Contact Information I >> give >> >> the >> >> >> Country as "US" (two characters). I click continue and get an error >> >> >> message >> >> >> stating: >> >> >> >> >> >> ⋅ Country - Error (min. 3) >> >> >> >> >> >> 3 characters minimum. Ok, so I use USA and I'm able to move through >> >> the >> >> >> next >> >> >> couple screens. I finally get to the Certificate Request Summary >> page >> >> and >> >> >> click "Generate Request". I now get this error: >> >> >> >> >> >> Error Code: 7211021 >> >> >> Cannot create request! >> >> >> >> >> >> (OpenCA::REQ->new: Cannot create new request. Backend fails with >> >> >> errorcode >> >> >> 7712071. OpenCA::OpenSSL->genReq: Cannot execute command (7777067). >> >> >> problems >> >> >> making Certificate Request >> >> >> 12866:error:0D07A097:asn1 encoding >> routines:ASN1_mbstring_ncopy:string >> >> >> too >> >> >> long:a_mbstr.c:154:maxsize=2 error in req) >> >> >> >> >> >> According to this openca FAQ it is related to the Country Code >> being >> >> to >> >> >> long >> >> >> (see the very last question at the bottom of the page - 2.16): >> >> >> >> >> >> http://www.openca.org/~madwolf/apes02.html >> >> >> >> >> >> I have entered in various country names of different length (US, >> USA, >> >> >> FRANCE, ITALY) and I am always caught in the same catch 22 %-| - >> does >> >> >> anyone have an idea of how to resolve this? >> >> >> >> >> >> Thank you in advance!!! >> >> >> >> >> >> >> >> > Hmm . . . I'm not sure where this is set when initializing. In one >> >> case >> >> > I was migrating an old PKI and so had the keys and certs already and >> in >> >> > the other we used domain components instead of countries so I >> haven't >> >> > encountered this. >> >> > >> >> > I think the setup has changed in 1.0.2 and the initial information >> is >> >> > controlled by etc/openca/auth_browser_req.xml. Look for the >> >> > ADDITIONAL_ATTRIBUTE_COUNTRY input and the <minlen> tag. I bet it >> is >> >> > set to 3 instead of 2. Change it in the template >> >> > (auth_browser_req.xml.template) and rerun configure_etc.sh. That >> may >> >> do >> >> > it for you. >> >> > >> >> > This smells like a simple bug to fix. Would the developers kindly >> take >> >> > note. Then again, they know a thousand times more about this than I >> >> do! >> >> > Hope this helps - John >> >> > -- >> >> > John A. Sullivan III >> >> > Open Source Development Corporation >> >> > >> >> > Street Preacher: Are you SAVED?????!!!!!! >> >> > Educated Skeptic: Saved from WHAT?????!!!!!! >> >> > Educated Believer: From our selfishness that hurts the ones we love >> >> > and condemns us to an eternity of hurting each >> other. >> >> > http://www.spiritualoutreach.com >> >> > Christianity that makes sense >> >> > >> >> > >> >> > >> >> >> ------------------------------------------------------------------------------ >> >> > This SF.net email is sponsored by: >> >> > SourcForge Community >> >> > SourceForge wants to tell your story. >> >> > http://p.sf.net/sfu/sf-spreadtheword >> >> > _______________________________________________ >> >> > Openca-Users mailing list >> >> > Openca-Users@lists.sourceforge.net >> >> > https://lists.sourceforge.net/lists/listinfo/openca-users >> >> > >> >> >> >> >> >> >> ------------------------------------------------------------------------------ >> >> This SF.net email is sponsored by: >> >> SourcForge Community >> >> SourceForge wants to tell your story. >> >> http://p.sf.net/sfu/sf-spreadtheword >> >> _______________________________________________ >> >> Openca-Users mailing list >> >> Openca-Users@lists.sourceforge.net >> >> https://lists.sourceforge.net/lists/listinfo/openca-users >> > -- >> > John A. Sullivan III >> > Open Source Development Corporation >> > +1 207-985-7880 >> > jsulli...@opensourcedevel.com >> > >> > http://www.spiritualoutreach.com >> > Making Christianity intelligible to secular society >> > >> > >> > >> ------------------------------------------------------------------------------ >> > This SF.net email is sponsored by: >> > SourcForge Community >> > SourceForge wants to tell your story. >> > http://p.sf.net/sfu/sf-spreadtheword >> > _______________________________________________ >> > Openca-Users mailing list >> > Openca-Users@lists.sourceforge.net >> > https://lists.sourceforge.net/lists/listinfo/openca-users >> > >> > >> > -- > John A. Sullivan III > Open Source Development Corporation > +1 207-985-7880 > jsulli...@opensourcedevel.com > > http://www.spiritualoutreach.com > Making Christianity intelligible to secular society > > > ------------------------------------------------------------------------------ > This SF.net email is sponsored by: > SourcForge Community > SourceForge wants to tell your story. > http://p.sf.net/sfu/sf-spreadtheword > _______________________________________________ > Openca-Users mailing list > Openca-Users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openca-users > > -- View this message in context: http://www.nabble.com/ISO-country-code-length---Conflicting-error-messages-tp21711945p21736661.html Sent from the openca-users mailing list archive at Nabble.com. ------------------------------------------------------------------------------ This SF.net email is sponsored by: SourcForge Community SourceForge wants to tell your story. http://p.sf.net/sfu/sf-spreadtheword _______________________________________________ Openca-Users mailing list Openca-Users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openca-users
