Thanks a lot. I really don't know how to appreciate your time and effort. It
really helped me a lot and now it is working. The other problem I found was
that the perl and cgi scripts were not executed on the browser and it led to
other problems. Using this command,
a2enmod cgi
all the cgi and perl scripts start executing on the browser and now it is
working. I really appreciate it once more and hope that I can return your favor.
Best,
________________________________
From: Jack D. Pond <jack.p...@psitex.com>
To: 'Users' Help and Suggestions' <openca-users@lists.sourceforge.net>;
'Mohammad khodaei' <m_khod...@yahoo.com>
Cc: 'Mohammad Khodaei' <khod...@kth.se>
Sent: Thursday, May 31, 2012 9:22 PM
Subject: RE: [Openca-Users] Problem with OpenCA Web Interface - with OpenCA
service start instructions.
I apologize in advance for the length of this, but I don't have access to the
wiki to write something more comprehensive and understandable - this time
including how to initiate the OpenCA services.
Mohammed, I spent 3 full days and countless mistakes trying to install this on
Ubuntu 12.04, Apache, MySql (all updated to current) using the OpenCA 1.3.0
versions of both the tools and the base. Here are my notes.
As raw as they are, they may give you some ideas because I know how frustrating
this has been for you. Note, there is a quick guide to scrape the field and
start over again at the bottom - if I wrote this out, you can guess how many
times I screwed up and had to "green field" over again.
Jack D. Pond
"State facts, offer opinions; understand and respect the difference." -- Jack
Pond
---------------------------------------------------------------------------------
my offset build directories used below (within the user directory structure)
were:
* [BuildDir] = OpenCa
* [ToolsBuildDir] = [BuildDir]/openca-tools-1.3.0
* [BaseBuildDir] = [BuildDir]/openca-base-1.3.0
<pre>
cd
mkdir [BuildDir]
cd [BuildDir]
wget http://ftp.openca.org/openca/openca-tools/releases/v1.3.0/sources/openca-tools-1.3.0.tar.gz
wget http://ftp.openca.org/openca/openca-tools/releases/v1.3.0/sources/openca-tools-1.3.0.tar.gz.sha1
wget http://ftp.openca.org/openca/openca-base/releases/v1.3.0/sources/openca-base-1.3.0.tar.gz
wget http://ftp.openca.org/openca/openca-base/releases/v1.3.0/sources/openca-base-1.3.0.tar.gz.sha1
# Check the checksums to make sure you have good versions
sha1sum openca-tools-1.3.0.tar.gz
more openca-tools-1.3.0.tar.gz.sha1
sha1sum openca-base-1.3.0.tar.gz
more openca-base-1.3.0.tar.gz.sha1
tar -zxvf openca-tools-1.3.0.tar.gz
tar -zxvf openca-base-1.3.0.tar.gz
</pre>
Now make sure you have the set of tools you need to build from source and
execute: You also need to make sure you have the appropriate tool set:
<pre>
sudo apt-get -y install build-essential libssl-dev binutils binutils-dev openssl
# if you haven't already
sudo apt-get -y install libdb-dev libexpat1-dev automake checkinstall
# install apache with perl if you haven't already
sudo apt-get -y install apache2 libapache2-mod-perl2
sudo apt-get -y install libcrypt-ssleay-perl libwww-perl libhtml-parser-perl libwww-mechanize-perl
# install mysql
sudo apt-get -y install mysql-server libmysqld-dev libdb-dev
# then clean up
sudo apt-get -y update; sudo apt-get -y upgrade;
sudo apt-get -y autoremove
# now add the system user/group openca
sudo useradd -rU openca
sudo usermod -a -G openca root
# install postfix (you'll want this later if you use the notification stuff)
sudo apt-get -y install postfix
</pre>
For the apache configuration, I used a new "site available", then added a
symlink to it.
<pre>
sudo vim /etc/apache2/sites-available/051-PKI-CA
#within the new file, added:
<VirtualHost *:80>
ServerAdmin support@[yourdomain].com
ServerName ca.[yourdomain].com
# ServerAlias pki.[yourdomain].com *.[yourdomain].com
DocumentRoot "/var/www"
# <IfModule mpm_itk_module>
# AssignUserId www-data www-data
# </IfModule>
<Directory />
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
</Directory>
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
<Directory "/var/www/cgi-bin/">
AllowOverride None
Options +ExecCGI -Indexes -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog "${APACHE_LOG_DIR}/openca-error.log"
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog "${APACHE_LOG_DIR}/openca.log" combined
</VirtualHost>
# exit editor
sudo ln -s /etc/apache2/sites-available/051-PKI-CA /etc/apache2/sites-enabled/051-PKI-CA
# test the config before you throw the switch
sudo apache2ctl configtest
sudo service apache2 restart
</pre>
Now start the actual installation
Database Creation
In order for OpenCA to be able to store data into the database you need to
create a database and a user to manage the database. Following there's an
example for MySQL. Connect to the DBMS:
<pre>
mysql -u root -p -h localhost
</pre>
Then, create the database:
<pre>
mysql> CREATE DATABASE opencadb;
mysql> use opencadb;
mysql> GRANT ALL ON *.* TO 'opencadbuser'@'%' IDENTIFIED BY '[YourSuperSecretPassword]';
mysql> GRANT ALL ON *.* TO 'opencadbuser'@'localhost' IDENTIFIED BY '[YourSuperSecretPassword]';
mysql> flush privileges;
mysql> exit;
# Test it:
sudo mysql -u opencadbuser -p opencadb
</pre>
If you manage to log in to the DB, you correctly set up the database. NOTE: You
should use different names for the db and the username. However, they have to
match the ones configured in PREFIX/etc/openca/config.xml.
Create the Openca Tools
<pre>
pushd openca-tools-1.3.0/
./configure \
--with-openca-user="openca" \
--with-openca-group="openca"
# now make them
make
# now install them
sudo make install
popd
</pre>
Make and Install the OpenCA Offline (Certificate Authority, CA Server, Ubuntu)
<pre>
pushd openca-base-1.3.0/
# now configure the system for ubuntu 12.04
./configure \
--with-openca-user="openca" \
--with-openca-group="openca" \
--with-htdocs-fs-prefix="/var/www/html/pki" \
--with-htdocs-url-prefix="/html/pki" \
--with-cgi-fs-prefix="/var/www/cgi-bin/pki" \
--with-cgi-url-prefix="/cgi-bin/pki" \
--with-service-mail-account="c...@yourdomain.com" \
--with-support-mail-address="supp...@yourdomain.com" \
--with-ca-organization="Your Organization" \
--with-ca-locality="Philadelphia" \
--with-ca-state="Pennsylvania" \
--with-db-type="mysql" \
--with-db-user="opencadbuser" \
--with-db-name="opencadb" \
--with-db-passwd="[YourSuperSecretPassword]"
make
sudo make install-offline
# If you are using a single-node CA/RA, uncomment and do the following
# sudo make install-online
popd
</pre>
Now run the configurations - hopefully you'll get no errors:
<pre>
pushd /usr/local/etc/openca
sudo -s
. configure_etc.sh
/usr/local/etc/init.d/openca restart
exit
popd
</pre>
Finally, to make sure the service comes up at reboot add the following:
Different systems have different ways to add the scripts to the boot sequence,
in general linking the openca script in your /etc/init.d/ is a good start. You
can do this by executing the following command:
<pre>
cd /etc/init.d/
ln -s /usr/local/etc/init.d/openca .
</pre>
Problems Encountered (I did get errors), but don't do this until you're sure.
You shouldn't have to reconfigure if you're getting them in the openca
configure_etc
Missing XML::Parser
Missing perl modules. I don't know why they didn't compile (but the following
didn't):
XML::Parser
<pre>
sudo cpan
cpan>install CPAN
cpan>reload cpan
cpan>install XML::Parser
cpan>exit
</pre>
Certificate "fetch" Bombs Out (internal error 500) due to hex serial number
Fix from http://sourceforge.net/mailarchive/message.php?msg_id=28435810
<pre>
sudo cp /usr/local/lib/openca/perl_modules/perl5/OpenCA/DBI.pm Saved/DBI.pm.patched
sudo cp DBI.pm.patched /usr/local/lib/openca/perl_modules/perl5/OpenCA/DBI.pm
</pre>
my offset build directories used below (within the user directory structure)
were:
* [BuildDir] = OpenCa
* [ToolsBuildDir] = [BuildDir]/openca-tools-1.3.0
* [BaseBuildDir] = [BuildDir]/openca-base-1.3.0
Because I'd updated (using cpan) the DBD, DBI modules, it was necessary to
update the ones used by OpenCA too, otherwise, I got a version conflict. This
may not be necessary
If You Need the Current DBI Modules
# for this version it was the modules DBI-1.618 and DBD-mysql-4.020
<pre>
pushd [BaseBuildDir]/src/ext-modules/
rm DBI-*
rm DBD-mysql-*
wget http://search.cpan.org/CPAN/authors/id/T/TI/TIMB/DBI-1.621.tar.gz
wget http://search.cpan.org/CPAN/authors/id/C/CA/CAPTTOFU/DBD-mysql-4.021.tar.gz
wget http://search.cpan.org/CPAN/authors/id/T/TO/TODDR/XML-Parser-2.41.tar.gz
sed -i 's/DBI-1.618/DBI-1.621/g' Makefile
sed -i 's/DBD-mysql-4.020/DBD-mysql-4.021/g' Makefile
popd
</pre>
To remove an old version, you should execute the following:
<pre>
sudo [PREFIX]/etc/init.d/openca stop
pushd [BaseBuildDir]
sudo make distclean
popd
pushd [ToolsBuildDir]
sudo make distclean
popd
sudo find / -name openca
sudo find / -name pki
# for each directory returned above:
sudo rm -r [dir from 'find' above]
# to remove the bins:
sudo find / -name "openca*"
# for each file (or set of files, you can use wildcards)
sudo rm [file(s) returned from find above]
mysql -uroot -p
mysql> select user from mysql.user;
mysql> DROP USER 'opencadbuser'@'%'; #or whatever you used before
mysql> DROP USER 'opencadbuser'@'localhost';
mysql> show databases;
mysql> DROP DATABASE opencadb; #or whatever you used before
mysql> exit;
</pre>
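Added example, not part of the original e-mail or of OpenCA: the download notes above check the archives by reading the `sha1sum` output against the `.sha1` file by eye; the functions below do that comparison and return a failure status so extraction can be gated on it. The layout of the `.sha1` files is an assumption (a 40-character hex digest somewhere in the file), and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: compare an archive's SHA-1 with the digest in its .sha1 file.
# Assumption: the .sha1 file carries the digest as a stand-alone 40-hex-digit
# word (covers "digest  filename" and "SHA1(filename)= digest" layouts).

# Print the first 40-hex-digit word found in a checksum file, lower-cased.
published_sha1() {
    grep -oiwE '[0-9a-f]{40}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# Return 0 on match, 1 on mismatch, 2 if a file is missing or has no digest.
verify_sha1() {
    file=$1
    sumfile=${2:-$1.sha1}
    [ -r "$file" ] && [ -r "$sumfile" ] || { echo "MISSING  $file" >&2; return 2; }
    want=$(published_sha1 "$sumfile")
    [ -n "$want" ] || { echo "NO DIGEST in $sumfile" >&2; return 2; }
    have=$(sha1sum "$file" | cut -d ' ' -f 1)
    if [ "$have" = "$want" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (have $have, want $want)" >&2
    return 1
}

# Check every archive given; non-zero if any one of them fails.
verify_all() {
    rc=0
    for f in "$@"; do
        verify_sha1 "$f" || rc=1
    done
    return $rc
}

# Usage with the archives from the notes above (extract only if both pass):
#   verify_all openca-tools-1.3.0.tar.gz openca-base-1.3.0.tar.gz \
#     && tar -zxf openca-tools-1.3.0.tar.gz \
#     && tar -zxf openca-base-1.3.0.tar.gz
```

Both the archives and their `.sha1` files are fetched over plain HTTP from the same host, so a match shows the download is intact, not that it is authentic.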
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users