Hello: I am trying to set up Apache 2.0.43 using SSL on RedHat 8.0.
Here is the sequence of commands I typed:

cd /usr/local
rpm -e apache httpd mod_ssl mod_perl mod_dav redhat-config-httpd
rm -rf /var/www/html /var/www /var/log/httpd /etc/httpd/conf
lynx http://www.apache.org/dist/httpd/httpd-2.0.43.tar.gz
tar zxf httpd-2.0.43.tar.gz
cd httpd-2.0.43
./configure --prefix=/usr/local/apache --enable-ssl
make
make install
cd /usr/local/apache/conf
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl genrsa -des3 -out server.key 1024
mv server.key server.key.secure
openssl rsa -in server.key.secure -out server.key
openssl req -new -days 365 -key server.key -out server.csr
lynx http://lamps.efactory.de/sign.sh
chmod 744 sign.sh
./sign.sh server.csr

At this point, I got this output with an error message:

CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Texas'
localityName          :PRINTABLE:'Plano'
organizationName      :PRINTABLE:'JAMM Consulting, Inc.'
organizationalUnitName:PRINTABLE:'Web Services'
commonName            :PRINTABLE:'dsl.JAMMConsulting.com'
emailAddress          :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Oct 16 05:58:07 2003 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: /C=US/ST=Texas/L=Plano/O=JAMM Consulting, Inc./OU=Web [EMAIL PROTECTED]
error 18 at 0 depth lookup:self signed certificate
/C=US/ST=Texas/L=Plano/O=JAMM Consulting, Inc./OU=Web [EMAIL PROTECTED]
error 7 at 0 depth lookup:certificate signature failure

Looking around the net, I saw one page that said that I need to examine the verify call in the sign.sh script, but that seems to be fine to me.
Here are the contents of the sign.sh script:

#!/bin/sh
##
##  sign.sh -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
##

#   argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh <whatever>.csr"; exit 1
fi
if [ ! -f $CSR ]; then
    echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
   *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
       * ) CERT="$CSR.crt" ;;
esac

#   make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

#   create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca              = CA_own
[ CA_own ]
dir                     = .
certs                   = \$dir
new_certs_dir           = \$dir/ca.db.certs
database                = \$dir/ca.db.index
serial                  = \$dir/ca.db.serial
RANDFILE                = \$dir/ca.db.rand
certificate             = \$dir/ca.crt
private_key             = \$dir/ca.key
default_days            = 365
default_crl_days        = 30
default_md              = md5
preserve                = no
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOT

#   sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt $CERT

#   cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

#   die gracefully
exit 0

A different page told me that the message was no problem and to continue. So, I tried it.
I did these commands:

chmod 400 server.key
chmod 400 server.key.secure
vi /usr/local/apache/conf/ssl.conf

and set these values:

ServerAdmin [EMAIL PROTECTED]
ServerName dsl.JAMMConsulting.com:80
SSLCertificateFile /usr/local/apache/conf/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/server.key

vi /usr/local/apache/conf/httpd.conf

and set these values:

ServerAdmin [EMAIL PROTECTED]
ServerName dsl.JAMMConsulting.com:80

/usr/local/apache/bin/apachectl startssl

Everything seemed OK so far, but when I opened Mozilla and tried to connect to https://dsl.JAMMConsulting.com I got an error message that stated:

Could not establish an encrypted connection because certificate presented by dsl.jammconsulting.com is invalid or corrupted. Error Code: -8182

In the error_log for Apache, I see this error:

[Wed Oct 16 01:07:12 2002] [error] SSL handshake failed (server dsl.JAMMConsulting.com:443, client 127.0.0.1)
[Wed Oct 16 01:07:12 2002] [error] SSL Library Error: 336151570 error:14094412:lib(20):func(148):reason(1042)

Any ideas what this means and how I fix it?

Thanks,
Neil.

--
Neil Aggarwal
JAMM Consulting, Inc. (972) 612-6056, http://www.JAMMConsulting.com
Custom Internet Development Websites, Ecommerce, Java, databases

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
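An added example (my own, not from the post and not Ralf Engelschall's sign.sh) that reproduces the signing flow with a config equivalent to the one sign.sh writes and then runs the three checks worth applying before pointing Apache at the files. The detail to read in the output above is the pair of verify errors: openssl verify treats a certificate as self-signed when its issuer name equals its own subject name, and then checks the signature with the certificate's own key, which yields exactly "self signed certificate" followed by "certificate signature failure" on a certificate that a CA really did sign. That is the result when ca.crt and server.csr are created with the same answers to the two openssl req prompts; Mozilla's -8182 (SEC_ERROR_BAD_SIGNATURE) and the bad certificate alert in the Apache log (reason 1042) are the browser reaching the same verdict. The script builds a sound setup with distinct CA and server names next to a same-name setup and flags the latter by the name check alone, so it behaves the same across OpenSSL versions. The temp directory, DNs and hostname are made up; it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not part of the original post or of sign.sh: a private CA signs a
# server CSR via 'openssl ca' with a config equivalent to the one sign.sh writes
# (sha256 instead of md5, plus TLS server extensions), then three checks separate
# a sound chain from the failure the post shows. Assumes 'openssl' 1.1.1+ on PATH;
# works in a fresh temp directory; every DN and hostname below is made up.
set -eu

SERVER_DN="/C=US/ST=Texas/L=Plano/O=Example Org/CN=www.example.test"

# Files 'openssl ca' expects (sign.sh's "make sure environment exists" part) plus
# the CA config and a request config; prints the directory.
init_ca_dir() {
  d=$(mktemp -d)
  mkdir "$d/ca.db.certs"
  echo '01' > "$d/ca.db.serial"
  : > "$d/ca.db.index"
  cat > "$d/ca.config" <<'EOT'
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = .
new_certs_dir = $dir/ca.db.certs
database = $dir/ca.db.index
serial = $dir/ca.db.serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_days = 365
default_md = sha256
policy = policy_anything
x509_extensions = v3_server
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
commonName = supplied
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
EOT
  cat > "$d/req.cnf" <<'EOT'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOT
  echo "$d"
}

# $1 = CA subject DN, $2 = server subject DN. 'openssl ca' runs with -batch from
# inside the directory because the config says dir = ., the same convention
# sign.sh relies on. Prints the directory.
build_setup() {
  d=$(init_ca_dir)
  ( cd "$d" &&
    openssl genrsa -out ca.key 2048 &&
    openssl req -new -x509 -config req.cnf -key ca.key -subj "$1" -days 365 -out ca.crt &&
    openssl genrsa -out server.key 2048 &&
    openssl req -new -config req.cnf -key server.key -subj "$2" -out server.csr &&
    openssl ca -batch -notext -config ca.config -out server.crt -infiles server.csr ) >/dev/null 2>&1
  echo "$d"
}

# Check 1: a certificate whose issuer name equals its own subject name is treated
# as self-signed by openssl verify (and by browsers), which then checks the
# signature with the cert's own key: the "self signed certificate" +
# "certificate signature failure" pair. Returns 0 when the names differ.
subject_differs_from_issuer() {
  s=$(openssl x509 -noout -subject -in "$1/server.crt")
  i=$(openssl x509 -noout -issuer -in "$1/server.crt")
  [ "${s#subject=}" != "${i#issuer=}" ]
}

# Check 2: the private key Apache loads must belong to the certificate it serves.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1/server.crt")" = \
    "$(openssl pkey -in "$1/server.key" -pubout)" ]
}

# Check 3: the verification sign.sh runs right after signing.
chain_verifies() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

report() {
  echo "$1:"
  subject_differs_from_issuer "$1" && echo "  subject != issuer: ok" \
    || echo "  subject == issuer: verifiers will treat the cert as self-signed"
  key_matches_cert "$1" && echo "  key matches cert: ok" || echo "  key/cert mismatch"
  chain_verifies "$1" && echo "  openssl verify: OK" || echo "  openssl verify: FAILED"
}

# Sound setup (distinct names) next to the one the post's verify output points at.
report "$(build_setup "/C=US/O=Example Org/CN=Example Private CA" "$SERVER_DN")"
report "$(build_setup "$SERVER_DN" "$SERVER_DN")"
```

Run it as is; it prints the three checks for both directories and leaves them under the temp location for inspection with openssl x509 -text. The request config here deliberately stays minimal, so a certificate a current browser will accept for a hostname still needs a subjectAltName carrying that name, which is a separate step from the name collision the checks are about.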
