Could that be changed?

Maybe by parsing only files smaller than 10 Kbytes containing the text CERTIFICATE?

The goal for my feature request was to create some zero-admin
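The selection rule proposed above (a size cap plus a CERTIFICATE marker instead of a .pem/.crt extension filter), written up as an added shell example; it is not Pound's code and was not posted by anyone in this thread. The 10 Kbyte limit, the function names and the marker-only sample files are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Pound's code): list the files in a Plesk-style certificate
# directory that Pound could load as SNI certs. Plesk names them cert-XXXX with
# no extension, so an extension filter finds nothing; the rule used here is
# "small file that contains a CERTIFICATE block".

# Print candidate paths, one per line. A file with a certificate but no private
# key is reported on stderr and skipped, since a Pound Cert file needs both.
pound_cert_candidates() {
    dir=$1
    max=${2:-10240}   # assumed limit: 10 Kbytes, as proposed in the thread
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        [ "$size" -le "$max" ] || continue
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || continue
        if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            echo "skip $f: certificate without private key" >&2
            continue
        fi
        printf '%s\n' "$f"
    done
}

# Turn the candidate list into Cert directives for a ListenHTTPS block.
# Paths are double-quoted, which Pound's config parser requires.
pound_cert_directives() {
    pound_cert_candidates "$1" "$2" | while IFS= read -r f; do
        printf '    Cert "%s"\n' "$f"
    done
}

# Constructed sample directory: marker lines only, no real key material.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' X '-----END RSA PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' X '-----END CERTIFICATE-----' > "$demo_dir/cert-ok"
printf '%s\n' '-----BEGIN CERTIFICATE-----' X '-----END CERTIFICATE-----' > "$demo_dir/cert-nokey"
printf '%s\n' 'not a certificate' > "$demo_dir/notes"
pound_cert_directives "$demo_dir"
```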
 
-----Original message-----
From: Joe Gooch <[email protected]>
Sent: Fri 08-03-2013 22:54
Subject: RE: [Pound Mailing List] Re: Certificates in a folder
To: '[email protected]' <[email protected]>;
 
It only looks for files with a .pem or .crt extension…

 
Joe

 
From: Jean-Pierre van Melis [mailto:[email protected]] 
Sent: Friday, March 08, 2013 4:22 PM
To: '[email protected]'
Subject: AW: [Pound Mailing List] Re: Certificates in a folder

 
OK...

 
The quotes were definitely the culprit.

But it's still not working as it doesn't accept the files in that folder.
I'm now getting different error-messages....

 
Including Certs from Dir /usr/local/psa/var/certificates/

/etc/pound/pound.cfg line 102: ListenHTTPS missing Address, Port or Certificate - aborted

 
Maybe the reason can be found when some more parameter checking is done during the reading of these files????

 
The folder contains several files with certificates....

 
# ls -altr /usr/local/psa/var/certificates/
total 48
-r--------  1 root   root   3017 2012-02-25 13:34 certPzNB5En
-r--------  1 psaadm psaadm 3722 2012-02-25 14:57 cert-26GwHt
-r--------  1 psaadm psaadm 3718 2012-11-06 16:03 cert-SlHUBx
drwxr-xr-x 12 psaadm psaadm 4096 2012-11-07 00:37 ..
-r--------  1 root   root   3714 2012-11-08 13:05 cert-AY4qNk
-r--------  1 root   root   3714 2012-11-08 13:12 cert-badYff
-r--------  1 root   root   3198 2012-11-08 13:12 cert-21Snze
-r--------  1 psaadm psaadm 3198 2012-11-08 13:59 cert-NwF9LO
-r--------  1 psaadm psaadm 3714 2012-11-08 13:59 cert-i0kVwM
-r--------  1 psaadm psaadm 3722 2012-11-08 22:29 cert-QkxgPB
-r--------  1 psaadm psaadm 3198 2012-11-08 22:29 cert-NXRyFH
dr-x------  2 root   root   4096 2012-11-08 22:29 .

 
 
Here's one certificate:

 
# cat /usr/local/psa/var/certificates/certPzNB5En

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

 
-----Original message-----
From: Joe Gooch <[email protected]>
Sent: Wednesday 6 March 2013 15:42
To: '[email protected]' <[email protected]>
Subject: RE: [Pound Mailing List] Re: Certificates in a folder



You compiled source from the git link I posted?

If so grep CertDir config.c should return a bunch of stuff.

You need to specify the path in double quotes too.

CertDir “/etc/certs.d/”

 
(if you c&p make sure to fix the silly MS smart quotes)
Joe

 
From: Jean-Pierre van Melis [mailto:[email protected]]
Sent: Monday, March 04, 2013 8:03 AM
To: '[email protected]'
Subject: AW: [Pound Mailing List] Re: Certificates in a folder

 
If I use the directive CertDir, it says this directive is not supported...

I would love to have this working...

 
Joe Gooch's comment about being able to create a file with all CA's in it is of 
course a valid statement, but the reason I'm asking for these features is to 
use pound with zero-administration in a Plesk environment.

 
 
 
 
-----Original message-----
From: Joe Gooch <[email protected]>
Sent: Friday 14 December 2012 15:42
To: '[email protected]' <[email protected]>
Subject: RE: [Pound Mailing List] Re: Certificates in a folder


I had thought the use case for CertDir was to use SNI… CAList and VerifyList have to do with client certificates… so it wouldn't seem to match the use case.

 
If you're talking about CAList and VerifyList… Those calls look different. Looks like it sets the list with a single call to SSL_CTX_set_client_CA_list or SSL_CTX_load_verify_locations… It's not a linked list like SNI certs are. Inherently the CAList and VerifyList directives take a file with multiple certificates in it, so you could easily create such a combined file (i.e. cas.pem) with cat (cat ca.d/*.pem > cas.pem) or similar.

 
Joe

 
From: Jean-Pierre van Melis [mailto:[email protected]]
Sent: Friday, December 14, 2012 7:02 AM
To: '[email protected]'
Subject: AW: [Pound Mailing List] Re: Certificates in a folder

 
That's great....

Thanks!!!

 
But is an equivalent for CA's not required?

-----Original message-----
From: Joe Gooch <[email protected]>
Sent: Thursday 13 December 2012 20:59
To: '[email protected]' <[email protected]>
Subject: RE: [Pound Mailing List] Re: Certificates in a folder

https://github.com/goochjj/pound/commits/stage_for_upstream/v2.7b

 
Now has a CertDir directive.

 
Joe

 
From: Jean-Pierre van Melis [mailto:[email protected]]
Sent: Tuesday, December 11, 2012 5:14 AM
To: [email protected]
Subject: FW: [Pound Mailing List] Re: Certificates in a folder

 

> Pound doesn't have information which certificate should use on which listener.

 
I don't want to specify a global folder, but I want to specify a folder for 
each listener.

One folder for the CA's and one for the certificates.

 
There I can place all the different certificates.

 
I am using SNI (Server Name Indication), which means I can have more than 1 
certificate on 1 listener.

Because you might not need it, you are not thinking of that.

 
Cheers

-----Original message-----
From: Andrzej Dopierała <[email protected]>
Sent: Sunday 9 December 2012 18:04
To: [email protected]
Subject: Re: [Pound Mailing List] Re: Certificates in a folder

On 09.12.2012 14:52, Jean-Pierre van Melis wrote:

Can't we get an update on this?

If this is possible I don't have to write a script for this. 

What do you mean?
Do you want to use the default path to certificates, to specify only:
Cert    "cert1.pem"
in the config?

if yes - it's enough to run pound from this directory:

wwwlb:/etc/ssl/certs# grep test.pem /etc/pound/pound.cfg
    #Cert    "/etc/ssl/certs/test.pem" 
    Cert    "test.pem" 
wwwlb:/etc/ssl/certs# /usr/sbin/pound
starting...
wwwlb:/etc/ssl/certs# ps auxwwf |grep -i pound
www-data 27745  0.0  0.0   4180   644 ?        Ss   16:49   0:00 /usr/sbin/pound
www-data 27746  0.0  0.0   4692   632 ?        Sl   16:49   0:00  \_ /usr/sbin/pound


But if you wish to just put a directory and want Pound to select the certificates itself, it's impossible. Pound doesn't have information about which certificate should be used on which listener.




-------- Original message --------
From: Jean-Pierre van Melis <[email protected]>
Date:
To: "'[email protected]'" <[email protected]>
Subject: Certificates in a folder




AFAIK we need to specify the full path of certificates in the pound.cfg using 
multiple directives called "Cert". 

For management purposes it would be great if we could specify a folder there 
and all certificates are parsed and used.

 
 
 

-- 


Regards,


Andrzej 'The Undefined' Dopierała


http://andrzej.dopierala.name/

 
