Hi D,

I tried it your way but I was unsuccessful. 
I'll explain what I am trying to do. 

My first question is to you and everyone else. Why can't I create a
secondary pem just like I did the pem for the Cert and have Pound only
recognize the secondary certificate and ignore the primary certificate?

I am trying to ignore the pem that Pound needs and only have Pound accept
the certificate that I sign with a privately created CA of mine. I am trying
to get away from outside signing and want to go self-signed.
Essentially, I want to be able to create a Certificate Authority of my own
and then use that authority to sign certificates, which I distribute to
the people who I want to access the server and information, and have Pound
verify the certificate I signed using the Certificate Authority to either
grant or deny access depending on whether the certificate is correct.

I want to first verify I am doing this right. 

I create the CA key
Then create the CA cert and sign it using the CA key to create the CA
certificate.

Then I create the client key.
Then create the client certificate signed by the client key.

I place that CA.pem, or the CA certificate I created in step 2, on my server
in Pound's VerifyList folder and section.

I then place the certificate in my browser certificate and the ca
certificate in the authority section of my browser. 

Then I save, reopen Firefox (for example) and try to go to my server, and no
matter how I create the Certificate Directive and cat keys and certs
together, I get the following error.

"An error occurred during a connection to xxx.xxx.xxx.xxx. Peer does not
recognize and trust the CA that issued your certificate. Error code:
SSL_ERROR_UNKNOWN_CA_ALERT"

I am not sure if I am structuring my CA directive properly. 

This thing is kicking me to death. My server is running embedded Linux. It
has SSL installed and running. And Pound runs with no error. 

Would you have any suggestions on how to make this work? I am trying to
finish this and get it tested and pushed over to review before the end of
August. 

Warren
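The procedure in the message above, carried through end to end as an added example (my own script, not code from this thread or from the Pound project). It builds the private CA, issues a server certificate and a client certificate whose CSRs are signed with the CA key, assembles the file for the Cert directive in the order D. Hampton Finger describes in the reply quoted below (key first, then certificate), writes the ListenHTTPS block with VerifyList, CAlist and ClientCert, and then runs `openssl verify` against the CA file so the chain can be checked offline before a browser is involved. It also generates a self-signed client certificate to show that the same check rejects a certificate the CA never signed; that is the server-side condition behind the browser's SSL_ERROR_UNKNOWN_CA_ALERT. Assumptions: openssl 1.1.1 or later on PATH; every path, subject name, port and the PKCS#12 password is constructed for this example, and the config section names (v3_ca, v3_client, v3_server) are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Pound: build a private CA,
# issue a server cert and a client cert signed by that CA, lay the PEM files
# out as Pound's Cert/VerifyList directives expect, and check the chain with
# openssl before a browser is involved. Assumptions: openssl 1.1.1+ on PATH;
# every path, subject name, port and the PKCS#12 password is made up here.
set -e
WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"
# Minimal config so the script does not depend on the system openssl.cnf.
write_config() {
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = IP:127.0.0.1
EOF
}

# Step 1: CA key and self-signed CA cert; ca.cert.pem is what VerifyList loads.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$CNF" \
        -extensions v3_ca -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key.pem" -out "$WORK/ca.cert.pem" 2>/dev/null
}

# Steps 2-3: key and CSR for "$1", then a cert signed with the CA key (not with
# the leaf's own key) using extension section "$2".
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=$1" \
        -keyout "$WORK/$1.key.pem" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/ca.cert.pem" \
        -CAkey "$WORK/ca.key.pem" -CAcreateserial -extfile "$CNF" \
        -extensions "$2" -out "$WORK/$1.cert.pem" 2>/dev/null
}

# The wrong variant: a client cert signed with the client's own key. The browser
# imports it happily, but no CA in VerifyList issued it.
make_selfsigned_client() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$CNF" \
        -extensions v3_client -subj "/CN=selfsigned" -keyout "$WORK/self.key.pem" \
        -out "$WORK/self.cert.pem" 2>/dev/null
}

# Step 4: the Cert file is key first, then server cert; intermediates, if any,
# follow in issuer order. A private root CA has none, so nothing else is added.
# Step 5: client key+cert as PKCS#12 for the browser's personal certificate store.
assemble_files() {
    cat "$WORK/server.key.pem" "$WORK/server.cert.pem" > "$WORK/pound-server.pem"
    openssl pkcs12 -export -inkey "$WORK/client.key.pem" -in "$WORK/client.cert.pem" \
        -certfile "$WORK/ca.cert.pem" -passout pass:example-only \
        -out "$WORK/client.p12" 2>/dev/null
    cat > "$WORK/pound.cfg" <<EOF
ListenHTTPS
    Address    0.0.0.0
    Port       443
    Cert       "$WORK/pound-server.pem"
    VerifyList "$WORK/ca.cert.pem"
    CAlist     "$WORK/ca.cert.pem"
    ClientCert 2 2
    Service
        BackEnd
            Address 127.0.0.1
            Port    8080
        End
    End
End
EOF
}

# Prints 1 if cert "$2" chains to the CA file "$1", else 0. A 0 for the cert the
# browser presents is the server-side condition behind the unknown_ca alert.
verify_against_ca() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

build_pki() {
    write_config; make_ca
    issue_cert server v3_server; issue_cert client v3_client
    make_selfsigned_client; assemble_files
}

build_pki
echo "CA-signed client cert verifies:   $(verify_against_ca "$WORK/ca.cert.pem" "$WORK/client.cert.pem")"
echo "self-signed client cert verifies: $(verify_against_ca "$WORK/ca.cert.pem" "$WORK/self.cert.pem")"
```

Run it with `sh build-private-ca.sh`, then copy ca.cert.pem to the VerifyList path, pound-server.pem to the Cert path, and import client.p12 into the browser's personal certificate store (the CA cert goes in the authorities store, as in the message above). If `openssl verify` reports OK here but the browser still gets an unknown-CA alert, the CA file Pound actually loads through VerifyList is not the one that signed the client certificate; comparing the two files with `openssl x509 -noout -subject -fingerprint` is the quickest check.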



-----Original Message-----
From: D. Hampton Finger [mailto:[email protected]] 
Sent: Tuesday, August 01, 2017 10:35 AM
To: [email protected]
Subject: RE: [Pound Mailing List] Follow-Up to help with Pound, Web browsers
and Certificates

I have had this issue over several refreshes, and finally just broke it out
into a more manageable setup.

     Cert    "/etc/pki/tls/certs/quest-pound.pem"
     VerifyList "/etc/pki/tls/certs/incommon_interm.pem"
     CAlist "/etc/pki/tls/certs/incommon_interm.pem"

I am running 2.6 and keep the cert/key pem as one, and the other certs in
the order provided by my issuer: chain order, with the CA last in the
interim. I put the key first, then the cert, in the file named by the Cert
directive.

I hope this helps, as it did make my setup much more manageable.

----------------------------------------------------------------
D. Hampton Finger                       [email protected]
Sr. Systems Administrator                      PH:  512-636-1701
College of Natural Sciences    The University of Texas at Austin
----------------------------------------------------------------

On Tue, 1 Aug 2017, Warren Perdue wrote:

> *** UPDATE ***
>
> Hey guys,
>
> I need your help. I am trying to create a Cert Directive for my server, and
> no matter what I try I cannot get the sequence right.
> Do you all know the order in which I have to place the keys and certs,
> being private, intermediate, chain and server?
>
> I have:
> ca.key.pem
> ca.cert.pem
> intermediate.key.pem
> intermediate.cert.pem
> ca-chain.pem (above CA chain)
> server.key.pem
> server.cert.pem
>
> In what order do I have to place these in order to create a CA directive to
> place in my CAList directory on my server so that my server will recognize
> server.cert.pem?
>
> I have tried every combination there is with no luck, and I was wondering if
> any of you could help. What am I forgetting to do, or what do I need to do?
>
> Warren
>
>
>
> -----Original Message-----
> From: Warren Perdue [mailto:[email protected]]
> Sent: Tuesday, July 25, 2017 9:13 AM
> To: [email protected]
> Subject: [Pound Mailing List] Follow-Up to help with Pound, Web 
> browsers and Certificates
>
> Hi Joe and anyone else that can help,
>
> I have a question and hopefully you can answer it.
>
> I have my CA set up and the Key and Pem for it. I also created my
> certificate and signed it with the CA.
> I loaded the CA.pem to the VerifyList and have ClientCert 2 2 but I 
> still get the error message : SSL_ERROR_HANDSHAKE_FAILURE_ALERT
>
> What am I doing wrong?
>
> I used the procedures you gave me; I also followed this link step by 
> step http://www.octaldream.com/scottm/talks/ssl/opensslca.html , and 
> even used this web app https://makoserver.net/download/linux-x86/ to 
> create the CA and Sign my cert and I still get the
>
> SSL_ERROR_HANDSHAKE_FAILURE_ALERT
>
> I have gotten this to work on Mac, Windows, and Linux machines but not my
> server, which is an embedded server running BOA and Pound with OpenSSL
> support, and I need Pound for load balancing.
>
> I have my cakey.pem and cacert.pem, so what else do I have to include in my
> Cert Directive? I am a little confused as to how to construct the Cert
> Directive to work with Pound. I can make my plan work on other software and
> OSes and do not understand what I am doing wrong to get it to work with Pound.
>
> If any of you can help me, I could surely use your help.
>
> Warren
>
>
> -----Original Message-----
> From: Joe Gooch [mailto:[email protected]]
> Sent: Thursday, June 01, 2017 4:13 PM
> To: [email protected]
> Subject: Re: [Pound Mailing List] Limit amount of Processes Pound can 
> create using fork()
>
> Uhm... Doesn't that just mean you want
>
> ThreadModel pool
> Threads 5
>
> ------
>
> Joe
>
>
>
>
>
> From:  Warren Perdue <[email protected]>
> Organization:  Valcom, Inc.
> Reply-To:  "[email protected]" <[email protected]>
> Date:  Thursday, June 1, 2017 at 4:06 PM
> To:  "[email protected]" <[email protected]>
> Subject:  [Pound Mailing List] Limit amount of Processes Pound can 
> create using fork()
>
>
> Hey guys,
>
> I have been wrecking my brain on how to limit Pound from creating
> additional processes. I want Pound to accept only one input at a time and
> only allow one process to run beyond its current 4 processes. Do any of you
> have any idea on how I can accomplish that?
>
> I have tried setrlimit, limiting the number of forks Pound can do, and
> adding code to track the processes and kill any additional processes over
> 6. I have also tried running it as a daemon and limiting the threads, but
> nothing works.
>
>
> So do any of you have any ideas on how I can get Pound to limit the number
> of processes that are created by Pound with incoming commands?
>
> Warren
>
>
>
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.
>
>
>
>
>
