RE: [Openca-Users] Chinese vs international
Hi Sergei,

Thanks. Yes. I translate the file using UTF-8 encoding. We have tested in OpenCA 0.9.2.5 using part of the file I have translated, and it works well. :)

Warmest Regards,
-Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sergei Vyshenski
Sent: Thursday, January 19, 2006 6:54 PM
To: openca-users@lists.sourceforge.net
Subject: Re: [Openca-Users] Chinese vs international

Kevin,

1. Menu.xml is not intended for translation. It contains (English) keys that are used as pointers to translated interfaces, when selected. If you remove or miss keys, you end up with a mess.

2. Once you specify "encoding=UTF-8" in your file, it might be not extremely bright idea to use GB2312 encoding in the field.

3. Here in particular, and in your translation in general, you had better use one of the following Chinese offerings available in UTF-8 tables:
   1) Bopomofo
   2) Bopomofo extended
   3) one of the CJK
Otherwise Michael will be having a hard time decoding your translation into one of the 3 options himself.

Since release 0.9.2.4, OpenCA supports only UTF-8 encoded translations of user interface.

Regards,
Sergei

Kevin Dong wrote:
> Hi,
>
> Thank you for your answer. I just want to confirm if the menu.xml supports
> the other characters.
>
> For Chinese GB translation, I have sent an email to Michael. We will finish
> the translation before 29 Feb.
>
> -Kevin Dong
>>>
>>> ДT-Фv+
>>> cmd=setLanguage;lang=zh_CN;charset=UTF-8
>>> top
>>>
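The mismatch Sergei describes in point 2, a file that declares UTF-8 but carries GB2312 bytes in a field, can be caught before the file is deployed. This is an added example, not code from the thread or from OpenCA; the `<item>`, `<name>` and `<link>` element names and the sample files are constructed for illustration.

```python
import re

# Encoding pseudo-attribute of an XML declaration at the start of the file.
DECL_RE = re.compile(rb'<\?xml[^>]*?encoding\s*=\s*["\']([A-Za-z0-9._-]+)["\']')


def declared_encoding(data: bytes) -> str:
    """Encoding named in the XML declaration; UTF-8 when none is given."""
    m = DECL_RE.match(data)
    return m.group(1).decode("ascii").lower() if m else "utf-8"


def check_encoding(data: bytes, candidates=("gb2312", "big5")):
    """Strictly decode every line with the declared encoding.

    Returns (declared, problems). Each problem holds the line number, the
    offset of the first undecodable byte in that line, and the first legacy
    encoding from `candidates` that does decode the line (None if none).
    Splitting on newline bytes assumes an ASCII-compatible encoding; an
    unknown declared encoding name raises LookupError.
    """
    declared = declared_encoding(data)
    problems = []
    for lineno, line in enumerate(data.split(b"\n"), 1):
        try:
            line.decode(declared)
            continue
        except UnicodeDecodeError as exc:
            offset = exc.start
        guess = None
        for enc in candidates:
            try:
                line.decode(enc)
                guess = enc
                break
            except UnicodeDecodeError:
                pass
        problems.append({"line": lineno, "offset": offset, "decodes_as": guess})
    return declared, problems


def misread(text: str, actual: str, assumed: str) -> str:
    """How `text` stored as `actual` looks to a reader that assumes `assumed`."""
    return text.encode(actual).decode(assumed, errors="replace")


def build_menu(label: bytes) -> bytes:
    """Constructed menu fragment; element names are hypothetical."""
    return (b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<item>\n'
            b'  <name>' + label + b'</name>\n'
            b'  <link>cmd=setLanguage;lang=zh_CN;charset=UTF-8</link>\n'
            b'</item>\n')


CHINESE = "\u4e2d\u6587"                      # the two characters for "Chinese"
GOOD = build_menu(CHINESE.encode("utf-8"))    # label really is UTF-8
BAD = build_menu(CHINESE.encode("gb2312"))    # label is GB2312: D6 D0 CE C4

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad", BAD)):
        declared, problems = check_encoding(blob)
        print(name, "declares", declared, "->", problems or "clean")
    # The same GB2312 bytes shown by software that assumes a single-byte
    # charset (KOI8-R here) come out as four unrelated letters.
    print(misread(CHINESE, "gb2312", "koi8_r"))
```

Running the check as part of accepting a translation rejects mixed-encoding files early instead of leaving the wrong bytes to surface in the rendered interface.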
RE: [Openca-Users] Chinese vs international
Hi,

Thank you for your answer. I just want to confirm if the menu.xml supports the other characters.

For Chinese GB translation, I have sent an email to Michael. We will finish the translation before 29 Feb.

-Kevin Dong

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sergei Vyshenski
Sent: Monday, January 16, 2006 7:34 PM
To: openca-users@lists.sourceforge.net
Subject: [Openca-Users] Chinese vs international

1. If you want to see Chinese among languages supported by OpenCA, then you have to submit your translation to Michael as "i18n" suggests. In this case you have to obey general design approach of the system. In particular, you have to understand, that if a non-chinese user accidentally hits some menu and finds himself around Chinese, then he SHOULD have possibility to navigate away from Chinese. And this possibility implies purely English names of languages in some menus.

2. If you want to hack OpenCA to your personal needs neglecting general design guidelines, then why do you bother OpenCA mailing list at all?

Sergei

Kejun Dong wrote:
> Hi,
>
> I am so sorry for having not described the problem clearly.
> Now according to i18n file, we can deploy the Chinese in to OpenCA
> correctly. But in the language tab, all the characters is in English and now
> we want to modify the character "Chinese" into the Chinese character "中文".
> When we add the "中文" (The Chinese character of "Chinese") in the
> menu.xml file, it isn't coded right. Do you think about the problem
> before? Thanks a lot.
>
> - Kevin Dong & Yihua Zheng
> **
> * Kevin Dong (T-©ф+Э)
> * Tel:+86-10-58812310 Fax:+86-10-58812306
> * Network Technology and Applications Research Laboratory
> * Computer Network Information Center
> * Chinese Academy of Sciences
> **
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Sergei Vyshenski
> Sent: Sunday, January 15, 2006 5:18 AM
> To: openca-users@lists.sourceforge.net
> Subject: Re: [Openca-Users] help: A question about use chinese in menu.xml file
>
> Have you read the file "i18n" from the root of the source distribution?
>
> жёрю│L wrote:
>> Hi,all
>> Yesterday we set up the openca system use openca-0.9.2.5 ,For our
>> need,We add the language chinese into this system.we translate the
>> openca.po to chinese and add the language chinese item just like below
>> shows:
>>
>> 中文
>> cmd=setLanguage;lang=zh_CN;charset=UTF-8
>> top
>>
>> restart the openca daemon,when I want to see the language item 中文,it
>> don't encoding right.
>> can you give me some advise for this problem.
>> thank you very much!
[Openca-Users] Confusion over web form fields and associated cert fields (sorry for length)
Hi List-

I'm finding myself getting confused about which OpenCA web form fields are associated with which certificate fields as I request a certificate using OpenCA.

For example, I just finished requesting a new certificate using the Basic Certificate Request web form (/pub-->User-->Request a Certificate-->Basic Certificate Request). Then I approved it, moved it up to the CA, issued the cert, moved it back down to the RA, then picked up the new cert and examined the web form fields in the request and compared them to the cert fields. Here's what I saw:

When requesting pki-last.crt, the following fields were as follows:

==(initial web form with empty fields)=

Basic Certificate Request
Please enter your data in the following form.

Certificate Data
    E-Mail
    Name
    Certificate Request Group
    alternative email
    IP address
    DNS name
    DNS name
User Data
    Name (first and Last name)
    Email
    Department
    Telephone
    Level Of Assurance
        chose the LOA you would like to be authenticated against.
    Role
    Registration Authority
        chose the RA where you will be authenticated.
    PIN [used to verify the certification request, min 10 chars (please write it down for later usage)]
    Re-type your PIN for confirmation
    Choose a keysize

==form filled out and submitted gives

Confirm Certificate Request
Following are listed data received. Please check carefully information here reported with the ones in your possession.

Certificate Data
    E-Mail                        [EMAIL PROTECTED]
    Name                          Two Two
    Certificate Request Group     Partners
    alternative email             [EMAIL PROTECTED]
    IP address                    001.002.003.004
    DNS name                      five.five.com
    DNS name                      six.six.com
User Data
    Name (first and Last name)    Seven Seven
    Email                         [EMAIL PROTECTED]
    Department                    Nine
    Telephone                     101.101-1010
    Level Of Assurance (LOA)      basic
    Role                          Mail Server
    Registration Authority        Help Desk 1
    Keysize                       1024

==finalizing request, I get==

Thank you for requesting your certificate from our organization, your request with the serial 3360 it's been successfully archived and it is now waiting for approval by any of our Registration Authorities (if you are unsure about the receiving of your request by this server, you can check the list of new requests).

To complete the certification process you have to go to one of our Registration Authority office with one of the following documents:
    o ID card or passport.
    o Documnetation asserting your role and authorization for requesting a certificate for your organization.

If you still have doubts about the issuing process, just use the links provided in the Information section to learn how to complete all the needed steps.

    ADDITIONAL_ATTRIBUTE_DEPARTMENT     Nine
    ADDITIONAL_ATTRIBUTE_EMAIL          [EMAIL PROTECTED]
    ADDITIONAL_ATTRIBUTE_REQUESTERCN    Seven Seven
    ADDITIONAL_ATTRIBUTE_TELEPHONE      101.101-1010
    LOA                                 30
    NOTBEFORE                           Thu Sep 30 17:38:43 2004 UTC
    PIN                                 ef5ceda7b90da75595bb5ec156084140a39d80ef
    RA                                  Help Desk 1
    ROLE                                Mail Server
    SERIAL                              3360
    SUBJECT_ALT_NAME                    email: [EMAIL PROTECTED],IP: 001.002.003.004,DNS: five.five.com,DNS: six.six.com
    TYPE                                PKCS#10

==
And the certificate itself looks like this:
==

bash-2.05b$ openssl x509 -noout -text -in pki-last.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Folkvang Certification Services, OU=Certification Services, CN=Kevin Ford/[EMAIL PROTECTED]
        Validity
            Not Before: Sep 30 17:48:17 2004 GMT
            Not After : Sep 30 17:48:17 2005 GMT
        Subject: C=US, O=Folkvang Certification Services, OU=Partners, CN=Two Two/serialNumber=10
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:9f:72:24:73:5a:a2:64:05:01:dc:ab:14:b9:1c:
                    7a:1b:e9:35:7d:0b:d5:b9:ed:4f:5c:22:ab:bd:31:
                    04:6c:c0:f9:78:02:9b:96:fa:c5:01:09:5b:f5:a7:
                    fd:1b:5a:d2:8e:38:8a:b4:f2:c9:0d:a5:be:23:08:
                    72:ba:96:f8:39:f5:2c:06:c5:70:9c:a8:4a:f1:8c:
                    e6:4d:fd:bf:89:62:3f:60:9f:28:c5:57:5d:d8:d1:
                    24:b5:7d:c6:15:7f:64:fd:b9:6c:59:75:ad:87:16:
                    23:cc:3c:14:52:d8:da:7a:72:99:68:ad:ec:f3:47:
                    ac:8b:40:c4:0b:23:0f:18:7d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Certificate Policies:
                Policy: 1.2.3.3.4
                Policy: 1.2.3.3.5
                Policy: 1.2.3.3.6
RE: [Openca-Users] STILL... OpenCA not sending email messages for CSRs
On Tue, 2004-09-28 at 14:24, Til Obes wrote:
> > At what point in the process are your mails getting sent,
> > Til? Is it as a part of the dataexchange process?
> >
>
> When i import the data on the ra.

Huh... Wonder why I'm not seeing that...

> After changing the config.xml value, have you run configure_etc.sh?

Yes.

> And restarted the daemon?

Yes. I even revised config.xml again subsequently (to remove the "-n" option on sendmail) and then reran configure_etc.sh and then restarted the daemons, and I saw the impact of that change (/var/log/messages recorded fatal errors when running sendmail -n before, and after revising config.xml and running configure_etc.sh and restarting daemons, sendmail runs with no -n and no errors).

But still (even after this second revision of config.xml), I only get mails when I ask for them; not automatically upon import of the data on the RA. And then they come from the CA---not the RA. This seems backwards. The CA would normally be off-line and unable to send mail.

Thanks, Til. Anyone else have any ideas?

-Kevin
RE: [Openca-Users] STILL... OpenCA not sending email messages for CSRs
On Mon, 2004-09-27 at 13:52, Til Obes wrote:
> Didn't find new mails. Hmm I don't know what that means.
> Hmm list, what was changed at the email sending thing?
> How do you know what num of email to send now?
>
> Regards til
>
> Ps: my emails are getting sent. So it's obviously a config fault

At what point in the process are your mails getting sent, Til? Is it as a part of the dataexchange process?

With additional troubleshooting, I also see the following noteworthy output.

When I follow the link in /ra-node: Utilities-->E-Mail new users

I get:

    Sending CRIN-Mail(s) ...
    (Please wait until operation completes)
    Sending the Certificate-Information-Mails ...
    Didn't find new mails. No mails send!
    Sending the PIN-Mails ...
    Didn't find new mails. No mails send!

When I follow the link in /ra-node: Utilities-->Send a CRIN-mail

    You need to enter some additional parameters for the requested functionality.
    Please enter the number of a mail to send a special mail or enter nothing to send all new mails.

(I enter nothing to send all)

I get:

    Sending CRIN-Mail(s) ...
    (Please wait until operation completes)
    Sending the Certificate-Information-Mails ...
    Didn't find new mails. No mails send!
    Sending the PIN-Mails ...
    Didn't find new mails. No mails send!

When I follow the link in /ra-node: Utilities-->Send a CRIN-mail

    You need to enter some additional parameters for the requested functionality.
    Please enter the number of a mail to send a special mail or enter nothing to send all new mails.

(I enter 8 because I see a message 8.msg in the directory /usr/local/openca/OpenCA/var/mail/crins/)

I get:

    Sending CRIN-Mail(s) ...
    (Please wait until operation completes)
    Try to send CRIN-mail 8 ...FAILED.
    Unkown error.

When I look in /usr/local/open[cr]a/OpenCA/var/mail/crins/ I see:

    ls /usr/local/openca/OpenCA/var/mail/crins/
    1.msg 2.msg 3.msg 4.msg 5.msg 6.msg 7.msg 8.msg mailcounter

    cat /usr/local/openca/OpenCA/var/mail/crins/mailcounter
    1

    ls /usr/local/openra/OpenCA/var/mail/crins/
    mailcounter serials.dmb

    cat /usr/local/openra/OpenCA/var/mail/crins/mailcounter
    1

Should the *.msg files in /usr/local/openca/OpenCA/var/mail/crins be showing up in /usr/local/openra/OpenCA/var/mail/crins ???

When I use the first link above (Utilities-->E-Mail new users) but doing so from the /ca-node URL (vice the ra-node URL), I get the following:

    Sending CRIN-Mail(s) ...
    (Please wait until operation completes)
    Sending the Certificate-Information-Mails ...
    send mail /usr/local/openca/OpenCA/var/mail/default/1.msg successful
    send mail /usr/local/openca/OpenCA/var/mail/default/2.msg successful
    send mail /usr/local/openca/OpenCA/var/mail/default/3.msg successful
    send mail /usr/local/openca/OpenCA/var/mail/default/4.msg successful
    send mail /usr/local/openca/OpenCA/var/mail/default/5.msg successful
    send mail /usr/local/openca/OpenCA/var/mail/default/6.msg successful
    send mail /usr/local/openca/OpenCA/var/mail/default/7.msg successful
    send mail /usr/local/openca/OpenCA/var/mail/default/8.msg successful
    Sending the PIN-Mails ...
    send mail /usr/local/openca/OpenCA/var/mail/crins/1.msg successful
    send mail /usr/local/openca/OpenCA/var/mail/crins/2.msg successful
    send mail /usr/local/openca/OpenCA/var/mail/crins/3.msg successful
    send mail /usr/local/openca/OpenCA/var/mail/crins/4.msg successful
    send mail /usr/local/openca/OpenCA/var/mail/crins/5.msg successful
    send mail /usr/local/openca/OpenCA/var/mail/crins/6.msg successful
    send mail /usr/local/openca/OpenCA/var/mail/crins/7.msg successful
    send mail /usr/local/openca/OpenCA/var/mail/crins/8.msg successful

and I also see postfix/sendmail getting invoked in the /var/log/messages file, and I see the messages properly delivered to the users inboxes...

However... Shouldn't the RA be sending these emails (not the CA)? After all, the CA is supposedly off-line, right? And the RA would typically be on-line? Is this the way OpenCA is designed to work (CA sending mail vice RA) or have I mixed up my configuration somehow?

And am I missing the meaning of the config.xml option:

    send_mail_automatic
    yes

With this set as above, should the mails be sent automatically (without having to follow the Utilities-->E-Mail new users link)?

BTW, this send command initially failed for me because the default sendmail command in config.xml is:

    sendmail
    /usr/lib/sendmail -n -t

and postfix has no -n option. According to the man page, it is ignored, but when I tried it, there were many failed attempts to invoke it with -n and fatal errors logged in /var/log/message so I removed the -n and then got the above behavior.

-Kevin
RE: [Openca-Users] OpenCA not sending email messages for CSRs
BTW, how do I read the email message that would (apparently) be sent? I see from examining the dataexchange import/export messages the filename of the email message that (apparently) would be sent, and I can read it with cat or less, but when I decode the mime with munpack, I get a binary smime.p7m file. It looks like this must be decoded with the certificate itself. Is that true? I presume the CRIN is encoded in this message then?

So I have to figure out why the message is not being mailed, and also must use an S/MIME aware email client once I resolve the first problem. True? Just want to make sure.

-Kevin
RE: [Openca-Users] OpenCA not sending email messages for CSRs
On Sat, 2004-09-25 at 04:55, Til Obes wrote:
> > I have the
> > default settings in config.xml for:
> >
> > sendmail
> > /usr/lib/sendmail -n -t
> >
> >
> > I've tested mailing messages from the command line with:
> > "mail -s testSubject [EMAIL PROTECTED] <
> > filename.txt" on the
> > computer running openca and it works.
> >
> > Any ideas?
>
> Some lines later in the config.xml, there are 2 config options.
> Ca mail account and sendmail automatic
> regards til

I changed these settings from the default to what you see below and still no email gets sent. Just to make sure I wasn't missing something, I also mailed something using this machine's sendmail binary (with the command-line /bin/mail client) and then I grepped my mail log. I found only those messages that were sent from the command-line; none that were sent in association with OpenCA certificate generation. I requested a new cert, approved it, issued it, and picked it up. No email messages were sent.

The settings now read:

    sendmail
    /usr/lib/sendmail -n -t

    send_mail_automatic
    yes

    service_mail_account
    [EMAIL PROTECTED]

I made the changes to config.xml, stopped the openca servers in each directory, then reran configure_etc.sh in OpenCA/open[cr]a/etc after making these changes to config.xml (in each directory), and then restarted the openca servers in each directory before requesting the new certificate.

What am I missing?

-Kevin
RE: [Openca-Users] OpenCA not sending email messages for CSRs
On Sat, 2004-09-25 at 04:55, Til Obes wrote:
> > I have the
> > default settings in config.xml for:
> >
> > sendmail
> > /usr/lib/sendmail -n -t
> >
> >
> > I've tested mailing messages from the command line with:
> > "mail -s testSubject [EMAIL PROTECTED] <
> > filename.txt" on the
> > computer running openca and it works.
> >
> > Any ideas?
>
> Some lines later in the config.xml, there are 2 config options.
> Ca mail account and sendmail automatic
> regards til
>

Thanks, Til. You mean these, right?

    send_mail_automatic
    no

    service_mail_account
    [EMAIL PROTECTED]

Thanks for mentioning these, Til. I wasn't sure exactly what the guide was referring to in Chapter 1, Section 4.1.1 when it said,

"The option send_mail_automatic configures the node interface. If the value is YES then OpenCA sends all incoming mails during an import automatically. This can be nice but it is dangerous too if you make a mistake."

Since the guide mentioned that it can be dangerous, I left it off until I was sure I understood it. I didn't realize it was referring to the email messages that I asked about in this thread.

Thanks.

-Kevin
[Openca-Users] OpenCA not sending email messages for CSRs
Hi List-

Chapter 3 of the OpenCA Guide, Section 1.2.1 reads in part:

"Once the user has requested their certificate the Certificate Authority will process the certificate request. This may involve a face to face identification of the user at the Trust Center. When the certificate has been created the user will be informed by email. This email will also include a Certificate Revocation Number (CRIN), this number should be kept in a safe place as it will be required if the user to needs to revoke their own certificate in the future."

Using RC6 on Gentoo Linux, I've requested 6 certificates thus far with my test OpenCA installation and issued them all. Now I'd like to revoke one of them. But the problem is, I never received any emails from the OpenCA server at any of the (all valid) email addresses that I used in requesting the certs.

Questions:

1) Is there another way to get this CRIN so I can revoke the cert?

2) Why didn't the OpenCA server send out any email messages to the addresses given in my CSRs? How do I fix this?

I have postfix installed, and /usr/lib/sendmail does exist (from postfix). I have the default settings in config.xml for:

    sendmail
    /usr/lib/sendmail -n -t

I've tested mailing messages from the command line with: "mail -s testSubject [EMAIL PROTECTED] < filename.txt" on the computer running openca and it works.

Any ideas?

-Kevin
Re: [Openca-Users] Root CA certificate is not a signing certificate?
On Fri, 2004-09-24 at 03:22, Michael Bell wrote:
> > Shouldn't my first cert have basicConstraints CA:true instead of
> > CA:FALSE?
>
> I think you are a little bit confused.

You're right. I was. Thanks for clearing that up. :-)

>
> 1. A root CA certificate is the self-signed certificate of the CA. This
> certificate only signs other certificates and CRLs. CA:FALSE shows me
> that you try to download a normal certificate. You must import the CA
> certificate as signer (CA) certificate.
>
> 2. The first certificate is the first certificate signed by the CA. this
> certificate must have CA:FALSE because it is usually not the
> certificate of sub CA.

Yesterday, I used the /pub page, chose Certificates, and then chose Valid and downloaded all 6 certificates that I've generated with this installation of OpenCA going by certificate serial numbers.

After reading your reply, I looked for other methods to get the root CA certificate as a signer and this time used the CA Infos and Get CA Certificate links and when I examine this certificate, it does have CA:TRUE, and I see that the serial number for this root CA certificate is serial number 0 (which was not present in the list of certificates that I generated with the previous method---probably by design, I guess). I was thinking that the certificate with serial number 1 was the signer, but now I see that it is serial number 0.

Thanks for clearing that up, Michael.

-Kevin
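Michael's distinction between the self-signed root CA certificate and the first certificate it issues, written as a check to run on `openssl x509 -noout -text` output before importing a file as a signer. This is an added example, not code from the thread or from OpenCA; the three sample outputs and the Example names in them are constructed, and the check only compares printed fields, so it does not verify any signature.

```python
import re


def parse_x509_text(text: str) -> dict:
    """Extract Issuer, Subject and Basic Constraints from openssl text output."""
    def field(name):
        m = re.search(r'^[ \t]*' + name + r':[ \t]*(.+?)[ \t]*$', text, re.MULTILINE)
        return m.group(1) if m else None

    bc = re.search(
        r'X509v3 Basic Constraints:[ \t]*(critical)?[ \t]*\n[ \t]*CA:(TRUE|FALSE)',
        text)
    return {
        "issuer": field("Issuer"),
        "subject": field("Subject"),
        "bc_present": bc is not None,
        "bc_critical": bool(bc and bc.group(1)),
        "is_ca": bool(bc and bc.group(2) == "TRUE"),
    }


def norm_dn(dn: str) -> str:
    """Older openssl prints 'C=US, O=..', newer 'C = US, O = ..'; unify both."""
    return re.sub(r'\s*([=,])\s*', r'\1', dn.strip())


def classify(text: str) -> str:
    """Return 'root-ca', 'sub-ca' or 'end-entity'.

    A certificate without CA:TRUE is an end entity and must not be imported
    as a signer. Matching issuer and subject means self-issued; proving it is
    self-signed would still need a signature check.
    """
    c = parse_x509_text(text)
    if not c["is_ca"]:
        return "end-entity"
    same = (c["issuer"] is not None and c["subject"] is not None
            and norm_dn(c["issuer"]) == norm_dn(c["subject"]))
    return "root-ca" if same else "sub-ca"


# Constructed sample outputs, trimmed to the fields the check reads.
ROOT_TEXT = """Certificate:
    Data:
        Serial Number: 0 (0x0)
        Issuer: C=US, O=Example Certification Services, CN=Example Root CA
        Subject: C = US, O = Example Certification Services, CN = Example Root CA
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
"""

FIRST_ISSUED_TEXT = """Certificate:
    Data:
        Serial Number: 1 (0x1)
        Issuer: C=US, O=Example Certification Services, CN=Example Root CA
        Subject: C=US, O=Example Certification Services, OU=Partners, CN=Two Two
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""

SUB_CA_TEXT = """Certificate:
    Data:
        Serial Number: 2 (0x2)
        Issuer: C=US, O=Example Certification Services, CN=Example Root CA
        Subject: C=US, O=Example Certification Services, CN=Example Issuing CA
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
"""

if __name__ == "__main__":
    for name, sample in (("serial 0", ROOT_TEXT),
                         ("serial 1", FIRST_ISSUED_TEXT),
                         ("serial 2", SUB_CA_TEXT)):
        print(name, "->", classify(sample))
```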
[Openca-Users] Root CA certificate is not a signing certificate?
Hi List-

I recently set up RC6 more or less according to Kevin Mitcham's cookbook as a two-interface (RA and CA) system on one computer. I've been generating client certificates and learning more about the software, but I've tried importing the root CA certificate (the first cert generated in the cookbook) into a web browser as a signing certificate and it was refused with the error, "...not a signer..."

When I look at the cert with:

    openssl x509 -noout -text -in 1.crt

I see:

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE

However, I read in the OpenCA Guide at 3. OpenSSL; Chapter 2. Configuration:

"You must care about three configurationfiles and -directories etc/openssl/openssl.cnf, etc/openssl/openssl and etc/openssl/extfiles. The first file contains the configuration for the CA. This means the file is used for the generation of the initial CA-CSR, the selfsigned certificate (if you setup a Root CA) and the CRLs."

and when I look at etc/openssl/openssl.cnf (in both my open[cr]a/etc directories), I see this:

===
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
default_md              = sha1
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca # The extentions to
                                # add to the self signed
...
[ v3_ca ]
# Extensions for a typical CA
# It's a CA certificate
basicConstraints = critical, CA:true
===

Shouldn't my first cert have basicConstraints CA:true instead of CA:FALSE?

TIA.

-Kevin
Re: [Openca-Users] Building from CVS sources: no config.xml?
On Tue, 2004-09-21 at 13:52, Rosa Suárez wrote:
> Hi list,
> I've been trying to install openca-0.9.1-10.tar.gz but it happens
> to me the same.
> I dont get config files at etc. I removed etc and re-installed, but it
> didnt work at all. Any suggestions?
>
> Thanks

I'd suggest that you upgrade to RC6. I just installed it yesterday according to the guidance in http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html and although I had a couple of problems based on those instructions, I did manage to get it working and RC6 definitely does not suffer from the problem you describe here.

-Kevin
Re: [Openca-Users] rc6 install. Errors immediately in xml_cache.log
On Tue, 2004-09-21 at 12:29, Ed Eden wrote:
> >
> >I don't get it? Fresh install of RC6 and I get the following in the
> >xml_cache.log

Ed, I just installed RC6 on Gentoo Linux following the guidance at http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html (which I found to be almost completely workable), and seem to have everything working. I just generated my first client certificate a couple of hours ago.

Perhaps you could provide more information about exactly what you have done and about what the problem is. What exactly is it that you are trying to do that generates the error? If you do, then I may be able to help.

-Kevin
[Openca-Users] Success! (was: Two-interface setup: problem with Import Configuration step)
Hi Til and Damon-

Many thanks for your replies! I finally made it all the way through Kevin Mitcham's OpenCA Cookbook at http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html

In doing so, I think I discovered a few mistakes, and in the near future, I'll be documenting those in some form or another. What would be the best way to do this? Should I generate my own cookbook modeled after his but including the steps that I found to be necessary which were not included in his cookbook? Then post this document to the list? Would that be best or something different?

It turns out that my original problem as reported in this thread came about because Kevin apparently left out the step to export the configuration, and Damon explained how to do this. Once I did that, following the rest of Kevin's cookbook worked fine.

With an operational two-interface setup with both CA and RA running in different directories on one Gentoo Linux box, I think I'll be much better able to learn all the concepts involved with operating a CA. It is now my intent to read through the entire guide again with extra special attention this time to the concepts part and to actually use the software simultaneously and thus hopefully improve my understanding of everything in the process.

Ultimately, I plan to set myself up similarly to what Damon described for himself (two computers, one running the RA functions and connected, the other running CA functions and disconnected) with OpenBSD as the OS for both computers. I tried a two-interface setup on one OpenBSD box already and was stymied by a couple of things but perhaps with a better understanding from experimenting with a working OpenCA installation, I'll have better success next time.

To Michael Bell: many thanks to you for your frequent assistance to me and for making the changes in the code that were apparently necessary for proper installation and operation on OpenBSD.

Thank you List!

-Kevin
RE: [Openca-Users] Two-interface setup: problem with Import Configuration step
On Mon, 2004-09-20 at 00:32, Til Obes wrote:
> > I suppose that some of the initialization steps may have depended upon
> > those values being set correctly. What are the implications if they
> > were not set correctly during those first init steps? Must I redo
> > everything?
> >
> > It looks from the error message in the browser that there should
> > already be a /usr/local/openra/OpenCA/var/tmp/ca-down file (or perhaps
> > one in /usr/local/openca/OpenCA/var/tmp), but I find no ca-* or ra-*
> > files in either /usr/local/open[rc]a/OpenCA/var/tmp. At what
> > step is this archive
> > created during the initialization?
> >
> > The OpenCA guide doesn't go into very much detail on these issues.
> >
> > Can anyone offer a bit of configuration help?
> >
>
> Normally the backup device is a floppy disc or zip disc.

Thanks for your reply, Til, but I'm not sure that I understand. Please pardon my questions (that are probably dumb questions due to my lack of experience with OpenCA):

What do you mean by "backup device"? I was talking about these devices:

    dataexchange_device_up
    dataexchange_device_down
    dataexchange_device_local

Is one of these the "backup device"?

For a two-interface setup, Kevin Mitcham writes to change the default settings as follows (in http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html):

=
modify the config.xml for the ra (located in /usr/local/openra/openca/etc)

Now onto the config.xml, for the ca and the ra.

for the CA:   < he's apparently writing about changes to the /usr/local/openca/openca/etc/config.xml file as opposed to openra/openca/etc/config.xml.
...
(these might not be in config.xml; if not, see below)

    dataexchange_device_up
    /usr/local/openca/openca/var/tmp/ca-up

    dataexchange_device_down
    /usr/local/openca/openca/var/tmp/ca-down

    dataexchange_device_local
    /usr/local/openra/openca/var/tmp/ra-local

if the dataexchange device section is not in config.xml, go to /usr/local/openca/openca/servers and look at ca-node.conf.template and ca.conf.template (/usr/local/openca/openca/etc/servers/ca.conf.template)

line
    EXPORT_IMPORT_DOWN_DEVICE "/dev/fd0"
to
    EXPORT_IMPORT_DOWN_DEVICE "/usr/local/openca/openca/var/tmp/ca-down"

line
    EXPORT_IMPORT_LOCAL_DEVICE "/dev/fd0"
to
    EXPORT_IMPORT_LOCAL_DEVICE "/usr/local/openra/openca/var/tmp/ra-local"

ra-node.conf.template needs similar updates, as well

ra IMPORT UP DEVICE should be the exact same file as the CA IMPORT_DOWN_DEVICE
...
=

Is that incorrect?

> So the entry looks like /floppy or /dev/hda4/openca/export

Again, not sure I follow. Should it be /dev/fd0? Or the mount point for /dev/fd0? Or the mount point of some HDD partition (say, /mnt/testing mounted at /dev/hda4 in linux) followed by a path on that partition?

Should the entries be identical for the config.xml files in both /usr/local/openra/OpenCA/etc and /usr/local/openca/OpenCA/etc? Or should they be different? Kevin seems to be writing about changing

    /usr/local/openca/OpenCA/etc/config.xml
               *^

when he says to change the dataexchange_device_local to /usr/local/openra/openca/var/tmp/ra-local so I figured that this device should be set identically in both openca and openra config.xml files. Is that incorrect?

> For testing you should enter at all entrys at your side

I'm sorry. Again, I'm not sure which entries you're referring to here. The three devices above? Or what you mean by, "at your side."

> /tmp/openca/export (must be writeable by web server)

So, for both config.xml files, set all three (total of 6 devices: 2 files each with three devices?) to the same file (in say the /tmp directory---or wherever the web server user can write to)?

> for example. Then you export the conf of the ca and the import on ra.
> That should work then ;)
>

Kevin's cookbook never says to export the configuration of the ca (unless I missed it?). How do I do that? In the guide, I see this:

1.1.5. Final setup

The last steps can also be done on the interface for the nodemanagement but it is a good idea to do it during the intialization to get a consistent state. The rebuild of the CA chain is necessary to verify digital signatures correctly. If you want to setup a sub CA then you must add all CA certificates of the CA chain in PEM format to the directory OPENCADIR/var/crypto/chain/ before you rebuild the chain.

The really last step is the export of the configuration to the online server(s). The most OpenCA users ignore this step and hand
[Openca-Users] Two-interface setup: problem with Import Configuration step
Hi List- I'm very happy to report that I am farther along in Kevin Mitcham's cookbook than I've ever been before. My real goal is to get a two-interface setup going on an OpenBSD 3.5 box, but I was running into so many problems (with chroot and accessing syslog device et. al.) that I decided to try with a Linux box first (RC6). This is a newly built Gentoo system, and I've worked my way through all of Kevin Mitcham's cookbook with successful results at each step except for when I get to here: == ...initialize the RA database http://myhost.wherever.edu/ra-node Admin->Server Init, initialize DB Admin->Server Init, Import Configuration == When I was modifying config.xml in the open[rc]a/OpenCA/etc directories I wasn't quite sure how to handle this part of the instructions from Kevin's cookbook: == (these might not be in config.xml; if not, see below) dataexchange_device_up /usr/local/openca/openca/var/tmp/ca-up dataexchange_device_down /usr/local/openca/openca/var/tmp/ca-down dataexchange_device_local /usr/local/openra/openca/var/tmp/ra-local if the dataexchange device section is not in config.xml, go to /usr/local/openca/openca/servers and look at ca-node.conf.template and ca.conf.template (/usr/local/openca/openca/etc/servers/ca.conf.template) line EXPORT_IMPORT_DOWN_DEVICE "/dev/fd0" to EXPORT_IMPORT_DOWN_DEVICE "/usr/local/openca/openca/var/tmp/ca-down" line EXPORT_IMPORT_LOCAL_DEVICE "/dev/fd0" to EXPORT_IMPORT_LOCAL_DEVICE "/usr/local/openra/openca/var/tmp/ra-local" ra-node.conf.template needs similar updates, as well ra IMPORT UP DEVICE should be the exact same file as the CA IMPORT_DOWN_DEVICE == In particular, Kevin goes into detail with modifying only the openca/OpenCA/etc/config.xml file; not so for openra/OpenCA/etc/config.xml. 
I assumed that this last note that he writes, "ra IMPORT UP DEVICE should be the exact same file as the CA IMPORT_DOWN_DEVICE" should apply equally to the config.xml files (although he is writing in particular about the template files when he says this). Could someone tell me how these lines should look in my open[rc]a/OpenCA/etc/config.xml files? Or perhaps even better, share with me a complete copy of working config.xml files for a two-interface system (ideally based on Kevin's cookbook, but if not that's ok too)? dataexchange_device_up /usr/local/openca/openca/var/tmp/ca-up dataexchange_device_down /usr/local/openca/openca/var/tmp/ca-down dataexchange_device_local /usr/local/openra/openca/var/tmp/ra-local The problem that I have encountered at the Import Configuration step of initializing the RA database seems very likely to be related to my improper settings for these lines because the error message in the browser window is: === Importing the configuration from a higher level of the hierarchy ... (Please wait until operation completes) Test the archive ... /bin/tar -tvf /usr/local/openra/OpenCA/var/tmp/ca-down FAILED Testing archive failed! 
512 === My initial configuration for these up and down devices was this: ares etc # cat /usr/local/openca/OpenCA/etc/config.xml|grep -C 2 dataexchange_device dataexchange_device_up /usr/local/openca/OpenCA/var/tmp/ca-up dataexchange_device_down /usr/local/openca/OpenCA/var/tmp/ca-down dataexchange_device_local /usr/local/openra/OpenCA/var/tmp/ra-local ares etc # cat /usr/local/openra/OpenCA/etc/config.xml|grep -C 2 dataexchange_device dataexchange_device_up /usr/local/openra/OpenCA/var/tmp/ca-up dataexchange_device_down /usr/local/openra/OpenCA/var/tmp/ca-down dataexchange_device_local /usr/local/openra/OpenCA/var/tmp/ra-local Then based on Kevin's comment, I changed it to this (and naturally reran the magic configure_etc.sh scripts and ran the openca_stop/start scripts): ares etc # cat /usr/local/openra/OpenCA/etc/config.xml|grep -C 2 dataexchange_device dataexchange_device_up /usr/local/openra/OpenCA/var/tmp/ca-down dataexchange_device_down /usr/local/openra/OpenCA/var/tmp/ca-up dataexchange_device_local /usr/local/openra/OpenCA/var/tmp/ra-local ares etc # cat /usr/local/openca/OpenCA/etc/config.xml|gr
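Added example (not part of the original posts and not OpenCA code): a pre-flight check for the "Testing archive failed!" error above, which covers the cases the thread raises: the export side and the import side naming different files, no export having been written yet, and a file that tar cannot list. The function name, return codes and sample paths are assumptions; the two paths are passed in by hand and config.xml is not parsed.

```shell
#!/bin/sh
# check_exchange_file EXPORT_PATH IMPORT_PATH
#   EXPORT_PATH: file the CA interface writes its export to
#   IMPORT_PATH: file the RA "Import Configuration" step runs "tar -tvf" on
# Return codes (assumed for this example):
#   0 ok, 1 different files, 2 missing or empty, 3 unreadable, 4 not a tar archive
check_exchange_file() {
    export_path=$1
    import_path=$2

    # The importer can only see what the exporter wrote if both settings
    # resolve to the same file (-ef also accepts symlinks and hard links).
    if [ "$export_path" != "$import_path" ] &&
       ! [ "$export_path" -ef "$import_path" ]; then
        echo "mismatch: export writes $export_path, import reads $import_path" >&2
        return 1
    fi

    # No file, or a zero-length one: the export step has not produced anything.
    if [ ! -s "$import_path" ]; then
        echo "missing or empty: $import_path (has the export been run?)" >&2
        return 2
    fi

    # Run this as the web server user; that is the account doing the import.
    if [ ! -r "$import_path" ]; then
        echo "not readable by $(id -un): $import_path" >&2
        return 3
    fi

    # Same test the import page performs, without the verbose listing.
    if ! tar -tf "$import_path" >/dev/null 2>&1; then
        echo "not a tar archive: $import_path" >&2
        return 4
    fi
    return 0
}

demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed sample payload\n' > "$tmp/payload"
    tar -cf "$tmp/ca-down" -C "$tmp" payload      # stands in for a CA export

    check_exchange_file "$tmp/ca-down" "$tmp/ca-down" && echo "same file: ok"
    # Two different directories, as in the openca/ vs openra/ trees above.
    check_exchange_file "$tmp/ca-down" "$tmp/ra/ca-down" || echo "rc=$?"
    # Same path on both sides, but nothing exported yet.
    check_exchange_file "$tmp/ca-up" "$tmp/ca-up" || echo "rc=$?"
    rm -rf "$tmp"
}
demo
```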
Re: [Openca-Users] OpenBSD and config.xml _directory_!? (-d option to /usr/bin/install)
On Fri, 2004-09-17 at 09:59, Michael Bell wrote:
> Kevin wrote:
> > I just installed RC6 on openbsd again, being very careful about
> > configure commands, using egcc (gcc 3.3.2), Makefile.global-vars, and
> > using gmake vice make.
>
> Ok, good luck :)

I'd rather use CVS sources, but I'm not getting a config.xml file when I do that (nor many others). Should I just leave my installed RC6 directory structure in place and install CVS sources over that (thus, hopefully preserving my config.xml file from RC6)?

> "man install" is your friend.
> :-)

I did man install... How do you think I learned that OpenBSD install has no -D option (or an analogue to it)? Just didn't completely understand the -d option until I saw it in action... :-)

> > I'm at a loss here on how to proceed. Reinstalling with the "-d" option
> > removed from the INSTALL options in Makefile.global-vars doesn't help
> > either.
>
> If you look at the fresh CVS HEAD files then you will see that I removed
> -D -c from Makefile.global-vars(.in).
>

Right, and I'd like to use your changes, but as I said, something's amiss in the config.xml area. Apparently some others are seeing it too. Did you try installing with no pre-existing directory structure? If so, I don't understand why make install-online and make install-offline are working for you (creating the config.xml file et al.) and not for me...

Thanks again, Michael.

-Kevin
[Openca-Users] OpenBSD: Cannot write to syslogdevice; Chroot httpd issue?
Hi List-

I'm still working my way through Kevin's cookbook and have succeeded at these two steps (yeah!):

-use the browser to open a page on http://myhost.wherever.edu/openra and you should get a page.
-Also check http://myhost.wherever.edu/ra-node

But when I visit this page:

Also check http://myhost.wherever.edu/pub

I get only:

Error addMessage failed for log slot sys_syslog (6511070). Cannot write to syslogdevice. General Error. 64510030.

In these tests, I tried running httpd both inside and outside of its chroot environment (in the normal root environment) so I don't think that's the problem. Disk space is not a problem. Any ideas?

Initially, when I tried running apache in its chroot environment, I got other problems (after copying over files needed in chroot environment):

OpenCA Error: Server is not online or does not accept requests (/usr/local/openra/OpenCA/var/tmp/openca_socket - /usr/local/openra/OpenCA/var/tmp/openca_socket ).

This arises because the socket "openca_socket" was not copied over to the chroot environment when I copied over the /usr/local/open[rc]a directories. To solve that problem, I modified the openca_start/stop script in /var/www/usr/local/openra/OpenCA/etc to use directories in the chroot environment, and that gets me the openca_socket socket, and it solves the problem with this socket error above, but how do I get the openca_xml_cache socket in /usr/local/openra/OpenCA/var/tmp?

Has anyone else done this?

-Kevin
Re: [Openca-Users] OpenBSD: Unknown host new.host.name
Hi List- Please ignore this silly question. I was up late and not thinking clearly. I never changed my httpd.conf file's default ServerName setting in the SSL config section (new.host.name). Sorry for the wasted bandwidth. -Kevin
[Openca-Users] OpenBSD: Unknown host new.host.name
Hi List-

I think I do have RC6 installed on OpenBSD now and think that I configured it properly, but am having problems with https access. In following Kevin Mitcham's cookbook, I've gone through these steps (using gmake and egcc):

configure ra
make
make install-online
make distclean
configure ca
make
make install-offline
create and test mysql DB
edit apache httpd.conf (in OpenBSD this runs chrooted by default and I copied over everything installed by OpenCA into the chroot environment)
edit ra and ca config.xml files (no changes necessary to ca-node.xml.template or ca.xml.template or ra-node.xml.template or ra.xml.template)
run the "magic script" configure_etc.sh
that script makes configuration files from the template(s)
then openca_start

But when I use the browser to open a page on https://myhost.example.com/ra, I just get the following (exact copy of what I'm seeing):

Unknown host new.host.name

No idea where this is coming from. It's not in the index.html file that the alias /ra points to, nor is it in the cgi script. I do have correct SSL access to the apache server (I can see the root document via https://...). If I try http access I get:

Error Aborting connection - you are using a wrong security protocol (http). General Error. 6251026.

I realize that this is due to the settings in ca-node.xml.template, ca.xml.template, ra-node.xml.template, and ra.xml.template, and I'd like to keep connections encrypted, so I've left those as is.

Any ideas where this is coming from and how to fix? I get the same error whether I run apache chrooted or not.

Many thanks.

-Kevin
Re: [Openca-Users] OpenBSD and config.xml _directory_!? (-d option to /usr/bin/install)
Apparent temporary solution: Remove the "-D" option from the INSTALL line of Makefile.global-vars (don't replace it with -d), then you must mkdir the directory prefix to the one file that install fails on in each of make install-online and make install-offline and then run those make install-online and make install-offline commands again, after creating the directory by hand.
[Openca-Users] OpenBSD and config.xml _directory_!? (-d option to /usr/bin/install)
I just installed RC6 on openbsd again, being very careful about configure commands, using egcc (gcc 3.3.2), Makefile.global-vars, and using gmake vice make.

This time, after the install-online and install-offline commands, I see the following in the etc files:

/usr/local/openra/OpenCA/etc # ls -al /usr/local/openra/OpenCA/etc
total 84
drwxr-xr-x 21 www www 512 Sep 16 20:10 .
drwxr-xr-x 5 root wheel 512 Sep 16 20:11 ..
drwxr-xr-x 7 www www 512 Sep 16 20:13 access_control
drw-r--r-- 2 _openca _openca 512 Sep 16 20:10 backup.xml.template
drwxr-xr-x 6 www www 512 Sep 16 20:10 bp
drw-r--r-- 2 _openca _openca 512 Sep 16 20:10 config.xml
drwxr-xr-x 2 _openca _openca 512 Sep 16 20:10 configure_etc.sh
drwxr-xr-x 4 www www 512 Sep 16 20:10 database
drwxr-xr-x 2 www www 512 Sep 16 20:10 init.d
drw-r--r-- 2 _openca _openca 512 Sep 16 20:10 ldap.xml.template
drw-r--r-- 2 _openca _openca 512 Sep 16 20:10 loa.xml
drw-r--r-- 2 _openca _openca 512 Sep 16 20:10 log.xml
drw-r--r-- 2 _openca _openca 512 Sep 16 20:10 menu.xml.template
drwxr-xr-x 2 _openca _openca 512 Sep 16 20:10 openca_rc
drwxr-xr-x 2 _openca _openca 512 Sep 16 20:10 openca_start.template
drwxr-xr-x 2 _openca _openca 512 Sep 16 20:10 openca_stop.template
drwxr-xr-x 7 www www 512 Sep 16 20:10 openssl
drwxr-xr-x 6 www www 512 Sep 16 20:10 rbac
drwxr-xr-x 2 www www 512 Sep 16 20:10 scep
drwxr-xr-x 7 www www 512 Sep 16 20:13 servers
drw-r--r-- 2 _openca _openca 512 Sep 16 20:10 token.xml

/usr/local/openra/OpenCA/etc # ls -al /usr/local/openca/OpenCA/etc
total 84
drwxr-xr-x 21 www www 512 Sep 16 20:41 .
drwxr-xr-x 5 root wheel 512 Sep 16 20:42 ..
drwxr-xr-x 5 www www 512 Sep 16 20:43 access_control
drw-r--r-- 2 _openca _openca 512 Sep 16 20:41 backup.xml.template
drwxr-xr-x 6 www www 512 Sep 16 20:41 bp
drw-r--r-- 2 _openca _openca 512 Sep 16 20:41 config.xml
drwxr-xr-x 2 _openca _openca 512 Sep 16 20:41 configure_etc.sh
drwxr-xr-x 4 www www 512 Sep 16 20:41 database
drwxr-xr-x 2 www www 512 Sep 16 20:41 init.d
drw-r--r-- 2 _openca _openca 512 Sep 16 20:41 ldap.xml.template
drw-r--r-- 2 _openca _openca 512 Sep 16 20:41 loa.xml
drw-r--r-- 2 _openca _openca 512 Sep 16 20:41 log.xml
drw-r--r-- 2 _openca _openca 512 Sep 16 20:41 menu.xml.template
drwxr-xr-x 2 _openca _openca 512 Sep 16 20:41 openca_rc
drwxr-xr-x 2 _openca _openca 512 Sep 16 20:41 openca_start.template
drwxr-xr-x 2 _openca _openca 512 Sep 16 20:41 openca_stop.template
drwxr-xr-x 7 www www 512 Sep 16 20:41 openssl
drwxr-xr-x 6 www www 512 Sep 16 20:41 rbac
drwxr-xr-x 2 www www 512 Sep 16 20:41 scep
drwxr-xr-x 5 www www 512 Sep 16 20:43 servers
drw-r--r-- 2 _openca _openca 512 Sep 16 20:41 token.xml

Notice that config.xml and configure_etc.sh are directories! Not regular files! In fact, every file in each of those directories is a subdirectory, not a regular file.

I guess this must have happened because I replaced the "-D" option to install in the Makefile.global-vars file with "-d". I did this because OpenBSD /usr/bin/install has no "-D" option. And there is apparently no analogue of that option at all in OpenBSD install.

Michael, you said that you got OpenCA to install on OpenBSD (apparently using OpenBSD gcc (2.95) vice egcc (3.3?)), but did you manage to create the node directory structures from scratch with these installs or did the install steps just copy files into a directory structure that was pre-existing? If the former, how did you do it?

When I try it (without the -d option to install), I get make install-online and make install-offline failing with many errors about not being able to copy files into non-existing directories (this is what -D does for you on Linux, but as I said, there is no such option for OpenBSD install and -d apparently just causes all files to be made into directories---also not what I want).

I'm at a loss here on how to proceed. Reinstalling with the "-d" option removed from the INSTALL options in Makefile.global-vars doesn't help either.

Anyone?

-Kevin
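Added example (not part of the original posts and not taken from the OpenCA Makefiles): the "install -d" behaviour described in this thread reproduced in a scratch directory, next to a stand-in for GNU "install -D" that uses only flags both GNU and BSD install accept. The function names and the file-name patterns are assumptions made for this example.

```shell
#!/bin/sh
# install_file MODE SRC DEST
# Create DEST's parent directories, then copy SRC to DEST as a regular file.
# This is what GNU "install -D" does in one step; -c and -m exist in both
# GNU and BSD install.
install_file() {
    mode=$1
    src=$2
    dest=$3
    parent=$(dirname "$dest")
    mkdir -p "$parent" || return 1
    # A directory left behind by an earlier "install -d" run would make
    # install copy SRC *into* it; refuse instead of hiding the damage.
    if [ -d "$dest" ]; then
        echo "install_file: $dest is a directory, remove it first" >&2
        return 1
    fi
    install -c -m "$mode" "$src" "$dest"
}

# list_dir_shaped_files DIR
# Print entries directly under DIR that are directories but carry a
# file-like name, the state shown in the listings above. Files without an
# extension (openca_rc, for instance) cannot be recognised by name.
list_dir_shaped_files() {
    for entry in "$1"/*; do
        [ -d "$entry" ] || continue
        case ${entry##*/} in
            *.xml|*.sh|*.template|*.conf) printf '%s\n' "${entry##*/}" ;;
        esac
    done
}

demo() {
    tmp=$(mktemp -d) || return 1
    printf '<config/>\n' > "$tmp/config.xml.in"     # constructed sample file

    # With -d every operand is a directory to create, so file names
    # passed to it become directories.
    install -d "$tmp/etc/config.xml" "$tmp/etc/configure_etc.sh" "$tmp/etc/servers"
    echo "directories with file-like names after 'install -d':"
    list_dir_shaped_files "$tmp/etc"

    # Installing into a tree that does not exist yet, without -D.
    install_file 644 "$tmp/config.xml.in" "$tmp/fresh/etc/config.xml" &&
        ls -l "$tmp/fresh/etc/config.xml"
    rm -rf "$tmp"
}
demo
```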
[Openca-Users] Building from CVS sources: no config.xml?
Hi List- Since Michael was kind enough to make some changes to improve installation on OpenBSD systems, I'd like to use the most current sources in building my test system. So I rm -rf'd my /usr/local/open[rc]a directories and started over using the CVS module openca-0.9. The thing is, after ./configure and make and make install-online, I have no config.xml file in /usr/local/openra/openca/etc. Just to make sure this wasn't an OpenBSD install problem, I tried the same thing with CVS sources on a Gentoo Linux box and got the same result. On Linux: cvs -d:pserver:[EMAIL PROTECTED]:/cvsroot/openca login cvs -z3 -d:pserver:[EMAIL PROTECTED]:/cvsroot/openca co openca-0.9 ./configure \ --prefix=/usr/local/openra \ --with-httpd-user=apache \ --with-httpd-group=apache \ --with-openca-prefix=/usr/local/openra/openca \ --with-etc-prefix=/usr/local/openra/openca/etc \ --with-httpd-fs-prefix=/usr/local/openra/httpd \ --with-module-prefix=/usr/local/openra/modules \ --with-node-prefix=ra-node \ --with-engine=no \ --with-web-host=ares.folkvang.org \ --enable-dbi \ --enable-rbac \ --with-hierarchy-level=ra\ --with-openca-user=_openca\ --with-openca-group=_openca\ --enable-ocspd \ --with-openldap-prefix=/usr/local/lib make make install-online ares openca-0.9 # ls -al /usr/local/openra/openca/etc/ total 20 drwxr-xr-x 5 apache apache 4096 Sep 16 18:40 . drwxr-xr-x 5 apache apache 4096 Sep 16 18:38 .. 
drwxr-xr-x 2 _openca _openca 4096 Sep 16 18:40 access_control drwxr-xr-x 3 apache apache 4096 Sep 16 12:42 openssl drwxr-xr-x 2 _openca apache 4096 Sep 16 18:40 servers On OpenBSD: ./configure \ --with-engine=no \ --with-httpd-user=www \ --with-httpd-group=www \ --with-openca-user=_openca \ --with-openca-group=_openca \ --with-httpd-fs-prefix=/usr/local/openra/httpd \ --with-web-host=mandible.example.com \ --with-ca-organization="Certification Services" \ --with-ca-country=US \ --with-ca-locality="Rhode Island" \ --with-ldap-port=389 \ --with-ldap-root="cn=Manager,dc=example,dc=com" \ --with-ldap-root-pwd="secret" \ --with-module-prefix=/usr/local/openra/modules \ --with-openssl-prefix=/usr/local/ssl \ --with-openldap-prefix=/usr/local --enable-ocspd \ --enable-dbi \ --enable-rbac \ --prefix=/usr/local/openra \ --with-service-mail-account="[EMAIL PROTECTED]" \ --with-node-prefix=ra-node \ --with-hierarchy-level=ra make make install-online /usr/local/src/OpenCA/openca-0.9 # ls -al /usr/local/openra/OpenCA/etc/ total 28 drwxr-xr-x 7 root wheel 512 Sep 16 11:52 . drwxr-xr-x 5 root wheel 512 Sep 16 11:46 .. drwxr-xr-x 7 root wheel 512 Sep 16 11:48 access_control drwxr-xr-x 2 www www512 Sep 16 11:52 bp drwxr-xr-x 2 www www512 Sep 16 11:52 database drwxr-xr-x 3 www www512 Sep 16 11:43 openssl drwxr-xr-x 6 root wheel 512 Sep 16 11:48 servers When I did an RC6 install on Linux (same configure command), the content of that directory was: ares openca-0.9.2-RC6 # ls -al /usr/local/openra/openca/etc total 180 drwxr-xr-x 10 apache apache 4096 Sep 16 08:54 . drwxr-xr-x 5 apache apache 4096 Sep 16 08:54 .. 
drwxr-xr-x 2 apache apache 4096 Sep 16 08:56 access_control
-rw-r--r-- 1 _openca _openca 2665 Sep 16 08:54 backup.xml.template
drwxr-xr-x 3 apache apache 4096 Sep 16 08:54 bp
-rw-r--r-- 1 _openca _openca 29819 Sep 16 08:54 config.xml
-rwxr-xr-x 1 _openca _openca 1224 Sep 16 08:54 configure_etc.sh
drwxr-xr-x 2 apache apache 4096 Sep 16 08:54 database
drwxr-xr-x 2 apache apache 4096 Sep 16 08:54 init.d
-rw-r--r-- 1 _openca _openca 24459 Sep 16 08:54 ldap.xml.template
-rw-r--r-- 1 _openca _openca 10874 Sep 16 08:54 loa.xml
-rw-r--r-- 1 _openca _openca 842 Sep 16 08:54 log.xml
-rw-r--r-- 1 _openca _openca 31239 Sep 16 08:54 menu.xml.template
-rwxr-xr-x 1 _openca _openca 383 Sep 16 08:54 openca_rc
-rwxr-xr-x 1 _openca _openca 1893 Sep 16 08:54 openca_start.template
-rwxr-xr-x 1 _openca _openca 206 Sep 16 08:54 openca_stop.template
drwxr-xr-x 4 apache apache 4096 Sep 16 08:54 openssl
drwxr-xr-x 3 apache apache 4096 Sep 16 08:54 rbac
drwxr-xr-x 2 apache apache 4096 Sep 16 08:54 scep
drwxr-xr-x 2 apache apache 4096 Sep 16 08:56 servers
-rw-r--r-- 1 _openca _openca 12399 Sep 16 08:54 token.xml

Shouldn't I have a config.xml and a configure_etc.sh (and others) as I do here? I do get these when I install RC6 in Linux, but not OpenBSD.

I am working towards a single computer installation for both the online and offline components as Kevin Mitcham writes about in his Cookbook. Do I need to check out another module from CVS in addition to openca-0.9? Or has the configuration of OpenCA changed recently so as not to use a config.xml file?

Thanks for any suggestions.

-Kevin
Re: [Openca-Users] 0.9.2-RC6 won't install on OpenBSD 3.5
On Mon, 2004-09-13 at 07:12, Michael Bell wrote: > Hi Kevin, > > I don't use ocsp too but I checked the ocspd. > Thank you Michael and Ives. I decided that I don't really need ocsp either. However, I'm still having difficulties with installation on OBSD3.5. the ./configure and make steps worked: CPP=/usr/local/bin/ecpp CC=/usr/local/bin/egcc ./configure \ --prefix=/usr/local/openra \ --with-httpd-user=www \ --with-httpd-group=www \ --with-openca-prefix=/usr/local/openra/openca \ --with-etc-prefix=/usr/local/openra/openca/etc \ --with-httpd-fs-prefix=/usr/local/openra/httpd \ --with-module-prefix=/usr/local/openra/modules \ --with-node-prefix=ra-node \ --with-engine=no \ --with-web-host=mandible \ --enable-dbi \ --enable-rbac \ --with-hierarchy-level=ra\ --with-openca-user=_openca\ --with-openca-group=_openca\ --with-openldap-prefix=/usr/local/lib make But... The first problem is that the "-D" option to install is not supported in OpenBSD 3.5 /usr/bin/install. After reading man install on a linux box, I decided that it probably was not necessary since the "-d" option was being called. So I removed it from the definition of $INSTALL in Makefile.global-vars (make install-online was failing with a complaint about -D being unrecognized). Unfortunately, I still cannot make install-online. Now the problem is this: /usr/local/src/OpenCA/openca-0.9.2-RC6 # make install-online installing common components because it is not a package build make docssrc SUBTARGET=install-common cd docs && make install-common cd src && make install-common make common SUBTARGET=install cd common && make install make etc lib var SUBTARGET=install cd etc && make install /usr/local/openra/openca/etc already exists, skipping configuration cd lib && make install make: don't know how to make /usr/local/openra/openca/lib/bp. Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/common/lib. *** Error code 2 Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/common (line 22 of Makefile). 
*** Error code 1
Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/common (line 25 of Makefile).
*** Error code 1
Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src (line 35 of Makefile).
*** Error code 1
Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src (line 38 of Makefile).
*** Error code 1
Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6 (line 87 of Makefile).
*** Error code 1
Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6 (line 75 of Makefile).
*** Error code 1
Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6 (line 84 of Makefile).
=

It looks like these Makefiles have not been ported to OpenBSD, but I thought the manual said that OpenCA had been successfully installed on OBSD. Has anyone on the list installed OpenCA on OpenBSD? If so, have you done so on release 3.5 of OBSD? I would greatly appreciate any tips on tweaking the Makefiles (and if any other tweaks are needed).

Thanks!

-Kevin
Re: [Openca-Users] 0.9.2-RC6 won't make on OpenBSD 3.5
On Sat, 2004-09-11 at 19:02, dalini wrote: > Kevin wrote: > > Hi All- > > > > I'm not sure if I've found a bug in the code or if there is an > > incompatibility, but can anyone comment on this? > > > > i386/OpenBSD3.5 (most current) > > /usr/local/src/OpenCA/openca-0.9.2-RC6 # gcc -v > > Reading specs from /usr/lib/gcc-lib/i386-unknown-openbsd3.5/2.95.3/specs > > gcc version 2.95.3 20010125 (prerelease, propolice) >^^ > > thats 'the problem' - it should compile with a newer gcc > i havn't checked out what is the exact problem with 2.95 and > apps.c but a newer gcc works with the code > Thanks, dalini. I installed lang/egcs from OBSD ports which gives me gcc 3.3.2 and tried again. This time I get a failure with a different message: ... `openca-xml-cache/Makefile' is up to date. perl: warning: Setting locale failed. perl: warning: Please check that your locale settings: LC_ALL = "de_AT", LANG = (unset) are supported and installed on your system. perl: warning: Falling back to the standard locale ("C"). cd openca-sv && make Making all in src Making all in docs cd scripts && make cd web-interfaces && make make batch ca ldapnode pub ra scep cd batch && make cd ca && make cd ldap && make cd node && make cd pub && make cd ra && make cd scep && make cd ocspd && make Making all in src if /usr/local/bin/egcc -DPACKAGE_VERSION=\"0.5.1\\x0\" -D_USE_SEMAPHORES=1 -I. -I. -I../include -g -O2 -MT ocspd.o -MD -MP -MF ".deps/ocspd.Tpo" -c -o ocspd.o `test -f 'ocspd.c' || echo './'`ocspd.c; then mv ".deps/ocspd.Tpo" ".deps/ocspd.Po"; else rm -f ".deps/ocspd.Tpo"; exit 1; fi In file included from ocspd.c:25: general.h:38: error: redefinition of `union semun' *** Error code 1 Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/ocspd/src. *** Error code 1 Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/ocspd (line 301 of Makefile). *** Error code 1 Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src (line 35 of Makefile). 
*** Error code 1
Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6 (line 87 of Makefile).

My configure command was:

CPP=/usr/local/bin/ecpp CC=/usr/local/bin/egcc ./configure \
    --prefix=/usr/local/openra \
    --with-httpd-user=www \
    --with-httpd-group=www \
    --with-openca-prefix=/usr/local/openra/openca \
    --with-etc-prefix=/usr/local/openra/openca/etc \
    --with-httpd-fs-prefix=/usr/local/openra/httpd \
    --with-module-prefix=/usr/local/openra/modules \
    --with-node-prefix=ra-node \
    --with-engine=no \
    --with-web-host=mandible \
    --enable-ocspd \
    --enable-dbi \
    --enable-rbac \
    --with-hierarchy-level=ra \
    --with-openca-user=_openca \
    --with-openca-group=_openca \
    --with-openldap-prefix=/usr/local/lib

and then just a plain 'make'

The newly installed gcc is egcc with version:

/usr/local/src/OpenCA/openca-0.9.2-RC6 # /usr/local/bin/egcc -v
Reading specs from /usr/local/lib/gcc-lib/i386-unknown-openbsd3.5/3.3.2/specs
Configured with: /usr/ports/lang/egcs/stable/w-gcc-3.3.2/gcc-3.3.2/configure --verbose --program-transform-name=s,^,e, --disable-nls --with-system-zlib --enable-cpp --enable-languages=c,c++,f77,objc,java --enable-sjlj-exceptions --with-gnu-as --with-gnu-ld --enable-shared --prefix=/usr/local --sysconfdir=/etc
Thread model: single
gcc version 3.3.2

A newly built updatedb database shows only the following general.h files on my system:

/usr/local/src/OpenCA/openca-0.9.2-RC6 # locate general.h
/usr/include/dev/raidframe/rf_general.h
/usr/local/src/OpenCA/openca-0.9.2-RC6/src/ocspd/src/general.h
/usr/local/src/OpenCA/openca-0.9.2-RC6/src/openca-sv/include/openca/general.h
/usr/src/sys/dev/raidframe/rf_general.h
/usr/src/usr.bin/tn3270/general/general.h

I see only one definition of union semun in that. Is it defined elsewhere in the OpenCA code? Has anyone else built RC6 on an OBSD3.5 box?

TIA!

-Kevin
[Openca-Users] 0.9.2-RC6 won't make on OpenBSD 3.5
Hi All-

I'm not sure if I've found a bug in the code or if there is an incompatibility, but can anyone comment on this?

i386/OpenBSD3.5 (most current)

/usr/local/src/OpenCA/openca-0.9.2-RC6 # gcc -v
Reading specs from /usr/lib/gcc-lib/i386-unknown-openbsd3.5/2.95.3/specs
gcc version 2.95.3 20010125 (prerelease, propolice)

Configure line from the Cookbook with a couple of additions:

./configure \
--prefix=/usr/local/openra \
--with-httpd-user=www \
--with-httpd-group=www \
--with-openca-prefix=/usr/local/openra/openca \
--with-etc-prefix=/usr/local/openra/openca/etc \
--with-httpd-fs-prefix=/usr/local/openra/httpd \
--with-module-prefix=/usr/local/openra/modules \
--with-node-prefix=ra-node \
--with-engine=no \
--with-web-host=mandible \
--enable-ocspd \
--enable-dbi \
--enable-rbac \
--with-hierarchy-level=ra\
--with-openca-user=_openca\
--with-openca-group=_openca\
--with-openssl-prefix=/usr/sbin/openssl\
--with-openldap-prefix=/usr/local/lib

make fails with:

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LC_ALL = "de_AT",
LANG = (unset)
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LC_ALL = "de_AT",
LANG = (unset)
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Manifying blib/man3/OpenCA::XML::Cache.3p
Use of uninitialized value in string eq at /usr/libdata/perl5/Pod/Man.pm line 418.
Use of uninitialized value in string eq at /usr/libdata/perl5/Pod/Man.pm line 419.
cd openca-sv && make
Making all in src
source='apps.c' object='apps.o' libtool=no depfile='.deps/apps.Po' tmpdepfile='.deps/apps.TPo' depmode=gcc /bin/sh ../build/depcomp gcc -DPACKAGE_VERSION=\"1.0.1\\x0\" -I. -I. -I../include -I/usr/sbin/openssl/include -g -O2 -c `test -f 'apps.c' || echo './'`apps.c
apps.c: In function `load_engine':
apps.c:1036: syntax error before `*'
apps.c:1037: `e' undeclared (first use in this function)
apps.c:1037: (Each undeclared identifier is reported only once
apps.c:1037: for each function it appears in.)
*** Error code 1
Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/openca-sv/src.
*** Error code 1
Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/openca-sv (line 293 of Makefile).
*** Error code 1
Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src (line 35 of Makefile).
*** Error code 1
Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6 (line 87 of Makefile).
/usr/local/src/OpenCA/openca-0.9.2-RC6 #

TIA.

-Kevin

PS. My perl is:

/usr/local/src/OpenCA/openca-0.9.2-RC6 # perl -v
This is perl, v5.8.2 built for i386-openbsd
Copyright 1987-2003, Larry Wall
Perl may be copied only under the terms of either the Artistic License or the GNU General Public License, which may be found in the Perl 5 source kit.
Complete documentation for Perl, including FAQ lists, should be found on this system using `man perl' or `perldoc perl'. If you have access to the Internet, point your browser at http://www.perl.com/, the Perl Home Page.
RE: [Openca-Users] Error 700 in attempting to initialize database
On Wed, 2004-08-18 at 19:02, Tiller, Robert wrote:
> here is the config file for ca
>
>

Thanks, Robert. I see a binary attachment named winmail.dat and when I less through it, I see what looks like a ./configure line for openca hidden in amongst a lot of binary stuff. Should I take that to mean that you think I should start over with this as a set of configure options to use?

Thanks for your reply.

-Kevin
Re: [Openca-Users] Error 700 in attempting to initialize database
On Wed, 2004-08-18 at 16:37, Ives Steglich wrote:
> Tiller, Robert wrote:
> > I don't know if this is the same error I had, but some earlier versions of
> > openca had a permission error on the db files. Mainly DBM files not
> > SQL. You might check the file permissions.
> >
> but this would not be good - i thought we solved those problems before
> rc6... could be it was afterwards... but actually it shouldn't happen
> anymore - at least with cvs ,o)
>
> yes - check file permissions in var/db/ if its not your
> apacheuser:apachegroup just delete the files (there should be none
> before initialization) or change the ownership to the apache stuff
>

I have no files in /usr/local/open[cr]a/openca/var/db, and the ownership of each directory itself is apacheuser:apachegroup.

Based on the error message, I was thinking that this error would be a code problem, no? Perhaps related to configuration? But I'm really without a clue.

I had to make some adjustments to the aliases that I used in httpd.conf because I configured with --with-node-prefix=online-ra-node and --with-node-prefix=offline-ca-node instead of the cookbook recommended --with-node-prefix=[cr]a-node. I just did it to help me keep straight in my mind which was online and which was offline, but I found that it threw a couple of small wrenches into my configuration. I think I ferreted them all out, but perhaps this problem is another result of that minor change I made.

Thanks dalani and Robert for your replies though. Any other thoughts? Should I simply start over from scratch? Perhaps with a new SuSE 9.0 or 9.1 box? I'm trying to compile OpenCA on Gentoo, but seem to have a problem with my perl setup (see thread, Problem compiling: XML::Parser-2.23 important vice 2.34?) so I can't make a comparison there either---I can't even complete the make step.

Again, thanks for being so patient with an OpenCA newbie.

-Kevin
Re: [Openca-Users] OpenCA Cookbook
On Wed, 2004-08-18 at 12:03, Kevin Mitcham wrote:
> I'm sorry if the cookbook misled you, or was incomplete. I wrote it to
> make the install procedure overall a little easier, providing a worked
> example. By the time I wrote it down, I had installed OpenCA several
> times, and some of the items were already committed to memory, and
> didn't get written down. I did try to write out several of the problems
> that came up in my experience, and the solutions to them.
>
> Kevin

Hi Kevin-

Please don't apologize. I meant what I said when I said that this was my _lame_ excuse. The cookbook was a big help to me; of that I'm quite certain. But I should not have relied on it exclusively. That's a lesson for me.

Your cookbook was very helpful to me. Thanks very much for writing it. Once I have completed my installation and configuration of OpenCA, I hope to be able to add my experience to what you've written and perhaps improve upon it somewhat, but there's certainly no cause to apologize.

Thanks very kindly for helping me out a great deal by writing it.

-Kevin
[Openca-Users] Error 700 in attempting to initialize database
At the risk of getting yelled at, I have another question... (sorry...)

This time I've read both the cookbook and the relevant portions of the guide. As usual, I've also searched the list archives, searched through the entire guide for this particular error, and double-checked the steps I performed in the cookbook. I'm not finding anything to help me solve this. That said, however, it's true that I have not read the guide from cover to cover. If I'm wrong for asking a question here in such circumstances, someone please feel free to correct me. I promise I won't take offense.

I'm following the steps exactly in the cookbook:

Series of tabs should be visible.
Select General->Initialization
Phase I Initialize the Certification Authority
Initialize Database
initialize-> intialize DB .(reports sucess, but a slurry of error messages about table not found may appear on the console)

Anyway, when I attempt to initialize the database, I get this error:

Error 700
General Error. The compilation of the command cmdGenDB failed. Can't call method "prepare" on an undefined value at /usr/local/openca/modules/perl5/OpenCA/DBI.pm line 2518.

When I look at line 2518 of said file, I see:

2515 ## prepare
2516 $self->debug ("doQuery: prepare statement");
2517 $self->debug ("doQuery: statement nr.: ".(scalar (@{$self->{STH}}) +1));
2518 $self->{STH}[scalar (@{$self->{STH}})] = $self->{DBH}->prepare ($query);
2519 if ( (my $h = $self->{STH}[scalar (@{$self->{STH}})-1]->state) != 0) {
2520     $self->debug ("doQuery: prepare failed");
2521     $self->debug ("doQuery: query: $query");
2522     $self->debug ("doQuery: returned errorcode: $h");
2523     $self->errno ( $OpenCA::DBI::ERROR->{PREPARE_FAILED} );
2524     return undef;
2525 }

Not being very clueful on perl in general, I'm definitely out of my league trying to interpret perl code. Can anyone offer suggestions on how to resolve this? I suppose I must have screwed up something in my config files. Should I post those? If so, just say so and I will.

Sorry to be such a pain, guys. Thanks for any help.

-Kevin
Re: [Openca-Users] OpenCA Cookbook
I'm sorry if the cookbook misled you, or was incomplete. I wrote it to make the install procedure overall a little easier, providing a worked example. By the time I wrote it down, I had installed OpenCA several times, and some of the items were already committed to memory, and didn't get written down. I did try to write out several of the problems that came up in my experience, and the solutions to them.

Kevin

Please read the docs in the OpenCA guide...

Thanks Martin, Til, and Johannes for pointing this out. Guess I should've read all of the docs in their entirety before posting but my lame excuse is that I was misled by the cookbook. I had the impression from reading it that it was self-contained and that I could use it as a shortcut for installation and then read the full docs afterwards as I experimented with OpenCA.

Sorry for the unnecessary question/time/bandwidth.

-Kevin
Re: [Openca-Users] problems initializing openca (Error Login failed: 6273120.)
On Wed, 2004-08-18 at 10:48, Martin Bartosch wrote:
> Hi Kevin,
>
> just some quick notes:
>
> The initial user/password is root/root. Of course you do not need
> to open the database from the outside.
> The initialization steps can be performed using the /ca/ frontend
> after logging in.
> Public frontend is for issuing requests and picking up certs only.
>
> Please read the docs in the OpenCA guide...

Thanks Martin, Til, and Johannes for pointing this out. Guess I should've read all of the docs in their entirety before posting but my lame excuse is that I was misled by the cookbook. I had the impression from reading it that it was self-contained and that I could use it as a shortcut for installation and then read the full docs afterwards as I experimented with OpenCA.

Sorry for the unnecessary question/time/bandwidth.

-Kevin
[Openca-Users] problems initializing openca (Error Login failed: 6273120.)
Hi List-

Many thanks to Oliver Welter for helping me resolve my problem with SSLOptions +StdEnvVars that was causing my "too short symmetric keylength" error.

Now that I have that solved, I've encountered another problem in trying to follow the guidelines in the OpenCA cookbook from Kevin Mitcham. I do get pages when visiting all of the following:

https://myhost.wherever.edu/ra
https://myhost.wherever.edu/ra-node
https://myhost.wherever.edu/pub
https://myhost.wherever.edu/ca
https://myhost.wherever.edu/ca-node

What I get is as follows:

https://myhost.wherever.edu/ra
A purple login screen

https://myhost.wherever.edu/ra-node
A white login screen

https://myhost.wherever.edu/pub
A series of tabs labeled:
General (Logout)
CA Infos (Policy Get CA certificate Certificate Revocation Lists)
User (Request a Certificate Get Requested Certificate Test Certificate Revoke Certificate)
Certificates (Valid Expired Suspended Revoked Search)
Requests (Certificate Requests Certificate Revocation Requests)
Language (English German Spanish French Italian Japanese Polish)

https://myhost.wherever.edu/ca
A purple login screen

https://myhost.wherever.edu/ca-node
A white login screen

In the cookbook, Kevin Mitcham says:

connect to the ca: http://myhost.wherever.edu/openca
Series of tabs should be visible.
Select General->Initialization
Phase I Initialize the Certification Authority
Initialize Database
initialize-> intialize DB .(reports sucess, but a slurry of error messages about table not found may appear on the console)

Based upon the changes he recommends for httpd.conf, I assume he means to connect to http://myhost.wherever.edu/ca because that's what he makes an Alias for.

With what username/password credentials should I login? The ones that I set up in my config.xml files? I assumed that these were the username/password of the mysql openca database administrator that I created when creating the databases themselves, but these aren't working. When I try it I get a login failed message. Must I permit access to port 3306 over the network? I can connect to the mysql server using the mysql command-line client program running on the server machine when using these credentials, but cannot do so through the web interface of OpenCA.

The only place I see a series of tabs is at /pub and while there is a General tab, there is no Initialization item in it.

Am I missing something? Any suggestions? I checked the list archives but didn't see anything that helped me out. Someone reported a problem with the cookie directory being created, but I'm not seeing the same symptoms he was.

The exact error message is:

Error
Login failed.
General Error. 6273120.

Thanks again.

-Kevin
Re: [Openca-Users] OpenCA cookbook
I know this won't show up in the thread of the same subject because I don't have the original or any of the follow-ups to that message in my own email archive, but I just thought I'd try to get this point somehow associated with the OpenCA Cookbook, thus this message.

Other changes to make to httpd.conf (aside from those already listed in the OpenCA Cookbook):

SSLOptions +StdEnvVars

Thanks to Oliver Welter for pointing this out to me.

-Kevin
Re: [Openca-Users] too short symmetric keylength: General Error. 6251043.
On Wed, 2004-08-18 at 02:49, Oliver Welter wrote:
> Hi Kevin,
>
> I had the same problem :)
> It's likely that you have not exported your SSL-Vars to Perl...
> Add
> SSLOptions +StdEnvVars
> to your SSL-Config in apache and it should work
>
> Oliver

Hi Oliver-

Yes, you were right. This solved my problem. Thanks very much. I think I'll add it to the OpenCA Cookbook thread on the list for other changes to make to httpd.conf as a part of a first installation.

-Kevin
[Openca-Users] too short symmetric keylength: General Error. 6251043.
Hi List-

Many thanks for suggestions relating to my other posts here (some of which I'm still trying to resolve), but I did get a successful configure/make/make install of OpenCA according to the OpenCA Cookbook that Johnny Gonzalez referred me to on a SuSE 9.0 box. I'm still struggling with this part on a Gentoo system, but with the SuSE system, I may be suffering from a configuration problem, and that's what I'm trying to resolve with this message.

I have the following error upon accessing https://localhost/ra

Error
Aborting connection - you are using a too short symmetric keylength ().
General Error. 6251043.

I saw in the archives in May where someone else had this problem and Michael pointed out the solution by explaining that the keylength in etc/access_control/ra.xml file was apparently the problem.

In my etc/access_control/ra.xml, I have the following:

mod_ssl ssl .* .* 0 .* 128 ...

And when I use Mozilla Firefox to view https://localhost/ra and click the lock, it reports that the connection is encrypted with High-grade Encryption (AES-256 256 bit).

Perhaps OpenCA doesn't know about the AES cipher? Or is it this other thing that Michael mentioned in his reply to that poster:

"The empty () at the end of the errormessage looks like a general problem with your SSL"

I have no problems viewing other content over the https protocol. Only OpenCA stuff.

Any help here?

-Kevin
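Added example (not OpenCA's code, and not from any poster in this thread): a shell sketch of a CGI-side minimum key length check, showing why the error text carries an empty "()" when the session itself is strong. It assumes the check reads the mod_ssl variable SSL_CIPHER_USEKEYSIZE, which is exported only with the `SSLOptions +StdEnvVars` setting reported as the fix in this thread, and the HTTPS flag; the function names and the sample values are constructed.

```shell
#!/bin/sh
# Added example, not OpenCA code. Models a CGI-side minimum key length check
# that depends on variables exported by mod_ssl.
#
# Assumptions: the check reads SSL_CIPHER_USEKEYSIZE (exported only with
# "SSLOptions +StdEnvVars") and HTTPS (set by mod_ssl on TLS requests).

# check_keylength MIN_BITS
#   stdout: one status word; stderr: a message for the log.
#   ok            key size is at least MIN_BITS          (returns 0)
#   too-short     key size exported but below MIN_BITS   (returns 1)
#   not-exported  TLS in use, key size variable is empty (returns 2)
#   no-tls        request did not arrive over TLS        (returns 3)
#   malformed     key size is not a plain number         (returns 4)
# Every outcome except "ok" denies access, so the check fails closed.
check_keylength() {
    min=$1
    bits=${SSL_CIPHER_USEKEYSIZE-}
    if [ "${HTTPS-}" != on ]; then
        echo "request is not using TLS" >&2
        echo no-tls
        return 3
    fi
    if [ -z "$bits" ]; then
        # The case behind the empty "()": the session may be strong, but
        # the application cannot see the negotiated key size.
        echo "too short symmetric keylength (), key size not exported" >&2
        echo not-exported
        return 2
    fi
    case $bits in
        *[!0-9]*)
            echo "unexpected key size value ($bits)" >&2
            echo malformed
            return 4 ;;
    esac
    if [ "$bits" -lt "$min" ]; then
        echo "too short symmetric keylength ($bits), minimum $min" >&2
        echo too-short
        return 1
    fi
    echo ok
}

# run_case HTTPS_VALUE KEYSIZE MIN_BITS: run the check with constructed
# values in a subshell so the caller's environment is left alone.
run_case() {
    ( HTTPS=$1; SSL_CIPHER_USEKEYSIZE=$2; check_keylength "$3" ) || true
}

# Constructed scenarios; 128 is the minimum visible in the ra.xml excerpt.
echo "AES-256, variables exported:     $(run_case on 256 128 2>/dev/null)"
echo "AES-256, variables not exported: $(run_case on '' 128 2>/dev/null)"
echo "56-bit cipher, exported:         $(run_case on 56 128 2>/dev/null)"
```

The "not-exported" outcome is worth logging separately from "too-short": the first is a server configuration fault, the second a client negotiating a weak cipher.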
Re: [Openca-Users] Problem compiling: XML::Parser-2.23 important vice 2.34?
On Tue, 2004-08-17 at 10:37, Michael Bell wrote:
> Hi Kevin,
>
> you are missing some files from Expat:
>
> /usr/lib/perl5> find . -name "*xpat*"
> ./site_perl/5.8.0/i586-linux-thread-multi/XML/Parser/Expat.pm
> ./site_perl/5.8.0/i586-linux-thread-multi/auto/XML/Parser/Expat
> ./site_perl/5.8.0/i586-linux-thread-multi/auto/XML/Parser/Expat/Expat.bs
> ./site_perl/5.8.0/i586-linux-thread-multi/auto/XML/Parser/Expat/Expat.so
>
> The important thing is the auto area which must be linked too.
>
> Michael

Hi Michael-

Here's what I have when doing the same thing:

tombstone openca-0.9.2-RC6 # find /usr/lib/perl5/vendor_perl/5.8.4/ -name "*xpat*"
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux/auto/XML/Parser/Expat
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux/auto/XML/Parser/Expat/Expat.so
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux/auto/XML/Parser/Expat/Expat.bs
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux/XML/Parser/Expat.pm
tombstone openca-0.9.2-RC6 #

Looks pretty much the same as yours, but... When I run the perl program "inside" (as mentioned earlier in this thread), I get the following (abbreviated):

i686-linux::XML::GDOME (version 0.85) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::GDOME::SAX::Builder (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::GDOME::SAX::Generator (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::GDOME::SAX::Parser (version 1.00) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML (version 1.58) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::Boolean (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::Common (version 0.13) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::Literal (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::NodeList (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::Number (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::SAX (version 1.00) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::SAX::Builder (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::SAX::Generator (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::SAX::Parser (version 1.50) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXML::XPathContext (version 0.05) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::LibXSLT (version 1.57) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Parser (version 2.34) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Parser::Expat (version 2.34) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Parser::Style::Debug (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Parser::Style::Objects (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Parser::Style::Stream (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Parser::Style::Subs (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Parser::Style::Tree (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Sablotron (version 0.98) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Sablotron::DOM (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Sablotron::DOM::DOMHandler (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Sablotron::Processor (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Sablotron::SAXBuilder (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Sablotron::SXP (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Sablotron::Situation (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4
i686-linux::XML::Sablotron::Situation::DOMHandlerDispatcher (version unknown) found in /usr/lib/perl5/vendor_perl/5.8.4

Is the i686-linux:: prefix in front of the Expat module somehow preventing openca/perl from seeing that module as XML::Parser::Expat?

What output do you get on your system from Inside?

I see that your Expat modules are located in a directory prefixed with ...i586-linux-thread-multi... Is this directory prefix on my system (i686-linux) causing the module to be prefixed with the i686-linux:: string (and thus, perhaps preventing it from being seen as XML::Parser::Expat by perl/OpenCA)?

The head of my /usr/lib/perl5/vendor_perl/5.8.4/i686-linux/XML/Parser/Expat.pm file reads as follows:

=
package XML::Parser::Expat;
require 5.004;
use strict;
...
=

Seems to me that inside should be detecting this module as written here: XML::Parser::Expat; but instead it seems to be finding it as i686-linux::XML::Parser::Expat; I'm thinking that's the
Re: [Openca-Users] Problem compiling: XML::Parser-2.23 important vice 2.34?
I think I've found the problem now, but not sure about the best way to fix it.

I used Tom Phoenix's perl module Inside to discover that, for some reason, XML::Parser::Expat is installed on my system as:

i686-linux::XML::Parser::Expat (version 2.34) found in /usr/lib/perl5/vendor_perl/5.8.4

I suppose one very difficult way to resolve the problem would be to change all instances of XML::Parser::Expat in the OpenCA code to i686-linux::XML::Parser::Expat, but that seems awfully silly.

Anyone have a suggestion on the best way to resolve this one?

Thanks.

-Kevin
Re: [Openca-Users] Problem compiling: XML::Parser-2.23 important vice 2.34?
On Fri, 2004-08-13 at 03:11, Michael Bell wrote:
> Kevin wrote:
>
> > Or is this the problem?
> > "Can't locate XML/Parser.pm in @INC (@INC contains:
> > ..."
> >
> > I don't see XML/Parser.pm in @INC either. How do I get it there given
> > that I do have this module installed on my system?
>
> You can link it to a directory in you @INC array. Simply run find and
> then create an appropriate link from one of your directories in @INC to
> the file or a directory in the path of this file. The path must look
> exactly like for the original file.
>

Hi again Michael and thanks for your suggestion here. I tried it with the following steps:

tombstone root # cat test.perl
#!/usr/bin/perl
print "[EMAIL PROTECTED] is @INC\n";
tombstone root # ./test.perl
@INC is /etc/perl /usr/lib/perl5/site_perl/5.8.4/i686-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.4/i686-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.4/i686-linux-thread-multi /usr/lib/perl5/5.8.4 /usr/local/lib/site_perl /usr/lib/perl5/site_perl/5.8.2 .
tombstone root # cd /usr/local/lib/site_perl
tombstone site_perl # ln -s \
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux/XML XML
tombstone site_perl # ls -l
total 0
lrwxrwxrwx 1 root root 47 Aug 17 08:50 XML -> /usr/lib/perl5/vendor_perl/5.8.4/i686-linux/XML
tombstone site_perl # cd XML
tombstone XML # ls -l
total 156
drwxr-xr-x 4 root root 4096 Aug 10 13:41 GDOME
-r--r--r-- 1 root root 12554 Aug 10 13:41 GDOME.pm
-r--r--r-- 1 root root 2862 Aug 10 13:41 GDOME.pod
drwxr-xr-x 3 root root 4096 Aug 10 13:54 LibXML
-r--r--r-- 1 root root 31844 Aug 10 09:29 LibXML.pm
-r--r--r-- 1 root root 5338 Aug 10 09:29 LibXML.pod
-r--r--r-- 1 root root 11061 Aug 10 09:29 LibXSLT.pm
drwxr-xr-x 4 root root 4096 Aug 10 08:25 Parser
-r--r--r-- 1 root root 27103 Aug 10 08:25 Parser.pm
drwxr-xr-x 4 root root 4096 Aug 10 09:28 Sablotron
-r--r--r-- 1 root root 29538 Aug 10 09:28 Sablotron.pm
-r--r--r-- 1 root root 7889 Aug 10 09:29 benchmark.pl
tombstone XML # ls -l Parser
total 48
drwxr-xr-x 2 root root 4096 Aug 10 08:25 Encodings
-r--r--r-- 1 root root 33917 Aug 10 08:25 Expat.pm
-r--r--r-- 1 root root 1571 Aug 10 08:25 LWPExternEnt.pl
drwxr-xr-x 2 root root 4096 Aug 10 08:25 Style

So I'm thinking I've successfully linked the perl modules in /usr/lib/perl5/vendor_perl/5.8.4/i686-linux/XML to a directory that is in @INC. However, when I run the ./configure and make commands now, I get a slightly different error:

XML-Twig-3.09/MANIFEST
make[4]: Entering directory `/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
Checking if your kit is complete...
Looks good
Warning: prerequisite XML::Parser 2.23 not found.
Writing Makefile for XML::Twig
make[4]: Leaving directory `/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[4]: Entering directory `/mnt/tmp/working/openca-0.9.2-RC6/src/modules/XML-Twig-3.09'
/usr/bin/perl5.8.4 speedup Twig.pm.slow > Twig.pm
Can't locate loadable object for module XML::Parser::Expat in @INC (@INC contains: ../Digest-SHA1-2.02/blib/lib ../IO-Socket-SSL-0.92/blib/lib /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.4/i686-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.4/i686-linux-thread-multi /usr/lib/perl5/5.8.4 /usr/local/lib/site_perl /usr/lib/perl5/site_perl/5.8.2 .) at /usr/local/lib/site_perl/XML/Parser.pm line 14
Compilation failed in require at /usr/local/lib/site_perl/XML/Parser.pm line 14.
BEGIN failed--compilation aborted at /usr/local/lib/site_perl/XML/Parser.pm line 18.
Compilation failed in require at speedup line 5.
BEGIN failed--compilation aborted at speedup line 5.
make[4]: *** [Twig.pm] Fehler 255
make[4]: Leaving directory `/mnt/tmp/working/openca-0.9.2-RC6/src/modules/XML-Twig-3.09'
make[3]: *** [XML-Twig-3.09] Error 2
make[3]: Leaving directory `/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[2]: *** [modules] Error 2
make[2]: Leaving directory `/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[1]: *** [modules] Error 2
make[1]: Leaving directory `/mnt/tmp/working/openca-0.9.2-RC6/src'
make: *** [src] Error 2

Strangely, when I run make a second time, immediately after getting this error, it does complete successfully. I'm not sure if it's skipping over the portions that caused the failure initially or if it's including them and getting it right the second time or what, but I'd still like to resolve the problem with XML::Parser just on general principle---perha
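Added example (not from the thread or from OpenCA): a shell check for the situation in the message above, where XML/Parser.pm became reachable after linking the XML directory but Perl then reported "Can't locate loadable object for module XML::Parser::Expat". It looks in a list of @INC-style directories for both the .pm file and the compiled object under auto/, which is the part Michael Bell says must be linked too. The directory tree is constructed in a temporary directory, the function names are hypothetical, and the .so suffix assumes Linux.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports whether a compiled (XS)
# Perl module can be loaded from a list of @INC-style directories.

# check_xs_module MODULE DIR...
#   prints "ok", "no-loadable-object" or "no-pm"; returns 0, 1 or 2.
check_xs_module() {
    module=$1
    shift
    # XML::Parser::Expat -> XML/Parser/Expat
    rel=$(printf '%s\n' "$module" | sed 's|::|/|g')
    leaf=${rel##*/}
    have_pm=no
    have_so=no
    for dir in "$@"; do
        # The .pm file and the shared object under auto/ are both looked
        # up relative to the directories in @INC.
        if [ -f "$dir/$rel.pm" ]; then have_pm=yes; fi
        if [ -f "$dir/auto/$rel/$leaf.so" ]; then have_so=yes; fi
    done
    if [ "$have_pm" = no ]; then
        echo no-pm
        return 2
    fi
    if [ "$have_so" = no ]; then
        echo no-loadable-object
        return 1
    fi
    echo ok
}

# make_sample_tree ROOT: constructed layout modelled on the paths in the
# thread. The module lives in an architecture directory that is not in
# @INC, and only its XML directory is linked into a directory that is.
make_sample_tree() {
    root=$1
    arch=$root/vendor_perl/5.8.4/i686-linux
    mkdir -p "$arch/XML/Parser" "$arch/auto/XML/Parser/Expat" "$root/site_perl"
    : > "$arch/XML/Parser/Expat.pm"
    : > "$arch/auto/XML/Parser/Expat/Expat.so"
    ln -s "$arch/XML" "$root/site_perl/XML"
}

# link_auto ROOT: also link the auto/ area into the @INC directory.
link_auto() {
    ln -s "$1/vendor_perl/5.8.4/i686-linux/auto" "$1/site_perl/auto"
}

tmp=$(mktemp -d)
make_sample_tree "$tmp"
echo "XML linked only:  $(check_xs_module XML::Parser::Expat "$tmp/site_perl")"
link_auto "$tmp"
echo "auto linked too:  $(check_xs_module XML::Parser::Expat "$tmp/site_perl")"
rm -rf "$tmp"
```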
[Openca-Users] Problem compiling: XML::Parser-2.23 important vice 2.34?
Hi List-

Thanks very kindly to Johnny Gonzalez for pointing it out to me, and to Kevin Mitcham for writing it, I've been using the OpenCA Cookbook to get myself started. Unfortunately, I'm having problems already. Perhaps I need a different perl module installed. make gives me the following error message:

==
...
XML-Twig-3.09/MANIFEST
make[4]: Entering directory `/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
Checking if your kit is complete...
Looks good
Warning: prerequisite XML::Parser 2.23 not found.
Writing Makefile for XML::Twig
make[4]: Leaving directory `/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[4]: Entering directory `/mnt/tmp/working/openca-0.9.2-RC6/src/modules/XML-Twig-3.09'
/usr/bin/perl5.8.4 speedup Twig.pm.slow > Twig.pm
Can't locate XML/Parser.pm in @INC (@INC contains: ../Digest-SHA1-2.02/blib/lib ../IO-Socket-SSL-0.92/blib/lib ../IO-stringy-2.108/blib/lib ../MIME-tools-5.411/blib/lib ../MailTools-1.58/blib/lib ../Net-Server-0.86/blib/lib ../XML-Twig-3.09/blib/lib ../libintl-perl-1.10/blib/lib ../openca-ac/blib/lib ../openca-configuration/blib/lib ../openca-crl/blib/lib ../openca-crypto/blib/lib ../openca-db/blib/lib ../openca-dbi/blib/lib ../openca-ldap/blib/lib ../openca-log/blib/lib ../openca-openssl/blib/lib ../openca-pkcs7/blib/lib ../openca-req/blib/lib ../openca-session/blib/lib ../openca-statemachine/blib/lib ../openca-tools/blib/lib ../openca-tristatecgi/blib/lib ../openca-ui-html/blib/lib ../openca-x509/blib/lib ../openca-xml-cache/blib/lib ../perl-ldap-0.28/blib/lib ../Digest-SHA1-2.02/blib/arch ../IO-Socket-SSL-0.92/blib/arch ../IO-stringy-2.108/blib/arch ../MIME-tools-5.411/blib/arch ../MailTools-1.58/blib/arch ../Net-Server-0.86/blib/arch ../XML-Twig-3.09/blib/arch ../libintl-perl-1.10/blib/arch ../openca-ac/blib/arch ../openca-configuration/blib/arch ../openca-crl/blib/arch ../openca-crypto/blib/arch ../openca-db/blib/arch ../openca-dbi/blib/arch ../openca-ldap/blib/arch ../openca-log/blib/arch ../openca-openssl/blib/arch ../openca-pkcs7/blib/arch ../openca-req/blib/arch ../openca-session/blib/arch ../openca-statemachine/blib/arch ../openca-tools/blib/arch ../openca-tristatecgi/blib/arch ../openca-ui-html/blib/arch ../openca-x509/blib/arch ../openca-xml-cache/blib/arch ../perl-ldap-0.28/blib/arch /etc/perl /usr/lib/perl5/site_perl/5.8.4/i686-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.4/i686-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.4/i686-linux-thread-multi /usr/lib/perl5/5.8.4 /usr/local/lib/site_perl /usr/lib/perl5/site_perl/5.8.2 .) at speedup line 5.
BEGIN failed--compilation aborted at speedup line 5.
make[4]: *** [Twig.pm] Fehler 2
make[4]: Leaving directory `/mnt/tmp/working/openca-0.9.2-RC6/src/modules/XML-Twig-3.09'
make[3]: *** [XML-Twig-3.09] Error 2
make[3]: Leaving directory `/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[2]: *** [modules] Error 2
make[2]: Leaving directory `/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[1]: *** [modules] Error 2
make[1]: Leaving directory `/mnt/tmp/working/openca-0.9.2-RC6/src'
make: *** [src] Error 2
tombstone openca-0.9.2-RC6 # epm -q XML-Parser
XML-Parser-2.34
==

It looks like make wants XML::Parser 2.23 and I have XML::Parser-2.34. Is this an important dependency? I mean, does 2.34 lose something that 2.23 has? If not, can someone offer any hints as to how to get around this?
I configured with Kevin's configure line (or very near to it):

tombstone openca-0.9.2-RC6 # ./configure --prefix=/usr/local/openra --with-httpd-user=apache --with-httpd-group=apache --with-openca-prefix=/usr/local/openra/openca --with-etc-prefix=/usr/local/openra/openca/etc --with-httpd-fs-prefix=/usr/local/openra/httpd --with-module-prefix=/usr/local/openra/modules --with-node-prefix=ra-node --with-engine=no --with-web-host=gnosys.gnosys.us --enable-ocspd --enable-dbi --enable-rbac --with-hierarchy-level=ra

Or is this the problem?

"Can't locate XML/Parser.pm in @INC (@INC contains: ..."

I don't see XML/Parser.pm in @INC either. How do I get it there given that I do have this module installed on my system?

Any thoughts? Thanks!

-Kevin
Re: [Openca-Users] Re: images in openca-guide.pdf (was Re: Typo in openca-guide?)
On Thu, 2004-08-12 at 11:32, Michael Bell wrote:
> Hi Kevin,
>
> I finally found a solution. I installed JAI into my Apache FOP and now I
> can compile working PDF files by using JPEG and PNG. Actually I'm
> committing new versions of the openca guide.
>
> Michael

Cool! Thanks for letting me know.

-Kevin
[Openca-Users] Re: images in openca-guide.pdf
On Thu, 2004-08-12 at 10:18, Kevin wrote:
> On Thu, 2004-08-12 at 09:29, Michael Bell wrote:
> > BTW if I look at openca-guide.pdf with gv then I see the images. If
> > somebody can explain this then this would help a lot to fix the problems
> > with acrobat reader.
>
> ...
> I'm gonna upgrade to the latest available in Gentoo portage right now to
> see if that helps:
> [ebuild U ] app-text/gv-3.5.8-r4 [3.5.8-r2] 0 kB
> [ebuild U ] app-text/xpdf-3.00-r1 [2.03] -cjk +motif 522 kB
> [ebuild U ] app-text/acroread-5.09 [5.08] -cjk 9,066 kB
>
> I'll post my results.
>

After the upgrades, I get the same results as before. Not sure what else it could be...

-Kevin
[Openca-Users] Re: images in openca-guide.pdf (was Re: Typo in openca-guide?)
On Thu, 2004-08-12 at 09:29, Michael Bell wrote:
> Kevin wrote:
>
> > "The data exchange between such isolated databases can be handled
> > automatically if you use a distributed database system but in the sense
> > of OpenCA such a distributed database system is only on database in our
> > tree." ^^
> >
> > Is this word, "on" supposed to be "one"?
>
> You are right. "one" is correct.
>

Thanks.

> BTW if I look at openca-guide.pdf with gv then I see the images. If
> somebody can explain this then this would help a lot to fix the problems
> with acrobat reader.
>

I used xpdf and acrobat reader and saw no images (using the guide from openca-0.9.2-RC6). When I used gv, I saw the black-and-white line drawings, but not the color drawing of the life-cycle of objects that I see in the .html file with a web browser. Actually, when I turned to the page for the life-cycle of objects in gv, I saw a very brief (<1 second) flash of the color drawing but then it disappeared and the page was blank.

I'm using the following versions of the pdf viewers:

acroread-5.08
xpdf-2.03
gv-3.5.8-r2

I'm gonna upgrade to the latest available in Gentoo portage right now to see if that helps:

[ebuild U ] app-text/gv-3.5.8-r4 [3.5.8-r2] 0 kB
[ebuild U ] app-text/xpdf-3.00-r1 [2.03] -cjk +motif 522 kB
[ebuild U ] app-text/acroread-5.09 [5.08] -cjk 9,066 kB

I'll post my results.

-Kevin
Re: [Openca-Users] Single computer installation of OpenCA
At the Dartmouth PKI lab, we spent a good bit of time working on a very easy initial setup for single-server OpenCA. We eventually generated a CD image with a script to help set up the initial versions. It generates a minimal (and not secure) CA that should be enough to get people started. You can learn more at http://www.dartmouth.edu/%7Edeploypki/CA/InstallOpenCALiveCD.html

Hope this helps. I've been mostly moved on to other projects, and so haven't been following the list as closely as I'd like to.

Kevin
Re: [Openca-Users] Single computer installation of OpenCA
On Thu, 2004-08-12 at 08:01, Johnny Gonzalez wrote:
> Hello Kevin,
>
> I suggest you to read a document made by another Kevin, "Kevin
> Mitcham", He wrote a document called OpenCA Cookbook, this document
> covers all the steps to configure and install OpenCA versions 0.9.2.X,
> read it and all of your questions, related to the installation
> process, will be solved.
>
> The link to Kevin Mitcham's Posting to the mail archive is:
>
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html
>
> Hope this will help you,
>
>
> Johnny Gonzalez L.

Hi Johnny-

This looks very helpful! Thanks, I'll study it in detail before posting again.

-Kevin
Re: [Openca-Users] Single computer installation of OpenCA
On Wed, 2004-08-11 at 19:34, Kevin wrote:
> On Wed, 2004-08-11 at 18:52, Ives Steglich wrote:
> > Kevin wrote:
> > > Hi List-
> > >
> > > I've been studying the openca-guide.pdf file in the openca-SNAP-20040730
> > > tarball (Is this the latest non-CVS source? If not, where's the best
...
> > > of complexity. Is there some way to get the full functionality of
> > > OpenCA in a test environment by installing everything on one computer?
> > >
> > yes you can simply install everything on one system
> > just use different directories for ca and pub stuff
> >
>
> Sorry if I'm being dense here, but how does this translate into
> ./configure options and/or make targets?
>
> By "use different directories" do you mean while setting the configure
> options? (ie. --with-ca-prefix=DIR, --with-node-prefix=NODEPREFIX,
> --with-ra-prefix=DIR, etc.) or something else. It looks like these all
> default to different values anyway... Am I missing something?
>

I'm reading the guide again with the benefit of the images, and it occurs to me that my question here may not be clear so I'll try to clarify.

Section 4.2.1 (How to setup two management interfaces on one server?---Online Components) of the guide reads as follows:

"The first installation uses only the normal steps - ./configure --with-node-prefix=online_node --with-your-options, make, make test, make install-online, edit OPENCADIR/etc/config.xml and OPENCADIR/etc/configure_etc.sh. Please use your options to configure the software and use the hierarchy level ra."

I have a better understanding of the word "node" in this context, but I'm still not sure I have a complete understanding of it. Michael explained that "management interface" and "node interface" are the same, and it is used for data exchange, and I see the images depicting the node in the design part of the guide, but I'd like to ask some questions to confirm my understanding (or correct it).

The configure options above use the literal string, "online_node", and below in section 4.2.2 (Offline Components) the literal string "offline_node". If a node is a management interface, can the string be any arbitrary string in this "--with-node-prefix" configure option? Or must it match the hostname of the computer or some other parameter? How are these node-prefixes used later by the software?

If I install everything on one server computer, is the node-prefix "online_node" (as used in the configure step above) associated with a TCP port or a unix domain socket that is open on the computer (and perhaps another TCP port or socket for the string "offline_node") (this is what I think of when I read, "interface") or is it just a hyperlink by the name of "online_node" in a web page generated by the software for doing management/data exchange tasks with a browser or what?

If the node-prefix can be any arbitrary string, is there a typical value that is used for it? Are the strings "online_node" and "offline-node" ok for that? Do these strings become part of the certificates issued by OpenCA?

> > you will then have full functionality as if both parts were on separate
> > systems - the only thing that's different - the dataexchange between them
> > would happen at the local filesystem (you have to change the path at
> > config.xml usually set to /dev/fd0)
> >
> > you can even install ca and pub components to the same directory, then
> > you don't have to do dataexchange for the first testing steps... (so no
> > node interfaces is actually used)
> >
>
> Again, how does this translate into ./configure options and/or make
> targets? Would I just run:
> ./configure (but what options... or are there any special options for a
> single-computer installation?... I realize of course that there are many
> options that relate to my httpd and so forth, but I mean those that are
> specifically for OpenCA related to a single-computer installation... or
> are there any?)
> make
> make test
> make install-ca
> make install-ext
> any others?
>
> What about:
> install-ldap
> install-node
> etc.
>
> And exactly what is meant by "node" here (a computer?)?
>
> > i will send some scripts tomorrow - which can be used
> > to setup a simple testing system and also generates the necessary
> > apache.conf entries - which can be simply included then
> >
>
> Thank you, dalani!
>
> -Kevin
>

I guess my other questions still stand. Please pardon me if I'm being dense here. At first blush, installing OpenCA looks a bit more complicated than the typical server s
[Openca-Users] Typo in openca-guide?
Hi List-

Really quick question:

Section 1 of the guide "Basic Hierarchy" reads in part...

"The data exchange between such isolated databases can be handled automatically if you use a distributed database system but in the sense of OpenCA such a distributed database system is only on database in our tree." ^^

Is this word, "on" supposed to be "one"? I can make sense of either sentence but in my first read of this, I assumed it was supposed to be a "one" and also assumed that the images in openca-guide.pdf were missing because they had yet to be added. Michael Bell pointed me to the openca-guide.html and now I see the images, but just thought I would double-check this typo, if that's what it is.

Thanks.

-Kevin
Re: [Openca-Users] Single computer installation of OpenCA
On Thu, 2004-08-12 at 02:47, Oliver Welter wrote:
> Hi Kevin,

Hi Oliver.

> have a look at the "openca-guide.pdf" in the docs directory. There is a
> chapter about installation and a brief description how to install both
> interfaces onto one directory

Yes, I studied that pretty thoroughly, and my questions actually arose from doing so. Thanks for your reply, Oliver.

> Oliver
>

On Thu, 2004-08-12 at 03:24, Michael Bell wrote:
> Kevin wrote:
> > ... and it's becoming clear that a typical test
> > installation of the OpenCA software involves two separate server
> > computers: one connected to a network (CA?) and the other NOT connected
> > to a network (RA?).
>
> Small security warning - the CA is OFFLINE and the RA stuff is online.
>

Ah! Ok. Thanks for pointing that out.

> > 4.2 How to setup two management interfaces on one server?
> >
> > Exactly what is meant by "management interface" here? Probably not
> > "Network Interface" (as in Network Interface Card)... perhaps "Web
> > Interface"? (as in, a different TCP port for each management function)?
> > I'm guessing that if I can learn this part, my first question will be
> > moot.
>
> The management interface is the node interface. It is used for
> dataexchange. Please take a look at the pictures in the Design part of
> the OpenCA guide. BTW if the images in openca-guide.pdf are still broken
> then please use the HTML version of the guide. It looks like I have a
> problem with Apache FOP.
>

Yes, the images are still broken in openca-guide.pdf. I saw the references to them, but assumed that they were meant to be added later. Thanks for explaining this.

-Kevin
Re: [Openca-Users] Single computer installation of OpenCA
On Wed, 2004-08-11 at 18:52, Ives Steglich wrote:
> Kevin wrote:
> > Hi List-
> >
> > I've been studying the openca-guide.pdf file in the openca-SNAP-20040730
> > tarball (Is this the latest non-CVS source? If not, where's the best
> > place to get the tarballs with openca.org down?) and looking at the
> > README and INSTALL files, and it's becoming clear that a typical test
> > installation of the OpenCA software involves two separate server
> > computers: one connected to a network (CA?) and the other NOT connected
> > to a network (RA?). Since this will be my first installation and
> > strictly for my own testing purposes, I don't need (or want) that degree
> > of complexity. Is there some way to get the full functionality of
> > OpenCA in a test environment by installing everything on one computer?
> >
> yes you can simply install everything on one system
> just use different directories for ca and pub stuff
>

Sorry if I'm being dense here, but how does this translate into ./configure options and/or make targets?

By "use different directories" do you mean while setting the configure options? (ie. --with-ca-prefix=DIR, --with-node-prefix=NODEPREFIX, --with-ra-prefix=DIR, etc.) or something else. It looks like these all default to different values anyway... Am I missing something?

> you will then have full functionality as if both parts were on separate
> systems - the only thing that's different - the dataexchange between them
> would happen at the local filesystem (you have to change the path at
> config.xml usually set to /dev/fd0)
>
> you can even install ca and pub components to the same directory, then
> you don't have to do dataexchange for the first testing steps... (so no
> node interfaces is actually used)
>

Again, how does this translate into ./configure options and/or make targets? Would I just run:

./configure (but what options... or are there any special options for a single-computer installation?... I realize of course that there are many options that relate to my httpd and so forth, but I mean those that are specifically for OpenCA related to a single-computer installation... or are there any?)
make
make test
make install-ca
make install-ext
any others?

What about:
install-ldap
install-node
etc.

And exactly what is meant by "node" here (a computer?)?

> i will send some scripts tomorrow - which can be used
> to setup a simple testing system and also generates the necessary
> apache.conf entries - which can be simply included then
>

Thank you, dalani!

-Kevin
[Openca-Users] Single computer installation of OpenCA
Hi List-

I've been studying the openca-guide.pdf file in the openca-SNAP-20040730 tarball (Is this the latest non-CVS source? If not, where's the best place to get the tarballs with openca.org down?) and looking at the README and INSTALL files, and it's becoming clear that a typical test installation of the OpenCA software involves two separate server computers: one connected to a network (CA?) and the other NOT connected to a network (RA?). Since this will be my first installation and strictly for my own testing purposes, I don't need (or want) that degree of complexity. Is there some way to get the full functionality of OpenCA in a test environment by installing everything on one computer?

A possibly-related question is about the guide itself. It reads as follows:

4.2 How to setup two management interfaces on one server?

Exactly what is meant by "management interface" here? Probably not "Network Interface" (as in Network Interface Card)... perhaps "Web Interface"? (as in, a different TCP port for each management function)? I'm guessing that if I can learn this part, my first question will be moot.

I browsed the list archives for this question but didn't see it. Apologies if it's been asked before.

Thanks.

-Kevin
[Openca-Users] How to reach Massimiliano Pala
Hi All-

I've been trying to send a non-list-type (ie. personal) email to Massimiliano Pala (at [EMAIL PROTECTED]), but my MTA is reporting that the destination MTA is refusing the message. Here's the error:

Hi. This is the qmail-send program at smtpout01-04.mesa1.secureserver.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[EMAIL PROTECTED]>:
217.133.34.6 does not like recipient.
Remote host said: 550 5.7.1 <[EMAIL PROTECTED]>... Relaying denied
Giving up on 217.133.34.6.

Does anyone here know how I can reach him via email?

TIA.

-Kevin
[Openca-Users] OpenCA cookbook
I've been working on getting some documents and files together to make an easy installation of OpenCA. Here is what I've got so far. I realize it isn't setting things up in the most secure fashion, but I'm hoping to help folks get past the initial steps before getting more complicated. I'd appreciate any comments or pointers about what might be wrong or unclear in this document.

Thanks

to install from source
(actual commands marked with a "*")
(We ran on Debian "unstable")
(assumes an apache install using default options)

download new tarball from
http://prdownloads.sourceforge.net/openca/openca-0.9.2-RC4.tar.gz?use_mirror=unc
into a source directory

Alternately, get the latest snapshot
We are currently running a snapshot from a couple of weeks ago; RC4 actually gave me some problems.

* gunzip openca-0.9.2-RC4.tar.gz
* tar xvf openca-0.9.2-RC4.tar
* make distclean

first install the ra (may want to update the web-host value)

* ./configure \
    --prefix=/usr/local/openra \
    --with-httpd-user=www-data \
    --with-httpd-group=www-data \
    --with-openca-prefix=/usr/local/openra/openca \
    --with-etc-prefix=/usr/local/openra/openca/etc \
    --with-httpd-fs-prefix=/usr/local/openra/httpd \
    --with-module-prefix=/usr/local/openra/modules \
    --with-node-prefix=ra-node \
    --with-engine=no \
    --with-web-host=localhost \
    --enable-ocspd \
    --enable-dbi \
    --enable-rbac \
    --with-hierarchy-level=ra
* make
* make install-online

Now for the CA (may want to update the web-host value)

* make distclean
* ./configure \
    --prefix=/usr/local/openca \
    --with-httpd-user=www-data \
    --with-httpd-group=www-data \
    --with-openca-prefix=/usr/local/openca/openca \
    --with-etc-prefix=/usr/local/openca/openca/etc \
    --with-httpd-fs-prefix=/usr/local/openca/httpd \
    --with-module-prefix=/usr/local/openca/modules \
    --with-node-prefix=ca-node \
    --with-engine=no \
    --with-web-host=localhost \
    --enable-ocspd \
    --enable-dbi \
    --enable-rbac \
    --with-hierarchy-level=ca
* make
* make install-offline

create the DB:

* mysql -uroot -p mysql
    create database openca;
    create database openra;
    grant all privileges on openca.* to [EMAIL PROTECTED] identified by "openca";
    grant all privileges on openra.* to [EMAIL PROTECTED] identified by "openra";

test the DB

* mysql -uopenca -p
    use openca
    show tables;
    (should return empty set, as DB is empty)
    exit;
* mysql -uopenra -p
    use openra
    show tables;
    (should return empty set, as DB is empty)
    exit;

edit the apache httpd.conf (location varies, but this is the apache config file)

in the script aliases section, add:

# OpenCA Mods
# CA Aliases
Alias /ca /usr/local/openca/httpd/htdocs/ca/
Alias /ca-node /usr/local/openca/httpd/htdocs/ca-node/
ScriptAlias /cgi-bin/ca/ /usr/local/openca/httpd/cgi-bin/ca/
ScriptAlias /cgi-bin/ca-node/ /usr/local/openca/httpd/cgi-bin/ca-node/

# OpenCA Mods
# RA Aliases
Alias /ra /usr/local/openra/httpd/htdocs/ra/
Alias /pub /usr/local/openra/httpd/htdocs/pub/
Alias /ra-node /usr/local/openra/httpd/htdocs/ra-node/
ScriptAlias /cgi-bin/ra/ /usr/local/openra/httpd/cgi-bin/ra/
ScriptAlias /cgi-bin/pub/ /usr/local/openra/httpd/cgi-bin/pub/
ScriptAlias /cgi-bin/ra-node/ /usr/local/openra/httpd/cgi-bin/ra-node/

# OpenCA Mods
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all

AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all

AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all

AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all

# OpenCA Mods
# adding dir to symlinks following for cert retrieval
# not totally clear WHY openca puts a symlink here, but it did.
AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all

modify the config.xml for the ra (located in /usr/local/openra/openca/etc)

Now onto the config.xml, for the ca and the ra.

for the CA:

general options
ca_organization
ca_locality
ca_country
service_mail_account (set to [EMAIL PROTECTED])
dbmodule -> DBI
for the mysql database
db_type -> mysql
db_name -> openca
db_host -> localhost (or whatever)
db_port -> 3306 (the mysql default port)
db_user -> openca
db_passwd -> XXX

configuration of absolute paths
(as needed. once again, looks like some of the work is already done)

dataexchange configuration
de-activate default, by adding comment brackets
activate mode 1, node acts as CA only by removing comment brackets

configuration of relative paths
(as needed. Not done first time through due to error)
(these might not be in config.xml; if not, see below)
dataexchange_device_up /usr/local/openca/openca/var/tmp/ca-up
dataexchange_device_down /usr/loc
[Openca-Users] problem starting openca
Using RC4, I'm having the following problem starting up the server:

[EMAIL PROTECTED]:/usr/local/openra/openca/etc# ./openca_start
Content-Type: text/html

PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";> http://www.w3.org/1999/xhtml"; lang="C" xml:lang="C">Configuration Error
Error 690
Configuration Error. Cannot initialize OpenCA::DBI class! The database returns errorcode 0. (Success (error 10070: __OLD__ERRVAL__)).
OpenCA: Error Trapped: Cannot initialize OpenCA::DBI class! The database returns errorcode 0. (Success (error 10070: __OLD__ERRVAL__)) at /usr/local/openra/modules/perl5/OpenCA/UI/HTML.pm line 147, line 88.
Compilation failed in require at /usr/local/openra/openca/lib/servers/ra-node/functions/initServer line 207, line 88.
Compilation failed in require at ./openca_start line 62, line 88.

I've checked and re-checked the Database part of the config.xml, and it all seems good to me. Any hints from the more experienced parts of the world?

Kevin
[Openca-Users] Problem sending CRIN-Mail
To fix this bug, I replaced line 2576 in OpenSSL.pm

    $smime->encrypt(CERTIFICATE => $sign_x509)

with

    $smime->encrypt(CERTIFICATE => $enc_x509)

I was having the same problem with unreadable CRIN-mail, and so I updated the file with this fix and re-installed OpenCA. Unfortunately, now the RA won't send email at all. I have confirmed that send_mail_automatic is set to yes, and that sendmail is configured correctly. I can send the generated crin mails (from var/temp/mail/crins) by hand, but they are still unreadable.

The problem is mostly just an annoyance at this point, as we have another (later) version of OpenCA running, and generating CRIN-mail correctly.

Are the CRIN-mail messages the only way to revoke certificates? Is there a way for the admin to revoke a certificate without having the CRIN code: [ revocation pin ]? Or to find out the CRIN code? For example, to revoke the certificate of a user who is no longer affiliated with the CA organization.

Kevin
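The one-line change quoted in the message above swaps the certificate handed to `$smime->encrypt`. The shell script below is an added example, not code from OpenCA or from the poster: it assumes, from the variable names alone, that `$sign_x509` is the sender's signing certificate and `$enc_x509` the recipient's encryption certificate, and it uses the `openssl smime` command with two throwaway identities (`ra_signer` and `user`, both hypothetical) to show why mail encrypted to the wrong certificate is unreadable for its recipient.

```shell
#!/bin/sh
# Added illustration (not OpenCA code): an S/MIME message can only be opened
# with the private key that matches the certificate given to the encrypt step.
# All identities and the mail body are constructed test data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_identity NAME: throwaway self-signed certificate and key for NAME.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# encrypt_for NAME: encrypt the sample mail to NAME's certificate.
encrypt_for() {
    openssl smime -encrypt -aes256 -binary -in "$WORK/mail.txt" \
        -out "$WORK/for-$1.p7m" "$WORK/$1.crt"
}

# can_read TARGET READER: succeeds only if READER's key opens the mail that
# was encrypted for TARGET and the plaintext marker comes back intact.
can_read() {
    openssl smime -decrypt -in "$WORK/for-$1.p7m" -recip "$WORK/$2.crt" \
        -inkey "$WORK/$2.key" -out "$WORK/plain-$2.txt" 2>/dev/null \
        && grep -q 'constructed-revocation-pin' "$WORK/plain-$2.txt"
}

# setup: build both identities and both variants of the encrypted mail.
setup() {
    make_identity ra_signer   # hypothetical: the RA's signing identity
    make_identity user        # hypothetical: the certificate owner
    printf 'Subject: CRIN\n\nconstructed-revocation-pin 0000\n' > "$WORK/mail.txt"
    encrypt_for ra_signer     # assumed effect of CERTIFICATE => $sign_x509
    encrypt_for user          # assumed effect of CERTIFICATE => $enc_x509
}

# report: can the user read each variant with their own key?
report() {
    for target in ra_signer user; do
        if can_read "$target" user; then verdict=readable; else verdict=unreadable; fi
        echo "mail encrypted to $target certificate: $verdict by user"
    done
}

setup
report
```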
[Openca-Users] Certificate Renewal
I'm unclear on how OpenCA handles renewing User certificates. Is it even possible? Where is it handled in the GUI?

Thanks

Kevin
Re: [Openca-Users] RA CSR upload problems
The best part about stupid problems is that the solutions are often easy and quick. Fixing the config.xml file solved the problem immediately, thank you very much.

Kevin

Michael Bell wrote:

Kevin Mitcham wrote:

I'm having trouble uploading CSRs from my RA to the CA. I submit the request, and approve it without signing, and everything seems to work. However, when I go to the RA-Node/dataexchange to "upload data to a higher level" the export file is empty (except for the directory structure and module.id file)- no certificate requests are exported. I'm trying to run it down in the source code myself, and failing. Any suggestions? I am running a snapshot from CVS as of April 18th-essentially RC4.

Did you correctly choose the appropriate configuration template for the dataexchange in config.xml before you are running configure_etc.sh on the RA and on the CA? OpenCA's dataexchange does not export or import anything if you don't change the used template in config.xml. We must do this for security reasons to avoid impacts into the infrastructure of the CA.

Best regards

Michael
[Openca-Users] RA CSR upload problems
I'm having trouble uploading CSRs from my RA to the CA. I submit the request, and approve it without signing, and everything seems to work. However, when I go to the RA-Node/dataexchange to "upload data to a higher level" the export file is empty (except for the directory structure and module.id file)- no certificate requests are exported. I'm trying to run it down in the source code myself, and failing. Any suggestions? I am running a snapshot from CVS as of April 18th-essentially RC4.

Kevin
Re: [Openca-Users] Re: Re: Phase II - Error 'Cannot encrypt PIN-mail' - Issue the certificate
Kevin Mitcham wrote:

I've got a complete new CVS snapshot, and I'm still getting the same error message.

Error 6794
General Error. Cannot encrypt PIN-mail! Aborting! OpenCA::OpenSSL returns errorcode 8012006 (OpenCA::OpenSSL::SMIME->encrypt: unknown problem encrypting (11). )..

Michael Bell wrote:

This looks definitely like an OpenSSL crash. Errorcode 11 means crypto lib failed. This is a direct errorcode from OpenSSL. Can you downgrade to 0.9.7c please and try it with this version?

We reinstalled with 0.9.7c, and seem to have moved past this problem. Hopefully we will get a little more along before we need more help. Thanks for the advice.

Kevin Mitcham
Re: [Openca-Users] Re: Re: Phase II - Error 'Cannot encrypt PIN-mail' - Issue the certificate
It is necessary to install at minimum the whole stuff from src/modules/openca-openssl again. The better way is to replace the two files in the source and then to make and install again. Usually such an update does not overwrite any existing data or configuration.

BTW we moved our deadline to 13 o'clock CEST but then I tag RC4 on CVS. So I think there will be a new RC available via CVS and SourceForge at 15 o'clock CEST. This is GMT/UTC+2.

I've got a complete new CVS snapshot, and I'm still getting the same error message.

Error 6794
General Error. Cannot encrypt PIN-mail! Aborting! OpenCA::OpenSSL returns errorcode 8012006 (OpenCA::OpenSSL::SMIME->encrypt: unknown problem encrypting (11). )..
Re: [Openca-Users] Re: Re: Phase II - Error 'Cannot encrypt PIN-mail' - Issue the certificate
I am getting this same error when I try to generate the initial administrator certificate. The Certificate is being generated, but the error shows up.

Error 6794
General Error. Cannot encrypt PIN-mail! Aborting! OpenCA::OpenSSL returns errorcode 8012006 (OpenCA::OpenSSL::SMIME->encrypt: unknown problem encrypting: )..

Michael Bell wrote:

Can you try CVS versions from OpenSSL.pm and SMIME.pm please? OpenSSL.pm v1.108 and SMIME.pm v1.7 have a better errordetection. They can detect installation problems so that we can reduce the number of possible errors. I think this is the only way to solve your problem.

Is that a simple file replace, or is there more to updating the files than that? Should I get an entirely new snapshot? I tried the simple file replace, and generated errors when I tried to restart openca (output slightly modified to hide path info):

# ./openca_start
OpenCA::OpenSSL object version 0.9.103 does not match bootstrap parameter 0.9.108 at /usr/lib/perl/5.8/XSLoader.pm line 91.
Compilation failed in require at /modules/perl5/OpenCA/AC.pm line 557.
BEGIN failed--compilation aborted at /modules/perl5/OpenCA/AC.pm line 557.
Compilation failed in require at /openca/lib/servers/node/functions/initServer line 23.
BEGIN failed--compilation aborted at /openca/lib/servers/node/functions/initServer line 23.
Compilation failed in require at ./openca_start line 49.
Re: [Openca-Users] Re: Re: Phase II - Error "Cannot encrypt PIN-mail" - Issue the certificate
Kevin Mitcham wrote:

I am getting this same error when I try to generate the initial administrator certificate. The Certificate is being generated, but the error shows up.

Error 6794
General Error. Cannot encrypt PIN-mail! Aborting! OpenCA::OpenSSL returns errorcode 8012006 (OpenCA::OpenSSL::SMIME->encrypt: unknown problem encrypting: )..

I can't seem to find the correct place to add the suggested debug lines.

Michael Bell wrote:

Perhaps you have this problem too because of an installation bug. The tool openca-sv was installed to exec_prefix but the path in token.xml was set to prefix. Please check that the path to openca-sv is correct in token.xml. We updated OpenSSL.pm and SMIME.pm to return better errormessages. RC4 will report a wrong path correctly.

Michael

We have updated/patched the local OpenSSL (0.9.7d 17 Mar 2004) as per the earlier note, and I checked the token.xml path to openca-sv. So far as I can tell, it is correct. The values point to the actual location of openca-sv.

-rwxr-xr-x 1 root root 321762 Apr 8 14:30 /usr/local/openca.0.9.2/bin/openca-sv

Restarting the server, apache and the entire machine after the patch didn't resolve the issue either.

Kevin
Re: [Openca-Users] Re: Re: Phase II - Error "Cannot encrypt PIN-mail" - Issue the certificate
I am getting this same error when I try to generate the initial administrator certificate. The certificate is being generated, but the error shows up.

Error 6794 General Error. Cannot encrypt PIN-mail! Aborting! OpenCA::OpenSSL returns errorcode 8012006 (OpenCA::OpenSSL::SMIME->encrypt: unknown problem encrypting: )..

I can't seem to find the correct place to add the suggested debug lines.

I am running openca-0.9.2-RC3:

Module          Version
OpenSSL         0.9.103
Tools           0.4.3
DB              0.9.99
Configuration   1.5.3
TRIStateCGI     1.5.5
REQ             0.9.54
X509            0.9.52
CRL             0.9.22
PKCS7           0.9.17

and the config is as follows:

./configure \
  --prefix=${PREFIX} \
  --with-httpd-user=www-data \
  --with-httpd-group=www-data \
  --with-openca-prefix=${PREFIX}/openca \
  --with-etc-prefix=${PREFIX}/openca/etc \
  --with-httpd-fs-prefix=${PREFIX}/httpd \
  --with-module-prefix=${PREFIX}/modules \
  --with-engine=no \
  --with-web-host=openca.dartmouth.edu \
  --with-ca-organization="Dartmouth" \
  --with-ca-country=US \
  --with-ca-locality=Hanover \
  --enable-ocspd \
  --enable-dbi \
  --with-db-host=openca.dartmouth.edu \
  --with-db-port=3306 \
  --with-db-user=openca \
  --with-db-passwd=Wah7Eegh \
  --disable-rbac \
  --with-hierarchy-level=ra \
  --with-service-mail-account="[EMAIL PROTECTED]" \
  --enable-update-ldap-automatic

Any hints/clues? Thanks.

Kevin Mitcham
Dartmouth PKI Lab
[Openca-Users] online.conf file
I'm having trouble finding the online.conf file, which is referenced in several of the documents as part of the configuration of the ldap. I'm looking in the servers/ directory, and the online.conf file is not present. Do I need to create it manually, or should it have been generated by the install?

Kevin Mitcham
Dartmouth PKI Lab
Re: [Openca-Users] HSM with OpenCA
Has anyone used the ncipher devices with openca?

--- Adam Tresch <[EMAIL PROTECTED]> wrote:
> Hi Chris,
>
> i have tested the OpenCA with Luna SA on Solaris and received success.
> This version of HSM can be used with all of the OpenCA components as a WEB Server accelerator/key store and of course as a Root key store.
> These devices are fast enough to handle a lot of transactions per second and possible to use in HA environment also if needed.
>
> i have planned to test the luna 2 device also, but it is not a root key store token, because is secure enough for a production system, but for testing and some small medium level security is good enough.
>
> The Luna SA installation is almost the same as the luna CA3 installation, only some commands are different.
>
> If you have additional questions do not hesitate... :-)
>
> Adam
>
> On Mon, 2003-10-20 at 17:45, Chris Covell wrote:
> > Hello there,
> >
> > we are keen to use an HSM with OpenCA, looking back through the archives it seems that some people say they have the Chrysalis Luna CA3 working and also ChrysalisITS LunaSA. There has been mention of the Luna 2 token also.
> >
> > I am keen to learn more about these devices before we go and buy one !!! So am keen to talk with someone with some real world experience of using these devices. My questions are ...
> >
> > * Which devices have people really got working ?
> >
> > * What platforms are they using (SUN/Solaris, Linux etc) ?
> >
> > * Are there any gotchas or undocumented problems ?
> >
> > * OpenCA version. I am running 0.9.1-1 in production do these devices only work with v0.9.2 ?
> >
> > Chris...
Re: [Openca-Users] Smartcard Logon to Windows 2000 domain using OpenCA certification authority
I ran into this problem with one client. Unfortunately, AD made it so difficult, even using something as broad as a standard issue DoD certificate some work had to be done by hand. If you are hoping for an automated approach check out a product named simplesync ( http://www.cps-systems.com/products/default.asp ). It works great for syncing up data between ldap and AD and I know at one point had worked with them to do Windows Single Sign on with smartcard and CAC cards, so it may do the trick for you. I think the product is about $10k or so but well worth the money.

kb

ps- if you mention I sent you that way they may get you a better price, but feel free to email me privately if you have any further questions.

Gambin Dejan <[EMAIL PROTECTED]> wrote:

Hello,

I would like to explain and share with you my problems regarding Smartcard logon to Windows 2000 domain using OpenCA.

There is a document in Microsoft knowledge base defining the requirements a Domain Controller (DC) has to have to be able to accept smartcard users logon to domain. The problem is that DC certificate must have some specific extensions and/or their values, the most important are:

1. A DC certificate must have the subject alternative name extension with other name=GUID of DC and DNS name=DNS name of DC.
2. It must have a specific "Certificate template" extension with bmp value "DomainController"

Now, the problem is that I didn't know how to incorporate it in OpenCA ext file, so I had to use ASN.1 OIDS for this. I have exported a DC certificate issued by Microsoft CA, parsed it with asn1parse utility and exported the required extension into DER file. Then I did a hex dump of the DER file and copied the result in the OpenCA ext file after the: subjectAltName=DER: and 1.3.6.1.4.1.311.20.2=DER: (the last is the OID of certificate template extension)

The second and bigger problem is in issuing the certificate for the smartcard user. This certificate is also specific:

1. It must have the subject alternative name extension with other name = principal name = principal_name_of_the_user (for example [EMAIL PROTECTED]).
2. It must have a specific "Certificate template" extension with bmp value "SmartcardUser" (or "SmartcardLogon").

I have solved this problem in a similar way to the one described above, but the problem remains: How can I automate this for issuing certificates to many different users? Obviously, something has to be done on OpenCA side to simplify this such that administrator can choose the Domain user and generate a certificate from him. Since OpenCA uses LDAP, there must be some kind of integration between LDAP and Active Directory, and subjectAltName parameter in OpenCA ext file has to be filled automatically with the principal name of the chosen user.

I would like to know is there anyone who has been playing with this and maybe solved the problem in some practical manner? Is there any plans or activities for doing it in the future?

I would appreciate any suggestion I can get

Best regards
Dejan Gambin
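The hex-dump step described in the quoted message can be generated per user instead of copied by hand. The following is an added example, not part of the thread and not OpenCA code: a minimal DER encoder that produces the `subjectAltName=DER:` and `1.3.6.1.4.1.311.20.2=DER:` lines for a smartcard user and for a domain controller. The otherName OIDs for the UPN (1.3.6.1.4.1.311.20.2.3) and the DC GUID (1.3.6.1.4.1.311.25.1) are Microsoft's published values and do not appear on the page; the sample names are constructed, and the GUID is assumed to be supplied as the 16 raw bytes read from the directory.

```python
"""DER values for the certificate extensions discussed in the thread (added example)."""

TEMPLATE_OID = "1.3.6.1.4.1.311.20.2"   # certificate template extension (from the thread)
UPN_OID = "1.3.6.1.4.1.311.20.2.3"      # Microsoft UPN otherName (not on the page)
DC_GUID_OID = "1.3.6.1.4.1.311.25.1"    # Microsoft DC GUID otherName (not on the page)


def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """One tag-length-value triple."""
    return bytes([tag]) + der_len(len(value)) + value


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs share one byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID: {dotted}")
    out = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def bmp_string(text):
    """BMPString (tag 0x1E): two bytes per character, big-endian."""
    if any(ord(c) > 0xFFFF for c in text):
        raise ValueError("BMPString cannot hold characters outside the BMP")
    return tlv(0x1E, text.encode("utf-16-be"))


def other_name(oid, value_tlv):
    """GeneralName otherName: [0] IMPLICIT { type-id, [0] EXPLICIT value }."""
    return tlv(0xA0, encode_oid(oid) + tlv(0xA0, value_tlv))


def user_san(upn):
    """GeneralNames holding the user's principal name as a UTF8String."""
    if upn.count("@") != 1 or upn.startswith("@") or upn.endswith("@"):
        raise ValueError(f"not a user principal name: {upn!r}")
    return tlv(0x30, other_name(UPN_OID, tlv(0x0C, upn.encode("utf-8"))))


def dc_san(object_guid, dns_name):
    """GeneralNames for a DC: GUID otherName (OCTET STRING) plus dNSName."""
    if len(object_guid) != 16:
        raise ValueError("object_guid must be the 16 raw GUID bytes")
    dns = dns_name.encode("ascii")  # dNSName is an IA5String; non-ASCII raises
    return tlv(0x30, other_name(DC_GUID_OID, tlv(0x04, object_guid)) + tlv(0x82, dns))


def openssl_der(value):
    """Format raw DER the way an OpenSSL extension file expects after 'DER:'."""
    return "DER:" + ":".join(f"{b:02X}" for b in value)


def extension_lines(san, template):
    """The two extension-file lines named in the thread."""
    return [
        "subjectAltName=" + openssl_der(san),
        TEMPLATE_OID + "=" + openssl_der(bmp_string(template)),
    ]


def user_extension_lines(upn, template="SmartcardUser"):
    return extension_lines(user_san(upn), template)


if __name__ == "__main__":
    # Constructed sample principals; in practice these would come from the directory.
    for upn in ("alice@example.test", "bob@example.test"):
        print(f"# {upn}")
        print("\n".join(user_extension_lines(upn)))
```

The output of `openssl asn1parse` on a certificate issued with these lines can be compared against one issued by the Microsoft CA to confirm the structures match before rolling this out.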
Re: [Openca-Users] RedHat Installation Issue
out of curiosity... what is the output of your "perl -V" ?

Christopher Harrington <[EMAIL PROTECTED]> wrote:
On Fri, 2003-10-10 at 10:43, Kevin Blanchard wrote:
> I have been doing some work with openca on RH9, my first recommendation is to download a version of apache from their site and recompile it before going any further. My exp. with RH is that many of the compiled binaries are incomplete. Try downloading it, recompile and then try it again, and let me know if you still get the same error, and make sure you install apache in a NEW directory, now the same :)

I removed the RH9 Apache install and compiled from source. I get the same error in the logs:

[Fri Oct 10 15:55:08 2003] [error] [client 127.0.0.1] Undefined subroutine &main::configError called at /usr/local/apache2/cgi-bin/ca/ca line 86., referer: http://localhost/ca/index.html

configError is not defined somewhere. My guess is it is defined in a package or module that I don't have or have the wrong version of.

Is there a way to find out where this file is defined?

--Chris
Re: [Openca-Users] RedHat Installation Issue
I have been doing some work with openca on RH9, my first recommendation is to download a version of apache from their site and recompile it before going any further. My exp. with RH is that many of the compiled binaries are incomplete. Try downloading it, recompile and then try it again, and let me know if you still get the same error, and make sure you install apache in a NEW directory, now the same :)

Kevin Blanchard
President / CEO
Nykon Systems
http://www.nykon-systems.net
"Making Linux a little less scary since 2001"
[Openca-Users] OpenCA-0.9.1, Windows XP, IE 6, svc pack 1
I looked in the archives and found something close but not my exact problem. When I go and try to request a certificate and click on the ‘auto-detect’ I go through the first step of putting in all the information. And then I get the confirmation page, and I get the ‘Default’ cryptographic device (I’ve selected 1024 as the key size). When I click on the ‘Continue’ button at the bottom of the page, I get nothing. I can’t find anything in the error logs either. Now, I’m able to request a certificate using Netscape and it works. But I’m really hoping to get it working with Internet Explorer as well. Any information or suggestions would be greatly appreciated!

Kevin
[Openca-Users] Web mail with certificates?
Ok...this might be a little off topic. But I'm hoping since everyone here is running certificate servers maybe someone knows. I'd like to get a web based e-mail system running, but it needs to be able to sign and encrypt e-mails and vice versa just like outlook and Netscape can do. Does anyone know if this is possible in a Web based e-mail system? I've found one or two that say they can do PGP, but that's about as far as I've gotten. Since I don't know how to program myself obviously it would need to be something that's pretty much already put together.

Thanks!

Kevin
[Openca-Users] Invalid expiry date
I'm getting closer!! I was finally able to reverse engineer the backup process and import all my old certs, along with my old cacert. And they all list now in the database. So I'm VERY happy. However it seems I keep running into stops, and this is my latest. I'm trying to sign a certificate, and at the very last step, where I'm trying to issue the certificate, I get this error

Using configuration from /usr/local/OpenCA/etc/openssl/openssl/User.conf
entry 2: invalid expiry date
unable to write 'random state'
General Error Trapped 6757: Error while storing the request's serial in cert-object at /usr/local/OpenCA/lib/functions/misc-utils.lib line 38.
Compilation failed in require at /usr/local/OpenCA/apache/cgi-bin/ca/ca line 194.

My cacert is valid until 2007 (I think I picked like 5 years or something). Is it possible that's getting picked up as being invalid? And so therefore it won't issue any other certs?

Thanks again for your help and patience.

Kevin
RE: [Openca-Users] Upgrading
Let me first just say thanks for the feedback! My problem was a little less complicated than that. I was using a much earlier version, like 0.2.0 I think. All I really needed was to import the old certs, not the old database or anything like that.

The fix was, to go to the Registration Authority server, then the Registration Authority Admin page. Next click on Input and Output. From there I clicked on Export All. I then found the tar file in /tmp/openca-outca.tar. I untarred it, went to the CERTIFICATE directory, then the VALID directory. I copied all of my valid certificates into there. Once that was done, went to the Import all screen. Once I did that, it then loaded up all my old certificates into the current database. Kinda kludgy, but I think it works.

Again, THANKS! Just thought I'd post my follow-up in case anyone else has the same kind of problem.

Kevin
[Openca-Users] Upgrading
I ran an old version of OpenCA and am now forced to upgrade. I downloaded the RC2 candidate, and after much puzzling and tweaking I've got the basics working. Now, what I REALLY need is to be able to import all my old certificates. I never backed them up to disk, so I don't have a tar file or anything. However I've got the old OpenCA directory with all the files. I already got the certificate keys over and all, and can sign new certificates with no problem. However I've tried copying over the old certificates, with no success. I've tried the openca-importcerts several times with no success. Since this version uses a database, I really need to get these imported since there seems to be no other alternative. Any assistance would be GREATLY appreciated

Thanks

Kevin
[Openca-Users] Approving a Requested Certificate
I am unable to approve certificates in IE, since the crypto signing functionality has not been built out. I may attempt to build that soon... But first, I am unable to approve in Netscape either. Nothing happens, and occasionally I can see a small box pop up and then disappear quickly. I have tried with Netscape 4.72 and 4.78.

Also, I am unable to import the CA cert from IE or Netscape. IE can SAVE the file as a .cer DER x.509, but it is unable to import it. Netscape pops up a box saying No Data, or something to that effect.

Anyone know how to solve either of these situations?

Much Regards,
Kevin Elliott
RE: [Openca-Users] Newer Versions
Robert,

Thanks for the clarification, that helped very much.

-Kevin Elliott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Robert Hannemann
Sent: Wednesday, August 01, 2001 9:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [Openca-Users] Newer Versions

Kevin Elliott wrote:
>

Good Morning,

you have to use the openssl-SNAP-20010307.tar.gz e.g. from ftp://ftp.dti.ad.jp/pub/net/OpenCA/tools/

please take a look at the openssl user mailing list, there is information about the used libraries.

Regards,
Robert

> In response to my own message, I did some more research, and looked in my web server's error log, and found:
>
> unknown option -subj
> req [options] outfile
> where options are
>  -inform arg    input format - DER or PEM
>  -outform arg   output format - DER or PEM
>  -in arg        input file
>  -out arg       output file
>  -text          text form of request
>  -noout         do not output REQ
>  -verify        verify signature on REQ
>  -modulus       RSA modulus
>  -nodes         don't encrypt the output key
>  -key file      use the private key contained in file
>  -keyform arg   key file format
>  -keyout arg    file to send the key to
>  -rand file:file:...
>                 load the file (or the files in the directory) into
>                 the random number generator
>  -newkey rsa:bits generate a new RSA key of 'bits' in size
>  -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
>  -[digest]      Digest to sign with (md5, sha1, md2, mdc2)
>  -config file   request template file.
>  -new           new request.
>  -x509          output a x509 structure instead of a cert. req.
>  -days          number of days a x509 generated by -x509 is valid for.
>  -newhdr        output "NEW" in the header lines
>  -asn1-kludge   Output the 'request' in a format that is wrong but some CA's
>                 have been reported as requiring
>  -extensions .. specify certificate extension section (override value in config file)
>  -reqexts ..    specify request extension section (override value in config file)
> Can't call method "getTXT" on an undefined value at cmds/genCAReq line 70, line 32.
> Compilation failed in require at /home/apache/cgi-bin/ca/ca line 160, line 32.
>
> This tells me that I'm probably using the wrong OpenSSL version since a flag does not exist for the current one installed. I have OpenSSL 0.9.6 24 Sep 2000 installed, but I updated it to a 2001Jul30 snapshot, and I still get the same error.
>
> -Kevin Elliott
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kevin Elliott
> Sent: Wednesday, August 01, 2001 4:57 PM
> To: Openca-Users
> Subject: [Openca-Users] Newer Versions
>
> Greetings,
>
> Just like to let everyone know that OpenCA 0.8.0 branch is working _MUCH_ better for me. Congrats! Much cleaner install using configure too. I'm having problems generating the CA request though. I have no problem using the interface to create the Key, which I confirmed is at /usr/local/OpenCA/private/cakey.pem. But, when I generate the CA request, I get a blank screen, and view source shows that the html was completed, just no content in the middle of the source. The file careq.pem is not created.
>
> Any ideas?
>
> Also, maybe it's time to put the PRE-0.8.0 stuff at the top of the distro pages so people don't get confused, like I did ;]
>
> -Kevin Elliott
RE: [Openca-Users] Newer Versions
In response to my own message, I did some more research, and looked in my web server's error log, and found:

unknown option -subj
req [options] outfile
where options are
 -inform arg    input format - DER or PEM
 -outform arg   output format - DER or PEM
 -in arg        input file
 -out arg       output file
 -text          text form of request
 -noout         do not output REQ
 -verify        verify signature on REQ
 -modulus       RSA modulus
 -nodes         don't encrypt the output key
 -key file      use the private key contained in file
 -keyform arg   key file format
 -keyout arg    file to send the key to
 -rand file:file:...
                load the file (or the files in the directory) into
                the random number generator
 -newkey rsa:bits generate a new RSA key of 'bits' in size
 -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
 -[digest]      Digest to sign with (md5, sha1, md2, mdc2)
 -config file   request template file.
 -new           new request.
 -x509          output a x509 structure instead of a cert. req.
 -days          number of days a x509 generated by -x509 is valid for.
 -newhdr        output "NEW" in the header lines
 -asn1-kludge   Output the 'request' in a format that is wrong but some CA's
                have been reported as requiring
 -extensions .. specify certificate extension section (override value in config file)
 -reqexts ..    specify request extension section (override value in config file)
Can't call method "getTXT" on an undefined value at cmds/genCAReq line 70, line 32.
Compilation failed in require at /home/apache/cgi-bin/ca/ca line 160, line 32.

This tells me that I'm probably using the wrong OpenSSL version since a flag does not exist for the current one installed. I have OpenSSL 0.9.6 24 Sep 2000 installed, but I updated it to a 2001Jul30 snapshot, and I still get the same error.

-Kevin Elliott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kevin Elliott
Sent: Wednesday, August 01, 2001 4:57 PM
To: Openca-Users
Subject: [Openca-Users] Newer Versions

Greetings,

Just like to let everyone know that OpenCA 0.8.0 branch is working _MUCH_ better for me. Congrats! Much cleaner install using configure too. I'm having problems generating the CA request though. I have no problem using the interface to create the Key, which I confirmed is at /usr/local/OpenCA/private/cakey.pem. But, when I generate the CA request, I get a blank screen, and view source shows that the html was completed, just no content in the middle of the source. The file careq.pem is not created.

Any ideas?

Also, maybe it's time to put the PRE-0.8.0 stuff at the top of the distro pages so people don't get confused, like I did ;]

-Kevin Elliott
[Openca-Users] Newer Versions
Greetings,

Just like to let everyone know that OpenCA 0.8.0 branch is working _MUCH_ better for me. Congrats! Much cleaner install using configure too. I'm having problems generating the CA request though. I have no problem using the interface to create the Key, which I confirmed is at /usr/local/OpenCA/private/cakey.pem. But, when I generate the CA request, I get a blank screen, and view source shows that the html was completed, just no content in the middle of the source. The file careq.pem is not created.

Any ideas?

Also, maybe it's time to put the PRE-0.8.0 stuff at the top of the distro pages so people don't get confused, like I did ;]

-Kevin Elliott
RE: [Openca-Users] No Net::LDAPapi necessary
I downloaded OpenCA-0.2.0-5.tar.gz 26 Jan 2001 0.2.0 patch 5 (Unstable - Release Info). Whatever versions come in that package, is the one I've been using. They are the "stable" distributions. I believe a new package should be released under the stable from pre 0.8.0 then, because it's clear those releases are much more stable than the existing ones which have had numerous problems.

Is there CVS access?

-Kevin Elliott

> Kevin Elliott wrote:
> >
> > Michael,
> >
> > Thanks for the clarification. Although, the cgi still requires Net::LDAPapi so I'm assuming you have sub/includes still?
>
> I can't find Net::LDAPapi on my machine (I search via find / -name "*LDAP*" -print). What do you mean with "the cgi"?

it looks like you two are speaking about very different openca versions, the very old 0.2.0 and the bleeding edge, resp.

when i grep in the versions i've got installed here, i get:

/usr/local/apache-1.3.20/cgi-bin/openca-0.2.0-5/ra/RAServer:#use Net::LDAPapi;
/usr/local/apache-1.3.20/cgi-bin/openca-0.2.0-5/ra/RAServer:if( ($ldap = new Net::LDAPapi($LDAP_Server,$LDAP_Port)) == -1) {
/usr/local/apache-1.3.20/cgi-bin/openca-0.2.0-5/ra/RAServer:if( ($ldap = new Net::LDAPapi($LDAP_Server,$LDAP_Port)) == -1) {
/usr/local/apache-1.3.20/cgi-bin/openca-0.2.0-5/ra/RAServer:if( ($ldap = new Net::LDAPapi($LDAP_Server,$LDAP_Port)) == -1) {
/usr/local/apache-1.3.20/cgi-bin/openca-0.8.0-20010610/ra/RAServer:use Net::LDAP;
/usr/local/apache-1.3.20/cgi-bin/openca-20010309/ra/RAServer:use Net::LDAP;
/usr/local/apache-1.3.20/cgi-bin/openca-20010326/ra/RAServer:use Net::LDAP;
/usr/local/apache-1.3.20/cgi-bin/openca-20010427/ra/RAServer:use Net::LDAP;

rj
RE: [Openca-Users] ie_enroll.scp
Robert,

Sorry for my confusion, but are you developing an IE interface to the CAPI with Javascript or VBScript in order to successfully generate a certificate request and install the cert using CryptoAPI in Windows?

Best Regards,
Kevin Elliott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Robert Hannemann
Sent: Tuesday, July 31, 2001 6:30 AM
To: [EMAIL PROTECTED]
Subject: [Openca-Users] ie_enroll.scp

Hello,

in the ie_enroll.scp there are the following lines

if( checkField( myForm.locality, "Organization" )) {
    szName += ", L=" + myForm.locality.value;

and

if( checkField( myForm.state, "Organization" )) {
    szName += ", S=" + myForm.organization.value;

is it o.k. to check against "Organization" and in the second part to append the organization value ?

Also i get an error (in the browser bottom-line ) when i confirm the ie-cert request with an IE - nothing happens when i press "continue" . How can i watch those errors ( any log files ) ?

Thanks for your help,
Robert
RE: [Openca-Users] Net::LDAPapi Module compile fails
I'm still not able to APPROVE certificates. It just redraws the screen with no edittable fields, and the same buttons. I'm guessing it is suppose to ask the browser to sign the request? Any ideas?

Thanks in advance...
Kevin Elliott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kevin Elliott
Sent: Monday, July 30, 2001 10:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [Openca-Users] Net::LDAPapi Module compile fails

To all regarding this issue, that perl problem was solved 20 minutes after I faced the problem by simply relinking /usr/local/bin/perl to a 5.003 version as I stated before. The "na" problem went away. There were still pointer dereferencing issues that showed up everywhere. It was finally solved by using OpenLDAP 1.2.2 instead of 2.0.1. I'm guessing there are some changes in 2.0.1 from 1.2.2, more specifically, things like void pointers in front of integer definitions, and the like, instead of raw integers.

So, I thankfully got that part working. Only thing now, is I can't get a certificate approved now. I click the approve, and then it shows me the same page with no fields, and just text for the cert details, and has the approve button. Very odd.

-Kevin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of root
Sent: Monday, July 30, 2001 3:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Openca-Users] Net::LDAPapi Module compile fails

Kevin Elliott wrote:
>
> Robert,
>
> Thanks for the assistance. Unfortunately, that post did not help and was slightly unrelated. In that post, a variable "na" was not defined. In my particular case, it's very different. I've tried 1.42 and 1.43 of Net::LDAPapi as well. Both with the same results. I have also tried using just Perl 5.003, and 5.6.
>
> Anyone else know what's wrong?
>
> -Kevin Elliott
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Robert Hannemann
> Sent: Friday, July 27, 2001 3:03 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Openca-Users] Net::LDAPapi Module compile fails
>
> Hi Kevin,
>
> i've found a mail in the openssl mailinglist - hope this will help ...
>
> http://www.openldap.org/cgi-bin/wilma_hiliter/openldap-software/28/msg00377.html
>
> Regards,
>
> Robert
>
> Kevin Elliott wrote:
> >
> > Greetings,
> >
> > I've been attempting to install the Net::LDAPapi perl module, but there are some conflicts and problems with the libs and includes for OpenLDAP 2.0.1. Any ideas? I'm including the compile log.
> >
> > Thanks,
> >
> > Kevin
> >
> > Net::LDAPapi Perl5 Module - by Clayton Donley <[EMAIL PROTECTED]>
> >
> > Enter How I Should Run Perl5 (ex. /usr/bin/perl, c:\perl\bin\perl),
> > (default: /usr/local/bin/perl)?
> >
> > Select your Development Kit:
> > 1. Netscape (default)
> > 2. University of Michigan
> > 3. ISODE (compiled with LDAP)
> > Choose: 2
> > Location of LDAP Include Files (default: /usr/include):
> > Location of LDAP Library Files (default: /usr/lib):
> > Using Kerberos for Authentication (default: n)?
> > Checking if your kit is complete...
> > Looks good
> > Writing Makefile for Net::LDAPapi
> > mkdir blib
> > mkdir blib/lib
> > mkdir blib/lib/Net
> > mkdir blib/arch
> > mkdir blib/arch/auto
> > mkdir blib/arch/auto/Net
> > mkdir blib/arch/auto/Net/LDAPapi
> > mkdir blib/lib/auto
> > mkdir blib/lib/auto/Net
> > mkdir blib/lib/auto/Net/LDAPapi
> > mkdir blib/man3
> > cp LDAPapi.pm blib/lib/Net/LDAPapi.pm
> > AutoSplitting blib/lib/Net/LDAPapi.pm (blib/lib/auto/Net/LDAPapi)
> > /usr/local/bin/perl constant.gen >constant.h
> > /usr/bin/perl -I/usr/local/lib/perl5/5.6.0/i686-linux -I/usr/local/lib/perl5/5.6.0 /usr/local/lib/perl5/5.6.0/ExtUtils/xsubpp -typemap /usr/local/lib/perl5/5.6.0/ExtUtils/typemap -typemap typemap LDAPapi.xs > LDAPapi.xsc && mv LDAPapi.xsc LDAPapi.c
> > cc -c -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -DVERSION=\"1.42\" -DXS_VERSION=\"1.42\" -fpic -I/usr/local/lib/perl5/5.6.0/i686-linux/CORE -Dbool=char -DHAS_BOOL LDAPapi.c
> > In file included from LDAPapi.xs:21:
> > ldap_compat.h:14: warning: `LDAP_OPT_DEREF' redefined
> > /usr/include/ldap.h:88: warning: this is the location of the previous definition
> > ldap_compat.h:15: warning: `LDAP_OPT_SIZELIMIT' redefined
> > /usr/include/ldap.h:89: warning: this is the location of
RE: [Openca-Users] No Net::LDAPapi necessary
The perl that gets executed from Apache is CGI. It sits in a cgi directory, and gets executed like a cgi would. Hence, it's a cgi. So, with that in mind, without Net::LDAPapi installed, you will not be able to execute these cgis. Perl will exit saying it can't find the module you are trying to include.

Puzzles me how you don't have a file with that name.

[root@web1 cgi-bin]# grep Net *
RAServer:use Net::LDAPapi;
RAServer:if( ($ldap = new Net::LDAPapi($LDAP_Server,$LDAP_Port)) == -1) {
RAServer:if( ($ldap = new Net::LDAPapi($LDAP_Server,$LDAP_Port)) == -1) {
RAServer:if( ($ldap = new Net::LDAPapi($LDAP_Server,$LDAP_Port)) == -1) {

-Kevin Elliott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Michael Bell
Sent: Tuesday, July 31, 2001 4:43 AM
To: [EMAIL PROTECTED]
Subject: Re: [Openca-Users] No Net::LDAPapi necessary

Kevin Elliott wrote:
>
> Michael,
>
> Thanks for the clarification. Although, the cgi still requires Net::LDAPapi so I'm assuming you have sub/includes still?

I can't find Net::LDAPapi on my machine (I search via find / -name "*LDAP*" -print). What do you mean with "the cgi"?

Cheers,
Michael

--
Michael Bell
Email: [EMAIL PROTECTED]
Rechenzentrum - Datacenter
Email (work): [EMAIL PROTECTED]
Humboldt-University of Berlin
Tel.(work): +49 (0)30-2093 2482
Unter den Linden 6
Fax.(work): +49 (0)30-2093 2959
10099 Berlin
Germany
[OpenCA Core Developer] http://openca.sourceforge.net
RE: [Openca-Users] No Net::LDAPapi necessary
Michael,

Thanks for the clarification. Although, the cgi still requires Net::LDAPapi so I'm assuming you have sub/includes still?

-Kevin Elliott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Michael Bell
Sent: Monday, July 30, 2001 5:31 AM
To: [EMAIL PROTECTED]
Subject: [Openca-Users] No Net::LDAPapi necessary

Hi,

I have to apologize to all people who asked for Net::LDAPapi for the completely wrong answers. There is a big difference between Net::LDAP and Net::LDAPapi. OpenCA uses Net::LDAP and NOT Net::LDAPapi. So please install Net::LDAP (>=v0.22) and all should work fine. (I realized my mistake only when I saw the version numbers of Net::LDAPapi.)

Sorry for wasting your time :-(

Cheers, Michael

--
Michael Bell                   Email: [EMAIL PROTECTED]
Rechenzentrum - Datacenter     Email (work): [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.(work): +49 (0)30-2093 2482
Unter den Linden 6             Fax.(work): +49 (0)30-2093 2959
10099 Berlin
Germany                        [OpenCA Core Developer]
http://openca.sourceforge.net
RE: [Openca-Users] Net::LDAPapi Module compile fails
To all regarding this issue, that perl problem was solved 20 minutes after I faced the problem by simply relinking /usr/local/bin/perl to a 5.003 version as I stated before. The "na" problem went away. There were still pointer dereferencing issues that showed up everywhere. It was finally solved by using OpenLDAP 1.2.2 instead of 2.0.1. I'm guessing there are some changes in 2.0.1 from 1.2.2, more specifically, things like void pointers in front of integer definitions, and the like, instead of raw integers.

So, I thankfully got that part working. Only thing now, is I can't get a certificate approved now. I click the approve, and then it shows me the same page with no fields, and just text for the cert details, and has the approve button. Very odd.

-Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of root
Sent: Monday, July 30, 2001 3:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Openca-Users] Net::LDAPapi Module compile fails

Kevin Elliott wrote:
>
> Robert,
>
> Thanks for the assistance. Unfortunately, that post did not help and was
> slightly unrelated. In that post, a variable "na" was not defined. In my
> particular case, it's very different. I've tried 1.42 and 1.43 of
> Net::LDAPapi as well. Both with the same results. I have also tried using
> just Perl 5.003, and 5.6.
>
> Anyone else know what's wrong?
>
> -Kevin Elliott
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Robert Hannemann
> Sent: Friday, July 27, 2001 3:03 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Openca-Users] Net::LDAPapi Module compile fails
>
> Hi Kevin,
>
> I've found a mail in the openssl mailing list - hope this will help ...
RE: [Openca-Users] Net::LDAPapi Module compile fails
Robert,

Thanks for the assistance. Unfortunately, that post did not help and was slightly unrelated. In that post, a variable "na" was not defined. In my particular case, it's very different. I've tried 1.42 and 1.43 of Net::LDAPapi as well. Both with the same results. I have also tried using just Perl 5.003, and 5.6.

Anyone else know what's wrong?

-Kevin Elliott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Robert Hannemann
Sent: Friday, July 27, 2001 3:03 AM
To: [EMAIL PROTECTED]
Subject: Re: [Openca-Users] Net::LDAPapi Module compile fails

Hi Kevin,

I've found a mail in the openssl mailing list - hope this will help ...

http://www.openldap.org/cgi-bin/wilma_hiliter/openldap-software/28/msg00377.html

Regards,

Robert

Kevin Elliott wrote:
>
> Greetings,
>
> I've been attempting to install the Net::LDAPapi perl module, but there are
> some conflicts and problems with the libs and includes for OpenLDAP 2.0.1.
> Any ideas? I'm including the compile log.
>
> Thanks,
>
> Kevin
>
> Net::LDAPapi Perl5 Module - by Clayton Donley <[EMAIL PROTECTED]>
>
> Enter How I Should Run Perl5 (ex. /usr/bin/perl, c:\perl\bin\perl),
> (default: /usr/local/bin/perl)?
>
> Select your Development Kit:
> 1. Netscape (default)
> 2. University of Michigan
> 3. ISODE (compiled with LDAP)
> Choose: 2
> Location of LDAP Include Files (default: /usr/include):
> Location of LDAP Library Files (default: /usr/lib):
> Using Kerberos for Authentication (default: n)?
> Checking if your kit is complete...
[Openca-Users] Net::LDAPapi Module compile fails
Greetings,

I've been attempting to install the Net::LDAPapi perl module, but there are some conflicts and problems with the libs and includes for OpenLDAP 2.0.1. Any ideas? I'm including the compile log.

Thanks,

Kevin

Net::LDAPapi Perl5 Module - by Clayton Donley <[EMAIL PROTECTED]>

Enter How I Should Run Perl5 (ex. /usr/bin/perl, c:\perl\bin\perl),
(default: /usr/local/bin/perl)?

Select your Development Kit:
1. Netscape (default)
2. University of Michigan
3. ISODE (compiled with LDAP)
Choose: 2
Location of LDAP Include Files (default: /usr/include):
Location of LDAP Library Files (default: /usr/lib):
Using Kerberos for Authentication (default: n)?
Checking if your kit is complete...
Looks good
Writing Makefile for Net::LDAPapi
mkdir blib
mkdir blib/lib
mkdir blib/lib/Net
mkdir blib/arch
mkdir blib/arch/auto
mkdir blib/arch/auto/Net
mkdir blib/arch/auto/Net/LDAPapi
mkdir blib/lib/auto
mkdir blib/lib/auto/Net
mkdir blib/lib/auto/Net/LDAPapi
mkdir blib/man3
cp LDAPapi.pm blib/lib/Net/LDAPapi.pm
AutoSplitting blib/lib/Net/LDAPapi.pm (blib/lib/auto/Net/LDAPapi)
/usr/local/bin/perl constant.gen >constant.h
/usr/bin/perl -I/usr/local/lib/perl5/5.6.0/i686-linux -I/usr/local/lib/perl5/5.6.0 /usr/local/lib/perl5/5.6.0/ExtUtils/xsubpp -typemap /usr/local/lib/perl5/5.6.0/ExtUtils/typemap -typemap typemap LDAPapi.xs > LDAPapi.xsc && mv LDAPapi.xsc LDAPapi.c
cc -c -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -DVERSION=\"1.42\" -DXS_VERSION=\"1.42\" -fpic -I/usr/local/lib/perl5/5.6.0/i686-linux/CORE -Dbool=char -DHAS_BOOL LDAPapi.c
In file included from LDAPapi.xs:21:
ldap_compat.h:14: warning: `LDAP_OPT_DEREF' redefined
/usr/include/ldap.h:88: warning: this is the location of the previous definition
ldap_compat.h:15: warning: `LDAP_OPT_SIZELIMIT' redefined
/usr/include/ldap.h:89: warning: this is the location of the previous definition
ldap_compat.h:16: warning: `LDAP_OPT_TIMELIMIT' redefined
/usr/include/ldap.h:90: warning: this is the location of the previous definition
ldap_compat.h:17: warning: `LDAP_OPT_REFERRALS' redefined
/usr/include/ldap.h:92: warning: this is the location of the previous definition
ldap_compat.h:19: warning: `LDAP_OPT_ON' redefined
/usr/include/ldap.h:151: warning: this is the location of the previous definition
ldap_compat.h:20: warning: `LDAP_OPT_OFF' redefined
/usr/include/ldap.h:152: warning: this is the location of the previous definition
LDAPapi.xs: In function `av2modvals':
LDAPapi.xs:95: `na' undeclared (first use in this function)
LDAPapi.xs:95: (Each undeclared identifier is reported only once
LDAPapi.xs:95: for each function it appears in.)
LDAPapi.xs: In function `parse1mod':
LDAPapi.xs:197: `na' undeclared (first use in this function)
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_set_option':
LDAPapi.xs:385: dereferencing pointer to incomplete type
LDAPapi.xs:386: dereferencing pointer to incomplete type
LDAPapi.xs:387: dereferencing pointer to incomplete type
LDAPapi.xs:389: dereferencing pointer to incomplete type
LDAPapi.xs:390: dereferencing pointer to incomplete type
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_get_option':
LDAPapi.xs:407: dereferencing pointer to incomplete type
LDAPapi.xs:408: dereferencing pointer to incomplete type
LDAPapi.xs:409: dereferencing pointer to incomplete type
LDAPapi.xs:410: dereferencing pointer to incomplete type
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_search':
LDAPapi.xs:578: `na' undeclared (first use in this function)
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_search_s':
LDAPapi.xs:614: `na' undeclared (first use in this function)
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_search_st':
LDAPapi.xs:660: `na' undeclared (first use in this function)
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_msgid':
LDAPapi.xs:747: dereferencing pointer to incomplete type
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_msgtype':
LDAPapi.xs:757: dereferencing pointer to incomplete type
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_get_lderrno':
LDAPapi.xs:769: dereferencing pointer to incomplete type
LDAPapi.xs:770: dereferencing pointer to incomplete type
LDAPapi.xs:771: dereferencing pointer to incomplete type
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_set_lderrno':
LDAPapi.xs:787: dereferencing pointer to incomplete type
LDAPapi.xs:788: dereferencing pointer to incomplete type
LDAPapi.xs:789: dereferencing pointer to incomplete type
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_set_rebind_proc':
LDAPapi.xs:1016: warning: passing arg 2 of `ldap_set_rebind_proc' from incompatible pointer type
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_url_parse':
LDAPapi.xs:1137: `sv_undef' undeclared (first use in this function)
make: *** [LDAPapi.o] Error 1
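The compile log above mixes two unrelated failures, which the follow-up in this thread reports fixing separately (a different perl for the `na` errors, OpenLDAP 1.2.2 for the incomplete-type errors). The script below is an added example, not part of the original posts: it groups the hard errors of such a gcc log by cause and by function. The function names and the cause labels `perl-api` and `ldap-headers` are made up here, and `LOG` is an excerpt of the log posted above.

```python
import re
from collections import defaultdict

# Excerpt of the compile log posted in this thread.
LOG = """\
LDAPapi.xs: In function `av2modvals':
LDAPapi.xs:95: `na' undeclared (first use in this function)
LDAPapi.xs:95: (Each undeclared identifier is reported only once
LDAPapi.xs:95: for each function it appears in.)
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_set_option':
LDAPapi.xs:385: dereferencing pointer to incomplete type
LDAPapi.xs:386: dereferencing pointer to incomplete type
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_set_rebind_proc':
LDAPapi.xs:1016: warning: passing arg 2 of `ldap_set_rebind_proc' from incompatible pointer type
LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_url_parse':
LDAPapi.xs:1137: `sv_undef' undeclared (first use in this function)
make: *** [LDAPapi.o] Error 1
"""

FUNC = re.compile(r"^\S+: In function `([^']+)':$")
DIAG = re.compile(r"^\S+?:(\d+): (.*)$")
UNDECLARED = re.compile(r"^`(\w+)' undeclared")
NOTES = ("(Each undeclared identifier", "for each function it appears in")

def classify(msg):
    """Cause bucket for one diagnostic; None for warnings and gcc notes."""
    if msg.startswith("warning:") or msg.startswith(NOTES):
        return None
    m = UNDECLARED.match(msg)
    # Unprefixed Perl globals that a 5.6 build no longer exposes to XS code.
    if m and m.group(1) in ("na", "sv_undef"):
        return "perl-api"
    # LDAPapi.xs reaches into the LDAP handle, which these headers keep opaque.
    if msg == "dereferencing pointer to incomplete type":
        return "ldap-headers"
    return "other"

def triage(log):
    """Return {cause: {function: [line numbers]}} for the errors in a gcc log."""
    out = defaultdict(lambda: defaultdict(list))
    func = None
    for line in log.splitlines():
        m = FUNC.match(line)
        if m:
            func = m.group(1)
            continue
        m = DIAG.match(line)
        cause = classify(m.group(2)) if m else None
        if cause:
            out[cause][func].append(int(m.group(1)))
    return {cause: dict(funcs) for cause, funcs in out.items()}

if __name__ == "__main__":
    for cause, funcs in triage(LOG).items():
        print(cause, funcs)
```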