[Openca-Users] Open CA configuration

Hi all,

I faced problems in configuring the CA. After configuring the CA and RA, I returned to /usr/local/openra/openca/etc and ran the script ./configure_etc.sh located under that directory in order to make the configuration files from the templates. However, I got this error:

    XML/Twig.pm did not return a true value at /usr/local/openra/modules/perl5/OpenCA/Tools.pm line 439.
    BEGIN failed--compilation aborted at /usr/local/openra/modules/perl5/OpenCA/Tools.pm line 439.
    Compilation failed in require at /usr/local/openra/bin/openca-configure line 7.
    BEGIN failed--compilation aborted at /usr/local/openra/bin/openca-configure line 7.

Can you help me please?

View this message in context: http://www.nabble.com/Open-CA-confoguration-tf3531173.html#a9854497
Sent from the openca-users mailing list archive at Nabble.com.

Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
[Openca-Users] openssl syntax for multi-valued RDNs is unknown from cisco router unstructuredName
    Error 700 (General Error. The compilation of the command cmdIssueCertificate failed.
    openssl syntax for multi-valued RDNs is unknown at /usr/lib/perl5/vendor_perl/5.8.7/X500/DN.pm line 104).

Hello,

when I want to create the certificate in the CA (Issue button), I get the error message above. I think the reason can be found in the request from the Cisco, which sends only this:

    serialNumber=206, unstructuredName=ipsec-cisco-2610..de+serialNumber=87CE1234
    Role=Web Server
    Modulus (key size) 512
    Public Key Algorithm rsaEncryption
    Public Key Modulus (512 bit): 00:b6:0a:f3:09:3f:49:39:5a:83:42:d0:...
    Exponent: 65537 (0x10001)
    Signature Algorithm md5WithRSAEncryption

Are there some people who know what I have to do when I receive the request from the Cisco? In the RA I can EDIT this data in the request before I export to the CA and then import into the CA. I found that the error message comes from the X500 module. I think the module does not know what the Cisco request sends to the openssl interface. But what must be changed? In the Cisco request I can only say with or without IP address and with or without serial number (crypto ca enroll XXX). In IOS 12.2(17) you cannot give a Subject (CN, OU, O, ...) or Email or so. I think in the RA form "Edit the request" I have to change and/or add some things? With this data, serialNumber=206, unstructuredName=ipsec-cisco-2610..de+serialNumber=87CE1234, I cannot ISSUE the certificate on the CA.

Another question: why does the Cisco router put 2 requests over SCEP into the RA interface?

Regards
Herbert
[Openca-Users] RE: Certificate for RA and SCEP Cisco Router CRYPTO 6 CERTFAIL
Now I have done exactly this (I hope you mean it this way):

    cd /usr/src/packages/openca-0.9.2.4/src/scep          (the sources)
    ./configure >scep-configure-hd.log 2>>scep-configure-hd.log
    make >scep-make-hd.log 2>>scep-make-hd.log
    make install >scep-make-install-hd.log 2>>scep-make-install-hd.log

I looked into the logs - no errors found. A new compiled file is found after this:

    /usr/local/bin/
    -rwxr-xr-x 1 root 130436 Dec 23 13:16 openca-scep

I don't know if the file was here before; it has an actual timestamp now.

On the Cisco router:

    cisco-2610(config)#no crypto ca identity xxx
    crypto ca identity xxx
    enrollment mode ra
    enrollment url http://ra.xxx.de:80/cgi-bin/scep/scep
    crypto ca enroll xxx

- the same errors. Until here also no request found in the RA. But I found out that the other files in /usr/local/bin (openca-x) exist in 4 places in the filesystem:

    # find . -name openca-dbcreate                                   (as one of them)
    ./usr/src/packages/openca-0.9.2.4/src/scripts/openca-dbcreate   (these are the sources)
    ./usr/local/bin/openca-dbcreate
    ./usr/local/openca/bin/openca-dbcreate                          (for CA installation)
    ./usr/local/openra/bin/openca-dbcreate                          (for RA installation)

So now I create a link:

    ln -s /usr/local/bin/openca-scep /usr/local/openra/bin

On the Cisco router:

    cisco-2610(config)#no crypto ca identity xxx
    crypto ca identity xxx
    enrollment mode ra
    enrollment url http://ra.xxx.de:80/cgi-bin/scep/scep
    crypto ca enroll xxx

Is it X-mas??? The Cisco now responds:

    Signing Certificate Reqeust Fingerprint: 12345678 12345678 12345678 12345678
    Encryption Certificate Request Fingerprint: 12345678 12345678 12345678 12345678
    CRYPTO_PKI: status = 102: certificate request pending
    There is an enrollment transaction in progress.
    No enrollment sessions are currently active.
    CRYPTO-6-CERTFAIL: Certificate enrollment failed.
    CRYPTO-6-CERT_FATAL_ERR: Certificate, private key or CRL was not found

PENDING!!! the Cisco says. So I look at the RA: Active CSRs, NEW, and I see my Cisco request. Happy X-mas for the Cisco, and up until here.

PLEASE, developers from openca: please check the configure / make / make install for scep. I agree with Pete, there must be some problems. I think this helps the next guys with Cisco routers: touch the file so that an empty CRL exists (see my list messages before), and take a look at why openca_scep (bin) is not in the right directory. So I hope I can now approve my request... and take this back to my Cisco.

Thanks Pete! With the new timestamp for openca_scep I found a workaround.

Regards
Herbert

> Have you done the ./configure/make/make install in the src/scep directory? I got a very similar error to this because the openca_scep binary does not get built correctly using the toplevel makefile. The CA and RA certs are served without a problem but processing a CSR fails, returning a zero-length response to the client if this binary is not built and installed. If you have not done this, it can't hurt to try it, it certainly fixed my problem with essentially identical symptoms to yours.
>
> -Pete
[Openca-Users] Bug or Feature or OK CA Certificate CN=WORD
Create new CA - After key generation - General - Initialization - Phase I - Generate new CA Certificate Request.

Field: Common Name. I filled in as an example (the second space was my error):

    ABC<SPACE>DEF<SPACE>

seen as "ABC DEF ". The generated subject then was:

    ...,CN=ABC DEF\ ,OU=...

If I import it over SCEP into a Cisco 2600 and do "show crypto ca certificates", it looks like this:

    Issuer:
      EA = [EMAIL PROTECTED]
      CN = ABC DEF
      OU = ...
      O = ...
      C = DE
    Subject:
      EA = [EMAIL PROTECTED]
      CN = ABC DEF
      OU = ...
      O = ...
      C = DE

Is my error - entering a SPACE as the last letter - handled correctly by the openca software, or would it be better to delete the last SPACE in the software?

Regards
Herbert
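The two threads above (the Cisco request whose subject carries a '+'-joined multi-valued RDN, and the CA subject whose CN ends in an escaped trailing space) are both about how an OpenSSL one-line subject is parsed and re-emitted. The following is an added example, not code from OpenCA or from the posters: a small parser for that format that honours backslash escapes and '+'-joined RDNs, a normalizer that splits multi-valued RDNs into single-valued ones (the change an RA operator would make by hand in "Edit the request"), and a check that reports attribute values with leading or trailing whitespace so a CN like "ABC DEF " is caught before the request is signed. The two sample subjects are constructed from the values quoted in the threads.

```python
"""Parser and normalizer for OpenSSL one-line subjects (added example)."""


def parse_dn(dn):
    """Parse a subject such as 'serialNumber=206, unstructuredName=host+serialNumber=87CE1234'
    into a list of RDNs; each RDN is a list of (type, value) pairs, so a '+'-joined
    multi-valued RDN yields a list with more than one pair. Backslash escapes are
    honoured, so 'CN=ABC DEF\\ ' keeps its trailing space."""
    rdns, rdn, attr_type, buf = [], [], None, []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and attr_type is None:      # end of the attribute type
            attr_type = "".join(buf).strip()
            buf = []
        elif ch in ",+":                         # end of an attribute value
            if attr_type is None:
                raise ValueError(f"attribute without '=' near offset {i}")
            rdn.append((attr_type, "".join(buf)))
            attr_type, buf = None, []
            if ch == ",":                        # ',' also closes the RDN
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(ch)
        i += 1
    if attr_type is None:
        raise ValueError("subject ends without an attribute value")
    rdn.append((attr_type, "".join(buf)))
    rdns.append(rdn)
    return rdns


def escape_value(value):
    """Escape a value for one-line output: special characters everywhere,
    a space only at either end, '#' only at the start."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+=\\<>;"' or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def format_dn(rdns):
    """Inverse of parse_dn: RDNs joined by ', ', values inside an RDN joined by '+'."""
    return ", ".join("+".join(f"{t}={escape_value(v)}" for t, v in rdn) for rdn in rdns)


def split_multivalued(rdns):
    """Turn every '+'-joined multi-valued RDN into separate single-valued RDNs."""
    return [[ava] for rdn in rdns for ava in rdn]


def whitespace_issues(rdns):
    """Values with leading or trailing whitespace; such a CN survives as 'CN=...\\ '."""
    return [(t, v) for rdn in rdns for t, v in rdn if v != v.strip()]


def strip_values(rdns):
    """Remove leading and trailing whitespace from every attribute value."""
    return [[(t, v.strip()) for t, v in rdn] for rdn in rdns]


# Constructed inputs built from the subjects quoted in the two threads.
CISCO_SUBJECT = "serialNumber=206, unstructuredName=ipsec-cisco-2610..de+serialNumber=87CE1234"
TRAILING_SPACE_SUBJECT = "C=DE, O=Example, CN=ABC DEF\\ "

if __name__ == "__main__":
    print(format_dn(split_multivalued(parse_dn(CISCO_SUBJECT))))
    print(whitespace_issues(parse_dn(TRAILING_SPACE_SUBJECT)))
    print(format_dn(strip_values(parse_dn(TRAILING_SPACE_SUBJECT))))
```

Splitting the multi-valued RDN is a normalization, not a no-op: the resulting subject names the same attributes but no longer asserts that unstructuredName and the second serialNumber belong to one RDN, so an operator should confirm that the issuing policy accepts that before approving the request.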
[Openca-Users] Error 700 General Error compilation cmdViewCSR failed
    Error 700 General Error. The compilation of the command cmdViewCSR failed.
    Can't use an undefined value as a HASH reference at /usr/local/openra/openca/lib/functions/crypto-utils.lib line 1185.

Hi,

I used this for the install: http://www.openca.info/docs/howto/OpenCA_092_on_debian_dartmouth.txt

Until Phase III no errors.
Init RA DB --- ok
User - Request a Certificate - Request a certificate with automatic browser detection --- ok

Now approve the request: http://ra.wherever.edu/ra, Active CSRs - New - Search, click on submit, name/serial number (colour link) (1 number, 288):

    Error 700 General Error. The compilation of the command cmdViewCSR failed.
    Can't use an undefined value as a HASH reference at /usr/local/openra/openca/lib/functions/crypto-utils.lib line 1185.

DB is mysql.

I deleted the following files:

    /usr/local/openca/openca/var/crypto/keys/cakey.pem
    /usr/local/openca/openca/var/crypto/reqs/careq.pem
    /usr/local/openca/openca/var/crypto/cacerts/cacert.pem, cacert.txt, cacert.der
    /usr/local/openca/openca/var/crypto/chain/cacert.crt, f9d30c56.0

I dropped the tables ca_certificate, certificate, crl, crr, request in both the openca and the openra database, checked with "show tables" that no table is left, and began all from the beginning: initialize CA database. The same error at the same point.

Regards
Herbert
[Openca-Users] forget password for ca private key testinstallation
Hello,

I have made a test installation of 0.9.2.4. I found some things I forgot in the configuration. Now I'm back from holidays and I have forgotten my password for the CA (!) PRIVATE KEY (General - Initialization - Generate new CA secret key). Because it is not a productive installation, I can begin anew from here. But I don't want to delete my work on config.xml and so on. What files must I delete so that I can begin anew from here? One file I think is /usr/local/openca/openca/var/crypto/keys/cakey.pem, and which files also?

Regards to the helper
Herbert
[Openca-Users] Re: [Openca-Users] OpenSSL.xs:201: warning: unused variable `str' `buf' `ci'
Hi,

from SUSE 9.3 I use:

    perl-Digest-SHA1 V 2.1.0   (used by others: OpenSwan/OpenVPN I think)
    perl-XML-Parser V 2.3.4    (with the OpenCA package perl-XML.. gives some errors)

I cannot find prebuilt packages with openca on the internet. If some people can help me to set it up, I can give back a docu based on http://openca.oliwel.de/docs/howto/OpenCA_092_on_debian_dartmouth.txt, first SUSE 9.3 and then SUSE 10.0, to put at http://openca.oliwel.de/docs/howto/OpenCA.SUSE 9.3 SUSE10.0. If all is working with Cisco IPSEC, I can give you back a Cisco configuration for http://openca.oliwel.de/docs/howto/OpenCA...cisco. I stay in Germany - Braunschweig. The German developers have my telephone number.

cheers
Herbert D r a h t

From: Martin Bartosch
Subject: Re: [Openca-Users] OpenSSL.xs:201: warning: unused variable

> Hi,
>
> > OpenSSL.c: In function `XS_OpenCA__OpenSSL__X509_fingerprint':
> > OpenSSL.xs:201: warning: unused variable `str'
> >
> > can you help me please ?
>
> these are only warnings and can be ignored safely. You should have a close look at all error codes, though. You seem to be having problems with building OpenCA, have you considered building and using SuSE packages? That way you don't have to compile it yourself but you could rely on the package building process.
>
> Question to the other developers: do you know if there are prebuilt OpenCA SuSE packages out there? I am in fact building SuSE packages regularly, but unfortunately I am limited to SuSE SLES 8 which is equivalent to SuSE 8.1 (GLIB 2.2) and hence are not suitable for anything after SuSE 8. I have no SuSE 9 system available, so I cannot build the packages here.
>
> cheers
> Martin
[Openca-Users] Cannot initialize OpenCA::DBI class! The database returns errorcode 10075 The database passphrase is missing error 11111
The password was in config.xml; ./configure_etc.sh ...

    linux:/usr/local/OpenCA/etc # ./openca_start
    locale: cannot read character map directory `/usr/share/i18n/charmaps': No such file or directory
    Configuration error: Cannot initialize OpenCA::DBI class! The database returns errorcode 10075.
    (The database passphrase is missing. There must be a database passphrase.
    (error 1: Do not commit if the database or the module itself fails.))

    linux:/usr/local/OpenCA/etc/database # more DBI.conf
    <openca>
      <database_config>
        <debug>0</debug>
        <type>mysql</type>
        <name>openca</name>
        <host>localhost</host>
        <port>3306</port>
        <user>openca</user>
        <passwd>openca</passwd>
        <namespace></namespace>
        ...

I found this in the list from Martin Bartosch (2005-02-24 05:50):

> > mysql -uopenca -p
>
> you are not connecting to the OpenCA DB. Try this:
>
>     $ mysql -u openca openca -p

I checked this and it works with the password (both).

    rpm -qa | grep DB
    perl-DBI-1.47-3
    perl-DBD-mysql-2.9004-3

    rpm -qa | grep mys
    mysql-client-4.1.10a-3
    mysql-4.1.10a-3.2
    mysql-administrator-1.0.19-3
    mysql-shared-4.1.10a-3
    perl-DBD-mysql-2.9004-3

    rpm -qa | grep perl
    perl-5.8.6-5
    perl-Parse-RecDescent-1.80-247
    perl-Config-Crontab-1.03-49
    yast2-perl-bindings-2.11.3-3
    perl-Data-ShowTable-3.3-572
    perl-XML-Parser-2.34-31
    perl-Bootloader-0.2-17
    perl-gettext-1.01-579
    perl-Digest-SHA1-2.10-3
    perl-X500-DN-0.28-120
    perl-DBI-1.47-3
    perl-DBD-mysql-2.9004-3

OpenSSL 0.9.7e 25 Oct 2004
OS is: SUSE 9.3
openca-0.9.2.4
openssl-devel is: 0.9.7e

I created the database as described here: http://openca.oliwel.de/docs/howto/OpenCA_092_on_debian_dartmouth.txt

create the DB:

    * mysql -uroot -p
      mysql> password
      create database openca;
      create database openra;
      grant all privileges on openca.* to [EMAIL PROTECTED] identified by 'openca';
      grant all privileges on openra.* to [EMAIL PROTECTED] identified by 'openra';

test the DB:

    * mysql -uopenca -p
      use openca
      show tables      (should return empty set, as DB is empty)
      exit;
    * mysql -uopenra -p
      use openra
      show tables      (should return empty set, as DB is empty)
      exit;

Works fine as described here ^^^

Hello, can you help me with other things that I have to check?

With friendly regards
Herbert
[Openca-Users] Upgrade from 0.9.1-10 to 0.9.2.1
Two questions:

1. What do I need to do to upgrade my CA from 0.9.1-10 to 0.9.2.1 as far as moving databases, certificates, and configuration files?

2. How do I set up RBAC such that only certificates with the role RA Operator or CA Operator can log into the RA, Data Exchange, and CA?

Regards
JB
[Openca-Users] SSL issue
I get the following when trying to log into my newly built openca server:

    Configuration Error. Cannot initialize Crypto Shell (/usr/local/ssl/bin/openssl)!.

However, when I execute the command /usr/local/ssl/bin/openssl from the command line I get:

    OpenSSL>

The CA is built with the following parameters:

    ./configure --prefix=/srv/ca \
      --with-web-host=localhost \
      --with-httpd-host=localhost \
      --with-httpd-user=wwwrun \
      --with-httpd-group=nobody \
      --with-ca-organization="My Org" \
      --with-ca-locality="New Jersey" \
      --with-ca-country=US \
      [EMAIL PROTECTED] \
      --with-openssl-prefix=/usr/local/ssl \
      --with-sendmail="/usr/sbin/sendmail -t" \
      --with-hierarchy-level=ca \
      --enable-dbi \
      --with-db-type=mysql \
      --with-db-name=openca \
      --with-db-host=localhost \
      --with-db-port=3306 \
      --with-db-user=openca \
      --with-db-passwd=secret

The server is running SuSE Linux 9.1 Professional, and the OpenCA version is openca-0.9.1-10.

Please HELP
JB
Re: [Openca-Users] Problems with database
On Fri, 9 Jul 2004, Johnny Gonzalez wrote:

> this configure command:
>
> ./configure --with-openca-user=openca --with-openca-group=openca --with-htdocs-fs-prefix=/var/www/html --with-openssl-prefix=/usr --with-web-host=localhost --with-cgi-fs-prefix=/var/www/cgi-bin --with-httpd-user=48 --with-httpd-group=48 --with-hierarchy-level=ra --with-ca-organization=Ubiquando --with-ca-country=co [EMAIL PROTECTED] --enable-send-mail-automatic --disable-db --enable-dbi --with-db-type=Pg --with-db-name=openca
> --with-db-port=localhost
                 ^^^

*** is this really what you want? :)

> --with-db-port=5432 --with-db-user=openca --with-db-passwd=ubiquando

Bye
Robert Wolf.
Re: [Openca-Users] OpenCA cookbook
On Thu, 24 Jun 2004, Kevin Mitcham wrote:

> I've been working on getting some documents and files together to make an easy installation of OpenCA. Here is what I've got so far. I realize it isn't setting things up in the most secure fashion, but I'm hoping to help folks get past the initial steps before getting more complicated. I'd appreciate any comments or pointers about what might be wrong or unclear in this document.

*** Hi,

it looks like an installation of all nodes on one machine in one web server. I think it would be better to make installation steps for installing some nodes on separate machines (or at least separate virtual hosts to emulate different machines).

I tried to put all nodes (CA, RA, pub and LDAP) in different locations (/data/openca-ca, /data/openca-ra etc.) and use different hostnames and virtual hosts in apache. In 0.9.1-8 this is a little problem, because sometimes there are absolute links on the same machine for a different node (e.g. on a node in navbar.html there are links to /ca/, /ra/, /pub/, /ldap/ without hostname, but if CA, RA and PUB are on different machines, this doesn't work) and sometimes full URLs (in confirm_cert_sign.msg.in a link to https://@httpd_host@@httpd_port@). The only web server hostname I can enter is in the --with-web-host= configure switch, but is it the web host of the CA, RA or PUB node? Maybe there should be more switches, one for each possible node (CA, RA, PUB, LDAP), and in the source HTML and TXT sheets there should be full URL links. I hope I understood every switch correctly.

I made some mod_rewrite rules in the apache virtual hosts to run it correctly (https://openca-ra/ca/ -> https://openca-ca/ca/ etc.) and it looks fine, only many clicks about receiving certificates from apache. I have tested openca-0.9.2 for a while - is there any chance to solve this inside the installation process, or do I have to do the same URL rewriting?

Bye.
Robert Wolf.
Re: [Openca-Users] cakey on floppy
On Wed, 23 Jun 2004 [EMAIL PROTECTED] wrote:

> when I copy my key file on a floppy and link the file cakey.pem to the floppy file, then the CA frontend tells me that I entered the wrong password. I'm sure that's the right password. So it must be that openssl doesn't accept the link. The floppy fs is vfat. Is that the problem? How can I solve that? I must have the key file on a floppy.

*** Can you copy here the error log of apache? Maybe there is something interesting. Have you opened the cakey file on Windows? Check the mount, and then try to open the link to the cakey file with some other program (less), or try to run

    openssl rsa -in /link/to/cakey/file/on/floppy -text -noout

If there is any output (prime{1,2}, exponent{1,2}...), openssl has no problem with symlinks. Check the permissions of the mounted floppy (the apache user needs to have access to this file; probably use

    mount -o uid=apache,umask=077 /dev/fd0 /mnt/floppy

). I hope something will help you.

Bye.
Robert Wolf.
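Both the "Cannot initialize Crypto Shell (/usr/local/ssl/bin/openssl)" thread above and this floppy thread come down to the same question: can the identity the web server runs as actually read and execute the files OpenCA hands to openssl? The following is an added example, not code from OpenCA or from the posters: it evaluates the POSIX permission bits of the openssl binary and of cakey.pem for a given uid/gid (so you can ask the question on behalf of the httpd user without becoming it), follows symlinks the way exec() and open() would, and additionally flags a key file that is readable or writable by anyone other than its owner. The uid 65534 and the placeholder key and "openssl" script created by constructed_layout are constructed for the demonstration; on a real system you would pass the httpd user's ids (the --with-httpd-user/--with-httpd-group values from configure) and the real paths.

```python
"""Check that the httpd identity can use OpenCA's crypto shell and CA key (added example)."""
import os
import stat
import tempfile


def _has_bits(st, uid, gid, groups, want):
    """POSIX rwx evaluation of `want` (a 3-bit rwx mask) for the identity uid/gid/groups."""
    if uid == 0:
        # root ignores the read/write bits; execute still needs at least one x bit
        return not (want & 0o1) or bool(st.st_mode & 0o111)
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 0o7
    elif st.st_gid == gid or st.st_gid in groups:
        bits = (st.st_mode >> 3) & 0o7
    else:
        bits = st.st_mode & 0o7
    return bits & want == want


def check_openssl_binary(path, uid, gid, groups=()):
    """Findings for the openssl binary configured as OpenCA's crypto shell."""
    findings = []
    try:
        st = os.stat(path)          # follows symlinks, as exec() would
    except OSError as exc:
        return [f"cannot stat: {exc.strerror}"]
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if not _has_bits(st, uid, gid, groups, 0o5):
        findings.append("not readable and executable by the httpd user")
    return findings


def check_private_key(path, uid, gid, groups=()):
    """Findings for cakey.pem (or a symlink to it, e.g. on a floppy mount)."""
    findings = []
    try:
        st = os.stat(path)          # follows the symlink to the file on the floppy
    except OSError as exc:
        return [f"cannot stat: {exc.strerror}"]
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if not _has_bits(st, uid, gid, groups, 0o4):
        findings.append("not readable by the httpd user")
    if st.st_mode & 0o004:
        findings.append("world-readable")
    if st.st_mode & 0o022:
        findings.append("writable by group or others")
    try:
        with open(path, "rb") as fh:
            if not fh.read(64).startswith(b"-----BEGIN"):
                findings.append("does not start with a PEM header")
    except OSError:
        pass                        # already reported above when unreadable
    return findings


def constructed_layout(key_mode, bin_mode):
    """Throwaway directory with a placeholder key and a placeholder 'openssl'
    script at the given modes (constructed for demonstration and testing only)."""
    work = tempfile.mkdtemp(prefix="openca-check-")
    key = os.path.join(work, "cakey.pem")
    binary = os.path.join(work, "openssl")
    with open(key, "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\n"
                 b"constructed placeholder, not a real key\n"
                 b"-----END RSA PRIVATE KEY-----\n")
    with open(binary, "wb") as fh:
        fh.write(b"#!/bin/sh\necho OpenSSL placeholder\n")
    os.chmod(key, key_mode)
    os.chmod(binary, bin_mode)
    return key, binary


if __name__ == "__main__":
    HTTPD_UID = HTTPD_GID = 65534   # constructed; use the real httpd ids on a live system
    for key_mode, bin_mode in ((0o644, 0o755), (0o600, 0o700), (0o700, 0o755)):
        key, binary = constructed_layout(key_mode, bin_mode)
        print(f"key {key_mode:o}: {check_private_key(key, HTTPD_UID, HTTPD_GID)}")
        print(f"openssl {bin_mode:o}: {check_openssl_binary(binary, HTTPD_UID, HTTPD_GID)}")
```

A vfat floppy has no per-file ownership, so the uid= and umask= mount options quoted above are what decide the st_uid and mode bits this check sees; umask=077 with uid=apache yields exactly the "readable by the httpd user, not by anyone else" outcome the check accepts.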
Re: [Openca-Users] rbac ca_node ra_node CONT.
> I have the following error in error-canode-log:
>
>     error to load configuration /usr/local/openca 0.9.1.1/openca/lib/servers/ca_node/functions/misc-utils.lib line 22
>
> The image in the apache is:
>
>     Error 690 Error de Configuración. Error al cargar la configuración (/usr/local/openca.0.9.1.1/openca/etc/rbac/scripts/bm9kZUVucm9sbEFsbA==.conf ).
>
> doing dataexchange enroll to lower level all, and the script named in the error 690 (bm9kZUVucm9sbEFsbA==.conf) does not exist in that directory

*** I solve this and similar problems the following way: bm9kZUVucm9sbEFsbA== is "nodeEnrollAll" (base64 decode, as written in the guide). This means that you need to create this configuration for this action.

1) CA web UI / Configuration / Operations / Add new operation
   Operation name: node enroll all
   Add operation

2) CA web UI / Configuration / Scripts / Add new script
   Script: nodeEnrollAll
   Operation: node enroll all
   Method to get the Owner: access to any role needed
   Name of the argument for the Method to get the Owner:
   Create new script

3) CA web UI / Configuration / Rights / Add new right
   Module: (choose the one you need)
   Operation: node enroll all
   Operator: (choose the role you need)
   Owner: (choose the role you need)

I hope this will help.

Bye
Wolf.
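The reply above decodes the file name in the Error 690 message by hand. As an added example (not OpenCA code and not from the poster), the following does the same mapping both ways and turns it into a small audit: it pulls the base64 stem out of an "Error 690 ... rbac/scripts/<name>.conf" message, decodes it strictly so that an unrelated file name is not mistaken for a script, and compares the .conf files present in etc/rbac/scripts against the list of scripts a deployment expects to be configured. The ERROR_690 text is taken from the thread; the directory listing and the script names other than nodeEnrollAll are constructed placeholders, not names from OpenCA.

```python
"""Map OpenCA RBAC script names to their base64-named .conf files (added example)."""
import base64
import binascii
import re

# The Error 690 message names the missing file; capture the base64 stem before ".conf".
ERROR_RE = re.compile(r"rbac/scripts/([A-Za-z0-9+/=]+)\.conf")


def script_to_filename(script):
    """'nodeEnrollAll' -> 'bm9kZUVucm9sbEFsbA==.conf'"""
    return base64.b64encode(script.encode("ascii")).decode("ascii") + ".conf"


def filename_to_script(filename):
    """Inverse of script_to_filename; None when the name is not a valid, strictly
    padded base64 encoding of a printable ASCII script name."""
    stem = filename[:-5] if filename.endswith(".conf") else filename
    try:
        raw = base64.b64decode(stem, validate=True)
        script = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return script if script and script.isprintable() else None


def missing_script_from_error(message):
    """The script name an 'Error 690 ... rbac/scripts/<b64>.conf' message refers to."""
    m = ERROR_RE.search(message)
    return filename_to_script(m.group(1)) if m else None


def audit_scripts(required_scripts, present_filenames):
    """Scripts a deployment needs that have no .conf in etc/rbac/scripts."""
    present = {filename_to_script(f) for f in present_filenames} - {None}
    return sorted(set(required_scripts) - present)


# Constructed data: the error text from the thread, plus a hypothetical directory listing
# and a hypothetical list of required scripts (only nodeEnrollAll comes from the thread).
ERROR_690 = ("Error 690 Configuration Error. Error loading the configuration "
             "(/usr/local/openca.0.9.1.1/openca/etc/rbac/scripts/bm9kZUVucm9sbEFsbA==.conf ).")
LISTING = ["bm9kZUVucm9sbEFsbA==.conf", "README", "Y2FDb25maWc=.conf"]
REQUIRED = ["nodeEnrollAll", "caConfig", "nodeSendMail"]

if __name__ == "__main__":
    print("missing per error message:", missing_script_from_error(ERROR_690))
    print("decoded listing:", [filename_to_script(f) for f in LISTING])
    print("not configured:", audit_scripts(REQUIRED, LISTING))
    print("file to create:", script_to_filename("nodeEnrollAll"))
```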
Re: [Openca-Users] Im still having a server error problem :-(
On Fri, 18 Jun 2004, Johnny Gonzalez wrote:

> [Fri Jun 18 08:11:22 2004] [error] [client 127.0.0.1] Can't locate DB_File.pm in @INC (@INC contains:
>
> to look for all packages for perl, and the output is this one:
>
> perl-HTML-Parser-3.26-17 perl-XML-Parser-2.31-15 perl-libxml-enno-1.02-29 perl-DBD-MySQL-2.1021-3 perl-Filter-1.29-3 perl-HTML-Tagset-3.03-28 perl-Parse-Yapp-1.05-30 perl-libwww-perl-5.65-6 perl-libxml-perl-0.07-28 perl-XML-Encoding-1.01-23 perl-XML-Grove-0.46alpha-25 perl-5.8.0-88 perl-CPAN-1.61-88 perl-DBI-1.32-5 perl-Parse-RecDescent-1.80-12 perl-DateManip-5.40-30 perl-URI-1.21-7 perl-XML-Dumper-0.4-25 perl-XML-Twig-3.09-3 perl-CGI-2.81-88

*** You do not have the DB_File perl library installed, and you have selected in openca to use DB_File storage. Probably you should install DB_File from CPAN. Run the command

    perl -MDB_File -e 'print "${DB_File::VERSION}\n";'

If there is any output (on my system it outputs 1.808), you have DB_File installed and the problem is somewhere else. If there is nothing, install the DB_File module. Probably perl-DB_File-X.X-X on RedHat.

Bye.
Wolf.
Re: [Openca-Users] Im still having a server error problem :-(
On Fri, 18 Jun 2004, Johnny Gonzalez wrote:

> I have installed the package perl-DB_File-1.804-88

*** OK

> and now this error appears:
>
>     Error 690 Configuration Error. Cannot initialize OpenCA::DB class! (/usr/local/OpenCA/var/db)
>     Errorcode: 2111041
>     Errormessage: OpenCA::DB->new: Cannot initialize database (2121021)
>     OpenCA::DB->initDB: Cannot open database with datatype VALID_CA_CERTIFICATE, filename and accessmode (2141021)
>     OpenCA::DB->dbOpen: Cannot initialize DBMS...
>     1998-2002 by Massimiliano Pala and the OpenCA Group. CA Manager - Version 0.9.1
>
> What's wrong now?

*** Hmmm, looks like you haven't initialized the DB. On the NODE web, in Administration, use Server Init and then Initialize Database. I think this should help if the problem is that you have not initialized the DB.

> I'm not going to use any dbms, I'm going to use dbm files, so what should I do?? Maybe installing OpenCA after the installation of the package perl-DB_File-1.804-88??

*** I think the installation order doesn't matter. Maybe check some README or INSTALL file to see if version 1.804 is OK.

Wolf.
Re: [Openca-Users] Error 6774
On Thu, 17 Jun 2004 [EMAIL PROTECTED] wrote:

> > But I don't know what patches are in deb 0.9.7d-3.
>
> I checked the CHANGELOG of debian's openssl 0.9.7d. The PKCS#7 patches are not included. So openca-sv compiled with OpenSSL 0.9.7d will not work.

*** OK, it means the only solution is to use the older 0.9.7c or the newer 0.9.7e-dev version of openssl. Am I right?

Robert Wolf.
Re: [Openca-Users] Error 6774
On Thu, 17 Jun 2004, Oliver Welter wrote:

> Hi Jason,
>
> please upgrade to the RC5 - much of these problems have been solved
>
> Oliver
>
> Jason A. Pattie wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > General Error. Cannot encrypt PIN-mail! Aborting! OpenCA::OpenSSL returns errorcode 8012006 (OpenCA::OpenSSL::SMIME->encrypt: unknown problem encrypting: $res)..
> > - difference). My current version of OpenSSL == 0.9.7d-3 (from Debian

*** I'm not sure if the update of openca will solve this problem. I think this is the same error as I've found, and my solution is to use a different version of openssl. In OpenSSL 0.9.7d there is a bug in S/MIME. OpenSSL 0.9.7c and the development 0.9.7e-dev do not have this error, so you can use these versions. I have installed the dev version in a special directory, not shared, and then told openca to use this openssl. I use openca-0.9.1.8, but the same solution can be used for 0.9.2 (I hope). But I don't know what patches are in deb 0.9.7d-3.

Bye.
Robert Wolf.
RE: [Openca-Users] Request id
On Mon, 14 Jun 2004, Til Obes wrote:

> I'm using 0.9.2 and I can't find that in the manual for that version. But thx anyway ;)
>
> Regards
> til

*** Section 4.1.5 module configuration (I found the first paragraph about it, maybe you find more) :) I read the openca 0.9.2 guide in PS format, but I think the PDF version is the same.

Robert Wolf.
Re: [Openca-Users] Some questions
On Mon, 14 Jun 2004, Til Obes wrote:

> 1. I have some errors with the mailcounter. How is it organized? For example: the mailcounter was 2, but I have now my 8th cert. Node mgmt wanted to send mail 2, and now the counter is 3. Should that depend on the real cert serial? Can this maybe depend on disabling sendmail_automatic? I had it disabled for some time. Now it's activated again.

*** I think (from my tests) the mailcounter contains the ID of the next mail which should be sent. When you have sent no emails, there will be 1 (mail number 1 should be sent). After you send 5 mails (1,2,3,4,5), there will be number 6, meaning that mail number 6 should be sent. You can have 10 certificates but only 5 emails sent. But you should send all emails, because there is the CRIN (PID for certificate revocation) for the certificate. Probably the mail number should be the same as the certificate serial number, but I'm not sure about this (the email can be sent in other situations, I don't know this).

> 2. I had a signature error on the CA interface when viewing a signed request. What is necessary so that there isn't an error?

*** more details? I don't know what you mean, maybe someone else will know.

Robert Wolf.
RE: [Openca-Users] Some questions
On Mon, 14 Jun 2004, Til Obes wrote:

> The problem is that the node interface wanted to send the mail number 2, but the mail 8.msg was imported from the CA. This is a bug, I think.

*** Hmmm, I'm not sure about this. I think when you create a certificate, openca creates an email for the user. So you can create 5 certificates, and openca creates 5 emails (1,2,3,4,5). The mailcounter is 1 (to send email number 1). When you exchange this data to the lower hierarchy, it should be the same as on the CA. So for example, on the RA the mailcounter is 1 and there are 5 emails (1,2,3,4,5). The other day you create another certificate (number 6) and openca creates a new email (6). When you exchange data, you will see that email number 6 was imported (or downloaded, or however it is called :)). So you got mail number 6 in the RA, but you still haven't sent emails number 1,2,3,4,5, so now you should send email number 1.

In openca 0.9.1-8 there are two versions of Send email. The first one sends all unsent emails (the emails with a number equal to or greater than the value from the mail counter). The second version reads the number of the email you want to send/resend. I hope I understood this functionality correctly.

Bye.
Robert Wolf.
Re: [Openca-Users] Rbac openca 0.9.8.1 error 2
On Wed, 9 Jun 2004, Pedro Jossi wrote:

When I try to connect the user I obtain error 690, does not have permission. Is someone able to help me?

*** Can you COPY your error message? If you get a different error message than the one described below, please copy it from the web browser.

If you get "Error 690 Configuration Error. Permission Denied.", this means that OpenCA cannot read the certificate data and cannot verify the user. Probably because you have not enabled the option in Apache. Add the +ExportCertData and +StrictRequire parameters to SSLOptions in your RA interface Apache config. For example, I have

SSLOptions +StdEnvVars +ExportCertData +StrictRequire

in my virtual host definition for the RA web interface. Is it working now?

Robert Wolf.

--- This SF.Net email is sponsored by: GNOME Foundation Hackers Unite! GUADEC: The world's #1 Open Source Desktop Event. GNOME Users and Developers European Conference, 28-30th June in Norway http://2004/guadec.org
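The fix in this reply, as an added example that is not code from the thread or from OpenCA: mod_ssl only copies the peer certificate into the SSL_CLIENT_CERT CGI variable when SSLOptions carries +ExportCertData, and that variable is where OpenCA's RBAC picks up the operator's certificate, so SSLVerifyClient require alone gets the certificate checked by Apache but leaves the RA with nothing to look up, hence Error 690. +StrictRequire makes a failed SSLRequire/SSLVerifyClient a hard deny even where a "Satisfy any" access rule would otherwise let the request through. The two vhost fragments below are constructed (host names, addresses and paths are hypothetical), and check_ra_vhost is a small audit helper that assumes one vhost per file.

```shell
#!/bin/sh
# Added example, not OpenCA code: audit an Apache/mod_ssl vhost for the settings
# OpenCA's RA interface needs for certificate-based RBAC (see the reply above).

# Weak vhost (constructed): client certs are demanded but never exported to the
# CGI environment, so the RA never sees SSL_CLIENT_CERT and answers Error 690.
RA_VHOST_WEAK='
<VirtualHost 10.10.240.1:443>
    ServerName ra.example.test
    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLOptions +StdEnvVars
    ScriptAlias /cgi-bin/ra /var/www/cgi-bin/ra
</VirtualHost>
'

# Corrected vhost (constructed): the SSLOptions line recommended in the thread.
RA_VHOST_OK='
<VirtualHost 10.10.240.1:443>
    ServerName ra.example.test
    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLOptions +StdEnvVars +ExportCertData +StrictRequire
    ScriptAlias /cgi-bin/ra /var/www/cgi-bin/ra
</VirtualHost>
'

# check_ra_vhost <config-text>: print each missing directive; return 0 only if
# client-cert verification is required AND the cert is exported strictly.
check_ra_vhost() {
    cfg=$1
    rc=0
    # Drop comment lines so a commented-out directive does not count as present.
    active=$(printf '%s\n' "$cfg" | grep -v '^[[:space:]]*#')
    printf '%s\n' "$active" | grep -Eq '^[[:space:]]*SSLVerifyClient[[:space:]]+require' \
        || { echo "missing: SSLVerifyClient require"; rc=1; }
    for opt in +ExportCertData +StrictRequire; do
        printf '%s\n' "$active" | grep -E '^[[:space:]]*SSLOptions' | grep -Fq -- "$opt" \
            || { echo "missing: SSLOptions $opt"; rc=1; }
    done
    return $rc
}

# Usage: audit a real file with  check_ra_vhost "$(cat /etc/httpd/conf.d/ra.conf)"
if [ $# -eq 1 ] && [ -r "$1" ]; then
    check_ra_vhost "$(cat "$1")" && echo "ok: $1"
fi
```

Run against the weak fragment the helper reports both missing SSLOptions flags; against the corrected one it is silent and returns 0. After fixing the config, a CGI that dumps its environment should show SSL_CLIENT_VERIFY=SUCCESS and a PEM blob in SSL_CLIENT_CERT for an operator's browser certificate.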
Re: [Openca-Users] RBAC OPENCA 0.9.8.1 error
On Tue, 8 Jun 2004, Pedro Jossi wrote:

Hello to all! I configured RBAC following these steps:
1. initialize the CA
2. create the CA operator
3. create the RA operator
4. export the configuration of the CA
5. import the configuration in the RA
6. in Apache, configure SSLVerifyClient
7. activate the RBAC mechanism in ra.conf and ra_node.conf

I have the following error in the file ra_error.log:

[Tue Jun 8 10:20:00 2004] [error] access to /var/www/html/ra/index.html failed for 10.10.X.X, reason: SSL requirement expression not fulfilled (see SSL logfile for more details) Can't locate rbac-utils.lib in @INC (@INC contains: /usr/local/openca.0.9.1.1/modules/perl5/i386-linux /usr/local/openca.0.9.1.1/modules/perl5 /usr/lib/perl5/5.6.1/i386-linux /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i386-linux /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.6.1/i386-linux /usr/lib/perl5/vendor_perl/5.6.1 /usr/lib/perl5/vendor_perl .) at /usr/local/openca.0.9.1.1/openca/lib/servers/ra/functions/initRBAC line 4. Compilation failed in require at /var/www/cgi-bin/ra/RAServer line 203. [Tue Jun 8 10:20:22 2004] [error] [client 10.10.240.35] Premature end of script headers: /var/www/cgi-bin/ra/RAServer

In the file error_SSL.log nothing is logged. Is someone able to help me? Thanks! PJ

*** Hi, I've also found this error. The problem is the forgotten path to rbac-utils in initRBAC. Use this patch to correct it:

== diff -r -u openca-0.9.1.8/src/common/lib/functions/initRBAC openca-0.9.1.8.update/src/common/lib/functions/initRBAC --- openca-0.9.1.8/src/common/lib/functions/initRBACTue Aug 13 11:04:51 2002 +++ openca-0.9.1.8.update/src/common/lib/functions/initRBAC Thu May 13 11:34:02 2004 @@ -1,7 +1,7 @@ ## Uses the OpenCA::RBAC module ## load rbac-utils.lib -require rbac-utils.lib; +require $common_libs/rbac-utils.lib; 1; ==

Simply add the $common_libs path to rbac-utils.lib in the initRBAC file.

Bye, Robert Wolf.
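Review bot: the added line `+require $common_libs/rbac-utils.lib;` passes the path to `require` as an unquoted expression; Perl needs a string here, so it should read `require "$common_libs/rbac-utils.lib";` (unless the quotes were only lost in the mail formatting), otherwise `$common_libs/rbac-utils.lib` is parsed as arithmetic on barewords rather than as a filename. The hunk also relies on `$common_libs` already being set in the scope that loads initRBAC (RAServer line 203 in the log above); if it is empty the statement silently looks for `/rbac-utils.lib` at the filesystem root and you are back to a confusing "Can't locate" error, so a `die "common_libs not set" unless $common_libs;` guard before the `require` would make the failure mode explicit.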
[Openca-Users] A few questions on openca-0.9.1.8
Hi, I have a few questions on using OpenCA version 0.9.1.8. Can anyone answer them (not all at once)?

- Is it possible to enter a different expiration date for different certificates?
- Is it possible to revoke a certificate from the RA interface, and to have the possibility to revoke a certificate from the PUB interface?
- Is there a functionality to renew a certificate?

And I would like to understand how a user can get his certificate and private key if he generates them on the PUB OpenCA interface. For example, I want to create a key pair and certificate for a web server. I create the keys and CSR on PUB, then this request is approved on the RA and the certificate is issued on the CA. Then I can get the certificate for the web server on the web using the PUB interface and /cgi/pki?cmd=getcert&key=10&type=CERTIFICATE. But this will send me only the certificate without the private key. I can get the private key (in encrypted form) from the CA and RA interfaces, but can I get the private key from PUB too (or is it denied for security reasons)?

Thank you for any answer :)

Robert Wolf.
Re: [Openca-Users] A few questions on openca-0.9.1.8
Thank you for your answers :)

On Thu, 3 Jun 2004, Oliver Welter wrote:

- Is it possible to enter a different expiration date for different certificates?

I think you can assign different times to different roles, but I think you can't do this per certificate.

*** Great, this should be enough. I've found the SSL config for each role. Probably this is the place. Thank you! :)

- Is it possible to revoke a certificate from the RA interface, and to have the possibility to revoke a certificate from the PUB interface?

You can request the revocation from the PUB when you know the CRIN (revocation PIN), or without a PIN on the RA. The revocation itself can only be done on the CA because it must be signed (it's added to the revocation list, which is then signed).

*** Yes, I meant CRR. But the problem is that if you create a CRR on PUB, it's written to the DB, and when approving the CRR on the RA, it runs cmd approveCRR with the CRR serial in the KEY variable:

<input type="Hidden" Name="key" Value="1312">
<input type="Hidden" Name="cmd" value="approveCRR">

But if I want to create a CRR on the RA, it creates something like a virtual CRR (it's NOT written into the DB), and if I want to approve this CRR, it wants to run cmd approveCRR but with the certificate serial number in the SERIAL variable:

<input type="hidden" name="serial" value="6">
<input type="hidden" name="cmd" value="approveCRR">

And here is the problem, because I cannot define two scripts of the same name with different content. I need one approveCRR CMD with owner_method CRR_SERIAL and owner_argument KEY, and another approveCRR CMD with owner_method CERTIFICATE_SERIAL and owner_argument SERIAL. The only solution I see is to leave approveCRR for CRRs created on PUB with CRR_SERIAL/KEY and use approveCRRnotSigned for CRRs created on the RA with CERTIFICATE_SERIAL/SERIAL. Am I right? What is the correct solution?

- Is there a functionality to renew a certificate?

Yes, go to the archived requests and re-request it. But for security reasons you should NOT do this, because you will recycle the key pair.

*** Oh, I thought this was for deleted requests, to make them available again. OK, great!

And I would like to understand how a user can get his certificate and private key if he generates them on the PUB OpenCA interface. For example, I want to create a key pair and certificate for a web server. I create the keys and CSR on PUB, then this request is approved on the RA and the certificate is issued on the CA. Then I can get the certificate for the web server on the web using the PUB interface and /cgi/pki?cmd=getcert&key=10&type=CERTIFICATE. But this will send me only the certificate without the private key. I can get the private key (in encrypted form) from the CA and RA interfaces, but can I get the private key from PUB too (or is it denied for security reasons)?

I think it is disabled for security, because the roll-out of the keys should be done in a more secure way, but I'm not sure about this...

*** Hmmm, it looks like a good idea to download the private key only on the CA and RA. OK, again thank you very much for the answers :)

Robert Wolf.
Re: [Openca-Users] Error issuing cert
On Wed, 2 Jun 2004, Oliver Welter wrote:

writing RSA key
Using configuration from /usr/local/openca/openca/etc/openssl/openssl/User.conf
unable to load number from /usr/local/openca/openca/var/crypto/serial

The serial file exists and is readable... Any ideas?

*** Does this file exist? Does it have the correct permissions for the Apache user? Does it contain a number (of the last issued certificate)? Is anything running in a chroot? Check the file for an EOL char (0x0a); some programs can crash on this.

Wolf.
Re: [Openca-Users] Error issuing cert
On Wed, 2 Jun 2004, Oliver Welter wrote:

Yes, I set perms to 666 to test, same result. The content was 4 bytes, 001EOF. I stripped one leading zero, 01EOF, and now this step works fine. Now I get

*** Hmmm, I had this error also; with more than one zero at the beginning it doesn't work.

Error 6793 - General Error. PIN-mail cannot be created!

*** I had the same error with openca-0.9.1.8. I think this is not an error of OpenCA but of the OpenSSL 0.9.7d version while creating the S/MIME mail message. This error is only in OpenSSL 0.9.7d; if you use OpenSSL 0.9.7c or the latest build of OpenSSL 0.9.7 (0.9.7e), it works fine. I use OpenSSL 0.9.7e-dev, statically built in a special directory, and during the installation of OpenCA I enter --with-openssl-prefix=/myown/OpenSSL/dir

Wolf.
Re: [Openca-Users] Error issuing cert
On Wed, 2 Jun 2004, Michael Bell wrote:

On Wed, 2 Jun 2004, Oliver Welter wrote:

Yes, I set perms to 666 to test, same result. The content was 4 bytes, 001EOF. I stripped one leading zero, 01EOF, and now this step works fine. Now I get

*** Hmmm, I had this error also; with more than one zero at the beginning it doesn't work.

Where and when do you have this error? If OpenCA creates a serial in this file with more than one leading zero, then this is a bug which must be fixed. I fixed some issues with serials during recovery in the past.

*** I meant when I worked with OpenSSL a few years ago, without OpenCA. I created a serial with 000 and it did not work. Is this an error in OpenSSL?

Wolf.
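The checklist from the first reply (file exists, readable by the Apache user, contains a number, trailing EOL) and the 001/01/000 observations in this thread come down to one rule that can be checked before issuing. This is an added example, not OpenCA code: OpenSSL's serial-file parser (a2i_ASN1_INTEGER, called by load_serial in the openssl command-line tool) strips a trailing CR/LF, then accepts only hex digits and only an even number of them, so 01, 0001 and 0000 load while 001 and 000 fail with "unable to load number from <file>". The serial path is the one from the thread; fix_serial is a hypothetical helper that pads to the accepted form.

```shell
#!/bin/sh
# Added example, not OpenCA code: validate a serial file the way `openssl ca`
# will read it (this thread's CA keeps it at
# /usr/local/openca/openca/var/crypto/serial). OpenSSL strips a trailing CR/LF,
# then requires hex digits only and an EVEN count of them: "01"/"0001" load,
# "001"/"000" fail with "unable to load number from <file>".

# check_serial_file <path>: return 0 if openssl will load it, else 1 with a reason.
check_serial_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ -r "$f" ] || { echo "not readable by $(id -un): $f" >&2; return 1; }
    # Only the first line is read; drop CR/LF exactly as openssl does.
    serial=$(head -n 1 "$f" | tr -d '\r\n')
    case $serial in
        '') echo "empty serial file: $f" >&2; return 1 ;;
        *[!0-9A-Fa-f]*) echo "non-hex characters in serial '$serial': $f" >&2; return 1 ;;
    esac
    if [ $(( ${#serial} % 2 )) -ne 0 ]; then
        echo "odd number of hex digits in '$serial': openssl will refuse it" >&2
        return 1
    fi
    return 0
}

# fix_serial <value>: normalise to the accepted form (CR/LF stripped, even length).
# Hypothetical helper; it only pads, it never changes the numeric value.
fix_serial() {
    s=$(printf '%s' "$1" | tr -d '\r\n')
    case $s in
        ''|*[!0-9A-Fa-f]*) echo "not a hex serial: '$1'" >&2; return 1 ;;
    esac
    [ $(( ${#s} % 2 )) -eq 0 ] || s="0$s"
    printf '%s\n' "$s"
}

# Usage: check_serial_file /usr/local/openca/openca/var/crypto/serial
if [ $# -eq 1 ]; then
    check_serial_file "$1" && echo "ok: $(head -n 1 "$1")"
fi
```

Run this as the user the CA CGI executes as, since the readability check is only meaningful from that account. The 666 mode used for testing in the thread should not stay: whoever can write this file chooses the next certificate serial number, so it belongs to the CA user with mode 0600 (or 0640 for a shared group), not world-writable.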