Re: SSL Certificate Installation Problem
At 11:07 PM 11/20/00 +, you wrote:
> There should be either a load of trusted certificates in a single file or a directory containing them. If you are using client authentication then it may try to read the whole lot in. If one is corrupt then this could be a problem.
>
> Actually now I look at the error message:
>
> error:0B067002:x509 certificate routines:X509_add_cert_file:system lib
>
> I can't find the relevant function in OpenSSL: does it give *exactly* the same error? If so then I suggest you get the function to print out the file it is trying to load when it gets the error and then examine it.
>
> Alternatively try using the s_server utility as a test server to check it works OK.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED]
> PGP key: via homepage.

Thank you for your help. Prior to trying your suggestions this morning, I received a message from a Thawte rep asking if I had tried a test cert on the system. I had not tried a test cert, but I have now. Initially it failed just the way that the original cert had, but I decided to try several certificate types to see if that was the problem. It ended up working with the "Test X509v1 SSL Cert".

For a website that doesn't need anything more than a "standard" SSL connection, does the X509v3 offer any more security or other differences above the x509v1? If deemed important to change to an X509v3 format, can OpenSSL handle it?

Thanks again,

Greg Dawson, President
Visionary Website Creations, Inc.
Post Office Box 905
Brandon, Florida 33509-0905
http://www.visionary-web.com/
[EMAIL PROTECTED]
813-661-7164 phone
801-459-4789 fax

__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       [EMAIL PROTECTED]
Automated List Manager          [EMAIL PROTECTED]
Re: SSL Certificate Installation Problem
"Visionary Website Creations, Inc." wrote:
> At 11:07 PM 11/20/00 +, you wrote:
>> There should be either a load of trusted certificates in a single file or a directory containing them. If you are using client authentication then it may try to read the whole lot in. If one is corrupt then this could be a problem.
>>
>> Actually now I look at the error message:
>>
>> error:0B067002:x509 certificate routines:X509_add_cert_file:system lib
>>
>> I can't find the relevant function in OpenSSL: does it give *exactly* the same error? If so then I suggest you get the function to print out the file it is trying to load when it gets the error and then examine it.
>>
>> Alternatively try using the s_server utility as a test server to check it works OK.
>
> Thank you for your help. Prior to trying your suggestions this morning, I received a message from a Thawte rep asking if I had tried a test cert on the system. I had not tried a test cert, but I have now. Initially it failed just the way that the original cert had, but I decided to try several certificate types to see if that was the problem. It ended up working with the "Test X509v1 SSL Cert".
>
> For a website that doesn't need anything more than a "standard" SSL connection, does the X509v3 offer any more security or other differences above the x509v1? If deemed important to change to an X509v3 format, can OpenSSL handle it?

Yes OpenSSL can handle v3 format. Indeed v1 format should be avoided where possible because it is somewhat restrictive and has some security issues.

Can you try the certificate with s_server:

openssl s_server -www -cert certfile -key keyfile -port 443

and see if you get any errors with that? You should also be able to connect to it using a web browser and get a status page.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.
Re: SSL Certificate Installation Problem
At 09:50 PM 11/17/00 +, you wrote:
> "Visionary Website Creations, Inc." wrote:
>> Hi, I chatted via IRC with a Thawte tech for about 3 hours. Unfortunately, we're stumped. Here's the problem: I generated a csr for probrasive.com using SSLeay. While trying to install the resulting cert, I got the following error:
>>
>> ns1:/vhost # /web/httpsd -d /web/ssl_conf -f /web/ssl_conf/httpd.conf
>> Reading certificate and key for server ns1.vwc.net
>> Enter PEM pass phrase:
>> Reading certificate and key for server probrasive.com
>> Error reading server certificate file /usr/local/ssl/certs/probrasive.com.cert:
>> error:02001002:system library:fopen:system lib
>> error:0B067002:x509 certificate routines:X509_add_cert_file:system lib
>> error:0D074071:asn1 encoding routines:d2i_ASN1_INTEGER:expecting an integer
>> error:0D08C070:asn1 encoding routines:D2I_X509_CINF:error stack
>> error:0D089070:asn1 encoding routines:D2I_X509:error stack
>> error:0906600D:PEM routines:PEM_ASN1_read:ASN1 lib
>> ns1:/vhost #
>
> Strange, those error messages don't seem consistent. The first one suggests it can't open the file: is the file name correct and does it have the correct permissions?
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED]
> PGP key: via homepage.

Yes. The filename and permissions are correct.

Greg Dawson, President
Visionary Website Creations, Inc.
Post Office Box 905
Brandon, Florida 33509-0905
http://www.visionary-web.com/
[EMAIL PROTECTED]
813-661-7164 phone
801-459-4789 fax
Re: SSL Certificate Installation Problem
"Visionary Website Creations, Inc." wrote:
> At 09:50 PM 11/17/00 +, you wrote:
>> "Visionary Website Creations, Inc." wrote:
>>> Hi, I chatted via IRC with a Thawte tech for about 3 hours. Unfortunately, we're stumped. Here's the problem: I generated a csr for probrasive.com using SSLeay. While trying to install the resulting cert, I got the following error:
>>>
>>> ns1:/vhost # /web/httpsd -d /web/ssl_conf -f /web/ssl_conf/httpd.conf
>>> Reading certificate and key for server ns1.vwc.net
>>> Enter PEM pass phrase:
>>> Reading certificate and key for server probrasive.com
>>> Error reading server certificate file /usr/local/ssl/certs/probrasive.com.cert:
>>> error:02001002:system library:fopen:system lib
>>> error:0B067002:x509 certificate routines:X509_add_cert_file:system lib
>>> error:0D074071:asn1 encoding routines:d2i_ASN1_INTEGER:expecting an integer
>>> error:0D08C070:asn1 encoding routines:D2I_X509_CINF:error stack
>>> error:0D089070:asn1 encoding routines:D2I_X509:error stack
>>> error:0906600D:PEM routines:PEM_ASN1_read:ASN1 lib
>>> ns1:/vhost #
>>
>> Strange, those error messages don't seem consistent. The first one suggests it can't open the file: is the file name correct and does it have the correct permissions?
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
>> Personal Email: [EMAIL PROTECTED]
>> Senior crypto engineer, Celo Communications: http://www.celocom.com/
>> Core developer of the OpenSSL project: http://www.openssl.org/
>> Business Email: [EMAIL PROTECTED]
>> PGP key: via homepage.
>
> Yes. The filename and permissions are correct.

What does this alleged certificate look like? Can you read it with openssl x509 -in cert.pem or does it give a similar error? Can you include the certificate file? It doesn't contain anything confidential and it may be packaged in an unusual way which needs converting.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.
Re: SSL Certificate Installation Problem
At 04:57 PM 11/20/00 +, you wrote:
> "Visionary Website Creations, Inc." wrote:
>> At 09:50 PM 11/17/00 +, you wrote:
>>> "Visionary Website Creations, Inc." wrote:
>>>> Hi, I chatted via IRC with a Thawte tech for about 3 hours. Unfortunately, we're stumped. Here's the problem: I generated a csr for probrasive.com using SSLeay. While trying to install the resulting cert, I got the following error:
>>>>
>>>> ns1:/vhost # /web/httpsd -d /web/ssl_conf -f /web/ssl_conf/httpd.conf
>>>> Reading certificate and key for server ns1.vwc.net
>>>> Enter PEM pass phrase:
>>>> Reading certificate and key for server probrasive.com
>>>> Error reading server certificate file /usr/local/ssl/certs/probrasive.com.cert:
>>>> error:02001002:system library:fopen:system lib
>>>> error:0B067002:x509 certificate routines:X509_add_cert_file:system lib
>>>> error:0D074071:asn1 encoding routines:d2i_ASN1_INTEGER:expecting an integer
>>>> error:0D08C070:asn1 encoding routines:D2I_X509_CINF:error stack
>>>> error:0D089070:asn1 encoding routines:D2I_X509:error stack
>>>> error:0906600D:PEM routines:PEM_ASN1_read:ASN1 lib
>>>> ns1:/vhost #
>>>
>>> Strange, those error messages don't seem consistent. The first one suggests it can't open the file: is the file name correct and does it have the correct permissions?
>>>
>>> Steve.
>>> --
>>> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
>>> Personal Email: [EMAIL PROTECTED]
>>> Senior crypto engineer, Celo Communications: http://www.celocom.com/
>>> Core developer of the OpenSSL project: http://www.openssl.org/
>>> Business Email: [EMAIL PROTECTED]
>>> PGP key: via homepage.
>>
>> Yes. The filename and permissions are correct.
>
> What does this alleged certificate look like? Can you read it with openssl x509 -in cert.pem or does it give a similar error? Can you include the certificate file? It doesn't contain anything confidential and it may be packaged in an unusual way which needs converting.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED]
> PGP key: via homepage.

It looks ok to me:

ns1:/usr/local/ssl/bin # ./openssl x509 -in ../certs/probrasive.com.cert
-----BEGIN CERTIFICATE-----
MIICyzCCAjSgAwIBAgIDD1JqMA0GCSqGSIb3DQEBBAUAMIHEMQswCQYDVQQGEwJa
QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAb
BgNVBAoTFFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0
aW9uIFNlcnZpY2VzIERpdmlzaW9uMRkwFwYDVQQDExBUaGF3dGUgU2VydmVyIENB
MSYwJAYJKoZIhvcNAQkBFhdzZXJ2ZXItY2VydHNAdGhhd3RlLmNvbTAeFw0wMDEx
MTYyMjI3NDJaFw0wMTExMzAyMjI3NDJaMGkxCzAJBgNVBAYTAlVTMRAwDgYDVQQI
EwdGbG9yaWRhMRMwEQYDVQQHEwpDbGVhcndhdGVyMRowGAYDVQQKExFDNCBDYXJi
aWRlcywgSW5jLjEXMBUGA1UEAxMOcHJvYnJhc2l2ZS5jb20wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAL/Js29tGdY2fciay8B3Up3lIZwKr/VpGjGSa4XYSm/W
7yyVQIg75wAM6waudwfvbRDktsW+yc9Wdnr6BAt+LmaNNOnCmYe6x9I4pq53HEoB
64VGmJQGFLZk1RRjviGDUG4DWv9vbsyX0d2l3ACatmmxcjkANbCGU8RLON82IR83
AgMBAAGjJTAjMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJ
KoZIhvcNAQEEBQADgYEAVuk+CfgSCQXCpsTtEAY2vg6hVeeNVmj+8jHUwuNfh6WU
UiFvefeVT5uRvNMT0tNDzbHSsNZsBCP+7Gc2QqgcnjPuocmSopShS3dSLIICt8nn
6M4D5QtGpsYwh9p7fLqZkTEQCl7hHdOwagpLSGxAsBVRePu49KoLC1uyOjz7fsY=
-----END CERTIFICATE-----
ns1:/usr/local/ssl/bin #

Greg Dawson, President
Visionary Website Creations, Inc.
Post Office Box 905
Brandon, Florida 33509-0905
http://www.visionary-web.com/
[EMAIL PROTECTED]
813-661-7164 phone
801-459-4789 fax
Re: SSL Certificate Installation Problem
"Visionary Website Creations, Inc." wrote:
>> What does this alleged certificate look like? Can you read it with openssl x509 -in cert.pem or does it give a similar error? Can you include the certificate file? It doesn't contain anything confidential and it may be packaged in an unusual way which needs converting.
>
> It looks ok to me:
>
> ns1:/usr/local/ssl/bin # ./openssl x509 -in ../certs/probrasive.com.cert

Hmmm seems OK to me too. Is that the only certificate in the file? I suppose it is possible that some other certificate it attempts to read in somewhere is corrupt: check the trusted file or directory to see if anything is wrong there.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.
Re: SSL Certificate Installation Problem
At 07:54 PM 11/20/00 +, you wrote:
> Hmmm seems OK to me too. Is that the only certificate in the file? I suppose it is possible that some other certificate it attempts to read in somewhere is corrupt: check the trusted file or directory to see if anything is wrong there.
>
> Steve.

There is one other certificate referenced in the httpsd.conf file. I'm sure that the error is not with the other cert, because I can remove the probrasive.com virtual host information and https boots just fine.

I'm unclear as to what you mean by "check the trusted file or directory" ... what specifically should I do?

Thanks,

Greg Dawson, President
Visionary Website Creations, Inc.
Post Office Box 905
Brandon, Florida 33509-0905
http://www.visionary-web.com/
[EMAIL PROTECTED]
813-661-7164 phone
801-459-4789 fax
Re: SSL Certificate Installation Problem
"Visionary Website Creations, Inc." wrote:
> At 07:54 PM 11/20/00 +, you wrote:
>> Hmmm seems OK to me too. Is that the only certificate in the file? I suppose it is possible that some other certificate it attempts to read in somewhere is corrupt: check the trusted file or directory to see if anything is wrong there.
>>
>> Steve.
>
> There is one other certificate referenced in the httpsd.conf file. I'm sure that the error is not with the other cert, because I can remove the probrasive.com virtual host information and https boots just fine.
>
> I'm unclear as to what you mean by "check the trusted file or directory" ... what specifically should I do?

There should be either a load of trusted certificates in a single file or a directory containing them. If you are using client authentication then it may try to read the whole lot in. If one is corrupt then this could be a problem.

Actually now I look at the error message:

error:0B067002:x509 certificate routines:X509_add_cert_file:system lib

I can't find the relevant function in OpenSSL: does it give *exactly* the same error? If so then I suggest you get the function to print out the file it is trying to load when it gets the error and then examine it.

Alternatively try using the s_server utility as a test server to check it works OK.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.
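Two of Steve's points in this thread, that a corrupt entry anywhere in the trusted certificate file or directory can break loading, and that v1 and v3 certificates differ, both reduce to reading the PEM blocks one at a time and looking at the first few DER fields. The following is an added example, not code from the mailing list or from the OpenSSL project: a small pure-Python DER walker that reports, per PEM block, either the X.509 version and serial number or the decoding error, so the bad entry in a bundle can be pinpointed instead of guessed at. The sample input is the probrasive.com certificate posted above; the truncated and garbage variants and the v1 header stub are constructed for illustration, and nothing here verifies signatures, names or extensions.

```python
"""Locate a corrupt certificate in a PEM file and read each one's X.509 version.

Added example, not from the thread or the OpenSSL project. Only the outer DER
framing and the first two TBSCertificate fields (version, serialNumber) are
parsed; signatures, names and extensions are not checked.
"""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_tlv(buf, pos):
    """Parse the DER tag and length at buf[pos]; return (tag, value_start, value_end).

    Raises ValueError when the element is cut off or its declared length runs
    past the end of the data, which is how a truncated PEM block shows up.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated element at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                         # short form: one length byte
        length = first
    else:                                    # long form: 0x8N then N length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding at offset %d" % (pos - 1))
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("element at offset %d runs past end of data" % pos)
    return tag, pos, pos + length


def inspect_der_certificate(der):
    """Return {'version': 1|2|3, 'serial': int} from a DER-encoded Certificate."""
    tag, start, end = der_tlv(der, 0)                  # Certificate ::= SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("outer element is not a SEQUENCE spanning the data")
    tag, pos, _tbs_end = der_tlv(der, start)           # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend = der_tlv(der, pos)
    version = 1                                        # v1 omits the field entirely
    if tag == 0xA0:                                    # [0] EXPLICIT Version INTEGER
        itag, istart, iend = der_tlv(der, vstart)
        if itag != 0x02:
            raise ValueError("version is not an INTEGER")
        version = int.from_bytes(der[istart:iend], "big") + 1
        pos = vend
    tag, sstart, send = der_tlv(der, pos)              # serialNumber INTEGER
    if tag != 0x02:
        raise ValueError("expecting an integer (serialNumber)")
    return {"version": version,
            "serial": int.from_bytes(der[sstart:send], "big", signed=True)}


def check_cert_file(text):
    """Decode every PEM block in text; per block give version/serial or the error."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return [{"error": "no PEM CERTIFICATE block found"}]
    results = []
    for i, b64 in enumerate(blocks):
        try:
            der = base64.b64decode("".join(b64.split()), validate=True)
            results.append({"index": i, **inspect_der_certificate(der)})
        except ValueError as exc:                      # binascii.Error is a ValueError
            results.append({"index": i, "error": str(exc)})
    return results


def pem(lines):
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# The probrasive.com certificate exactly as posted in the thread above.
PROBRASIVE_B64 = [
    "MIICyzCCAjSgAwIBAgIDD1JqMA0GCSqGSIb3DQEBBAUAMIHEMQswCQYDVQQGEwJa",
    "QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAb",
    "BgNVBAoTFFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0",
    "aW9uIFNlcnZpY2VzIERpdmlzaW9uMRkwFwYDVQQDExBUaGF3dGUgU2VydmVyIENB",
    "MSYwJAYJKoZIhvcNAQkBFhdzZXJ2ZXItY2VydHNAdGhhd3RlLmNvbTAeFw0wMDEx",
    "MTYyMjI3NDJaFw0wMTExMzAyMjI3NDJaMGkxCzAJBgNVBAYTAlVTMRAwDgYDVQQI",
    "EwdGbG9yaWRhMRMwEQYDVQQHEwpDbGVhcndhdGVyMRowGAYDVQQKExFDNCBDYXJi",
    "aWRlcywgSW5jLjEXMBUGA1UEAxMOcHJvYnJhc2l2ZS5jb20wgZ8wDQYJKoZIhvcN",
    "AQEBBQADgY0AMIGJAoGBAL/Js29tGdY2fciay8B3Up3lIZwKr/VpGjGSa4XYSm/W",
    "7yyVQIg75wAM6waudwfvbRDktsW+yc9Wdnr6BAt+LmaNNOnCmYe6x9I4pq53HEoB",
    "64VGmJQGFLZk1RRjviGDUG4DWv9vbsyX0d2l3ACatmmxcjkANbCGU8RLON82IR83",
    "AgMBAAGjJTAjMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJ",
    "KoZIhvcNAQEEBQADgYEAVuk+CfgSCQXCpsTtEAY2vg6hVeeNVmj+8jHUwuNfh6WU",
    "UiFvefeVT5uRvNMT0tNDzbHSsNZsBCP+7Gc2QqgcnjPuocmSopShS3dSLIICt8nn",
    "6M4D5QtGpsYwh9p7fLqZkTEQCl7hHdOwagpLSGxAsBVRePu49KoLC1uyOjz7fsY=",
]
PROBRASIVE_CERT = pem(PROBRASIVE_B64)
# Constructed corrupt variants: one base64 line dropped from the middle, and a
# block that is not base64 at all; bundled after the good one as a trust file.
TRUNCATED_CERT = pem(PROBRASIVE_B64[:7] + PROBRASIVE_B64[8:])
GARBAGE_CERT = pem(["this is not base64 !!!"])
CONSTRUCTED_BUNDLE = PROBRASIVE_CERT + TRUNCATED_CERT + GARBAGE_CERT
# Constructed header-only DER stub with no version field, which is how a v1
# certificate starts: SEQUENCE { SEQUENCE { INTEGER 5 (serial) } }.
V1_HEADER_STUB = bytes.fromhex("30053003020105")

if __name__ == "__main__":
    for entry in check_cert_file(CONSTRUCTED_BUNDLE):
        print(entry)
```

Run as a script, it prints one line per block of the constructed bundle: the posted certificate decodes as version 3 with serial 0x0F526A, the truncated copy fails because the outer SEQUENCE length runs past the end of the data, and the garbage block fails at base64 decoding. Applying check_cert_file to each file in a trusted-certificate directory is the systematic form of the check Steve describes; where OpenSSL itself can parse a file, openssl x509 -noout -text gives the same version information per file.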