Re: [squid-users] getting a CA to take PEM format csrs

Jonathan Giles Wed, 27 Aug 2003 16:48:00 +0000

Henrik:

Again thanks for the help.

I went through the apache mod_ssl directions to the letter, and still having trouble. here are the commands they refer to.

openssl genrsa -des3 -out www.virtualhost.com.key 1024

openssl req -new -key www.virtualhost.com.key -out www.virtualhost.com.csr

openssl x509 -req -days 30 -in www.virtualhost.com.csr -signkey www.virtualhost.com.key -out www.virtualhost.com.crt

Using the test .crt and key created by openssl, this is what I get from...

[EMAIL PROTECTED] openssl]# /usr/local/squid/sbin/squid -D -d 1 Enter PEM pass phrase: 2003/08/27 16:17:24| Failed to acquire SSL private key '/etc/openssl/owa.clinedavis.com.key': error:0906406D:PEM routines:DEF_CALLBACK:problems getting password FATAL: Bungled squid.conf line 64: https_port 443 cert=/etc/openssl/owa.clinedavis.com.crt key=/etc/openssl/owa.clinedavis.com.key Squid Cache (Version 2.5.STABLE3): Terminated abnormally. CPU Usage: 0.080 seconds = 0.060 user + 0.020 sys Maximum Resident Size: 0 KB Page faults with physical i/o: 360 Aborted [EMAIL PROTECTED] openssl]# /usr/local/squid/sbin/squid -D -d 1 Enter PEM pass phrase: [EMAIL PROTECTED] openssl]# Enter PEM pass phrase: 2003/08/27 16:17:53| Failed to acquire SSL private key '/etc/openssl/owa.clinedavis.com.key': error:0906406D:PEM routines:DEF_CALLBACK:problems getting password FATAL: Bungled squid.conf line 64: https_port 443 cert=/etc/openssl/owa.clinedavis.com.crt key=/etc/openssl/owa.clinedavis.com.key Squid Cache (Version 2.5.STABLE3): Terminated abnormally. CPU Usage: 0.070 seconds = 0.050 user + 0.020 sys Maximum Resident Size: 0 KB Page faults with physical i/o: 359 Enter PEM pass phrase: 2003/08/27 16:17:56| Failed to acquire SSL private key '/etc/openssl/owa.clinedavis.com.key': error:0906406D:PEM routines:DEF_CALLBACK:problems getting password FATAL: Bungled squid.conf line 64: https_port 443 cert=/etc/openssl/owa.clinedavis.com.crt key=/etc/openssl/owa.clinedavis.com.key Squid Cache (Version 2.5.STABLE3): Terminated abnormally. CPU Usage: 0.070 seconds = 0.040 user + 0.030 sys Maximum Resident Size: 0 KB Page faults with physical i/o: 359 Enter PEM pass phrase: 2003/08/27 16:17:59| Failed to acquire SSL private key '/etc/openssl/owa.clinedavis.com.key': error:0906406D:PEM routines:DEF_CALLBACK:problems getting password FATAL: Bungled squid.conf line 64: https_port 443 cert=/etc/openssl/owa.clinedavis.com.crt key=/etc/openssl/owa.clinedavis.com.key Squid Cache (Version 2.5.STABLE3): Terminated abnormally. CPU Usage: 0.090 seconds = 0.070 user + 0.020 sys Maximum Resident Size: 0 KB Page faults with physical i/o: 359 Enter PEM pass phrase: 2003/08/27 16:18:02| Failed to acquire SSL private key '/etc/openssl/owa.clinedavis.com.key': error:0906406D:PEM routines:DEF_CALLBACK:problems getting password FATAL: Bungled squid.conf line 64: https_port 443 cert=/etc/openssl/owa.clinedavis.com.crt key=/etc/openssl/owa.clinedavis.com.key Squid Cache (Version 2.5.STABLE3): Terminated abnormally. CPU Usage: 0.070 seconds = 0.060 user + 0.010 sys Maximum Resident Size: 0 KB Page faults with physical i/o: 359 Enter PEM pass phrase: 2003/08/27 16:18:06| Failed to acquire SSL private key '/etc/openssl/owa.clinedavis.com.key': error:0906406D:PEM routines:DEF_CALLBACK:problems getting password FATAL: Bungled squid.conf line 64: https_port 443 cert=/etc/openssl/owa.clinedavis.com.crt key=/etc/openssl/owa.clinedavis.com.key Squid Cache (Version 2.5.STABLE3): Terminated abnormally. CPU Usage: 0.080 seconds = 0.050 user + 0.030 sys Maximum Resident Size: 0 KB Page faults with physical i/o: 359

[EMAIL PROTECTED] openssl]#

On Tuesday, August 26, 2003, at 08:07 PM, Henrik Nordstrom wrote:

The Thawte guide for Apache mod_ssl works just fine for Squid, and
their instructions does generate a PEM formatted CSR... and Thawte
gives you a PEM formatted certificate back if you follow this
procedure.

The Apache guys have not confused the file formats. Apache mod_ssl
wants PEM formatted certificates just as Squid. This is different
from the DER format expected by many others but has the major benefit
that the certificate can be exchanged in plain text email etc..

However, if you have a CA which insists in binary DER certificates
then OpenSSL have options to convert these to/from PEM format if
needed.


The error you are seeing probably means that your Squid binary is not
SSL enabled.. what does "squid -v" say about your configure options?
And is there any comments regarding configure options next to the
https_port option in your squid.conf.default?

Regards
Henrik

On Tuesday 26 August 2003 23.24, Jonathan Giles wrote:

hello:

I have a working config for an https accel setup, but I have hit a
big problem. I have looked over the lists and have not found how
other people deal with this.

I work with Thawte.com to get other certs for other https (apache)
servers, and they have told me they do not accept PEM anything.
And I understand that the csr must  be in PEM for a CA to issue a
PEM crt. Thawte has told me it will be really hard to find a CA
that accepts PEM.

How have other people here delt with this?

Here attached is Thawte's response to my request.

"Hi Jonathan

The PEM format requirement is misleading, as the PEM format
mentioned actually refers to a standard DER format certificate, the
guys developing
the Apache standards seem to have confused the file types.
Therefore since
you are able to generate standard format CSRs, squid should also
work with
standard format certificates, even though Apache and squid are not
the same
they share the same openssl libraries.

What error message do you receive when you restart the daemon?
Please send
us the error logs."

Of course my logs just say Bungled conf file at the config

Aug 25 17:22:29 owa squid: Bungled squid.conf line 62: https_port
443 cert=/etc/openssl/certs/owa.clinedavis.com.test.crt
key=/etc/openssl/private/owa.clinedavis.com.key

This is using the crt and key that was created using Thawte's
directions.

Any suggestions would be greatly appreciated!

jg

---=---=---
Jonathan Giles
Senior Unix Administrator
Cline Davis Mann
---
Privileged/Confidential Information may be contained in this
message.  If you are not the addressee indicated in this message
(or responsible for delivery of the message to such person), you
may not copy or deliver this message to anyone.  In such case,
you should destroy this message and kindly notify the sender
by reply e-mail.  Please advise immediately if you or your
employer do not consent to Internet e-mail of this kind.
Opinions, conclusions, and other information in this message
that do not relate to the official business of CDM shall
be understood as neither given nor endorsed by it.


--
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]

---=---=---
Jonathan Giles
Senior Unix Administrator
Cline Davis Mann
---
Privileged/Confidential Information may be contained in this
message.  If you are not the addressee indicated in this message
(or responsible for delivery of the message to such person), you
may not copy or deliver this message to anyone.  In such case,
you should destroy this message and kindly notify the sender
by reply e-mail.  Please advise immediately if you or your
employer do not consent to Internet e-mail of this kind.
Opinions, conclusions, and other information in this message
that do not relate to the official business of CDM shall
be understood as neither given nor endorsed by it.

Re: [squid-users] getting a CA to take PEM format csrs

Reply via email to