Pound/SSL Startup error
Jonathan Cyr <cyrj(at)cyr.info> |
2004-04-07 21:19:29 |
Hello,
Having problems with startup of Pound. I am running SuSE 9.0, kernel 2.4.21,
with OpenSSL 0.9.7b, and Pound 1.7.
The first instance on port 80 starts fine, so I know Pound is set up correctly
for normal web traffic.
Config file:
# Main listening ports
ListenHTTPS 192.168.0.25,443 /usr/share/ssl/certs/combo1.pem
User root
Group adm
RootJail /var/pound/jail
Client 15
Alive 60
HTTPSHeaders 0 ""
LogLevel 3
.(continues on)
When started on 443, the log shows starting... then
Apr 7 16:15:20 echo1 pound: SSL_CTX_use_certificate_chain_file failed -
aborted
I used the suggested self-signed openssl command in the Pound SSL Section of
the documentation.
openssl req -x509 -newkey rsa:1024 -keyout test.pem -out test.pem \
-days 365 -nodes
The OpenSSL discussion group seems to be down, I'm thinking OpenSSL is the
culprit here.
Also, after I have a self-signed certificate working, I need to generate a CSR
for Verisign, what command would I use for that, with Pound... there are so
many variants in OpenSSL documentation and help sources.
Help greatly appreciated,
-Jonathan Cyr
cyrj(at)cyr.info
Re: Pound/SSL Startup error
Robert Segall <roseg(at)apsis.ch> |
2004-04-08 14:26:08 |
On Wed, 2004-04-07 at 21:19, Jonathan Cyr wrote:[...]
The command above is for generating the required private key, which you
have to add to the certificate.
Are you sure you have a certificate at all? Try 'openssl x509 -in
test.pem -text' to check it - you should see the full certificate
details.
[...]
That depends very much on what your deal with Verisign is.[...]
Re: Pound/SSL Startup error
Jonathan Cyr <cyrj(at)cyr.info> |
2004-04-11 18:20:34 |
Hello,
1) I ran the script below, it looks like it's there. Results below.
echo1:/etc/ssl/certs # openssl x509 -in combo1.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=DELAWARE, L=WILMINGTON, O=DOCUMENTAL SOLUTIONS, LLC,
OU=INFORMATION TECHNOLOGY,
CN=WWW.DOCUMENTALSOLUTIONS.COM/emailAddress=CYRJ(at)CYR.INFO
Validity
Not Before: Apr 7 19:52:26 2004 GMT
Not After : Apr 7 19:52:26 2005 GMT
Subject: C=US, ST=DELAWARE, L=WILMINGTON, O=DOCUMENTAL SOLUTIONS, LLC,
OU=INFORMATION TECHNOLOGY,
CN=WWW.DOCUMENTALSOLUTIONS.COM/emailAddress=CYRJ(at)CYR.INFO
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
99:EE:9B:E5:8C:0B:F2:AC:77:49:BB:D5:56:64:DC:AA:F0:D3:74:B3
X509v3 Authority Key Identifier:
keyid:99:EE:9B:E5:8C:0B:F2:AC:77:49:BB:D5:56:64:DC:AA:F0:D3:74:B3
DirName:/C=US/ST=DELAWARE/L=WILMINGTON/O=DOCUMENTAL SOLUTIONS,
LLC/OU=INFORMATION
TECHNOLOGY/CN=WWW.DOCUMENTALSOLUTIONS.COM/emailAddress=CYRJ(at)CYR.INFO
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
2) As to Verisign, I have a very standard 128bit Class 3 Certificate with
them... In previous attempts, I had not used the -nodes flag, in generating the
CSR for Verisign.
O'Reilly's Linux Security Cookbook has a recipe for generating a CSR...
$ openssl req -in privkey.pem -out filename.csr
...all assuming, I get the self-signed one working.
[...]
Re: Pound/SSL Startup error
Jonathan Cyr <cyrj(at)cyr.info> |
2004-04-12 23:31:41 |
Hello, apologize for premature post...
1) I ran the script below, it looks like it's there. Results below.
echo1:/etc/ssl/certs # openssl x509 -in combo1.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=DELAWARE, L=WILMINGTON, O=DOCUMENTAL SOLUTIONS, LLC,
OU=INFORMATION TECHNOLOGY,
CN=WWW.DOCUMENTALSOLUTIONS.COM/emailAddress=CYRJ(at)CYR.INFO
Validity
Not Before: Apr 7 19:52:26 2004 GMT
Not After : Apr 7 19:52:26 2005 GMT
Subject: C=US, ST=DELAWARE, L=WILMINGTON, O=DOCUMENTAL SOLUTIONS, LLC,
OU=INFORMATION TECHNOLOGY,
CN=WWW.DOCUMENTALSOLUTIONS.COM/emailAddress=CYRJ(at)CYR.INFO
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
99:EE:9B:E5:8C:0B:F2:AC:77:49:BB:D5:56:64:DC:AA:F0:D3:74:B3
X509v3 Authority Key Identifier:
keyid:99:EE:9B:E5:8C:0B:F2:AC:77:49:BB:D5:56:64:DC:AA:F0:D3:74:B3
DirName:/C=US/ST=DELAWARE/L=WILMINGTON/O=DOCUMENTAL SOLUTIONS,
LLC/OU=INFORMATION
TECHNOLOGY/CN=WWW.DOCUMENTALSOLUTIONS.COM/emailAddress=CYRJ(at)CYR.INFO
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
2) As to Verisign, I have a very standard 128bit Class 3 Certificate with
them... In previous attempts, I had not used the -nodes flag, in generating the
CSR for Verisign.
O'Reilly's Linux Security Cookbook has a recipe for generating a CSR...
$ openssl req -in privkey.pem -out filename.csr
...all assuming, I get the self-signed one working.
-Jon Cyr
[...][...]
>>>
>>>openssl req -x509 -newkey rsa:1024 -keyout test.pem -out test.pem \
>>> -days 365 -nodes
>>>
>>>[...]
>>>
>>>[...][...]
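
The checks discussed in this thread, collected into one script as an added example (not code from the posters or the Pound project): it tests whether the file named on a ListenHTTPS line holds both a certificate and an unencrypted private key that belong together, and creates a CSR from an existing key. The function names, result words and the subject argument are assumptions; the key-match step needs an openssl that has the pkey subcommand.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the PEM file named
# on a Pound ListenHTTPS line. Function names and result words are hypothetical.

# Print the label of every PEM block in the file, in order of appearance.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# check_pem FILE: print one result word; return 0 only if the file can serve
# as a combined certificate + unencrypted private key file.
check_pem() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 1; }
    labels=$(pem_labels "$f")
    # The question raised in the reply: is there a certificate in the file at all?
    echo "$labels" | grep -qx 'CERTIFICATE' ||
        { echo no-certificate; return 1; }
    echo "$labels" | grep -Eqx '(RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY' ||
        { echo no-private-key; return 1; }
    # A key written without -nodes is passphrase-protected; a daemon started
    # unattended has nobody to type the passphrase.
    if echo "$labels" | grep -qx 'ENCRYPTED PRIVATE KEY' ||
       grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo encrypted-key; return 1
    fi
    # With openssl installed, also confirm the key belongs to the certificate
    # by comparing the public key derived from each.
    if command -v openssl >/dev/null 2>&1; then
        c=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) ||
            { echo bad-certificate; return 1; }
        k=$(openssl pkey -in "$f" -pubout 2>/dev/null) ||
            { echo bad-private-key; return 1; }
        [ "$c" = "$k" ] || { echo key-mismatch; return 1; }
    fi
    echo ok
}

# new_csr KEYFILE CSRFILE SUBJECT: create a signing request for an existing key.
new_csr() {
    openssl req -new -key "$1" -out "$2" -subj "$3"
}

# Stand-alone use: sh script.sh /path/to/combined.pem
if [ $# -gt 0 ]; then check_pem "$1"; fi
```

When RootJail is set, the file must also be readable at the path and at the point in startup where Pound opens it, which this script does not check.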