
Certificate Problems
Maximilian Treiber <maximilian.treiber(at)stusta.de>
2004-04-21 17:00:59 [ FULL ]
Hi Pound List,

we were running a web-shop in Germany with a single Apache server and
now moved to a Pound installation.
Everything works great, except the HTTPS.
Unfortunately I'm not an SSL expert and I don't have a clue what we are
doing wrong.

In our Apache config we had the following lines in our httpd.conf:
SSLCertificateFile      /root/ssl/www_directshopper_de.crt
SSLCertificateKeyFile   /root/csr/server.key
SSLCACertificateFile    /root/ssl/ca-bundle.dat
and we never had problems with this setup.

In Pound, we use this setup:
ListenHTTPS *,443 /usr/local/pound/etc/ds.pem
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

And to generate this ds.pem file I just executed:
cat /root/csr/server.key /root/ssl/www_directshopper_de.crt >
etc/ds2.pem

to have this SSLCertificateKeyFile and the SSLCertificateFile in one
file.

Now, when a client tries to connect to the SSL server we always get the
message:
The certificate for "www.directshopper.de" is signed by the unknown
Certificate Authority "www.directshopper.de". It is not possible to
verify that this is a valid certificate
(as you can see here: https://www.directshopper.de)

What is going wrong?

Why should the cert be signed by someone else?
Those are exactly the same files as in Apache!

Thanks a lot,

-Max
maximilian.treiber(at)stusta.de

RE: Certificate Problems
John D <jwdavid(at)ibizvision.com>
2004-04-21 17:12:29 [ FULL ]
Max,

You may need to put your CA file (ca-bundle.dat) as part of that single file
(ds2.pem) as well. It may contain chain info that is needed by some browsers
(we have to do this for some of our certs).

I could be totally wrong (since I don't know what is in that CA file), but I
would start there.

John D.

********** Original Email *********
** To:   pound(at)apsis.ch
** From: Maximilian Treiber <maximilian.treiber(at)stusta.de>
** Date: Wed, 21 Apr 2004 17:00:59 +0200
**********
[...]

RE: Certificate Problems
Robert Segall <roseg(at)apsis.ch>
2004-04-21 17:34:51 [ FULL ]
On Wed, 2004-04-21 at 17:12, John D wrote:[...]

John is correct. If you had a CA certificates file it means you had
"intermediate" certificates between the "well-known" CA and your server
certificate. Add the contents of ca-bundle.dat to your certificate file
and you should be OK.

Two additional remarks:

1. make sure all your files are in PEM format.

2. make sure your private key is NOT password-protected.[...]

RE: Certificate Problems
Maximilian Treiber <maximilian.treiber(at)stusta.de>
2004-04-21 18:38:16 [ FULL ]
Thanks a lot for the quick replies!!!

Unfortunately it didn't work.

When I add the key, the crt and the ca-bundle into one file (in that
order), Pound doesn't work _at all_.
No error messages, successful startup, threads are listening, but no
response from server. Not only from port 443 but 80, too.
I tried with telnet: seems like it is listening but just doesn't send
anything. As soon as I change the pem file back to only contain the key
and the crt everything works again.

The files look like this:

/root/csr/server.key:
-----BEGIN RSA PRIVATE KEY-----
...13 lines...
-----END RSA PRIVATE KEY-----

/root/ssl/www_directshopper_de.crt:
-----BEGIN CERTIFICATE-----
...29 lines...
-----END CERTIFICATE-----

/root/ssl/ca-bundle.dat:
-----BEGIN CERTIFICATE-----
...11 lines...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...26 lines...
-----END CERTIFICATE-----

Strangely, the ca-bundle seems to have a different EOL character ... but
I changed this and still no response.

The remarks:
1. How do I know that a file is in PEM format?
All the files seem to be encoded in the same way ...
2. The key worked with our Apache installation, so I guess this should
be the case, right?

Thank You,

-Max

On Wed, 2004-04-21 at 17:34, Robert Segall wrote:[...]
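Added example, written for this thread and not part of Pound: a small Python checker for the combined PEM file that the ListenHTTPS line points at. It turns Robert's two remarks and Max's questions into code: a file is "in PEM format" when every block is base64 text between matching BEGIN/END lines; an RSA key carrying a "Proc-Type: 4,ENCRYPTED" header (or an ENCRYPTED PRIVATE KEY block) is password-protected; a bundle with a single CERTIFICATE block carries no intermediate chain, which is exactly what produces the "unknown Certificate Authority" warning; and the CRLF line endings Max noticed in ca-bundle.dat are flagged, with build_bundle doing what the cat command in the first post does but normalizing them. OpenSSL reads the first CERTIFICATE block as the server certificate and every later one as chain, so the ca-bundle must come after the server cert. The PEM bodies below are constructed placeholders, not real key or certificate material, and the function names are mine.

```python
"""Structural checks for the key + certificate + chain PEM file that Pound's
ListenHTTPS line points at. Example code written for this thread, not part of
Pound; the PEM bodies below are constructed placeholders, not real material."""
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)
BASE64_LINE = re.compile(r"^[A-Za-z0-9+/]+=*$")

# Constructed stand-ins for the "...N lines..." bodies quoted in the post.
KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKx0\n-----END RSA PRIVATE KEY-----\n"
CRT = "-----BEGIN CERTIFICATE-----\nMIIDbzCCAlegAwIB\n-----END CERTIFICATE-----\n"
# ca-bundle.dat with the CRLF line endings Max noticed.
CA_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\r\nMIIC1TCCAb2gAwIB\r\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\r\nMIIEHDCCAwSgAwIB\r\n-----END CERTIFICATE-----\r\n"
)
# A passphrase-protected key, recognizable by its Proc-Type header.
ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIBOgIBAAJBAKx0\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def parse_pem_blocks(text):
    """Return (label, header_lines, body_lines) for every PEM block in text.

    Raises ValueError if a BEGIN/END pair mismatches or a body is not base64,
    which is the practical test for "is this file in PEM format?".
    """
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        begin, payload, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            raise ValueError(f"BEGIN {begin} closed by END {end}")
        lines = [ln.rstrip("\r") for ln in payload.split("\n") if ln.strip()]
        # Encapsulated headers (Proc-Type, DEK-Info) contain a colon;
        # base64 body lines never do.
        headers = [ln for ln in lines if ":" in ln]
        body = [ln for ln in lines if ":" not in ln]
        bad = [ln for ln in body if not BASE64_LINE.match(ln)]
        if not body or bad:
            raise ValueError(f"{begin} block is not base64 PEM: {bad[:1]}")
        blocks.append((begin, headers, body))
    if not blocks:
        raise ValueError("no PEM blocks found (DER or binary file?)")
    return blocks


def check_pound_bundle(text):
    """Return a list of findings for a Pound ListenHTTPS PEM file ([] is good).

    OpenSSL treats the first CERTIFICATE block as the server certificate and
    every later one as chain, so ca-bundle.dat must follow the server cert.
    """
    findings = []
    if "\r\n" in text:
        findings.append("CRLF line endings present; normalize to LF")
    try:
        blocks = parse_pem_blocks(text)
    except ValueError as exc:
        return findings + [f"not PEM: {exc}"]
    labels = [b[0] for b in blocks]
    keys = [i for i, lab in enumerate(labels) if lab.endswith("PRIVATE KEY")]
    certs = [i for i, lab in enumerate(labels) if lab == "CERTIFICATE"]
    if len(keys) != 1:
        findings.append(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        findings.append("no CERTIFICATE block: server certificate missing")
    elif len(certs) == 1:
        findings.append("only one certificate: no intermediate chain, browsers "
                        "will report an unknown CA unless the issuer is a root")
    for i in keys:
        label, headers, _ = blocks[i]
        if label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers
        ):
            findings.append("private key is password-protected; Pound needs an "
                            "unencrypted key")
    return findings


def build_bundle(*pem_parts):
    """Join PEM files as `cat` does, but normalize line endings and make sure
    each part ends with a newline so two blocks never run together."""
    out = []
    for part in pem_parts:
        part = part.replace("\r\n", "\n").replace("\r", "\n")
        if not part.endswith("\n"):
            part += "\n"
        out.append(part)
    return "".join(out)


if __name__ == "__main__":
    for name, data in [("key+crt", KEY + CRT),
                       ("cat key crt ca-bundle", KEY + CRT + CA_BUNDLE),
                       ("build_bundle", build_bundle(KEY, CRT, CA_BUNDLE)),
                       ("encrypted key", build_bundle(ENCRYPTED_KEY, CRT, CA_BUNDLE))]:
        print(name, "->", check_pound_bundle(data) or "OK")
```

Run it against the real files by reading them into build_bundle in the same order as the cat command (key, server cert, ca-bundle) and passing the result to check_pound_bundle; an empty finding list is the state the thread ends up at.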

RE: Certificate Problems
Maximilian Treiber <maximilian.treiber(at)stusta.de>
2004-04-21 21:45:40 [ FULL ]
update:

It works if I remove the
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
line from my pound.conf.

But this IE bug is something that really affects a lot of our customers
...

-Max


On Wed, 2004-04-21 at 18:38, Maximilian Treiber wrote:[...]

RE: Certificate Problems
Robert Segall <roseg(at)apsis.ch>
2004-04-22 13:02:03 [ FULL ]
On Wed, 2004-04-21 at 21:45, Maximilian Treiber wrote:[...]

This could be due to a non-standard OpenSSL installation: which ciphers
get compiled in is a configuration-time choice. Please check your
installation.[...]
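Added example, not from the thread and not Pound's code: Robert's point that the cipher set is fixed when OpenSSL is built can be checked before a cipher line goes into pound.conf. This Python script resolves a cipher string through the ssl module, which asks the OpenSSL library Python is linked against, and reports the individual rules that select no suite on that build. The check is only meaningful against the OpenSSL that Pound itself links to, so run it with a Python built on that library, or run the equivalent `openssl ciphers -v '<string>'` from the same installation. The names POUND_CIPHERS, selected_ciphers and dead_rules are mine.

```python
"""Which cipher suites does a Pound cipher string actually select on the
OpenSSL this Python is linked against? Example code for this thread, not
part of Pound; it uses Python's ssl module as the front end to OpenSSL."""
import ssl

# The cipher line from Max's pound.conf.
POUND_CIPHERS = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"


def selected_ciphers(cipher_string):
    """Return the suite names cipher_string resolves to, or [] when OpenSSL
    rejects it because nothing matches (a listener using such a string has
    nothing it can negotiate)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def dead_rules(cipher_string):
    """Return the rules of cipher_string (without their +/!/- prefix) that
    select no suite at all on this OpenSSL build. A rule is dead either
    because those suites were not compiled in, as Robert suggests, or because
    the keyword is unknown to this OpenSSL version (unknown words are skipped
    by the cipher-string parser, so they fail silently inside a longer list)."""
    dead = []
    for rule in cipher_string.split(":"):
        keyword = rule.lstrip("+!-")
        if keyword and not selected_ciphers(keyword):
            dead.append(keyword)
    return dead


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    print("selected:", len(selected_ciphers(POUND_CIPHERS)), "suites")
    print("dead rules:", dead_rules(POUND_CIPHERS))
```

On an OpenSSL 1.1 or newer build expect the RC4, LOW, EXP and SSLv2 rules to come back dead, since those suites are no longer built in by default; the string as a whole still resolves because ALL matches, which is why a single unsupported keyword does not show up as an error at startup.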

RE: Certificate Problems
Maximilian Treiber <maximilian.treiber(at)stusta.de>
2004-04-22 18:23:26 [ FULL ]
Hi List,

I compiled -current and statically linked to a fresh new openssl-0.9.7d;
everything works great now,

thanks a lot!

-Max

On Thu, 2004-04-22 at 13:02, Robert Segall wrote:[...]
