SSLCACert works - Pound says SSL_CTX_use_PrivateKey_file
Will Tatam <wtatam(at)premierit.com>
2005-09-01 14:26:31
I'm having a few problems with pound 1.9 and ssl

My config works perfectly if I simply have the site's cert and key
inside a file, but users get the error about it not being signed by a
known authority, but if I add the contents of the file I used to use as
the SSLCACert in apache I get the following error

pound: SSL_CTX_use_PrivateKey_file failed - aborted

The certificates are supplied by instantssl.com so I'm not sure what the
format is, I saw that you need to use -nodes when creating your own

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
{my key was here}
-----END RSA PRIVATE KEY-----


Will Tatam
Internal Systems Manager

Tel +44 (0) 20 7837 2690
Fax +44 (0) 20 7278 3113

JID wtatam(at)jabber.premierit.com

Premier IT http://www.premierit.com/ 

New Premier House | Southampton Row
London | WC1B 5AL 




RE: [Pound Mailing List] SSLCACert works - Pound says SSL_CTX_use_PrivateKey_file
"John D" <jwdavid(at)ibizvision.com>
2005-09-01 16:39:31
Howdy,

I am not sure how important order is, but in our pem files, we put the key
first, then our cert then the intermediate/ca certs. We have no problems when
doing this. I think the location of the key is not what is important, but the
order of the certs is. Your cert needs to be first, then the one that signed
yours, then the one that signed that one, etc...

So my suggestion is, reverse the order of your certs and see if that works.

John D.


Re: [Pound Mailing List] SSLCACert works - Pound says SSL_CTX_use_PrivateKey_file
Robert Segall <roseg(at)apsis.ch>
2005-09-01 18:23:34
On Thu, 01 Sep 2005 07:39:31 -0700 "John D" <jwdavid(at)ibizvision.com>
wrote:

> Howdy,
> 
> I am not sure how important order is, but in our pem files, we put the
> key first, then our cert then the intermediate/ca certs. We have no
> problems when doing this. I think the location of the key is not what
> is important, but the order of the certs is. Your cert needs to be
> first, then the one that signed yours, then the one that signed that
> one, etc...
> 
> So my suggestion is, reverse the order of your certs and see if that
> works.

The certificate order is important indeed - the order you describe is
correct. See man SSL_CTX_use_certificate_chain_file(3ssl) for details.

However the error message of the OP is not about certificate order, but
rather results from a problem with the certificate key. The usual reason
is that the key is encrypted (aka password protected).

For the OP: you sometimes need to use the option -nodes in order to
extract the private key WITHOUT A PASSWORD. In your case, assuming you
already have the certificate and key you used with Apache, you can try

openssl rsa -in yourfile.pem -out key.pem

This will prompt you for the original password and then write the
private key (without password) to key.pem. Combine it with the
certificate chain and you're done.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904
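
An added example, not part of the thread or of Pound: a standard-library Python check for the two conditions discussed above in a combined PEM file, namely certificate order (each certificate followed by the one that signed it) and a passphrase-protected private key. The names `lint_pound_pem`, `issuer_subject` and `tlv` are hypothetical; issuer and subject Names are compared byte for byte and signatures are not verified.

```python
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _tag, pos, _end = tlv(der, 0)      # step into Certificate
    _tag, pos, _end = tlv(der, pos)    # step into TBSCertificate
    tag, _start, end = tlv(der, pos)
    if tag == 0xA0:                    # optional [0] version, absent in v1 certs
        pos = end
    fields = []
    for _field in range(5):            # serial, sig alg, issuer, validity, subject
        _tag, _start, end = tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def lint_pound_pem(text):
    """Return a list of problems found in a combined certificate + key PEM file."""
    problems, certs, keys = [], [], 0
    for label, body in PEM_RE.findall(text):
        lines = [line.strip() for line in body.splitlines()]
        if label == "CERTIFICATE":
            certs.append(issuer_subject(base64.b64decode("".join(lines))))
        elif label.endswith("PRIVATE KEY"):
            keys += 1
            # Encrypted keys: PKCS#8 label, or a "Proc-Type: 4,ENCRYPTED" header
            if label.startswith("ENCRYPTED") or any(
                    l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines):
                problems.append("private key is passphrase-protected")
    if not certs or keys != 1:
        problems.append(f"expected certificates and one key, found {len(certs)} and {keys}")
    for i in range(len(certs) - 1):
        # Simplification: Names compared byte for byte, signatures not checked
        if certs[i][0] != certs[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    return problems

if __name__ == "__main__":
    found = lint_pound_pem(open(sys.argv[1]).read())
    print("\n".join(found) or "OK")
    sys.exit(1 if found else 0)
```

Run it as a script with the path of the combined PEM file as its only argument; it exits non-zero when it finds a problem.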

RE: [Pound Mailing List] SSLCACert works - Pound says SSL_CTX_use_PrivateKey_file
Will Tatam <wtatam(at)premierit.com>
2005-09-01 19:57:00
Thanks, swapping the order was all that was required

On Thu, 2005-09-01 at 07:39 -0700, John D wrote:

> Howdy,
> 
> I am not sure how important order is, but in our pem files, we put the key
> first, then our cert then the intermediate/ca certs. We have no problems when
> doing this. I think the location of the key is not what is important, but the
> order of the certs is. Your cert needs to be first, then the one that signed
> yours, then the one that signed that one, etc...
> 
> So my suggestion is, reverse the order of your certs and see if that works.
> 
> John D.
> 

Will Tatam
Internal Systems Manager

Tel +44 (0) 20 7837 2690
Fax +44 (0) 20 7278 3113

JID wtatam(at)jabber.premierit.com

Premier IT http://www.premierit.com/ 

New Premier House | Southampton Row
London | WC1B 5AL 


