The procedure I'm using is the same as I've used on machines I've set up previously. The biggest difference is that the new machine is running MacOS X on an Intel chip. Everything has been compiled natively for it (I didn't copy any binaries from other machines), so I would have assumed the procedures for generating a self-signed certificate would be the same.
In the past, I've found these instructions worked just fine, even with Apache 2.x:
http://developer.apple.com/internet/serverside/modssl.html

These instructions are basically the same as the ones found on the mod_ssl website:
http://www.modssl.org/docs/2.8/ssl_faq.html#cert-real
http://www.modssl.org/docs/2.8/ssl_faq.html#cert-ownca

  539  openssl genrsa -des3 -out server.key 1024
  540  openssl req -new -key server.key -out server.csr
  541  dir
  542  openssl genrsa -des3 -out ca.key 1024
  543  openssl req -new -x509 -days 365 -key ca.key -out ca.crt
  544  mroe sign.sh
  545  more sign.sh
  546  ./sign.sh server.csr
  547  sudo cp server.key /usr/local/apache2/conf/ssl.key/
  548  sudo cp server.crt /usr/local/apache2/conf/ssl.crt/
  549  sudo /usr/local/apache2/bin/apachectl stop
  550  sudo /usr/local/apache2/bin/apachectl startssl

However, when I followed them this time and restarted apache, my browser was unable to create a secure connection. There are no error messages in the log files related to SSL. I used curl to see if I could get more information:
=========================================================================
$ curl -g -3 -k https://whisper.cse.ucsc.edu
curl: (35) error:04077068:rsa routines:RSA_verify:bad signature
=========================================================================
Then I ran openssl's s_client command and got this:
=========================================================================
$ openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
   i:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=Mark Slater/emailAddress=mslater@xxxxxxxxxxxx
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC3DCCAkUCAQEwDQYJKoZIhvcNAQEEBQAwgbExCzAJBgNVBAYTAlVTMRMwEQYD
VQQIEwpDYWxpZm9ybmlhMRMwEQYDVQQHEwpTYW50YSBDcnV6MRYwFAYDVQQKEw1V
QyBTYW50YSBDcnV6MSUwIwYDVQQLExxTT0UgU29mdHdhcmUgRW5naW5lZXJpbmcg
TGFiMRQwEgYDVQQDEwtNYXJrIFNsYXRlcjEjMCEGCSqGSIb3DQEJARYUbXNsYXRl
ckBzb2UudWNzYy5lZHUwHhcNMDYwMzE2MjAzODMwWhcNMDcwMzE2MjAzODMwWjCB
ujELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzARBgNVBAcTClNh
bnRhIENydXoxFjAUBgNVBAoTDVVDIFNhbnRhIENydXoxJTAjBgNVBAsTHFNPRSBT
b2Z0d2FyZSBFbmdpbmVlcmluZyBMYWIxHTAbBgNVBAMTFHdoaXNwZXIuY3NlLnVj
c2MuZWR1MSMwIQYJKoZIhvcNAQkBFhRtc2xhdGVyQHNvZS51Y3NjLmVkdTCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA6F0mA2DqryuSduNy3ossnxn3FhR9OnS6
8rrOj/zws85hnUSjeaoVVrYZ9ns50apoovlpPoHJNXTY2AYJBRJEPb7y9g3sn3kw
iE8vljGWHzA2vv/NQNPxAFVRCpvZiys2ixC7rbzosRYnmEbvqzzi9aisJ3vDDOd3
gGZsxm0MWpcCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBKNhqbGIV4lQp5az3ebG2z
GyKVzRrd7Oy8D8SUjN3qP+MNLL2i4c2vt7WOZ2nvwgpCEDlPWX4V4uGjDkZhWu1S
0Nd8LHYig+e8eULEJbV+WjMrmz3t0gflBcJkR7b2ri2qbYwZoTsA7b+LaeWvmSYj
NbereZPBdGF44YigxjYT5w==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
issuer=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=Mark Slater/emailAddress=mslater@xxxxxxxxxxxx
---
No client certificate CA names sent
---
SSL handshake has read 1300 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 6EA0454B3C48C92BE620031BD0302FBDAC8D07A33D7710868A45D4251060D4BD
    Session-ID-ctx:
    Master-Key: 3E0CF350B3BB3248C20013C8676E5E7D38E85F70CA7BF67D2DEC3A8F950192BB1F91EAB2FEE029A0FEED1218FFD7D655
    Key-Arg   : None
    Start Time: 1142545988
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
^C
=========================================================================
I then tried this set of directions:
http://www.securityfocus.com/infocus/1818

I ran the command:

  openssl req -new -x509 -days 365 -keyout server.key -out server.crt

Then I installed the generated files in apache and restarted (apachectl startssl). I got the same error with my browser and with curl, but openssl s_client gave this:
=========================================================================
$ openssl s_client -connect whisper.cse.ucsc.edu:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
   i:/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEGTCCA4KgAwIBAgIJAIFnlzdIQqO8MA0GCSqGSIb3DQEBBAUAMIG6MQswCQYD
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTETMBEGA1UEBxMKU2FudGEgQ3J1
ejEWMBQGA1UEChMNVUMgU2FudGEgQ3J1ejElMCMGA1UECxMcU09FIFNvZnR3YXJl
IEVuZ2luZWVyaW5nIExhYjEdMBsGA1UEAxMUd2hpc3Blci5jc2UudWNzYy5lZHUx
IzAhBgkqhkiG9w0BCQEWFG1zbGF0ZXJAc29lLnVjc2MuZWR1MB4XDTA2MDMxNjIx
NTYwMloXDTA3MDMxNjIxNTYwMlowgboxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpD
YWxpZm9ybmlhMRMwEQYDVQQHEwpTYW50YSBDcnV6MRYwFAYDVQQKEw1VQyBTYW50
YSBDcnV6MSUwIwYDVQQLExxTT0UgU29mdHdhcmUgRW5naW5lZXJpbmcgTGFiMR0w
GwYDVQQDExR3aGlzcGVyLmNzZS51Y3NjLmVkdTEjMCEGCSqGSIb3DQEJARYUbXNs
YXRlckBzb2UudWNzYy5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK4n
3ODtRv7l77GFQkEdRxINB7/CGOJjbTgTB6Q75Chm4NMi7k50uBIVVfY4V7zxuv5m
K4x4y37B6GmG5yXhBAI1LhtZxy9IKkg4brXXzOOJQhBuQSTMempnacMlbxGBRON5
Xqt0iuk06Ly/R1lCdDJCSJwVMJmCZYJRhPls2GttAgMBAAGjggEjMIIBHzAdBgNV
HQ4EFgQUBUP6LK0EJZrh80OYfsZonqwoTfYwge8GA1UdIwSB5zCB5IAUBUP6LK0E
JZrh80OYfsZonqwoTfahgcCkgb0wgboxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpD
YWxpZm9ybmlhMRMwEQYDVQQHEwpTYW50YSBDcnV6MRYwFAYDVQQKEw1VQyBTYW50
YSBDcnV6MSUwIwYDVQQLExxTT0UgU29mdHdhcmUgRW5naW5lZXJpbmcgTGFiMR0w
GwYDVQQDExR3aGlzcGVyLmNzZS51Y3NjLmVkdTEjMCEGCSqGSIb3DQEJARYUbXNs
YXRlckBzb2UudWNzYy5lZHWCCQCBZ5c3SEKjvDAMBgNVHRMEBTADAQH/MA0GCSqG
SIb3DQEBBAUAA4GBAJo/Y40mwSmttCGon0TuYBtB/paGhbummFiwDhsYZbTn5VUW
kOAiv4Y4FOOe6sEyzt9GGBeRjSoBJ3Ja6UqTo2trcJN8ulfAZaMAx7uVNwbdZvei
xe19jcPtxvfRuk6izJt+XgfmIuy3tFbADRCESzezC3eCZV16ucedP/gBJie3
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
issuer=/C=US/ST=California/L=Santa Cruz/O=UC Santa Cruz/OU=SOE Software Engineering Lab/CN=whisper.cse.ucsc.edu/emailAddress=mslater@xxxxxxxxxxxx
---
No client certificate CA names sent
---
SSL handshake has read 1617 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 002C52406C37D29DEA0DFB9BDEDE44DB3289F0E5719767A449CDD6C2FBDD1989
    Session-ID-ctx:
    Master-Key: 235C61CC423B0D9E386E4767EF8F0F0B9A98DE490DEF4CC20F7B9A7E820A314CC8504957441F473D582F9A7283654B46
    Key-Arg   : None
    Start Time: 1142546565
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
closed
=========================================================================
Could this be an endian issue with the Intel processor? I would think that, since I built the binaries on the Intel machine (and saw the processor correctly registered in the ./configure process), endianness wouldn't be an issue. Is there something else that I should be doing instead?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
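The post's two procedures (own CA plus sign.sh, and a plain self-signed certificate) and the verify codes s_client printed for each can be reproduced and checked offline. The script below is an added example, not code from the original post, from the mod_ssl FAQ or from the Apache project. It assumes the openssl command is on PATH (OpenSSL 1.1 or later); the subject names, the hostname whisper.example and the temporary work directory are constructed for the demo. Besides rebuilding both kinds of certificate, it runs the check that the post's symptoms most call for: confirming that the private key copied into ssl.key/ actually belongs to the certificate copied into ssl.crt/, since a mismatched pair fails the handshake without leaving anything useful in the Apache logs.

```shell
#!/bin/sh
# Added example (not from the original post): build a small private CA,
# sign a server certificate the way the mod_ssl FAQ's sign.sh does, make a
# plain self-signed certificate the way the second procedure does, and run
# the checks that separate "the cert is merely untrusted" from "the key and
# the cert do not belong together". Assumes openssl is on PATH; subject
# names and the work directory are constructed for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
SUBJ_CA="/C=US/O=Demo Lab/CN=Demo Lab CA"
SUBJ_SRV="/C=US/O=Demo Lab/CN=whisper.example"

# Own CA: key plus self-signed CA certificate (the post's ca.key / ca.crt).
# Keys are left unencrypted so the script runs without a passphrase prompt.
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORK/ca.key" \
    -subj "$SUBJ_CA" -out "$WORK/ca.crt" 2>/dev/null
}

# Server key, CSR and CA-signed certificate (the post's server.key /
# server.csr / server.crt; the "x509 -req" step is what sign.sh wraps).
make_server_cert() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "$SUBJ_SRV" \
    -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null
}

# Plain self-signed certificate (the post's second procedure).
make_selfsigned() {
  openssl req -new -x509 -days 365 -newkey rsa:2048 -nodes \
    -keyout "$WORK/self.key" -subj "$SUBJ_SRV" \
    -out "$WORK/self.crt" 2>/dev/null
}

# Check 1: the certificate's signature verifies against the given trust
# anchor, ignoring the system trust store. Exit status 0 means OK.
verify_against() {            # $1 = CA file, $2 = certificate
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: the numeric verify error a client with no trust anchor reports.
# Prints 20 (unable to get local issuer certificate) for a CA-signed cert
# and 18 (self-signed certificate) for a self-signed one; these are the
# codes s_client shows in the post and they mean "untrusted", not "broken".
untrusted_verify_code() {     # $1 = certificate
  openssl verify -no-CAfile -no-CApath "$1" 2>&1 \
    | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth lookup.*/\1/p' \
    | head -n 1
}

# Check 3: the private key really belongs to the certificate. Compares the
# RSA modulus embedded in each file; a mismatch (e.g. an old server.key
# left in ssl.key/ next to a freshly generated server.crt) breaks the
# handshake while Apache logs nothing about it.
key_matches_cert() {          # $1 = key file, $2 = certificate
  km=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  cm=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$km" ] && [ "$km" = "$cm" ]
}

make_ca
make_server_cert
make_selfsigned
echo "server.crt chains to ca.crt:       $(verify_against "$WORK/ca.crt" "$WORK/server.crt" && echo yes || echo no)"
echo "server.crt untrusted verify code:  $(untrusted_verify_code "$WORK/server.crt")"
echo "self.crt untrusted verify code:    $(untrusted_verify_code "$WORK/self.crt")"
echo "server.key matches server.crt:     $(key_matches_cert "$WORK/server.key" "$WORK/server.crt" && echo yes || echo no)"
echo "ca.key matches server.crt (wrong): $(key_matches_cert "$WORK/ca.key" "$WORK/server.crt" && echo yes || echo no)"
```

Run it as-is, or point WORK at a copy of the files from ssl.key/ and ssl.crt/ and call key_matches_cert on them directly. The script uses 2048-bit keys and OpenSSL's current default signature digest rather than the 1024-bit keys of the 2006 procedure, because current OpenSSL and browsers reject the older parameters outright.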