Re: self signed ssl cert on C5




On Thu, 25 Oct 2007, Brian Mathis wrote:

> On 10/25/07, Tom Diehl <tdiehl@xxxxxxxxxxxx> wrote:
> > Hi,
> >
> > Does anyone have a pointer to correct documentation for generating and
> > installing a self signed ssl cert for use on httpd on a C-5 machine?
> >
> > The docs say to use genkey but AFAIK upstream rm'd crypto-utils from the
> > distro and as such it is not available. I tried generating the cert on a C-4
> > machine using genkey and installing on the C-5 machine but I get the following
> > error when I try to connect:
> >
> > [...]
> >
> > Can anyone tell me where I am going wrong here? Google is not being helpful
> > and I am getting frustrated. I wish I better understood open ssl. :-(
> >
> > Regards,
> >
> > --
> > Tom Diehl               tdiehl@xxxxxxxxxxxx             Spamtrap address mtd123@xxxxxxxxxxxx


> You might find a bunch of guides online that give you ways to do it
> using openssl, but C5 has a Makefile already set up to do this for
> you.  Steps:
> 1. cd /etc/pki/tls/certs
> 2. make testcert
> 3. restart apache
>
> The default ssl.conf file points to the localhost.* files that are
> generated by this command.

Ok, so I changed the Makefile from localhost to match the actual hostname of
the machine. I then ran "make testcert" as suggested above and answered the
questions as appropriate. It then generated the cert without errors. I then
modified ssl.conf to point to the .key file and the .crt file, and restarted apache.

Everything looked OK in the logs. I then pointed a browser at the machine and I
got the following errors in the ssl error log:

[Thu Oct 25 14:31:25 2007] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSLv3 read client certificate B
[Thu Oct 25 14:31:25 2007] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate B
[Thu Oct 25 14:31:25 2007] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate B
[Thu Oct 25 14:31:25 2007] [info] [client 192.168.0.3] SSL library error 1 in handshake (server roadrunner.example.com:443)
[Thu Oct 25 14:31:25 2007] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Thu Oct 25 14:31:25 2007] [info] [client 192.168.0.3] Connection closed to child 0 with abortive shutdown (server roadrunner.example.com:443)

In addition I catted the key and crt together to make a .pem and ran verify
on the cert. I got the following output:

(roadrunner pts1) # openssl verify roadrunner.example.com.pem
roadrunner.example.com.pem: /C=US/ST=Pennsylvania/L=Mytown/O=TN Techs LLC/CN=roadrunner.example.com/emailAddress=support@xxxxxxxxxxx
error 18 at 0 depth lookup:self signed certificate
OK
(roadrunner pts1) #

Am I correct that the above error is normal for a self signed cert?

Obviously I am missing something. Can anyone point me at a solution to this
problem?

Regards,

--
Tom Diehl		tdiehl@xxxxxxxxxxxx		Spamtrap address mtd123@xxxxxxxxxxxx
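Added example, not from the thread or from the CentOS Makefile: the plain openssl equivalent of "make testcert", followed by the checks worth running on the resulting files before pointing ssl.conf at them. It reuses the hostname and subject fields from the thread; WORKDIR is a constructed scratch directory so nothing under /etc/pki is touched.

```shell
#!/bin/sh
# Equivalent of "make testcert" in /etc/pki/tls/certs, done with openssl directly,
# plus the checks a practitioner would run on the output. Constructed example.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # constructed scratch dir, not /etc/pki
HOST="roadrunner.example.com"        # hostname used in the thread

# Self-signed key + cert, one year, no passphrase (httpd cannot prompt at boot).
make_testcert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORKDIR/$HOST.key" -out "$WORKDIR/$HOST.crt" \
        -subj "/C=US/ST=Pennsylvania/L=Mytown/O=TN Techs LLC/CN=$HOST" \
        >/dev/null 2>&1
    chmod 600 "$WORKDIR/$HOST.key"   # private key must not be world-readable
}

# Bare verify, as run in the thread: reports "error 18 ... self signed
# certificate" because no trust store contains the cert. Expected, not a defect.
verify_bare() {
    openssl verify "$WORKDIR/$HOST.crt" 2>&1 || true
}

# Verify with the cert itself as the trust anchor: "OK" shows the cert is
# well-formed and its signature checks out; any other error is a real problem.
verify_self_trusted() {
    openssl verify -CAfile "$WORKDIR/$HOST.crt" "$WORKDIR/$HOST.crt" 2>&1
}

# Confirm the .key and .crt are a matching pair. After hand-editing ssl.conf,
# pointing it at a key that does not belong to the cert breaks every handshake.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$WORKDIR/$HOST.key" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$WORKDIR/$HOST.crt" | openssl sha256)
    [ "$k" = "$c" ]
}

make_testcert
verify_bare
verify_self_trusted
key_matches_cert && echo "key and certificate match"
```

These checks cover the server certificate only; the SSL3_GET_CLIENT_CERTIFICATE line in the thread's log is mod_ssl complaining about client certificate verification (the SSLVerifyClient setting), which a good server cert does not fix.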
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
