I used c_rehash to generate the symlinks as documented in the Cosign
implementation docs.

Info....

------------------------------------------------------------
[root@molar cosign-ca-dir]# sha512sum umwebCA.pem
e8de2020db961a1d20ef17752945ebdfdc089ceeb9d9370d6cbbac29f3c65711994e5e54a03338d3d6b03b711faa197c229b9eb9832be982fa0cd3eb65a79a04  umwebCA.pem

[root@molar cosign-ca-dir]# yum list authconfig
Loaded plugins: rhnplugin, security
Installed Packages
authconfig.x86_64        5.3.21-7.el5        installed
------------------------------------------------------------

I just removed them and used what you suggested, which generated as follows:
------------------------------------------------------------

[root@molar cosign-ca-dir]# rm -f *.0
[root@molar cosign-ca-dir]# ls -la
total 60
drwxr-x---  3 apache apache 4096 Aug 17 10:40 .
drwxr-xr-x 10 root   root   4096 Aug 14 14:33 ..
drwx------  2 root   root   4096 Aug 17 07:44 archive
-rw-------  1 root   root   1521 Aug 17 07:45 extCAroot.pem
-rw-------  1 root   root   5379 Aug 17 07:43 incommonCA.pem
-rw-------  1 root   root   3309 Aug 17 07:45 intermediate.pem
-rw-r--r--  1 root   root   1334 Aug 17 08:52 umwebCA.pem
[root@molar cosign-ca-dir]# cacertdir_rehash .
unable to load certificate
16755:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

[root@molar cosign-ca-dir]# ls -la
total 76
drwxr-x---  3 apache apache 4096 Aug 17 10:40 .
drwxr-xr-x 10 root   root   4096 Aug 14 14:33 ..
lrwxrwxrwx  1 root   root     13 Aug 17 10:40 3c58f906.0 -> extCAroot.pem
lrwxrwxrwx  1 root   root     11 Aug 17 10:40 4700e8dd.0 -> umwebCA.pem
lrwxrwxrwx  1 root   root     14 Aug 17 10:40 84df5188.0 -> incommonCA.pem
drwx------  2 root   root   4096 Aug 17 07:44 archive
lrwxrwxrwx  1 root   root     16 Aug 17 10:40 b0de3e19.0 -> intermediate.pem
-rw-------  1 root   root   1521 Aug 17 07:45 extCAroot.pem
-rw-------  1 root   root   5379 Aug 17 07:43 incommonCA.pem
-rw-------  1 root   root   3309 Aug 17 07:45 intermediate.pem
-rw-r--r--  1 root   root   1334 Aug 17 08:52 umwebCA.pem


------------------------------------------------------------

Also, it seems that the hash output for the umwebCA is not what you are
saying it should be:

[root@molar cosign-ca-dir]# openssl x509 -hash -noout -in ./umwebCA.pem
4700e8dd


Thanks,
Shawn Rahl
Unix Administrator

Dental Informatics, School of Dentistry

University of Michigan

sr...@umich.edu



On Fri, Aug 17, 2012 at 10:35 AM, Mark Montague <m...@catseye.org> wrote:

> On August 17, 2012 10:27 , Shawn Rahl <sr...@umich.edu> wrote:
>
>> Output....
>>
>> [root@molar cosign-ca-dir]# ls -la /etc/httpd/cosign-ca-dir
>> [...]
>>
>> lrwxrwxrwx  1 root   root     11 Aug 17 07:51 fa84f4ea.0 -> umwebCA.pem
>> [...]
>>
>> -rw-r--r--  1 root   root   1334 Aug 17 08:52 umwebCA.pem
>> [root@molar cosign-ca-dir]# sha512sum umwebCA.pem
>> e8de2020db961a1d20ef17752945ebdfdc089ceeb9d9370d6cbbac29f3c65711994e5e54a03338d3d6b03b711faa197c229b9eb9832be982fa0cd3eb65a79a04  umwebCA.pem
>>
>>     Be sure you have the following in that directory (note that this
>>     will be different for people from other institutions):
>>
>>     lrwxrwxrwx. 1 root root     11 Jul 10 11:22 5cc1e784.0 -> umwebCA.pem
>>     -rw-r--r--. 1 root root   1334 Mar 19 10:56 umwebCA.pem
>>
>>     Also make sure you have the correct CA root certificate:
>>
>>     [root@minos certs]# sha512sum umwebCA.pem
>>     e8de2020db961a1d20ef17752945ebdfdc089ceeb9d9370d6cbbac29f3c65711994e5e54a03338d3d6b03b711faa197c229b9eb9832be982fa0cd3eb65a79a04  umwebCA.pem
>>     [root@minos certs]#
>>
>>
> If you have the wrong hash -- as you seem to -- mod_cosign will not be
> able to find the CA root certificate for UM Web CA.
>
> How did you generate the hash symlink?
>
> If this is a Red Hat Enterprise Linux box, make sure you have the
> authconfig RPM installed, then run:
>
> cd /etc/httpd/cosign-ca-dir ; /usr/sbin/cacertdir_rehash .
>
> Or, if you have the c_rehash script from the OpenSSL source code
> distribution, run:
>
> cd /etc/httpd/cosign-ca-dir ; c_rehash .
>
> Also, you should be able to see the same output for:
>
> [root@minos certs]# openssl x509 -hash -noout -in ./umwebCA.pem
> 5cc1e784
> [root@minos certs]#
>
> Short form:  fixing the hash symlink should solve the problem.
>
> --
>   Mark Montague
>   m...@catseye.org
>
>
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
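
Added example, not part of the original messages or of Cosign: a shell check that every `<hash>.N` symlink in a hashed CA directory such as /etc/httpd/cosign-ca-dir matches what the local `openssl x509 -hash` prints, and that every certificate has such a link. The function names are hypothetical; run it with the same openssl the web server uses, because the subject hash differs between OpenSSL releases (1.0.0 changed the algorithm, and `-subject_hash_old` prints the earlier value).

```shell
#!/bin/sh
# Added example: audit an OpenSSL hashed CA directory (the layout that
# cacertdir_rehash and c_rehash produce). Function names are hypothetical.

# Print the subject hash the local openssl computes for a PEM certificate.
# Fails (non-zero) when the file is not a readable X.509 certificate.
cert_hash() {
    openssl x509 -hash -noout -in "$1" 2>/dev/null
}

# audit_ca_dir DIR
# Prints one line per finding. Returns 0 when every certificate has a
# matching <hash>.N symlink and no symlink name is stale, 1 otherwise.
audit_ca_dir() {
    dir=$1
    rc=0
    # 1. A hash-named symlink must point at a cert whose hash is its name.
    for link in "$dir"/*.[0-9]; do
        [ -L "$link" ] || continue
        name=$(basename "$link")
        want=${name%.*}
        got=$(cert_hash "$link") || got=
        if [ "$got" != "$want" ]; then
            echo "STALE $name -> $(readlink "$link") (openssl says ${got:-unreadable})"
            rc=1
        fi
    done
    # 2. Every certificate file must be reachable through a <hash>.N link.
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] && [ ! -L "$pem" ] || continue
        h=$(cert_hash "$pem") || {
            echo "SKIP $(basename "$pem") (not an X.509 certificate)"
            continue
        }
        found=0
        for link in "$dir/$h".[0-9]; do
            if [ -L "$link" ] &&
               [ "$(basename "$(readlink "$link")")" = "$(basename "$pem")" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "MISSING $h.0 -> $(basename "$pem")"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh audit.sh /etc/httpd/cosign-ca-dir
if [ "$#" -gt 0 ]; then audit_ca_dir "$1"; fi
```

A STALE line is the situation in this thread: a symlink whose name was computed elsewhere and does not match the hash the local openssl reports for the same file.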