I used c_rehash to generate the symlinks as documented in the Cosign
implementation docs.
Info....
------------------------------------------------------------
[root@molar cosign-ca-dir]# sha512sum umwebCA.pem
e8de2020db961a1d20ef17752945ebdfdc089ceeb9d9370d6cbbac29f3c65711994e5e54a03338d3d6b03b711faa197c229b9eb9832be982fa0cd3eb65a79a04  umwebCA.pem
[root@molar cosign-ca-dir]# yum list authconfig
Loaded plugins: rhnplugin, security
Installed Packages
authconfig.x86_64 5.3.21-7.el5
installed
------------------------------------------------------------
I just removed them and used what you suggested, which generated as follows:
------------------------------------------------------------
[root@molar cosign-ca-dir]# rm -f *.0
[root@molar cosign-ca-dir]# ls -la
total 60
drwxr-x--- 3 apache apache 4096 Aug 17 10:40 .
drwxr-xr-x 10 root root 4096 Aug 14 14:33 ..
drwx------ 2 root root 4096 Aug 17 07:44 archive
-rw------- 1 root root 1521 Aug 17 07:45 extCAroot.pem
-rw------- 1 root root 5379 Aug 17 07:43 incommonCA.pem
-rw------- 1 root root 3309 Aug 17 07:45 intermediate.pem
-rw-r--r-- 1 root root 1334 Aug 17 08:52 umwebCA.pem
[root@molar cosign-ca-dir]# cacertdir_rehash .
unable to load certificate
16755:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
[root@molar cosign-ca-dir]# ls -la
total 76
drwxr-x--- 3 apache apache 4096 Aug 17 10:40 .
drwxr-xr-x 10 root root 4096 Aug 14 14:33 ..
lrwxrwxrwx 1 root root 13 Aug 17 10:40 3c58f906.0 -> extCAroot.pem
lrwxrwxrwx 1 root root 11 Aug 17 10:40 4700e8dd.0 -> umwebCA.pem
lrwxrwxrwx 1 root root 14 Aug 17 10:40 84df5188.0 -> incommonCA.pem
drwx------ 2 root root 4096 Aug 17 07:44 archive
lrwxrwxrwx 1 root root 16 Aug 17 10:40 b0de3e19.0 -> intermediate.pem
-rw------- 1 root root 1521 Aug 17 07:45 extCAroot.pem
-rw------- 1 root root 5379 Aug 17 07:43 incommonCA.pem
-rw------- 1 root root 3309 Aug 17 07:45 intermediate.pem
-rw-r--r-- 1 root root 1334 Aug 17 08:52 umwebCA.pem
------------------------------------------------------------
Also, it seems that the hash output for the umwebCA is not what you are
saying it should be:
[root@molar cosign-ca-dir]# openssl x509 -hash -noout -in ./umwebCA.pem
4700e8dd
Thanks,
Shawn Rahl
Unix Administrator
Dental Informatics, School of Dentistry
University of Michigan
sr...@umich.edu
On Fri, Aug 17, 2012 at 10:35 AM, Mark Montague <m...@catseye.org> wrote:
> On August 17, 2012 10:27 , Shawn Rahl <sr...@umich.edu> wrote:
>
>> Output....
>>
>> [root@molar cosign-ca-dir]# ls -la /etc/httpd/cosign-ca-dir
>> [...]
>>
>> lrwxrwxrwx 1 root root 11 Aug 17 07:51 fa84f4ea.0 -> umwebCA.pem
>> [...]
>>
>> -rw-r--r-- 1 root root 1334 Aug 17 08:52 umwebCA.pem
>> [root@molar cosign-ca-dir]# sha512sum umwebCA.pem
>> e8de2020db961a1d20ef17752945ebdfdc089ceeb9d9370d6cbbac29f3c65711994e5e54a03338d3d6b03b711faa197c229b9eb9832be982fa0cd3eb65a79a04  umwebCA.pem
>>
>> Be sure you have the following in that directory (note that this
>> will be different for people from other institutions):
>>
>> lrwxrwxrwx. 1 root root 11 Jul 10 11:22 5cc1e784.0 -> umwebCA.pem
>> -rw-r--r--. 1 root root 1334 Mar 19 10:56 umwebCA.pem
>>
>> Also make sure you have the correct CA root certificate:
>>
>> [root@minos certs]# sha512sum umwebCA.pem
>> e8de2020db961a1d20ef17752945ebdfdc089ceeb9d9370d6cbbac29f3c65711994e5e54a03338d3d6b03b711faa197c229b9eb9832be982fa0cd3eb65a79a04  umwebCA.pem
>> [root@minos certs]#
>>
>>
> If you have the wrong hash -- as you seem to -- mod_cosign will not be
> able to find the CA root certificate for UM Web CA.
>
> How did you generate the hash symlink?
>
> If this is a Red Hat Enterprise Linux box, make sure you have the
> authconfig RPM installed, then run:
>
> cd /etc/httpd/cosign-ca-dir ; /usr/sbin/cacertdir_rehash .
>
> Or, if you have the c_rehash script from the OpenSSL source code
> distribution, run:
>
> cd /etc/httpd/cosign-ca-dir ; c_rehash .
>
> Also, you should be able to see the same output for:
>
> [root@minos certs]# openssl x509 -hash -noout -in ./umwebCA.pem
> 5cc1e784
> [root@minos certs]#
>
> Short form: fixing the hash symlink should solve the problem.
>
> --
> Mark Montague
> m...@catseye.org
>
>
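An added shell example, not code from the list or from the cosign project, for the problem the thread turns on: the same umwebCA.pem (identical sha512sum) hashes to 4700e8dd on one box and 5cc1e784 on the other because OpenSSL 1.0.0 changed the subject-name hash algorithm (on RHEL 5's OpenSSL 0.9.8, `-hash` is the old algorithm; OpenSSL 1.0.0 and later print that value only with `-subject_hash_old`), so `<hash>.0` links made with one algorithm are invisible to a mod_cosign built against the other. The functions below (names are mine) create the `<hash>.N` links the way c_rehash does and audit a directory such as /etc/httpd/cosign-ca-dir for links made with the wrong algorithm; they assume the openssl CLI is on PATH.

```shell
#!/bin/sh
# Added example: build and audit the <subject_hash>.N symlinks that OpenSSL's
# hashed-directory lookup (used for a CApath such as /etc/httpd/cosign-ca-dir)
# needs. Assumes the openssl CLI on PATH; OpenSSL 1.0.0+ for -subject_hash_old.

# Subject hash under the current (OpenSSL 1.0.0+) algorithm.
subject_hash() {
    openssl x509 -subject_hash -noout -in "$1"
}

# Subject hash under the pre-1.0.0 algorithm (what 0.9.8's -hash printed).
subject_hash_old() {
    openssl x509 -subject_hash_old -noout -in "$1"
}

# Link one cert as <hash>.N, using the first free N so that two CAs whose
# subjects collide on the 32-bit hash both stay reachable (c_rehash does this).
# Idempotent: an existing link to the same file is left alone.
link_cert() {
    dir=$1; cert=$2
    h=$(subject_hash "$cert") || return 1
    n=0
    while [ -e "$dir/$h.$n" ]; do
        [ "$(readlink "$dir/$h.$n")" = "$(basename "$cert")" ] && return 0
        n=$((n + 1))
    done
    ln -s "$(basename "$cert")" "$dir/$h.$n"
}

# Audit: return 0 if every *.pem has a current-algorithm link, 1 otherwise,
# and flag certs that are only reachable through an old-algorithm link.
check_ca_dir() {
    dir=$1; rc=0
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        name=$(basename "$cert")
        h=$(subject_hash "$cert"); ho=$(subject_hash_old "$cert")
        if [ -e "$dir/$h.0" ]; then
            echo "ok       $h.0 -> $name"
        elif [ -e "$dir/$ho.0" ]; then
            echo "OLD-HASH $ho.0 -> $name (rehash with the OpenSSL mod_cosign links against)"
            rc=1
        else
            echo "MISSING  $h.0 for $name"
            rc=1
        fi
    done
    return $rc
}
```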
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss