When you generated the RSA key, did ssleay ask you for a password?
It is possible the prompt message was not displayed right and it was waiting
for input. But I don't know why you got all key, cert .. generated.
Have you dumped them out to see the fields?

In the log, it seems the server failed to get the password. SSLeay uses a
callback function to get the password.

By the way, if you make your own cert, make sure the Common Name field in
the cert is the same as your server's domain name.


On Tue, 20 Oct 1998, Jay D. Ribak wrote:

> 
> Hi all,
>       I am new to this list, and relatively new to working with SSL on Apache.
> I am having some problems getting a new install up and running.  I am hoping
> that someone can give me some pointers on what is wrong.  I will try to include
> as much relevant info as I can, but please let me know if I left something out.
> 
> I am running: Linux Slackware 3.5 Kernel 2.0.34
>               Apache 1.3.1
>               SSLeay 0.9.0b
>               mod_ssl-2.0.8-1.3.1
> 
> I have got everything compiled and built--the web server still works as it used to
> w/o SSL installed.  The only problem I had with installation, is that I cannot do
> a make certificate.  When doing a make certificate, I get the following:
> 
> Generating test certificate signed by Snake Oil CA [TEST]
> WARNING: Do not use this for real-life/production systems
> ______________________________________________________________________
>  
> STEP 1: Generating RSA private key (1024 bit) [server.key]
> 
> The process then just sits there for a long time.  I have let it sit over an
> hour and never got anywhere with it.
> 
> I have, however, created a key, a CSR, and a CRT manually using ssleay.  I
> did this using the commands presented in the FAQ for mod_ssl.  I placed the
> files in the appropriate directories in /usr/local/apache/etc and also 
> modified the httpd.conf file.    Basically, the problem is this...when
> I run /usr/local/apache/sbin/httpd -DSSL it never prompts me for the pass
> phrase for the cert and the process just dies.   If I run w/o defining SSL
> thankfully I can still have my server up and running normally.  This is
> the error that gets entered into the error_log-ssl file:
> [Mon Oct 19 16:11:25 1998] [crit] (22)Invalid argument: mod_ssl: Failed to read private key file /usr/local/apache/etc/ssl.key/inetsolve.key
> [Mon Oct 19 16:11:25 1998] [error] SSLeay: error:0906406D:PEM routines:DEF_CALLBACK:problems getting password
> [Mon Oct 19 16:11:25 1998] [error] SSLeay: error:0906A068:PEM routines:PEM_do_header:bad password read
> 
> 
> I am including my httpd.conf file below, whole, minus a bunch of virtual hosts which 
> would just waste space in this email message.
> 
> Any help given would be appreciated! 
> 
> Thanks
> Jay Ribak
> [EMAIL PROTECTED]
> 
> 
> HTTPD.CONF file included below:
> # -FrontPage- version=2.0
> ##
> ## httpd.conf -- Apache HTTP server configuration file
> ##
> 
> # This is the main server configuration file. See URL http://www.apache.org/
> # for instructions.
> 
> # Do NOT simply read the instructions in here without understanding
> # what they do, if you are unsure consult the online docs. You have been
> # warned.  
> 
> # Dynamic Shared Object (DSO) Support
> #
> # To be able to use the functionality of a module which was built as a DSO you
> # have to place corresponding `LoadModule' lines at this location so the
> # directives contained in it are actually available _before_ they are used.
> # Please read the file README.DSO in the Apache 1.3 distribution for more
> # details about the DSO mechanism and run `httpd -l' for the list of already
> # built-in (statically linked and thus always available) modules in your httpd
> # binary.
> #
> # Example:
> # LoadModule foo_module libexec/mod_foo.so
> 
> 
> # ServerType is either inetd, or standalone.
> 
> ServerType standalone
> 
> # If you are running from inetd, go to "ServerAdmin".
> 
> # Port: The port the standalone listens to. For ports < 1023, you will
> # need httpd to be run as root initially.
> 
> Port 80
> 
> ##
> ##  SSL Support
> ##
> ##  When we also provide SSL we have to listen to the
> ##  standard HTTP port (see above) and to the HTTPS port
> ##
> <IfDefine SSL>
> Listen 80
> Listen 443
> </IfDefine>
> 
> # HostnameLookups: Log the names of clients or just their IP numbers
> #   e.g.   www.apache.org (on) or 204.62.129.132 (off)
> # The default is off because it'd be overall better for the net if people
> # had to knowingly turn this feature on.
> 
> HostnameLookups off
> 
> # If you wish httpd to run as a different user or group, you must run
> # httpd as root initially and it will switch.  
> 
> # User/Group: The name (or #number) of the user/group to run httpd as.
> #  On SCO (ODT 3) use User nouser and Group nogroup
> #  On HPUX you may not be able to use shared memory as nobody, and the
> #  suggested workaround is to create a user www and use that user.
> #  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
> #  when the value of (unsigned)Group is above 60000; 
> #  don't use Group  on these systems!
> 
> User nobody
> Group nogroup
> 
> # ServerAdmin: Your address, where problems with the server should be
> # e-mailed.
> 
> ServerAdmin [EMAIL PROTECTED]
> 
> # ServerRoot: The directory the server's config, error, and log files
> # are kept in.
> # NOTE!  If you intend to place this on a NFS (or otherwise network)
> # mounted filesystem then please read the LockFile documentation,
> # you will save yourself a lot of trouble.
> 
> ServerRoot /usr/local/apache
> ResourceConfig etc/srm.conf
> AccessConfig etc/access.conf
> 
> 
> # BindAddress: You can support virtual hosts with this option. This option
> # is used to tell the server which IP address to listen to. It can either
> # contain "*", an IP address, or a fully qualified Internet domain name.
> # See also the VirtualHost directive.
> 
> BindAddress *
> 
> # ErrorLog: The location of the error log file. If this does not start
> # with /, ServerRoot is prepended to it.
> 
> ErrorLog /usr/local/apache/var/log/error_log
> 
> # LogLevel: Control the number of messages logged to the error_log.
> # Possible values include: debug, info, notice, warn, error, crit,
> # alert, emerg.
> 
> LogLevel warn
> 
> # The following directives define some format nicknames for use with
> # a CustomLog directive (see below).
> 
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
> LogFormat "%h %l %u %t \"%r\" %>s %b" common
> LogFormat "%{Referer}i -> %U" referer
> LogFormat "%{User-agent}i" agent
> 
> # The location of the access logfile (Common Logfile Format).
> # If this does not start with /, ServerRoot is prepended to it.
> 
> CustomLog /usr/local/apache/var/log/access_log common
> 
> # If you would like to have an agent and referer logfile uncomment the
> # following directives.
> 
> #CustomLog /usr/local/apache/var/log/referer_log referer
> #CustomLog /usr/local/apache/var/log/agent_log agent
> 
> # If you prefer a single logfile with access, agent and referer information
> # (Combined Logfile Format) you can use the following directive.
> 
> CustomLog /usr/local/apache/var/log/access_log combined
> 
> # PidFile: The file the server should log its pid to
> PidFile /usr/local/apache/var/run/httpd.pid
> 
> # ScoreBoardFile: File used to store internal server process information.
> # Not all architectures require this.  But if yours does (you'll know because
> # this file is created when you run Apache) then you *must* ensure that
> # no two invocations of Apache share the same scoreboard file.
> ScoreBoardFile /usr/local/apache/var/run/httpd.scoreboard
> 
> # The LockFile directive sets the path to the lockfile used when Apache
> # is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
> # USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
> # its default value. The main reason for changing it is if the logs
> # directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
> # DISK. The PID of the main server process is automatically appended to
> # the filename. 
> #
> #LockFile /usr/local/apache/var/run/httpd.lock
> 
> # ServerName allows you to set a host name which is sent back to clients for
> # your server if it's different than the one the program would get (i.e. use
> # "www" instead of the host's real name).
> #
> # Note: You cannot just invent host names and hope they work. The name you 
> # define here must be a valid DNS name for your host. If you don't understand
> # this, ask your network administrator.
> 
> ServerName www.inetsolve.com
> 
> # UseCanonicalName:  (new for 1.3)  With this setting turned on, whenever
> # Apache needs to construct a self-referencing URL (a url that refers back
> # to the server the response is coming from) it will use ServerName and
> # Port to form a "canonical" name.  With this setting off, Apache will
> # use the hostname:port that the client supplied, when possible.  This
> # also affects SERVER_NAME and SERVER_PORT in CGIs.
> 
> UseCanonicalName on
> 
> # CacheNegotiatedDocs: By default, Apache sends Pragma: no-cache with each
> # document that was negotiated on the basis of content. This asks proxy
> # servers not to cache the document. Uncommenting the following line disables
> # this behavior, and proxies will be allowed to cache the documents.
> 
> #CacheNegotiatedDocs
> 
> # Timeout: The number of seconds before receives and sends time out
> 
> Timeout 300
> 
> # KeepAlive: Whether or not to allow persistent connections (more than
> # one request per connection). Set to "Off" to deactivate.
> 
> KeepAlive On
> 
> # MaxKeepAliveRequests: The maximum number of requests to allow
> # during a persistent connection. Set to 0 to allow an unlimited amount.
> # We reccomend you leave this number high, for maximum performance.
> 
> MaxKeepAliveRequests 100
> 
> # KeepAliveTimeout: Number of seconds to wait for the next request
> 
> KeepAliveTimeout 15
> 
> # Server-pool size regulation.  Rather than making you guess how many
> # server processes you need, Apache dynamically adapts to the load it
> # sees --- that is, it tries to maintain enough server processes to
> # handle the current load, plus a few spare servers to handle transient
> # load spikes (e.g., multiple simultaneous requests from a single
> # Netscape browser).
> 
> # It does this by periodically checking how many servers are waiting
> # for a request.  If there are fewer than MinSpareServers, it creates
> # a new spare.  If there are more than MaxSpareServers, some of the
> # spares die off.  These values are probably OK for most sites ---
> 
> MinSpareServers 5
> MaxSpareServers 10
> 
> # Number of servers to start --- should be a reasonable ballpark figure.
> 
> StartServers 5
> 
> # Limit on total number of servers running, i.e., limit on the number
> # of clients who can simultaneously connect --- if this limit is ever
> # reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW.
> # It is intended mainly as a brake to keep a runaway server from taking
> # Unix with it as it spirals down...
> 
> MaxClients 150
> 
> # MaxRequestsPerChild: the number of requests each child process is
> #  allowed to process before the child dies.
> #  The child will exit so as to avoid problems after prolonged use when
> #  Apache (and maybe the libraries it uses) leak.  On most systems, this
> #  isn't really needed, but a few (such as Solaris) do have notable leaks
> #  in the libraries.
> 
> MaxRequestsPerChild 30
> 
> # Proxy Server directives. Uncomment the following line to
> # enable the proxy server:
> 
> #ProxyRequests On
> 
> # To enable the cache as well, edit and uncomment the following lines:
> 
> #CacheRoot /usr/local/apache/var/proxy
> #CacheSize 5
> #CacheGcInterval 4
> #CacheMaxExpire 24
> #CacheLastModifiedFactor 0.1
> #CacheDefaultExpire 1
> #NoCache a_domain.com another_domain.edu joes.garage_sale.com
> 
> # Listen: Allows you to bind Apache to specific IP addresses and/or
> # ports, in addition to the default. See also the VirtualHost command
> 
> #Listen 3000
> #Listen 12.34.56.78:80
> 
> # VirtualHost: Allows the daemon to respond to requests for more than one
> # server address, if your server machine is configured to accept IP packets
> # for multiple addresses. This can be accomplished with the ifconfig 
> # alias flag, or through kernel patches like VIF.
> 
> # Any httpd.conf or srm.conf directive may go into a VirtualHost command.
> # See also the BindAddress entry.
>  
> NameVirtualHost 208.220.170.253
> 
> # ****************************************************
> # Virtual Host settings for Inetsolve.com's subdomain
> # customers.  This way users can access things by
> # subdomain.inetsolve.com, instead of www.inetsolve.com/~subdomain
> # ****************************************************
> <VirtualHost 208.220.170.253>
> ServerAdmin [EMAIL PROTECTED]
> DocumentRoot /home/twisted/public_html
> ServerName twisted.inetsolve.com
> ErrorLog /home/twisted/public_html/error_log
> TransferLog /home/twisted/public_html/access_log
> </VirtualHost>
> 
> # *********************************************************
> # Virtual Host Settings for WebServePro and its
> # subdomain customers.  For some reason, customers
> # want www.theirname.webservepro.com as well as 
> # theirname.webservepro.com, so each one is listed twice.
> # *********************************************************
> <VirtualHost 208.220.170.253>
> ServerAdmin [EMAIL PROTECTED]
> DocumentRoot /home/wsp/public_html
> ServerName www.webservepro.com
> ErrorLog /home/wsp/public_html/error_log
> TransferLog /home/wsp/public_html/access_log
> </VirtualHost>
> 
> # TONS OF VIRTUAL HOSTS REMOVED HERE TO SAVE SPACE
> # ################################################
> 
> 
> <IfModule mod_ssl.c>
>  
> #   we disable SSL globally
> SSLDisable
>  
> #   configure the path/port for the SSL session cache server[RECOMMENDED].
> #   Additionally sets the session cache timeout, in seconds (set to 15 for
> #   testing, use a higher value in real life) [RECOMMENDED]
> SSLCacheServerPath     /usr/local/apache/sbin/ssl_gcache
> SSLCacheServerPort     12345
> SSLSessionCacheTimeout 300
> 
> <IfDefine SSL>
> <VirtualHost _default_:443>
> 
> #   setup the general virtual server configuration
> DocumentRoot /usr/local/apache/share/htdocs
> ServerName www.inetsolve.com
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog /usr/local/apache/var/log/error_log-ssl
> TransferLog /usr/local/apache/var/log/access_log-ssl
> 
> #   enable SSL for this virtual host
> SSLEnable
> 
> #   this forbids access except when SSL is in use. Very handy for defending
> #   against configuration errors that expose stuff that should be protected
> SSLRequireSSL
> 
> #   point SSLCertificateFile at a PEM encoded certificate.  If
> #   the certificate is encrypted, then you will be prompted for a
> #   pass phrase.  Note that a kill -HUP will prompt again. A test
> #   certificate can be generated with `make certificate' under
> #   built time. [RECOMMENDED]
> SSLCertificateFile     /usr/local/apache/etc/ssl.crt/inetsolve.crt
> 
> #   if the key is not combined with the certificate, use this
> #   directive to point at the key file. [OPTIONAL]
> SSLCertificateKeyFile  /usr/local/apache/etc/ssl.key/inetsolve.key
> 
> #   set the CA certificate verification path where
> #   to find CA certificates for client authentication or
> #   alternatively one huge file containing all of them
> #   (file must be PEM encoded) [OPTIONAL]
> #   Note: Inside SSLCACertificatePath you need hash symlinks
> #         to point to the certificate files. Use the provided
> #         Makefile to update the hash symlinks after changes.
> #SSLCACertificatePath  /usr/local/apache/etc/ssl.crt
> #SSLCACertificateFile  /usr/local/apache/etc/ssl.crt/ca-bundle.crt
> 
> #   set client verification level: [RECOMMENDED]
> #   0|none:           no certificate is required
> #   1|optional:       the client may  present a valid certificate
> #   2|require:        the client must present a valid certificate
> #   3|optional_no_ca: the client may  present a valid certificate 
> #                     but it is not required to have a valid CA
> SSLVerifyClient none
> 
> #   set how deeply to verify the certificate issuer chain 
> #   before deciding the certificate is not valid. [OPTIONAL]
> #SSLVerifyDepth 10
> 
> #   list the ciphers that the client is permitted to negotiate.
> #   See the mod_ssl documentation for a complete list. [OPTIONAL]
> #SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA
> 
> #   these two can be used on a per-directory basis to require or
> #   ban specific ciphers. Note that (at least in the current version)
> #   SSL will not attempt to renegotiate if a cipher is banned
> #   (or not required). [OPTIONAL]
> #SSLRequireCipher RC4-MD5
> #SSLBanCipher RC4-MD5
> 
> #   translate the client X.509 into a Basic Authorisation. 
> #   This means that the standard Auth/DBMAuth methods can be used for
> #   access control. The user name is the `one line' version of
> #   the client's X.509 certificate. Note that no password is
> #   obtained from the user. Every entry in the user file needs
> #   this password: `xxj31ZMTZzkVA'. [OPTIONAL]
> #SSLFakeBasicAuth
> 
> #   a home for miscellaneous rubbish generated by SSL. Much of it
> #   is duplicated in the error log file. Put this somewhere where
> #   it cannot be used for symlink attacks on a real server (i.e.
> #   somewhere where only root can write). [RECOMMENDED]
> SSLLogFile /usr/local/apache/var/log/ssl_misc_log
> 
> #   define custom SSL logging [RECOMMENDED]
> CustomLog /usr/local/apache/var/log/ssl_log "%t %h %{version}c %{cipher}c %{subjectdn}c %{issuerdn}c \"%r\" %b"
> 
> </VirtualHost>                                  
> </IfDefine>
> 
> </IfModule>
> ______________________________________________________________________
> Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
> Official Support Mailing List               [EMAIL PROTECTED]
> Automated List Manager                       [EMAIL PROTECTED]
> 

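The reply above makes two points: mod_ssl could not obtain the pass phrase through SSLeay's password callback, and the key/cert should be inspected rather than assumed good. The following Python script is an added example and is not code from the thread, from mod_ssl or from SSLeay. It assumes the private key is a PEM file in the legacy SSLeay/OpenSSL format (an encrypted key carries "Proc-Type: 4,ENCRYPTED" and "DEK-Info:" header lines; the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" marker is also recognised), and it classifies error_log-ssl lines by the reason text quoted in the original post. The sample key below is constructed (its base64 body is filler, not a real key); the sample log lines are the three from the post, re-joined. The Common Name check from the reply is not covered here.

```python
# Added example (not from the thread): a pre-flight check for an Apache/mod_ssl
# private key, answering two questions before "httpd -DSSL" is started:
#   1. is the PEM key encrypted, so that mod_ssl must obtain a pass phrase
#      through SSLeay's password callback at startup?
#   2. which SSLeay errors in error_log-ssl point at that callback failing?
# Standard library only. Assumption: legacy SSLeay/OpenSSL PEM headers.
import re

LEGACY_ENCRYPTED = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.MULTILINE)
DEK_INFO = re.compile(r"^DEK-Info:\s*([A-Z0-9-]+),", re.MULTILINE)
PKCS8_ENCRYPTED = "-----BEGIN ENCRYPTED PRIVATE KEY-----"


def key_needs_passphrase(pem_text):
    """Return (needs_passphrase, cipher_name_or_None) for a PEM private key.

    A legacy encrypted key is marked by 'Proc-Type: 4,ENCRYPTED' plus a
    'DEK-Info: <cipher>,<iv>' line; a PKCS#8 encrypted key uses its own BEGIN
    marker. Either one means the server has to be given a pass phrase.
    """
    if PKCS8_ENCRYPTED in pem_text:
        return True, "PKCS#8"
    if LEGACY_ENCRYPTED.search(pem_text):
        match = DEK_INFO.search(pem_text)
        return True, (match.group(1) if match else "unknown")
    return False, None


# Reason substrings seen in the thread, mapped to what they mean for the
# operator. Matching on the reason text rather than the hex error code keeps
# the check independent of the SSLeay/OpenSSL version.
ERROR_REASONS = [
    ("problems getting password",
     "the default PEM password callback could not read a pass phrase "
     "(httpd had no terminal to prompt on)"),
    ("bad password read",
     "PEM_do_header could not decrypt the key because no usable pass phrase "
     "was read"),
    ("Failed to read private key file",
     "mod_ssl gave up loading SSLCertificateKeyFile; the SSLeay errors that "
     "follow it in the log say why"),
]


def explain_log_line(line):
    """Map one error_log-ssl line to an explanation, or None if unrelated."""
    for needle, meaning in ERROR_REASONS:
        if needle in line:
            return meaning
    return None


def diagnose(pem_text, log_lines):
    """Combine the key check with the log evidence into one verdict string."""
    encrypted, cipher = key_needs_passphrase(pem_text)
    callback_failed = any(explain_log_line(line) is not None for line in log_lines)
    if encrypted and callback_failed:
        return ("key is encrypted (%s) and the pass-phrase callback failed: "
                "start httpd from a terminal so it can prompt, or keep an "
                "unencrypted copy of the key readable only by root" % cipher)
    if encrypted:
        return "key is encrypted (%s); httpd will prompt for the pass phrase at startup" % cipher
    if callback_failed:
        return ("key is not encrypted, but the log still shows pass-phrase errors: "
                "check that SSLCertificateKeyFile points at this file")
    return "key is not encrypted; no pass-phrase errors in the log"


# Constructed sample: headers as SSLeay writes them for a DES-EDE3-CBC
# encrypted key; the body is filler so it looks like PEM but is not a key.
SAMPLE_ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""

SAMPLE_PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""

# The three error_log-ssl lines from the original post, re-joined.
SAMPLE_LOG = [
    "[Mon Oct 19 16:11:25 1998] [crit] (22)Invalid argument: mod_ssl: Failed to read "
    "private key file /usr/local/apache/etc/ssl.key/inetsolve.key",
    "[Mon Oct 19 16:11:25 1998] [error] SSLeay: error:0906406D:PEM routines:"
    "DEF_CALLBACK:problems getting password",
    "[Mon Oct 19 16:11:25 1998] [error] SSLeay: error:0906A068:PEM routines:"
    "PEM_do_header:bad password read",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(explain_log_line(line))
    print(diagnose(SAMPLE_ENCRYPTED_KEY, SAMPLE_LOG))
```

Run it against the real key file by reading it into `pem_text`; if the verdict says the key is encrypted, the behaviour in the post (httpd started from a non-interactive context, no prompt, immediate exit) is exactly what the callback failure produces. An unencrypted copy of the key removes the prompt but then the file's permissions are the only thing protecting the key, so it must be owned by root and readable by nobody else.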