In article <> you wrote:

> I have just installed Apache with SSL using mod-ssl. When I tried to start
> the httpd (using apachectl startssl ), I was getting 'pass phase incorrect'
> error, and could not start httpd. Before the "make install", I did "make
> certificate" with private key encrypted. I also tried re-run "make
> certificate" "make install" without encrypting private key, still could not
> start httpd (with same error). 

> Following are the error log file (ssl_engine_log) entry
> [09/Dec/1998 14:30:58] [info]  Init: 1st startup round (still not detached)
> [09/Dec/1998 14:30:58] [info]  Init: Initializing SSLeay library
> [09/Dec/1998 14:30:58] [info]  Init: Loading certificate & private key of SSL-aware server my.server.name:8443
> [09/Dec/1998 14:30:58] [error] Init: Unable to read server certificate from file /opt/httpd2/etc/apache/ssl.crt/server.crt (SSLeay error follows)
> [09/Dec/1998 14:30:58] [error] SSLeay: error:0906D06C:PEM routines:PEM_read_bio:no start line

As the message clearly indicates, SSLeay was unable to parse the server.crt
file correctly. Especially it couldn't find the "-----BEGIN CERTIFICATE-----"
line there. Check this file, it should be readable with

$ ssleay x509 -noout -text -in server.crt

SSLeay should not complain here or your certificate _is_ not really
a PEM-encoded X.509 certificate.

> I also tried to get rid of pass phrase with command "ssleay rsa -in
> server.crt.orig -out server.crt", it failed with following error (error_log
> file):
> [Wed Dec  9 14:30:58 1998] [error] SSLeay: error:0906D06C:PEM routines:PEM_read_bio:no start line

What? Wait! There is no pass phrase on the certificate. It's the private key
which can be encrypted. So, you did not read the mod_ssl FAQ carefully enough.
The command is:

$ ssleay rsa -in server.key.orig -out server.key

That your command failed is expected...

> Also, in httpd.conf file, should I specify server.crt or snakeoil-ca.crt as
> directive SSLCertificateFile?  The snakeoil-ca.crt was created when I did
> "make certificate" before "make install".

When you use "make install" you _already_ get a correct httpd.conf.  And there
you see that the SSLCertificateFile is server.crt (as the filename should
indicate, BTW). The snakeoil-ca.crt is usually not needed.

> Can anyone tell what I did wrong ? 

I strongly advise you to carefully follow the instructions and first keep
the default configuration instead of changing things yourself. Second, start
from scratch and remove the etc/apache/ssl.*/ dirs completely, then do a
"make certificate" again followed by a "make install", because "make install"
doesn't override existing ssl.*/* files once they were created. And I guess
you messed up something the first time.

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
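
Added example (not part of the original message and not mod_ssl code): a POSIX shell check that tells a PEM certificate from a plain or pass-phrase-protected private key by its header lines, which is the distinction behind the "no start line" error discussed above. The function names and the sample files with placeholder bodies are constructed for illustration.

```shell
# Added example: pem_kind classifies a PEM file by header lines only and
# prints: certificate | key-encrypted | key-plain | not-pem | unreadable
pem_kind() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    if grep -q -e '^-----BEGIN CERTIFICATE-----' "$1"; then
        echo certificate
    elif grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo key-encrypted                 # PKCS#8 encrypted form
    elif grep -Eq -e '^-----BEGIN (RSA )?PRIVATE KEY-----' "$1"; then
        # Traditional encrypted keys carry a Proc-Type header after BEGIN.
        if grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo key-encrypted
        else
            echo key-plain
        fi
    else
        echo not-pem
    fi
}

# check_pair CERT KEY: return 0 only if CERT holds a certificate and KEY a key.
check_pair() {
    crt_kind=$(pem_kind "$1"); key_kind=$(pem_kind "$2"); rc=0
    case $crt_kind in
        certificate) ;;
        key-*) echo "$1: private key where a certificate is expected"; rc=1 ;;
        *)     echo "$1: no BEGIN CERTIFICATE line ($crt_kind)"; rc=1 ;;
    esac
    case $key_kind in
        key-plain) ;;
        key-encrypted) echo "$2: encrypted key, pass phrase needed at startup" ;;
        certificate)   echo "$2: certificate where a private key is expected"; rc=1 ;;
        *)             echo "$2: no private key block ($key_kind)"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: real PEM header lines, placeholder bodies, no key material.
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/server.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$1/server.key.orig"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$1/server.key"
}
tmp=$(mktemp -d) && make_samples "$tmp"
check_pair "$tmp/server.crt" "$tmp/server.key.orig" || true   # warns only
check_pair "$tmp/server.key" "$tmp/server.crt" || true        # swapped: fails
```

Running `check_pair` against the real `ssl.crt/server.crt` and `ssl.key/server.key` before starting httpd shows whether a file is in the wrong place or still encrypted.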
