I've just installed Apache 1.3.9+OpenSSL_0.9.4+mod_ssl_2.4.2
I moved my existing certs (issued by VeriSign & Thawte) into
the /usr/local/apache/conf/ssl.crt directory. I moved my
existing .key files into 'ssl.key'.
I then ran 'make' from inside the 'ssl.crt' directory to create
the hash symlink files. This is where the problem starts.
If I examine my existing certs using the command:
    openssl x509 -noout -text -in name.crt
They all view fine... but they are all Version: 1 certs.
I recently got a cert renewal from Thawte and it was a v3
cert. I can view it fine using the above openssl command,
but when the Makefile tries to read it and make the hash symlink,
I get the following error:
    unable to load certificate
    error:0906906C:PEM routines:PEM_read:no start line
Now, I took a look at the certs, I noticed that all of them
start with "-----BEGIN X509 CERTIFICATE-----". When I originally
got these from Thawte, the header was "-----BEGIN CERTIFICATE-----".
I was using an OLD version of SSLeay, where I would issue the
command 'getversign domain < tempfile', where domain was the
same name used for generating the key (genkey domain) and tempfile
contained the cert from Thawte.
This seemed to "convert" it to the X509 style...
Anyway, now that I'm using OpenSSL I don't see any command
similar to this. If I simply try to edit the cert and put the
X509 in there and then run make again, I get a different set of
errors, like this:
    unable to load certificate
    error:0D074071:asn1 encoding routines:d2i_ASN1_INTEGER:expecting an integer
    error:0D08C070:asn1 encoding routines:D2I_X509_CINF:error stack
    error:0D089070:asn1 encoding routines:D2I_X509:error stack
    error:0906600D:PEM routines:PEM_ASN1_read:ASN1 lib
I just can't figure it out. All of my old certs work fine. I've
TRIPLE checked with Thawte about the correctness of the new v3
cert they have issued, everything is okay on their end. This
isn't a "trailing space" problem either. I've looked at all
the simple things already...
Any ideas at all would be greatly appreciated.
Thank you very much,
Chris
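
A diagnostic sketch for the two things compared in the message above, the PEM header label and the certificate version. It is an added example, not part of the original post and not OpenSSL or mod_ssl code. The function names (read_tlv, cert_version, inspect_pem) are hypothetical, and the sample input is constructed DER stubs rather than real certificates.

```python
import base64
import re

# One PEM block: capture the label and the base64 body between matching armor lines.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def cert_version(der):
    """Return 1, 2 or 3 by reading the first field of tbsCertificate."""
    tag, pos, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, pos, _ = read_tlv(der, pos)      # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = read_tlv(der, pos)
    if tag == 0x02:                       # serialNumber comes first: version omitted, so v1
        return 1
    if tag != 0xA0:                       # otherwise expect the [0] EXPLICIT version wrapper
        raise ValueError("unexpected tag 0x%02x" % tag)
    tag, start, end = read_tlv(der, start)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[start:end], "big") + 1

def inspect_pem(text):
    """Return [(label, version or error string)] for every PEM block in text."""
    results = []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            results.append((label, cert_version(der)))
        except (ValueError, IndexError) as exc:
            results.append((label, "error: %s" % exc))
    return results

def _armor(label, der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)

# Constructed sample input: DER stubs holding only the leading fields, not real certificates.
SAMPLE = (_armor("X509 CERTIFICATE", bytes.fromhex("30053003020105"))
          + _armor("CERTIFICATE", bytes.fromhex("300a3008a003020102020105")))
```

Passing the contents of a .crt file to inspect_pem shows which label each block carries and whether its body decodes as a v1 or v3 structure, independently of the label.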