Hi Gustav, Thank you for your response.
Here is what I have in the nsssl section of the config file: ns_param certificate ${serverdir}/modules/openssl/server.pem ns_param address $address ns_param port 443 ns_param ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!RC4" ns_param ciphersuites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" ns_param protocols "!SSLv2:!SSLv3:!TLSv1.0:!TLSv1.1" ns_param OCSPstapling on ns_param verify 0 ns_param maxinput [expr 10 * 1024 * 1024] ns_param extraheaders { Strict-Transport-Security "max-age=31536000; includeSubDomains" X-Frame-Options SAMEORIGIN X-Content-Type-Options nosniff } ${serverdir) is defined as /usr/local/ns/servers/mealdeliverysoftware set homedir /usr/local/ns set servername “mealdeliverysoftware" set serverdir ${homedir}/servers/${servername} This issue surfaced when I was creating a new ssl certificate. The old certificate expires at the end of the month. The old certificate continued to work after I updated naviserver (with openssl 1.1k). The new certificate did not work. The old certificate has the Diffie-Hellmand key exchange applied. I applied the DH key exchange via openssl: openssl dhparam 2048 >> server.pem The version of openssl installed at the time predated 1.1k. I believe that it was 1.1.i; it may have been an earlier version. I decided to not apply the DH Param to the new certificate. The new certificate now works. Thank you for your responsiveness and your help. Best regards, Thorpe > On Jul 27, 2021, at 03:15, Gustaf Neumann <neum...@wu.ac.at> wrote: > > Hi Thorpe. > > NaviServer 4.99.21 is not released yet... but nevertheless, it is supposed to > work (and is in use e.g. on openacs.org and on many more sites). > > What is your configuration line for the certificate? > It looks like NaviServer is passing the the path > > > ns/server/mealdeliverysoftware/module/nsssl//usr/local/ns/servers/mealdeliverysoftware/modules/openssl/server.pem > > to OpenSSL, but it should pass probably > > /usr/local/ns/servers/mealdeliverysoftware/modules/openssl/server.pem > > -g > > On 24.07.21 14:43, THORPE MAYES via naviserver-devel wrote: >> Hi, >> >> I have updated to naviserver-4-99.21 >> >> I get this error when starting the server: >> Notice: OpenSSL OpenSSL 1.1.1k 25 Mar 2021 initialized >> Notice: load certificate from >> <ns/server/mealdeliverysoftware/module/nsssl//usr/local/ns/servers/mealdeliverysoftware/modules/openssl/server.pem> >> ... >> Warning: private key load error: error:06065064:digital envelope >> routines:EVP_DecryptFinal_ex:bad decrypt >> Error: nsssl: init error: No such file or directory >> Error: modload: /usr/local/ns/bin/nsssl.so: Ns_ModuleInit returned: -1 >> Fatal: modload: failed to load module '/usr/local/ns/bin/nsssl.so’ >> >> I checked the server.pem file: >> openssl rsa -inform PEM -in server.pem -check -noout >> Enter pass phrase for server.pem: >> RSA key ok >> >> I am stuck. >> >> Does anyone have any insight re this issue? >> >> Thank you. >> >> Thorpe >> >> >> >> _______________________________________________ >> naviserver-devel mailing list >> naviserver-devel@lists.sourceforge.net >> <mailto:naviserver-devel@lists.sourceforge.net> >> https://lists.sourceforge.net/lists/listinfo/naviserver-devel >> <https://lists.sourceforge.net/lists/listinfo/naviserver-devel> > -- > Univ.Prof. Dr. Gustaf Neumann > Head of the Institute of Information Systems and New Media > of Vienna University of Economics and Business > Program Director of MSc "Information Systems" > _______________________________________________ > naviserver-devel mailing list > naviserver-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/naviserver-devel
_______________________________________________ naviserver-devel mailing list naviserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/naviserver-devel