On Tue, 2008-12-30 at 11:43 -0500, David W Blaine wrote:
>
> In IE 6, I get the error:
>
> Error Code: 700
>
>
> The PKCS#7-object signals an error.
> The signature is not valid.
>
> PKCS#7-Error 7932039:
> OpenCA::PKCS7->parseDepth: There is
> a problem with the verification of
> the chain. ( error:7:certificate
> signature failure)
>
>
>
>
>
>
>
> In Firefox 3, I get the error:
>
> Error Code: 6203
>
> The request is not signed!
>
> after a popup that states "sign is needed to proceed"
>
> I have checked both browsers and the RA and Root certificate look
> properly imported.
>
> -----------------------------------------------------------------
<snip><snip>
>
> I have this same problem. I checked the chain directory - and all is
> ok there. It contains the cacert.crt and the chain. Permissions on the
> file are 644 and owned by the web server account. I put in the patch
> for viewCSR that Max posted in another thread. Can anyone else sign
> their CSR's in Openca 1.0.2?
>
<snip>
Hi, David. I can think of two possible issues. If I recall, when one
imports the PKCS#12 package for the RA operator into the browser and it
installs the CA cert, it does not set it as authorized to do much of
anything. I believe I had to go into the CA cert in Firefox and check
on the three check boxes for the various CA cert faculties.
Or, it could be some of the bugs we hit which resulted in similar
errors. I'm fighting my own deadline so I haven't cleaned this up but
here is a cut and paste from our internal documentation:
We need to patch the source code for some bugs in version 1.0.2.
cd src/common/lib/cmds
Backup the original versions:
mv approveCSR{,.orig}
mv viewCRR{,.orig}
mv viewCert{,.orig}
mv send_email_cert{,.orig}
Move these backups to the base directory since they MUST not be
installed in the cmds directory even as renamed files:
mv *.orig ../../../../
Download the new versions using wget from the following locations:
http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_6295020/viewCert
http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_6295020/send_email_cert
http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_7221014/approveCSR
http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_7221014/viewCRR
Next we need to fix some spelling and grammar in the emails by patching
the mails directory:
cd ../mails (i.e., src/common/lib/mails)
patch -p1 < opencamail-1.0.2.patch
Now we need to patch DBI.pm
cd ../../../modules/openca-dbi
cp DBI.pm ../../../
Apply the opencaDBI.pm-1.0.2.patch patch
patch -p0 < opencaDBI.pm-1.0.2.patch
I'll attach the two patches which are ours. I've submitted them to the
OpenCA developers and do not know if they've been accepted. Frankly,
I'm a perl ignoramus so they may not be very good patches. Good luck -
John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
--- DBI.pm 2008-12-07 00:53:21.000000000 +0000
+++ DBI.fixed.pm 2008-12-06 21:52:16.000000000 +0000
@@ -2380,9 +2380,11 @@
}
}
- ## order by key to support correct listings
- $query.= " order by ".
- $OpenCA::DBI::SQL->{VARIABLE}->{$arguments {TABLE}."_ORDERBY"}[0];
+ if ( $mode ne "count(*)" ) {
+ ## order by key to support correct listings
+ $query.= " order by ".
+ $OpenCA::DBI::SQL->{VARIABLE}->{$arguments {TABLE}."_ORDERBY"}[0];
+ }
$self->debug ("searchItems: query: $query");
diff -Naur mails/C/certsMail.msg mails.fixed/C/certsMail.msg
--- mails/C/certsMail.msg 2007-11-07 19:53:40.000000000 +0000
+++ mails.fixed/C/certsMail.msg 2008-12-07 00:22:37.000000000 +0000
@@ -1,12 +1,12 @@
Dear @USER@,
-You are able to download the requested certificate from our server
+You may download the requested certificate from our server
at the URI:
@httpd_protocol@://@httpd_host@@httpd_port@
-please use the serial number reported in the subject of this email.
-You can either follow the proposed link to import the certificate
+Please use the serial number reported in the subject of this email.
+Alternately, you can follow the link below to import the certificate
directly from the server (no action required from you):
@httpd_protocol@://@httpd_host@@httpd_port@@pub_cgi_url_prefix@/pki?cmd=getcert&k...@serial@&type=CERTIFICATE
@@ -17,8 +17,8 @@
@httpd_protocol@://@httpd_host@@httpd_port@@pub_htdocs_url_prefix@
Please remember to keep at least one safe backup of your private
-key: if you'll lose it you'll not be able to read the crypted
-messages you received so far.
+key; if you lose it, you'll not be able to read the encrypted
+messages you have previously received.
Last, but not least, please add the LDAP server of our organization
to your browser's list. You can find it at the following address:
@@ -33,12 +33,12 @@
LDAP Port : @ldap_port@
Dir Root : o...@ca_organization@, c...@ca_country@
-Now you are able to search directly users' certificates by the
+You can then directly search users' certificates using the
search facility built in Netscape with just one mouse click.
- Sincerily Yours,
+ Sincerely Yours,
@ca_organization@ Security Staff.
diff -Naur mails/C/confirm_cert_sign.msg mails.fixed/C/confirm_cert_sign.msg
--- mails/C/confirm_cert_sign.msg 2007-11-07 19:53:40.000000000 +0000
+++ mails.fixed/C/confirm_cert_sign.msg 2008-12-07 00:30:45.000000000 +0000
@@ -1,11 +1,11 @@
Dear Customer,
-your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ was
+Your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ has been
generated. You can download it now from our server at the URI:
@httpd_protocol@://@httpd_host@@httpd_port@
-Please use the serial number. You can either follow the proposed link to import
+Please use the serial number. Alternately, you can follow the link below to import
the certificate directly from the server (no action required from you):
@httpd_protocol@://@httpd_host@@httpd_port@@pub_cgi_url_prefix@/pki?cmd=getcert&k...@__serial__@&type=CERTIFICATE
@@ -16,8 +16,8 @@
@httpd_protocol@://@httpd_host@@httpd_port@@pub_htdocs_url_prefix@
Please remember to keep at least one safe backup of your private
-key: if you'll lose it you'll not be able to read the crypted
-messages you received so far.
+key; if you lose it, you'll not be able to read the encrypted
+messages you have previously received.
-Sincerily Yours,
+Sincerely Yours,
@ca_organization@ Security Staff.
diff -Naur mails/C/expiringMail.msg mails.fixed/C/expiringMail.msg
--- mails/C/expiringMail.msg 2007-11-07 19:53:40.000000000 +0000
+++ mails.fixed/C/expiringMail.msg 2008-12-07 00:24:57.000000000 +0000
@@ -1,18 +1,18 @@
Dear Owner of Certificate __CERT_SERIAL__,
-the certificate with the serial __CERT_SERIAL__ and the subject
-__CERT_SUBJECT__ will expiring at __CERT_NOTAFTER__.
+The certificate with the serial __CERT_SERIAL__ and the subject
+__CERT_SUBJECT__ will expire at __CERT_NOTAFTER__.
The certificate was issued for __CERT_CN__.
Please visit our webpage to request a new certificate or
contact your registration authority to renew the certificate.
-You can simply reply to this email for further informations.
+You can simply reply to this email for further information.
@httpd_protocol@://@httpd_host@@httpd_port@
Please remember that the services for which the certificate
-is used will propably no longer usable if the certificate
-is expired.
+is used will probably no longer be usable once the certificate
+expires.
- Sincerily Yours,
+ Sincerely Yours,
@ca_organization@ Security Staff.
diff -Naur mails/C/request_pin_mail.msg mails.fixed/C/request_pin_mail.msg
--- mails/C/request_pin_mail.msg 2007-11-07 19:53:40.000000000 +0000
+++ mails.fixed/C/request_pin_mail.msg 2008-12-07 00:26:15.000000000 +0000
@@ -1,9 +1,9 @@
Dear Customer,
-your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ was
+Your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ has been
generated. You can download it now.
-Please use the PIN you are entered during the generation of
+Please use the PIN you entered during the generation of
the request to revoke the certificate.
-Sincerly, your adminstration team
+Sincerely, your administration team
diff -Naur mails/C/secure_pin_mail.msg mails.fixed/C/secure_pin_mail.msg
--- mails/C/secure_pin_mail.msg 2007-11-07 19:53:40.000000000 +0000
+++ mails.fixed/C/secure_pin_mail.msg 2008-12-07 00:27:08.000000000 +0000
@@ -1,10 +1,10 @@
Dear Customer,
-your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ was
+Your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ has been
generated. You can download it now.
Please use the following PIN to revoke your certificate:
$PIN
-Sincerly, your adminstration team
+Sincerely, your adminstration team
diff -Naur mails/en_GB/certsMail.msg mails.fixed/en_GB/certsMail.msg
--- mails/en_GB/certsMail.msg 2007-11-07 19:53:40.000000000 +0000
+++ mails.fixed/en_GB/certsMail.msg 2008-12-07 00:29:26.000000000 +0000
@@ -1,12 +1,12 @@
Dear @USER@,
-You are able to download the requested certificate from our server
+You may download the requested certificate from our server
at the URI:
@httpd_protocol@://@httpd_host@@httpd_port@
-please use the serial number reported in the subject of this email.
-You can either follow the proposed link to import the certificate
+Please use the serial number reported in the subject of this email.
+Alternately, you can follow the link below to import the certificate
directly from the server (no action required from you):
@httpd_protocol@://@httpd_host@@httpd_port@@pub_cgi_url_prefix@/pki?cmd=getcert&k...@serial@&type=CERTIFICATE
@@ -17,10 +17,10 @@
@httpd_protocol@://@httpd_host@@httpd_port@@pub_htdocs_url_prefix@
Please remember to keep at least one safe backup of your private
-key: if you'll lose it you'll not be able to read the crypted
-messages you received so far.
+key; if you lose it, you'll not be able to read the encrypted
+messages you have previously received.
-Last, but not least, please add the LDAP server of our organization
+Last, but not least, please add the LDAP server of our organisation
to your browser's list. You can find it at the following address:
ldap://@ldap_host@:@ldap_port@/@ca_organization@,@ca_country@
@@ -33,12 +33,12 @@
LDAP Port : @ldap_port@
Dir Root : o...@ca_organization@, c...@ca_country@
-Now you are able to search directly users' certificates by the
+You can then directly search users' certificates using the
search facility built in Netscape with just one mouse click.
- Sincerily Yours,
+ Sincerely Yours,
@ca_organization@ Security Staff.
diff -Naur mails/en_GB/confirm_cert_sign.msg mails.fixed/en_GB/confirm_cert_sign.msg
--- mails/en_GB/confirm_cert_sign.msg 2007-11-07 19:53:40.000000000 +0000
+++ mails.fixed/en_GB/confirm_cert_sign.msg 2008-12-07 00:30:32.000000000 +0000
@@ -1,11 +1,11 @@
Dear Customer,
-your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ was
+Your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ has been
generated. You can download it now from our server at the URI:
@httpd_protocol@://@httpd_host@@httpd_port@
-Please use the serial number. You can either follow the proposed link to import
+Please use the serial number. Alternately, you can follow the link below to import
the certificate directly from the server (no action required from you):
@httpd_protocol@://@httpd_host@@httpd_port@@pub_cgi_url_prefix@/pki?cmd=getcert&k...@__serial__@&type=CERTIFICATE
@@ -16,8 +16,8 @@
@httpd_protocol@://@httpd_host@@httpd_port@@pub_htdocs_url_prefix@
Please remember to keep at least one safe backup of your private
-key: if you'll lose it you'll not be able to read the crypted
-messages you received so far.
+key; if you lose it, you'll not be able to read the encrypted
+messages you have previously received.
-Sincerily Yours,
+Sincerely Yours,
@ca_organization@ Security Staff.
diff -Naur mails/en_GB/expiringMail.msg mails.fixed/en_GB/expiringMail.msg
--- mails/en_GB/expiringMail.msg 2007-11-07 19:53:40.000000000 +0000
+++ mails.fixed/en_GB/expiringMail.msg 2008-12-07 00:31:32.000000000 +0000
@@ -1,18 +1,18 @@
Dear Owner of Certificate __CERT_SERIAL__,
-the certificate with the serial __CERT_SERIAL__ and the subject
-__CERT_SUBJECT__ will expiring at __CERT_NOTAFTER__.
+The certificate with the serial __CERT_SERIAL__ and the subject
+__CERT_SUBJECT__ will expire at __CERT_NOTAFTER__.
The certificate was issued for __CERT_CN__.
Please visit our webpage to request a new certificate or
contact your registration authority to renew the certificate.
-You can simply reply to this email for further informations.
+You can simply reply to this email for further information.
@httpd_protocol@://@httpd_host@@httpd_port@
Please remember that the services for which the certificate
-is used will propably no longer usable if the certificate
-is expired.
+is used will probably no longer be usable once the certificate
+expires.
- Sincerily Yours,
+ Sincerely Yours,
@ca_organization@ Security Staff.
diff -Naur mails/en_GB/request_pin_mail.msg mails.fixed/en_GB/request_pin_mail.msg
--- mails/en_GB/request_pin_mail.msg 2007-11-07 19:53:40.000000000 +0000
+++ mails.fixed/en_GB/request_pin_mail.msg 2008-12-07 00:32:02.000000000 +0000
@@ -1,9 +1,9 @@
Dear Customer,
-your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ was
+Your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ has been
generated. You can download it now.
-Please use the PIN you are entered during the generation of
+Please use the PIN you entered during the generation of
the request to revoke the certificate.
-Sincerly, your adminstration team
+Sincerely, your administration team
diff -Naur mails/en_GB/secure_pin_mail.msg mails.fixed/en_GB/secure_pin_mail.msg
--- mails/en_GB/secure_pin_mail.msg 2007-11-07 19:53:40.000000000 +0000
+++ mails.fixed/en_GB/secure_pin_mail.msg 2008-12-07 00:32:29.000000000 +0000
@@ -1,10 +1,10 @@
Dear Customer,
-your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ was
+Your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ has been
generated. You can download it now.
Please use the following PIN to revoke your certificate:
$PIN
-Sincerly, your adminstration team
+Sincerely, your adminstration team
------------------------------------------------------------------------------
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
