Re: SSLCertificateChain file for Intermediate CA
On Fri, May 18, 2001 at 11:58:02AM +1200, Damon Maria wrote:
> Since I haven't gotten too much of a response yet (except for thanks to Juha) I'll post my VirtualHost in httpd.conf, which I probably should have done in the first place.
> If I uncomment the SSLCertificateChainFile line then the following appears in the log and apache won't start...
>
>   [error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA certificate chain!
>
> I've copied my original message at the bottom of this one which contains the contents of /etc/httpd/conf/ssl.crt/intermediate_ca.crt (as I got it from Verisign's site).

Without going through mod_ssl's source: did you try to put the complete chain into the ChainFile? The server cert is in its own file. For my server (www.aet.tu-cottbus.de) I have an intermediate and a root CA certificate. Both are concatenated together into the chain file.

With respect to the error message, mod_ssl can write more messages than that into e.g. an ssl_engine_log. Did you check all possible logfiles?

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: SSLCertificateChain file for Intermediate CA
Lutz, when I try to access your site with Internet Explorer 5.5, IE tells me that it cannot verify the certificate. German error message is:

  Das Zertifikat wurde von einer Firma ausgestellt, die Sie nicht als vertrauenswürdig eingestuft haben. Untersuchen Sie das Zertifikat um festzustellen, ob Sie der ausstellenden Institution vertrauen möchten.

-----Original message-----
From: Lutz Jaenicke [SMTP:[EMAIL PROTECTED]]
Sent: Friday, 18 May 2001 10:50
To: [EMAIL PROTECTED]
Subject: Re: SSLCertificateChain file for Intermediate CA

> On Fri, May 18, 2001 at 11:58:02AM +1200, Damon Maria wrote:
> [...]
Re: SSLCertificateChain file for Intermediate CA
On Fri, May 18, 2001 at 01:21:31PM +0200, Henning von Bargen wrote:
> Lutz, when I try to access your site with Internet Explorer 5.5, IE tells me that it cannot verify the certificate. German error message is:
>
>   Das Zertifikat wurde von einer Firma ausgestellt, die Sie nicht als vertrauenswürdig eingestuft haben. Untersuchen Sie das Zertifikat um festzustellen, ob Sie der ausstellenden Institution vertrauen möchten.

Yes, that is true. Our certificate was issued by our university's computer center (intermediate CA) and the root CA is the DFN (German research network, the provider for the German universities and scientific institutions).

  emws1 26: openssl s_client -connect www.aet.tu-cottbus.de:443
  CONNECTED(0003)
  depth=2 /C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification [EMAIL PROTECTED]
  verify error:num=19:self signed certificate in certificate chain
  verify return:0
  ---
  Certificate chain
   0 s:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet Cottbus/OU=Allgemeine Elektrotechnik und Numerische [EMAIL PROTECTED]
     i:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet [EMAIL PROTECTED]
   1 s:/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet [EMAIL PROTECTED]
     i:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification [EMAIL PROTECTED]
   2 s:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification [EMAIL PROTECTED]
     i:/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification [EMAIL PROTECTED]

The message IE shows is due to the fact that DFN-PCA is not part of the standard CA bundle. When you import the DFN-PCA certificate, the problem will go away: http://www.pca.dfn.de/dfnpca/certify/ssl/pca-key.html
(I also have not initialized the trusted CA storage for openssl s_client, which correspondingly complains about "self signed certificate in certificate chain".)

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
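An added example, not from the thread or from mod_ssl: this shell script builds a throwaway root / intermediate / server hierarchy with openssl (placeholder names, not the DFN or BTU PKI), assembles the chain file the way Lutz describes (intermediate and root concatenated, server certificate kept in its own file), and checks it both against a trusted root and without one, which reproduces the error 19 "self signed certificate in certificate chain" shown in the s_client output above.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throwaway root -> intermediate
# -> server hierarchy with openssl, assembles an SSLCertificateChainFile the
# way Lutz describes, and checks it. All names are placeholders.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_chain() {
    # Self-signed root CA; the default req -x509 output already carries CA:TRUE
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Placeholder Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

    # Intermediate CA signed by the root; it must be marked as a CA itself
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Placeholder Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -set_serial 1 -days 365 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

    # Server certificate signed by the intermediate; it stays in its own file
    # (SSLCertificateFile) and never goes into the chain file
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -set_serial 1 -days 365 -out "$WORK/server.pem" 2>/dev/null

    # SSLCertificateChainFile: issuing intermediate first, then the root
    cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# Succeeds when server.pem chains through chain.pem to a root we trust:
# what a client that has imported the root certificate (as Lutz advises) sees.
verify_with_trusted_root() {
    openssl verify -no-CApath -no-CAfile -CAfile "$WORK/root.pem" \
        -untrusted "$WORK/chain.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Succeeds only when openssl reports error 19 (self-signed certificate in
# certificate chain): the chain is complete but the root is not trusted,
# which is exactly what s_client and IE complained about in the thread.
verify_untrusted_root_reports_19() {
    openssl verify -no-CApath -no-CAfile \
        -untrusted "$WORK/chain.pem" "$WORK/server.pem" 2>&1 | grep -q 'error 19'
}

make_chain
verify_with_trusted_root && echo "trusted root present: server cert verifies OK"
verify_untrusted_root_reports_19 && echo "root not trusted: error 19, as in the thread"
```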
Re: modssl freezes on startup
Last week, I posted this question:
http://www.mail-archive.com/modssl-users%40modssl.org/msg11396.html

After reading some responses to other apparently similar problems, I tried removing the passphrase from my cert. Now, I get this error, which I've seen often on the list recently as well:

  mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows)
  OpenSSL: error:04069003:rsa routines:RSA_memory_lock:BN lib

According to the FAQ, if I get this error, I should also get a failure on make certificate, but I do not -- so it seems the PRNG is not actually at fault.

Still stumped...
--
Alex Howansky
Wankwood Associates
http://www.wankwood.com/
Re: R: Cert signed by own CA and IE
Hi Arcady!

Have you solved your problem? I was able to install your Certificate, after I installed your self-signed CA certificate. Is it possible that this is the missing step in your testing? The CA cert has to be added to your root auth., then you'll be able to install the actual server certificate.

Hope this helps,
Paul

PS: I am using IE 5.0

On Wed, 16 May 2001, Arcady Genkin wrote:
> Andrea Cerrito [EMAIL PROTECTED] writes:
> > > Connecting to a secure site with a certificate signed by own CA, IE seems to provide no obvious way of permanently adding the cert to the browser's configuration. As a result, a warning that "The security certificate is issued by a company you have not chosen to trust..." is displayed every time I'm trying to establish a connection. Is there a fool-proof way to permanently add a certificate or tell IE that the CA is to be trusted?
> > Show Certificate / Install Certificate.
> I tried that, and it didn't work. It told me that the certificate was installed successfully, but once I quit IE, restart it, and load the page again, it displays the same warning again.
> > > The minimal html page I'm experimenting with is at https://www.thpoon.com If anyone would try to install the certificate from it in IE: maybe I did something wrong with configuration?
> > I wasn't able to install it. Can u print your conf?
> You mean from httpd.conf? Since it's huge, I've posted it at http://www.thpoon.com/tmp/httpd.conf rather than sending to the list. The SSL-related stuff is at the bottom of it.
> Thanks!
> p.s. This is a repost, since I have replied from a different email address than the one I've subscribed from and I'm afraid that it didn't come through. Sorry if this is a dupe.
> --
> Arcady Genkin

--
Bills travel through the mail at twice the speed of checks
List configuration (posting from a different email)
This may have already been discussed, but I didn't find it in the archives.

Posts to the list from an email address different from the one I'm subscribed to are silently dropped: they are not allowed through, neither are they bounced. I find this behaviour a bit frustrating: first, I have to be always mindful whether I post from work or from home, and adjust my From line accordingly; secondly, if I make a mistake by forgetting to adjust my From line, I have no means of knowing it other than my message not appearing in the list.

Is this intentional or a misconfiguration?

Thanks,
--
Arcady Genkin
Re: R: Cert signed by own CA and IE
Paul-Catalin Oros [EMAIL PROTECTED] writes:
> Have you solved your problem? I was able to install your Certificate, after I installed your self-signed CA certificate. Is it possible that this is the missing step in your testing? The CA cert has to be added to your root auth., then you'll be able to install the actual server certificate.

Yes, it seems that I have solved the problem by pointing SSLCertificateChainFile to my ca.crt, with off-list help from another list member. It now works fine.

In my opinion the easiest way of configuring IE to access sites with certificates signed by own CAs is to put the CA's certificate in a URL and let the users click on it: the browser will pop up a dialogue to install a new root authority cert, and after that all is done.

Thanks,
--
Arcady Genkin
Re: List configuration (posting from a different email)
> Posts to the list from email address different from the one I'm subscribed to are silently dropped

It is a deliberate anti-spam feature.
Re: List configuration (posting from a different email)
Rich Salz [EMAIL PROTECTED] writes:
> > Posts to the list from email address different from the one I'm subscribed to are silently dropped
> It is a deliberate anti-spam feature.

That much I figured out. Leaving out the discussion of questionability of such measure, I think that a bounce should be sent if a post is not accepted.
--
Arcady Genkin
Re: Trouble configuring Apache/mod_ssl to satisfy these requirements...
I inquired of the list a few days ago:
http://marc.theaimsgroup.com/?l=apache-modssl&m=98987009932371&w=2

Thanks to the respondents. Appended below is the solution (edited portions of my httpd.conf) with which I'm going.

Now I have the pleasure of dealing with Microsoft's Web Folders implementation (a DAV client) which re-asks for username/password way too often. None of the other DAV clients I've tested do that.

Kingsley
[EMAIL PROTECTED]

  DocumentRoot /usr/local/apache/htdocs

  <Directory />
      AllowOverride None
      Options None
      Order deny,allow
      Deny from all
  </Directory>

  <Directory /usr/local/apache/htdocs/author>
      Order allow,deny
      Allow from all
  </Directory>

  <Directory /usr/local/apache/htdocs/author/staging>
      Order deny,allow
      Deny from all
  </Directory>

  <VirtualHost _default_:443>
      <Directory /usr/local/apache/htdocs>
          SSLRequireSSL
          DAV On
          AuthType Basic
      </Directory>

      <Directory /usr/local/apache/htdocs/author>
          Options Indexes
          require user author
          Order allow,deny
          Allow from all
      </Directory>

      <Directory /usr/local/apache/htdocs/author/staging>
          Order allow,deny
          Allow from all
      </Directory>
  </VirtualHost>
Re: List configuration (posting from a different email)
On Fri, May 18, 2001 at 01:59:03PM -0400, Arcady Genkin wrote:
> Rich Salz [EMAIL PROTECTED] writes:
> > It is a deliberate anti-spam feature.
> That much I figured out. Leaving out the discussion of questionability of such measure, I think that a bounce should be sent if a post is not accepted.

AFAIK it hasn't been sent to /dev/null yet - it has simply been sent to the mailing list admin (Ralf) to be approved... He just hasn't had the time to approve them yet.

vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Trouble configuring Apache/mod_ssl to satisfy these requirements...
Kingsley,

> Now I have the pleasure of dealing with Microsoft's Web Folders implementation (a DAV client) which re-asks for username/password way too often.

I am using web_dav on one of my sites, and it works quite well from Microsoft's Web Folders. What do you mean: "re-asks for username/password way too often"?

We use the M$-IE-5.5 install version on Win 98/NT/2K. It asks for username/password when the shortcut is created, and then each time the shortcut is used. So if you create the shortcut and then access it, it asks twice; the create and access are two different ops from the M$ view. If you leave the shortcut intact, then reuse it, it will only ask as you enter. If you let it remember the password, then it's even more streamlined.

Although I dislike most things about M$, we have good luck using WebDAV using Web Folders. Let me know more about the issue and I will retrieve the config file and compare with the fragments you sent.

Dave