Error load ssl_mod.so

2004-03-30 Thread support
I've been working on an Apache 1.3 server install under Windows for 
several days and went to restart Apache and got the following message...

Cannot load mod_ssl.so into server (182)

I've done everything including a complete wipe and replace of Apache and 
get the same message every time I launch Apache with SSL support. The 
checksum on mod_ssl.so is correct, as is the path. If I do an install on 
any other Windows box Apache runs flawlessly.

Has anyone else ever tackled this problem?

Kevin

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


Creating my own CA

2004-03-26 Thread support
I've got OpenSA (Apache w/openssl+modssl) running on a Windows platform
and am trying to create my own CA. I'm able to create a private key and
make a cert for that CA but can't use my CA to sign the CSR.
I see from the modssl docs the step by step but then the last step gets
to running the script sign.sh and, well, obviously Windows has some
problems running a .sh file. Every place I see online mentions that
there are some strange requirements of the openssl ca command. Does
anyone know of some other approach to sign the CSR?
I've been messing with CygWin and Mac OSx and a few other things but it
seems like an awful lot of trouble to go through if I have to actually
'build' a *nix server just to sign my server cert.
Any help is always appreciated.

Kevin Ericson
Kinetic Technologies, Inc.




Problem starting apache with ssl mod_ssl

2002-04-08 Thread support

Greetings to everyone,

I have the following problem and it will be very nice of you if you could help me out 
with this!
In one redhat7.2 I have installed apache/php/ssl/mod_ssl as it can be seen at the end 
of my mail.
In the httpd.conf I have put the following: 

***httpd.conf***



Problem starting apache with ssl mod_ssl

2002-04-08 Thread support
=/usr' '--with-gettext=/usr' 
'--with-mysql=/usr' '--with-pgsql' '--with-ldap' '--with-mm' 
'--with-mcal=/usr/local/libmcal' 
'--with-db3=/usr'

APACHE MODULES
mod_php4, mod_gzip, mod_dav, mod_auth_ldap, mod_ssl, mod_setenvif, mod_so, 
mod_headers, mod_digest, mod_auth_dbm, mod_auth, mod_access, mod_rewrite, 
mod_alias, mod_userdir, mod_speling, mod_actions, mod_imap, mod_asis, mod_cgi, 
mod_dir, mod_autoindex, mod_include, mod_status, mod_negotiation, mod_mime, 
mod_log_referer, mod_log_agent, mod_log_config, mod_env, mod_vhost_alias, 
mod_mmap_static, http_core



problem starting apache with ssl-mod_ssl

2002-04-08 Thread support

Greetings to everyone,

I have the following problem and it will be very nice of you if you could help me out 
with this!
In one redhat7.2 I have installed apache/php/ssl/mod_ssl as it can be seen at the end 
of my mail.
In the httpd.conf I have put the following: 

***httpd.conf***



Ultimate BrowserMatch List (second try)

2001-07-18 Thread WSO Support

So, has anybody compiled an ultimate BrowserMatch list for ModSSL-Apache?

In my regular Apache I've had the following in for some time now:

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0


I would assume that the ultimate BrowserMatch list for
ModSSL-Apache would be different and more inclusive than
one for regular Apache?

This is a great dialog, I appreciate the active responses.

By the way, I run my stuff on BSDI 2.1, 4.0.1 and 4.1 boxes
without problems.

Thanks,
-Chris
WSO




At 03:05 PM 6/20/2001 -0700, you wrote:
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of WSO Support

 Does solving this problem with sweeping wildcard BrowserMatch
 statements adversely affect the functionality of Apache and ModSSL?

No.  Everything will function fine.

 What I'm getting at is, why don't we just BrowserMatch everything
 and call it a day?  What are we losing when we downgrade or
 force 1.0?

Performance.  By downgrading to HTTP 1.0 and disabling keep alives, the
client has to negotiate a new connection on every hit.  If your site
contains many small images, your clients will definitely notice a slowdown
if they are on a slow link (dial up, across the ocean, etc).  Pages will
take longer to load.  You may also notice a slight increase in server load,
but also see that more httpd processes are needed (since they will be tied
up longer waiting for the client to send something over the pipe instead of
disconnecting immediately after sending a response).

But some browsers are simply broken with regards to SSL, keep alives and
HTTP 1.1.  All versions of MSIE older than 5.0 are known to be problematic,
and now it appears that Netscape on Macintosh is also broken.

For more info related to this, search the archives for the thread KeepAlive
and IE, again

-Dave




Re: Ultimate BrowserMatch List (second try)

2001-07-18 Thread WSO Support

Thanks so much for sharing your findings, it has helped me
a great deal.

Thanks,
Chris


At 03:28 PM 7/18/2001 -0700, you wrote:
You can see my message dated 6/20 for an example of where to put it. So far
my additions work perfectly.

DAve

on 7/18/01 12:01 PM, David Rees at [EMAIL PROTECTED] wrote:

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Andrea Cerrito
 
 What about:
 
 SetEnvIf User-Agent "MSIE [1-4]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 SetEnvIf User-Agent "MSIE [5-9]" ssl-unclean-shutdown
 
 Make sure those are only in your SSL virtual hosts, keep alive works fine
 for most MSIE browsers for normal HTTP.
 
 -Dave
 
 

--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com





Ultimate BrowserMatch List (was: Netscape + ModSSL=Dead slow.)

2001-06-20 Thread WSO Support

Thanks Dave, much appreciated!

So, has anybody compiled the ultimate BrowserMatch list for ModSSL-Apache?

In my regular Apache I've had the following in for some time now:

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0


I build my regular Apache separately from my ModSSL-Apache
so that I can run the ModSSL version at nice level -20, so
that it appears to be as fast as possible.

I would assume that the ultimate BrowserMatch list for
ModSSL-Apache would be different and more inclusive than
one for regular Apache?

This is a great dialog, I appreciate the active responses.

By the way, I run my stuff on BSDI 2.1, 4.0.1 and 4.1 boxes
without problems.

Thanks,
-Chris
WSO




At 03:05 PM 6/20/2001 -0700, you wrote:
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of WSO Support

 Does solving this problem with sweeping wildcard BrowserMatch
 statements adversely affect the functionality of Apache and ModSSL?

No.  Everything will function fine.

 What I'm getting at is, why don't we just BrowserMatch everything
 and call it a day?  What are we losing when we downgrade or
 force 1.0?

Performance.  By downgrading to HTTP 1.0 and disabling keep alives, the
client has to negotiate a new connection on every hit.  If your site
contains many small images, your clients will definitely notice a slowdown
if they are on a slow link (dial up, across the ocean, etc).  Pages will
take longer to load.  You may also notice a slight increase in server load,
but also see that more httpd processes are needed (since they will be tied
up longer waiting for the client to send something over the pipe instead of
disconnecting immediately after sending a response).

But some browsers are simply broken with regards to SSL, keep alives and
HTTP 1.1.  All versions of MSIE older than 5.0 are known to be problematic,
and now it appears that Netscape on Macintosh is also broken.

For more info related to this, search the archives for the thread KeepAlive
and IE, again

-Dave




Re: Problem with mod_ssl 2.66 and ippp0

2000-09-01 Thread elbetech.at Support

 Where is the problem ?

I guess your HTTPS VirtualHost is bound not to the external IP and so the
main server tries to answer the request with HTTP only. Check your
configuration and make sure you use VirtualHost _default_:443 and
don't have either no Listen directives or Listen directives
or both internal and external addresses.

This was my first idea, and I have tested this,

for my tests, I bound only the ippp0 to 443, is the same result, the comm is
working, but in log stands "unknown request method", I have killed any
listen-directive, checked all variants, but nothing.

Only internally works all, https is not working externally :-(((

Ernst







Problem with mod_ssl 2.66 and ippp0

2000-08-31 Thread elbetech.at Support

Hy,

I have compiled for a debian 2.2 potato the apache 1.3.12 with mod_ssl 2.6.6

This is my problem:

I can use http & https inside the lan (192.168.1.x), but not https from
outside via official static ISDN-ip.
The normal http is working fine. In the logfile stands: "unknown request
method ..a.."
The browser doesn't open anything. Inside the lan, this problem doesn't
exist.

I assume there is a problem with isdn4linux. I don't use
firewalling/ipchains or other things. The ISDN-IP is static and bound
correctly to the interface. All other daemons on this machine work great.

Where is the problem ?

Ernst





Failed to generate temporary 512 bit RSA private key

2000-07-11 Thread Silesky Marketing Inc, Support

Hello,

I get this error message when I start apache after installing modssl :
"Failed to generate temporary 512 bit RSA private key"

I have looked in the archive and found people having the same problem... but
no answer.



How can I fix this ?



Thank you very much,



Laurent









2 - Failed to generate temporary 512 bit RSA private key

2000-07-11 Thread Silesky Marketing Inc, Support

Thank you very much,

but we still couldn't make it work.

We made sure the PRNG has been seeded with at least 128 bits of randomness.

The error message is still there. How can we fix that ?

Thanks,

Laurent

- Original Message -
From: "Mads Toftum" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 11, 2000 11:28 AM
Subject: Re: Failed to generate temporary 512 bit RSA private key


 On Tue, Jul 11, 2000 at 11:15:22AM -0400, Silesky Marketing Inc, Support
wrote:
  Hello,
 
  I get this error message when i start apache after installing modssl :
  "Failed to generate temporary 512 bit RSA private key"
 
  I have looked in the archive and found people having the same problem...
but
  no answer.
 
 Hm - I know that I've answered this several times, and that the
answers
 are there... it is also in the FAQ:
 http://www.modssl.org/docs/2.6/ssl_faq.html#ToC15 and
 http://www.openssl.org/support/faq.html#6

 vh

 Mads Toftum
 --
 `Darn it, who spiked my coffee with water?!' - lwall




Re: 2 - Failed to generate temporary 512 bit RSA private key

2000-07-11 Thread Silesky Marketing Inc, Support

The ssl_engine_log is empty

any idea ?

Thanks,

Laurent

- Original Message -
From: "Lutz Jaenicke" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 11, 2000 2:06 PM
Subject: Re: 2 - Failed to generate temporary 512 bit RSA private key


 On Tue, Jul 11, 2000 at 11:52:32AM -0400, Silesky Marketing Inc, Support
wrote:
  Thank you very much,
 
  but we still couldn't make it work.
 
  We made sure the PRNG has been seeded with at least 128 bits of
randomness.
 
  The error message is still there. How can we fix that ?

 Please make sure to check _all_ logfiles, there is especially the
 ssl_engine_log.

 Best regards,
 Lutz
 --
 Lutz Jaenicke [EMAIL PROTECTED]
 BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
 Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
 Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



mod_bandwidth.so module with mod_ssl-1.3.12.2.6.2-0.6.0.src.rpm

2000-03-22 Thread Metronet Technical Support

Hi there.

I've recently been trying to get the third-party module mod_bandwidth.so to
function in the copy of apache-modssl I'm running, but I've had no luck.

Originally, I was running v 1.3.9 of mod_ssl. However, as it was installed as
an RPM, I couldn't recompile it with mod_bandwidth. I found that
apache-1.3.12. comes with mod_bandwidth included, so I downloaded this, pulled
out the mod_bandwidth.so file, stuck it in /usr/lib/apache/, and added it to
the apache config file. However, when I did this, I got the following error in
my error_log:

[warn] Loaded DSO lib/apache/mod_bandwidth.so uses plain Apache 1.3 DSO, this module might crash under EAPI!

I assumed this was because of differences between 1.3.9 and 1.3.12, so I
downloaded apache-mod_ssl-1.3.12.2.6.2-0.6.0.src.rpm (today), which I noticed
doesn't come with mod_bandwidth.so, and built and installed it. I used the
mod_bandwidth.so file from the main apache rpm. and left the module reference
in the config file. However, on restarting the server again, I got an almost
identical error, as below:

[warn] Loaded DSO lib/apache/mod_bandwidth.so uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI)

I was wondering if anyone has any ideas about what might be causing this - I'm
afraid I don't understand the error. Is this module incompatible with mod_ssl?
Is that why it's not included? Are there any alternatives (I just want to
limit bandwidth by transfer rate on a virtualhost basis)? Is it the module
which needs to be compiled with -deapi switch? Is there any way to do this
only on the module, without having to do a source compile of modssl (all I
really want is the .so file)?

The module is located at ftp://ftp.cohprog.com/pub/apache/module/mod_bandwidth.c


Many thanks for any advice.

Andrew Clark.



Certificate creation : error 7

1999-12-13 Thread Datalink Support

I am running SuSE 6.2 with Apache and Mod_ssl.
I am trying to create my own certificate. Everything works fine up to where
you sign your own certificate. Then I get this error:

snip

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt - CA cert
server.crt: [EMAIL PROTECTED]
error 7 at 0 depth lookup:certificate signature failure

snip

What does this mean? I try and use the sign.sh script that comes with
OpenSSL.
This box is not yet connected to the internet, might it be that it is trying
to do a DNS lookup?


Leon.



Compile ar warnings?

1999-09-30 Thread WSO Support

While compiling Apache 1.3.9 with mod_ssl 2.4.2 and OpenSSL 0.9.4
I got the following warnings:


ar cr libssl.a mod_ssl.o ssl_engine_config.o ssl_engine_compat.o ssl_engine_ds.o 
ssl_engine_dh.o ssl_engine_init.o ssl_engine_kernel.o ssl_engine_rand.o 
ssl_engine_io.o ssl_engine_log.o ssl_engine_mutex.o ssl_engine_pphrase.o 
ssl_engine_scache.o ssl_engine_vars.o ssl_engine_ext.o ssl_expr.o ssl_expr_scan.o 
ssl_expr_parse.o ssl_expr_eval.o ssl_util.o ssl_util_ssl.o ssl_util_sdbm.o 
ssl_util_table.o 
ar: warning: ssl_engine_config.o truncated to ssl_engine_conf
ar: warning: ssl_engine_compat.o truncated to ssl_engine_comp
ar: warning: ssl_engine_init.o truncated to ssl_engine_init
ar: warning: ssl_engine_kernel.o truncated to ssl_engine_kern
ar: warning: ssl_engine_rand.o truncated to ssl_engine_rand
ar: warning: ssl_engine_log.o truncated to ssl_engine_log.
ar: warning: ssl_engine_mutex.o truncated to ssl_engine_mute
ar: warning: ssl_engine_pphrase.o truncated to ssl_engine_pphr
ar: warning: ssl_engine_scache.o truncated to ssl_engine_scac
ar: warning: ssl_engine_vars.o truncated to ssl_engine_vars
ar: warning: ssl_engine_ext.o truncated to ssl_engine_ext.
ar: warning: ssl_expr_parse.o truncated to ssl_expr_parse.
ar: warning: ssl_util_table.o truncated to ssl_util_table.


Should I be worried about this?  I wish I knew what they meant,
but I'm not a guru yet...

Thanks,
Chris



Re: X509v3 extensions

1999-09-30 Thread WSO Support

The problem was that at the top of the Makefile script
in 'ssl.crt' the variable SSL_PROGRAM was undefined. I'm
not sure why?

I replaced it with:
SSL_PROGRAM=/usr/local/bin/openssl

And everything works great!

Thanks for your help and patience!

-Chris



At 09:42 PM 9/28/1999 +0200, you wrote:
On Tue, Sep 28, 1999, WSO Support wrote:

  Yes, here is the cert I'm having the problem with.  I've had
  Thawte triple check it, and they have found no problems. This
  is a cert for a client of mine, of course.
  

Sorry, I've cut & pasted it into a `x.crt' file in a ssl.crt/ directory, ran
`make' there and got no error. Instead I got a correct hash symlink

lrwxr-xr-x  1 rse  wheel   5 Sep 28 21:40 4b136f34.0 -> x.crt

So it seems like a local problem for you and I've no clue what the problem
is. Perhaps you've CRLFs in the file or other invisible things?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com



Re: X509v3 extensions

1999-09-28 Thread WSO Support

Thanks for the response, but it seems you've misunderstood me.

  Now, I took a look at the certs, I noticed that all of them
  start with "-----BEGIN X509 CERTIFICATE-----".  When I originally
  got these from Thawte, the header was "-----BEGIN CERTIFICATE-----".

 Yes, OpenSSL looks for "BEGIN CERTIFICATE", so just
 remove the "X509" part and try again.


When I said "all of them" I was referring to the Thawte certs that
has already been installed using the stronghold "getverisign" command
over a year ago, using our old software. I have no problem with these,
they work fine with OpenSSL & mod_ssl.

The *new* cert I have from Thawte starts with just 
"-----BEGIN CERTIFICATE-----", as all of the others I have ever
gotten in the past from Thawte.  The only difference now is that
this is a v3 cert, not v1, as all these others were.

You said to remove the X509, but it isn't there.  The new cert from
Thawte doesn't have this in the header and it still won't work.
Please again see my original message.

http://www.progressive-comp.com/Lists/?l=apache-modssl&m=93808996711717&w=2

The main problem is that the 'Makefile' in 'ssl.crt' doesn't
recognize the new style v3 cert from Thawte and thus will not
create a "hash link" for it.

Is there some sort of equivalent to the "getverisign" command
in OpenSSL?  Or was the purpose or the getverisign command
simply to move the cert from a temp file into the "certs"
directory and create a hash link?

I have put my time in on this one, I have spent almost 15 hours
on the problem.  Can somebody please shed some light?


Thank you..
-Chris




At 11:36 AM 9/27/1999 +0200, you wrote:
On Wed, Sep 22, 1999, WSO Support wrote:

  [...]
  I get the following error:
  unable to load certificate
  error:0906906C:PEM routines:PEM_read:no start line
  


  I was using an OLD version of SSLeay, where I would issue the
  command 'getverisign domain  tempfile'  
  [...]

"getverisign" was from Stronghold, not from SSLeay.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com



Re: X509v3 extensions

1999-09-28 Thread WSO Support

Yes, here is the cert I'm having the problem with.  I've had
Thawte triple check it, and they have found no problems. This
is a cert for a client of mine, of course.


I really appreciate the help...

My original posting contains the errors I receive from the Makefile
in 'ssl.crt'.

http://www.progressive-comp.com/Lists/?l=apache-modssl&m=93808996711717&w=2

Thanks again,
Chris





At 10:00 AM 9/28/1999 +0200, you wrote:
On Mon, Sep 27, 1999, WSO Support wrote:

  [...]
  The *new* cert I have from Thawte starts with just 
  "-----BEGIN CERTIFICATE-----", as all of the others I have ever
  gotten in the past from Thawte.  The only difference now is that
  this is a v3 cert, not v1, as all these others were.
  
  You said to remove the X509, but it isn't there.  The new cert from
  Thawte doesn't have this in the header and it still won't work.
  Please again see my original message.
  
  http://www.progressive-comp.com/Lists/?l=apache-modssl&m=93808996711717&w=2
  
  The main problem is that the 'Makefile' in 'ssl.crt' doesn't
  recognize the new style v3 cert from Thawte and thus will not
  create a "hash link" for it.

Errr.. the Makefile uses "openssl x509" command and this one _DOES_ understand
x509v3 certs, of course.  Hmmm... can you post your certificate (not the key,
only the cert, of course) so we can have a closer look at this particular
cert and to find out why the hash isn't created?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com



X509v3 extensions

1999-09-22 Thread WSO Support

I've just installed Apache 1.3.9+OpenSSL_0.9.4+mod_ssl_2.4.2

I moved my existing certs (issued by VeriSign & Thawte) into
the /usr/local/apache/conf/ssl.crt directory. I moved my
existing .key files into 'ssl.key'.

I then ran 'make' from inside the 'ssl.crt' directory to create
the hash symlink files.  This is where the problem starts.

If I examine my existing certs using the command:
openssl x509 -noout -text -in name.crt

They all view fine... but they are all Version: 1 certs.
I recently got a cert renewal from Thawte and it was a v3
cert.  I can view it fine using the above openssl command,
but when the Makefile tries to read it and make the hash symlink,
I get the following error:
unable to load certificate
error:0906906C:PEM routines:PEM_read:no start line

Now, I took a look at the certs, I noticed that all of them
start with "-----BEGIN X509 CERTIFICATE-----".  When I originally
got these from Thawte, the header was "-----BEGIN CERTIFICATE-----".

I was using an OLD version of SSLeay, where I would issue the
command 'getverisign domain  tempfile'  Where domain was the
same name used for generating the key (genkey domain) and tempfile
contained the cert from Thawte.

This seemed to "convert" it to the X509 style...

Anyway, now that I'm using OpenSSL I don't see any command
similar to this.  If I simply try to edit the cert and put the
X509 in there and then run make again, I get a different set of
errors, like this:
unable to load certificate
error:0D074071:asn1 encoding routines:d2i_ASN1_INTEGER:expecting an integer
error:0D08C070:asn1 encoding routines:D2I_X509_CINF:error stack
error:0D089070:asn1 encoding routines:D2I_X509:error stack
error:0906600D:PEM routines:PEM_ASN1_read:ASN1 lib


I just can't figure it out.  All of my old certs work fine. I've
TRIPLE checked with Thawte about the correctness of the new v3
cert they have issued, everything is okay on their end. This
isn't a "trailing space" problem either.  I've looked at all
the simple things already...

Any ideas at all would be greatly appreciated.

Thank you very much,
Chris
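
The file-level causes raised in this thread for "PEM_read:no start line" (a different BEGIN label, a hand-edited header, CRLFs, trailing spaces, other invisible characters) can be checked mechanically before running 'make' in ssl.crt. The following is an added example, not code from the list or from mod_ssl/OpenSSL; the function names, finding names and the sample blob are assumptions made for illustration, and the findings are observations to compare between a working and a failing file, not a statement of what any OpenSSL version accepts.

```python
import base64
import binascii
import re

BEGIN_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
END_RE = re.compile(rb"-----END ([A-Z0-9 ]+)-----")


def der_is_one_sequence(der):
    """True if der is exactly one ASN.1 SEQUENCE (tag 0x30), nothing missing or extra."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_pem(data):
    """Return a list of findings for one PEM certificate file given as bytes."""
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("utf8-bom")
        data = data[3:]
    if b"\r" in data:
        findings.append("cr-line-endings")
    lines = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n")
    if any(line != line.strip(b" \t") for line in lines):
        findings.append("stray-whitespace")
    if any((b < 0x20 and b != 0x09) or b > 0x7E for line in lines for b in line):
        findings.append("non-printable-bytes")

    stripped = [line.strip(b" \t") for line in lines]
    begin = next((i for i, l in enumerate(stripped) if BEGIN_RE.fullmatch(l)), None)
    if begin is None:
        return findings + ["no-start-line"]
    label = BEGIN_RE.fullmatch(stripped[begin]).group(1)
    if label != b"CERTIFICATE":
        findings.append("label:" + label.decode("ascii"))
    end = next((i for i in range(begin + 1, len(stripped))
                if END_RE.fullmatch(stripped[i])), None)
    if end is None:
        return findings + ["no-end-line"]
    if END_RE.fullmatch(stripped[end]).group(1) != label:
        findings.append("begin-end-label-mismatch")
    try:
        der = base64.b64decode(b"".join(stripped[begin + 1:end]), validate=True)
    except (binascii.Error, ValueError):
        return findings + ["bad-base64"]
    if not der_is_one_sequence(der):
        findings.append("der-not-a-single-sequence")
    return findings


def make_pem(der, label=b"CERTIFICATE", eol=b"\n"):
    """Wrap DER bytes in PEM armour with 64-column base64 rows."""
    b64 = base64.b64encode(der)
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    head = b"-----BEGIN " + label + b"-----"
    tail = b"-----END " + label + b"-----"
    return eol.join([head, *rows, tail]) + eol


# Constructed sample: a 260-byte SEQUENCE of zero bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

if __name__ == "__main__":
    good = make_pem(SAMPLE_DER)
    cases = {
        "clean": good,
        "saved with CRLF": make_pem(SAMPLE_DER, eol=b"\r\n"),
        "X509 label on both lines": make_pem(SAMPLE_DER, label=b"X509 CERTIFICATE"),
        "X509 typed into BEGIN only": good.replace(b"BEGIN CERT", b"BEGIN X509 CERT"),
        "dashes lost in transit": good.replace(b"-----", b"-"),
        "trailing space on header": good.replace(b"-----\n", b"----- \n", 1),
        "body truncated": make_pem(SAMPLE_DER[:-3]),
    }
    for name, blob in cases.items():
        print(f"{name:28} {inspect_pem(blob)}")
```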


