Re: X509v3 extensions

1999-10-01 Thread Ralf S. Engelschall

On Thu, Sep 30, 1999, WSO Support wrote:

   The problem was that at the top of the Makefile script
   in 'ssl.crt' the variable SSL_PROGRAM was undefined. I'm
   not sure why?
   
   I replaced it with:
   SSL_PROGRAM=/usr/local/bin/openssl
   
   And everything works great!
   Thanks for your help and patience!
 
 Confusing. The variable is intentionally undefined there. Because if called
 from the top-level the top-level provides this variable (by overriding it on
 the "make" command line). And even if you run the "make" locally the embedded
 shell script finds a reasonable "openssl" or "ssleay" program in your $PATH.
 So either your $PATH was broken or you messed up something else. But ok, now
 that it works be happy... I just wanted to say that I cannot fix anything in
 this Makefile because it is not broken IMO ;)
 
 Two things:
 
 1. Not sure what you mean by "top-level".

I meant the top-level Makefile in the Apache source tree.

 2. It was probably finding an old installation of ssleay before
 it found openssl is my guess.

Perhaps, yes.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: X509v3 extensions

1999-09-30 Thread WSO Support

The problem was that at the top of the Makefile script
in 'ssl.crt' the variable SSL_PROGRAM was undefined. I'm
not sure why?

I replaced it with:
SSL_PROGRAM=/usr/local/bin/openssl

And everything works great!

Thanks for your help and patience!

-Chris



At 09:42 PM 9/28/1999 +0200, you wrote:
On Tue, Sep 28, 1999, WSO Support wrote:

  Yes, here is the cert I'm having the problem with.  I've had
  Thawte triple check it, and they have found no problems. This
  is a cert for a client of mine, of course.
  
  [...]

Sorry, I've cut & pasted it into a `x.crt' file in a ssl.crt/ directory, ran
`make' there and got no error. Instead I got a correct hash symlink

lrwxr-xr-x  1 rse  wheel   5 Sep 28 21:40 4b136f34.0 -> x.crt

So it seems like a local problem for you and I've no clue what the problem
is. Perhaps you've CRLFs in the file or other invisible things?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com



Re: X509v3 extensions

1999-09-30 Thread Ralf S. Engelschall

On Wed, Sep 29, 1999, WSO Support wrote:

 The problem was that at the top of the Makefile script
 in 'ssl.crt' the variable SSL_PROGRAM was undefined. I'm
 not sure why?
 
 I replaced it with:
 SSL_PROGRAM=/usr/local/bin/openssl
 
 And everything works great!
 Thanks for your help and patience!

Confusing. The variable is intentionally undefined there. Because if called
from the top-level the top-level provides this variable (by overriding it on
the "make" command line). And even if you run the "make" locally the embedded
shell script finds a reasonable "openssl" or "ssleay" program in your $PATH.
So either your $PATH was broken or you messed up something else. But ok, now
that it works be happy... I just wanted to say that I cannot fix anything in
this Makefile because it is not broken IMO ;)

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: X509v3 extensions

1999-09-30 Thread Jon Earle

Confusing. The variable is intentionally undefined there. Because if called
from the top-level the top-level provides this variable (by overriding it on
the "make" command line). And even if you run the "make" locally the embedded
shell script finds a reasonable "openssl" or "ssleay" program in your $PATH.
So either your $PATH was broken or you messed up something else. But ok, now
that it works be happy... I just wanted to say that I cannot fix anything in
this Makefile because it is not broken IMO ;)

That makes sense.  I too, don't have the openssl bin dir in my path.  I'll
add it only if I need to use it.
-
Jon Earle   (613) 751-4948 (Pager)
HUB Computer Consulting Inc.(613) 830-1499 (Office)
http://www.hubcc.ca 1-888-353-7272 (Within Canada/US)

"God does not subtract from one's alloted time on Earth, 
those hours spent flying."   --Unknown




Re: X509v3 extensions

1999-09-29 Thread Ralf S. Engelschall

On Wed, Sep 29, 1999, Jon Earle wrote:

 Sorry, I've cut & pasted it into a `x.crt' file in a ssl.crt/ directory, ran
 `make' there and got no error. Instead I got a correct hash symlink
 
 Maybe a stupid question, but why is this symlink of importance?  I've got 2
 certs and keys working fine without it, but I noticed the Snakeoil certs
 did have these links.

The hash symlinks are needed only for client authentication.  There they allow
OpenSSL to quickly access certs without having to scan the filesystem and
check every cert which stays around.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: X509v3 extensions

1999-09-28 Thread WSO Support

Thanks for the response, but it seems you've misunderstood me.

  Now, I took a look at the certs, I noticed that all of them
  start with "-BEGIN X509 CERTIFICATE-".  When I originally
  got these from Thawte, the header was "-BEGIN CERTIFICATE-".

 Yes, OpenSSL looks for "BEGIN CERTIFICATE", so just
 remove the "X509" part and try again.


When I said "all of them" I was referring to the Thawte certs that
have already been installed using the stronghold "getverisign" command
over a year ago, using our old software. I have no problem with these,
they work fine with OpenSSL & mod_ssl.

The *new* cert I have from Thawte starts with just 
"-BEGIN CERTIFICATE-", as all of the others I have ever
gotten in the past from Thawte.  The only difference now is that
this is a v3 cert, not v1, as all these others were.

You said to remove the X509, but it isn't there.  The new cert from
Thawte doesn't have this in the header and it still won't work.
Please again see my original message.

http://www.progressive-comp.com/Lists/?l=apache-modssl&m=93808996711717&w=2

The main problem is that the 'Makefile' in 'ssl.crt' doesn't
recognize the new style v3 cert from Thawte and thus will not
create a "hash link" for it.

Is there some sort of equivalent to the "getversign" command
in OpenSSL?  Or was the purpose of the getverisign command
simply to move the cert from a temp file into the "certs"
directory and create a hash link?

I have put my time in on this one, I have spent almost 15 hours
on the problem.  Can somebody please shed some light?


Thank you..
-Chris




At 11:36 AM 9/27/1999 +0200, you wrote:
On Wed, Sep 22, 1999, WSO Support wrote:

  [...]
  I get the following error:
  unable to load certificate
  error:0906906C:PEM routines:PEM_read:no start line
  


  I was using an OLD version of SSLeay, where I would issue the
  command 'getversign domain  tempfile'  
  [...]

"getverisign" was from Stronghold, not from SSLeay.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com



Re: X509v3 extensions

1999-09-28 Thread Ralf S. Engelschall

On Mon, Sep 27, 1999, WSO Support wrote:

 [...]
 The *new* cert I have from Thawte starts with just 
 "-BEGIN CERTIFICATE-", as all of the others I have ever
 gotten in the past from Thawte.  The only difference now is that
 this is a v3 cert, not v1, as all these others were.
 
 You said to remove the X509, but it isn't there.  The new cert from
 Thawte doesn't have this in the header and it still won't work.
 Please again see my original message.
 
 http://www.progressive-comp.com/Lists/?l=apache-modssl&m=93808996711717&w=2
 
 The main problem is that the 'Makefile' in 'ssl.crt' doesn't
 recognize the new style v3 cert from Thawte and thus will not
 create a "hash link" for it.

Errr.. the Makefile uses "openssl x509" command and this one _DOES_ understand
x509v3 certs, of course.  Hmmm... can you post your certificate (not the key,
only the cert, of course) so we can have a closer look at this particular
cert and to find out why the hash isn't created?

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: X509v3 extensions

1999-09-28 Thread WSO Support

Yes, here is the cert I'm having the problem with.  I've had
Thawte triple check it, and they have found no problems. This
is a cert for a client of mine, of course.

[...]

I really appreciate the help...

My original posting contains the errors I receive from the Makefile
in 'ssl.crt'.

http://www.progressive-comp.com/Lists/?l=apache-modssl&m=93808996711717&w=2

Thanks again,
Chris





At 10:00 AM 9/28/1999 +0200, you wrote:
On Mon, Sep 27, 1999, WSO Support wrote:

  [...]
  The *new* cert I have from Thawte starts with just 
  "-BEGIN CERTIFICATE-", as all of the others I have ever
  gotten in the past from Thawte.  The only difference now is that
  this is a v3 cert, not v1, as all these others were.
  
  You said to remove the X509, but it isn't there.  The new cert from
  Thawte doesn't have this in the header and it still won't work.
  Please again see my original message.
  
  http://www.progressive-comp.com/Lists/?l=apache-modssl&m=93808996711717&w=2
  
  The main problem is that the 'Makefile' in 'ssl.crt' doesn't
  recognize the new style v3 cert from Thawte and thus will not
  create a "hash link" for it.

Errr.. the Makefile uses "openssl x509" command and this one _DOES_ understand
x509v3 certs, of course.  Hmmm... can you post your certificate (not the key,
only the cert, of course) so we can have a closer look at this particular
cert and to find out why the hash isn't created?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com



Re: X509v3 extensions

1999-09-28 Thread Ralf S. Engelschall

On Tue, Sep 28, 1999, WSO Support wrote:

 Yes, here is the cert I'm having the problem with.  I've had
 Thawte triple check it, and they have found no problems. This
 is a cert for a client of mine, of course.
 
 [...]

Sorry, I've cut & pasted it into a `x.crt' file in a ssl.crt/ directory, ran
`make' there and got no error. Instead I got a correct hash symlink

lrwxr-xr-x  1 rse  wheel   5 Sep 28 21:40 4b136f34.0 -> x.crt

So it seems like a local problem for you and I've no clue what the problem
is. Perhaps you've CRLFs in the file or other invisible things?

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: X509v3 extensions

1999-09-27 Thread Ralf S. Engelschall

On Wed, Sep 22, 1999, WSO Support wrote:

 [...]
 I get the following error:
 unable to load certificate
 error:0906906C:PEM routines:PEM_read:no start line
 
 Now, I took a look at the certs, I noticed that all of them
 start with "-BEGIN X509 CERTIFICATE-".  When I originally
 got these from Thawte, the header was "-BEGIN CERTIFICATE-".

Yes, OpenSSL looks for "BEGIN CERTIFICATE", so just
remove the "X509" part and try again.

 I was using an OLD version of SSLeay, where I would issue the
 command 'getversign domain  tempfile'  
 [...]

"getverisign" was from Stronghold, not from SSLeay.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
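
Added example, not part of the original thread and not code from mod_ssl's ssl.crt Makefile: a POSIX shell pre-flight for the "no start line" causes raised in this thread (the extra "X509" in the begin label, CRLF line endings, an indented armor line), followed by the `openssl x509 -noout -hash` symlink step. The helper names pem_lint and hash_link and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pem_lint and hash_link are hypothetical helper names.
CR=$(printf '\r'); TAB=$(printf '\t')

# pem_lint FILE: print one finding per line; return 0 only when none apply.
pem_lint() {
    f=$1; rc=0
    # DOS line endings ("CRLFs in the file or other invisible things").
    if grep -q "$CR\$" "$f"; then echo "crlf-line-endings"; rc=1; fi
    # Label carrying the extra "X509" word discussed in the thread.
    if grep -q -e '-BEGIN X509 CERTIFICATE-' "$f"; then
        echo "x509-in-begin-label"; rc=1
    fi
    # Indented armor line, e.g. copied out of a quoted mail.
    if grep -q -e "^[ $TAB][ $TAB]*-----BEGIN " "$f"; then
        echo "leading-blanks-before-begin"; rc=1
    fi
    # No line that is exactly the expected start line (CR is ignored here
    # because it is already reported above).
    if ! tr -d '\r' < "$f" | grep -q -x -e '-----BEGIN CERTIFICATE-----'; then
        echo "no-exact-begin-certificate-line"; rc=1
    fi
    return "$rc"
}

# hash_link FILE: create <hash>.N -> FILE beside FILE, reusing an existing
# link to the same file and taking the next free N on a hash collision.
hash_link() {
    f=$1; dir=$(dirname "$f"); base=$(basename "$f")
    h=$(openssl x509 -noout -hash -in "$f") || return 1
    n=0
    while [ -e "$dir/$h.$n" ] || [ -L "$dir/$h.$n" ]; do
        if [ "$(readlink "$dir/$h.$n")" = "$base" ]; then
            echo "$h.$n"; return 0
        fi
        n=$((n + 1))
    done
    ln -s "$base" "$dir/$h.$n" && echo "$h.$n"
}

# Constructed sample: correct label, but saved with CRLF line endings.
tmp=$(mktemp -d)
printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'AAAA' \
    '-----END CERTIFICATE-----' > "$tmp/x.crt"
pem_lint "$tmp/x.crt" || echo "resolve the findings before hash_link"
rm -rf "$tmp"
```

hash_link needs an `openssl` binary on $PATH and a certificate that pem_lint reports clean; the name it prints has the same form as the `4b136f34.0` link shown in the thread.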