Re: X509v3 extensions
On Thu, Sep 30, 1999, WSO Support wrote:

> > > The problem was that at the top of the Makefile script
> > > in 'ssl.crt' the variable SSL_PROGRAM was undefined. I'm
> > > not sure why?
> > >
> > > I replaced it with:
> > > SSL_PROGRAM=/usr/local/bin/openssl
> > >
> > > And everything works great!
> > > Thanks for your help and patience!
> >
> >Confusing. The variable is intentionally undefined there. Because if called
> >from the top-level the top-level provides this variable (by overriding it on
> >the "make" command line). And even if you run the "make" locally the embedded
> >shell script finds a reasonable "openssl" or "ssleay" program in your $PATH.
> >So either your $PATH was broken or you messed up something else. But ok, now
> >that it works be happy... I just wanted to say that I cannot fix anything in
> >this Makefile because it is not broken IMO ;)
>
> Two things:
>
> 1. Not sure what you mean by "top-level".

I meant the top-level Makefile in the Apache source tree.

> 2. It was probably finding an old installation of ssleay before
>    it found openssl is my guess.

Perhaps, yes.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: X509v3 extensions
At 02:33 PM 9/30/1999 +0200, you wrote:
>On Wed, Sep 29, 1999, WSO Support wrote:
>
> > The problem was that at the top of the Makefile script
> > in 'ssl.crt' the variable SSL_PROGRAM was undefined. I'm
> > not sure why?
> >
> > I replaced it with:
> > SSL_PROGRAM=/usr/local/bin/openssl
> >
> > And everything works great!
> > Thanks for your help and patience!
>
>Confusing. The variable is intentionally undefined there. Because if called
>from the top-level the top-level provides this variable (by overriding it on
>the "make" command line). And even if you run the "make" locally the embedded
>shell script finds a reasonable "openssl" or "ssleay" program in your $PATH.
>So either your $PATH was broken or you messed up something else. But ok, now
>that it works be happy... I just wanted to say that I cannot fix anything in
>this Makefile because it is not broken IMO ;)

Two things:

1. Not sure what you mean by "top-level".
2. It was probably finding an old installation of ssleay before
   it found openssl is my guess.

Thanks,
Chris
Re: X509v3 extensions
>Confusing. The variable is intentionally undefined there. Because if called
>from the top-level the top-level provides this variable (by overriding it on
>the "make" command line). And even if you run the "make" locally the embedded
>shell script finds a reasonable "openssl" or "ssleay" program in your $PATH.
>So either your $PATH was broken or you messed up something else. But ok, now
>that it works be happy... I just wanted to say that I cannot fix anything in
>this Makefile because it is not broken IMO ;)

That makes sense. I, too, don't have the openssl bin dir in my path. I'll add
it only if I need to use it.

-
Jon Earle (613) 751-4948 (Pager)
HUB Computer Consulting Inc. (613) 830-1499 (Office)
http://www.hubcc.ca 1-888-353-7272 (Within Canada/US)

"God does not subtract from one's allotted time on Earth,
those hours spent flying." --Unknown
Re: X509v3 extensions
On Wed, Sep 29, 1999, WSO Support wrote:

> The problem was that at the top of the Makefile script
> in 'ssl.crt' the variable SSL_PROGRAM was undefined. I'm
> not sure why?
>
> I replaced it with:
> SSL_PROGRAM=/usr/local/bin/openssl
>
> And everything works great!
> Thanks for your help and patience!

Confusing. The variable is intentionally undefined there. Because if called
from the top-level the top-level provides this variable (by overriding it on
the "make" command line). And even if you run the "make" locally the embedded
shell script finds a reasonable "openssl" or "ssleay" program in your $PATH.
So either your $PATH was broken or you messed up something else. But ok, now
that it works be happy... I just wanted to say that I cannot fix anything in
this Makefile because it is not broken IMO ;)

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: X509v3 extensions
The problem was that at the top of the Makefile script
in 'ssl.crt' the variable SSL_PROGRAM was undefined. I'm
not sure why?

I replaced it with:
SSL_PROGRAM=/usr/local/bin/openssl

And everything works great!
Thanks for your help and patience!

-Chris

At 09:42 PM 9/28/1999 +0200, you wrote:
>On Tue, Sep 28, 1999, WSO Support wrote:
>
> > Yes, here is the cert I'm having the problem with. I've had
> > Thawte triple check it, and they have found no problems. This
> > is a cert for a client of mine, of course.
>
>Sorry, I've cut & pasted it into a `x.crt' file in a ssl.crt/ directory, ran
>`make' there and got no error. Instead I got a correct hash symlink
>
>lrwxr-xr-x 1 rse wheel 5 Sep 28 21:40 4b136f34.0 -> x.crt
>
>So it seems like a local problem for you and I've no clue what the problem
>is. Perhaps you've CRLFs in the file or other invisible things?
>
>Ralf S. Engelschall
>[EMAIL PROTECTED]
>www.engelschall.com
Re: X509v3 extensions
On Wed, Sep 29, 1999, Jon Earle wrote:

> >Sorry, I've cut & pasted it into a `x.crt' file in a ssl.crt/ directory, ran
> >`make' there and got no error. Instead I got a correct hash symlink
>
> Maybe a stupid question, but why is this symlink of importance? I've got 2
> certs and keys working fine without it, but I noticed the Snakeoil certs
> did have these links.

The hash symlinks are needed only for client authentication. There they allow
OpenSSL to quickly access certs without having to scan the filesystem and
check every cert which stays around.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: X509v3 extensions
>Sorry, I've cut & pasted it into a `x.crt' file in a ssl.crt/ directory, ran
>`make' there and got no error. Instead I got a correct hash symlink

Maybe a stupid question, but why is this symlink of importance? I've got 2
certs and keys working fine without it, but I noticed the Snakeoil certs
did have these links.

Cheers!
Jon

-
Jon Earle (613) 751-4948 (Pager)
HUB Computer Consulting Inc. (613) 830-1499 (Office)
http://www.hubcc.ca 1-888-353-7272 (Within Canada/US)

"God does not subtract from one's allotted time on Earth,
those hours spent flying." --Unknown
Re: X509v3 extensions
On Tue, Sep 28, 1999, WSO Support wrote:

> Yes, here is the cert I'm having the problem with. I've had
> Thawte triple check it, and they have found no problems. This
> is a cert for a client of mine, of course.

Sorry, I've cut & pasted it into a `x.crt' file in a ssl.crt/ directory, ran
`make' there and got no error. Instead I got a correct hash symlink

lrwxr-xr-x 1 rse wheel 5 Sep 28 21:40 4b136f34.0 -> x.crt

So it seems like a local problem for you and I've no clue what the problem
is. Perhaps you've CRLFs in the file or other invisible things?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
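
The checks suggested in this thread, as an added example that is not part of the original posts and not taken from the mod_ssl Makefile: `pem_preflight` flags a start line other than `-----BEGIN CERTIFICATE-----`, CRLF line endings and trailing blanks, and `first_ssl_tool` shows which of `openssl` or `ssleay` a `$PATH` walk reaches first. Both function names and the within-directory search order are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the mod_ssl Makefile.
# pem_preflight and first_ssl_tool are hypothetical helper names.

# pem_preflight FILE: print space-separated findings for a PEM file, or "ok".
pem_preflight() {
    f=$1
    findings=""
    cr=$(printf '\r')

    # CRLF line endings, e.g. after the file passed through a DOS/Windows tool.
    if grep -q "${cr}\$" "$f"; then
        findings="${findings:+$findings }crlf"
    fi

    # Trailing blanks or tabs (the CR itself is reported above, not here).
    if awk '{ sub(/\r$/, "") } /[ \t]$/ { bad = 1 } END { exit !bad }' "$f"; then
        findings="${findings:+$findings }trailing-space"
    fi

    # First PEM start line, with CR and trailing blanks stripped before comparing.
    begin=$(awk '{ sub(/\r$/, ""); sub(/[ \t]+$/, "") }
                 /^-----BEGIN / { print; exit }' "$f")
    case $begin in
        '-----BEGIN CERTIFICATE-----') ;;
        '-----BEGIN X509 CERTIFICATE-----')
            findings="${findings:+$findings }x509-start-line" ;;
        '') findings="${findings:+$findings }no-start-line" ;;
        *)  findings="${findings:+$findings }unexpected-start-line" ;;
    esac

    printf '%s\n' "${findings:-ok}"
}

# first_ssl_tool [PATHLIST]: walk PATHLIST (default $PATH) in order and print
# the first executable named openssl or ssleay. Trying openssl before ssleay
# inside one directory is an assumption; the thread does not show the
# Makefile's own search order.
first_ssl_tool() {
    pathlist=${1:-$PATH}
    old_ifs=$IFS
    IFS=:
    for dir in $pathlist; do
        dir=${dir:-.}   # an empty PATH entry means the current directory
        for tool in openssl ssleay; do
            if [ -x "$dir/$tool" ] && [ ! -d "$dir/$tool" ]; then
                IFS=$old_ifs
                printf '%s\n' "$dir/$tool"
                return 0
            fi
        done
    done
    IFS=$old_ifs
    return 1
}
```
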
Re: X509v3 extensions
Yes, here is the cert I'm having the problem with. I've had
Thawte triple check it, and they have found no problems. This
is a cert for a client of mine, of course.

I really appreciate the help... My original posting contains the
errors I receive from the Makefile in 'ssl.crt'.

http://www.progressive-comp.com/Lists/?l=apache-modssl&m=93808996711717&w=2

Thanks again,
Chris

At 10:00 AM 9/28/1999 +0200, you wrote:
>On Mon, Sep 27, 1999, WSO Support wrote:
>
> > [...]
> > The *new* cert I have from Thawte starts with just
> > "-----BEGIN CERTIFICATE-----", as all of the others I have ever
> > gotten in the past from Thawte. The only difference now is that
> > this is a v3 cert, not v1, as all these others were.
> >
> > You said to remove the X509, but it isn't there. The new cert from
> > Thawte doesn't have this in the header and it still won't work.
> > Please again see my original message.
> >
> > http://www.progressive-comp.com/Lists/?l=apache-modssl&m=93808996711717&w=2
> >
> > The main problem is that the 'Makefile' in 'ssl.crt' doesn't
> > recognize the new style v3 cert from Thawte and thus will not
> > create a "hash link" for it.
>
>Errr.. the Makefile uses "openssl x509" command and this one _DOES_ understand
>x509v3 certs, of course. Hmmm... can you post your certificate (not the key,
>only the cert, of course) so we can have a closer look at this particular
>cert and to find out why the hash isn't created?
>
>Ralf S. Engelschall
>[EMAIL PROTECTED]
>www.engelschall.com
Re: X509v3 extensions
On Mon, Sep 27, 1999, WSO Support wrote:

> [...]
> The *new* cert I have from Thawte starts with just
> "-----BEGIN CERTIFICATE-----", as all of the others I have ever
> gotten in the past from Thawte. The only difference now is that
> this is a v3 cert, not v1, as all these others were.
>
> You said to remove the X509, but it isn't there. The new cert from
> Thawte doesn't have this in the header and it still won't work.
> Please again see my original message.
>
> http://www.progressive-comp.com/Lists/?l=apache-modssl&m=93808996711717&w=2
>
> The main problem is that the 'Makefile' in 'ssl.crt' doesn't
> recognize the new style v3 cert from Thawte and thus will not
> create a "hash link" for it.

Errr.. the Makefile uses "openssl x509" command and this one _DOES_ understand
x509v3 certs, of course. Hmmm... can you post your certificate (not the key,
only the cert, of course) so we can have a closer look at this particular
cert and to find out why the hash isn't created?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: X509v3 extensions
Thanks for the response, but it seems you've misunderstood me.

>> Now, I took a look at the certs, I noticed that all of them
>> start with "-----BEGIN X509 CERTIFICATE-----". When I originally
>> got these from Thawte, the header was "-----BEGIN CERTIFICATE-----".

>Yes, OpenSSL looks for "BEGIN CERTIFICATE", so just
>remove the "X509" part and try again.

When I said "all of them" I was referring to the Thawte certs that
have already been installed using the stronghold "getverisign" command
over a year ago, using our old software. I have no problem with these,
they work fine with OpenSSL & mod_ssl.

The *new* cert I have from Thawte starts with just
"-----BEGIN CERTIFICATE-----", as all of the others I have ever
gotten in the past from Thawte. The only difference now is that
this is a v3 cert, not v1, as all these others were.

You said to remove the X509, but it isn't there. The new cert from
Thawte doesn't have this in the header and it still won't work.
Please again see my original message.

http://www.progressive-comp.com/Lists/?l=apache-modssl&m=93808996711717&w=2

The main problem is that the 'Makefile' in 'ssl.crt' doesn't
recognize the new style v3 cert from Thawte and thus will not
create a "hash link" for it.

Is there some sort of equivalent to the "getversign" command in
OpenSSL? Or was the purpose of the getverisign command simply to
move the cert from a temp file into the "certs" directory and create
a hash link?

I have put my time in on this one, I have spent almost 15 hours on
the problem. Can somebody please shed some light?

Thank you..
-Chris

At 11:36 AM 9/27/1999 +0200, you wrote:
>On Wed, Sep 22, 1999, WSO Support wrote:
>
> > [...]
> > I get the following error:
> > unable to load certificate
> > error:0906906C:PEM routines:PEM_read:no start line
> >
> >
> > I was using an OLD version of SSLeay, where I would issue the
> > command 'getversign domain < tempfile'
> > [...]
>
>"getverisign" was from Stronghold, not from SSLeay.
>
>Ralf S. Engelschall
>[EMAIL PROTECTED]
>www.engelschall.com
Re: X509v3 extensions
On Wed, Sep 22, 1999, WSO Support wrote:

> [...]
> I get the following error:
> unable to load certificate
> error:0906906C:PEM routines:PEM_read:no start line
>
> Now, I took a look at the certs, I noticed that all of them
> start with "-----BEGIN X509 CERTIFICATE-----". When I originally
> got these from Thawte, the header was "-----BEGIN CERTIFICATE-----".

Yes, OpenSSL looks for "BEGIN CERTIFICATE", so just remove the "X509" part and
try again.

> I was using an OLD version of SSLeay, where I would issue the
> command 'getversign domain < tempfile'
> [...]

"getverisign" was from Stronghold, not from SSLeay.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
X509v3 extensions
I've just installed Apache 1.3.9+OpenSSL_0.9.4+mod_ssl_2.4.2

I moved my existing certs (issued by VeriSign & Thawte) into the
/usr/local/apache/conf/ssl.crt directory. I moved my existing
.key files into 'ssl.key'.

I then ran 'make' from inside the 'ssl.crt' directory to create
the hash symlink files. This is where the problem starts.

If I examine my existing certs using the command:

openssl x509 -noout -text -in name.crt

They all view fine... but they are all Version: 1 certs.

I recently got a cert renewal from Thawte and it was a v3 cert.
I can view it fine using the above openssl command, but when the
Makefile tries to read it and make the hash symlink, I get the
following error:

unable to load certificate
error:0906906C:PEM routines:PEM_read:no start line

Now, I took a look at the certs, I noticed that all of them
start with "-----BEGIN X509 CERTIFICATE-----". When I originally
got these from Thawte, the header was "-----BEGIN CERTIFICATE-----".

I was using an OLD version of SSLeay, where I would issue the
command 'getversign domain < tempfile'

Where domain was the same name used for generating the key
(genkey domain) and tempfile contained the cert from Thawte.
This seemed to "convert" it to the X509 style...

Anyway, now that I'm using OpenSSL I don't see any command similar
to this. If I simply try to edit the cert and put the X509 in
there and then run make again, I get a different set of errors,
like this:

unable to load certificate
error:0D074071:asn1 encoding routines:d2i_ASN1_INTEGER:expecting an integer
error:0D08C070:asn1 encoding routines:D2I_X509_CINF:error stack
error:0D089070:asn1 encoding routines:D2I_X509:error stack
error:0906600D:PEM routines:PEM_ASN1_read:ASN1 lib

I just can't figure it out. All of my old certs work fine. I've
TRIPLE checked with Thawte about the correctness of the new v3 cert
they have issued, everything is okay on their end.

This isn't a "trailing space" problem either. I've looked at all
the simple things already...

Any ideas at all would be greatly appreciated.

Thank you very much,
Chris