Re: [openssl-users] 1st time through, only -- "Can't open root/database.attr for reading, No such file or directory" ?
On Sun, Jun 4, 2017 at 8:57 PM, Jeffrey Walton wrote:
> On Sun, Jun 4, 2017 at 7:56 PM, PGNet Dev wrote:
>> On 6/4/17 4:51 PM, Jeffrey Walton wrote:
>>>> but the process STARTS with an apparently non-fatal error ...
>>>>
>>>>   Using configuration from /home/sec/newCA/openssl.cnf
>>>>   Can't open root/database.attr for reading, No such file or directory
>>>>   140013244086016:error:02001002:system library:fopen::crypto/bio/bss_file.c:74:fopen('root/database.attr','r')
>>>>   140013244086016:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:81:
>>>
>>> This usually indicates the OpenSSL conf file cannot be found. It's odd
>>> that "Using configuration from /home/sec/newCA/openssl.cnf" is
>>> reported.
>>>
>>> Maybe you can try `OPENSSL_CONF=/home/sec/newCA/openssl.cnf `
>>> to isolate the issue (or maybe rule out it's not a conf file problem).
>>
>> The message above doesn't indicate that openssl.cnf can't be found. In fact
>> it explicitly states that it IS found and IS using it
>>
>>   Using configuration from /home/sec/newCA/openssl.cnf
>>
>> It's the same openssl.cnf used in all the PRIOR steps, with no problem
>> whatsoever.
>>
>> Rather it's
>>
>>   Can't open root/database.attr for reading, No such file or directory
>>
>> that's not found.
>>
>> I've found that if I simply
>>
>>   touch root/database.attr
>>   touch intermediate/database.attr
>>
>> as already's been done with
>>
>>   touch root/database
>>   touch intermediate/database
>
> Oh, I was not aware you were skipping steps. I guess that explains the
> unusual results.

BTW, I believe you are also supposed to add an initial serial number.
Something like:

    echo "0" > serialno.txt

Check your conf file for the filename.

(The information is somewhere in the docs. It may be in the
Certificates HOWTO or the CA HOWTO).

Jeff
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] 1st time through, only -- "Can't open root/database.attr for reading, No such file or directory" ?
On Sun, Jun 4, 2017 at 7:56 PM, PGNet Dev wrote:
> On 6/4/17 4:51 PM, Jeffrey Walton wrote:
>>> but the process STARTS with an apparently non-fatal error ...
>>>
>>>   Using configuration from /home/sec/newCA/openssl.cnf
>>>   Can't open root/database.attr for reading, No such file or directory
>>>   140013244086016:error:02001002:system library:fopen::crypto/bio/bss_file.c:74:fopen('root/database.attr','r')
>>>   140013244086016:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:81:
>>
>> This usually indicates the OpenSSL conf file cannot be found. It's odd
>> that "Using configuration from /home/sec/newCA/openssl.cnf" is
>> reported.
>>
>> Maybe you can try `OPENSSL_CONF=/home/sec/newCA/openssl.cnf `
>> to isolate the issue (or maybe rule out it's not a conf file problem).
>
> The message above doesn't indicate that openssl.cnf can't be found. In fact
> it explicitly states that it IS found and IS using it
>
>>>>   Using configuration from /home/sec/newCA/openssl.cnf
>
> It's the same openssl.cnf used in all the PRIOR steps, with no problem
> whatsoever.
>
> Rather it's
>
>>>>   Can't open root/database.attr for reading, No such file or directory
>
> that's not found.
>
> I've found that if I simply
>
>   touch root/database.attr
>   touch intermediate/database.attr
>
> as already's been done with
>
>   touch root/database
>   touch intermediate/database

Oh, I was not aware you were skipping steps. I guess that explains the
unusual results.

Jeff
Re: [openssl-users] 1st time through, only -- "Can't open root/database.attr for reading, No such file or directory" ?
On 6/4/17 4:51 PM, Jeffrey Walton wrote:
>> but the process STARTS with an apparently non-fatal error ...
>>
>>   Using configuration from /home/sec/newCA/openssl.cnf
>>   Can't open root/database.attr for reading, No such file or directory
>>   140013244086016:error:02001002:system library:fopen::crypto/bio/bss_file.c:74:fopen('root/database.attr','r')
>>   140013244086016:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:81:
>
> This usually indicates the OpenSSL conf file cannot be found. It's odd
> that "Using configuration from /home/sec/newCA/openssl.cnf" is
> reported.
>
> Maybe you can try `OPENSSL_CONF=/home/sec/newCA/openssl.cnf `
> to isolate the issue (or maybe rule out it's not a conf file problem).

The message above doesn't indicate that openssl.cnf can't be found. In fact
it explicitly states that it IS found and IS using it

>>   Using configuration from /home/sec/newCA/openssl.cnf

It's the same openssl.cnf used in all the PRIOR steps, with no problem
whatsoever.

Rather it's

>>   Can't open root/database.attr for reading, No such file or directory

that's not found.

I've found that if I simply

    touch root/database.attr
    touch intermediate/database.attr

as already's been done with

    touch root/database
    touch intermediate/database
Re: [openssl-users] 1st time through, only -- "Can't open root/database.attr for reading, No such file or directory" ?
> but the process STARTS with an apparently non-fatal error ...
>
>   Using configuration from /home/sec/newCA/openssl.cnf
>   Can't open root/database.attr for reading, No such file or directory
>   140013244086016:error:02001002:system library:fopen::crypto/bio/bss_file.c:74:fopen('root/database.attr','r')
>   140013244086016:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:81:

This usually indicates the OpenSSL conf file cannot be found. It's odd
that "Using configuration from /home/sec/newCA/openssl.cnf" is
reported.

Maybe you can try `OPENSSL_CONF=/home/sec/newCA/openssl.cnf `
to isolate the issue (or maybe rule out it's not a conf file problem).

Jeff
[openssl-users] 1st time through, only -- "Can't open root/database.attr for reading, No such file or directory" ?
I've a new, local CA for (primary) local, self-signed, elliptical cert issuance & use.

I've built/installed,

    openssl version
      OpenSSL 1.1.0f 25 May 2017

I've created a ROOT crt & key, & an INTERMEDIATE key & csr.

On exec of signing the INTERMEDIATE key with the ROOT.

    openssl ca -batch \
      -notext \
      -extensions ext_intermediate \
      -config /home/sec/newCA/openssl.cnf \
      -name ca_root \
      -in intermediate/csr/newCA.INTERMEDIATE.csr.pem \
      -out intermediate/certs/newCA.INTERMEDIATE.crt.pem

It appears to complete -- the cert's created

    openssl x509 \
      -noout \
      -text \
      -in intermediate/certs/newCA.INTERMEDIATE.crt.pem

      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number: 4096 (0x1000)
          Signature Algorithm: ecdsa-with-SHA256
      ...

but the process STARTS with an apparently non-fatal error ...

    Using configuration from /home/sec/newCA/openssl.cnf
    Can't open root/database.attr for reading, No such file or directory
    140013244086016:error:02001002:system library:fopen::crypto/bio/bss_file.c:74:fopen('root/database.attr','r')
    140013244086016:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:81:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 4096 (0x1000)
            Validity
                Not Before: Jun 4 18:54:29 2017 GMT
                Not After : Jun 2 18:54:29 2027 GMT
    ...
    Write out database with 1 new entries
    Data Base Updated

The only mention of root/database is in my openssl.conf

    ...
    [ ca_root ]
    dir = root
    certs = $dir/certs
    crl_dir = $dir/crl
    new_certs_dir = $dir/newcerts
    database = $dir/database    <-
    unique_subject= yes
    ...

PRIOR to creating the ROOT key, I

    touch root/database
    touch intermediate/database

AFTER the signing,

    ls -al root/database*
      -rw-r--r-- 1 root root 167 Jun 4 11:54 root/database
      -rw-r--r-- 1 root root 21 Jun 4 11:54 root/database.attr
      -rw-r--r-- 1 root root 0 Jun 4 11:51 root/database.old

and if I RE-exec the cmd,

    openssl ca -batch \
    ...

there's no more error

    Using configuration /home/sec/newCA/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    ...

Checking

    cat root/database.attr
      unique_subject = yes

Which appears (?) to originate from the "[ ca_root ]" in my openssl.cnf

Do I need to touch, or manually populate, the root/database.attr prior to first exec to init as well?

Or is this a bug?
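A pre-flight check for the state files this thread mentions (database, database.attr and the serial file), given as an added example that is not from any poster or from OpenSSL. The sample config is constructed from the quoted `[ ca_root ]` section; its `serial` line and the function names are assumptions.

```python
import os
import re
import tempfile

# Constructed config modelled on the [ ca_root ] section quoted in the post.
# The "serial" line is an assumption: the post elides the rest of the section.
SAMPLE_CNF = """\
[ ca_root ]
dir            = root
database       = $dir/database
serial         = $dir/serial
unique_subject = yes
"""

def ca_section(cnf_text, name):
    """Return the key/value pairs of one [section], expanding $var / ${var}."""
    values, current = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)
        elif current == name and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            # Only earlier keys of the same section are substituted here.
            values[key] = re.sub(r"\$\{?(\w+)\}?",
                                 lambda m: values.get(m.group(1), m.group(0)), val)
    return values

def missing_ca_files(cnf_text, name, base="."):
    """List the state files the section refers to that do not exist under base."""
    sec = ca_section(cnf_text, name)
    wanted = [sec["database"], sec["database"] + ".attr"]
    if "serial" in sec:
        wanted.append(sec["serial"])
    return [p for p in wanted if not os.path.exists(os.path.join(base, p))]

def demo():
    """Recreate the poster's starting state: only root/database was touched."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "root"))
        open(os.path.join(base, "root", "database"), "w").close()
        return missing_ca_files(SAMPLE_CNF, "ca_root", base)

if __name__ == "__main__":
    print(demo())
```
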
Re: [openssl-users] Possible OpenSSL 1.1.0 regression with "enc -d" command?
Thanks for the pointer. Seems as if the right option is "-md" though.

On 06/04/2017 02:54 PM, Salz, Rich via openssl-users wrote:
>
> In 1.1.0 the default digest changed from MD5 to SHA256. So use the "-digest
> md5" flag to read or write data from older releases.
> --
> Senior Architect, Akamai Technologies
> Member, OpenSSL Dev Team
> IM: richs...@jabber.at Twitter: RichSalz
>
Re: [openssl-users] Possible OpenSSL 1.1.0 regression with "enc -d" command?
In 1.1.0 the default digest changed from MD5 to SHA256. So use the "-digest
md5" flag to read or write data from older releases.
--
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richs...@jabber.at Twitter: RichSalz
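Why the digest default matters, as an added example that is not code from any poster or from OpenSSL: password-based `openssl enc` derives the AES key and IV from the password and the file's salt with EVP_BytesToKey, so the same password yields different key material under MD5 and SHA-256, and decrypting with the wrong one ends in "bad decrypt". The sample ciphertext, salt and password below are constructed; the reply in this thread names `-md` as the option that selects the digest.

```python
import base64
import hashlib

MAGIC = b"Salted__"  # header `openssl enc` writes before the 8-byte salt

# Constructed sample, not the poster's file: header + salt + one dummy AES
# block, base64-encoded the way `enc -a` emits it.
SAMPLE_B64 = base64.b64encode(MAGIC + bytes.fromhex("0102030405060708") + bytes(16))

def split_salted(b64_text):
    """Decode `enc -a` output and return (salt, ciphertext)."""
    raw = base64.b64decode(b64_text)
    if len(raw) < 16 or raw[:8] != MAGIC:
        raise ValueError("no 'Salted__' header: not salted password-based enc output")
    return raw[8:16], raw[16:]

def evp_bytes_to_key(digest, password, salt, key_len=32, iv_len=16):
    """EVP_BytesToKey with one iteration: D_i = H(D_{i-1} || password || salt)."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]

def derive_both(b64_text, password):
    """Key/IV for aes-256-cbc under the pre-1.1.0 (md5) and 1.1.0 (sha256) default."""
    salt, _ = split_salted(b64_text)
    return {d: evp_bytes_to_key(d, password, salt) for d in ("md5", "sha256")}

if __name__ == "__main__":
    for name, (key, iv) in derive_both(SAMPLE_B64, b"constructed-password").items():
        print(f"{name:7} key={key.hex()} iv={iv.hex()}")
```
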
[openssl-users] Possible OpenSSL 1.1.0 regression with "enc -d" command?
I have a ciphertext that I used to decrypt with

    openssl enc -d -aes-256-cbc -a -in ciphertext.txt > plaintext.bin

and given the correct password it decrypted fine on OpenSSL 0.9.x to 1.0.2g (Ubuntu 16.04).

Now I got word that OpenSSL 1.1.0 can no longer decrypt the file. Apparently the user tested under Arch Linux and Mint and got this error:

    139925102714752:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:535

Is there some known regression with OpenSSL 1.1.0 that could cause this?

I can provide an example including the correct password by mail if anyone wants to look at this; I refrained from posting this to the list because it's 30 kB.