Hi,

I've successfully made many self-signed certificates for Apache in the
past using the docs from the modssl and openssl websites.  This time, I'm
completely stumped and I've searched all over the Internet without finding
an answer that helps.  I'm getting this error message in my Apache logs:

[Thu Jun  3 09:00:11 2004] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]

The problem is that my cert CN is NOT identical to the CA CN and my CN
DOES match the server name.  I'm trying to access my site at
https://www.lotspeich.org/.  Here's my Apache config:

<VirtualHost 209.79.149.250:443>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /home/httpd/html
ServerName www.lotspeich.org
ServerAlias www lotspeich.org localhost
DirectoryIndex index.epl index.shtml index.html
<IfModule mod_ssl.c>
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with `make certificate' under
#   built time. Keep in mind that if you've both a RSA and a DSA
#   certificate you can configure both in parallel (to also allow
#   the use of DSA ciphers, etc.)
SSLCertificateFile /etc/httpd/conf/certs/server.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/conf/certs/server.key

SSLCACertificateFile /etc/httpd/conf/certs/ca.crt
</IfModule>
</VirtualHost>

Here's the information about my certificate:


[shrimp: /etc/httpd/conf/certs] root $ openssl x509 -noout -text -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=California, L=Sunnyvale, CN=Erik Lotspeich/[EMAIL PROTECTED]
        Validity
            Not Before: Jun  3 15:49:51 2004 GMT
            Not After : Jun  3 15:49:51 2005 GMT
        Subject: C=US, ST=California, L=Sunnyvale, CN=www.lotspeich.org/emailAddress=erik@lotspeich.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:da:c6:4a:02:23:38:c0:ba:44:00:20:30:47:bf:
                    22:54:20:77:0d:a0:b7:e5:66:9b:51:04:5a:94:92:
                    a2:dc:ed:01:b5:15:ab:7f:ca:37:f7:34:97:97:41:
                    08:3b:fa:3c:d4:71:c7:01:3b:1c:03:a5:4c:e6:4e:
                    15:42:b9:cd:cd:9c:5c:6d:75:b7:42:0c:11:3c:39:
                    94:b3:2a:ac:40:45:c6:c3:2b:f2:e1:4f:5c:5c:fa:
                    e1:5e:4b:12:1a:59:cb:0f:36:ea:57:78:8a:ec:4e:
                    46:03:19:0b:29:71:7d:fb:f8:97:92:9c:e3:a0:fa:
                    69:05:02:24:a7:32:77:77:a9
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        3b:a1:ae:b7:ac:75:8d:54:68:2e:25:03:30:af:db:26:82:33:
        4c:1e:89:fb:cd:03:5f:c3:0e:0d:87:c4:c9:88:57:3a:16:b6:
        af:19:d9:8d:2d:89:c9:c5:40:b9:72:f3:63:44:a4:bf:10:29:
        90:0b:c7:78:44:c6:73:30:b2:67:49:3b:79:a1:05:50:27:7c:


I tried to follow all of the documentation for making my own CA, CSR, and 
signing my certificate.  I used the following commands in this order:

/usr/local/ssl/misc/CA.sh -newca
openssl genrsa server.key 1024
openssl req -new -key server.key -out server.csr
cp demoCA/cacert.pem ca.crt
cp demoCA/cakey.pem ca.key
/usr/src/compile/mod_ssl-2.8.18-1.3.31/pkg.contrib/sign.sh server.csr

Am I missing something simple here?  Any help would be greatly 
appreciated.  My Apache server's version string is this:

Apache/1.3.27 (Unix) PHP/4.3.4 mod_ssl/2.8.11 OpenSSL/0.9.6g mod_perl/1.27

I'm creating the certificates with OpenSSL 0.9.7d.

Thanks in advance,

Erik.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
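The post's procedure (private CA, server key, CSR, signed server cert) as a script that also runs the checks mod_ssl's hint is alluding to. This is an added example, not code from the original post or from the mod_ssl project. The "sslv3 alert bad certificate" in the log is an alert the client sent after seeing the server certificate; the bracketed hint is mod_ssl's generic guess, so checking the conditions it names explicitly is the practical next step. The script assumes `openssl` is on PATH; the hostname `www.example.test`, the DN fields and the output directory are constructed placeholders. It goes one step beyond the post's v1 certificate by issuing a v3 certificate with a subjectAltName, because clients match the server name against SAN rather than CN.

```sh
#!/bin/sh
# Added example (not from the original post). Needs `openssl` on PATH; the
# hostname, DN fields and directory are constructed placeholders.
set -e

HOST="www.example.test"   # must equal the ServerName of the SSL virtual host

# make_chain DIR: a throwaway CA and a server certificate signed by it.
make_chain() {
    dir="$1"
    mkdir -p "$dir"
    # 1. CA: self-signed, with a CN that is deliberately not the server name.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/C=US/ST=California/L=Sunnyvale/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and CSR. -out names the key file; without it genrsa
    #    writes the key to stdout. The CSR's CN is the server name.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" \
        -subj "/C=US/ST=California/L=Sunnyvale/CN=$HOST" \
        -out "$dir/server.csr" 2>/dev/null
    # 3. Sign the CSR with the CA. Clients today match the name against
    #    subjectAltName rather than CN, so emit a v3 cert carrying one.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$HOST" \
        > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# cert_cn FILE FIELD: print the CN from -subject or -issuer of FILE.
cert_cn() {
    openssl x509 -noout "$2" -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_chain DIR: the conditions mod_ssl's hint alludes to, plus the
# key/cert match, as explicit commands. Prints "ok" and returns 0 only if
# every check passes; otherwise prints the first failing check, returns 1.
check_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "server.crt does not chain to ca.crt"; return 1; }
    subj=$(cert_cn "$dir/server.crt" -subject)
    issuer=$(cert_cn "$dir/server.crt" -issuer)
    [ "$subj" = "$HOST" ] \
        || { echo "subject CN '$subj' is not the server name '$HOST'"; return 1; }
    [ "$subj" != "$issuer" ] \
        || { echo "subject CN is identical to the CA CN"; return 1; }
    kmod=$(openssl rsa -noout -modulus -in "$dir/server.key")
    cmod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    [ "$kmod" = "$cmod" ] \
        || { echo "server.key does not match server.crt"; return 1; }
    echo ok
}

# Usage: sh mkchain.sh /path/to/certs  (then point SSLCertificateFile and
# SSLCertificateKeyFile at the server.crt and server.key it wrote)
if [ -n "$1" ]; then
    make_chain "$1" && check_chain "$1"
fi
```

Two caveats when applying this to the posted setup. First, a certificate from a private CA is still untrusted by every client that has not imported ca.crt; Apache's SSLCACertificateFile only names CAs for verifying client certificates and does nothing for the browser, so a bad_certificate alert from a browser that lacks the CA is expected until ca.crt is installed there. Second, the posted SSLCipherSuite line permits eNULL, EXP, LOW and SSLv2; that is unrelated to the alert but worth removing.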
