Apache SSL problem

Frequent Advisor

I have an web application using SSL. On some servers my application doesn't start and the following error message is logged in the error log file.

[Thu Feb 3 03:35:39 2005] [crit] error setting verify locations
[Thu Feb 3 03:35:39 2005] [crit] error:02001002:system library:fopen:No such file or directory
[Thu Feb 3 03:35:39 2005] [crit] error:2006D002:BIO routines:BIO_new_file:system lib
[Thu Feb 3 03:35:39 2005] [crit] error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

Can anyone help me with the problem?
16 REPLIES
Honored Contributor

Re: Apache SSL problem

To me it looks like it is a problem with a few of the libraries on some boxes. Are all libraries present on the boxes where it is a problem?

Anil
There is no substitute to HARDWORK
Frequent Advisor

Re: Apache SSL problem

Can you mention the names of the library files?
Honored Contributor

Re: Apache SSL problem

Seetha,
have you got an SSLCertificateFile or SSLCertificateKeyFile?
Where are they located?
Regards
Frequent Advisor

Re: Apache SSL problem

Yes, they are located under apache/ssl/certs and apache/ssl/private directories.
Honored Contributor

Re: Apache SSL problem

Seetha,
it may also be worthwhile to try this: SSLCACertificatePath may have to be fully qualified, i.e. the same as ServerRoot:

ServerRoot /etc/httpsd
SSLCACertificatePath /etc/httpsd/certifs
Regards
Frequent Advisor

Re: Apache SSL problem

Yes, I have fully qualified the certificate file and the key file.

SSLCertificateKeyFile apache/ssl/private/$WEB_HOST.key
SSLCertificateFile apache/ssl/certs/$WEB_HOST.cert

Honored Contributor

Re: Apache SSL problem

Seetha,
would you not need a "/" before the first entry to make the path absolute?
Exalted Contributor

Re: Apache SSL problem

Are these the SSL keys and certs that came with Apache? Those are somewhat fake and useless, using the name localhost.localdomain.

I recently learned (last Friday) how to generate proper SSL certificates and keys. If this is where the problem is, I can connect to a machine at another office and get you the script I developed to semi-automate the process.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Frequent Advisor

Re: Apache SSL problem

No, actually I have set them as follows.

SSLCertificateKeyFile $WEB_HOME/data/apache/ssl/private/$WEB_HOST.key
SSLCertificateFile $WEB_HOME/data/apache/ssl/certs/$WEB_HOST.cert

where the variables WEB_HOME and WEB_HOST are set by the application.

Frequent Advisor

Re: Apache SSL problem

No, the SSL certificate and key were created for the application by us.
Honored Contributor

Re: Apache SSL problem

Seetha,
as my last attempt, can you replace the $variables with hardcoded values and try again? My thinking is: what happens if $WEB_HOME or $WEB_HOST is incorrect/blank?
That would explain the "no such file" message.
Regards
Frequent Advisor

Re: Apache SSL problem

This situation is impossible because all these environment variables are set in a particular ".ksh" file and it is run each time the application starts. Also, the application will not start if these variables are not set.
Frequent Advisor

Re: Apache SSL problem

I also tried setting the SSLCertificateFile and SSLCertificateKeyFile specifying the absolute path, but still I get the same error. Can someone help me with the problem?
Valued Contributor

Re: Apache SSL problem

Hi,

I think it looks for the CA certificate file.
Try adding the SSLCACertificateFile option as well,

like:

SSLCertificateFile /tmp/server.crt
SSLCertificateKeyFile /tmp/myserver.key
SSLCACertificateFile /tmp/other-bundle.txt
Valued Contributor

Re: Apache SSL problem

Here are the steps I did for Apache with SSL:

To build Apache with OpenSSL for secure communication, use the following steps.

Steps:

I. Build

a. Untar the source

# tar -zxvf httpd-2.0.46.tar.gz

b. Configure Apache with options

# cd httpd-2.0.46
# ./configure --prefix=/usr/local/apache --with-ssl=/usr/local/ssl/lib --enable-expires --enable-ssl --enable-rewrite --enable-so --enable-xml --enable-modules=most

c. Compile & install Apache using the following commands

# gmake
# gmake install

II. Create Certificate Authority (CA)

a. To create RSA private key

# /usr/local/ssl/bin/openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
...++++++
............++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
#

b. To create self-signed CA certificate

# /usr/local/ssl/bin/openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:TN
Locality Name (eg, city) []:CBE
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cisco
Organizational Unit Name (eg, section) []:OpenSource
Common Name (eg, YOUR name) []:linuxtest.cisco.com
Email Address []:opensource@cisco.com
#

III. Create SSL Certificate

a. To create RSA private key

# /usr/local/ssl/bin/openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
...............................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
#

b. Decrypt the private key (so that Apache can start without asking for a password)

# mv server.key server.key.secure
# /usr/local/ssl/bin/openssl rsa -in server.key.secure -out server.key
Enter pass phrase for server.key.secure:
writing RSA key
#

c. To create a Certificate Signing Request (CSR)

# /usr/local/ssl/bin/openssl req -new -days 365 -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:TN
Locality Name (eg, city) []:CBE
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cisco
Organizational Unit Name (eg, section) []:OpenSource
Common Name (eg, YOUR name) []:linuxtest.cisco.com
Email Address []:opensource@cisco.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:welcome
An optional company name []:Senas.net
#

IV. Sign SSL Certificate

# /usr/local/ssl/bin/openssl x509 -req -days 30 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=IN/ST=TN/L=CBE/O=cisco/OU=OpenSource/CN=linuxtest.cisco.com/emailAddress=opensource@cisco.com
Getting Private key
#

V. Create directories for SSL certificate & key and copy the certificate & key to corresponding directories

# mkdir /usr/local/apache/conf/ssl.crt
# mkdir /usr/local/apache/conf/ssl.key
# cp server.crt ssl.crt
# cp server.key ssl.key

VI. Apache configuration

In /usr/local/apache/conf/httpd.conf,

ServerName linuxtest.cisco.com
ServerAdmin sysadmin@linuxtest.cisco.com

VII. Start Apache

# /usr/local/apache/bin/apachectl startssl // both 80 & 443

To check whether Apache listens on ports 80 & 443:

a. Use the "netstat" command

# netstat -na | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
# netstat -na | grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN

b. Use the following URLs

http://127.0.0.1/
https://127.0.0.1/

VIII. Stop Apache

# /usr/local/apache/bin/apachectl stop

To check that Apache no longer listens on ports 80 & 443:

# netstat -na | grep 80
# netstat -na | grep 443
#

Note: See the file /usr/local/apache/conf/ssl.conf for SSL configuration
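The thread's diagnosis turned on which mod_ssl file directive resolved to a missing, relative or unreadable path. The following checker is an added example (not code from any poster) that lints those directives the way Apache would trip over them at startup: it expands $VAR references as the ksh wrapper would (an unset name becomes empty), flags relative paths, missing files or directories, and, for SSLCACertificateFile, tries to load the file as a PEM CA bundle through the same OpenSSL verify-locations call that produced the logged error. The directive names and error strings come from the thread; the temp-directory sample built by `build_sample()` is constructed here.

```python
import os
import re
import ssl
import tempfile

FILE_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCACertificateFile")
DIR_DIRECTIVES = ("SSLCACertificatePath",)
DIRECTIVE_RE = re.compile(r"^\s*(SSL\w+)\s+(\S+)")


def expand_vars(value, env):
    """Expand $NAME like the ksh wrapper would; an unset name becomes ''."""
    return re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), ""), value)


def check_ssl_directives(conf_text, env):
    """Return (directive, resolved_path, problem) for each SSL file directive
    Apache would fail on ('fopen: No such file', 'error setting verify locations')."""
    problems = []
    for line in conf_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if not m or m.group(1) not in FILE_DIRECTIVES + DIR_DIRECTIVES:
            continue
        directive, path = m.group(1), expand_vars(m.group(2), env)
        if not os.path.isabs(path):
            problems.append((directive, path, "relative path (resolved against ServerRoot, not the cwd)"))
        elif directive in DIR_DIRECTIVES and not os.path.isdir(path):
            problems.append((directive, path, "directory does not exist"))
        elif directive in FILE_DIRECTIVES and not os.path.isfile(path):
            problems.append((directive, path, "file does not exist"))
        elif directive == "SSLCACertificateFile":
            try:  # same OpenSSL verify-locations path mod_ssl uses at startup
                ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_verify_locations(cafile=path)
            except ssl.SSLError as exc:
                problems.append((directive, path, f"not loadable as a PEM CA bundle: {exc}"))
    return problems


def build_sample():
    """Constructed sample: temp WEB_HOME with placeholder cert/key and a bogus CA file."""
    home = tempfile.mkdtemp()
    for name, body in (("server.crt", "placeholder"), ("server.key", "placeholder"),
                       ("other-bundle.txt", "this is not a certificate\n")):
        with open(os.path.join(home, name), "w") as fh:
            fh.write(body)
    conf = ("SSLCertificateKeyFile $WEB_HOME/server.key\n"
            "SSLCertificateFile $WEB_HOME/server.crt\n"
            "SSLCACertificateFile $WEB_HOME/other-bundle.txt\n"
            "SSLCACertificatePath apache/ssl/certs\n")
    return conf, {"WEB_HOME": home}
```

Running `check_ssl_directives(*build_sample())` reports the bogus CA bundle and the relative SSLCACertificatePath; passing an empty env instead reproduces the "what if $WEB_HOME is blank" case, where every path collapses to a non-existent file under `/`.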
Frequent Advisor

Re: Apache SSL problem

Thanks everyone

The error message was due to the absence of the CA certificate file. When I set a valid file name for SSLCACertificateFile, it worked properly.