topic Re: Apache SSL problem in Operating System - HP-UX

Apache SSL problem

Seetha Lakshmi — Mon, 07 Feb 2005 09:30:31 GMT

I have an web application using SSL. On some servers my application doesn't start and the following error message is logged in the error log file.

Thu Feb 3 03:35:39 2005] [crit] error setting verify locations
[Thu Feb 3 03:35:39 2005] [crit] error:02001002:system library:fopen:No such file or directory
[Thu Feb 3 03:35:39 2005] [crit] error:2006D002:BIO routines:BIO_new_file:system lib
[Thu Feb 3 03:35:39 2005] [crit] error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

Can anyone help me with the problem

Re: Apache SSL problem

RAC_1 — Mon, 07 Feb 2005 09:36:39 GMT

To me it looks like it is problem with few of the libraries on some boxes. Are all libraries present on the boxes where it is a problem??

Anil

Re: Apache SSL problem

Seetha Lakshmi — Mon, 07 Feb 2005 09:38:08 GMT

Can you mention the names of the library files.

Re: Apache SSL problem

Peter Godron — Mon, 07 Feb 2005 09:47:15 GMT

Seetha,
have you got a SSLCertificateFile or SSLCertificateKeyFile ?
Where are they located?
Regards

Re: Apache SSL problem

Seetha Lakshmi — Mon, 07 Feb 2005 09:50:20 GMT

Yes, they are located under apache/ssl/certs and apache/ssl/private directories.

Re: Apache SSL problem

Peter Godron — Mon, 07 Feb 2005 09:50:52 GMT

Seetha,
may also be worthwhile to try:
SSLCACertificatePath may have to be fully qualified
i.e. same as ServerRoot
ServerRoot /etc/httpsd
SSLCACertificatePath /etc/httpsd/certifs
Regards

Re: Apache SSL problem

Seetha Lakshmi — Mon, 07 Feb 2005 09:53:36 GMT

Yes i have fully qualified the certificate file and the key file.

SSLCertificateKeyFile apache/ssl/private/$WEB_HOST.key
SSLCertificateFile apache/ssl/certs/$WEB_HOST.cert

Re: Apache SSL problem

Peter Godron — Mon, 07 Feb 2005 09:54:58 GMT

Seetha,
would you not need a "/" before the first entry to make the path absolute?

Re: Apache SSL problem

Steven E. Protter — Mon, 07 Feb 2005 09:57:41 GMT

Are these the SSL keys and Certs that came with apache. Those are somewhat fake and useless, using the name localhost.localdomain.

I recently learned (last Friday) how to generate proper ssl certificates and keys. If this is where the problem is I can connect to a machine at another office and get you the script I developed to semi automate the process.

SEP

Re: Apache SSL problem

Seetha Lakshmi — Mon, 07 Feb 2005 09:58:55 GMT

No. actually i have set them as follows.

SSLCertificateKeyFile $WEB_HOME/data/apache/ssl/private/$WEB_HOST.key
SSLCertificateFile $WEB_HOME/data/apache/ssl/certs/$WEB_HOST.cert

Where the variables WEB_HOME and WEB_HOST are set by the application

Re: Apache SSL problem

Seetha Lakshmi — Mon, 07 Feb 2005 09:59:58 GMT

No the SSL certificate and key were created for the application by us.

Re: Apache SSL problem

Peter Godron — Mon, 07 Feb 2005 11:19:17 GMT

Seetha,
as my last attempt can you replace the $variables with hardcoded values and try again. My thinking is what happens if $WEB_HOME or $WEB_HOST are incorrect/blank?
That would explain the no such file message.
Regards

Re: Apache SSL problem

Seetha Lakshmi — Mon, 07 Feb 2005 22:24:48 GMT

This situation is impossible because all these environment variables are set in a particular ".ksh" file and it is run each time the application starts. Also the application will not start if these variables are not set.

Re: Apache SSL problem

Seetha Lakshmi — Mon, 07 Feb 2005 23:43:28 GMT

I also tried setting the SSLCertificateFile and SSLCertificateKeyFile specifying the absolute path but still i get the same error. Can some one help me with the problem

Re: Apache SSL problem

VEL_1 — Wed, 09 Feb 2005 04:21:27 GMT

Hi,

I think it looks the CA certificate file.
Try to add SSLCACertificateFile option also.

like:

SSLCertificateFile /tmp/server.crt
SSLCertificateKeyFile /tmp/myserver.key
SSLCACertificateFile /tmp/other-bundle.txt

Re: Apache SSL problem

VEL_1 — Wed, 09 Feb 2005 05:33:03 GMT

Here is the steps I did for Apache with SSL:

To build apache with OpenSSL for secure communication, Use following steps.

Steps:

I. Build

a. Untar the Source & configure, gmake and gmake install

# tar -zxvf httpd-2.0.46.tar.gz

b. Configure the apache with options

# cd httpd-2.0.46
# ./configure --prefix=/usr/local/apache --with-ssl=/usr/local/ssl/lib --enable-expires --enable-ssl --enable-rewrite --enable-so --enable-xml --enable-modules=most

b. Compile & install the apache using following commands

# gmake
# gmake install

II. Create Certificate Authority (CA)

a. To create RSA private key

# /usr/local/ssl/bin/openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
...++++++
............++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
#

b. To create self-signed CA certificate

# /usr/local/ssl/bin/openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:TN
Locality Name (eg, city) []:CBE
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cisco
Organizational Unit Name (eg, section) []:OpenSource
Common Name (eg, YOUR name) []:linuxtest.cisco.com
Email Address []:opensource@cisco.com
#

III. Create SSL Certificate

a. To create RSA private key

# /usr/local/ssl/bin/openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
...............................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
#

b. Decrypt private key (so that apache can start w/o asking for password)

# mv server.key server.key.secure
# /usr/local/ssl/bin/openssl rsa -in server.key.secure -out server.key
Enter pass phrase for server.key.secure:
writing RSA key
#

c. To create a Certificate Signing Request (CSR)

# /usr/local/ssl/bin/openssl req -new -days 365 -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:TN
Locality Name (eg, city) []:CBE
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cisco
Organizational Unit Name (eg, section) []:OpenSource
Common Name (eg, YOUR name) []:linuxtest.cisco.com
Email Address []:opensource@cisco.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:welcome
An optional company name []:Senas.net
#

IV. Sign SSL Certificate

# /usr/local/ssl/bin/openssl x509 -req -days 30 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=IN/ST=TN/L=CBE/O=cisco/OU=OpenSource/CN=linuxtest.cisco.com/emailAddress=opensource@cisco.com
Getting Private key
#

V. Create directories for SSL certificate & key and copy the certificate & key to corresponding directories

# mkdir /usr/local/apache/conf/ssl.crt
# mkdir /usr/local/apache/conf/ssl.key
# cp server.crt ssl.crt
# cp server.key ssl.key

VI. Apache configuration

In /usr/local/apache/conf/httpd.conf,

ServerName linuxtest.cisco.com
ServerAdmin sysadmin@linuxtest.cisco.com

VII. Start Apache

# /usr/local/apache/bin/apachectl startssl // both 80 & 443

To check apache whether it listens on port 80 & 443

a. Use "netstat" command

# netstat -na | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
# netstat -na | grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN

b. Use the following URL's

http://127.0.0.1/
https://127.0.0.1/

VII. Stop apache

# /usr/local/apache/bin/apachectl stop

To check apache whether it listens on port 80 & 443

# netstat -na | grep 80
# netstat -na | grep 443
#

Note: See the file /usr/local/apache/conf/ssl.conf for SSL configuration

Re: Apache SSL problem

Seetha Lakshmi — Wed, 09 Feb 2005 05:36:41 GMT

Thanks everyone

The error message was due to absence of CA certificate file. When I set the valid file name for SSLCACertificateFile it worked properly.