Private Key not found

Private Key not found

on 22.11.2002 22:56:55 by Justin Kay

I am working on a new installation of Slackware 8.1. I am trying to get the
mod_ssl working. I have generated the key and crt files but when I try to
startssl I get an error that the Private Key not found and it doesn't start.
I am stumped. Any ideas where to start?

Justin
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: private key not found

on 10.03.2003 11:42:38 by camun2020

>1 out of 1 certificate requests certified, commit? [y/n]y
>Write out database with 1 new entries
>Data Base Updated
>CA verifying: server.crt <-> CA cert
>server.crt: /C=US/ST=Kansas/L=Lawrence/O=Pelathe
>Center/CN=www.pelathe.org/Email=tkitchen@pelathe.org
>error 18 at 0 depth lookup:self signed certificate
>/C=US/ST=Kansas/L=Lawrence/O=Pelathe
>Center/CN=www.pelathe.org/Email=tkitchen@pelathe.org
>error 7 at 0 depth lookup:certificate signature failure
>
>What is an 'error 18 at depth 0' and an 'error 7 at depth 0'? Would this be a
>reason why my server cannot find the Private Key?

I've no idea what this error means but I've seen it several times but never seen an explanation on the list. I would strongly recommend that you use the alternative certificate scripts available as ssl.ca-0.1.tar.gz at:

http://www.openssl.org/contrib/

These have fixed this problem for me numerous times.

_______________________________________________
No banners. No pop-ups. No kidding.
Introducing My Way - http://www.myway.com
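What the two verify errors quoted above actually mean, and the checks worth running before blaming mod_ssl, as an added example that is not part of the thread, of mod_ssl's sign.sh or of the ssl.ca scripts: OpenSSL error 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (the certificate being verified is self-signed and is not in the trust store) and error 7 is X509_V_ERR_CERT_SIGNATURE_FAILURE (the certificate's signature does not verify with the key of the issuer OpenSSL selected). Seeing both at depth 0 for a certificate that was supposedly CA-signed is consistent with a server certificate whose subject is identical to the CA's subject: OpenSSL releases of that era decided "self-signed" by comparing issuer and subject names only, then checked the signature against the certificate's own key. The script below therefore gives the CA and the server different subjects, reproduces error 18 with a genuinely self-signed server certificate, and checks whether a private key belongs to a certificate by comparing public-key fingerprints, which is the first thing to look at when Apache cannot pair SSLCertificateFile with SSLCertificateKeyFile (the scripts' "CA verifying" step is the same openssl verify call). The names (Example Test CA, www.example.test) and paths are invented for the demo; it needs an openssl binary from 1.0.0 or later and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the thread, mod_ssl's sign.sh or the ssl.ca scripts):
# build a throwaway CA, sign a server certificate with it, and run the checks
# that separate a CA-verification problem from a key/certificate mismatch.
# Names and paths below are made up for the demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl binary not found, nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf;
# every subject field comes from -subj.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# 1. CA whose subject is deliberately different from the server's subject.
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
chmod 600 "$WORK/ca.key"
openssl req -new -config "$WORK/req.cnf" -key "$WORK/ca.key" \
    -subj "/C=US/O=Example Test/CN=Example Test CA" -out "$WORK/ca.csr"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null

# 2. Server key and CSR; the certificate is issued by the CA, not self-signed.
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
chmod 600 "$WORK/server.key"
openssl req -new -config "$WORK/req.cnf" -key "$WORK/server.key" \
    -subj "/C=US/O=Example Test/CN=www.example.test" -out "$WORK/server.csr"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$WORK/server.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null

# 3. Two things that go wrong in practice: a server certificate that was
#    self-signed instead of CA-signed, and a key that was never used for the CSR.
openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" -days 1 \
    -out "$WORK/selfsigned.crt" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

# verify_errors CAFILE CERT: prints the numeric OpenSSL verify error codes,
# one per line; empty output means CERT chains to CAFILE.
verify_errors() {
    openssl verify -CAfile "$1" "$2" 2>&1 \
        | sed -n 's/^error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*$/\1/p'
}

# pubkey_fingerprint FILE cert|key: SHA-256 over the PEM-encoded public key.
pubkey_fingerprint() {
    case "$2" in
        cert) openssl x509 -in "$1" -noout -pubkey ;;
        key)  openssl pkey -in "$1" -pubout ;;
    esac | openssl dgst -sha256 | awk '{ print $NF }'
}

# key_matches_cert KEY CERT: true when the key's public half is the one in CERT.
key_matches_cert() {
    [ "$(pubkey_fingerprint "$1" key)" = "$(pubkey_fingerprint "$2" cert)" ]
}

# key_is_private KEY: true when the file is readable and writable by its owner only.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

echo "CA-signed cert, verify errors: '$(verify_errors "$WORK/ca.crt" "$WORK/server.crt")'"
echo "self-signed cert, verify errors: '$(verify_errors "$WORK/ca.crt" "$WORK/selfsigned.crt")'"
key_matches_cert "$WORK/server.key" "$WORK/server.crt" && echo "server.key matches server.crt"
key_matches_cert "$WORK/other.key" "$WORK/server.crt" || echo "other.key does NOT match server.crt"
key_is_private "$WORK/server.key" && echo "server.key permissions are owner-only"
```

The CA-signed certificate produces no error lines, the self-signed one produces exactly "18", and only the key that made the CSR matches the certificate. When Apache refuses a key/certificate pair, run key_matches_cert against the exact paths in SSLCertificateFile and SSLCertificateKeyFile before anything else; a key copied from the wrong directory after several generation attempts is the usual culprit, and copying or moving PEM files does not alter their content.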

Re: private key not found

on 12.03.2003 18:46:12 by aputnam

Still no luck. I get the same error with this script too. Thank you for
pointing out the script though. It was a LOT easier to use than the other one
I had been using.


On Monday 10 March 2003 04:42, camun2020 wrote:
> >1 out of 1 certificate requests certified, commit? [y/n]y
> >Write out database with 1 new entries
> >Data Base Updated
> >CA verifying: server.crt <-> CA cert
> >server.crt: /C=US/ST=Kansas/L=Lawrence/O=Pelathe
> >Center/CN=www.pelathe.org/Email=tkitchen@pelathe.org
> >error 18 at 0 depth lookup:self signed certificate
> >/C=US/ST=Kansas/L=Lawrence/O=Pelathe
> >Center/CN=www.pelathe.org/Email=tkitchen@pelathe.org
> >error 7 at 0 depth lookup:certificate signature failure
> >
> >What is an 'error 18 at depth 0' and an 'error 7 at depth 0'? Would this
> > be a reason why my server cannot find the Private Key?
>
> I've no idea what this error means but I've seen it several times but never
> seen an explanation on the list. I would strongly recommend that you use
> the alternative certificate scripts available as ssl.ca-0.1.tar.gz at:
>
> http://www.openssl.org/contrib/
>
> These have fixed this problem for me numerous times.

--
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center


Re: private key not found

on 13.03.2003 12:01:36 by camun2020

--- On Thu 03/13, A. Putnam < aputnam@pelathe.org > wrote:

Still no luck. I get the same error with this script too. Thank you for
pointing out the script though. It was a LOT easier to use than the other one
I had been using.

OK, now I'm getting vague but could this be to do with the fact that you have some 'incomplete' keys and data in your ca.db.certs directory from the previous failed attempts?

Make sure you start in a whole new clean directory...

Having said that, I haven't actually tried those scripts with the most recent openssl so perhaps there are new problems.

cam


Re: private key not found

on 13.03.2003 18:31:31 by aputnam

Okay, I cleaned out all of the older versions of the keys and ran the scripts
again. I ended up with this:

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: www.pelathe.org.crt <-> CA cert
www.pelathe.org.crt: OK

That does mean it worked, right? Everything is good? If so, should I move the
new files I have to their respective directories or should I change my
httpd.conf file to point to the new directory? I don't know if moving or
copying/pasting damages the integrity of the encryptions or not.


On Thursday 13 March 2003 05:01, camun2020 wrote:
> --- On Thu 03/13, A. Putnam < aputnam@pelathe.org > wrote:
>
> Still no luck. I get the same error with this script too. Thank you for
> pointing out the script though. It was a LOT easier to use than the other
> one I had been using.
>
> OK, now I'm getting vague but could this be to do with the fact that you
> have some 'incomplete' keys and data in your ca.db.certs directory from the
> previous failed attempts?
>
> Make sure you start in a whole new clean directory...
>
> Having said that, I haven't actually tried those scripts with the most
> recent openssl so perhaps there are new problems.
>
> cam

--
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center



Re: private key not found

on 13.03.2003 18:32:01 by dufresne

You should be able to safely move them into place. Make sure perms are as
restricted as possible to prevent their info from being leaked.

On Fri, 14 Mar 2003, A. Putnam wrote:

> Okay, I cleaned out all of the older versions of the keys and ran the scripts
> again. I ended up with this:
>
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
> CA verifying: www.pelathe.org.crt <-> CA cert
> www.pelathe.org.crt: OK
>
> That does mean it worked, right? Everything is good? If so, should I move the
> new files I have to their respective directories or should I change my
> httpd.conf file to point to the new directory? I don't know if moving or
> copying/pasting damages the integrity of the encryptions or not.
>
>
> On Thursday 13 March 2003 05:01, camun2020 wrote:
> > --- On Thu 03/13, A. Putnam < aputnam@pelathe.org > wrote:
> >
> > Still no luck. I get the same error with this script too. Thank you for
> > pointing out the script though. It was a LOT easier to use than the other
> > one I had been using.
> >
> > OK, now I'm getting vague but could this be to do with the fact that you
> > have some 'incomplete' keys and data in your ca.db.certs directory from the
> > previous failed attempts?
> >
> > Make sure you start in a whole new clean directory...
> >
> > Having said that, I haven't actually tried those scripts with the most
> > recent openssl so perhaps there are new problems.
> >
> > cam

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!


Re: private key not found

on 13.03.2003 18:33:19 by Aaron Stromas

You can copy your cert and key files to apache's conf directory.

A. Putnam said:
> Okay, I cleaned out all of the older versions of the keys and ran the
> scripts again. I ended up with this:
>
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
> CA verifying: www.pelathe.org.crt <-> CA cert
> www.pelathe.org.crt: OK
>
> That does mean it worked, right? Everything is good? If so, should I
> move the new files I have to their respective directories or should I
> change my httpd.conf file to point to the new directory? I don't know
> if moving or copying/pasting damages the integrity of the encryptions
> or not.
>
>
> On Thursday 13 March 2003 05:01, camun2020 wrote:
>> --- On Thu 03/13, A. Putnam < aputnam@pelathe.org > wrote:
>>
>> Still no luck. I get the same error with this script too. Thank you
>> for pointing out the script though. It was a LOT easier to use than
>> the other one I had been using.
>>
>> OK, now I'm getting vague but could this be to do with the fact that
>> you have some 'incomplete' keys and data in your ca.db.certs directory
>> from the previous failed attempts?
>>
>> Make sure you start in a whole new clean directory...
>>
>> Having said that, I haven't actually tried those scripts with the most
>> recent openssl so perhaps there are new problems.
>>
>> cam
>
> --
> A. Putnam
> Assistant IT Administrator
> Pelathe Community Resource Center


--
Aaron Stromas | "Tik-tik-tik!!!... ja, Pantani is weg..."
ams@izoard.com | BRTN commentator
+1 (301) 493 4933 | L'Alpe d'Huez
http://www.izoard.com | 1995 Tour de France




Re: private key not found

on 13.03.2003 18:49:53 by camun2020

--- On Fri 03/14, A. Putnam < aputnam@pelathe.org > wrote:
>That does mean it worked, right? Everything is good?

Everything is rosy...

>If so, should I move the new files I have to their respective directories
>or should I change my httpd.conf file to point to the new directory?

I would personally suggest that you protect (chmod 700;chown root.root) the area where the files are currently stored and copy the key and the crt to the httpd.conf area where you should set appropriate perms on them too. See e.g. here for some guidance:

http://en.tldp.org/HOWTO/SSL-RedHat-HOWTO-4.html

>I don't know if moving or copying/pasting damages the integrity of the encryptions or not.

No, not in any way that I know of...


Re: private key not found

on 13.03.2003 18:50:18 by Aaron Stromas

Just a guess: have you also added the CA certificate to the CA certificate
bundle? Also, set your logging to "trace", it should give you a clue.

-a

A. Putnam said:
> I went ahead and changed my httpd.conf file to reflect the new
> directory. And when I went to restart Apache, it worked! (THANK YOU!!)
> However, when I go to my shopping cart and click 'checkout' (thus
> sending me to the secure server) I get this error message:
>
> "www.pelathe.org has received an incorrect or unexpected message. Error
> Code: -12227"
>
> I've never seen an error code like that before. Does anyone know what
> it means?
>
> On Friday 14 March 2003 13:37, A. Putnam wrote:
>> Okay, I cleaned out all of the older versions of the keys and ran the
>> scripts again. I ended up with this:
>>
>> 1 out of 1 certificate requests certified, commit? [y/n]y
>> Write out database with 1 new entries
>> Data Base Updated
>> CA verifying: www.pelathe.org.crt <-> CA cert
>> www.pelathe.org.crt: OK
>>
>> That does mean it worked, right? Everything is good? If so, should I
>> move the new files I have to their respective directories or should I
>> change my httpd.conf file to point to the new directory? I don't know
>> if moving or copying/patsing damages the integrity of the encryptions
>> or not.
>>
>> On Thursday 13 March 2003 05:01, camun2020 wrote:
>> > --- On Thu 03/13, A. Putnam < aputnam@pelathe.org > wrote:
>> >
>> > Still no luck. I get the same error with this script too. Thank you
>> > for pointing out the script though. It was a LOT easier to use than
>> > the other one I had been using.
>> >
>> > OK, now I'm getting vague but could this be to do with the fact that
>> > you have some 'incomplete' keys and data in your ca.db.certs
>> > directory from the previous failed attempts?
>> >
>> > Make sure you start in a whole new clean directory...
>> >
>> > Having said that, I haven't actually tried those scripts with the
>> > most recent openssl so perhaps there are new problems.
>> >
>> > cam
>
> --
> A. Putnam
> Assistant IT Administrator
> Pelathe Community Resource Center


--
Aaron Stromas | "Tik-tik-tik!!!... ja, Pantani is weg..."
ams@izoard.com | BRTN commentator
+1 (301) 493 4933 | L'Alpe d'Huez
http://www.izoard.com | 1995 Tour de France




Re: private key not found

on 13.03.2003 18:55:58 by camun2020

--- On Fri 03/14, A. Putnam < aputnam@pelathe.org > wrote:
>I get this error message:

>"www.pelathe.org has received an incorrect or unexpected message. Error Code: -12227"
>I've never seen an error code like that before. Does anyone know what it means?

Again, a guess, but you haven't set SSLVerifyClient Require have you? You (presumably, otherwise, get reading on client certificates) want 'none' here. If not, in fact, in any case, have a look in your SSL log files (not the 'normal' log files) which will have been specified in httpd.conf... The logs are your friend.

cam


Re: private key not found

on 13.03.2003 19:01:41 by aputnam

I went ahead and changed my httpd.conf file to reflect the new directory. And
when I went to restart Apache, it worked! (THANK YOU!!) However, when I go to
my shopping cart and click 'checkout' (thus sending me to the secure server)
I get this error message:

"www.pelathe.org has received an incorrect or unexpected message. Error Code:
-12227"

I've never seen an error code like that before. Does anyone know what it
means?

On Friday 14 March 2003 13:37, A. Putnam wrote:
> Okay, I cleaned out all of the older versions of the keys and ran the
> scripts again. I ended up with this:
>
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
> CA verifying: www.pelathe.org.crt <-> CA cert
> www.pelathe.org.crt: OK
>
> That does mean it worked, right? Everything is good? If so, should I move
> the new files I have to their respective directories or should I change my
> httpd.conf file to point to the new directory? I don't know if moving or
> copying/pasting damages the integrity of the encryptions or not.
>
> On Thursday 13 March 2003 05:01, camun2020 wrote:
> > --- On Thu 03/13, A. Putnam < aputnam@pelathe.org > wrote:
> >
> > Still no luck. I get the same error with this script too. Thank you for
> > pointing out the script though. It was a LOT easier to use than the other
> > one I had been using.
> >
> > OK, now I'm getting vague but could this be to do with the fact that you
> > have some 'incomplete' keys and data in your ca.db.certs directory from
> > the previous failed attempts?
> >
> > Make sure you start in a whole new clean directory...
> >
> > Having said that, I haven't actually tried those scripts with the most
> > recent openssl so perhaps there are new problems.
> >
> > cam

--
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center


Re: private key not found

on 13.03.2003 19:59:59 by aputnam

Right then. I moved my certificates into their respective directories and
re-edited my httpd.conf file to reflect those changes and set the
SSLVerifyClient to 'none'. I was not sure where to go to change the logging
to 'trace' though. But, I can get into the secure server now so it
technically works. (thank you again Camun, and DuFresne and Stromas too)

However, I am finding that all of the pages I've visited while in https are
pulling up 404 errors. The same pages pull up fine in http. Do I need to have
a mirrored web directory just for https to get the files to show up or
something? This is the only real conclusion I can think of.

On Thursday 13 March 2003 11:55, cam wrote:
> --- On Fri 03/14, A. Putnam < aputnam@pelathe.org > wrote:
> >I get this error message:
> >
> >"www.pelathe.org has received an incorrect or unexpected message. Error
> > Code: -12227" I've never seen an error code like that before. Does anyone
> > know what it means?
>
> Again, a guess, but you haven't set SSLVerifyClient Require have you? You
> (presumably, otherwise, get reading on client certificates) want 'none'
> here. If not, in fact, in any case, have a look in your SSL log files (not
> the 'normal' log files) which will have been specified in httpd.conf... The
> logs are your friend.
>
> cam

--
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center



Re: private key not found

on 13.03.2003 20:36:06 by Aaron Stromas

A. Putnam said:
> Right then. I moved my certificates into their respective directories
> and re-reeditted my httpd.conf file to reflect those changes and set
> the SSLVerifyClient to 'none'. I was not sure where to go to change
> the logging to 'trace' though. But, I can get into the secure server
> now so it technically works. (thank you again Camun, and DuFresne and
> Stromas too)

SSLLogLevel trace

>
> However, I am finding that all of the pages I've visited while in https
> are pulling up 404 errors. The same pages pull up fine in http. Do I
> need to have a mirrored web directory just for https to get the files
> to show up or something? This is the only real conclusion I can think
> of.

What does the access log say?

If you still can't figure it out looking at logs you should post your
httpd.conf

> On Thursday 13 March 2003 11:55, cam wrote:
>> --- On Fri 03/14, A. Putnam < aputnam@pelathe.org > wrote:
>> >I get this error message:
>> >
>> >"www.pelathe.org has received an incorrect or unexpected message.
>> >Error
>> > Code: -12227" I've never seen an error code like that before. Does
>> > anyone know what it means?
>>
>> Again, a guess, but you haven't set SSLVerifyClient Require have you?
>> You (presumably, otherwise, get reading on client certificates) want
>> 'none' here. If not, in fact, in any case, have a look in your SSL log
>> files (not the 'normal' log files) which will have been specified in
>> httpd.conf... The logs are your friend.
>>
>> cam
>
> --
> A. Putnam
> Assistant IT Administrator
> Pelathe Community Resource Center
>


--
Aaron Stromas | "Tik-tik-tik!!!... ja, Pantani is weg..."
ams@izoard.com | BRTN commentator
+1 (301) 493 4933 | L'Alpe d'Huez
http://www.izoard.com | 1995 Tour de France




Re: private key not found

on 14.03.2003 19:42:20 by aputnam

I found the SSLLogLevel, thanks. Here is the engine log from today. I'm not
really sure what to make of it...

[15/Mar/2003 14:30:18 11313] [info] Server: Apache/1.3.26, Interface: mod_ssl/2.8.10, Library: OpenSSL/0.9.6g
[15/Mar/2003 14:30:18 11313] [info] Init: 1st startup round (still not detached)
[15/Mar/2003 14:30:18 11313] [info] Init: Initializing OpenSSL library
[15/Mar/2003 14:30:18 11313] [info] Init: Loading certificate & private key of SSL-aware server matrix.pelathe.org:443
[15/Mar/2003 14:30:18 11313] [info] Init: Seeding PRNG with 136 bytes of entropy
[15/Mar/2003 14:30:18 11313] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[15/Mar/2003 14:30:18 11313] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[15/Mar/2003 14:30:20 11314] [info] Init: 2nd startup round (already detached)
[15/Mar/2003 14:30:20 11314] [info] Init: Reinitializing OpenSSL library
[15/Mar/2003 14:30:20 11314] [info] Init: Seeding PRNG with 136 bytes of entropy
[15/Mar/2003 14:30:20 11314] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
[15/Mar/2003 14:30:20 11314] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[15/Mar/2003 14:30:20 11314] [info] Init: Initializing (virtual) servers for SSL
[15/Mar/2003 14:30:20 11314] [info] Init: Configuring server matrix.pelathe.org:443 for SSL protocol
[15/Mar/2003 14:30:20 11314] [info] Init: (matrix.pelathe.org:443) RSA server certificate enables Server Gated Cryptography (SGC)
[15/Mar/2003 14:30:20 11314] [warn] Init: (matrix.pelathe.org:443) RSA server certificate CommonName (CN) `www.pelathe.org' does NOT match server name!?
[15/Mar/2003 14:34:52 11671] [info] Connection to child 2 established (server matrix.pelathe.org:443, client 24.124.34.100)
[15/Mar/2003 14:34:52 11671] [info] Seeding PRNG with 1160 bytes of entropy
[15/Mar/2003 14:37:04 11671] [info] Connection: Client IP: 24.124.34.100, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[15/Mar/2003 14:37:04 11671] [info] Initial (No.1) HTTPS request received for child 2 (server matrix.pelathe.org:443)
[15/Mar/2003 14:37:16 11671] [info] Subsequent (No.2) HTTPS request received for child 2 (server matrix.pelathe.org:443)
[15/Mar/2003 14:37:33 11671] [info] Connection to child 2 closed with standard shutdown (server matrix.pelathe.org:443, client 24.124.34.100)
[15/Mar/2003 14:52:36 11499] [info] Connection to child 1 established (server matrix.pelathe.org:443, client 24.124.34.100)
[15/Mar/2003 14:52:36 11499] [info] Seeding PRNG with 1160 bytes of entropy
[15/Mar/2003 14:52:36 11499] [info] Connection: Client IP: 24.124.34.100, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[15/Mar/2003 14:52:36 11499] [info] Initial (No.1) HTTPS request received for child 1 (server matrix.pelathe.org:443)
[15/Mar/2003 14:52:52 11499] [info] Connection to child 1 closed with standard shutdown (server matrix.pelathe.org:443, client 24.124.34.100)

I'll go ahead and post the mod_ssl section of my httpd.conf as well, sans the
descriptive text:



SSLPassPhraseDialog builtin

#SSLSessionCache none
#SSLSessionCache shmht:/var/run/ssl_scache(512000)
#SSLSessionCache shmcb:/var/run/ssl_scache(512000)
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300

SSLMutex file:/var/run/ssl_mutex

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

SSLLog /var/log/httpd/ssl_engine_log
SSLLogLevel trace





##
## SSL Virtual Host Context
##



DocumentRoot "/srv/www/htdocs"
ServerName matrix.pelathe.org
ServerAdmin tkitchen@pelathe.org
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /etc/httpd/ssl.crt/www.pelathe.org.crt

SSLCertificateKeyFile /etc/httpd/ssl.key/www.pelathe.org.key

SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt

SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt

SSLCARevocationPath /etc/httpd/ssl.crl

SSLVerifyClient none
SSLVerifyDepth 10

#
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#



SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



I hope this helps. I'm really becoming baffled by this.


On Thursday 13 March 2003 13:36, you wrote:
> A. Putnam said:
> > Right then. I moved my certificates into their respective directories
> > and re-reeditted my httpd.conf file to reflect those changes and set
> > the SSLVerifyClient to 'none'. I was not sure where to go to change
> > the logging to 'trace' though. But, I can get into the secure server
> > now so it technically works. (thank you again Camun, and DuFresne and
> > Stromas too)
>
> SSLLogLevel trace
>
> > However, I am finding that all of the pages I've visited while in https
> > are pulling up 404 errors. The same pages pull up fine in http. Do I
> > need to have a mirrored web directory just for https to get the files
> > to show up or something? This is the only real conclusion I can think
> > of.
>
> What does the access log say?
>
> If you still can't figure it out looking at logs you should post your
> httpd.conf

Re: private key not found

on 14.03.2003 19:53:12 by Ron Gedye

Quick check...
Check your Docroot (& add ?). Just looked at your site & I
get http fine (with content) but https shows SuSE test page.

FYI - to remove this error:
[15/Mar/2003 14:30:20 11314] [warn] Init: (matrix.pelathe.org:443) RSA server
certificate CommonName (CN) `www.pelathe.org' does NOT match server name!?

change this line...
ServerName matrix.pelathe.org
(no big deal...)

----- Original Message -----
From: "A. Putnam"
To:
Sent: Saturday, March 15, 2003 3:07 PM
Subject: Re: private key not found


I found the SSLLogLevel, thanks. Here is the engine log from today. I'm not
really sure what to make of it...

[15/Mar/2003 14:30:18 11313] [info] Server: Apache/1.3.26, Interface: mod_ssl/2.8.10, Library: OpenSSL/0.9.6g
[15/Mar/2003 14:30:18 11313] [info] Init: 1st startup round (still not detached)
[15/Mar/2003 14:30:18 11313] [info] Init: Initializing OpenSSL library
[15/Mar/2003 14:30:18 11313] [info] Init: Loading certificate & private key of SSL-aware server matrix.pelathe.org:443
[15/Mar/2003 14:30:18 11313] [info] Init: Seeding PRNG with 136 bytes of entropy
[15/Mar/2003 14:30:18 11313] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[15/Mar/2003 14:30:18 11313] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[15/Mar/2003 14:30:20 11314] [info] Init: 2nd startup round (already detached)
[15/Mar/2003 14:30:20 11314] [info] Init: Reinitializing OpenSSL library
[15/Mar/2003 14:30:20 11314] [info] Init: Seeding PRNG with 136 bytes of entropy
[15/Mar/2003 14:30:20 11314] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
[15/Mar/2003 14:30:20 11314] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[15/Mar/2003 14:30:20 11314] [info] Init: Initializing (virtual) servers for SSL
[15/Mar/2003 14:30:20 11314] [info] Init: Configuring server matrix.pelathe.org:443 for SSL protocol
[15/Mar/2003 14:30:20 11314] [info] Init: (matrix.pelathe.org:443) RSA server certificate enables Server Gated Cryptography (SGC)
[15/Mar/2003 14:30:20 11314] [warn] Init: (matrix.pelathe.org:443) RSA server certificate CommonName (CN) `www.pelathe.org' does NOT match server name!?
[15/Mar/2003 14:34:52 11671] [info] Connection to child 2 established (server matrix.pelathe.org:443, client 24.124.34.100)
[15/Mar/2003 14:34:52 11671] [info] Seeding PRNG with 1160 bytes of entropy
[15/Mar/2003 14:37:04 11671] [info] Connection: Client IP: 24.124.34.100, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[15/Mar/2003 14:37:04 11671] [info] Initial (No.1) HTTPS request received for child 2 (server matrix.pelathe.org:443)
[15/Mar/2003 14:37:16 11671] [info] Subsequent (No.2) HTTPS request received for child 2 (server matrix.pelathe.org:443)
[15/Mar/2003 14:37:33 11671] [info] Connection to child 2 closed with standard shutdown (server matrix.pelathe.org:443, client 24.124.34.100)
[15/Mar/2003 14:52:36 11499] [info] Connection to child 1 established (server matrix.pelathe.org:443, client 24.124.34.100)
[15/Mar/2003 14:52:36 11499] [info] Seeding PRNG with 1160 bytes of entropy
[15/Mar/2003 14:52:36 11499] [info] Connection: Client IP: 24.124.34.100, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[15/Mar/2003 14:52:36 11499] [info] Initial (No.1) HTTPS request received for child 1 (server matrix.pelathe.org:443)
[15/Mar/2003 14:52:52 11499] [info] Connection to child 1 closed with standard shutdown (server matrix.pelathe.org:443, client 24.124.34.100)
ssl_engine_log lines 394-440/440 (END)

I'll go ahead and post the mod_ssl section of my httpd.conf as well, sans the
descriptive text:



SSLPassPhraseDialog builtin

#SSLSessionCache none
#SSLSessionCache shmht:/var/run/ssl_scache(512000)
#SSLSessionCache shmcb:/var/run/ssl_scache(512000)
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300

SSLMutex file:/var/run/ssl_mutex

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

SSLLog /var/log/httpd/ssl_engine_log
SSLLogLevel trace





##
## SSL Virtual Host Context
##



DocumentRoot "/srv/www/htdocs"
ServerName matrix.pelathe.org
ServerAdmin tkitchen@pelathe.org
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /etc/httpd/ssl.crt/www.pelathe.org.crt

SSLCertificateKeyFile /etc/httpd/ssl.key/www.pelathe.org.key

SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt

SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt

SSLCARevocationPath /etc/httpd/ssl.crl

SSLVerifyClient none
SSLVerifyDepth 10

#
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#



SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



I hope this helps. I'm really becoming baffled by this.


On Thursday 13 March 2003 13:36, you wrote:
> A. Putnam said:
> > Right then. I moved my certificates into their respective directories
> > and re-reeditted my httpd.conf file to reflect those changes and set
> > the SSLVerifyClient to 'none'. I was not sure where to go to change
> > the logging to 'trace' though. But, I can get into the secure server
> > now so it technically works. (thank you again Camun, and DuFresne and
> > Stromas too)
>
> SSLLogLevel trace
>
> > However, I am finding that all of the pages I've visited while in https
> > are pulling up 404 errors. The same pages pull up fine in http. Do I
> > need to have a mirrored web directory just for https to get the files
> > to show up or something? This is the only real conclusion I can think
> > of.
>
> What does the access log say?
>
> If you still can't figure it out looking at logs you should post your
> httpd.conf>



Re: private key not found

am 14.03.2003 20:37:19 von aputnam

Changed the ServerName - thanks, I was wondering about that.

How do I check my Docroot? "& add ?" What does that mean?


On Friday 14 March 2003 12:53, Ron Gedye wrote:
> Quick check...
> Check your Docroot (& add ?). Just looked at your site & I
> get http fine (with content) but https shows SuSE test page.
>
> FYI - to remove this error:
> [15/Mar/2003 14:30:20 11314] [warn] Init: (matrix.pelathe.org:443) RSA server certificate CommonName (CN) `www.pelathe.org' does NOT match server name!?
>
> change this line...
> ServerName matrix.pelathe.org
> (no big deal...)
>

-- 
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center


Re: private key not found

am 14.03.2003 20:45:00 von Ron Gedye


>
> DocumentRoot "/srv/www/htdocs"
> ServerName matrix.pelathe.org
> ServerAdmin tkitchen@pelathe.org
> ErrorLog /var/log/httpd/error_log
> TransferLog /var/log/httpd/access_log

Is DocumentRoot above the actual content of your site? (betting not) Maybe
compare this setting to what is set for port 80 (http)
Other than that I had no problems with getting to your site via https.

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/home/httpd/html"

There is usually a related setting (maybe not in virtual hosts, little
rusty - brainfog)
#
# This should be changed to whatever you set DocumentRoot to.
#


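A small checker for the three things this thread turned on, added here as an example (it is not code from mod_ssl or from anyone in the thread): it compares the :443 DocumentRoot with the :80 one, matches ServerName against the CN that mod_ssl reports in ssl_engine_log, and confirms the certificate and key paths exist. The httpd.conf fragment and log lines are constructed; the :80 block and its DocumentRoot are invented, and no real certificate is parsed.

```python
"""Consistency audit for a mod_ssl VirtualHost (added example, stdlib only).

Findings cover: DocumentRoot differing between :80 and :443 (https 404s
while http works), ServerName not matching the certificate CN that mod_ssl
warns about, and SSLCertificateFile/SSLCertificateKeyFile paths that do not
exist (the thread's original "Private Key not found" symptom).
"""
import os
import re

# Constructed httpd.conf fragment. The :443 values follow the poster's config
# (the archive ate the <VirtualHost> tags); the :80 block is invented.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName www.pelathe.org
    DocumentRoot "/srv/www/htdocs/pelathe"
</VirtualHost>

<VirtualHost _default_:443>
    DocumentRoot "/srv/www/htdocs"
    ServerName matrix.pelathe.org
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl.crt/www.pelathe.org.crt
    SSLCertificateKeyFile /etc/httpd/ssl.key/www.pelathe.org.key
</VirtualHost>
"""

# Constructed log lines modelled on the [warn] line quoted in the thread.
SAMPLE_LOG = (
    "[15/Mar/2003 14:30:20 11314] [info] Init: Configuring server "
    "matrix.pelathe.org:443 for SSL protocol\n"
    "[15/Mar/2003 14:30:20 11314] [warn] Init: (matrix.pelathe.org:443) RSA "
    "server certificate CommonName (CN) `www.pelathe.org' does NOT match "
    "server name!?\n"
)

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^[ \t]*([A-Za-z]\w*)[ \t]+(.*?)[ \t]*$", re.M)
CN_WARN_RE = re.compile(
    r"\((?P<server>[^)]+)\) RSA server certificate CommonName \(CN\) "
    r"`(?P<cn>[^']+)' does NOT match server name"
)


def parse_vhosts(conf):
    """Map each <VirtualHost addr> block to its {directive: value} pairs."""
    vhosts = {}
    for addr, body in VHOST_RE.findall(conf):
        directives = {}
        for name, value in DIRECTIVE_RE.findall(body):
            directives[name] = value.strip('"')
        vhosts[addr.strip()] = directives
    return vhosts


def vhost_on_port(vhosts, port):
    """First VirtualHost whose address ends in :port, or None."""
    for addr, directives in vhosts.items():
        if addr.endswith(":%d" % port):
            return directives
    return None


def cn_warnings(log):
    """(server, CN) pairs from mod_ssl's 'CommonName ... does NOT match' line."""
    return [(m.group("server"), m.group("cn")) for m in CN_WARN_RE.finditer(log)]


def audit(conf, log, path_exists=os.path.isfile):
    """Return (kind, detail) findings; an empty list means the config is consistent.
    path_exists is injectable so the file check can run against a fake filesystem."""
    vhosts = parse_vhosts(conf)
    http, https = vhost_on_port(vhosts, 80), vhost_on_port(vhosts, 443)
    if https is None:
        return [("no-ssl-vhost", "no VirtualHost on :443")]
    findings = []

    # 1. https pages 404 while http works: usually a different DocumentRoot.
    if http is not None and http.get("DocumentRoot") != https.get("DocumentRoot"):
        findings.append(("docroot", "http=%s https=%s"
                         % (http.get("DocumentRoot"), https.get("DocumentRoot"))))

    # 2. ServerName vs. the CN mod_ssl found in the certificate it loaded.
    for server, cn in cn_warnings(log):
        if cn != https.get("ServerName"):
            findings.append(("cn", "%s: certificate CN %s != ServerName %s"
                             % (server, cn, https.get("ServerName"))))

    # 3. The files mod_ssl has to open at startup, whatever the rest says.
    for directive in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        path = https.get(directive)
        if path is None or not path_exists(path):
            findings.append(("missing-file", "%s %s" % (directive, path)))
    return findings
```

Run `audit(open("httpd.conf").read(), open("ssl_engine_log").read())` on a real host; the constructed sample yields one finding of each kind.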

Re: private key not found

am 14.03.2003 21:14:20 von aputnam

Ohhhh...okay. I see it now. One of those 'duh, it's right in front of me'
things.

Ok, so now I've changed the DocumentRoot, but the only line I
could find already had the correct path in it. There was one other
type line:


SSLOptions +StdEnvVars


But it didn't have any effect when I changed it so I changed it back.

On Friday 14 March 2003 13:45, Ron Gedye wrote:
>
>
> > DocumentRoot "/srv/www/htdocs"
> > ServerName matrix.pelathe.org
> > ServerAdmin tkitchen@pelathe.org
> > ErrorLog /var/log/httpd/error_log
> > TransferLog /var/log/httpd/access_log
>
> Is DocumentRoot above the actual content of your site? (betting not) Maybe
> compare this setting to what is set for port 80 (http)
> Other than that I had no problems with getting to your site via https.
>
> #
> # DocumentRoot: The directory out of which you will serve your
> # documents. By default, all requests are taken from this directory, but
> # symbolic links and aliases may be used to point to other locations.
> #
> DocumentRoot "/home/httpd/html"
>
> There is usually a related setting (maybe not in virtual hosts, little
> rusty - brainfog)
> #
> # This should be changed to whatever you set DocumentRoot to.
> #

-- 
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center
