certificate problems

am 23.11.2002 19:37:09 von Erik Boles

I apologize in advance if this is off-topic for this list.

Just installed our new Verisign cert on our apache box but are having two
problems with it:

1. The person who generated the key that was sent to verisign used the wrong
common name so the secure URL we use doesn't match the URL on the cert,
throwing up a warning screen...any way around this other than starting over
with a new cert?


2. Whenever we start httpd we are prompted for a password for ssl to start,
which doesn't work for us as httpd restarts itself every night. Our old cert
never did this, is this something new?


Thanks for any help...

Erik


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: certificate problems

am 23.11.2002 19:44:42 von Daniel Lopez

> Just installed our new Verisign cert on our apache box but are having two
> problems with it:
>
> 1. The person who generated the key that was sent to verisign used the wrong
> common name so the secure URL we use doesn't match the URL on the cert,
> throwing up a warning screen...any way around this other than starting over
> with a new cert?

Unfortunately no, you will need to get a new one or move your secure pages to
that domain.


> 2. Whenever we start httpd we are prompted for a password for ssl to start,
> which doesn't work for us as httpd restarts itself every night. Our old cert
> never did this, is this something new?

The key is encrypted, so in case anyone broke into your server, the attacker
would not be able to simply take your certificate and key and impersonate you.
He would also need that passphrase.

The way to do this is to decrypt the key:

# /usr/local/ssl/install/bin/openssl rsa -in www.example.com.key \
-out www.example.com.key.unsecure

(more info at http://www.apacheworld.org/ty24/site.chapter17.html)

mod_ssl also has a directive so you can have a script provide that phrase
automatically. It is convenient, but not really any more secure, see the
"How can I get rid of the pass-phrase dialog at Apache startup time?" entry at
http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html

Cheers

Daniel
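Daniel's answer above turns on one question: is the key file passphrase-protected or not? As an added example (not code from the thread, from mod_ssl or from OpenSSL), here is a Python check of the kind a pre-restart sanity script might run. It reports whether loading a PEM key will prompt for a passphrase, and, for a key that has been decrypted as Daniel describes, whether the file mode still keeps it private. The PEM bodies are constructed placeholders, not real key material; `audit_key` and `audit_key_file` are names chosen here.

```python
"""Report whether a PEM private key will prompt for a passphrase at httpd startup.

Added example, not code from the thread or from mod_ssl/OpenSSL. The PEM
bodies below are constructed placeholders (base64 of a marker string), not
real key material; only the envelope labels and header lines are inspected.
"""
import os
import re
import stat

# Constructed sample: traditional OpenSSL envelope, encrypted. OpenSSL marks
# these with Proc-Type/DEK-Info header lines directly after the BEGIN line.
ENCRYPTED_TRADITIONAL = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIEtFWQ==
-----END RSA PRIVATE KEY-----
"""

# Constructed sample: PKCS#8 envelope, where the label itself says encrypted.
ENCRYPTED_PKCS8 = """\
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIEtFWQ==
-----END ENCRYPTED PRIVATE KEY-----
"""

# Constructed sample: the shape 'openssl rsa -in key -out key.unsecure' writes.
UNENCRYPTED = """\
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIEtFWQ==
-----END RSA PRIVATE KEY-----
"""

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.M)
PROC_TYPE_RE = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.M)


def pem_label(pem):
    """Return the text between BEGIN and the closing dashes, e.g. 'RSA PRIVATE KEY'."""
    m = BEGIN_RE.search(pem)
    if m is None:
        raise ValueError("no PEM BEGIN line found")
    return m.group(1)


def key_is_encrypted(pem):
    """True if loading this key needs a passphrase.

    Two encodings exist: PKCS#8 uses the label ENCRYPTED PRIVATE KEY; the
    traditional labels (RSA/DSA/EC PRIVATE KEY) signal encryption with a
    'Proc-Type: 4,ENCRYPTED' header inside the envelope.
    """
    label = pem_label(pem)
    if "PRIVATE KEY" not in label:
        raise ValueError(f"not a private key: {label}")
    if label == "ENCRYPTED PRIVATE KEY":
        return True
    return PROC_TYPE_RE.search(pem) is not None


def audit_key(pem, mode):
    """Findings for a key given its PEM text and its file mode bits."""
    findings = []
    if key_is_encrypted(pem):
        findings.append("encrypted: httpd will stop and ask for the passphrase "
                        "at every (re)start unless SSLPassPhraseDialog supplies it")
    else:
        findings.append("unencrypted: no startup prompt; file permissions are "
                        "now the only thing keeping the key private")
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"mode {mode:04o} lets group/other read it; expected 0600")
    return findings


def audit_key_file(path):
    """Convenience wrapper over audit_key for a key file on disk."""
    with open(path) as f:
        pem = f.read()
    return audit_key(pem, stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    for name, pem in [("traditional", ENCRYPTED_TRADITIONAL),
                      ("pkcs8", ENCRYPTED_PKCS8), ("unsecure", UNENCRYPTED)]:
        print(name, audit_key(pem, 0o644))
```

Run against the real key with `audit_key_file("/path/to/www.example.com.key")`: an encrypted key explains the nightly prompt, and a decrypted one with a mode looser than 0600 is the case Daniel's remark about "not really any more secure" warns about.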

RE: Certificate Problems

am 16.06.2004 11:20:22 von Boyle Owen

Plain text please...

If you got an error in the ssl error-log then apache must be running.
The invalid method error is exactly that - the HTTP method wasn't GET,
POST etc... What request were you making when you got the error?
Cross-check the access log for details...

It looks like your certificate common name is localhost.localdomain and
this doesn't match the ServerName argument which is what the warning is
about.

The DNS error means that the browser cannot resolve eghapp to an IP
address while curl, apparently, can. No idea why - depends on OS,
browser version, config etc. (eg, if the browser goes via a proxy, the
proxy will not see a local /etc/hosts definition of eghapp).

Tip: if you post back, cut'n'paste exact error messages - do not
paraphrase as this loses important information. Also, give OS, apache
1.3 or 2 etc.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.




-----Original Message-----
From: Richard Skeggs [mailto:RSKEGGS@mobius.com]
Sent: Mittwoch, 16. Juni 2004 11:07
To: 'modssl-users@modssl.org'
Subject: Certificate Problems


I am trying to set up ssl on my server and I have been through what I
believe are the correct settings. I can run the command line script
'openssl s_client -connect eghapp:443 -state -debug' and I don't appear to
get an error message. However when trying to start apache using the
startssl switch the following error turns up in the ssl_error_log:
[Tue Jun 15 15:11:04 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 15 15:11:04 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
[Tue Jun 15 15:11:07 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 15 15:11:07 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
[Tue Jun 15 15:26:34 2004] [error] [client 10.14.1.150] Invalid method in request
I have also been able to successfully run the command 'curl
https://eghapp'. However when I try to run 'https://eghapp' through the
browser I get an error saying that the DNS server cannot be found. On
checking, nothing gets written to any of the ssl log files.
Does anyone know how I can resolve this?
Thanks
Richard Skeggs
Software Engineer
Mobius Management Systems
Cavendish House
5 The Avenue
Egham
Surrey
TW20 9AB
Tel: +44 (0) 1784 484700
Mobile: + 44 (0) 7971 608315
email: rskeggs@mobius.com



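Owen's reply reads three things out of the quoted ssl_error_log: a CA=TRUE warning, a certificate CN that does not match ServerName, and an "Invalid method" error. As an added example (not code from the thread or from mod_ssl), the Python below parses that excerpt, classifies each entry, and applies the DNS-name matching rule that browsers and mod_ssl use, which shows why `localhost.localdomain` fails against the host being requested. `SERVER_NAME = "eghapp"` is assumed from the URL in Richard's post. The same matching function also covers the first thread's problem in general form: a certificate issued for one name does not cover a different host name, wildcard certificates aside.

```python
"""Triage mod_ssl startup warnings and check the certificate name against ServerName.

Added example, not code from the thread or from mod_ssl. SAMPLE_LOG is the
ssl_error_log excerpt quoted in the thread, re-joined to one line per entry.
SERVER_NAME is an assumption taken from the URL the poster was testing.
"""
import re

SAMPLE_LOG = """\
[Tue Jun 15 15:11:04 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 15 15:11:04 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
[Tue Jun 15 15:26:34 2004] [error] [client 10.14.1.150] Invalid method in request
"""
SERVER_NAME = "eghapp"  # assumed from the 'https://eghapp' URL in the post

# Apache 1.3/2.0 error_log layout: [timestamp] [level] [client ip] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
CN_RE = re.compile(r"CommonName \(CN\) `(?P<cn>[^']+)' does NOT match")


def parse_line(line):
    """Split one error_log line into its fields, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def hostname_matches(hostname, pattern):
    """DNS-name match as in RFC 6125: case-insensitive, label by label; a
    wildcard is allowed only as the entire leftmost label, covers exactly one
    label, and needs at least two fixed labels after it (so '*.com' never
    matches)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[0] != "" and host[1:] == pat[1:]
    return host == pat


def triage(log_text, server_name):
    """Return (kind, explanation) for each recognised entry, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        msg = entry["msg"]
        if "BasicConstraints: CA == TRUE" in msg:
            findings.append(("ca_cert_as_server_cert",
                             "server certificate carries CA=TRUE; a leaf "
                             "server certificate should not"))
            continue
        m = CN_RE.search(msg)
        if m:
            cn = m.group("cn")
            ok = hostname_matches(server_name, cn)
            findings.append(("cn_mismatch",
                             f"certificate CN {cn!r} vs ServerName {server_name!r}: "
                             f"match={ok}; browsers will warn until the names agree"))
            continue
        if msg.startswith("Invalid method in request"):
            findings.append(("invalid_method",
                             f"request from {entry['client']} did not start with "
                             "an HTTP method; cross-check the access log for what "
                             "was actually sent"))
    return findings


if __name__ == "__main__":
    for kind, text in triage(SAMPLE_LOG, SERVER_NAME):
        print(f"{kind}: {text}")
```

The matcher is deliberately strict: `www.example.com` is not covered by a certificate for `example.com`, `*.example.com` covers `www.example.com` but not `a.b.example.com`, and label comparison is case-insensitive. Feeding it the CN from the log and the ServerName from httpd.conf reproduces mod_ssl's startup warning before a browser ever sees the site.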