Error Code: -8182
on 02.06.2003 22:40:07 by Ronald Petty
I get the following error in my browser
"Could not establish an encrypted connection because certificate
presented by test.example.dom is invalid or corrupted. Error Code:
-8182"
when I go to my server via https. I looked in the archive and found
black magic like
"restart your browser"
I tried this spell, and alas, to no avail.
This happened to me before and it worked by restarting the browser.
Needless to say I don't like the idea of people having to do that. And
better when I click on the ok button (even though it is really not ok) I
get this in my logs
[02/Jun/2003 15:25:47 01074] [info] Connection to child 5 established (server test.example.dom:443, client x.x.x.x)
[02/Jun/2003 15:25:47 01074] [info] Seeding PRNG with 1160 bytes of entropy
[02/Jun/2003 15:29:12 01074] [error] SSL handshake failed (server test.example.dom:443, client x.x.x.x) (OpenSSL library error follows)
[02/Jun/2003 15:29:12 01074] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]
I have changed the client and the server name for my own security (don't
know if it matters). I heard that "CN in certificate not server name or
identical to CA!?" means dns is messed up, however DNS is working fine
for me (far as I can tell). I can pop/ssh/http to the test.example.dom
just fine. (No, it's not set in my /etc/host)
Any idea what I am doing wrong? I have never done this before so
please forgive my newbie ways.
Thanks
Ron
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
RE: Error Code: -8182
on 02.06.2003 22:48:09 by ahmed.nauman
Ronald,
The problem looks like your server SSL certificate does not have your
server name, say www.yoursite.com, as CN="www.yoursite.com" in Subject
Name. That is what both client and server sides are showing in
messages and logs. Can you please confirm if this is correct?
Regards
Nauman
RE: Error Code: -8182
on 03.06.2003 01:34:54 by Ronald Petty
I am trying to create my own certificate using my own CA. I used the
example in the FAQ
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29
So what file is "really my certificate"? Is it the server.key or the
ca.key?
I made a key using
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28
What file should I be checking?
Ron
RE: Error Code: -8182
on 03.06.2003 01:53:16 by Ronald Petty
OK, I think I figured it out. It really is what the error says (Imagine
that). I made myself a CA, then made another certificate. The other
certificate was exactly the same as the CA one.
Now it works using ca.key and ca.crt. However now I have two questions.
1) Why can't you have two exact same certs?
2) If they can't be the same, what has to be different?
... (let me sneak in a third question)
3) Is it safe to use the CA certs on a server? Or should I use a
machine that is not used via ssl normally and then copy the other certs
over?
... (one more :))
4) Is there more documentation for these kinds of questions? Did I
miss it in the man page?
Thanks everyone!
Ron
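A pre-deployment check for the two conditions named in the mod_ssl hint quoted in this thread, added here as an example (it is not code from the thread, the FAQ or mod_ssl). The function names, subjects and temporary files are constructed, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example; all subjects and file names below are constructed.

# Subject DN of a certificate, in one stable (RFC 2253) format.
subject_of() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# CN taken from the subject (assumes the CN holds no escaped comma).
cn_of() {
    subject_of "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_pair CA_CERT SERVER_CERT SERVER_NAME -> OK | SAME_AS_CA | CN_MISMATCH
check_pair() {
    if [ "$(subject_of "$2")" = "$(subject_of "$1")" ]; then
        echo SAME_AS_CA     # hint: "... identical to CA"
    elif [ "$(cn_of "$2")" != "$3" ]; then
        echo CN_MISMATCH    # hint: "Subject CN in certificate not server name"
    else
        echo OK
    fi
}

# demo CA_SUBJECT SERVER_SUBJECT SERVER_NAME
# Builds a throwaway CA and a server certificate signed by it, then checks them.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$1" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/server.crt" 2>/dev/null &&
    check_pair "$d/ca.crt" "$d/server.crt" "$3"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Both certificates filled in with the same answers, then a distinct CA name.
demo "/O=Example Org/CN=test.example.dom" "/O=Example Org/CN=test.example.dom" test.example.dom
demo "/O=Example Org/CN=Example Test CA" "/O=Example Org/CN=test.example.dom" test.example.dom
```

Current browsers compare the server name with the certificate's subjectAltName entries, so a certificate issued today needs that extension as well as a matching CN.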