Self-signed cert trouble - please help

on 03.06.2004 18:43:20 from Erik Lotspeich

Hi,

I've successfully made many self-signed certificates for Apache in the
past using the docs from the modssl and openssl websites. This time, I'm
completely stumped and I've searched all over the Internet without finding
an answer that helps. I'm getting this error message in my Apache logs:

[Thu Jun 3 09:00:11 2004] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]

The problem is that my cert CN is NOT identical to the CA CN and my CN
DOES match the server name. I'm trying to access my site at
https://www.lotspeich.org/. Here's my Apache config:


ServerAdmin erik@lotspeich.org
DocumentRoot /home/httpd/html
ServerName www.lotspeich.org
ServerAlias www lotspeich.org localhost
DirectoryIndex index.epl index.shtml index.html

# Enable/Disable SSL for this virtual host.
SSLEngine on

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
SSLCertificateFile /etc/httpd/conf/certs/server.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/conf/certs/server.key

SSLCACertificateFile /etc/httpd/conf/certs/ca.crt



Here's the information about my certificate:


[shrimp: /etc/httpd/conf/certs] root $ openssl x509 -noout -text -in server.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=California, L=Sunnyvale, CN=Erik Lotspeich/emailAddress=erik@lotspeich.org
Validity
Not Before: Jun 3 15:49:51 2004 GMT
Not After : Jun 3 15:49:51 2005 GMT
Subject: C=US, ST=California, L=Sunnyvale, CN=www.lotspeich.org/emailAddress=erik@lotspeich.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:da:c6:4a:02:23:38:c0:ba:44:00:20:30:47:bf:
22:54:20:77:0d:a0:b7:e5:66:9b:51:04:5a:94:92:
a2:dc:ed:01:b5:15:ab:7f:ca:37:f7:34:97:97:41:
08:3b:fa:3c:d4:71:c7:01:3b:1c:03:a5:4c:e6:4e:
15:42:b9:cd:cd:9c:5c:6d:75:b7:42:0c:11:3c:39:
94:b3:2a:ac:40:45:c6:c3:2b:f2:e1:4f:5c:5c:fa:
e1:5e:4b:12:1a:59:cb:0f:36:ea:57:78:8a:ec:4e:
46:03:19:0b:29:71:7d:fb:f8:97:92:9c:e3:a0:fa:
69:05:02:24:a7:32:77:77:a9
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
3b:a1:ae:b7:ac:75:8d:54:68:2e:25:03:30:af:db:26:82:33:
4c:1e:89:fb:cd:03:5f:c3:0e:0d:87:c4:c9:88:57:3a:16:b6:
af:19:d9:8d:2d:89:c9:c5:40:b9:72:f3:63:44:a4:bf:10:29:
90:0b:c7:78:44:c6:73:30:b2:67:49:3b:79:a1:05:50:27:7c:


I tried to follow all of the documentation for making my own CA, CSR, and
signing my certificate. I used the following commands in this order:

/usr/local/ssl/misc/CA.sh -newca
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
cp demoCA/cacert.pem ca.crt
cp demoCA/cakey.pem ca.key
/usr/src/compile/mod_ssl-2.8.18-1.3.31/pkg.contrib/sign.sh server.csr

Am I missing something simple here? Any help would be greatly
appreciated. My Apache server's version string is this:

Apache/1.3.27 (Unix) PHP/4.3.4 mod_ssl/2.8.11 OpenSSL/0.9.6g mod_perl/1.27

I'm creating the certificates with OpenSSL 0.9.7d.

Thanks in advance,

Erik.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
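The "sslv3 alert bad certificate" in the log above is an alert the server read from the peer, i.e. the browser rejected the certificate; mod_ssl's bracketed hint is only its generic guess at why. The script below is an added example, not Erik's commands and not mod_ssl's CA.sh or sign.sh: it performs the same CA -> key -> CSR -> signed server certificate procedure non-interactively, then runs the checks a practitioner would make before touching Apache: the server certificate chains to ca.crt, its subject CN equals the ServerName, and its issuer is the CA rather than itself. It deviates from the posted procedure in ways current clients require: SHA-256 instead of MD5, 2048-bit keys instead of 1024, and a subjectAltName extension, because modern browsers ignore the CN entirely. The output directory, the CA name "Example Test CA" and the hostname passed in are assumptions for the example. The posted SSLCipherSuite also admits +eNULL and +EXP ciphers; a current deployment should drop both.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive replacement for
# CA.sh -newca + req + sign.sh, plus the subject/issuer/chain checks that the
# mod_ssl hint "Subject CN not server name or identical to CA" refers to.
set -eu

# make_ca_and_server_cert DIR HOST
# Writes DIR/ca.key, DIR/ca.crt, DIR/server.key, DIR/server.csr, DIR/server.crt.
# DIR and HOST are caller-supplied assumptions; the CA name is made up.
make_ca_and_server_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # 1. Self-signed CA with a CN that differs from the server's CN, so the
    #    two certificates are never "identical" as the hint warns.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=US/ST=California/L=Sunnyvale/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and CSR. The CN must equal the ServerName clients type.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/server.key" \
        -subj "/C=US/ST=California/L=Sunnyvale/CN=$host" \
        -out "$dir/server.csr" 2>/dev/null
    # 3. Sign the CSR with the CA. The extension file adds a SAN (what modern
    #    clients actually match) and marks the leaf as a non-CA server cert.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# cert_name_cn FILE subject|issuer : print the CN of that name field.
cert_name_cn() {
    openssl x509 -noout "-$2" -nameopt lname,sep_multiline -in "$1" \
        | sed -n 's/^ *commonName=//p'
}

# cert_chain_ok DIR : succeeds only if server.crt verifies against ca.crt,
# which is what SSLCACertificateFile is for on the Apache side.
cert_chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# server_cert_sane DIR HOST : the three conditions behind the mod_ssl hint.
#   subject CN == HOST, issuer CN == CA's subject CN, subject CN != CA CN,
#   and the chain verifies.
server_cert_sane() {
    scn=$(cert_name_cn "$1/server.crt" subject)
    icn=$(cert_name_cn "$1/server.crt" issuer)
    cacn=$(cert_name_cn "$1/ca.crt" subject)
    [ "$scn" = "$2" ] && [ "$icn" = "$cacn" ] && [ "$scn" != "$cacn" ] \
        && cert_chain_ok "$1"
}

# Usage: sh thisscript.sh /tmp/certs www.example.test
if [ "$#" -eq 2 ]; then
    make_ca_and_server_cert "$1" "$2"
    if server_cert_sane "$1" "$2"; then
        echo "ok: $2 signed by $(cert_name_cn "$1/ca.crt" subject), chain verifies"
    else
        echo "FAIL: subject/issuer/chain check" >&2
        exit 1
    fi
fi
```

Point SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile at the generated server.crt, server.key and ca.crt; a client will still warn until ca.crt is imported into its trust store, but it will no longer send "bad certificate" for a name mismatch, and `openssl verify` tells you before restart whether the chain itself is right.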