Re: Apache SSL problem (64 Views)
Frequent Advisor
Seetha Lakshmi
Posts: 48
Registered: ‎11-16-2004
Message 1 of 17 (64 Views)

Apache SSL problem

I have a web application using SSL. On some servers my application doesn't start and the following error message is logged in the error log file.

[Thu Feb 3 03:35:39 2005] [crit] error setting verify locations
[Thu Feb 3 03:35:39 2005] [crit] error:02001002:system library:fopen:No such file or directory
[Thu Feb 3 03:35:39 2005] [crit] error:2006D002:BIO routines:BIO_new_file:system lib
[Thu Feb 3 03:35:39 2005] [crit] error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

Can anyone help me with the problem?
Honored Contributor
RAC_1
Posts: 5,920
Registered: ‎03-21-2002
Message 2 of 17 (64 Views)

Re: Apache SSL problem

To me it looks like it is a problem with a few of the libraries on some boxes. Are all libraries present on the boxes where it is a problem?

Anil
There is no substitute to HARDWORK
Frequent Advisor
Seetha Lakshmi
Posts: 48
Registered: ‎11-16-2004
Message 3 of 17 (64 Views)

Re: Apache SSL problem

Can you mention the names of the library files?
Honored Contributor
Peter Godron
Posts: 4,470
Registered: ‎02-13-2002
Message 4 of 17 (64 Views)

Re: Apache SSL problem

Seetha,
have you got an SSLCertificateFile or SSLCertificateKeyFile?
Where are they located?
Regards
Frequent Advisor
Seetha Lakshmi
Posts: 48
Registered: ‎11-16-2004
Message 5 of 17 (64 Views)

Re: Apache SSL problem

Yes, they are located under apache/ssl/certs and apache/ssl/private directories.
Honored Contributor
Peter Godron
Posts: 4,470
Registered: ‎02-13-2002
Message 6 of 17 (64 Views)

Re: Apache SSL problem

Seetha,
may also be worthwhile to try:
SSLCACertificatePath may have to be fully qualified
i.e. same as ServerRoot
ServerRoot /etc/httpsd
SSLCACertificatePath /etc/httpsd/certifs
Regards
Frequent Advisor
Seetha Lakshmi
Posts: 48
Registered: ‎11-16-2004
Message 7 of 17 (64 Views)

Re: Apache SSL problem

Yes, I have fully qualified the certificate file and the key file.

SSLCertificateKeyFile apache/ssl/private/$WEB_HOST.key
SSLCertificateFile apache/ssl/certs/$WEB_HOST.cert

Honored Contributor
Peter Godron
Posts: 4,470
Registered: ‎02-13-2002
Message 8 of 17 (64 Views)

Re: Apache SSL problem

Seetha,
would you not need a "/" before the first entry to make the path absolute?
Exalted Contributor
Steven E. Protter
Posts: 33,806
Registered: ‎08-15-2002
Message 9 of 17 (64 Views)

Re: Apache SSL problem

Are these the SSL keys and Certs that came with apache. Those are somewhat fake and useless, using the name localhost.localdomain.

I recently learned (last Friday) how to generate proper ssl certificates and keys. If this is where the problem is I can connect to a machine at another office and get you the script I developed to semi automate the process.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Frequent Advisor
Seetha Lakshmi
Posts: 48
Registered: ‎11-16-2004
Message 10 of 17 (64 Views)

Re: Apache SSL problem

No, actually I have set them as follows.

SSLCertificateKeyFile $WEB_HOME/data/apache/ssl/private/$WEB_HOST.key
SSLCertificateFile $WEB_HOME/data/apache/ssl/certs/$WEB_HOST.cert

Where the variables WEB_HOME and WEB_HOST are set by the application.

Frequent Advisor
Seetha Lakshmi
Posts: 48
Registered: ‎11-16-2004
Message 11 of 17 (64 Views)

Re: Apache SSL problem

No, the SSL certificate and key were created for the application by us.
Honored Contributor
Peter Godron
Posts: 4,470
Registered: ‎02-13-2002
Message 12 of 17 (64 Views)

Re: Apache SSL problem

Seetha,
as my last attempt, can you replace the $variables with hardcoded values and try again? My thinking is: what happens if $WEB_HOME or $WEB_HOST are incorrect/blank?
That would explain the no such file message.
Regards
Frequent Advisor
Seetha Lakshmi
Posts: 48
Registered: ‎11-16-2004
Message 13 of 17 (64 Views)

Re: Apache SSL problem

This situation is impossible because all these environment variables are set in a particular ".ksh" file and it is run each time the application starts. Also the application will not start if these variables are not set.
Frequent Advisor
Seetha Lakshmi
Posts: 48
Registered: ‎11-16-2004
Message 14 of 17 (64 Views)

Re: Apache SSL problem

I also tried setting the SSLCertificateFile and SSLCertificateKeyFile specifying the absolute path, but I still get the same error. Can someone help me with the problem?
Valued Contributor
VEL_1
Posts: 140
Registered: ‎12-08-2004
Message 15 of 17 (64 Views)

Re: Apache SSL problem

Hi,

I think it is looking for the CA certificate file.
Try to add SSLCACertificateFile option also.

like:

SSLCertificateFile /tmp/server.crt
SSLCertificateKeyFile /tmp/myserver.key
SSLCACertificateFile /tmp/other-bundle.txt
Valued Contributor
VEL_1
Posts: 140
Registered: ‎12-08-2004
Message 16 of 17 (64 Views)

Re: Apache SSL problem

Here are the steps I did for Apache with SSL:

To build apache with OpenSSL for secure communication, use the following steps.

Steps:

I. Build

a. Untar the Source & configure, gmake and gmake install

# tar -zxvf httpd-2.0.46.tar.gz

b. Configure the apache with options

# cd httpd-2.0.46
# ./configure --prefix=/usr/local/apache --with-ssl=/usr/local/ssl/lib --enable-expires --enable-ssl --enable-rewrite --enable-so --enable-xml --enable-modules=most

c. Compile & install the apache using following commands

# gmake
# gmake install

II. Create Certificate Authority (CA)

a. To create RSA private key

# /usr/local/ssl/bin/openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
...++++++
............++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
#

b. To create self-signed CA certificate

# /usr/local/ssl/bin/openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:TN
Locality Name (eg, city) []:CBE
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cisco
Organizational Unit Name (eg, section) []:OpenSource
Common Name (eg, YOUR name) []:linuxtest.cisco.com
Email Address []:opensource@cisco.com
#

III. Create SSL Certificate

a. To create RSA private key

# /usr/local/ssl/bin/openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
...............................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
#

b. Decrypt private key (so that apache can start w/o asking for password)

# mv server.key server.key.secure
# /usr/local/ssl/bin/openssl rsa -in server.key.secure -out server.key
Enter pass phrase for server.key.secure:
writing RSA key
#

c. To create a Certificate Signing Request (CSR)

# /usr/local/ssl/bin/openssl req -new -days 365 -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:TN
Locality Name (eg, city) []:CBE
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cisco
Organizational Unit Name (eg, section) []:OpenSource
Common Name (eg, YOUR name) []:linuxtest.cisco.com
Email Address []:opensource@cisco.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:welcome
An optional company name []:Senas.net
#

IV. Sign SSL Certificate

# /usr/local/ssl/bin/openssl x509 -req -days 30 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=IN/ST=TN/L=CBE/O=cisco/OU=OpenSource/CN=linuxtest.cisco.com/emailAddress=opensource@cisco.com
Getting Private key
#

V. Create directories for SSL certificate & key and copy the certificate & key to corresponding directories

# mkdir /usr/local/apache/conf/ssl.crt
# mkdir /usr/local/apache/conf/ssl.key
# cp server.crt ssl.crt
# cp server.key ssl.key

VI. Apache configuration

In /usr/local/apache/conf/httpd.conf,

ServerName linuxtest.cisco.com
ServerAdmin sysadmin@linuxtest.cisco.com

VII. Start Apache

# /usr/local/apache/bin/apachectl startssl // both 80 & 443

To check whether apache listens on port 80 & 443

a. Use "netstat" command

# netstat -na | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
# netstat -na | grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN

b. Use the following URL's

http://127.0.0.1/
https://127.0.0.1/

VIII. Stop apache

# /usr/local/apache/bin/apachectl stop

To check whether apache still listens on port 80 & 443

# netstat -na | grep 80
# netstat -na | grep 443
#


Note: See the file /usr/local/apache/conf/ssl.conf for SSL configuration
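The CA and server-certificate steps above (II to IV) as a non-interactive script. This is an added example, not code from VEL_1's post or from Apache/OpenSSL: it assumes a working `openssl` on PATH, the DN values are constructed, and the 2048-bit keys and SHA-256 digests are this example's own choices. It also differs from step IV in one deliberate respect: it signs server.csr with the CA key instead of -signkey, so that ca.crt is a valid verify location for server.crt, which is the relationship SSLCACertificateFile expresses.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apache/OpenSSL: the CA and
# server-certificate steps run non-interactively (-subj instead of the DN
# prompts; no -des3 on the server key, which replaces step III.b).
# Assumes `openssl` on PATH. DN values, 2048-bit keys and SHA-256 are this
# example's own choices.

# make_test_pki DIR
# Builds ca.key/ca.crt and server.key/server.csr/server.crt in DIR and checks
# that server.crt chains to ca.crt. Returns non-zero if any step fails.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    (
        set -e
        cd "$dir"

        # II. CA: RSA private key and self-signed CA certificate.
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -days 365 -sha256 -key ca.key -out ca.crt \
            -subj "/C=IN/ST=TN/L=CBE/O=Example/OU=OpenSource/CN=Example Test CA"

        # III. Server: RSA private key (no pass phrase, so httpd starts unattended)
        #      and a CSR whose CN is the host name clients will connect to.
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -new -sha256 -key server.key -out server.csr \
            -subj "/C=IN/ST=TN/L=CBE/O=Example/OU=OpenSource/CN=linuxtest.example.com"

        # IV. Sign the CSR with the CA key. Step IV above uses -signkey, which
        #     yields a self-signed server.crt; signing with the CA instead is what
        #     makes ca.crt a valid SSLCACertificateFile for this server.crt.
        openssl x509 -req -days 30 -sha256 -in server.csr \
            -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt 2>/dev/null

        # The check mod_ssl effectively performs at startup: can server.crt be
        # verified with ca.crt as the trust anchor? Prints "server.crt: OK".
        openssl verify -CAfile ca.crt server.crt
    )
}

# verify_against_ca CA_FILE CERT_FILE
# Returns 0 when CERT_FILE verifies against CA_FILE, non-zero otherwise.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: sh make_test_pki.sh /path/to/workdir
if [ $# -gt 0 ]; then
    make_test_pki "$1"
fi
```

Point SSLCertificateFile at server.crt, SSLCertificateKeyFile at server.key and SSLCACertificateFile at ca.crt; a cert produced with -signkey (self-signed) will not verify against ca.crt, which is why the two signing modes are not interchangeable once a CA file is configured.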
Frequent Advisor
Seetha Lakshmi
Posts: 48
Registered: ‎11-16-2004
Message 17 of 17 (64 Views)

Re: Apache SSL problem

Thanks everyone

The error message was due to absence of CA certificate file. When I set the valid file name for SSLCACertificateFile it worked properly.
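A pre-start check that would have caught both suspects raised in this thread (a relative path, and a directive whose $VARIABLE-built value points at a file that does not exist). This is an added example, not code from the thread or from Apache: it reads whatever httpd.conf path it is given, expands $VAR and ${VAR} references from the current shell environment the way the poster's $WEB_HOME/$WEB_HOST setup relies on, and reports every SSLCertificateFile, SSLCertificateKeyFile, SSLCACertificateFile or SSLCACertificatePath value that is not an absolute path to an existing file or directory. The directive names are real mod_ssl directives; the function names and the sample config in the usage are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apache: a pre-start check for
# mod_ssl path directives. Config values are substituted, never passed to eval.

# expand_vars STRING
# Prints STRING with every $NAME or ${NAME} replaced by that shell variable's
# value (empty when unset). Longer names are substituted first so $WEB_HOST does
# not clobber $WEB_HOSTNAME. Assumes values contain no '|' or '&' (sed syntax).
expand_vars() {
    s="$1"
    for name in $(printf '%s\n' "$s" | grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*\}?' \
                  | tr -d '${}' | sort -ru); do
        eval "val=\"\${$name:-}\""          # name is regex-validated, so eval is safe
        s=$(printf '%s\n' "$s" | sed "s|\\\${$name}|$val|g; s|\\\$$name|$val|g")
    done
    printf '%s\n' "$s"
}

# check_ssl_paths HTTPD_CONF
# Prints one line per problem; returns 0 only when every SSL path directive resolves.
check_ssl_paths() {
    conf="$1"
    problems=$(
        grep -E '^[[:space:]]*SSL(CertificateFile|CertificateKeyFile|CACertificateFile|CACertificatePath)[[:space:]]' "$conf" |
        while read -r directive value; do
            value=${value%\"}; value=${value#\"}      # strip optional surrounding quotes
            path=$(expand_vars "$value")
            case "$path" in
                /*) ;;
                *)  echo "$directive: '$path' is not absolute; httpd would resolve it relative to ServerRoot"
                    continue ;;
            esac
            if [ "$directive" = SSLCACertificatePath ]; then
                [ -d "$path" ] || echo "$directive: directory '$path' does not exist"
            else
                [ -f "$path" ] || echo "$directive: file '$path' does not exist"
            fi
        done
    )
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Usage (after sourcing the same .ksh that sets WEB_HOME/WEB_HOST):
#   sh check_ssl_paths.sh /usr/local/apache/conf/httpd.conf
if [ $# -gt 0 ]; then
    check_ssl_paths "$1"
fi
```

Run it from the same environment that starts httpd, since a variable that is set in the application's .ksh but not in the shell running the check will expand to an empty string and produce exactly the kind of "does not exist" report the real startup would have logged as "error setting verify locations".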