redhat_apache_ssl

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



Subject: Apache-SSL
From: Juan Martinez <martinez@eecs.cwru.edu>
Date: Tue, 11 Jul 2000 11:21:09 -0400 (EDT)

Hello listers,

I've installed apache-ssl-1.3.6_1.35-3.i386.rpm and
openssl-0.9.5a-1.i386.rpm on a RedHat 6.2 system.

I've generated a dummy certificate and the httpsd daemon
starts.  When I try to load a page however, the client shows
a "Network: Broken Pipe" error.  For each attempt to read a
page, the httpsd error log shows something like:

[Tue Jul 11 10:54:07 2000] [notice] child pid 8946 exit signal
Segmentation fault (11)



Does anyone know why the segfaults might happen?
Do I need to provide more information?
Any apache-ssl lists?


Juan


===

Subject: Re: Apache-SSL
From: "Greg Wright" <redhat_list@mail.com>
Date: Wed, 12 Jul 2000 03:19:28 +1000

*********** REPLY SEPARATOR  ***********

On 11/07/00 at 11:21 Juan Martinez wrote:

>Hello listers,
>
>I've installed apache-ssl-1.3.6_1.35-3.i386.rpm and
>openssl-0.9.5a-1.i386.rpm on a RedHat 6.2 system.
>
>I've generated a dummy certificate and the httpsd daemon
>starts.  When I try to load a page however, the client shows
>a "Network: Broken Pipe" error.  For each attempt to read a
>page, the httpsd error log shows something like:
>

you can get my 1.3.9 rpm from ftp.zedz.net, I can send the pgp sig for
you to check the file, it will install with dummy certs etc and just
work....

I think Gordon M may have a 1.3.12 RPM , but I have not looked at his setup
etc , his site is  ftp.eburg.com

Also I know for a fact that Michael McGillick has worked on one as well
very recently.

I am not sure of what restrictions etc legally you may have.

===

Subject: Re: Apache-SSL
From: Gordon Messmer <yinyang@eburg.com>
Date: Tue, 11 Jul 2000 14:51:45 -0700

Juan Martinez wrote:
> I've generated a dummy certificate and the httpsd daemon
> starts.  When I try to load a page however, the client shows
> a "Network: Broken Pipe" error.  For each attempt to read a
> page, the httpsd error log shows something like:
> 
> [Tue Jul 11 10:54:07 2000] [notice] child pid 8946 exit signal
> Segmentation fault (11)

You've probably got your certificates and keys mixed up.  Try using the
attached script.

Attached file: Generate_SSL_Certificate

#!/bin/sh

#
# This is a self documenting shell script.  It is intended that you read
#  this file before executing it.
# There are a few things that should be checked further:
#  1) This script creates new private keys for every CSR.  As far as I know,
#     you can create any number of CSR's using the same key.  Are there any
#     advantages/disadvantages to creating new keys for each certificate?
#     Should we be reusing keys?
#  2) This script unencrypts the private key so that apache can use it.
#     Does apache-ssl need the key to function?  If not, we can avoid
#     keeping an unencrypted key around, and avoid specifying that file
#     in apache's configs.
#
# This script should be run in /usr/local/ssl/certs.archive/<DOMAIN>/<YEAR>,
#  so that we can keep an archival copy of all certificates, and related
#  files.
# Once finished, the certificate should be placed in /usr/local/ssl/certs,
#  and the private key (unencrypted) should be in /usr/local/ssl/private
#
# All of the files in /usr/local/ssl/private should be mode 0400, and owned
#  by root.  Apache will read them as root, before it drops root permissions.
# The original keys should also be mode 0400 and owned by root.
#

PATH=$PATH:/usr/local/ssl/bin

#
# Stop at the first failing step instead of carrying on with a missing or
#  half-written key, and create every new file owner-readable only, because
#  the unencrypted key is written into the current directory below.
#
set -e
umask 077

#
# Give the domain name as the first argument to this script.
#
DOMAIN=$1
if [ -z "$DOMAIN" ]; then
	echo "No domain given"
	exit 1
fi

#
# If you wish to have an organization's name attached to this certificate,
#  then it should be the second argument to this script.
# Because SSL does not require this field, no default is given.  However,
#  Thawte may require an organization's name to be attached to a certificate,
#  so this script SHOULD be called as:
#  ./Generate_SSL_Certificate <DOMAINNAME> "<Organization Name>"
#
ORG=$2
if [ -z "$ORG" ]; then
	echo "No organization name given, using \".\""
	ORG="."
fi
EMAIL=$3
if [ -z "$EMAIL" ]; then
	echo "No email address given, using support@eburg.com"
	EMAIL=support@eburg.com
fi

#
# The first step in generating a certificate is to generate a CSR, or
#  certificate request.  This step will also generate an encrypted,
#  private key, called privkey.pem.  Don't lose this file, or the
#  password used to encrypt the key.  That would be bad.
# The here-document answers the subject prompts in the order openssl.cnf
#  asks them (country, state, locality, organization, organizational unit,
#  common name, email, then the two optional extras).  The pass phrase for
#  the new key is still read from the terminal.
#
openssl req -new > "${DOMAIN}.csr" <<EOF
US
Washington
Ellensburg
${ORG}
.
${DOMAIN}
${EMAIL}


EOF


#
# Now, we remove the password (unencrypt) from the domain's private key.
# The resulting key is used by apache.
#
openssl rsa -in privkey.pem -out "${DOMAIN}.cert.key"


#
# Finally, use the CSR (certificate request) and our own private key to
#  create a "self signed" certificate.  This certificate can be used
#  until a certificate signed by a known authority (eg Thawte) is
#  available.
#
openssl x509 -in "${DOMAIN}.csr"		\
        -out "${DOMAIN}.cert"		\
        -req -signkey			\
        "${DOMAIN}.cert.key" -days 365

#
# I'm renaming this file for consistency.
#
mv privkey.pem "${DOMAIN}.privkey.pem"

#
# Both key files should be mode 0400, as noted at the top of this script.
#
chmod 0400 "${DOMAIN}.privkey.pem" "${DOMAIN}.cert.key"


#
# We should now have the following files:
#  DOMAIN.privkey.pem		The PEM encrypted private key
#  DOMAIN.cert.key		The unencrypted private key used by apache
#  DOMAIN.csr			The certificate request used by Thawte
#  DOMAIN.cert			The certificate that we signed
#



===

Subject: Re: Apache-SSL
From: "Michael J. McGillick" <mike@universe.ne.mediaone.net>
Date: Tue, 11 Jul 2000 15:22:38 -0400 (EDT)

On Wed, 12 Jul 2000, Greg Wright wrote:

> 
> 
> *********** REPLY SEPARATOR  ***********
> 
> On 11/07/00 at 11:21 Juan Martinez wrote:
> 
> >Hello listers,
> >
> >I've installed apache-ssl-1.3.6_1.35-3.i386.rpm and
> >openssl-0.9.5a-1.i386.rpm on a RedHat 6.2 system.
> >
> >I've generated a dummy certificate and the httpsd daemon
> >starts.  When I try to load a page however, the client shows
> >a "Network: Broken Pipe" error.  For each attempt to read a
> >page, the httpsd error log shows something like:
> >
> 
> you can get my 1.3.9 rpm from ftp.zedz.net, I can send the pgp sig for
> you to check the file, it will install with dummy certs etc and just
> work....
> 
> I think Gordon M may have a 1.3.12 RPM , but I have not looked at his setup
> etc , his site is  ftp.eburg.com
> 
> Also I know for a fact that Michael McGillick has worked on one as well
> very recently.
> 
> I am not sure of what restrictions etc legally you may have.

Juan:

My RPM is just about finished (putting the final touches on it now).  It
installs completely configured with a dummy certificate, and blends
flawlessly into a Red Hat 6.2 installation.  The httpsd.conf file comes
preconfigured to run both http and https connections off just the one
server.  Using ntsysv, you would simply stop httpd, and start up
httpsd.  The final things I'm looking at are integrating php4 support.

- Mike

===

Subject: Re: Apache-SSL
From: Juan Martinez <martinez@eecs.cwru.edu>
Date: Tue, 11 Jul 2000 15:14:57 -0400 (EDT)

On Wed, 12 Jul 2000, Greg Wright wrote:

> *********** REPLY SEPARATOR  ***********
> 
> On 11/07/00 at 11:21 Juan Martinez wrote:
> 
> >Hello listers,
> >
> >I've installed apache-ssl-1.3.6_1.35-3.i386.rpm and
> >openssl-0.9.5a-1.i386.rpm on a RedHat 6.2 system.
> >
> >I've generated a dummy certificate and the httpsd daemon
> >starts.  When I try to load a page however, the client shows
> >a "Network: Broken Pipe" error.  For each attempt to read a
> >page, the httpsd error log shows something like:
> >
> 
> you can get my 1.3.9 rpm from ftp.zedz.net, I can send the pgp sig for
> you to check the file, it will install with dummy certs etc and just
> work....
> 
> I think Gordon M may have a 1.3.12 RPM , but I have not looked at his setup
> etc , his site is  ftp.eburg.com
> 
> Also I know for a fact that Michael McGillick has worked on one as well
> very recently.
> 
> I am not sure of what restrictions etc legally you may have.
> 
> Regards
> 
> Greg Wright
> IT Consultant Sydney Australia

Greg,

Thanks for the more recent version of apache-ssl.

I don't have any legal restrictions at all so I grabbed
a copy of your 1.3.9 rpm.  I installed it and got it started
but it segfaults the same as the other one did.  The child
process dies when I try to load the index page that comes with
the package.

The error message I get on the client side is "Connection
reset by peer".  The error_log file shows:

[Tue Jul 11 15:12:09 2000] [notice] child pid 9822 exit signal
Segmentation fault (11)


Is there anything else I can try?  I really need to get this
thing working.  Any more hints/advice?


===

Subject: Re: Apache-SSL
From: "Greg Wright" <redhat_list@mail.com>
Date: Wed, 12 Jul 2000 18:22:40 +1000

*********** REPLY SEPARATOR  ***********

On 11/07/00 at 14:51 Gordon Messmer wrote:

>Juan Martinez wrote:
>> I've generated a dummy certificate and the httpsd daemon
>> starts.  When I try to load a page however, the client shows
>> a "Network: Broken Pipe" error.  For each attempt to read a
>> page, the httpsd error log shows something like:
>> 
>> [Tue Jul 11 10:54:07 2000] [notice] child pid 8946 exit signal
>> Segmentation fault (11)
>
>You've probably got your certificates and keys mixed up.  Try using the
>attached script.
>


Yes, it's odd, I also believe maybe the certs are being damaged in the
download (FTP mode maybe wrong), I know it works because I compiled it on a
6.1 box recently after getting the same report from someone else. I suggest
recompiling from SRPM and do not modify the conf file at all after
install, apart from that it's something in the box itself I have not
encountered.

Mail me privately and I will give you a HTTP URL that you can use Lynx to
download from......

REMEMBER I included dummy certs as part of the RPM install, do not generate
anything, just install and it should be working.
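Both explanations offered in this thread, Gordon's (certificate and key mixed up) and Greg's (certificate damaged in an FTP transfer), can be ruled in or out before httpsd is started. The script below is an added example for this archive page; it is not Gordon's attachment and not part of any of the RPMs mentioned. It compares the public key embedded in the certificate with the public half derived from the private key, returns 2 when either file no longer parses as PEM (which is what a certificate mangled in transfer looks like), and checks the key file mode that the comments in Gordon's script call for. The two paths are arguments supplied by the operator; `openssl pkey` is assumed to be available (it is newer than the 0.9.5a build in the thread; `openssl rsa -pubout` would do for RSA keys on that version).

```shell
#!/bin/sh
# Added example for this thread (not Gordon's attachment, not part of any
# apache-ssl RPM): sanity-check a certificate/key pair before starting httpsd.
# Both file paths are supplied by the operator as arguments.

# Public key embedded in the certificate, as PEM.  Fails if the file does not
# parse as X.509, which is also what a certificate damaged in transfer looks like.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Public half of the private key, as PEM, in the same SubjectPublicKeyInfo form
# that 'openssl x509 -pubkey' emits.  An encrypted key prompts for its pass
# phrase on the terminal; the unencrypted DOMAIN.cert.key does not.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# 0: certificate and key belong together
# 1: both parse, but the certificate was not issued for this key
# 2: one of the files is missing or not readable as PEM
cert_key_match() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] && [ -n "$k" ] || return 2
    [ "$c" = "$k" ]
}

# 0 if the key file is readable only by its owner (mode 0400 or 0600), 1 if
# group or others can read it, 2 if it does not exist.  Root ownership is not
# checked here, since the check would have to run as root to mean anything.
key_perms_ok() {
    [ -f "$1" ] || return 2
    [ -z "$(find "$1" \( -perm -g+r -o -perm -o+r \) -print)" ]
}

# Usage (paths follow the layout described in Gordon's script):
#   sh check_cert_key.sh /usr/local/ssl/certs/DOMAIN.cert \
#                        /usr/local/ssl/private/DOMAIN.cert.key
if [ "$#" -eq 2 ]; then
    cert_key_match "$1" "$2"; status=$?
    case $status in
        0) echo "OK: the public key in $1 matches $2" ;;
        1) echo "MISMATCH: $1 was not issued for the key in $2" ;;
        *) echo "ERROR: could not read $1 or $2 as PEM" ;;
    esac
    key_perms_ok "$2" || echo "WARNING: $2 is readable by group or others; expected mode 0400"
    exit $status
fi
```

A MISMATCH result means the certificate and the key in the configuration came from different runs of the generator; regenerate both in one run so the key `openssl req` writes is the same one the CSR and the self-signed certificate are built on. An ERROR on a file that was copied from another machine points at the transfer rather than at the generator.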

===