This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
Subject: Apache-SSL
From: Juan Martinez <martinez@eecs.cwru.edu>
Date: Tue, 11 Jul 2000 11:21:09 -0400 (EDT)

Hello listers,

I've installed apache-ssl-1.3.6_1.35-3.i386.rpm and
openssl-0.9.5a-1.i386.rpm on a RedHat 6.2 system.

I've generated a dummy certificate and the httpsd daemon
starts. When I try to load a page however, the client shows
a "Network: Broken Pipe" error. For each attempt to read a
page, the httpsd error log shows something like:

[Tue Jul 11 10:54:07 2000] [notice] child pid 8946 exit signal Segmentation fault (11)

Does anyone know why the segfaults might happen? Do I need to
provide more information? Any apache-ssl lists?

Juan

===
Subject: Re: Apache-SSL
From: "Greg Wright" <redhat_list@mail.com>
Date: Wed, 12 Jul 2000 03:19:28 +1000

*********** REPLY SEPARATOR ***********

On 11/07/00 at 11:21 Juan Martinez wrote:

>Hello listers,
>
>I've installed apache-ssl-1.3.6_1.35-3.i386.rpm and
>openssl-0.9.5a-1.i386.rpm on a RedHat 6.2 system.
>
>I've generated a dummy certificate and the httpsd daemon
>starts. When I try to load a page however, the client shows
>a "Network: Broken Pipe" error. For each attempt to read a
>page, the httpsd error log shows something like:
>

you can get my 1.3.9 rpm from ftp.zedz.net, I can send the pgp sig for
you to check the file, it will install with dummy certs etc and just
work....

I think Gordon M may have a 1.3.12 RPM, but I have not looked at his setup
etc, his site is ftp.eburg.com

Also I know for a fact that Michael McGillick has worked on one as well
very recently.

I am not sure of what restrictions etc legally you may have.

===
Subject: Re: Apache-SSL
From: Gordon Messmer <yinyang@eburg.com>
Date: Tue, 11 Jul 2000 14:51:45 -0700

This is a multi-part message in MIME format.
--------------389CE707E0D7AFD653895CDE
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Juan Martinez wrote:
> I've generated a dummy certificate and the httpsd daemon
> starts.
> When I try to load a page however, the client shows
> a "Network: Broken Pipe" error. For each attempt to read a
> page, the httpsd error log shows something like:
>
> [Tue Jul 11 10:54:07 2000] [notice] child pid 8946 exit signal
> Segmentation fault (11)

You've probably got your certificates and keys mixed up. Try using the
attached script.

MSG

--------------389CE707E0D7AFD653895CDE
Content-Type: text/plain; charset=us-ascii; name="Generate_SSL_Certificate"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="Generate_SSL_Certificate"

#!/bin/sh
#
# This is a self documenting shell script. It is intended that you read
# this file before executing it.
# There are a few things that should be checked further:
# 1) This script creates new private keys for every CSR. As far as I know,
#    you can create any number of CSR's using the same key. Are there any
#    advantages/disadvantages to creating new keys for each certificate?
#    Should we be reusing keys?
# 2) This script unencrypts the private key so that apache can use it.
#    Does apache-ssl need the key to function? If not, we can avoid
#    keeping an unencrypted key around, and avoid specifying that file
#    in apache's configs.
#
# This script should be run in /usr/local/ssl/certs.archive/<DOMAIN>/<YEAR>,
# so that we can keep an archival copy of all certificates, and related
# files.
# Once finished, the certificate should be placed in /usr/local/ssl/certs,
# and the private key (unencrypted) should be in /usr/local/ssl/private
#
# All of the files in /usr/local/ssl/private should be mode 0400, and owned
# by root. Apache will read them as root, before it drops root permissions.
# The original keys should also be mode 0400 and owned by root.
#

PATH=$PATH:/usr/local/ssl/bin

#
# Give the domain name as the first argument to this script.
#
DOMAIN="$1"
[ "$DOMAIN" = "" ] && {
        echo "No domain given"
        exit 1
}

#
# If you wish to have an organization's name attached to this certificate,
# then it should be the second argument to this script.
# Because SSL does not require this field, no default is given. However,
# Thawte may require an organization's name to be attached to a certificate,
# so this script SHOULD be called as:
# ./Generate_SSL_Certificate <DOMAINNAME> "<Organization Name>"
#
ORG="$2"
[ "$ORG" = "" ] && {
        echo "No organization name given, using \".\""
        ORG="."
}

EMAIL="$3"
[ "$EMAIL" = "" ] && {
        echo "No email address given, using support@eburg.com"
        EMAIL=support@eburg.com
}

#
# The first step in generating a certificate is to generate a CSR, or
# certificate request. This step will also generate an encrypted,
# private key, called privkey.pem. Don't lose this file, or the
# password used to encrypt the key. That would be bad.
#
# The here-document answers the prompts in order: country, state,
# locality, organization, organizational unit, common name, email.
#
openssl req -new > "${DOMAIN}.csr" <<EOF
US
Washington
Ellensburg
${ORG}
.
${DOMAIN}
${EMAIL}
EOF

#
# Now, we remove the password (unencrypt) from the domain's private key.
# The resulting key is used by apache.
#
openssl rsa -in privkey.pem -out "${DOMAIN}.cert.key"

#
# Finally, use the CSR (certificate request) and our own private key to
# create a "self signed" certificate. This certificate can be used
# until a certificate signed by a known authority (eg Thawte) is
# available.
#
openssl x509 -in "${DOMAIN}.csr" \
        -out "${DOMAIN}.cert" \
        -req -signkey \
        "${DOMAIN}.cert.key" -days 365

#
# I'm renaming this file for consistency.
#
mv privkey.pem "${DOMAIN}.privkey.pem"

#
# We should now have the following files:
# DOMAIN.privkey.pem    The PEM encrypted private key
# DOMAIN.cert.key       The unencrypted private key used by apache
# DOMAIN.csr            The certificate request used by Thawte
# DOMAIN.cert           The certificate that we signed
#

--------------389CE707E0D7AFD653895CDE--

===
Subject: Re: Apache-SSL
From: "Michael J. McGillick" <mike@universe.ne.mediaone.net>
Date: Tue, 11 Jul 2000 15:22:38 -0400 (EDT)

On Wed, 12 Jul 2000, Greg Wright wrote:

>
>
> *********** REPLY SEPARATOR ***********
>
> On 11/07/00 at 11:21 Juan Martinez wrote:
>
> >Hello listers,
> >
> >I've installed apache-ssl-1.3.6_1.35-3.i386.rpm and
> >openssl-0.9.5a-1.i386.rpm on a RedHat 6.2 system.
> >
> >I've generated a dummy certificate and the httpsd daemon
> >starts. When I try to load a page however, the client shows
> >a "Network: Broken Pipe" error. For each attempt to read a
> >page, the httpsd error log shows something like:
> >
>
> you can get my 1.3.9 rpm from ftp.zedz.net, I can send the pgp sig for
> you to check the file, it will install with dummy certs etc and just
> work....
>
> I think Gordon M may have a 1.3.12 RPM, but I have not looked at his setup
> etc, his site is ftp.eburg.com
>
> Also I know for a fact that Michael McGillick has worked on one as well
> very recently.
>
> I am not sure of what restrictions etc legally you may have.

Juan:

My RPM is just about finished (putting the final touches on it now). It
installs completely configured with a dummy certificate, and blends
flawlessly into a Red Hat 6.2 installation. The httpsd.conf file comes
preconfigured to run both http and https connections off just the one
server. Using ntsysv, you would simply stop httpd, and start up httpsd.
The final things I'm looking at are integrating php4 support.

- Mike

===
Subject: Re: Apache-SSL
From: Juan Martinez <martinez@eecs.cwru.edu>
Date: Tue, 11 Jul 2000 15:14:57 -0400 (EDT)

On Wed, 12 Jul 2000, Greg Wright wrote:

> *********** REPLY SEPARATOR ***********
>
> On 11/07/00 at 11:21 Juan Martinez wrote:
>
> >Hello listers,
> >
> >I've installed apache-ssl-1.3.6_1.35-3.i386.rpm and
> >openssl-0.9.5a-1.i386.rpm on a RedHat 6.2 system.
> >
> >I've generated a dummy certificate and the httpsd daemon
> >starts. When I try to load a page however, the client shows
> >a "Network: Broken Pipe" error.
> >For each attempt to read a
> >page, the httpsd error log shows something like:
> >
>
> you can get my 1.3.9 rpm from ftp.zedz.net, I can send the pgp sig for
> you to check the file, it will install with dummy certs etc and just
> work....
>
> I think Gordon M may have a 1.3.12 RPM, but I have not looked at his setup
> etc, his site is ftp.eburg.com
>
> Also I know for a fact that Michael McGillick has worked on one as well
> very recently.
>
> I am not sure of what restrictions etc legally you may have.
>
> Regards
>
> Greg Wright
> IT Consultant Sydney Australia

Greg,

Thanks for the more recent version of apache-ssl. I don't have
any legal restrictions at all so I grabbed a copy of your 1.3.9
rpm. I installed it and got it started but it segfaults the same
as the other one did. The child process dies when I try to load
the index page that comes with the package. The error message I
get on the client side is "Connection reset by peer". The
error_log file shows:

[Tue Jul 11 15:12:09 2000] [notice] child pid 9822 exit signal Segmentation fault (11)

Is there anything else I can try? I really need to get this thing
working. Any more hints/advice?

===
Subject: Re: Apache-SSL
From: "Greg Wright" <redhat_list@mail.com>
Date: Wed, 12 Jul 2000 18:22:40 +1000

*********** REPLY SEPARATOR ***********

On 11/07/00 at 14:51 Gordon Messmer wrote:

>Juan Martinez wrote:
>> I've generated a dummy certificate and the httpsd daemon
>> starts. When I try to load a page however, the client shows
>> a "Network: Broken Pipe" error. For each attempt to read a
>> page, the httpsd error log shows something like:
>>
>> [Tue Jul 11 10:54:07 2000] [notice] child pid 8946 exit signal
>> Segmentation fault (11)
>
>You've probably got your certificates and keys mixed up. Try using the
>attached script.
>

Yes, it's odd, I also believe maybe the certs are being damaged in the
download (FTP mode maybe wrong), I know it works cause I compiled it on a
6.1 box recently after getting the same report from someone else.

I suggest recompiling from SRPM and do not modify the conf file at all
after install, apart from that it's something in the box itself I have not
encountered.

Mail me privately and I will give you a HTTP URL that you can use Lynx to
download from......

REMEMBER I included dummy certs as part of the RPM install, do not generate
anything, just install and it should be working.

===
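
Added example, not part of the original thread and not any poster's code: a check for the two causes suggested above, a certificate paired with the wrong private key or a file damaged in transfer. It compares the public key embedded in the certificate with the one derived from the key file; the function names, file names and the throwaway demo pair are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Names and paths are placeholders.

# check_pair CERT KEY
#   0: KEY is the private half of the public key inside CERT
#   1: both files parse, but they belong to different key pairs
#   2: a file is missing, damaged, or the key is still passphrase-protected
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# make_demo_pair PREFIX: constructed sample input, a throwaway 2048-bit RSA
# key and a one-day self-signed certificate in PREFIX.key and PREFIX.cert.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$(basename "$1").example" \
        -keyout "$1.key" -out "$1.cert" 2>/dev/null
}

# report CERT KEY: print a one-line verdict and return check_pair's status.
report() {
    rc=0
    check_pair "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $2 matches $1" ;;
        1) echo "MISMATCH: $2 is not the key for $1" ;;
        *) echo "UNREADABLE: cannot parse $1 or $2" ;;
    esac
    return "$rc"
}

# Stand-alone use: ./check_pair.sh DOMAIN.cert DOMAIN.cert.key
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```

Status 2 is the one to expect when a PEM file was corrupted in transfer, status 1 when the server configuration points at a key from a different certificate.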