On Wed, Dec 01, 2004, Dan O'Brien wrote:

> On Nov 23, 2004, at 1:59 PM, Charles B Cranston wrote:
> 
> >It's possible from what you describe that it was a
> >hanging alias, that is, a symbolic link pointing to
> >a file that does not actually exist.  This looks like
> >a file initially but gets a "file does not exist"
> >when you try to actually use it...
> >
> >Dan O'Brien wrote:
> >
> >>On Nov 22, 2004, at 1:41 PM, Dr. Stephen Henson wrote:
> >>>On Mon, Nov 22, 2004, Dan O'Brien wrote:
> >>>
> >>>>
> >>>>Searched for openssl.cnf and it is on the system:
> >>>>
> >>>>[EMAIL PROTECTED]:/etc/ssl# locate openssl.cnf
> >>>>/usr/lib/ssl/openssl.cnf
> >>>>
> >>>>Is this a clue to the problem?
> >>>>
> >>>
> >>>Might be :-) Depends what's in that file. Does it contain a line with:
> >>>
> >>>[distinguished_name]
> >>>
> >>>on it? Does it have world read permissions? What happens if you include the
> >>>command line switch: -config /usr/lib/ssl/openssl.cnf to the req command that
> >>>was failing before?
> >>>
> >>>
> >>Progress! It appears that although "locate" indicated the presence of 
> >>the openssl.cnf file... (as in:
> >>[EMAIL PROTECTED]:~$ locate openssl.cnf
> >>/usr/lib/ssl/openssl.cnf)
> >>...when I vi'd it as root, the file was blank, and vi indicated that 
> >>it was making a new file.
> >>Adding the -config /usr/lib/ssl/openssl.cnf switch yielded this:
> >>[EMAIL PROTECTED]:~# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 7000 -config /usr/lib/ssl/openssl.cnf
> >>Using configuration from /usr/lib/ssl/openssl.cnf
> >>error on line 1074095624 of /usr/lib/ssl/openssl.cnf
> >>1708:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('/usr/lib/ssl/openssl.cnf','rb')
> >>1708:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:106:
> >>1708:error:0E064002:configuration file routines:CONF_load:system lib:conf_lib.c:91:
> >>Changing directories and listing showed this:
> >>[EMAIL PROTECTED]:/usr/lib/ssl# ls
> >>certs  lib  misc  openssl.cnf  private
> >>...wherein openssl.cnf was displayed in red text set against a black 
> >>selection rectangle -- what does this indicate?
> >>In any case, all signs pointed to a malfunctioning file, so I rm'd 
> >>it. You previously suggested that I unpack one from another 
> >>installation. Unless you have a better idea, I believe the next move 
> >>will be to try to install 0.9.7e.
> >>- Dan O'Brien
> >>
> 
> 
> OK, installed 0.9.7e and the openssl.cnf file to the right location. 
> Was then able to create the certificate authority.
> 
> However, the next step, creating the SSL key for apache, met with the 
> following error:
> 
> [EMAIL PROTECTED]:/etc/ssl# openssl req -new -config ./openssl.cnf -nodes -out ./apache-req.pem -keyout ./apache-key.pem
> Using configuration from ./openssl.cnf
> error on line 1074095624 of ./openssl.cnf
> 297:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('./openssl.cnf','rb')
> 297:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:106:
> 297:error:0E064002:configuration file routines:CONF_load:system lib:conf_lib.c:91:
> 
> Ideas?
> 

It can't find ./openssl.cnf? 

I suggest you dump all these cookbook recipes and stick to something like:

CA.pl -newca

(this creates root CA)

CA.pl -newreq

(creates a certificate request)

CA.pl -sign

(signs request).


After running those the private key is in newreq.pem, the certificate in
newcert.pem and the CA certificate in demoCA/cacert.pem and you can copy them
to wherever is appropriate.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
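
The checks raised in this thread (a hanging symbolic link, a blank file, read permission, a distinguished_name line) gathered into one shell function, as an added example that is not from any poster or from the OpenSSL project. The function name `check_openssl_cnf` and its result words are made up here, and the distinguished_name test is only a rough text match.

```shell
#!/bin/sh
# Added example: classify why `openssl req -config FILE` might fail to load FILE.
# Prints one result word; returns 0 only for "ok".
check_openssl_cnf() {
    cnf=$1
    # A symlink whose target is gone: ls and locate still show the name,
    # but fopen() fails with "No such file or directory".
    if [ -L "$cnf" ] && [ ! -e "$cnf" ]; then
        echo dangling-symlink; return 1
    fi
    if [ ! -e "$cnf" ]; then
        echo missing; return 1
    fi
    if [ ! -f "$cnf" ]; then
        echo not-a-regular-file; return 1
    fi
    # -r tests the calling user only; root passes regardless of mode bits.
    if [ ! -r "$cnf" ]; then
        echo unreadable; return 1
    fi
    if [ ! -s "$cnf" ]; then
        echo empty; return 1
    fi
    # Rough check: some line mentions distinguished_name.
    if ! grep -q 'distinguished_name' "$cnf"; then
        echo no-distinguished_name; return 1
    fi
    echo ok
}

# Stand-alone use: sh check_cnf.sh /usr/lib/ssl/openssl.cnf
if [ $# -gt 0 ]; then
    check_openssl_cnf "$1"
fi
```

Relative paths such as `./openssl.cnf` are resolved against the current directory, so run the check from the directory where the failing `openssl req` command was typed.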
