Weblog entry #6 for sneex
See all weblog entries made by sneex.
#6
RFC Self-Signed SSL
Posted by sneex on Mon 9 Jun 2008 at 17:54
Request for comments -
I wrote the below to somewhat ease the creation of making self-signed certificates -- but while the script executes without error Apache2 (since the SSL update) will not start. I get this error:
[Mon Jun 09 12:17:23 2008] [error] Unable to configure RSA server private key
[Mon Jun 09 12:17:23 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
<cut>
I am at a loss as to why -- anyone with some idea? Can we not create self-signed WildCard certificates since the update?
Below is the script:
# Determine which machine, what run month and year --wcj
machine=$(/bin/uname -n |/bin/awk -F . '{print $1}')
cmonth=$(date +%m)
cyear=$(date +%g)
testcase="$machine"
case $testcase in
srv0)
machine="01"
;;
srv1)
machine="02"
;;
srv2)
machine="03"
;;
*)
machine="00"
;;
esac
# Handle Dec/12 to Jan/1 transition --wcj
# Also -- normalize for the '0' in filenames --wcj
if [[ "$cmonth" == "01" ]]
then
lmonth="12"
lyear=$(echo "$cyear 1 - p q" | dc)
if [[ `expr length "$lyear"` < 2 ]]
then
year="0$lyear"
fi
else
lmonth=$(echo "$cmonth 1 - p q" | dc)
year="$cyear"
fi
if [[ `expr length "$lmonth"` < 2 ]]
then
month="0$lmonth"
else
month="$lmonth"
fi
echo Recreating Apache SSL certificates
cd /etc/apache2 ; rm -fR /etc/apache2/CA
mkdir -p /etc/apache2/CA/{certs,crl,newcerts,private}
#echo "$machine$month$year" > /etc/apache2/CA/serial
echo "$machine" > /etc/apache2/CA/serial
touch /etc/apache2/CA/index.txt
openssl req -new -x509 -keyout /etc/apache2/CA/private/cakey.pem -out /etc/apache2/CA/cacert.pem -days 3654
openssl req -new -keyout /etc/apache2/CA/wildcard.req -out /etc/apache2/CA/wildcard.req -days 3654
openssl ca -policy policy_anything -out /etc/apache2/CA/wildcard.crt -infiles /etc/apache2/CA/wildcard.req
chattr -i /root/*SSL*
mv -f /root/SSL_Keys-Keep.tgz /root/Old_SSL_Keys-Keep.tgz
tar zcvf /root/SSL_Keys-Keep.tgz /etc/apache2/wild*
chmod 0400 /root/SSL_Keys-Keep.tgz ; chattr +i /root/*SSL*
chattr -i /etc/apache2/wildcard.*
cp -f /etc/apache2/CA/wild* /etc/apache2
chattr +i /etc/apache2/wildcard.*
echo Done ...
Any ideas about how to make a self-signed wildcard would be most appreciated.
I wrote the below to somewhat ease the creation of making self-signed certificates -- but while the script executes without error Apache2 (since the SSL update) will not start. I get this error:
[Mon Jun 09 12:17:23 2008] [error] Unable to configure RSA server private key
[Mon Jun 09 12:17:23 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
<cut>
I am at a loss as to why -- anyone with some idea? Can we not create self-signed WildCard certificates since the update?
Below is the script:
# Determine which machine, what run month and year --wcj
machine=$(/bin/uname -n |/bin/awk -F . '{print $1}')
cmonth=$(date +%m)
cyear=$(date +%g)
testcase="$machine"
case $testcase in
srv0)
machine="01"
;;
srv1)
machine="02"
;;
srv2)
machine="03"
;;
*)
machine="00"
;;
esac
# Handle Dec/12 to Jan/1 transition --wcj
# Also -- normalize for the '0' in filenames --wcj
if [[ "$cmonth" == "01" ]]
then
lmonth="12"
lyear=$(echo "$cyear 1 - p q" | dc)
if [[ `expr length "$lyear"` < 2 ]]
then
year="0$lyear"
fi
else
lmonth=$(echo "$cmonth 1 - p q" | dc)
year="$cyear"
fi
if [[ `expr length "$lmonth"` < 2 ]]
then
month="0$lmonth"
else
month="$lmonth"
fi
echo Recreating Apache SSL certificates
cd /etc/apache2 ; rm -fR /etc/apache2/CA
mkdir -p /etc/apache2/CA/{certs,crl,newcerts,private}
#echo "$machine$month$year" > /etc/apache2/CA/serial
echo "$machine" > /etc/apache2/CA/serial
touch /etc/apache2/CA/index.txt
openssl req -new -x509 -keyout /etc/apache2/CA/private/cakey.pem -out /etc/apache2/CA/cacert.pem -days 3654
openssl req -new -keyout /etc/apache2/CA/wildcard.req -out /etc/apache2/CA/wildcard.req -days 3654
openssl ca -policy policy_anything -out /etc/apache2/CA/wildcard.crt -infiles /etc/apache2/CA/wildcard.req
chattr -i /root/*SSL*
mv -f /root/SSL_Keys-Keep.tgz /root/Old_SSL_Keys-Keep.tgz
tar zcvf /root/SSL_Keys-Keep.tgz /etc/apache2/wild*
chmod 0400 /root/SSL_Keys-Keep.tgz ; chattr +i /root/*SSL*
chattr -i /etc/apache2/wildcard.*
cp -f /etc/apache2/CA/wild* /etc/apache2
chattr +i /etc/apache2/wildcard.*
echo Done ...
Any ideas about how to make a self-signed wildcard would be most appreciated.
Comments on this Entry
OK, I am dumb as a stump :P
I forgot -
openssl rsa < /etc/apache2/CA/wildcard.req > /etc/apache2/CA/wildcard.key
-Sx-
--
http://youve-reached-the.endoftheinternet.org/
I forgot -
openssl rsa < /etc/apache2/CA/wildcard.req > /etc/apache2/CA/wildcard.key
-Sx-
--
http://youve-reached-the.endoftheinternet.org/
[ Parent | Reply to this comment ]
Posted by Anonymous (217.91.xx.xx) on Tue 10 Jun 2008 at 14:42
> "machine=$(/bin/uname -n |/bin/awk -F . '{print $1}')"
man hostname might be worth a look.
man hostname might be worth a look.
[ Parent | Reply to this comment ]
How rude!
[ Parent | Reply to this comment ]