
RFC Self-Signed SSL
Posted by sneex on Mon 9 Jun 2008 at 17:54
Tags: none.
Request for comments -

I wrote the below to somewhat ease the creation of self-signed certificates -- but while the script executes without error, Apache2 (since the SSL update) will not start. I get this error:


[Mon Jun 09 12:17:23 2008] [error] Unable to configure RSA server private key
[Mon Jun 09 12:17:23 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
<cut>

I am at a loss as to why -- anyone with some idea? Can we not create self-signed WildCard certificates since the update?

Below is the script:

#!/bin/bash
# Determine which machine, what run month and year --wcj
machine=$(/bin/uname -n | /bin/awk -F . '{print $1}')
cmonth=$(date +%m)
cyear=$(date +%y)   # two-digit calendar year; %g is the ISO week-based year and differs around New Year

testcase="$machine"
case $testcase in
    srv0)
        machine="01"
        ;;
    srv1)
        machine="02"
        ;;
    srv2)
        machine="03"
        ;;
    *)
        machine="00"
        ;;
esac

# Handle Dec/12 to Jan/1 transition --wcj
# Also -- normalize for the '0' in filenames --wcj
# (inside [[ ]] the '<' operator compares strings, so -lt is used for the numeric test)
if [[ "$cmonth" == "01" ]]
then
    lmonth="12"
    lyear=$(echo "$cyear 1 - p q" | dc)
    if [[ $(expr length "$lyear") -lt 2 ]]
    then
        year="0$lyear"
    else
        year="$lyear"    # was left unset for two-digit values
    fi
else
    lmonth=$(echo "$cmonth 1 - p q" | dc)
    year="$cyear"
fi

if [[ $(expr length "$lmonth") -lt 2 ]]
then
    month="0$lmonth"
else
    month="$lmonth"
fi

echo Recreating Apache SSL certificates
cd /etc/apache2 ; rm -fR /etc/apache2/CA

mkdir -p /etc/apache2/CA/{certs,crl,newcerts,private}

# Serial number for the CA; the month/year variant is kept for reference
#echo "$machine$month$year" > /etc/apache2/CA/serial
echo "$machine" > /etc/apache2/CA/serial

touch /etc/apache2/CA/index.txt

# CA key and self-signed CA certificate (prompts for a passphrase and the subject)
openssl req -new -x509 -keyout /etc/apache2/CA/private/cakey.pem -out /etc/apache2/CA/cacert.pem -days 3654

# Wildcard key and CSR. Note that -keyout and -out name the same file, so the
# private key and the request land together in wildcard.req; -days has no effect on a CSR.
openssl req -new -keyout /etc/apache2/CA/wildcard.req -out /etc/apache2/CA/wildcard.req -days 3654

# Sign the request; 'openssl ca' takes its CA directory (expected to be
# /etc/apache2/CA here) and the policy_anything section from openssl.cnf
openssl ca -policy policy_anything -out /etc/apache2/CA/wildcard.crt -infiles /etc/apache2/CA/wildcard.req

# Rotate the immutable backup of the previous keys, then install the new files
chattr -i /root/*SSL*
mv -f /root/SSL_Keys-Keep.tgz /root/Old_SSL_Keys-Keep.tgz
tar zcvf /root/SSL_Keys-Keep.tgz /etc/apache2/wild*
chmod 0400 /root/SSL_Keys-Keep.tgz ; chattr +i /root/*SSL*
chattr -i /etc/apache2/wildcard.*
cp -f /etc/apache2/CA/wild* /etc/apache2
chattr +i /etc/apache2/wildcard.*
echo Done ...


Any ideas about how to make a self-signed wildcard would be most appreciated.
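The sequence the post is after, written out as an added example (this is not the poster's script and not part of the original thread): build a private CA, issue a wildcard certificate from it with its key in a separate file, and run the same key/certificate consistency check Apache performs at startup, so that a "key values mismatch" is caught before httpd is restarted. It signs with `openssl x509 -req` against the CA key directly instead of `openssl ca`, so no CA directory or openssl.cnf setup is needed. The domain example.test, the file names and the --demo switch are assumptions; it expects a reasonably current OpenSSL on PATH.

```shell
#!/bin/sh
# Added example: private CA + wildcard certificate + the checks a defender
# wants before installing the files. All names and paths are assumptions.
set -eu

# make_wildcard_cert DIR DOMAIN: write cakey.pem, cacert.pem, wildcard.key,
# wildcard.req and wildcard.crt into DIR for CN=*.DOMAIN
make_wildcard_cert() {
    dir="$1"
    domain="$2"
    mkdir -p "$dir"
    umask 077        # every file created below is readable by the owner only

    # 1. CA key and self-signed CA certificate (what 'openssl req -new -x509' does in the post)
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3654 \
        -subj "/CN=Private CA for $domain" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null

    # 2. Server key and CSR for the wildcard name. The key goes to its own
    #    file via -keyout; the CSR goes to -out. They must not be the same file.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=*.$domain" \
        -keyout "$dir/wildcard.key" -out "$dir/wildcard.req" 2>/dev/null

    # 3. Sign the CSR with the CA. Browsers ignore the CN and require a
    #    subjectAltName, so list both the wildcard and the bare domain.
    printf 'subjectAltName=DNS:*.%s,DNS:%s\n' "$domain" "$domain" > "$dir/wildcard.ext"
    openssl x509 -req -days 3654 -in "$dir/wildcard.req" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/wildcard.ext" -out "$dir/wildcard.crt" 2>/dev/null
}

# key_matches_cert CERT KEY: the check behind X509_check_private_key.
# Extract the public key from both sides and compare them; works for RSA and EC.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_chains_to_ca CACERT CERT: does the issued certificate verify against the CA?
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_wildcard_cert "$tmp" example.test
    key_matches_cert "$tmp/wildcard.crt" "$tmp/wildcard.key" && echo "server key matches wildcard.crt"
    cert_chains_to_ca "$tmp/cacert.pem" "$tmp/wildcard.crt" && echo "wildcard.crt chains to cacert.pem"
    # Pairing the CA key with the server certificate reproduces the mismatch Apache reports
    key_matches_cert "$tmp/wildcard.crt" "$tmp/cakey.pem" || echo "cakey.pem does not match wildcard.crt (expected)"
    rm -rf "$tmp"
fi
```

Run it as `sh make-wildcard.sh --demo`. The point of key_matches_cert is that it is cheap and can be run in the deployment script right before the files are copied into place: when SSLCertificateFile and SSLCertificateKeyFile point at files that were not generated together, the comparison fails in exactly the way the error in the post does, and the old certificate stays in service.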


Comments on this Entry

Re: RFC Self-Signed SSL
Posted by sneex (63.139.xx.xx) on Mon 9 Jun 2008 at 18:01
OK, I am dumb as a stump :P

I forgot -

openssl rsa < /etc/apache2/CA/wildcard.req > /etc/apache2/CA/wildcard.key


-Sx-
--
http://youve-reached-the.endoftheinternet.org/


Re: RFC Self-Signed SSL
Posted by Anonymous (217.91.xx.xx) on Tue 10 Jun 2008 at 14:42
> "machine=$(/bin/uname -n |/bin/awk -F . '{print $1}')"

man hostname might be worth a look.


Re: RFC Self-Signed SSL
Posted by atrixnet (69.152.xx.xx) on Mon 16 Jun 2008 at 09:14
How rude!
