Upgrading apache from 2.0.x to 2.2.x

Kövesdán Gábor gabor.kovesdan at t-hosting.hu
Wed Feb 1 09:10:37 PST 2006

Kövesdán Gábor wrote:

> Charles Swiger wrote:
>> On Jan 31, 2006, at 10:06 AM, Kövesdán Gábor wrote:
>>> I've upgraded today, but SSL doesn't work with the old settings. I  
>>> suspect something's wrong with my self-signed certificates. If I  
>>> set SSLEngine On globally, I get this:
>>> [Tue Jan 31 14:11:09 2006] [warn] RSA server certificate is a CA  
>>> certificate (BasicConstraints: CA certificate (BasicConstraints: CA  
>>> == TRUE !?)
>> Yeah, the RSA cert you use for your CA to sign other certs should 
>> not  be used as a host cert for SSL.  Generate a new RSA cert, 
>> generate a  CSR, and use the CA cert to sign your new RSA cert for 
>> the webserver:
>>    openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365
>>    openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
>>    openssl ca -policy policy_anything -out newcert.pem -infiles tmp.pem
>>    #  (newcert.pem contains signed certificate, newreq.pem still contains
>>    #  unsigned certificate and private key)
> Thanks, I see the point, but I'm not really experienced in generating 
> certs. The lines you wrote lead me to the following:
> root at server# openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365
> Generating a 1024 bit RSA private key
> .........++++++
> ..........................++++++
> writing new private key to 'newreq.pem'
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or 
> a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:HU
> State or Province Name (full name) [Some-State]:Budapest
> Locality Name (eg, city) []:Budapest
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:T-Hosting.Hu
> Organizational Unit Name (eg, section) []:HTTP Server
> Common Name (eg, YOUR name) []:server.t-hosting.hu
> Email Address []:postmaster at t-hosting.hu
> root at server# openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
> Getting request Private Key
> Generating certificate request
> root at server# openssl ca -policy policy_anything -out newcert.pem -infiles tmp.pem
> Using configuration from /etc/ssl/openssl.cnf
> Error opening CA private key ./demoCA/private/cakey.pem
> 46641:error:0E06D06C:configuration file routines:NCONF_get_string:no 
> value:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_lib.c:329:group=CA_default 
> name=unique_subject
> 46641:error:02001002:system library:fopen:No such file or 
> directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:276:fopen('./demoCA/private/cakey.pem','r') 
> 46641:error:20074002:BIO routines:FILE_CTRL:system 
> lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:278: 
> unable to load CA private key
> Segmentation fault (core dumped)
> Could you tell me what's wrong?
> Thanks,
> Gabor Kovesdan
Hi again,

since then I've found a howto about certs: 
I followed the steps, and now I have three separate files:
1, the CA cert, called cacert.pem
2, the signed cert, called cert.pem
3, the private key, called key.pem

My httpd.conf contains this about SSL configuration:

<IfModule mod_ssl.c>

SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLCertificateFile /usr/local/etc/apache22/cert.pem
SSLCertificateKeyFile /usr/local/etc/apache22/key.pem
SSLCACertificateFile /usr/local/etc/apache22/cacert.pem

SSLSessionCache         dbm:/var/run/ssl_scache
SSLSessionCacheTimeout  300

SSLMutex  file:/var/run/ssl_mutex

SSLEngine       Off

</IfModule>

Now, if I globally set SSLEngine On apache doesn't start and writes 
nothing to the error log. If I only set SSLEngine On in a VirtualHost 
section, I get the same Invalid method in request message.

Does somebody have any idea?


Gabor Kovesdan
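The following script is an added example, not part of the thread and not written by either poster. It carries out what Charles Swiger's reply describes (a CA certificate signing a separate server certificate) with the openssl CLI, and then checks the property mod_ssl complained about in the quoted log line: the certificate handed to SSLCertificateFile must not carry BasicConstraints CA:TRUE. It signs with `openssl x509 -req -CA`, which needs only the CA certificate and key, rather than `openssl ca`, which reads the `demoCA/` directory layout from openssl.cnf (the `./demoCA/private/cakey.pem` path in the quoted error comes from that). The names `Example Test CA` and `server.example.test` are constructed placeholders; the script assumes the openssl binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build a two-tier test PKI with the
# openssl CLI and check that the server certificate is not a CA certificate.
# "Example Test CA" and "server.example.test" are constructed placeholders.
set -eu

# Create a CA and a CA-signed server certificate under directory $1.
# The outputs match the three files the poster ended up with:
#   cacert.pem (CA cert), cert.pem (server cert), key.pem (server key)
make_pki() {
    d=$1
    mkdir -p "$d"

    # CA: self-signed, explicitly CA:TRUE, key usable only for signing certs/CRLs.
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" -days 3650 >/dev/null 2>&1

    # Server: a fresh key and CSR, signed by the CA with CA:FALSE and serverAuth.
    cat > "$d/server.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = server.example.test
EOF
    cat > "$d/server_ext.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
EOF
    openssl req -new -config "$d/server.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/key.pem" -out "$d/server.csr" >/dev/null 2>&1
    # `openssl x509 -req -CA` needs only cacert.pem and cakey.pem; it does not
    # read the demoCA/ layout that `openssl ca` takes from openssl.cnf.
    openssl x509 -req -in "$d/server.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -days 365 -sha256 \
        -extfile "$d/server_ext.cnf" -out "$d/cert.pem" >/dev/null 2>&1
}

# Exit 0 if the certificate carries BasicConstraints CA:TRUE (the condition
# behind mod_ssl's "RSA server certificate is a CA certificate" warning).
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Exit 0 if the server certificate ($2) chains to the CA certificate ($1).
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

main() {
    out=$(mktemp -d)
    make_pki "$out"
    if is_ca_cert "$out/cert.pem"; then
        echo "cert.pem is a CA certificate; do not use it as SSLCertificateFile" >&2
        exit 1
    fi
    verify_chain "$out/cacert.pem" "$out/cert.pem"
    echo "OK: $out/cert.pem is a CA-signed server certificate (key: $out/key.pem, CA: $out/cacert.pem)"
}
main
```

The three output files map onto the directives already in the poster's httpd.conf: cert.pem to SSLCertificateFile, key.pem to SSLCertificateKeyFile and cacert.pem to SSLCACertificateFile. In the httpd-ssl.conf shipped with Apache 2.2, `SSLEngine on` is placed inside a `<VirtualHost _default_:443>` block together with those three directives, not at global scope.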

More information about the freebsd-questions mailing list