[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

guidance on SSL certs and Apache2

I'm trying to set up apache2 to use ssl.  I see numerous bugs about
this, including the fact that the setup is neither automated nor documented
(267477 -- which includes some recipes and references to help) and
that a tool, ssl-cert, used at one point by apache2 for debconf, has
problems (230485).  The changelog says that ssl-cert was dropped for
the setup.

There seem to be at least 3 ways to setup certificates:

There is a configuration file /etc/ssl/openssl.cnf, and there seems to
be space for certificates and keys under /etc/ssl/ and

Can anyone suggest which of these knobs I should tweak to set things
up?  And where should I put the resulting files?  I use KDE, and I see
it has Kleopatra for certificate management.  Is that useable?

I want to be my own CA as well as having the certificates (one for
each virtual domain).

Documentation seems sparse.  man apache2-ssl-cert gets me the openssl
man page; apache2-ssl-cert --help just runs the program.  ssl-cert's
manpage is under make-ssl-cert (I think), and is unilluminating.

When I originally installed apache2 the setup script ran and ended up
producing the same error as reported in 230485 (I think the script
invoked ssl-cert):

> writing new private key to '/etc/apache2/ssl/apache.pem'
> -----
> problems making Certificate Request
> 20712:error:0D07A098:asn1 encoding routines:ASN1_mbstring_copy:string too short:a_mbstr.c:147:minsize=1
> dpkg: error processing apache2-common (--configure):
>  subprocess post-installation script returned error exit status 1

When I added
	SSLCertificateFile /etc/apache2/ssl/apache.pem
to my Apache configuration (for a virtual server) I got further than
without it, but had the error
> [Sun Sep 18 18:50:57 2005] [error] Init: Unable to read server certificate from file /etc/apache2/ssl/apache.pem
> [Sun Sep 18 18:50:57 2005] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> [Sun Sep 18 18:50:57 2005] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

My theory is that the original setup used values from openssl.cnf.  I
hadn't touched them, so some were empty, producing the "string too
short."  The resulting certificate is no good, leading to the 2nd set
of errors.

Reply to: