Environment
Novell Open Enterprise Server
Suse Linux 9.1
Situation
Starting httpd2 (worker) Syntax error on line 53 of /etc/apache2/vhosts.d/vhost-ssl.conf:
SSLCertificateFile: file '/etc/ssl/servercerts/servercert.pem' does not exist or is empty
An error occurred while loading http://192.168.79.70
Could not connect to host 192.168.79.70
Apache2 is not running after fresh install of OES
Resolution
There are two options to resolve this problem.
1. Use TID NOVL102256, How to use eDirectory SSL certificates for Apache2 on OES, which points Apache2 at a server certificate issued by the eDirectory CA.
2. Follow the steps below to create the missing files with OpenSSL: a local CA, a server key and CSR, and a server certificate signed by that CA.
Step 1 - Create the Suse CA files.
Verify there is an /etc/ssl directory. If not, create it by doing the following:
# mkdir /etc/ssl
Change the rights on the /etc/ssl directory so that only root can read it:
# chown -R root /etc/ssl
# chmod g-rwx /etc/ssl
# chmod o-rwx /etc/ssl
Verify there is an /etc/ssl/demoCA directory (the CA database used by openssl ca). If not, create it by doing the following:
# mkdir /etc/ssl/demoCA
# touch /etc/ssl/demoCA/index.txt
# echo '00000000' >> /etc/ssl/demoCA/serial
The commands in Steps 1 and 2 also write into /etc/ssl/private (CA key) and /etc/ssl/servercerts (server key, CSR and certificate). If either directory is missing, openssl fails when writing the key; create them the same way, with /etc/ssl/private readable by root only.
Generate the CA key and self-signed CA certificate. The key is protected by the pass phrase entered here, and the same pass phrase is required again when signing in Step 3. The 1024-bit key size comes from the openssl.cnf default of this release. Giving the CA a Common Name that differs from the server name (both are FS1 in the transcript below) keeps the CA and server certificates distinguishable.
# openssl req -new -x509 -extensions v3_ca -keyout /etc/ssl/private/cakey.pem -out /etc/ssl/cacert.pem -days 1095
Generating a 1024 bit RSA private key
..++++++
..................++++++
writing new private key to '/etc/ssl/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Utah
Locality Name (eg, city) []:Provo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Novell
Organizational Unit Name (eg, section) []:NTS
Common Name (eg, YOUR name) []:FS1
Email Address []:support@novell.com
Step 2 - Create the CSR and server key file.
The -nodes option leaves serverkey.pem unencrypted so that Apache2 can start without prompting for a pass phrase; for that reason the file must be owned by root and readable by root only.
# openssl req -new -nodes -out /etc/ssl/servercerts/servercert.csr -keyout /etc/ssl/servercerts/serverkey.pem
Generating a 1024 bit RSA private key
........++++++
..........++++++
writing new private key to '/etc/ssl/servercerts/serverkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Utah
Locality Name (eg, city) []:Provo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Novell
Organizational Unit Name (eg, section) []:NTS
Common Name (eg, YOUR name) []:FS1
Email Address []:support@novell.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:novell
An optional company name []:
Step 3 - Sign the CSR with the Suse CA.
The CA_default section of /etc/ssl/openssl.cnf refers to ./demoCA, so run this command from /etc/ssl so that the index.txt and serial files created in Step 1 are the ones used. The resulting servercert.pem is valid for 365 days (the openssl.cnf default_days value), not the 1095 days of the CA certificate, so Steps 2 and 3 must be repeated before it expires.
# openssl ca -cert /etc/ssl/cacert.pem -keyfile /etc/ssl/private/cakey.pem -out /etc/ssl/servercerts/servercert.pem -outdir /etc/ssl/servercerts -infiles /etc/ssl/servercerts/servercert.csr
Using configuration from /etc/ssl/openssl.cnf
30528:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=CA_default name=unique_subject
The unique_subject line is only a warning that openssl.cnf has no unique_subject setting in CA_default; signing continues as shown.
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jun 2 16:43:56 2005 GMT
Not After : Jun 2 16:43:56 2006 GMT
Subject:
countryName = US
stateOrProvinceName = Utah
organizationName = Novell
organizationalUnitName = NTS
commonName = FS1
emailAddress = support@novell.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier: BF:40:F4:BA:55:24:1F:19:88:95:FA:C7:33:46:8A:A3:E3:65:81:F3
X509v3 Authority Key Identifier: keyid:C6:34:1E:26:CF:9F:CA:31:84:4F:F2:2A:60:F4:E3:87:8C:B8:29:4D
DirName:/C=US/ST=Utah/L=Provo/O=Novell/OU=NTS/CN=FS1/emailAddress=support@novell.com
serial:00
Certificate is to be certified until Jun 2 16:43:56 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated.
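The three steps above as one non-interactive script, added here as an example and not part of the original TID. It assumes the subject fields from the transcript, a CA pass phrase supplied in the CA_PASS environment variable (the placeholder "changeme" is an assumption), a CA Common Name of "OES Root CA" (an assumption; the transcript reuses FS1), and a 2048-bit key, since the 1024-bit default of the 2005 openssl.cnf is below current practice. It writes a private openssl config so the result does not depend on the cwd-relative dir = ./demoCA setting of the system openssl.cnf and does not raise the unique_subject warning, creates the /etc/ssl/private and /etc/ssl/servercerts directories the page assumes, and finishes by verifying that servercert.pem chains to cacert.pem and matches serverkey.pem. SSL_ROOT defaults to /etc/ssl; set it to a scratch directory to rehearse as a non-root user.

```shell
#!/bin/sh
# Added example, not Novell's TID text. Run as: sh oes-certs.sh FS1
set -eu

SSL_ROOT="${SSL_ROOT:-/etc/ssl}"            # /etc/ssl on the OES server
export CA_PASS="${CA_PASS:-changeme}"       # assumed placeholder; use a real pass phrase
SUBJ_BASE="/C=US/ST=Utah/L=Provo/O=Novell/OU=NTS"
CA_DAYS=1095                                # as on the page
CERT_DAYS=365                               # openssl.cnf default_days on the page
KEY_BITS=2048                               # page used the 1024-bit default

# Step 0 (implicit on the page): directory layout, root-only rights, CA database.
make_ca_layout() {
    umask 077                               # keys and certs created below are mode 600
    mkdir -p "$SSL_ROOT/private" "$SSL_ROOT/servercerts" "$SSL_ROOT/demoCA"
    : > "$SSL_ROOT/demoCA/index.txt"
    echo '01' > "$SSL_ROOT/demoCA/serial"
    # Private config: absolute paths, no unique_subject warning, sane extensions.
    cat > "$SSL_ROOT/demoCA/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $SSL_ROOT/demoCA/index.txt
serial = $SSL_ROOT/demoCA/serial
new_certs_dir = $SSL_ROOT/servercerts
default_md = sha256
default_days = $CERT_DAYS
policy = policy_any
unique_subject = no
x509_extensions = usr_cert
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Step 1: pass-phrase-protected CA key and self-signed CA certificate.
make_ca() {
    openssl req -new -x509 -config "$SSL_ROOT/demoCA/ca.cnf" -extensions v3_ca \
        -newkey "rsa:$KEY_BITS" -keyout "$SSL_ROOT/private/cakey.pem" \
        -passout env:CA_PASS -out "$SSL_ROOT/cacert.pem" -days "$CA_DAYS" \
        -subj "$SUBJ_BASE/CN=OES Root CA"
}

# Step 2: unencrypted server key (-nodes, so Apache2 starts unattended) plus CSR.
make_server_csr() {
    openssl req -new -nodes -config "$SSL_ROOT/demoCA/ca.cnf" \
        -newkey "rsa:$KEY_BITS" -keyout "$SSL_ROOT/servercerts/serverkey.pem" \
        -out "$SSL_ROOT/servercerts/servercert.csr" -subj "$SUBJ_BASE/CN=$1"
    chmod 600 "$SSL_ROOT/servercerts/serverkey.pem"
}

# Step 3: sign the CSR with the CA; -batch replaces the y/n prompts.
sign_server_csr() {
    openssl ca -batch -config "$SSL_ROOT/demoCA/ca.cnf" \
        -cert "$SSL_ROOT/cacert.pem" -keyfile "$SSL_ROOT/private/cakey.pem" \
        -passin env:CA_PASS -outdir "$SSL_ROOT/servercerts" \
        -out "$SSL_ROOT/servercerts/servercert.pem" \
        -infiles "$SSL_ROOT/servercerts/servercert.csr"
}

# Check: certificate chains to the CA and its public key matches serverkey.pem.
verify_server_cert() {
    cert="$SSL_ROOT/servercerts/servercert.pem"
    key="$SSL_ROOT/servercerts/serverkey.pem"
    openssl verify -CAfile "$SSL_ROOT/cacert.pem" "$cert" >/dev/null &&
    [ "$(openssl x509 -noout -modulus -in "$cert")" = "$(openssl rsa -noout -modulus -in "$key")" ]
}

main() {
    make_ca_layout
    make_ca
    make_server_csr "$1"
    sign_server_csr
    verify_server_cert && echo "servercert.pem signed by cacert.pem and matches serverkey.pem"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

The paths written match the SSLCertificateFile and SSLCertificateKeyFile entries in vhost-ssl.conf quoted in the Situation, so once the script reports success Apache2 can be started again with rcapache2 start; if it still fails, compare line 53 of vhost-ssl.conf with the files under /etc/ssl/servercerts.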
Additional Information
During the OES install, the root user was given a password shorter than 4 characters, which caused the CA portion of the install to fail to create the self-signed certificates used by Apache2.
Formerly known as TID# 10097845
Formerly known as TID# NOVL102284