SSLCertificateFile: file '/etc/ssl/servercerts/servercert.pem' does not exist or is empty

(Last modified: 02Jun2005)

This document (10097845) is provided subject to the disclaimer at the end of this document.

fact

Novell Open Enterprise Server

Suse Linux 9.1

symptom

SSLCertificateFile: file '/etc/ssl/servercerts/servercert.pem' does not exist or is empty

Starting httpd2 (worker) Syntax error on line 53 of /etc/apache2/vhosts.d/vhost-ssl.conf:

An error occurred while loading http://192.168.79.70

Could not connect to host 192.168.79.70

Apache2 is not running after fresh install of OES

cause

During the install of OES, the root user was given a password shorter than 4 characters. This caused the CA portion of the install to not create the self-signed certificates used for Apache2.

fix

There are 2 options to resolve this problem.

1.  Use NOVL102256 - How to use eDirectory SSL certificates for Apache2 on OES to resolve the problem
2.  Follow the steps below to create OpenSSL certificates

Step 1 - Create Suse CA files.

Verify there is an /etc/ssl directory.  If not, create it by doing the following:

# mkdir /etc/ssl

Restrict access to the /etc/ssl directory to root by doing the following:

# chown -R root /etc/ssl
# chmod g-rwx /etc/ssl
# chmod o-rwx /etc/ssl

Verify there is an /etc/ssl/demoCA directory.  If not, create it by doing the following:

# mkdir /etc/ssl/demoCA
# touch /etc/ssl/demoCA/index.txt
# echo '00000000' >> /etc/ssl/demoCA/serial

Generate the CA files by doing the following:

# openssl req -new -x509 -extensions v3_ca -keyout /etc/ssl/private/cakey.pem -out /etc/ssl/cacert.pem -days 1095

Generating a 1024 bit RSA private key
..++++++
..................++++++
writing new private key to '/etc/ssl/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Utah
Locality Name (eg, city) []:Provo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Novell
Organizational Unit Name (eg, section) []:NTS
Common Name (eg, YOUR name) []:FS1
Email Address []:support@novell.com 


Step 2 - Create CSR and ServerKey file.

# openssl req -new -nodes -out /etc/ssl/servercerts/servercert.csr -keyout /etc/ssl/servercerts/serverkey.pem

Generating a 1024 bit RSA private key
........++++++
..........++++++
writing new private key to '/etc/ssl/servercerts/serverkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Utah
Locality Name (eg, city) []:Provo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Novell
Organizational Unit Name (eg, section) []:NTS
Common Name (eg, YOUR name) []:FS1
Email Address []:support@novell.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:novell
An optional company name []:


Step 3 - Sign CSR with Suse CA

# openssl ca -cert /etc/ssl/cacert.pem -keyfile /etc/ssl/private/cakey.pem -out /etc/ssl/servercerts/servercert.pem -outdir /etc/ssl/servercerts -infiles /etc/ssl/servercerts/servercert.csr

Using configuration from /etc/ssl/openssl.cnf
30528:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=CA_default name=unique_subject

Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 0 (0x0)
    Validity
        Not Before: Jun 2 16:43:56 2005 GMT
        Not After : Jun 2 16:43:56 2006 GMT
    Subject:
        countryName = US
        stateOrProvinceName = Utah
        organizationName = Novell
        organizationalUnitName = NTS
        commonName = FS1
        emailAddress = support@novell.com
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            BF:40:F4:BA:55:24:1F:19:88:95:FA:C7:33:46:8A:A3:E3:65:81:F3
        X509v3 Authority Key Identifier:
            keyid:C6:34:1E:26:CF:9F:CA:31:84:4F:F2:2A:60:F4:E3:87:8C:B8:29:4D
            DirName:/C=US/ST=Utah/L=Provo/O=Novell/OU=NTS/CN=FS1/emailAddress=support@novell.com
            serial:00

Certificate is to be certified until Jun 2 16:43:56 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated.
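
Added example (not part of the original Novell document): a pre-flight check to run after Step 3 and before starting Apache2. It confirms that the files created in Steps 1 to 3 exist and are non-empty, that servercert.pem parses as a certificate, that it matches serverkey.pem, and that it verifies against cacert.pem. The function name check_apache_cert and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Novell document. Default paths are the ones
# used in Steps 1-3; the function name and return codes are assumptions.
check_apache_cert() {
    cert=${1:-/etc/ssl/servercerts/servercert.pem}
    key=${2:-/etc/ssl/servercerts/serverkey.pem}
    ca=${3:-/etc/ssl/cacert.pem}

    # 1: the condition Apache reports: a file does not exist or is empty.
    for f in "$cert" "$key" "$ca"; do
        if [ ! -s "$f" ]; then
            echo "FAIL: $f does not exist or is empty" >&2
            return 1
        fi
    done

    # 2: a non-empty file is not necessarily a certificate; it must parse.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert is not a readable X.509 certificate" >&2
        return 2
    fi

    # 3: the certificate must carry the public key of the server key.
    #    -passin pass: makes an encrypted key fail instead of prompting.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || key_pub=
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2
        return 3
    fi

    # 4: the certificate must verify against the CA from Step 1, which also
    #    rejects a certificate outside its validity period.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2
        return 4
    fi

    echo "OK: $cert, $key and $ca are consistent"
    return 0
}

# Usage, as root after Step 3 and before starting Apache2: check_apache_cert
```

A return code of 1 corresponds to the symptom in this document; codes 2 to 4 point to a problem in Step 2 or Step 3 rather than a missing file.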

document

Document Title: SSLCertificateFile: file '/etc/ssl/servercerts/servercert.pem' does not exist or is empty
Document ID: 10097845
Solution ID: NOVL102284
Creation Date: 02Jun2005
Modified Date: 02Jun2005
Novell Product Class: Linux

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.