From: Shawn R. <sr...@um...> - 2012-08-17 14:49:56

I used c_rehash to generate the symlinks as documented in the Cosign implementation docs. Info....

------------------------------------------------------------
[root@molar cosign-ca-dir]# sha512sum umwebCA.pem
e8de2020db961a1d20ef17752945ebdfdc089ceeb9d9370d6cbbac29f3c65711994e5e54a03338d3d6b03b711faa197c229b9eb9832be982fa0cd3eb65a79a04  umwebCA.pem
[root@molar cosign-ca-dir]# yum list authconfig
Loaded plugins: rhnplugin, security
Installed Packages
authconfig.x86_64    5.3.21-7.el5    installed
------------------------------------------------------------

I just removed them and used what you suggested, which generated as follows:

------------------------------------------------------------
[root@molar cosign-ca-dir]# rm -f *.0
[root@molar cosign-ca-dir]# ls -la
total 60
drwxr-x---  3 apache apache 4096 Aug 17 10:40 .
drwxr-xr-x 10 root   root   4096 Aug 14 14:33 ..
drwx------  2 root   root   4096 Aug 17 07:44 archive
-rw-------  1 root   root   1521 Aug 17 07:45 extCAroot.pem
-rw-------  1 root   root   5379 Aug 17 07:43 incommonCA.pem
-rw-------  1 root   root   3309 Aug 17 07:45 intermediate.pem
-rw-r--r--  1 root   root   1334 Aug 17 08:52 umwebCA.pem
[root@molar cosign-ca-dir]# cacertdir_rehash .
unable to load certificate
16755:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
[root@molar cosign-ca-dir]# ls -la
total 76
drwxr-x---  3 apache apache 4096 Aug 17 10:40 .
drwxr-xr-x 10 root   root   4096 Aug 14 14:33 ..
lrwxrwxrwx  1 root   root     13 Aug 17 10:40 3c58f906.0 -> extCAroot.pem
lrwxrwxrwx  1 root   root     11 Aug 17 10:40 4700e8dd.0 -> umwebCA.pem
lrwxrwxrwx  1 root   root     14 Aug 17 10:40 84df5188.0 -> incommonCA.pem
drwx------  2 root   root   4096 Aug 17 07:44 archive
lrwxrwxrwx  1 root   root     16 Aug 17 10:40 b0de3e19.0 -> intermediate.pem
-rw-------  1 root   root   1521 Aug 17 07:45 extCAroot.pem
-rw-------  1 root   root   5379 Aug 17 07:43 incommonCA.pem
-rw-------  1 root   root   3309 Aug 17 07:45 intermediate.pem
-rw-r--r--  1 root   root   1334 Aug 17 08:52 umwebCA.pem
------------------------------------------------------------

Also, it seems that the hash output for the umwebCA is not what you are saying it should be:

[root@molar cosign-ca-dir]# openssl x509 -hash -noout -in ./umwebCA.pem
4700e8dd

Thanks,

Shawn Rahl
Unix Administrator
Dental Informatics, School of Dentistry
University of Michigan
sr...@um...

On Fri, Aug 17, 2012 at 10:35 AM, Mark Montague <ma...@ca...> wrote:
> On August 17, 2012 10:27 , Shawn Rahl <sr...@um...> wrote:
>
>> Output....
>>
>> [root@molar cosign-ca-dir]# ls -la /etc/httpd/cosign-ca-dir
>> [...]
>>
>> lrwxrwxrwx 1 root root 11 Aug 17 07:51 fa84f4ea.0 -> umwebCA.pem
>> [...]
>>
>> -rw-r--r-- 1 root root 1334 Aug 17 08:52 umwebCA.pem
>> [root@molar cosign-ca-dir]# sha512sum umwebCA.pem
>> e8de2020db961a1d20ef17752945ebdfdc089ceeb9d9370d6cbbac29f3c65711994e5e54a03338d3d6b03b711faa197c229b9eb9832be982fa0cd3eb65a79a04  umwebCA.pem
>>
>> Be sure you have the following in that directory (note that this
>> will be different for people from other institutions):
>>
>> lrwxrwxrwx. 1 root root 11 Jul 10 11:22 5cc1e784.0 -> umwebCA.pem
>> -rw-r--r--. 1 root root 1334 Mar 19 10:56 umwebCA.pem
>>
>> Also make sure you have the correct CA root certificate:
>>
>> [root@minos certs]# sha512sum umwebCA.pem
>> e8de2020db961a1d20ef17752945ebdfdc089ceeb9d9370d6cbbac29f3c65711994e5e54a03338d3d6b03b711faa197c229b9eb9832be982fa0cd3eb65a79a04  umwebCA.pem
>> [root@minos certs]#
>>
>
> If you have the wrong hash -- as you seem to -- mod_cosign will not be
> able to find the CA root certificate for UM Web CA.
>
> How did you generate the hash symlink?
>
> If this is a Red Hat Enterprise Linux box, make sure you have the
> authconfig RPM installed, then run:
>
> cd /etc/httpd/cosign-ca-dir ; /usr/sbin/cacertdir_rehash .
>
> Or, if you have the c_rehash script from the OpenSSL source code
> distribution, run:
>
> cd /etc/httpd/cosign-ca-dir ; c_rehash .
>
> Also, you should be able to see the same output for:
>
> [root@minos certs]# openssl x509 -hash -noout -in ./umwebCA.pem
> 5cc1e784
> [root@minos certs]#
>
> Short form: fixing the hash symlink should solve the problem.
>
> --
> Mark Montague
> ma...@ca...
>
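A check for this kind of misconfiguration, added here as an example script (not from the thread, Cosign, or the authconfig package): for each certificate in a CA directory such as /etc/httpd/cosign-ca-dir it confirms that a symlink named after `openssl x509 -subject_hash` points at that file, and flags links that dangle or whose name no longer matches the hash of their target. It also prints the `-subject_hash_old` value, since OpenSSL 1.0.0 changed the subject-hash algorithm and a link named with the older form is not found by a newer library. It assumes certificates end in .pem and link targets are relative file names, as c_rehash creates them.

```shell
#!/bin/sh
# Added example (not from the thread or from Cosign): audit the hash
# symlinks in a CA directory such as /etc/httpd/cosign-ca-dir.
# Assumptions: CA certificates end in .pem; symlink targets are relative
# file names, as c_rehash and cacertdir_rehash create them.
# Returns 0 when every cert has a correct link and no link is dangling or stale.
check_cadir() {
    dir=$1
    rc=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue          # skips subdirectories such as archive/
        base=${pem##*/}
        new=$(openssl x509 -noout -subject_hash -in "$pem" 2>/dev/null) || {
            echo "BAD      $base: not a PEM certificate"; rc=1; continue; }
        # Old-style (pre-1.0.0) hash: a link carrying this name was made with an
        # older OpenSSL and will not be found by a newer one.
        old=$(openssl x509 -noout -subject_hash_old -in "$pem" 2>/dev/null || true)
        found=
        for link in "$dir/$new".[0-9]; do
            [ -L "$link" ] && [ "$(readlink "$link")" = "$base" ] && found=${link##*/}
        done
        if [ -n "$found" ]; then
            echo "OK       $base -> $found"
        else
            echo "MISSING  $base: expected link $new.N (old-style name would be ${old:-n/a})"
            rc=1
        fi
    done
    # Links that point nowhere, or whose name no longer matches the target's hash.
    for link in "$dir"/*.[0-9]; do
        [ -L "$link" ] || continue
        name=${link##*/}; name=${name%.*}
        target=$(readlink "$link")
        case $target in /*) path=$target ;; *) path=$dir/$target ;; esac
        if [ ! -f "$path" ]; then
            echo "DANGLING $name -> $target"; rc=1; continue
        fi
        actual=$(openssl x509 -noout -subject_hash -in "$path" 2>/dev/null || true)
        [ "$actual" = "$name" ] || { echo "STALE    $name -> $target (hash is ${actual:-n/a})"; rc=1; }
    done
    return $rc
}

check_cadir "${1:-/etc/httpd/cosign-ca-dir}"
```

Run it after c_rehash or cacertdir_rehash; a STALE or MISSING line for the root CA means mod_cosign will not find that certificate.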