From: Harald w. <wa...@re...> - 2002-08-30 07:37:31
Hi dears, here is my report for installing OpenCA-0.8.6 on SuSE 8.0.

First I make an update with all patch rpms from SuSE. To compile ocspd I need to install openssl-devel-0.9.8-1. It's easy to download the rpm from openssl and do

  rpm -U openssl-devel-0.9.8-1.i386.rpm

I also install

  rpm -i --force openssl-0.9.8-1.i386.rpm

The problem with the installation of openssl-0.9.8-1 is this:

  file /usr/bin/c_rehash from install of openssl-0.9.8-1 conflicts with file from package openssl-0.9.6c-29
  file /usr/bin/openssl from install of openssl-0.9.8-1 conflicts with file from package openssl-0.9.6c-29
  file /usr/lib/libcrypto.so.0 from install of openssl-0.9.8-1 conflicts with file from package openssl-0.9.6c-29
  file /usr/lib/libssl.so.0 from install of openssl-0.9.8-1 conflicts with file from package openssl-0.9.6c-29

I hope this works for the other programs which use openssl too.

Then I update the openssl perl module (I don't know if it is necessary):

  # tar xzf OpenCA-OpenSSL-0.8.43.tar.gz
  # cd OpenCA-OpenSSL-0.8.43
  # perl Makefile.pl
  Can't open perl script "Makefile.pl": No such file or directory
  # ls
  .  ..  Changes  LICENSE  MANIFEST  Makefile.PL  OpenSSL.pm  doc  test  test.pl
  # perl Makefile.PL
  Checking if your kit is complete...
  Looks good
  Writing Makefile for OpenCA::OpenSSL
  # make
  cp OpenSSL.pm blib/lib/OpenCA/OpenSSL.pm
  Manifying blib/man3/OpenCA::OpenSSL.3pm
  # make install
  Installing /usr/lib/perl5/site_perl/5.6.1/OpenCA/OpenSSL.pm
  Installing /usr/share/man/man3/OpenCA::OpenSSL.3pm
  Writing /usr/lib/perl5/site_perl/5.6.1/i586-linux/auto/OpenCA/OpenSSL/.packlist
  Appending installation info to /usr/lib/perl5/5.6.1/i586-linux/perllocal.pod

In configure I miss the entry for scripts/openca-unrevoke. I edit configure with vi: in line 3233 I added at position 359 "scripts/openca-unrevoke" with only one blank before and after as delimiter to the other entries. At line 3744 I copy this line and replace newcert with unrevoke in the new line. It looks like this:

  "scripts/openca-newcert" ) CONFIG_FILES="$CONFIG_FILES scripts/openca-newcert" ;;
  "scripts/openca-unrevoke" ) CONFIG_FILES="$CONFIG_FILES scripts/openca-unrevoke" ;;

In configure.in the same problem: with vi I do in line 259 a copy of this line and replace newcert with unrevoke. It looks now like this:

  scripts/openca-unrevoke
  scripts/openca-dblist

Then I call configure:

  ./configure --prefix=/home/full-ca --with-user=wwwrun --with-group=nogroup \
    --with-ca=/home/full-ca/OpenCA --with-ca-htdocs=/home/full-ca/htdocs-ca \
    --with-ca-cgi=/home/full-ca/cgi-ca \
    --with-raserver=/home/RAServer \
    --with-raserver-htdocs=/home/RAServer/htdocs-raserver \
    --with-raserver-cgi=/home/RAServer/cgi-raserver \
    --with-public-htdocs=/home/RAServer/htdocs-public \
    --with-public-cgi=/home/RAServer/cgi-public \
    --with-base-url=results-security.de \
    --with-org=results-security \
    --with-country=DE \
    --with-loc=Hannover \
    --with-ldap-url=ldap.results-security.de \
    --with-ldap-port=389 \
    --with-ldap-root="cn=LDAP_Manager,c=DE" \
    --with-ldap-root-pwd=ajfqfjqfsomethinlikethis

In the Makefile ./src/modules/openca-ocspd/src/Makefile in line 95 I delete the entry -lfl. My line looks now like this:

  OCSPD_INCLUDE_LIBS = -ldl

Perhaps I made a mistake above, so I have to edit once again: in scripts/Makefile in line 44 the " must be closed right after openca-unrevoke, I have to delete the space; it looks like this:

  openca-unrevoke"

Now I can do make all and make install. If you type only make it will do a make all. For information do a make info.

Next problem: when I generate a CA request (step 3, "Generate new CA Certificate Request (use generated secret key)") on initialization on http://full-ca I get this error message in the error_log of apache:

  Can't use an undefined value as an ARRAY reference at /usr/lib/perl5/site_perl/5.6.1/OpenCA/OpenSSL.pm line 234.

I change /home/full-ca/cgi-ca/cmds/genCAReq near line 57 (before, I tried some things and created debug outputs, so now I don't know the original file in detail anymore. Hint: I threw away the L=$l and changed the SUBJECT to the DN parameter.)

  #$cryptoShell->genReq( KEYFILE=>"$cakeyFile",
  #                      OUTFILE=>"$careqFile",
  #                      SUBJECT => "Email=$email,CN=$cn,OU=$ou,O=$o,C=$c",
  #                      PASSWD => $pwd );
  $cryptoShell->genReq( KEYFILE=>"$cakeyFile",
                        OUTFILE=>"$careqFile",
                        DN => ["$email","$cn","$ou","$o","$c"],
                        PASSWD => $pwd );

Now step 3 works. Then I do step 5, "Generate Self Signed CA Certificate (from already generated request)". It is OK.

Before step 6, "Export CA certificate", I do:

  chown root.disk /dev/fd0
  chmod 660 /dev/fd0
  chmod 666 /dev/fd0

I think there may be a better solution than giving everybody access to the floppy. Perhaps I use sudo and change the cgi script in such a way that only the necessary things work.

Now I can change to the RAServer and do these three steps:

  RAServer init/Initialize Database
  RAServer init/Import CA certificate   (the floppy with the CA certificate must be present)
  RAServer init/Rebuild CA Chain

It looks like "all things working fine".

For beginners: the apache and DNS have to be configured:

  Listen 80
  Listen 443

-> we use virtual hosting, l101 is the name of my setup PC, this must be in your DNS:

  BindAddress l101.intern.results-hannover.de:80
  BindAddress l101.intern.results-hannover.de:443
  NameVirtualHost l101.intern.results-hannover.de:80
  NameVirtualHost l101.intern.results-hannover.de:443

-> then I use include files:

  include /home/full-ca/apache.conf
  include /home/RAServer/apache.conf

-> For an example the file /home/full-ca/apache.conf; you need an alias in your DNS for this hostname which points to l101:

  <VirtualHost ca.intern.results-hannover.de:80>
      ServerAdmin ro...@l1...
      DocumentRoot /home/full-ca/htdocs-ca
      ServerName ca.intern.results-hannover.de
      <Directory "/home/full-ca/htdocs-ca">
          Options Indexes FollowSymlinks MultiViews
          AllowOverride None
          Order allow,deny
          Allow from all
      </Directory>
      ScriptAlias /cgi-bin/ "/home/full-ca/cgi-ca/"
      <Directory "/home/full-ca/cgi-ca">
          AllowOverride None
          Options None
          Order allow,deny
          Allow from all
      </Directory>
  </VirtualHost>

Greetings
--
Dr. Harald Wallus
Results GmbH
Am Listholze 78, D-30177 Hannover
Tel: +49(0)511 90 95 1-23
Fax: +49(0)511 90 95 1-90
Email: wa...@re...
Internet: http://www.results-hannover.de
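The post leaves open its own question about "chmod 666 /dev/fd0": a world-writable floppy device lets any local user read or overwrite the exported CA certificate. The script below is an added example for this thread, not code from OpenCA or from the original post, of the sudo-based alternative the author mentions. Root installs it as a wrapper that does exactly one thing (mount the floppy, copy the CA certificate to a fixed name, unmount) and grants the web-server user a single sudo rule for it, so /dev/fd0 keeps its root.disk 660 permissions. The path of cacert.pem, the mount point /mnt/floppy, the sudoers line and the install path /usr/local/sbin/openca-export-ca are assumptions for the example; wwwrun and /dev/fd0 are taken from the post.

```shell
#!/bin/sh
# openca-export-ca: restricted CA-certificate export wrapper.
# Added example for this thread, not part of OpenCA or of the original post.
# Instead of "chmod 666 /dev/fd0", root installs this script and grants the
# web-server user one sudo rule for it, e.g. in /etc/sudoers (assumed line):
#     wwwrun ALL=(root) NOPASSWD: /usr/local/sbin/openca-export-ca
# and the export CGI runs "sudo /usr/local/sbin/openca-export-ca".
# Assumed values (not from the original post): the cacert.pem location,
# the mount point /mnt/floppy and the install path of this script.

CACERT="${CACERT:-/home/full-ca/OpenCA/cacert.pem}"
FLOPPY_DEV="${FLOPPY_DEV:-/dev/fd0}"
MOUNT_DIR="${MOUNT_DIR:-/mnt/floppy}"

# export_ca_cert SRC DESTDIR
# Copies SRC to DESTDIR/cacert.pem under a fixed name with mode 0644.
# Only a regular, readable PEM certificate is accepted, so the sudo rule
# cannot be turned into a way to read or write arbitrary files as root.
# Returns 0 on success, 1 if the input is refused, 2 if the copy fails.
export_ca_cert() {
    src="$1"
    dest="$2"
    [ -f "$src" ] && [ -r "$src" ] || return 1
    grep -q -e '^-----BEGIN CERTIFICATE-----' "$src" || return 1
    [ -d "$dest" ] || return 1
    cp "$src" "$dest/cacert.pem" || return 2
    chmod 644 "$dest/cacert.pem" || return 2
    return 0
}

# export_to_floppy: mount the floppy, export, unmount. The floppy is
# unmounted even when the export fails, and the export's code is returned.
export_to_floppy() {
    mount "$FLOPPY_DEV" "$MOUNT_DIR" || return 2
    export_ca_cert "$CACERT" "$MOUNT_DIR"
    rc=$?
    umount "$MOUNT_DIR"
    return $rc
}

# Only touch the floppy when invoked under the installed script name;
# sourcing the file just defines the functions.
case "${0##*/}" in
    openca-export-ca) export_to_floppy; exit $? ;;
esac
```

The CGI never names a source or destination path: both are fixed inside the script, which is what makes the NOPASSWD rule safe to grant. The same pattern applies to the RAServer side ("Import CA certificate" reads the floppy), with a read-only wrapper instead of the export.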