[Openca-Users] Report OpenCA 0.8.1.6 on SuSE8.0

[Harald w. <wa...@re...>]

Hi dears,

here my report for installing OpenCA-0.8.6 an SuSE8.0.

First I make an update with all patch.rpms from use .

To compile ocspd  I need to install openssl-devel-0.9.8-1.
Its easy to download the rpm from openssl and do
 rpm -U   openssl-devel-0.9.8-1.i386.rpm
I also install=20
 rpm -i --force openssl-0.9.8-1.i386.rpm
The problem with installation of openssl-0.9.8-1 is, is this:
file /usr/bin/c_rehash from install of openssl-0.9.8-1 conflicts with fil=
e=20
from package openssl-0.9.6c-29
file /usr/bin/openssl from install of openssl-0.9.8-1 conflicts with file=
 from=20
package openssl-0.9.6c-29
file /usr/lib/libcrypto.so.0 from install of openssl-0.9.8-1 conflicts wi=
th=20
file from package openssl-0.9.6c-29
file /usr/lib/libssl.so.0 from install of openssl-0.9.8-1 conflicts with =
file=20
from package openssl-0.9.6c-29
I hope this works for the other programms which use openssl too.

The I update the openssl perl-modul (I don't know if it is necessary):
#tar xzf OpenCA-OpenSSL-0.8.43.tar.gz
#cd OpenCA-OpenSSL-0.8.43
#perl Makefile.pl
Can't open perl script "Makefile.pl": No such file or directory
 #ls
=2E  ..  Changes  LICENSE  MANIFEST  Makefile.PL  OpenSSL.pm  doc  test  =
test.pl
#perl Makefile.PL
Checking if your kit is complete...
Looks good
Writing Makefile for OpenCA::OpenSSL
# make
cp OpenSSL.pm blib/lib/OpenCA/OpenSSL.pm
Manifying blib/man3/OpenCA::OpenSSL.3pm
t# make install
Installing /usr/lib/perl5/site_perl/5.6.1/OpenCA/OpenSSL.pm
Installing /usr/share/man/man3/OpenCA::OpenSSL.3pm
Writing=20
/usr/lib/perl5/site_perl/5.6.1/i586-linux/auto/OpenCA/OpenSSL/.packlist
Appending installation info to /usr/lib/perl5/5.6.1/i586-linux/perllocal.=
pod



In configure I miss the entry for scripts/openca-unrevoke:
I edit configure with vi: In line 3233 I added at position 359
scripts/openca-unrevoke with only one blank before and after as limiter t=
o the=20
other entrys.
At line 3744 I copy this line and replace in the new line newcert with=20
unrevoke. It looks like this:
 "scripts/openca-newcert" ) CONFIG_FILES=3D"$CONFIG_FILES=20
scripts/openca-newcert" ;;
 "scripts/openca-unrevoke" ) CONFIG_FILES=3D"$CONFIG_FILES=20
scripts/openca-unrevoke" ;;
In configure.in the same problem:With vi  I do in line 259 a copy of this=
 line=20
and replace newcert
with unrevoke. It looks now like this:
                scripts/openca-unrevoke
                scripts/openca-dblist



The I call configure:
=2E/configure prefix=3D/home/full-ca --with-user=3Dwwwrun  --with-group=3D=
nogroup \
   --with-ca=3D/home/full-ca/OpenCA --with-ca-htdocs=3D/home/full-ca/htdo=
cs-ca\
   --with-ca-cgi=3D/home/full-ca/cgi-ca\
   --with-raserver=3D/home/RAServer \
   --with-raserver-htdocs=3D/home/RAServer/htdocs-raserver \
   --with-raserver-cgi=3D/home/RAServer/cgi-raserver \
   --with-public-htdocs=3D/home/RAServer/htdocs-public\
   --with-public-cgi=3Dhome/RAServer/cgi-public\
   --with-base-url=3Dresults-security.de\
   --with-org=3Dresults-security\
   --with-country=3DDE\
   --with-loc=3DHannover\
   --with-ldap-url=3Dldap.results-security.de\
   --with-ldap-port=3D389\
   --with-ldap-root=3D"cn=3DLDAP_Manager,c=3DDE"\
   --with-ldap-root-pwd=3Dajfqfjqfsomethinlikethis

In Makefile ./src/modules/openca-ocspd/src/Makefile in line 95
I delete the entry -lfl. My line looks now like this:
OCSPD_INCLUDE_LIBS =3D -ldl

Perhaps I do a mistake above, so I have to edit once again:
In  scripts/Makefile in line 44 the " must be closed to openca-unrevoke, =
I=20
have to delete the space; it looks like this:
         openca-unrevoke"



Now I can do
   make all
and do
   make install
If you type only make it will do a make all. For information do a make in=
fo.


Next Problem:
When I generate a CA-Request (step 3: # Generate new CA Certificate Reque=
st=20
(use generated secret key);)
on initialization on http:..full-ca  I get this error message in
error_log of apache:
Can't use an undefined value as an ARRAY reference at=20
/usr/lib/perl5/site_perl/5.6.1/OpenCA/OpenSSL.pm line 234.

I change in /home/full-ca/cgi-ca/cmds/genCAReq near line 57 (before, I tr=
y=20
some things and create debug outputs,
now I don't know anymore the original file in detail, Hint: I thrown away=
 the=20
L=3D$l and change the SUBJECT to DN-Parameter.)
#$cryptoShell->genReq( KEYFILE=3D>"$cakeyFile",
#                       OUTFILE=3D>"$careqFile",
#                       SUBJECT =3D> "Email=3D$email,CN=3D$cn,OU=3D$ou,O=3D=
$o,C=3D$c",
#                       PASSWD =3D> $pwd );
$cryptoShell->genReq( KEYFILE=3D>"$cakeyFile",
                        OUTFILE=3D>"$careqFile",
                        DN =3D> ["$email","$cn","$ou","$o","$c"],
                        PASSWD =3D> $pwd );
Now step 3 works.
Then I do step 5 # Generate Self Signed CA Certificate (from altready=20
generated request); Is OK.

Before Step 6 # Export CA certificate; I do:
 chown root.disk /dev/fd0
 chmod 660 /dev/fd0
 chmod 666 /dev/fd0
I think, there my be a better solution than give access for everybody to =
the=20
floppy.
Perhaps I use sudo and change the cgi-script in that way, that only the=20
necessary works.


Now I can change to RASserver and do these three steps:
RAServer init/Initialize Database
RAServer init/Import CA certificate   The floppy with CA-Certificate must=
 be=20
present
RAServer init/Rebuild CA Chain

It looks like "all things working fine".

For beginners: the apache and DNS  have to be configured:=20
Listen 80
Listen 443,
 ->  we use Virtuel hosting, l101 is the name of my setup-PC , this must =
be in=20
your DNS
BindAddress l101.intern.results-hannover.de:80
BindAddress l101.intern.results-hannover.de:443

NameVirtualHost l101.intern.results-hannover.de:80
NameVirtualHost l101.intern.results-hannover.de:443
-> then I use include-files
include /home/full-ca/apache.conf
include /home/RAServer/apache.conf

-> For an example the file /home/full-ca/apache.conf, you need an alias i=
n=20
your DNS for this hostname which point to l101:

<VirtualHost ca.intern.results-hannover.de:80>
    ServerAdmin ro...@l1...
    DocumentRoot /home/full-ca/htdocs-ca
    ServerName ca.intern.results-hannover.de


  <Directory "/home/full-ca/htdocs-ca">
        Options Indexes FollowSymlinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>



ScriptAlias /cgi-bin/ "/home/full-ca/cgi-ca/"

  <Directory "/home/full-ca/cgi-ca">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>

</VirtualHost>


Greetings
--=20
Dr. Harald Wallus
Results GmbH=20
Am Listholze 78, D-30177 Hannover=20
Tel: +49(0)511 90 95 1-23  Fax: +49(0)511 90 95 =3D 1-90=20
Email: wa...@re...=20
Internet: http://www.results-hannover.de=20