Clayton - 2013-09-06

Ok, I'm trying to generate a certificate for murmur, and I am at a complete loss here guys. Any help or advice is greatly appreciated.

I started by generating the mumble.key. Simple enough, continued on the create a domain and validate it, and generate the ssl_mumble.crt. I do NOT have a subdomain registered with my domain, so when StartCom asked for one, I used something that doesn't truly exist. Regardless, it accepted and generated the key. This is where things kinda break down. I'm using Win7 x64, so cat isn't exactly a viable command. Instead I'm using the "type" command as follows:

type sub.class1.server.ca.pem > ssl_mumble_concat.crt
type ssl_mumbl.crt >> ssl_mumble_concat.crt

Pointing the murmur.ini to these files and running murmur.exe -wipessl comes up with the "Failed to find certificate matching private key" error. Right, so, http://mumble.sourceforge.net/Obtaining_a_StartCom_Murmur_Certificate covers this, stating

If you've followed the above instructions, but murmur reports "Failed to find certificate matching private key" on startup, your system certificates are possibly outdated. Debian 5.0 Lenny is affected by this. To solve this issue, add the StartCom Certificate Authority certificate to the certificates file by running the next command in the directory containing ssl_mumble_concat.crt:

So I did such, using:

type ca.pem >> ssl_mumble_concat.crt

And of course, I have the same issue, "Failed to find certificate matching private key". So I decide to check if the key and certificate match, using:

openssl x509 -noout -modulus -in ssl_mumble_concat.crt | openssl md5
openssl rsa -noout -modulus -in mumble.key | openssl md5

The two mismatched. Right, so that won't work, let's take it back an iteration and concatenate the ssl_mumble_concat.crt without the ca.pem.

Still a mismatch, so let's see if the mumble.key and ssl_mumble.crt match. Funny thing, the mumble.key and ssl_mumble.crt stdin match when using the x509 and rsa checks.So I'm a little confused as to why the concatenation step exists. But, I think that may be where my error is.

So moving on, I then try to point the sslcertificate in the murmur.ini to ssl_mumble.crt. This time, the server actually runs. Great! The only problem now is I can't get a client to join. I'm getting the following error on the server:
"<1:(-1)> SSL Error: No certificates could be verified"

To summarize, my issues are:
-combining sub.class1.server.ca.pem and ssl_mumble with or without combining ca.pem results in a "Failed to find certificate matching private key," and the x509 and rsa openssl modules confirm this.
-Using only the ssl_mumble.crt with the mumble.key matches, however, results in certificates not being verified when a client attempts to join.

My questions are:
-What am I doing wrong in creating a certificate for murmur?
-Why does the concatenation step exist when it causes the key and the certificate to not match? Does the concatenation exist so that certificates have a way to be verified?

Thanks!