Forum OpenACS Q&A: SSL Module Fails to Load

Posted by Glen McInnis on
I need a little help with SSL config for AOLserver.

I am using AOL 3.3.1, nsopenssl 2.0, RedHat 6.2 but I cannot get
things running.

I created cert and key files as described at
http://pascal.scheffers.net/patch/openssl.txt

However my logs show an error when trying to load the key file. Why
is it asking to enter the PEM pass phrase? Relevant part of log is
below.

Any help would be appreciated.

-------------------------------------------------------------------

[10/Sep/2001:15:27:42][22271.1024][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so'

[10/Sep/2001:15:27:42][22271.1024][-main-] Notice: nsopenssl: ServerTrace = 0

[10/Sep/2001:15:27:42][22271.1024][-main-] Notice: nsopenssl: ServerProtocols = SSLv2, SSLv3, TLSv1

[10/Sep/2001:15:27:42][22271.1024][-main-] Notice: nsopenssl: Using SSLv2 protocol

[10/Sep/2001:15:27:42][22271.1024][-main-] Notice: nsopenssl: Using SSLv3 protocol

[10/Sep/2001:15:27:42][22271.1024][-main-] Notice: nsopenssl: Using TLSv1 protocol

[10/Sep/2001:15:27:42][22271.1024][-main-] Notice: nsopenssl: ServerCipherSuite = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

[10/Sep/2001:15:27:42][22271.1024][-main-] Notice: nsopenssl: ServerCertFile = /usr/local/aolserver/servers/loada/modules/nsopenssl/site.crt

[10/Sep/2001:15:27:42][22271.1024][-main-] Notice: nsopenssl: ServerKeyFile = /usr/local/aolserver/servers/loada/modules/nsopenssl/site.key
Enter PEM pass phrase:

[10/Sep/2001:15:27:42][22271.1024][-main-] Error: nsopenssl: error loading private key file "/usr/local/aolserver/servers/loada/modules/nsopenssl/site.key"

[10/Sep/2001:15:27:42][22271.1024][-main-] Error: modload: failed to load 'nsopenssl.so': 'Ns_ModuleInit' returned -1

[10/Sep/2001:15:27:42][22271.1024][-main-] Fatal: modload: failed to load module 'nsopenssl.so'

Posted by S. Y. on
I think you added a challenge passphrase. Generate a new key/cert pair without it or strip out the passphrase following the instructions right here. Also, some folks were working on an nsopenssl HOWTO. Try the search engine and see if they've finished it up.
Posted by S. Y. on
Oops, never mind about my comment about seeking out the HOWTO. It looks like you found it.
Posted by Andrew Piskorski on
Glen, you need to strip the passphrase out of your SSL key. Here's how I've done it:

To generate a self-signed cert. and then strip out the passphrase so it will work with AOLserver, do:

$ /usr/local/ssl/bin/openssl req -new -x509 -keyout key+pass.pem -out certfile.pem -days 365
$ /usr/local/ssl/bin/openssl rsa -in key+pass.pem -out keyfile.pem
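
Added example, not part of the thread: a key with its passphrase stripped is stored in cleartext, so the file mode is the only thing protecting it. This sketch tells from the PEM markers whether a key file would trigger the "Enter PEM pass phrase:" prompt and, if not, whether it is readable by anyone but its owner. The function names and the sample files (headers only, no real key material) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a PEM private key and check its file mode.

# Returns 0 if the PEM key in $1 is passphrase-protected, 1 if not.
key_is_encrypted() {
    # Traditional OpenSSL format marks encryption in a header line;
    # PKCS#8 uses a distinct BEGIN marker.
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Returns 0 if $1 has no group/other permission bits set.
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints a one-line verdict for key file $1.
check_key() {
    if key_is_encrypted "$1"; then
        echo "encrypted: server will prompt for a pass phrase at startup"
    elif key_perms_ok "$1"; then
        echo "unencrypted, owner-only: ok"
    else
        echo "unencrypted, readable by group/other: chmod 600"
    fi
}

# Constructed sample files (headers only, no real key material).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'AAAA' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/key+pass.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/keyfile.pem"
chmod 644 "$demo_dir/keyfile.pem"

check_key "$demo_dir/key+pass.pem"
check_key "$demo_dir/keyfile.pem"
chmod 600 "$demo_dir/keyfile.pem"
check_key "$demo_dir/keyfile.pem"
```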