Forum .LRN Q&A: SSL Installation Problem

Posted by Ashem Yadava on
Hi

I am trying to run AOLserver with SSL support. I have been able to successfully install nsopenssl and have also generated the certificate and the key.

However, when I try to access the server, the browser shows retrieving 370 B from 127.0.0.1:8000 and then it says page could not be loaded. While with 127.0.0.1:8443, I get the message - The server is broken.

But if I comment the line from the configuration file for nsopenssl.so, the server runs just fine.

The following is a section of the error.log, if this can be of any help. While loading, the CA certificate file ca.pem is not found. Also, it says ssl_outgoing_context does not exist.

Also, is there any working configuration file that I can use to compare with mine?

Many thanks
------------
05/Jun/2004:03:00:10][11514.16384][-main-] Notice: nsmain: AOLserver/4.0 starting

----------[LINES OMITTED]-------

[05/Jun/2004:03:00:10][11514.16384][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsopenssl.so'
[05/Jun/2004:03:00:10][11514.16384][-main-] Notice: nsopenssl (mscncc): loading SSL context 'ssl_incoming_requests_context'
[05/Jun/2004:03:00:10][11514.16384][-main-] Notice: nsopenssl (mscncc): 'ssl_incoming_requests_context' ciphers loaded successfully
[05/Jun/2004:03:00:10][11514.16384][-main-] Notice: nsopenssl (mscncc): 'ssl_incoming_requests_context' using SSLv3 protocol
[05/Jun/2004:03:00:10][11514.16384][-main-] Notice: nsopenssl (mscncc): 'ssl_incoming_requests_context' using TLSv1 protocol
[05/Jun/2004:03:00:10][11514.16384][-main-] Notice: nsopenssl (mscncc): 'ssl_incoming_requests_context' key loaded successfully
[05/Jun/2004:03:00:10][11514.16384][-main-] Notice: nsopenssl (mscncc): 'ssl_incoming_requests_context' certificate loaded successfully
[05/Jun/2004:03:00:10][11514.16384][-main-] Notice: nsopenssl (mscncc): 'ssl_incoming_requests_context' failed to load CA certificate file '/usr/local/aolserver/servers/mscncc/modules/nsopenssl/ca.pem'
[05/Jun/2004:03:00:10][11514.16384][-main-] Error: nsopenssl (mscncc): 'ssl_incoming_requests_context' CA certificate file is not readable or does not exist
[05/Jun/2004:03:00:10][11514.16384][-main-] Notice: nsopenssl (mscncc): loading SSL context 'ssl_outgoing_context'
[05/Jun/2004:03:00:10][11514.16384][-main-] Error: nsopenssl (mscncc): failed to find SSL context 'ssl_outgoing_context' in configuration file
[05/Jun/2004:03:00:10][11514.16384][-main-] Warning: nsopenssl (mscncc): attempt to add SSL context to server failed
[05/Jun/2004:03:00:10][11514.16384][-main-] Error: nsopenssl (mscncc): SSL context passed to NsOpenSSLContextValidate is NULL
[05/Jun/2004:03:00:10][11514.16384][-main-] Error: nsopenssl (mscncc): SSL context 'ssl_outgoing_context' left uninitialized
[05/Jun/2004:03:00:10][11514.16384][-main-] Notice: nsopenssl (mscncc): default SSL context for server is ssl_incoming_requests_context
[05/Jun/2004:03:00:10][11514.16384][-main-] Notice: default server SSL context: ssl_incoming_requests_context
[05/Jun/2004:03:00:10][11514.16384][-main-] Error: nsopenssl (mscncc): SSL context 'ssl_outgoing_context' doesn't exist; can't use it as a default
[05/Jun/2004:03:00:10][11514.16384][-main-] Notice: nsopenssl (mscncc): loading 'ssl_incoming_requests_driver' SSL driver
[05/Jun/2004:03:00:10][11514.16384][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsdb.so'

Posted by Bart Teeuwisse on
Ashem,

the problem obviously is in ca.pem. Is the file readable to AOLserver? Is it a valid CA certificate? Maybe you can post it here?

/Bart

Posted by Ashem Yadava on
Bart

Thanks for the prompt reply. I do not have the file ca.pem. Is it automatically generated while making the certificates? I have generated the certfile.pem and keyfile.pem twice. But there is no ca.pem in the folder.
Do I need to copy it from somewhere?

Posted by Bart Teeuwisse on
Ashem,

follow the instructions in http://sial.org/howto/openssl/self-signed/ including the link to create a CA (http://sial.org/howto/openssl/ca/). Then make sure that the files are where your nsopenssl config section says they are.

/Bart
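
As an added example (not part of the original thread and not nsopenssl's own code), the script below sorts nsopenssl startup messages like those in the log above into what loaded, which files could not be read, and which SSL contexts are referenced without being defined, then checks each reported path on disk. The regular expressions assume only the message wording quoted in this thread, and the function names are hypothetical.

```python
import os
import re

# Lines taken from the error.log quoted in the thread above.
SAMPLE_LOG = """\
[05/Jun/2004:03:00:10][11514.16384][-main-] Notice: nsopenssl (mscncc): 'ssl_incoming_requests_context' key loaded successfully
[05/Jun/2004:03:00:10][11514.16384][-main-] Notice: nsopenssl (mscncc): 'ssl_incoming_requests_context' certificate loaded successfully
[05/Jun/2004:03:00:10][11514.16384][-main-] Notice: nsopenssl (mscncc): 'ssl_incoming_requests_context' failed to load CA certificate file '/usr/local/aolserver/servers/mscncc/modules/nsopenssl/ca.pem'
[05/Jun/2004:03:00:10][11514.16384][-main-] Error: nsopenssl (mscncc): failed to find SSL context 'ssl_outgoing_context' in configuration file
"""

LINE = re.compile(r"\]\s*(Notice|Warning|Error): nsopenssl \((?P<server>[^)]+)\): (?P<msg>.*)$")
LOADED = re.compile(r"^'(?P<ctx>[^']+)' (?P<what>key|certificate|ciphers) loaded successfully")
FAILED_FILE = re.compile(r"^'(?P<ctx>[^']+)' failed to load (?P<what>.+?) file '(?P<path>[^']+)'")
MISSING_CTX = re.compile(r"^failed to find SSL context '(?P<ctx>[^']+)' in configuration file")

def diagnose(log_text):
    """Return (loaded, missing_files, undefined_contexts) from nsopenssl startup lines."""
    loaded, missing_files, undefined = {}, [], []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an nsopenssl message
        if (hit := LOADED.match(m["msg"])):
            loaded.setdefault(hit["ctx"], []).append(hit["what"])
        elif (hit := FAILED_FILE.match(m["msg"])):
            missing_files.append((hit["ctx"], hit["what"], hit["path"]))
        elif (hit := MISSING_CTX.match(m["msg"])) and hit["ctx"] not in undefined:
            undefined.append(hit["ctx"])
    return loaded, missing_files, undefined

def file_problem(path):
    """Say why path cannot be read, or return None if it can."""
    # os.access tests the current user: run this as the account AOLserver runs under.
    if not os.path.exists(path):
        return "does not exist"
    if not os.access(path, os.R_OK):
        return "is not readable by this user"
    return None

if __name__ == "__main__":
    loaded, missing_files, undefined = diagnose(SAMPLE_LOG)
    for ctx, items in loaded.items():
        print(f"{ctx}: loaded {', '.join(items)}")
    for ctx, what, path in missing_files:
        print(f"{ctx}: {what} file {path} {file_problem(path) or 'is readable now'}")
    for ctx in undefined:
        print(f"{ctx}: referenced but has no section in the configuration file")
```

To check a real server, pass the contents of its error.log to `diagnose` in place of `SAMPLE_LOG`.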

Posted by Ashem Yadava on
Thanks Bart

I will try and get back to you ASAP.

Ashem