Error opening ca certificate ca pem



unixforum.org

Forum for users of UNIX-like systems

Solved: Openssl

Post by Sapphire » 09.07.2006 00:55

When creating a certificate I get the following error:
openssl ca -extfile /etc/ssl/openssl.cnf -extensions server -out certs/Cserv.pem -infiles req/Rserv.pem

Using configuration from /etc/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
630:error:02001002:system library:fopen:No such file or directory:bss_file.c:278:fopen('./demoCA/private/cakey.pem','r')
630:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:280:
unable to load CA private key

The funny thing is, I look for /demoCA/private/cakey.pem and can't find it.

Re: Solved: Openssl

Post by shrikes » 01.08.2006 18:31

Try specifying absolute paths to the files.

Re: Solved: Openssl

Post by Naruto-kun » 05.01.2010 08:19

1) Then, if I try it like this:

If the wiki is to be believed:

And if I have understood everything correctly, it works out like this:
(1) Signing:
1) Hash the message -> get the message hash (MH).
2) Encrypt the MH with the private key -> get the encrypted message hash (EMH) (the signature).
3) The EMH is combined with the certificate -> [EMH+Cert].
4) And the message is signed with the resulting [EMH+Cert].
(2) Verification:
1) Split the message into the message and the signature.
2) Hash the message to get hash H1.
3) Decode the signature to get hash H2.
4) Compare H1 and H2; if they match, verification passes, otherwise it fails.

So what I want to know is why I get the errors, and how to do with openssl what the wiki (the picture) shows, if it can be trusted at all.
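The sign/verify sequence listed in the post above, done with openssl(1). This is an added example, not code from the thread. It assumes openssl is on PATH; the key and file names and the message text are constructed for the demo. One practical caveat: `openssl dgst -sign` does not do a bare "encrypt the hash with the private key"; it hashes the file and wraps the hash in a padded RSA signature (PKCS#1), and `-verify` recomputes the hash and checks it against that signature with the public key, which is the H1 == H2 comparison.

```sh
#!/bin/sh
# Added example: a detached RSA/SHA-256 signature made and checked with openssl(1).
# "dgst -sign" hashes the file and signs the hash with the private key; "dgst -verify"
# rehashes the file and checks the signature with the public key (the H1 == H2 step).
# Assumes openssl(1) on PATH; file names and the message text are constructed.
set -eu

# make_keypair DIR : 2048-bit RSA private key and the matching public key
make_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/signer.key" 2>/dev/null
  openssl pkey -in "$1/signer.key" -pubout -out "$1/signer.pub" 2>/dev/null
}

# sign_file KEY MSG SIG : detached signature of MSG written to SIG
sign_file() {
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_file PUB MSG SIG : prints ok or bad and returns 0 or 1
verify_file() {
  if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo bad; return 1
  fi
}

# demo DIR : sign a constructed message, verify it, then verify a tampered copy
demo() {
  make_keypair "$1"
  printf 'transfer 100 to alice\n' > "$1/msg.txt"
  sign_file "$1/signer.key" "$1/msg.txt" "$1/msg.sig"
  good=$(verify_file "$1/signer.pub" "$1/msg.txt" "$1/msg.sig" || true)
  # same signature, different message: the recomputed hash no longer matches
  printf 'transfer 900 to mallory\n' > "$1/tampered.txt"
  bad=$(verify_file "$1/signer.pub" "$1/tampered.txt" "$1/msg.sig" || true)
  echo "original: $good, tampered: $bad"
}

if command -v openssl >/dev/null 2>&1; then
  workdir=$(mktemp -d)
  demo "$workdir"
  rm -rf "$workdir"
else
  echo "openssl(1) not found on PATH; nothing to demonstrate" >&2
fi
```

Step 3 of the signing list, attaching the signer's certificate to the signature, is what a CMS/S-MIME signature does rather than a bare `dgst` signature; with openssl that is `openssl cms -sign -signer cert.pem -inkey key.pem -in msg.txt -out msg.p7m` on one side and `openssl cms -verify -CAfile ca.pem -in msg.p7m` on the other, where the verifier checks the embedded certificate against a CA it already trusts.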


Question about Openssl

Using configuration from /usr/lib/ssl/openssl.cnf

Error opening CA private key ./demoCA/private/cakey.pem

Got it, I went and fixed openssl.cnf.

openssl req -newkey rsa:1024 -keyout moonkey.pem -out mooncert.pem

openssl ca -in moonkey.pem -days 730 -out mooncert.pem -notext

Your CSR and your certificate have the same name.

Thanks for the hint, I figured it out and signed it. Now the actual question:

What is 01.pem?

Plus, creating a CRL.

As for the CRL, your config says:

01.pem is your certificate :) ($serial)

My brain has already switched off; what exactly is wrong there?

You have a crlnumber variable whose value is set to $dir, i.e. to the directory name (1). If you comment it out, a version 1 CRL will be generated.


But scalability is an issue, since a v1 CRL can grow very big.

There are limitations to extending a v1 CRL.

A CRL substitution attack can be carried out with a v1 CRL.

A v2 CRL solves these problems by introducing the notion of extensions (compare v3 X.509 certificates).

A critical extension must be processed and understood by the relying parties.

Non-critical extensions may be ignored.
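Both threads above run into the same missing piece: the stock openssl.cnf has a [CA_default] section whose $dir is ./demoCA, and "openssl ca" expects that directory, private/cakey.pem, index.txt, serial and crlnumber to exist already. The script below is an added example, not code from either thread, that creates that layout with absolute paths, signs a CSR, shows where the newcerts/01.pem copy comes from (the file named after $serial), and issues a v2 CRL with a numeric crlnumber file. It assumes openssl(1) on PATH; every path, DN and the "server" extension section are constructed for the demo.

```sh
#!/bin/sh
# Added example: the demoCA layout that the stock [CA_default] section points at,
# a CA key at private/cakey.pem, a CSR signed with absolute paths, and a v2 CRL.
# Assumes openssl(1) on PATH; all paths, DNs and the "server" section are made up.
set -eu

# write_config ROOT : minimal openssl.cnf whose $dir is the absolute path ROOT/demoCA
write_config() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $1/demoCA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn_only
[ policy_cn_only ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:server.example.test
EOF
}

# make_ca ROOT : the files "openssl ca" opens, plus a self-signed root certificate
make_ca() {
  dir="$1/demoCA"
  mkdir -p "$dir/private" "$dir/newcerts" "$dir/crl"
  chmod 700 "$dir/private"
  : > "$dir/index.txt"          # database of issued certificates, empty at start
  echo 01 > "$dir/serial"       # next serial; the copy in newcerts/ is named after it
  echo 01 > "$dir/crlnumber"    # must be a number, not $dir, or you get a v1 CRL
  openssl req -config "$1/openssl.cnf" -x509 -extensions v3_ca -newkey rsa:2048 \
    -nodes -sha256 -days 3650 -subj "/CN=Demo Root CA" \
    -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
  chmod 600 "$dir/private/cakey.pem"   # -nodes is only acceptable for a throwaway CA
}

# issue_cert ROOT : CSR Rserv.pem -> certificate Cserv.pem; prints the newcerts/ copy
issue_cert() {
  dir="$1/demoCA"
  openssl req -config "$1/openssl.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=server.example.test" -keyout "$1/server.key" -out "$1/Rserv.pem" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -batch -notext -extensions server \
    -in "$1/Rserv.pem" -out "$1/Cserv.pem" >/dev/null 2>&1
  ls "$dir/newcerts"            # 01.pem: the same certificate, filed under its serial
}

# make_crl ROOT : revoke the issued certificate, generate the CRL, print its version
make_crl() {
  dir="$1/demoCA"
  openssl ca -config "$1/openssl.cnf" -revoke "$dir/newcerts/01.pem" >/dev/null 2>&1
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$dir/crl/crl.pem" >/dev/null 2>&1
  openssl crl -in "$dir/crl/crl.pem" -noout -text | sed -n 's/^ *Version \([0-9]\).*/\1/p'
}

# check_cert ROOT : chain check alone, then the same check with the CRL applied
check_cert() {
  dir="$1/demoCA"; chain=fail; crl=revoked
  openssl verify -CAfile "$dir/cacert.pem" "$1/Cserv.pem" >/dev/null 2>&1 && chain=ok
  openssl verify -crl_check -CAfile "$dir/cacert.pem" -CRLfile "$dir/crl/crl.pem" \
    "$1/Cserv.pem" >/dev/null 2>&1 && crl=ok
  echo "chain=$chain crl_check=$crl"
}

if command -v openssl >/dev/null 2>&1; then
  root=$(mktemp -d)
  write_config "$root"; make_ca "$root"
  echo "newcerts/ copy: $(issue_cert "$root")"
  echo "CRL version: $(make_crl "$root")"
  check_cert "$root"
  rm -rf "$root"
else
  echo "openssl(1) not found on PATH; nothing to demonstrate" >&2
fi
```

Two details worth keeping in mind when adapting this: `-in` takes one CSR, while the `-infiles` used in the first thread must be the last option and treats every remaining argument as a CSR file; and commenting out crlnumber, as the reply above suggests, does make `-gencrl` succeed, but the result is a v1 CRL without a CRL number, which is exactly the kind of CRL the notes above warn about.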


Ruby Net::HTTP responds with OpenSSL::SSL::SSLError "certificate verify failed" after certificate renewal

We recently renewed the SSL certificate of our site, and the following occurs on Mac OS El Capitan 10.11.3:

All my searches on Google and StackOverflow come up with answers suggesting a problem with the Ruby installation, but they seem to be related to older Ruby versions and I don’t think this is the case here. Here is what I’ve tried:

  • brew update
  • brew upgrade openssl
  • rvm osx-ssl-certs update all
  • rvm install ruby-2.3.1 --disable-binary --with-openssl-dir="$(brew --prefix openssl)" (I did not have this version before)
  • rvm requirements
  • crlrefresh rpv to purge the OSX system-wide CRL cache, per Uzbekjon's suggestion.

How can I resolve this?

  • The problem does not occur on a freshly installed linux Docker container that has bare Ruby 2.2.3. So maybe it’s something to do with Mac OS, or SSL local caching.
  • This issue might have existed before the certificate renewal. I cannot know for sure. However, the renewal did cause a similar problem with a 3rd party we’re using as I discuss in this question.
  • The certificate installation was verified by Namecheap to be correct, online checkers show everything works, and all major browsers show the certificate as valid.

Solution

With much help from BoraMa, it is now clear what was happening. COMODO added a new root called COMODO RSA Certification Authority instead of the previous COMODO Certification Authority . The new root was not registered within Mac’s keychain, causing this issue.

One way we attempted to debug this was by running:


Poco + OpenSSL + CA PEM: "Unacceptable certificate" error for 1 out of 2 identical sites

I am trying to do an SSL handshake with www1.filemail.com. I am using cURL's cacert.pem, but I am getting this error:

Making the handshake against any other HTTPS website works, including www2.filemail.com. www1 and www2 should be identically configured, and they both work fine in all browsers. They also test fine here (identical certificates and intermediate certificates are sent out for both sites):


Why am I getting this problem with www1 using OpenSSL and the cacert.pem file?

There has to be a difference in the certificate setup of www1 and www2. I have tested with a myriad of tools (openssl, ssllabs etc.) to try to pinpoint the difference — but I always get the exact same results for both sites (except when running my code)

What am I missing here? What’s the difference between the sites?

(It should be noted that we are using a relatively cheap wildcard certificate provided by RapidSSL — so I’m guessing it has something to do with intermediate or cross-root certificates — but everything seems to be in order when testing with the tools mentioned above.)

2 Answers

www1 and www2 should be identically configured — and they both work fine in all browsers.

Here are the certificates. A diff shows they are the same end-entity (server) certificate:

Each server could be sending a different chain. Use openssl s_client with -showcerts, and openssl x509, to get the chain.

I am trying to do an SSL handshake with www1.filemail.com, but I am getting this error:

RapidSSL SHA256 CA - G3 is a CA; it issued the server's certificate. The server is called the subject. As you work up a chain, the former issuer becomes the current subject. At the top of the chain is the self-signed root. At the root, issuer == subject.

The RapidSSL G3 CA is either (1) self-signed, so it's a root CA; or (2) signed by another CA higher in the chain, so it's a subordinate CA (i.e., it has an issuer). In this case, the G3 CA is a subordinate and it has an issuer.

It sounds like one server is sending the complete chain needed to validate the server's certificate, and the other server is not. Servers are supposed to send the complete chain to avoid the "which directory" problem in PKI. The "complete chain" is every certificate except the self-signed root (but many send the root, too).


The client must trust the self-signed root a priori, and its why it should not be sent (otherwise, a bad guy can swap-in his own chain). Or, instead of using cacert.pem :

You can load RapidSSL SHA256 CA - G3 and use that as the root of trust. You will avoid the other 300 or so CAs in cacert.pem that are not needed to validate the server chain. It's good security engineering.

You can fetch RapidSSL SHA256 CA - G3 from RapidSSL's site at Intermediate CA Certificate: RapidSSL with SHA-2 (under SHA-1 Root).

UPDATE using RapidSSL SHA256 CA - G3:

Here's the signer's certificate:

Notice OpenSSL finished with Verify return code: 2 (unable to get issuer certificate). That's fine because you don't care about the issuer. You've rooted your trust at GeoTrust Inc., CN = RapidSSL SHA256 CA - G3, and RapidSSL SHA256 CA - G3 certified/signed the server's certificate.
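The three failure modes discussed in this answer and in the Ruby/keychain post above (a server that does not send its intermediate, a client whose trust store still has the old root after a CA switches to a new one, and trust anchored at the intermediate instead of at a root) can be reproduced offline. The script below is an added example, not code from the question or the answers: it builds a small PKI, root -> intermediate -> server certificate, and runs "openssl verify" against each combination of trust store and served chain. It assumes openssl(1) 1.0.2 or later on PATH (for -partial_chain); every name and file is constructed for the demo, and nothing is fetched from the network.

```sh
#!/bin/sh
# Added example: old root, renewed root, intermediate under the renewed root, leaf,
# then "openssl verify" with different trust stores and served chains.
# Assumes openssl(1) >= 1.0.2 on PATH; all names are made up for the demo.
set -eu

# write_ext ROOT : a [req] stub (needed by "openssl req") plus the extension sections
write_ext() {
  cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www1.example.test
EOF
}

# self_signed ROOT NAME CN : root CA key NAME.key and self-signed certificate NAME.pem
self_signed() {
  openssl req -config "$1/ext.cnf" -x509 -extensions ca_ext -newkey rsa:2048 -nodes \
    -sha256 -days 3650 -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue ROOT ISSUER NAME CN EXT : certificate NAME.pem signed by ISSUER with section EXT
issue() {
  openssl req -config "$1/ext.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=$4" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$1/ext.cnf" -extensions "$5" -out "$1/$3.pem" 2>/dev/null
}

# check TRUSTED LEAF [verify options...] : prints ok or fail
check() {
  trusted="$1"; leaf="$2"; shift 2
  if openssl verify -CAfile "$trusted" ${1+"$@"} "$leaf" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# build_pki ROOT : the CA that was trusted before, the renewed one, and its chain
build_pki() {
  write_ext "$1"
  self_signed "$1" old_root "Old Root CA"
  self_signed "$1" new_root "New Root CA"
  issue "$1" new_root inter "Example Intermediate CA" ca_ext
  issue "$1" inter leaf www1.example.test leaf_ext
}

# scenarios ROOT : one line per case; -untrusted stands in for "sent by the server"
scenarios() {
  r="$1"
  echo "full chain, renewed root trusted:     $(check "$r/new_root.pem" "$r/leaf.pem" -untrusted "$r/inter.pem")"
  echo "leaf only, intermediate not served:   $(check "$r/new_root.pem" "$r/leaf.pem")"
  echo "full chain, old root in trust store:  $(check "$r/old_root.pem" "$r/leaf.pem" -untrusted "$r/inter.pem")"
  echo "trust anchored at the intermediate:   $(check "$r/inter.pem" "$r/leaf.pem" -partial_chain)"
}

if command -v openssl >/dev/null 2>&1; then
  root=$(mktemp -d)
  build_pki "$root"
  scenarios "$root"
  rm -rf "$root"
else
  echo "openssl(1) not found on PATH; nothing to demonstrate" >&2
fi
```

The second line is the www1 symptom as diagnosed in this answer: the leaf is fine, but without the intermediate the verifier cannot reach a trusted certificate. The third line is the Mac keychain case from the Ruby post: the served chain is complete, but it ends at a root the client does not have. The last line is the "root your trust at the intermediate" approach; with `openssl verify` that needs `-partial_chain`, since by default verification insists on reaching a self-signed anchor.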


Docker-machine : ca.pem not found

Here I am creating a test machine (dev) using docker-machine.

The VM gets created and runs without flaws. And here is the error when I run the following command:

I have no idea how to deal with this problem. Tried restarting boot2docker.

5 Answers

You should try using docker-machine regenerate-certs dev. The problem, I think, is that somehow your .pem file got deleted or was not created. I had the same issue and regenerating the certs fixed the problem (a reboot did not help, by the way).

I guess you are getting the "Docker-machine : ca.pem not found" error even when you use docker info or any other docker command.

Try this command: docker-machine env -u. The output will be similar to:

# Run this command to configure your shell:

# eval $(docker-machine env -u)

Now enter eval $(docker-machine env -u).

This should do the work. Finally, try docker info to be sure.

I was getting the exact same error. It turned out to be the Cisco AnyConnect client affecting my networking settings. It’s not enough to quit AnyConnect, you have to reboot your machine to restore your settings.

If someone knows more about how AnyConnect is affecting things and if there are solutions better than rebooting, I’d love to hear about it!
