ISPConfig and SSL Certificates

Discussion in 'Installation/Configuration' started by phamels, Feb 7, 2007.

  1. Daisy

    Daisy New Member

    Code:
    0 semi-random bytes loaded
    Generating RSA private key, 1024 bit long modulus
    ...............++++++
    ................++++++
    e is 65537 (0x10001)
    error on line 13 of /var/www/web4/ssl/openssl.cnf
    28531:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:conf_def.c:366:line 13
    
     
  2. falko

    falko Super Moderator

    I'm sorry. The file should look like this:
    Code:
            RANDFILE               = $ENV::HOME/.rnd
    
            [ req ]
            default_bits           = 1024
            default_keyfile        = keyfile.pem
            distinguished_name     = req_distinguished_name
            attributes             = req_attributes
            prompt                 = no
            output_password        = some_password
    
            [ req_distinguished_name ]
            C                      = DE
            ST                     = Lower Saxony
            L                      = Lueneburg
            O                      = Example, Ltd.
            OU                     = IT
            CN                     = example.com
            emailAddress           = info@example.com
    
            [ req_attributes ]
            challengePassword              = A challenge password
     
  3. Daisy

    Daisy New Member

    nope. No errors now. So what do you think might be the problem and how to fix?

    Code:
    0 semi-random bytes loaded
    Generating RSA private key, 1024 bit long modulus
    .................................................++++++
    ......++++++
    e is 65537 (0x10001)
    writing RSA key
     
  4. martinfst

    martinfst HowtoForge Supporter

    Hmmm, same problem

    I never responded to this thread, because I thought I couldn't add any insights, because I have created certs with ISPConfig without a problem before, so I thought it would be a local setup problem or something. BUT ....

    Today I wanted to add a cert to one of my sites and had the same problem. Using the create function, nothing happened. So looking further, I found the same missing openssl.cnf file. But on my system, when I create that file and use the create function again, the file gets deleted. And of course I don't get a certificate!

    I'm still bug hunting but thought I'd give the OP's a heads up. There's some serious weirdness happening.
     
  5. till

    till Super Moderator

    Thanks for reporting this. I will have a look at this too to get it fixed before we release 2.2.10. Please keep me updated.
     
  6. till

    till Super Moderator

    I just tested it with the 2.2.10 beta and it works for me on debian 3.1.

    Which linux distribution do you use and what exactly did you enter in the input fields on the SSL tab so I can try to reproduce the problem here.
     
  7. martinfst

    martinfst HowtoForge Supporter

    I tested with 2.2.9 when I started with ISPConfig and it worked. I removed the certs, put the same server into production (I didn't change the config) and 1,5 months later it doesn't work. I know, they all say that ...... "I didn't touch the system" That's why I'm still trying to figure this out. Also on two other servers (one is even not used for live websites, I never created a site there) suffer from the same problem. Hmmmm, can't remember a Ubuntu package upgrade that could have an impact. The SSL package didn't upgrade past three months, did it?
    I'm using Ubuntu 6.10 and besides ISPConfig setup, EVERYTHING is from the distro. No manual package installs/changes. On the SSL tabs I just enter the top 5 fields (using only letters, not even dots), change the dropdown to create and hit save. Monitoring the logfile and the web1/ssl directory shows and error in the logfile and at the same moment the openssl.cnf file is deleted.:confused:
     
  8. till

    till Super Moderator

    I guess the key to the problem is the openssl.cnf, it must contain some errors. Please try to comment out the line 1754 in the file /root/ispconfig/scripts/lib/config.lib.php:

    exec("rm -f $config_file");

    So we can have a look at this file.
     
  9. martinfst

    martinfst HowtoForge Supporter

    It was line 1751 in my /root/ispconfig/scripts/lib/config.lib.php :eek:
    Result:
    Code:
            RANDFILE               = $ENV::HOME/.rnd
    
            [ req ]
            default_bits           = 1024
            default_keyfile        = keyfile.pem
            distinguished_name     = req_distinguished_name
            attributes             = req_attributes
            prompt                 = no
            output_password        = 630b6662d66e85e
    
            [ req_distinguished_name ]
            C                      = NL
            ST                     = NH
            L                      = Hilversum
            O                      = Tiempo BV
            OU                     = IT
            CN                     = www.tiempo.nl
            emailAddress           = admin@tiempo.nl
    
            [ req_attributes ]
            challengePassword              = A challenge password
    
    But no further juice.
     
  10. martinfst

    martinfst HowtoForge Supporter

  11. martinfst

    martinfst HowtoForge Supporter

    Just an in between update for those reading this thread (and I will be off line for a couple of hours).
    The problem is in the part where the csr is created (second command in the script). I've split all statements in separate commands and the scripts fails to execute the line:
    Code:
    17.02.2007 - 12:44:51 => INFO - make_ssl_cnf /home/ispwww/web3/ssl/openssl.cnf
    17.02.2007 - 12:44:51 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 1748: openssl genrsa -des3 -rand /home/ispwww/web3/ssl/random_file -passout 
    pass:5acd86a494bbb5a -out /home/ispwww/web3/ssl/tiempow02.tiempo.loc.key.org 1024
    17.02.2007 - 12:44:51 => WARN - /root/ispconfig/scripts/lib/config.lib.php, Line 1749: WARNING: could not openssl req -new -passin pass:5acd86a494bbb5a -pass
    out pass:5acd86a494bbb5a -key /home/ispwww/web3/ssl/tiempow02.tiempo.loc.key.org -out /home/ispwww/web3/ssl/tiempow02.tiempo.loc.csr -days 365 -config /home/
    ispwww/web3/ssl/openssl.cnf
    17.02.2007 - 12:44:51 => WARN - /root/ispconfig/scripts/lib/config.lib.php, Line 1750: WARNING: could not openssl req -x509 -passin pass:5acd86a494bbb5a -pas
    sout pass:5acd86a494bbb5a -key /home/ispwww/web3/ssl/tiempow02.tiempo.loc.key.org -in /home/ispwww/web3/ssl/tiempow02.tiempo.loc.csr -out /home/ispwww/web3/s
    sl/tiempow02.tiempo.loc.crt -days 365 -config /home/ispwww/web3/ssl/openssl.cnf
    
    As I've commented the "rm lines" I am able to manually execute the second command
    Code:
    root@tiempou01:/home/ispwww/web3/ssl#  openssl req -new -passin pass:5acd86a494bbb5a -passout pass:5acd86a494bbb5a -key /home/ispwww/web3/ssl/tiempow02.tiempo.loc.key.org -out /home/ispwww/web3/ssl/tiempow02.tiempo.loc.csr -days 365 -config /home/ispwww/web3/ssl/openssl.cnf
    root@tiempou01:/home/ispwww/web3/ssl# l
    total 24
    0 -r-------- 1 root     root    0 2007-01-13 12:53 .no_delete
    4 drwxr-xr-x 8 www-data web3 4096 2007-01-14 04:00 ..
    4 -rw-r--r-- 1 root     root  963 2007-02-17 12:44 tiempow02.tiempo.loc.key.org
    4 -r-------- 1 root     root  887 2007-02-17 12:44 tiempow02.tiempo.loc.key
    4 -rw-r--r-- 1 root     root  761 2007-02-17 12:44 openssl.cnf
    4 -rw-r--r-- 1 root     root  757 2007-02-17 12:47 tiempow02.tiempo.loc.csr
    4 drwxr-xr-x 2 www-data web3 4096 2007-02-17 12:47 .
    
    Why the scripts fails to run while the manual action works is unclear to me at this moment. To be continued (but for me tonight, my time)
     
  12. till

    till Super Moderator

    Strange as the commands in config.lib.php are executes as root user too :confused: Maybe its a timing issue. Please try to add a line:

    sleep(2);

    before the line 1749 that executes the failing statement.
     
  13. martinfst

    martinfst HowtoForge Supporter

    Found !

    The problem is due to the fact that cron does not support the $ENV shell variable. Let me explain.

    The script /root/ispconfig/scripts/lib/config.lib.php uses the 'openssl.cnf.master' file to create the openssl.cnf file. This file contains on line 1 the statement:
    Code:
    RANDFILE               = $ENV::HOME/.rnd
    According to the documentation this should point to the HOME directory of the user. But (I assume on most distributions) cron does not allow environment variables, or at least $HOME for cron is empty. Why this has ever worked before is a mystery for me. I have had it working on my systems previously. Even during testing today, ISPConfig created once a certificate request!

    The solution is to replace the master template
    Code:
    /root/ispconfig/isp/conf/openssl.cnf.master
    with this
    Code:
            [COLOR="Red"]RANDFILE               = /root/ispconfig/isp/.rnd[/COLOR]
    
            [ req ]
            default_bits           = 1024
            default_keyfile        = keyfile.pem
            distinguished_name     = req_distinguished_name
            attributes             = req_attributes
            prompt                 = no
            output_password        = {SSL_PASSWORD}
    
            [ req_distinguished_name ]
            C                      = {SSL_COUNTRY}
            {SSL_STATE}
            L                      = {SSL_LOCALITY}
            O                      = {SSL_ORGANIZATION}
            {SSL_ORGANIZATION_UNIT}
            CN                     = {SSL_COMMON_NAME}
            emailAddress           = {SSL_EMAIL}
    
            [ req_attributes ]
            challengePassword              = A challenge password
    
    I have only changed line 1. Be sure to make this change with a Unix editor (I prefer 'vi'). After this, certificates will be generated smoothly. I hope Till or Falko can add this change in the next release.
     
  14. Daisy

    Daisy New Member

    Wow. Nicely done. While the outcome is the same, I think our cause might be different.

    Using FC5 with ISPConfig 2.2.8 there is no .rnd file located under /root/ispconfig/isp. I do have a .rnd located under /root. I cp'd it over to /root/ispconfig/isp/.rnd and made the change to the master and now I get the SSL Request and SSL cert. Worked like a champ.

    Just for S&G's I tried it with the master in it's original config after cp'ing the .rnd file into /root/ispconfig/isp and it didn't work.
     
  15. martinfst

    martinfst HowtoForge Supporter

    The .rnd file is generated. It's created when it doesn't exist. No need to copy it over anywhere.
     
  16. Daisy

    Daisy New Member

    Good to know. I learned something new today. Yaay. Ok. so I deleted file and it still worked. Yaay. So it's a cron thing. So if we update ISPConfig will we have to make this manual change again?
     
  17. martinfst

    martinfst HowtoForge Supporter

    Depends. if the developers incorporate this in the distribution, you don't have to worry about this. I'm pretty confident this fix will be in the next 2.2.10 release :D

    Fortunately I don't have developers access ......
     
  18. falko

    falko Super Moderator

    I'm feeling pressed... :D
     
  19. till

    till Super Moderator

    Thanks martin for finding the problem!

    Its not directly a cron thing because ISPConfig does not use cron for executing the configuration scripts, but as martinfst pointed out its a missing system variable. We will set it hardcoded in the next release.

    What really astonishes me is that it had worked so long and it still works on my servers :confused:
     
  20. purechaos

    purechaos New Member

    I'm using ISP Config 2, I'm logged into the admin panel but I dont see an SSL tab in ISPConfig?
     

Share This Page