Home Forums OS X Server and Client Discussion Web mod_ssl errors calling Openssl

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • April 27, 2004 at 4:41 pm #357879
    Anonymous
    Participant

    I am trying to set up SSL on my server and am getting errors from OpenSSL via mod_ssl. First, 10 lashes with a wet noodle for whoever decided not to provide human readable errors in mod_ssl. In any case here are the errors which seems to indicate mod_ssl is passing something wrong to OpenSSL:

    [Tue Apr 27 08:22:34 2004] [error] OpenSSL: error:0D0680A8:lib(13):func(104):reason(168)
    [Tue Apr 27 08:22:34 2004] [error] OpenSSL: error:0D07803A:lib(13):func(120):reason(58)

    If I run these codes through ‘openssl errstr’ I get:

    error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

    Can someone help me fix this? TIA.

    April 27, 2004 at 5:44 pm #357881
    Anonymous
    Participant

    Yes.

    However, I since determined that the server cert was corrupt in the httpd directory so I re-copied it with a good one from my certs directory. It still doesn’t work but now I’m getting the ASN1 header too long error which was mentioned in another post. Unfortunately, I cannot find a link to the 10.3 ssl article you referred to for removing the pass phrase.

    April 28, 2004 at 1:00 am #357893
    Hypnotoad
    Participant

    I think this may be what you are looking for:

    http://www.modssl.org/docs/2.8/ssl_faq.html#remove-passphrase

    And quoting from that page:

    [quote:31b466d1a4]
    The reason why this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to be able to read and parse this file. When you can be sure that your server is secure enough you perform two steps:

    1. Remove the encryption from the RSA private key (while preserving the original file):

    $ cp server.key server.key.org
    $ openssl rsa -in server.key.org -out server.key

    2. Make sure the server.key file is now only readable by root:

    $ chmod 400 server.key

    Now server.key will contain an unencrypted copy of the key. If you point your server at this file it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on that file are really such that only root or the web server user can read it (preferably get your web server to start as root but run as another server, and have the key readable onl] by root).
    [/quote:31b466d1a4]

    April 28, 2004 at 11:54 am #357895
    Anonymous
    Participant

    Thanks. Unfortunately, that didn’t seem to help. I am still getting the same error when I start Apache.

  • Author
    Posts
Viewing 4 posts - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.

Comments are closed

Copyright © 2025 AFP548. All Rights Reserved.