[Eisfair] [e1] Bringing your own (own)cloud home
Fabian Törner
toerner at gmx.net
Tue Aug 5 16:04:02 CEST 2014
Hello Jürgen,
I don't know, but somehow I'm at war with
certificates :(
On 31.07.2014 13:19, Juergen Edner wrote:
> in the certs package I described how a certificate for a
> web server is created, if that is what you are looking for:
>
> http://www.eisfair.org/fileadmin/eisfair/doc/node19.html#SECTION001995000000000000000
I tried it following the instructions - but see for yourself:
Parameters
1 - change/set certificate type: web
= - change/set certificate name: apache
Certificate Authority (CA)
= - create a CA key - done.
= - create a self-signed CA certificate - done. (valid until: 19.07.2024)
= - create .pem CA certificate and copy it to /usr/local/ssl/certs -
done.
6 - show CA key and certificate location
= - revoke a certificate
= - update revocation list
Server/service/client certificate
10 - create a new key or select an existing one [apache] - NEW - done.
11 - create certificate request - done.
12 - sign certificate request with CA key
13 - create Diffie-Hellman parameters (takes up to 20min)
14 - create .pem certificate and copy it to /usr/local/ssl/certs
== - create PKCS#12 document
16 - show key and certificate location
== - send certificates by e-mail
Please select (1,6,10-14,16), (q)uit: 6
/usr/local/ssl/newcerts/ca.crt
/usr/local/ssl/private/ca.key
/usr/local/ssl/certs/archive/ca.pem
/usr/local/ssl/certs/ca.pem
Press ENTER to continue
Certificate generation
Parameters
1 - change/set certificate type: web
= - change/set certificate name: apache
Certificate Authority (CA)
= - create a CA key - done.
= - create a self-signed CA certificate - done. (valid until: 19.07.2024)
= - create .pem CA certificate and copy it to /usr/local/ssl/certs -
done.
6 - show CA key and certificate location
= - revoke a certificate
= - update revocation list
Server/service/client certificate
10 - create a new key or select an existing one [apache] - NEW - done.
11 - create certificate request - done.
12 - sign certificate request with CA key
13 - create Diffie-Hellman parameters (takes up to 20min)
14 - create .pem certificate and copy it to /usr/local/ssl/certs
== - create PKCS#12 document
16 - show key and certificate location
== - send certificates by e-mail
Please select (1,6,10-14,16), (q)uit: 12
The certificate database hasn't been updated since 16.11.2005, update it
now (y/N): y
0. Passphrase for your CA key.
running command: openssl ca -updatedb
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for /usr/local/ssl/private/ca.key:
CA certificate and CA private key do not match
3074467464:error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch:x509_cmp.c:330:
You will be asked to enter the following data, after pressing ENTER:
1. Select key usage.
2. Select start date/validity.
3. Passphrase of your CA key.
running command: openssl ca -name Server_CA -in
/usr/local/ssl/csr/apache.csr -out /usr/local/ssl/newcerts/apache.crt
Press ENTER to continue
1 - Server usage (server)
2 - Client usage (e-mail)
Please choose usage type (1-2) [1]: 1
1 - use default start date/validity: 2014-08-05 15:56:48 / 365 days
2 - set individual start date/validity
Please choose desired option (1-2) [1]: 2
Please enter date/time [YYYY-MM-DD HH:MM:SS]: 2024-08-05 15:56:48
Please enter number of validity days [365]: 3650
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for /usr/local/ssl/private/ca.key:
CA certificate and CA private key do not match
3074659976:error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch:x509_cmp.c:330:
Error opening certificate file /usr/local/ssl/newcerts/apache.crt
3075094152:error:02001002:system library:fopen:No such file or
directory:bss_file.c:404:fopen('/usr/local/ssl/newcerts/apache.crt','re')
3075094152:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:406:
unable to load certificate
If you've generated a new certificate with a start-date in the future
then remember to copy the new certificate to the certificate store
(menu point 14) not before the old certificate has become invalid!
Press ENTER to continue
Certificate generation
Parameters
1 - change/set certificate type: web
= - change/set certificate name: apache
Certificate Authority (CA)
= - create a CA key - done.
= - create a self-signed CA certificate - done. (valid until: 19.07.2024)
= - create .pem CA certificate and copy it to /usr/local/ssl/certs -
done.
6 - show CA key and certificate location
= - revoke a certificate
= - update revocation list
Server/service/client certificate
10 - create a new key or select an existing one [apache] - NEW - done.
11 - create certificate request - done.
12 - sign certificate request with CA key
13 - create Diffie-Hellman parameters (takes up to 20min)
14 - create .pem certificate and copy it to /usr/local/ssl/certs
== - create PKCS#12 document
16 - show key and certificate location
== - send certificates by e-mail
Please select (1,6,10-14,16), (q)uit:
It just won't work :( - in particular I don't understand this message and
don't know how to fix it:
CA certificate and CA private key do not match
3074659976:error:0B080074:x509 certificate
routines:X509_check_private_key:key values mismatch:x509_cmp.c:330:
Error opening certificate file /usr/local/ssl/newcerts/apache.crt
3075094152:error:02001002:system library:fopen:No such file or
directory:bss_file.c:404:fopen('/usr/local/ssl/newcerts/apache.crt','re')
3075094152:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:406:
unable to load certificate
Many thanks & best regards
Fabian
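
Added example, not part of the original post or of the eisfair certs package: `X509_check_private_key: key values mismatch` means the public key inside the CA certificate is not the one that belongs to the CA private key. The script below compares the two directly; the function names and the throwaway demo CA are assumptions made for this example, and the files to check on the system above would be the ones listed under menu item 6.

```shell
#!/bin/sh
# Added example: check whether a CA certificate and a CA private key
# form a pair by comparing the public key embedded in each of them.

# pubkey_of_cert FILE: print the public key stored in a PEM certificate.
pubkey_of_cert() {
    openssl x509 -in "$1" -noout -pubkey
}

# pubkey_of_key FILE: derive the public key from a PEM private key.
# openssl asks for the passphrase itself if the key is encrypted.
pubkey_of_key() {
    openssl pkey -in "$1" -pubout
}

# ca_pair_matches CERT KEY
# returns 0 = pair matches, 1 = different keys, 2 = a file could not be read
ca_pair_matches() {
    cert_pub=$(pubkey_of_cert "$1") || return 2
    key_pub=$(pubkey_of_key "$2") || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# demo_constructed_ca DIR: constructed sample data for trying the check.
# Creates a throwaway self-signed CA (ca.crt + ca.key) and an unrelated
# key (other.key) in DIR. Nothing here touches /usr/local/ssl.
demo_constructed_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

# Command-line use: sh check_ca_pair.sh CERT KEY
if [ "$#" -eq 2 ]; then
    if ca_pair_matches "$1" "$2"; then
        echo "OK: $1 was issued for the key in $2"
    else
        echo "MISMATCH (or unreadable file): $1 / $2"
    fi
fi
```

A mismatch on the real files means one of the two was replaced or regenerated without the other; signing (menu item 12) cannot succeed until the certificate and key that `openssl ca` loads belong together again.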