Re: [squid-users] getting a CA to take PEM format csrs

From: Jonathan Giles <jong@dont-contact.us>
Date: Wed, 27 Aug 2003 12:41:26 -0400

Henrik:

Again thanks for the help.

I went through the apache mod_ssl directions to the letter, and am still
having trouble.
Here are the commands they refer to.

openssl genrsa -des3 -out www.virtualhost.com.key 1024

openssl req -new -key www.virtualhost.com.key -out www.virtualhost.com.csr

openssl x509 -req -days 30 -in www.virtualhost.com.csr -signkey www.virtualhost.com.key -out www.virtualhost.com.crt

Using the test .crt and key created by openssl, this is what I get
from...

[root@owa openssl]# /usr/local/squid/sbin/squid -D -d 1
Enter PEM pass phrase:
2003/08/27 16:17:24| Failed to acquire SSL private key
'/etc/openssl/owa.clinedavis.com.key': error:0906406D:PEM
routines:DEF_CALLBACK:problems getting password
FATAL: Bungled squid.conf line 64: https_port 443
cert=/etc/openssl/owa.clinedavis.com.crt
key=/etc/openssl/owa.clinedavis.com.key
Squid Cache (Version 2.5.STABLE3): Terminated abnormally.
CPU Usage: 0.080 seconds = 0.060 user + 0.020 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 360
Aborted

[root@owa openssl]#

On Tuesday, August 26, 2003, at 08:07 PM, Henrik Nordstrom wrote:

> The Thawte guide for Apache mod_ssl works just fine for Squid, and
> their instructions do generate a PEM formatted CSR... and Thawte
> gives you a PEM formatted certificate back if you follow this
> procedure.
>
> The Apache guys have not confused the file formats. Apache mod_ssl
> wants PEM formatted certificates just as Squid does. This is different
> from the DER format expected by many others but has the major benefit
> that the certificate can be exchanged in plain text email etc.
>
> However, if you have a CA which insists on binary DER certificates
> then OpenSSL has options to convert these to/from PEM format if
> needed.
>
>
> The error you are seeing probably means that your Squid binary is not
> SSL enabled.. what does "squid -v" say about your configure options?
> And are there any comments regarding configure options next to the
> https_port option in your squid.conf.default?
>
> Regards
> Henrik
>
>
> On Tuesday 26 August 2003 23.24, Jonathan Giles wrote:
>> hello:
>>
>> I have a working config for an https accel setup, but I have hit a
>> big problem. I have looked over the lists and have not found how
>> other people deal with this.
>>
>> I work with Thawte.com to get other certs for other https (apache)
>> servers, and they have told me they do not accept PEM anything.
>> And I understand that the csr must be in PEM for a CA to issue a
>> PEM crt. Thawte has told me it will be really hard to find a CA
>> that accepts PEM.
>>
>> How have other people here dealt with this?
>>
>> Here attached is Thawte's response to my request.
>>
>> "Hi Jonathan
>>
>> The PEM format requirement is misleading, as the PEM format
>> mentioned actually refers to a standard DER format certificate; the
>> guys developing the Apache standards seem to have confused the file
>> types. Therefore, since you are able to generate standard format CSRs,
>> squid should also work with standard format certificates; even though
>> Apache and squid are not the same, they share the same openssl
>> libraries.
>>
>> What error message do you receive when you restart the daemon?
>> Please send us the error logs."
>>
>> Of course my logs just say Bungled conf file at the config
>>
>> Aug 25 17:22:29 owa squid: Bungled squid.conf line 62: https_port
>> 443 cert=/etc/openssl/certs/owa.clinedavis.com.test.crt
>> key=/etc/openssl/private/owa.clinedavis.com.key
>>
>> This is using the crt and key that was created using Thawte's
>> directions.
>>
>> Any suggestions would be greatly appreciated!
>>
>> jg
>
> --
> Donations welcome if you consider my Free Squid support helpful.
> https://www.paypal.com/xclick/business=hno%40squid-cache.org
>
> If you need commercial Squid support or cost effective Squid or
> firewall appliances please refer to MARA Systems AB, Sweden
> http://www.marasystems.com/, info@marasystems.com
---=---=---
Jonathan Giles
Senior Unix Administrator
Cline Davis Mann

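The log above shows the actual failure: "Enter PEM pass phrase:" followed by "DEF_CALLBACK:problems getting password" means the key written by `genrsa -des3` is passphrase protected and the daemon has no way to supply that passphrase, which is a different problem from the PEM/DER question in the quoted exchange. The following script is an added example, not code from the thread or from the Squid project; it assumes the openssl CLI is installed, uses placeholder file names, and writes constructed sample files (not real keys) so the format checks can be run offline.

```shell
#!/bin/sh
# Added example, not code from the thread: classify a key or certificate file
# the way Squid's OpenSSL loader will see it, then the openssl commands that
# address the two problems discussed (DER cert from the CA, passphrase on key).
# Assumes the openssl CLI is installed; file names are placeholders.

# Prints "pem" for a text file with a BEGIN marker, "der" otherwise.
pem_or_der() {
    if grep -q -- '-----BEGIN ' "$1" 2>/dev/null; then echo pem; else echo der; fi
}

# Succeeds when a PEM key is passphrase protected. `genrsa -des3` writes the
# legacy "Proc-Type: 4,ENCRYPTED" header; PKCS#8 uses a distinct BEGIN line.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# CA returned a binary DER certificate: convert it to the PEM form that
# https_port cert= expects.
der_cert_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }

# A daemon started at boot has nobody to type the passphrase, which is what
# "DEF_CALLBACK:problems getting password" reports. Write an unencrypted copy
# with mode 0600 (umask 077) because the key is now plaintext on disk.
strip_key_passphrase() { (umask 077; openssl rsa -in "$1" -out "$2"); }

# Confirm the certificate was issued for this key: the moduli must match.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 1
    k=$(openssl rsa -noout -modulus -in "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed sample files (not real keys) so the checks can be exercised
# offline; prints the directory they were written to.
make_samples() {
    d=$(mktemp -d)
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n' > "$d/encrypted.key"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n' > "$d/plain.key"
    printf '\060\202\001\002' > "$d/cert.der"   # DER starts with SEQUENCE (0x30)
    echo "$d"
}

d=$(make_samples)
for f in encrypted.key plain.key cert.der; do
    printf '%s: %s' "$f" "$(pem_or_der "$d/$f")"
    key_is_encrypted "$d/$f" 2>/dev/null && printf ' (passphrase protected)'
    echo
done
```

Run `key_is_encrypted` against the key named in your https_port line; if it succeeds, `strip_key_passphrase` produces a copy Squid can load unattended, and `cert_matches_key` confirms the CA-issued certificate belongs to that key before the directive is changed.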
Received on Wed Aug 27 2003 - 10:41:27 MDT