#1 Big D (Master Untangler, joined Nov 2008, 719 posts)

Difficulties importing SSL certificate

I seem to be having some issues in 9.2.0 related to certificate renewals/imports. It likes to hang the apache2 process after I click Import for my GoDaddy cert.

Shrug, it might just be me. I have to whack the apache2 process and run the 9.2 patch for CSR to generate a generic apache.pem to replace the FUBAR one. I can then bring up the web page again.

I don't really have an issue generating the certificate or the CSR, just when it comes to importing. I get an error during the import about the private key not being found. Below is a snippet of /var/log/apache2/error.log during the import step.

    Code:
    [Wed Mar 21 15:52:48 2012] [error] [client 192.168.2.123] ValueError: Failed to acquire global mutex lock, referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:53:12 2012] [error] [client 192.168.2.123] File does not exist: /var/www/skins/default/images/default, referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:58:09 2012] [notice] [client 192.168.2.123] DbmSession: registered database cleanup., referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [notice] SIGUSR1 received.  Doing graceful restart
    [Wed Mar 21 15:59:47 2012] [warn] (22)Invalid argument: Failed to acquire global mutex lock at index 0
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] mod_python (pid=2498, interpreter='localhost', phase='PythonHeaderParserHandler', handler='uvmlogin'): Application error, referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] ServerName: 'localhost', referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] DocumentRoot: '/var/www/', referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] URI: '/webui/JSON-RPC', referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] Location: '/webui', referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] Directory: None, referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] Filename: 'JSON-RPC', referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] PathInfo: None, referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] Traceback (most recent call last):, referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/site-packages/mod_python/importer.py", line 1537, in HandlerDispatch\n    default=default_handler, arg=req, silent=hlist.silent), referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/site-packages/mod_python/importer.py", line 1229, in _process_target\n    result = _execute_target(config, req, object, arg), referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/site-packages/mod_python/importer.py", line 1128, in _execute_target\n    result = object(arg), referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/uvmlogin.py", line 58, in headerparserhandler\n    sess = Session.Session(req, lock=0), referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/site-packages/mod_python/Session.py", line 803, in Session\n    timeout=timeout, lock=lock), referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/site-packages/mod_python/Session.py", line 372, in __init__\n    timeout=timeout, lock=lock), referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/site-packages/mod_python/Session.py", line 180, in __init__\n    if self.load():, referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/site-packages/mod_python/Session.py", line 250, in load\n    dict = self.do_load(), referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123]   File "/usr/lib/python2.5/site-packages/mod_python/Session.py", line 392, in do_load\n    _apache._global_lock(self._req.server, None, 0), referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:47 2012] [error] [client 192.168.2.123] ValueError: Failed to acquire global mutex lock, referer: https://edge.databalance.com:446/webui/startPage.do
    [Wed Mar 21 15:59:51 2012] [warn] No JkShmFile defined in httpd.conf. Using default /var/log/apache2/jk-runtime-status
    [Wed Mar 21 15:59:51 2012] [notice] mod_python: Creating 8 session mutexes based on 5 max processes and 25 max threads.
    [Wed Mar 21 15:59:51 2012] [notice] mod_python: using mutex_directory /tmp
    [Wed Mar 21 15:59:51 2012] [error] Init: Private key not found
    [Wed Mar 21 15:59:51 2012] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
    [Wed Mar 21 15:59:51 2012] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Wed Mar 21 15:59:51 2012] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
    [Wed Mar 21 15:59:51 2012] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
    The beatings shall continue until morale improves!

#2 dmorris (Untangle Junkie, San Mateo, CA, joined Nov 2006, 12,936 posts)

    Are there any errors in uvm.log that you see when you import the cert?

    Would you mind sending me the cert to dmorris@untangle.com so I can try to import it into my system?
    Just let me know exactly what steps you took and I'll try it.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

#3 Big D (Master Untangler, joined Nov 2008, 719 posts)

    uvm.log

No errors, just INFO. You can see where I generated a new self-signed cert, then the CSR.

    Code:
    Mar 21 15:53:18 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl req -new -key /etc/apache2/ssl/apache.pem -subj /CN=edge.databalance.com/O=Data_Balance/OU=ICOT/L=Clearwater/ST=Florida/C=US)
    Mar 21 15:53:18 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl req -new -key /etc/apache2/ssl/apache.pem -subj /CN=edge.databalance.com/O=Data_Balance/OU=ICOT/L=Clearwater/ST=Florida/C=US) = 0 took 19 ms.
    Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl x509 -in /tmp/gci3197694006986955844.tmp -dates -noout -subject -issuer -nameopt RFC2253)
    Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl x509 -in /tmp/gci3197694006986955844.tmp -dates -noout -subject -issuer -nameopt RFC2253) = 0 took 6 ms.
    Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(/usr/share/untangle/bin/ut-inspect_ca /tmp/gci3197694006986955844.tmp)
    Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(/usr/share/untangle/bin/ut-inspect_ca /tmp/gci3197694006986955844.tmp) = 1 took 10 ms.
    Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl x509 -in /tmp/gci3197694006986955844.tmp -text)
    Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl x509 -in /tmp/gci3197694006986955844.tmp -text) = 0 took 6 ms.
    Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl verify -CApath /usr/share/ca-certificates -CAfile /tmp/gci3197694006986955844.tmp -purpose any /tmp/gci3197694006986955844.tmp)
    Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl verify -CApath /usr/share/ca-certificates -CAfile /tmp/gci3197694006986955844.tmp -purpose any /tmp/gci3197694006986955844.tmp) = 0 took 5 ms.
    Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl rsa -i /etc/apache2/ssl/apache.pem)
    Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl rsa -i /etc/apache2/ssl/apache.pem) = 1 took 5 ms.
    Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl verify -CApath /usr/share/ca-certificates -CAfile /tmp/apache2031153014084878723.tmp -purpose any /tmp/apache2031153014084878723.tmp)
    Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(openssl verify -CApath /usr/share/ca-certificates -CAfile /tmp/apache2031153014084878723.tmp -purpose any /tmp/apache2031153014084878723.tmp) = 0 took 6 ms.
    Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(apache2ctl graceful)
    Mar 21 15:59:47 localhost [ExecManagerImpl] INFO  ExecManager.exec(apache2ctl graceful) = 0 took 42 ms.
    The beatings shall continue until morale improves!

#4 dmorris (Untangle Junkie, San Mateo, CA, joined Nov 2006, 12,936 posts)

    Thanks for your help figuring this one out Big D!

    I have updated the patch here which should now fix the space issue and the import issue:
    http://wiki.untangle.com/index.php/9...ates_issue_fix

    The issue was this command:
    ExecManager.exec(openssl rsa -i /etc/apache2/ssl/apache.pem)

    should have been:
    ExecManager.exec(openssl rsa -in /etc/apache2/ssl/apache.pem)



    edit: btw, if you ever get apache where it won't start you can do the following to create a new cert and restart it:
    Code:
    curl "http://www.untangle.com/download/patches/generic/update_cert.sh" | dash
    Last edited by dmorris; 03-21-2012 at 05:16 PM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

#5 sky-knight (Untangle Ninja, Phoenix, AZ, joined Apr 2008, 18,392 posts)

    Ouch, yeah openssl really does work much better when it can find the private key.

Also, I made this exact typo myself yesterday. I'm trying to get my brain wrapped around Debian 6 for a new LAMP server. I figured I'd actually get SSL going this trip around, and did the exact same thing before I pulled the facepalm.

For the curious, and I'm sure there are more condensed ways of doing this, here is a raw self-signed cert process I've got working on Debian 6.

Code:
    # Generate a 2048-bit RSA private key as privkey.key
    openssl genrsa -out privkey.key 2048
    # Generate a CSR based on the RSA private key
    openssl req -new -key privkey.key -out certreq.csr
    # Sign the CSR yourself for 10 years
    openssl x509 -req -days 3650 -in certreq.csr -signkey privkey.key -out newcert.crt

    The last step there can be done by a certificate authority if you want a fully functional keychain.

Anyway, Apache2 tends to play better if both the private key and the certificate are in the same file. So I do these commands real quick to make the .pem.

Code:
    cp privkey.key apache.pem
    cat newcert.crt >> apache.pem

    I haven't gotten into an actual cert yet, that challenge will wait until this thing is ready for production. I'm assuming that .pem has to have the certificate authority's cert in there too.

    UT's UI makes all this point and click, which has us all far too spoiled.
    Rob Sandling, BS:SWE, MCP
    Intouch Technology
    Phone: 480-272-9889
    NexgenAppliances.com
    Phone: 866-794-8879
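The two posts above fit together: the import failed because the script meant to validate the private key with `openssl rsa -in` and ran `openssl rsa -i` instead (exit status 1 in the uvm.log excerpt), and the "Init: Private key not found" plus ASN.1 "bad tag" lines in the Apache log are what mod_ssl reports when the PEM it is pointed at has no parsable key in it. The script below is an added example, not Untangle's code or the code from the posts: it runs the same three openssl steps as the self-signed recipe, then refuses to build the combined apache.pem unless the key parses and its public key matches the certificate. The host name is a constructed placeholder and the temp directory is chosen by mktemp; `openssl` must be on PATH.

```shell
#!/bin/sh
# Added example (not Untangle's code): generate a self-signed cert the way the
# post above does, then validate key + cert before writing the Apache PEM.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Key, CSR, self-signed cert (2048-bit RSA, 10 years). The CN is a placeholder.
make_self_signed() {
    dir="$1"; cn="$2"
    openssl genrsa -out "$dir/privkey.key" 2048 2>/dev/null
    openssl req -new -key "$dir/privkey.key" -subj "/CN=$cn" \
        -out "$dir/certreq.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/certreq.csr" \
        -signkey "$dir/privkey.key" -out "$dir/newcert.crt" 2>/dev/null
}

# The check the import script meant to run. The flag is -in; "openssl rsa -i"
# (the typo in the thread) is rejected by openssl and returns non-zero.
key_parses() {
    openssl rsa -in "$1" -check -noout >/dev/null 2>&1
}

# A key and a cert belong together only if they carry the same public key.
# Both commands emit the SubjectPublicKeyInfo as PEM, so a string compare works.
key_matches_cert() {
    k="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
    c="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" || return 1
    [ "$k" = "$c" ]
}

# Combined PEM as in the post (key first, then cert), written only after the
# checks pass so a file with no usable key never reaches Apache.
build_pem() {
    key="$1"; crt="$2"; out="$3"
    key_parses "$key" || { echo "refusing: private key does not parse" >&2; return 1; }
    key_matches_cert "$key" "$crt" || { echo "refusing: key does not match cert" >&2; return 1; }
    cat "$key" "$crt" > "$out"
    chmod 600 "$out"
}

make_self_signed "$WORK" "edge.example.test"
build_pem "$WORK/privkey.key" "$WORK/newcert.crt" "$WORK/apache.pem"
echo "wrote $WORK/apache.pem"

# Negative case: a file that contains a certificate but no key is the kind of
# input behind "Init: Private key not found" at the next Apache restart.
if build_pem "$WORK/newcert.crt" "$WORK/newcert.crt" "$WORK/bad.pem"; then
    echo "unexpected: certificate accepted as a key" >&2
    exit 1
fi
```

For a CA-issued certificate, append the issuing intermediate certificate(s) after the leaf in the same file (or point SSLCertificateChainFile at them) so clients receive a complete chain; the self-signed case above needs none. A practitioner's caveat on the recovery one-liner in post #4: fetching a script over plain http and piping it straight into a shell runs whatever a network attacker substitutes, so download it first, read it, and then run it.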

#6 Master Untangler (joined Jan 2011, 813 posts)

Oh, I ran into this exact problem a couple of weeks ago; I kept thinking I was doing something wrong in the way I was creating the SSL certificate. I should have had more confidence in myself and reported it.

    thanks for the fix.
