ISPConfig and SSL Certificates

Code:

0 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...............++++++
................++++++
e is 65537 (0x10001)
error on line 13 of /var/www/web4/ssl/openssl.cnf
28531:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:conf_def.c:366:line 13

 

I'm sorry. The file should look like this:

Code:

        RANDFILE               = $ENV::HOME/.rnd

        [ req ]
        default_bits           = 1024
        default_keyfile        = keyfile.pem
        distinguished_name     = req_distinguished_name
        attributes             = req_attributes
        prompt                 = no
        output_password        = some_password

        [ req_distinguished_name ]
        C                      = DE
        ST                     = Lower Saxony
        L                      = Lueneburg
        O                      = Example, Ltd.
        OU                     = IT
        CN                     = example.com
        emailAddress           = [email protected]

        [ req_attributes ]
        challengePassword              = A challenge password

 

nope. No errors now. So what do you think might be the problem and how to fix?

Code:

0 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.................................................++++++
......++++++
e is 65537 (0x10001)
writing RSA key

 

Hmmm, same problem

I never responded to this thread, because I thought I couldn't add any insights, because I have created certs with ISPConfig without a problem before, so I thought it would be a local setup problem or something. BUT ....

Today I wanted to add a cert to one of my sites and had the same problem. Using the create function, nothing happened. So looking further, I found the same missing openssl.cnf file. But on my system, when I create that file and use the create function again, the file gets deleted. And of course I don't get a certificate!

I'm still bug hunting but thought I'd give the OP's a heads up. There's some serious weirdness happening.

 

I tested with 2.2.9 when I started with ISPConfig and it worked. I removed the certs, put the same server into production (I didn't change the config) and 1,5 months later it doesn't work. I know, they all say that ...... "I didn't touch the system" That's why I'm still trying to figure this out. Also on two other servers (one is even not used for live websites, I never created a site there) suffer from the same problem. Hmmmm, can't remember a Ubuntu package upgrade that could have an impact. The SSL package didn't upgrade past three months, did it?

I'm using Ubuntu 6.10 and besides ISPConfig setup, EVERYTHING is from the distro. No manual package installs/changes. On the SSL tabs I just enter the top 5 fields (using only letters, not even dots), change the dropdown to create and hit save. Monitoring the logfile and the web1/ssl directory shows and error in the logfile and at the same moment the openssl.cnf file is deleted.

 

It was line 1751 in my /root/ispconfig/scripts/lib/config.lib.php
Result:

Code:

        RANDFILE               = $ENV::HOME/.rnd

        [ req ]
        default_bits           = 1024
        default_keyfile        = keyfile.pem
        distinguished_name     = req_distinguished_name
        attributes             = req_attributes
        prompt                 = no
        output_password        = 630b6662d66e85e

        [ req_distinguished_name ]
        C                      = NL
        ST                     = NH
        L                      = Hilversum
        O                      = Tiempo BV
        OU                     = IT
        CN                     = www.tiempo.nl
        emailAddress           = [email protected]

        [ req_attributes ]
        challengePassword              = A challenge password

But no further juice.

 

To be exact, there is an updated www.tiempo.nl.key.org file in the ssl subdirectory.

 

Just an in between update for those reading this thread (and I will be off line for a couple of hours).
The problem is in the part where the csr is created (second command in the script). I've split all statements in separate commands and the scripts fails to execute the line:

Code:

17.02.2007 - 12:44:51 => INFO - make_ssl_cnf /home/ispwww/web3/ssl/openssl.cnf
17.02.2007 - 12:44:51 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 1748: openssl genrsa -des3 -rand /home/ispwww/web3/ssl/random_file -passout 
pass:5acd86a494bbb5a -out /home/ispwww/web3/ssl/tiempow02.tiempo.loc.key.org 1024
17.02.2007 - 12:44:51 => WARN - /root/ispconfig/scripts/lib/config.lib.php, Line 1749: WARNING: could not openssl req -new -passin pass:5acd86a494bbb5a -pass
out pass:5acd86a494bbb5a -key /home/ispwww/web3/ssl/tiempow02.tiempo.loc.key.org -out /home/ispwww/web3/ssl/tiempow02.tiempo.loc.csr -days 365 -config /home/
ispwww/web3/ssl/openssl.cnf
17.02.2007 - 12:44:51 => WARN - /root/ispconfig/scripts/lib/config.lib.php, Line 1750: WARNING: could not openssl req -x509 -passin pass:5acd86a494bbb5a -pas
sout pass:5acd86a494bbb5a -key /home/ispwww/web3/ssl/tiempow02.tiempo.loc.key.org -in /home/ispwww/web3/ssl/tiempow02.tiempo.loc.csr -out /home/ispwww/web3/s
sl/tiempow02.tiempo.loc.crt -days 365 -config /home/ispwww/web3/ssl/openssl.cnf

As I've commented the "rm lines" I am able to manually execute the second command

Code:

root@tiempou01:/home/ispwww/web3/ssl#  openssl req -new -passin pass:5acd86a494bbb5a -passout pass:5acd86a494bbb5a -key /home/ispwww/web3/ssl/tiempow02.tiempo.loc.key.org -out /home/ispwww/web3/ssl/tiempow02.tiempo.loc.csr -days 365 -config /home/ispwww/web3/ssl/openssl.cnf
root@tiempou01:/home/ispwww/web3/ssl# l
total 24
0 -r-------- 1 root     root    0 2007-01-13 12:53 .no_delete
4 drwxr-xr-x 8 www-data web3 4096 2007-01-14 04:00 ..
4 -rw-r--r-- 1 root     root  963 2007-02-17 12:44 tiempow02.tiempo.loc.key.org
4 -r-------- 1 root     root  887 2007-02-17 12:44 tiempow02.tiempo.loc.key
4 -rw-r--r-- 1 root     root  761 2007-02-17 12:44 openssl.cnf
4 -rw-r--r-- 1 root     root  757 2007-02-17 12:47 tiempow02.tiempo.loc.csr
4 drwxr-xr-x 2 www-data web3 4096 2007-02-17 12:47 .

Why the scripts fails to run while the manual action works is unclear to me at this moment. To be continued (but for me tonight, my time)

 

Found !

The problem is due to the fact that cron does not support the $ENV shell variable. Let me explain.

The script /root/ispconfig/scripts/lib/config.lib.php uses the 'openssl.cnf.master' file to create the openssl.cnf file. This file contains on line 1 the statement:

Code:

RANDFILE               = $ENV::HOME/.rnd

According to the documentation this should point to the HOME directory of the user. But (I assume on most distributions) cron does not allow environment variables, or at least $HOME for cron is empty. Why this has ever worked before is a mystery for me. I have had it working on my systems previously. Even during testing today, ISPConfig created once a certificate request!

The solution is to replace the master template

Code:

/root/ispconfig/isp/conf/openssl.cnf.master

with this

Code:

        [COLOR="Red"]RANDFILE               = /root/ispconfig/isp/.rnd[/COLOR]

        [ req ]
        default_bits           = 1024
        default_keyfile        = keyfile.pem
        distinguished_name     = req_distinguished_name
        attributes             = req_attributes
        prompt                 = no
        output_password        = {SSL_PASSWORD}

        [ req_distinguished_name ]
        C                      = {SSL_COUNTRY}
        {SSL_STATE}
        L                      = {SSL_LOCALITY}
        O                      = {SSL_ORGANIZATION}
        {SSL_ORGANIZATION_UNIT}
        CN                     = {SSL_COMMON_NAME}
        emailAddress           = {SSL_EMAIL}

        [ req_attributes ]
        challengePassword              = A challenge password

I have only changed line 1. Be sure to make this change with a Unix editor (I prefer 'vi'). After this, certificates will be generated smoothly. I hope Till or Falko can add this change in the next release.

 

Wow. Nicely done. While the outcome is the same, I think our cause might be different.

Using FC5 with ISPConfig 2.2.8 there is no .rnd file located under /root/ispconfig/isp. I do have a .rnd located under /root. I cp'd it over to /root/ispconfig/isp/.rnd and made the change to the master and now I get the SSL Request and SSL cert. Worked like a champ.

Just for S&G's I tried it with the master in it's original config after cp'ing the .rnd file into /root/ispconfig/isp and it didn't work.

 

The .rnd file is generated. It's created when it doesn't exist. No need to copy it over anywhere.

 

Good to know. I learned something new today. Yaay. Ok. so I deleted file and it still worked. Yaay. So it's a cron thing. So if we update ISPConfig will we have to make this manual change again?

 

Depends. if the developers incorporate this in the distribution, you don't have to worry about this. I'm pretty confident this fix will be in the next 2.2.10 release

Fortunately I don't have developers access ......

 

I'm feeling pressed...

 

I'm using ISP Config 2, I'm logged into the admin panel but I dont see an SSL tab in ISPConfig?