Code: 0 semi-random bytes loaded Generating RSA private key, 1024 bit long modulus ...............++++++ ................++++++ e is 65537 (0x10001) error on line 13 of /var/www/web4/ssl/openssl.cnf 28531:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:conf_def.c:366:line 13
I'm sorry. The file should look like this: Code: RANDFILE = $ENV::HOME/.rnd [ req ] default_bits = 1024 default_keyfile = keyfile.pem distinguished_name = req_distinguished_name attributes = req_attributes prompt = no output_password = some_password [ req_distinguished_name ] C = DE ST = Lower Saxony L = Lueneburg O = Example, Ltd. OU = IT CN = example.com emailAddress = [email protected] [ req_attributes ] challengePassword = A challenge password
nope. No errors now. So what do you think might be the problem and how to fix? Code: 0 semi-random bytes loaded Generating RSA private key, 1024 bit long modulus .................................................++++++ ......++++++ e is 65537 (0x10001) writing RSA key
Hmmm, same problem I never responded to this thread, because I thought I couldn't add any insights, because I have created certs with ISPConfig without a problem before, so I thought it would be a local setup problem or something. BUT .... Today I wanted to add a cert to one of my sites and had the same problem. Using the create function, nothing happened. So looking further, I found the same missing openssl.cnf file. But on my system, when I create that file and use the create function again, the file gets deleted. And of course I don't get a certificate! I'm still bug hunting but thought I'd give the OP's a heads up. There's some serious weirdness happening.
Thanks for reporting this. I will have a look at this too to get it fixed before we release 2.2.10. Please keep me updated.
I just tested it with the 2.2.10 beta and it works for me on debian 3.1. Which linux distribution do you use and what exactly did you enter in the input fields on the SSL tab so I can try to reproduce the problem here.
I tested with 2.2.9 when I started with ISPConfig and it worked. I removed the certs, put the same server into production (I didn't change the config) and 1,5 months later it doesn't work. I know, they all say that ...... "I didn't touch the system" That's why I'm still trying to figure this out. Also on two other servers (one is even not used for live websites, I never created a site there) suffer from the same problem. Hmmmm, can't remember a Ubuntu package upgrade that could have an impact. The SSL package didn't upgrade past three months, did it? I'm using Ubuntu 6.10 and besides ISPConfig setup, EVERYTHING is from the distro. No manual package installs/changes. On the SSL tabs I just enter the top 5 fields (using only letters, not even dots), change the dropdown to create and hit save. Monitoring the logfile and the web1/ssl directory shows and error in the logfile and at the same moment the openssl.cnf file is deleted.
I guess the key to the problem is the openssl.cnf, it must contain some errors. Please try to comment out the line 1754 in the file /root/ispconfig/scripts/lib/config.lib.php: exec("rm -f $config_file"); So we can have a look at this file.
It was line 1751 in my /root/ispconfig/scripts/lib/config.lib.php Result: Code: RANDFILE = $ENV::HOME/.rnd [ req ] default_bits = 1024 default_keyfile = keyfile.pem distinguished_name = req_distinguished_name attributes = req_attributes prompt = no output_password = 630b6662d66e85e [ req_distinguished_name ] C = NL ST = NH L = Hilversum O = Tiempo BV OU = IT CN = www.tiempo.nl emailAddress = [email protected] [ req_attributes ] challengePassword = A challenge password But no further juice.
Just an in between update for those reading this thread (and I will be off line for a couple of hours). The problem is in the part where the csr is created (second command in the script). I've split all statements in separate commands and the scripts fails to execute the line: Code: 17.02.2007 - 12:44:51 => INFO - make_ssl_cnf /home/ispwww/web3/ssl/openssl.cnf 17.02.2007 - 12:44:51 => INFO - /root/ispconfig/scripts/lib/config.lib.php, Line 1748: openssl genrsa -des3 -rand /home/ispwww/web3/ssl/random_file -passout pass:5acd86a494bbb5a -out /home/ispwww/web3/ssl/tiempow02.tiempo.loc.key.org 1024 17.02.2007 - 12:44:51 => WARN - /root/ispconfig/scripts/lib/config.lib.php, Line 1749: WARNING: could not openssl req -new -passin pass:5acd86a494bbb5a -pass out pass:5acd86a494bbb5a -key /home/ispwww/web3/ssl/tiempow02.tiempo.loc.key.org -out /home/ispwww/web3/ssl/tiempow02.tiempo.loc.csr -days 365 -config /home/ ispwww/web3/ssl/openssl.cnf 17.02.2007 - 12:44:51 => WARN - /root/ispconfig/scripts/lib/config.lib.php, Line 1750: WARNING: could not openssl req -x509 -passin pass:5acd86a494bbb5a -pas sout pass:5acd86a494bbb5a -key /home/ispwww/web3/ssl/tiempow02.tiempo.loc.key.org -in /home/ispwww/web3/ssl/tiempow02.tiempo.loc.csr -out /home/ispwww/web3/s sl/tiempow02.tiempo.loc.crt -days 365 -config /home/ispwww/web3/ssl/openssl.cnf As I've commented the "rm lines" I am able to manually execute the second command Code: root@tiempou01:/home/ispwww/web3/ssl# openssl req -new -passin pass:5acd86a494bbb5a -passout pass:5acd86a494bbb5a -key /home/ispwww/web3/ssl/tiempow02.tiempo.loc.key.org -out /home/ispwww/web3/ssl/tiempow02.tiempo.loc.csr -days 365 -config /home/ispwww/web3/ssl/openssl.cnf root@tiempou01:/home/ispwww/web3/ssl# l total 24 0 -r-------- 1 root root 0 2007-01-13 12:53 .no_delete 4 drwxr-xr-x 8 www-data web3 4096 2007-01-14 04:00 .. 4 -rw-r--r-- 1 root root 963 2007-02-17 12:44 tiempow02.tiempo.loc.key.org 4 -r-------- 1 root root 887 2007-02-17 12:44 tiempow02.tiempo.loc.key 4 -rw-r--r-- 1 root root 761 2007-02-17 12:44 openssl.cnf 4 -rw-r--r-- 1 root root 757 2007-02-17 12:47 tiempow02.tiempo.loc.csr 4 drwxr-xr-x 2 www-data web3 4096 2007-02-17 12:47 . Why the scripts fails to run while the manual action works is unclear to me at this moment. To be continued (but for me tonight, my time)
Strange as the commands in config.lib.php are executes as root user too Maybe its a timing issue. Please try to add a line: sleep(2); before the line 1749 that executes the failing statement.
Found ! The problem is due to the fact that cron does not support the $ENV shell variable. Let me explain. The script /root/ispconfig/scripts/lib/config.lib.php uses the 'openssl.cnf.master' file to create the openssl.cnf file. This file contains on line 1 the statement: Code: RANDFILE = $ENV::HOME/.rnd According to the documentation this should point to the HOME directory of the user. But (I assume on most distributions) cron does not allow environment variables, or at least $HOME for cron is empty. Why this has ever worked before is a mystery for me. I have had it working on my systems previously. Even during testing today, ISPConfig created once a certificate request! The solution is to replace the master template Code: /root/ispconfig/isp/conf/openssl.cnf.master with this Code: [COLOR="Red"]RANDFILE = /root/ispconfig/isp/.rnd[/COLOR] [ req ] default_bits = 1024 default_keyfile = keyfile.pem distinguished_name = req_distinguished_name attributes = req_attributes prompt = no output_password = {SSL_PASSWORD} [ req_distinguished_name ] C = {SSL_COUNTRY} {SSL_STATE} L = {SSL_LOCALITY} O = {SSL_ORGANIZATION} {SSL_ORGANIZATION_UNIT} CN = {SSL_COMMON_NAME} emailAddress = {SSL_EMAIL} [ req_attributes ] challengePassword = A challenge password I have only changed line 1. Be sure to make this change with a Unix editor (I prefer 'vi'). After this, certificates will be generated smoothly. I hope Till or Falko can add this change in the next release.
Wow. Nicely done. While the outcome is the same, I think our cause might be different. Using FC5 with ISPConfig 2.2.8 there is no .rnd file located under /root/ispconfig/isp. I do have a .rnd located under /root. I cp'd it over to /root/ispconfig/isp/.rnd and made the change to the master and now I get the SSL Request and SSL cert. Worked like a champ. Just for S&G's I tried it with the master in it's original config after cp'ing the .rnd file into /root/ispconfig/isp and it didn't work.
Good to know. I learned something new today. Yaay. Ok. so I deleted file and it still worked. Yaay. So it's a cron thing. So if we update ISPConfig will we have to make this manual change again?
Depends. if the developers incorporate this in the distribution, you don't have to worry about this. I'm pretty confident this fix will be in the next 2.2.10 release Fortunately I don't have developers access ......
Thanks martin for finding the problem! Its not directly a cron thing because ISPConfig does not use cron for executing the configuration scripts, but as martinfst pointed out its a missing system variable. We will set it hardcoded in the next release. What really astonishes me is that it had worked so long and it still works on my servers
