Moving from X.509/PEM to X.509/pk12


Moving from X.509/PEM to X.509/pk12

ccrraaiigg

Hi--

     I have an EC2 Amazon Linux AMI GLASS site working well with nginx
as the webserver and an X.509 PEM certificate for security (thanks
again, all!). So of course my client wants the certificate to be X.509
pk12. :)  I made a pk12 version of the certificate with:

% openssl pkcs12 -export -out certificate.pfx -inkey site.privateKey.pem \
    -in site.cert.pem -certfile cacert.pem

and modified /etc/nginx/nginx.conf to use certificate.pfx as the
ssl_certificate. When I restart nginx, I get:

nginx: [emerg]
SSL_CTX_use_certificate_chain_file("/etc/nginx/weather.smalltalkconsulting.net.cert.pfx")
failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib)
nginx: configuration file /etc/nginx/nginx.conf test failed

Googling error message fragments wasn't edifying. Does anyone know
enough about nginx and/or openssl/pk12 to help?

     Alternatively, can someone help me move to Apache, under the theory
that nginx's support for pk12 is broken and Apache's isn't?


     thanks!

-C

--
Craig Latta
www.netjam.org/resume
+31   6 2757 7177
+ 1 415  287 3547 (no SMS)
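
Added example, not part of the original thread: the "no start line" error above is what a PEM reader reports when it is handed a binary PKCS#12 file, and nginx's ssl_certificate and ssl_certificate_key directives take PEM files. The script builds a throwaway certificate, repeats the export from the post, shows that the .pfx has no PEM start line, and unpacks it back into PEM; the CN, the password and the file names under the temporary directory are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example. The CN, file names and password are constructed placeholders.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASS='example-export-password'
umask 077   # the extracted private key must not be readable by other users

# Throwaway self-signed key and certificate in PEM form.
make_pem() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
    -keyout "$WORK/site.key.pem" -out "$WORK/site.cert.pem" 2>/dev/null
}

# The export from the post (without -certfile): a binary PKCS#12 container.
make_pfx() {
  openssl pkcs12 -export -out "$WORK/certificate.pfx" -passout "pass:$PASS" \
    -inkey "$WORK/site.key.pem" -in "$WORK/site.cert.pem"
}

# True only if the file carries the PEM start line the PEM reader looks for.
is_pem_cert() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Unpack the container back into separate PEM certificate and key files.
extract_pem() {
  openssl pkcs12 -in "$WORK/certificate.pfx" -passin "pass:$PASS" \
    -nokeys -clcerts -out "$WORK/from-pfx.cert.pem" 2>/dev/null &&
  openssl pkcs12 -in "$WORK/certificate.pfx" -passin "pass:$PASS" \
    -nocerts -nodes -out "$WORK/from-pfx.key.pem" 2>/dev/null
}

# SHA-256 fingerprint line of a PEM certificate, used to compare two files.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

if make_pem && make_pfx && extract_pem; then
  is_pem_cert "$WORK/certificate.pfx" || echo "certificate.pfx: no PEM start line"
  is_pem_cert "$WORK/from-pfx.cert.pem" && echo "from-pfx.cert.pem: PEM certificate"
  [ "$(fingerprint "$WORK/site.cert.pem")" = "$(fingerprint "$WORK/from-pfx.cert.pem")" ] &&
    echo "same certificate before and after the PKCS#12 round trip"
fi
```

The .pfx can be handed to whoever asked for PKCS#12 while the web server keeps reading the PEM pair.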

Re: Moving from X.509/PEM to X.509/pk12

James Foster-8
Craig,

Some time ago I wrote up a description of installing Apache on Slicehost. Some of it might apply, and I'm sure we can quickly get you going with that.

http://programminggems.wordpress.com/2008/09/12/slice-4/

I'm pretty sure I set up https as well, but I can't find any notes on that process (and I don't know what kind of certificate I used), so I probably won't be much help on that part.

~James

On Apr 18, 2012, at 2:46 AM, Craig Latta wrote:

>
> Hi--
>
>     I have an EC2 Amazon Linux AMI GLASS site working well with nginx
> as the webserver and an X.509 PEM certificate for security (thanks
> again, all!). So of course my client wants the certificate to be X.509
> pk12. :)  I made a pk12 version of the certificate with:
>
> % openssl pkcs12 -export -out certificate.pfx -inkey site.privateKey.pem
> -in site.cert.pem -certfile cacert.pem
>
> and modified /etc/nginx/nginx.conf to use certificate.pfx as the
> ssl_certificate. When I restart nginx, I get:
>
> nginx: [emerg]
> SSL_CTX_use_certificate_chain_file("/etc/nginx/weather.smalltalkconsulting.net.cert.pfx")
> failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
> error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib)
> nginx: configuration file /etc/nginx/nginx.conf test failed
>
> Googling error message fragments wasn't edifying. Does anyone know
> enough about nginx and/or openssl/pk12 to help?
>
>     Alternatively, can someone help me move to Apache, under the theory
> that nginx's support for pk12 is broken and Apache's isn't?
>
>
>     thanks!
>
> -C
>
> --
> Craig Latta
> www.netjam.org/resume
> +31   6 2757 7177
> + 1 415  287 3547 (no SMS)


Re: Moving from X.509/PEM to X.509/pk12

Paul DeBruicker
In reply to this post by ccrraaiigg
I thought pkcs12 certs ended with .p12 not .pfx.

https://en.wikipedia.org/wiki/PKCS12


Seems odd that Nginx wouldn't support them as I think it just uses openssl.






On 12-04-18 02:46 AM, Craig Latta wrote:

>
> Hi--
>
>       I have an EC2 Amazon Linux AMI GLASS site working well with nginx
> as the webserver and an X.509 PEM certificate for security (thanks
> again, all!). So of course my client wants the certificate to be X.509
> pk12. :)  I made a pk12 version of the certificate with:
>
> % openssl pkcs12 -export -out certificate.pfx -inkey site.privateKey.pem
> -in site.cert.pem -certfile cacert.pem
>
> and modified /etc/nginx/nginx.conf to use certificate.pfx as the
> ssl_certificate. When I restart nginx, I get:
>
> nginx: [emerg]
> SSL_CTX_use_certificate_chain_file("/etc/nginx/weather.smalltalkconsulting.net.cert.pfx")
> failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
> error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib)
> nginx: configuration file /etc/nginx/nginx.conf test failed
>
> Googling error message fragments wasn't edifying. Does anyone know
> enough about nginx and/or openssl/pk12 to help?
>
>       Alternatively, can someone help me move to Apache, under the theory
> that nginx's support for pk12 is broken and Apache's isn't?
>
>
>       thanks!
>
> -C
>
> --
> Craig Latta
> www.netjam.org/resume
> +31   6 2757 7177
> + 1 415  287 3547 (no SMS)


Re: Moving from X.509/PEM to X.509/pk12

ccrraaiigg

Hi Paul--

> I thought pkcs12 certs ended with .p12 not .pfx.

     Various examples I find on the web use different extensions. It
doesn't seem to matter in this case; I get the same errors (and with PEM
content I get the same success).

> Seems odd that Nginx wouldn't support them as I think it just uses
> openssl.

     Agreed!


     thanks,

-C

--
Craig Latta
www.netjam.org/resume
+31   6 2757 7177
+ 1 415  287 3547 (no SMS)


Re: Moving from X.509/PEM to X.509/pk12

ccrraaiigg
In reply to this post by James Foster-8

Hi James--

> Some time ago I wrote up a description of installing Apache on
> Slicehost. Some of it might apply, and I'm sure we can quickly get
> you going with that.
>
> http://programminggems.wordpress.com/2008/09/12/slice-4/

     Thanks, James. Yeah, the hardest part about moving to Apache is
just making it work with FastCGI/GLASS at all, apart from any crypto
considerations. I read your example, but am not quite sure what to do,
since my Linux ("Amazon Linux AMI") has an Apache 2.2 installation, but
has none of the a2* programs you use, and has /etc/httpd/ instead of
/etc/apache2/.


     thanks again,

-C

--
Craig Latta
www.netjam.org/resume
+31   6 2757 7177
+ 1 415  287 3547 (no SMS)