Posted to test-dev@httpd.apache.org by Stas Bekman <st...@stason.org> on 2003/07/29 17:12:24 UTC

httpd-test: failing to generate certificates for testing

I have:

openssl-0.9.7a-1.1mdk
libopenssl0.9.7-0.9.7a-1.1mdk
libopenssl0.9.7-devel-0.9.7a-1.1mdk
libopenssl0-0.9.6i-1.1mdk

I can't configure the latest cvs of httpd-test/perl-framework test suite. It 
fails on:

httpd-test/perl-framework/t/conf/ssl/ca/asf> openssl ca -policy policy_anything -in csr/server_dsa_dsa_dsa.csr -out certs/server_dsa_dsa_dsa.crt -passin pass:httpd -config conf/server_dsa_dsa_dsa.cnf -batch
Using configuration from conf/server_dsa_dsa_dsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'California'
localityName          :PRINTABLE:'San Francisco'
organizationName      :PRINTABLE:'ASF'
organizationalUnitName:PRINTABLE:'httpd-test/dsa-test'
commonName            :PRINTABLE:'localhost'
emailAddress          :IA5STRING:'test-dev@httpd.apache.org'
Certificate is to be certified until Jul 28 15:07:29 2004 GMT (365 days)
failed to update database
TXT_DB error number 2

Any ideas? I was building it just fine some time ago...

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com


Re: httpd-test: failing to generate certificates for testing

Posted by Stas Bekman <st...@stason.org>.
Joe Orton wrote:
> On Tue, Jul 29, 2003 at 05:12:24PM +0200, Stas Bekman wrote:
> ...
> 
>>Certificate is to be certified until Jul 28 15:07:29 2004 GMT (365 days)
>>failed to update database
>>TXT_DB error number 2
> 
> 
> This is reproducible on every clean checkout? 

Yes.

> It works OK here with
> openssl 0.9.7a.  openssl can sometimes get confused and gives odd errors
> like this when the text files in the "database" aren't how it expects.

openssl 0.9.7a here as well. And it did work before. Any ideas how to solve it?


[patch] Re: httpd-test: failing to generate certificates for testing

Posted by Stas Bekman <st...@stason.org>.
Stas Bekman wrote:
> Joe Orton wrote:
> 
>> On Tue, Jul 29, 2003 at 05:12:24PM +0200, Stas Bekman wrote:
>> ...
>>
>>> Certificate is to be certified until Jul 28 15:07:29 2004 GMT (365 days)
>>> failed to update database
>>> TXT_DB error number 2

After debugging this problem, I've figured that the failure is due to the fact 
that it tries to reuse the same index.txt files for many certificates. The 
following patch fixes that, by creating a separate foo-index.txt for each 
module. Please test that I didn't break anything, it fixes the problem for me.

Index: Apache-Test/lib/Apache/TestSSLCA.pm
===================================================================
RCS file: 
/home/cvs/httpd-test/perl-framework/Apache-Test/lib/Apache/TestSSLCA.pm,v
retrieving revision 1.13
diff -u -r1.13 TestSSLCA.pm
--- Apache-Test/lib/Apache/TestSSLCA.pm	9 Feb 2003 23:06:07 -0000	1.13
+++ Apache-Test/lib/Apache/TestSSLCA.pm	12 Aug 2003 19:22:42 -0000
@@ -172,7 +172,9 @@
      return $file if -e $file;

      my $dn = dn($name);
-    my $db = SSLCA_DB;
+    my $db = sslca_db($name);
+
+    writefile($db, '', 1);

      writefile($file, <<EOF);
  [ req ]
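Review bot: the added "writefile($db, '', 1);" writes an empty per-name index whenever this point is reached, and the only guard is the "return $file if -e $file;" above, which tests the config file, not the index. If a config is deleted and regenerated while certs/$name.crt already exists, the issuance record for that certificate is gone before any later revoke. Consider guarding the write with a check that $db does not exist yet, and add a comment saying why each name gets its own index.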
@@ -245,7 +247,6 @@
  my $digest_auth_hash    = '$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/';

  sub new_ca {
-    writefile(SSLCA_DB, '', 1);
      writefile('serial', "01\n", 1);

      writefile('ssl.htpasswd',
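Review bot: with "writefile(SSLCA_DB, '', 1);" dropped from new_ca, nothing in this patch creates a file at the bare SSLCA_DB path any more, while 'serial' is still written once here and shared by every certificate. Check the rest of the module for remaining uses of SSLCA_DB as a path on its own, and add a comment that the serial file stays shared while the index is now per name.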
@@ -306,6 +307,11 @@
                        "-out export/$name.p12", $passin, $passout;
  }

+sub sslca_db {
+    my $name = shift;
+    return "$name-" . SSLCA_DB;
+}
+
  sub revoke_cert {
      my $name = shift;

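Review bot: sslca_db() builds its result as "$name-" . SSLCA_DB, which is only correct while SSLCA_DB is a bare file name; if the constant ever carries a directory component, the prefix ends up on the directory part. The helper also accepts an undefined or empty $name and returns "-" followed by the constant. A one-line comment stating the naming scheme and a check that $name is non-empty would make it safe to reuse.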
@@ -314,11 +320,12 @@
      #revokes in the SSLCA_DB database
      openssl ca => "-revoke certs/$name.crt", @args;

-    unless (-e SSLCA_DB) {
+    my $db = sslca_db($name);
+    unless (-e $db) {
          #hack required for win32
-        my $new = join '.', SSLCA_DB, 'new';
+        my $new = join '.', $db, 'new';
          if (-e $new) {
-            cp $new, SSLCA_DB;
+            cp $new, $db;
          }
      }

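Review bot: in revoke_cert the comment "#revokes in the SSLCA_DB database" is now stale, and the "openssl ca -revoke" call runs with @args before $db is computed, so the hunk does not show that the revocation is written to the same per-name index that the win32 fallback then checks. Update the comment, confirm that @args selects the config generated for $name, and check the result of "cp $new, $db" so a failed copy is not silent.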
Index: Apache-Test/Changes
===================================================================
RCS file: /home/cvs/httpd-test/perl-framework/Apache-Test/Changes,v
retrieving revision 1.38
diff -u -r1.38 Changes
--- Apache-Test/Changes	11 Aug 2003 20:07:07 -0000	1.38
+++ Apache-Test/Changes	12 Aug 2003 19:22:42 -0000
@@ -8,6 +8,10 @@

  =item 1.04-dev -

+fix Apache::TestSSLCA to generate a separate index.txt file for each
+new certificate it generates, on certain platforms openssl fails to
+re-use the same file. [Stas]
+
  remove the unused example section from t/conf/extra.conf.in, it made
  an assumption that mod_auth is available [Stas]

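Review bot: the new Changes entry says openssl "fails to re-use the same file" on "certain platforms" without naming the symptom. Quote the error from the report ("failed to update database", "TXT_DB error number 2") and the openssl version it was seen with, so that someone searching the changelog for that message finds the fix.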


Re: httpd-test: failing to generate certificates for testing

Posted by Joe Orton <jo...@redhat.com>.
On Tue, Jul 29, 2003 at 05:12:24PM +0200, Stas Bekman wrote:
...
> Certificate is to be certified until Jul 28 15:07:29 2004 GMT (365 days)
> failed to update database
> TXT_DB error number 2

This is reproducible on every clean checkout?  It works OK here with
openssl 0.9.7a.  openssl can sometimes get confused and gives odd errors
like this when the text files in the "database" aren't how it expects.
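
An added example, not part of the original thread or of Apache-Test: TXT_DB error number 2 is OpenSSL's index-clash code (DB_ERROR_INDEX_CLASH in txt_db.h), so one way to inspect a shared index.txt is to look for rows that collide on the fields "openssl ca" keeps unique: the serial across all rows, and the subject across rows still marked valid. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: list rows of an "openssl ca" index file that would clash.
# Each row is tab-separated:
#   status (V/R/E), expiry, revocation date, serial, file name, subject DN

index_clashes() {
    awk -F '\t' '
        NF != 6 { printf "line %d: expected 6 fields, got %d\n", NR, NF; next }
        {
            # Serials are indexed for every row, whatever its status.
            serial = toupper($4)
            if (serial in seen_serial)
                printf "line %d: serial %s repeats line %d\n", NR, serial, seen_serial[serial]
            else
                seen_serial[serial] = NR
        }
        $1 == "V" {
            # Subjects are indexed only for rows that are still valid.
            if ($6 in seen_subject)
                printf "line %d: subject repeats valid line %d: %s\n", NR, seen_subject[$6], $6
            else
                seen_subject[$6] = NR
        }
    ' "$1"
}

# Constructed sample: line 3 reuses the subject of line 1, line 4 reuses the
# serial of line 2, line 5 is revoked so its repeated subject is not a clash.
write_sample_index() {
    {
        printf 'V\t040728150729Z\t\t01\tunknown\t/C=US/O=Example/OU=rsa-test/CN=localhost\n'
        printf 'V\t040728150730Z\t\t02\tunknown\t/C=US/O=Example/OU=dsa-test/CN=localhost\n'
        printf 'V\t040728150731Z\t\t03\tunknown\t/C=US/O=Example/OU=rsa-test/CN=localhost\n'
        printf 'R\t040728150732Z\t030812192242Z\t02\tunknown\t/C=US/O=Example/OU=client/CN=localhost\n'
        printf 'R\t040728150733Z\t030812192243Z\t04\tunknown\t/C=US/O=Example/OU=dsa-test/CN=localhost\n'
    } > "$1"
}

# Stand-alone use: sh check_index.sh path/to/index.txt
if [ "$#" -gt 0 ]; then
    index_clashes "$1"
fi
```

A repeated subject only matters when the CA configuration enforces unique subjects; a repeated serial is always a clash.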