Verisign certificate problem

Post by Kurt Cyphe » Sun, 14 Oct 2001 00:26:08



We've got a server that has been running Apache v1.3.19 with OpenSSL
0.9.6 just fine for a few months now.  The Verisign certificate we're
using is set to expire in a couple of weeks, and we thought we'd renew
it a little early, just in case (in this case, a good call).

We requested a new certificate on 8 Oct, and received our new cert on 11
Oct.  When I put it in place and changed the filenames to the correct
key and cert files in httpd.conf, Apache wouldn't start.  The messages
in the error_log were:

[Thu Oct 11 13:06:30 2001] [notice] SIGUSR1 received.  Doing graceful restart
[Thu Oct 11 13:06:30 2001] [crit] Error reading server certificate file /usr/local/apps/ssl/certs/wisdom.2001-10-08.crt
[Thu Oct 11 13:06:30 2001] [crit] error:0D0A2007:asn1 encoding routines:d2i_X509_CINF:expecting an asn1 sequence
[Thu Oct 11 13:06:30 2001] [crit] error:0D09F004:asn1 encoding routines:d2i_X509:nested asn1 error
[Thu Oct 11 13:06:30 2001] [crit] error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib

I emailed Verisign "Customer Support" telling them the problem, and they
replied back saying that "Technical questions regarding the
configuration of your Digital ID on the server are best handled by the
developers of your specific server software."

Even though I replied back, asking them why Apache tech support would be
better able to help with the problem when the only difference between
functional SSL and non-functional SSL was the new certificate that
Verisign sent me, I decided to post here to see if anyone else has had
any problems like this.

--
Kurt Cypher
Computing & Telecommunications Services
Wright State University

 
 
 

Post by I R A Darth Agg » Sun, 14 Oct 2001 01:35:54


On Fri, 12 Oct 2001 11:26:08 -0400,

+ Even though I replied back, asking them why Apache tech support would be
+ better able to help with the problem when the only difference between
+ functional SSL and non-functional SSL was the new certificate that
+ Verisign sent me, I decided to post here to see if anyone else has had
+ any problems like this.

I stuck this error message (error:0D0A2007:asn1 encoding) into google
and got some things:

http://www.my-opensource.org/lists/myoss/2001-04/msg00056.html
http://www.mail-archive.com/openssl-users%40openssl.org/msg18793.html

One suggestion was that it might be a CRLF problem - using a DOS file
with a unixy installation.

You may want to ask on an SSL newsgroup/mailing list, as well.

James
--
Consulting Minister for Consultants, DNRC
I can please only one person per day. Today is not your day. Tomorrow
isn't looking good, either.
I am BOFH. Resistance is futile. Your network will be assimilated.

 
 
 

Post by Kurt Cyphe » Wed, 17 Oct 2001 22:11:05



> On Fri, 12 Oct 2001 11:26:08 -0400,


> + Even though I replied back, asking them why Apache tech support would be
> + better able to help with the problem when the only difference between
> + functional SSL and non-functional SSL was the new certificate that
> + Verisign sent me, I decided to post here to see if anyone else has had
> + any problems like this.

> I stuck this error message (error:0D0A2007:asn1 encoding) into google
> and got some things:

> http://www.my-opensource.org/lists/myoss/2001-04/msg00056.html
> http://www.mail-archive.com/openssl-users%40openssl.org/msg18793.html

> One suggestion was that it might be a CRLF problem - using a DOS file
> with a unixy installation.

> You may want to ask on an SSL newsgroup/mailing list, as well.

> James
> --
> Consulting Minister for Consultants, DNRC
> I can please only one person per day. Today is not your day. Tomorrow
> isn't looking good, either.
> I am BOFH. Resistance is futile. Your network will be assimilated.

CRLF was one of the first things I checked, since I've been burned by
that before.

After I posted my initial message, I did a little more searching, and
found a site that indicated that the error message meant that the
certificate file was probably corrupt or empty.  It definitely wasn't
empty, so I gave that bit of feedback to Verisign on Friday, and Monday
afternoon, I finally got a reply back saying that maybe the certificate
was corrupt, and suggested I try requesting a replacement certificate
(free within the first 30 days after you get your cert).  Our
replacement cert is working fine.

Kurt

--
Kurt Cypher
Computing & Telecommunications Services
Wright State University
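
Added example (not part of the original thread): a pre-install check for a PEM certificate file that looks for the causes raised above (empty file, CRLF line endings, corrupt body) and confirms that the decoded data has the nested ASN.1 SEQUENCE structure a certificate starts with. The function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: SEQUENCE { SEQUENCE { INTEGER 2 } }. It has the outer
# shape of a certificate but is not a real one.
SAMPLE_DER = bytes([0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x02])


def make_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour (helper for the constructed samples)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


def outer_tlv(der: bytes):
    """Return (header_len, content_len) of the first DER element, or None."""
    if len(der) < 2:
        return None
    if der[1] < 0x80:                      # short form: length in one byte
        return 2, der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def diagnose_cert(data: bytes) -> list:
    """Return a list of problems found in a PEM certificate file's bytes."""
    if not data.strip():
        return ["file is empty"]
    findings = ["CRLF line endings"] if b"\r\n" in data else []
    m = PEM_RE.search(data)
    if not m:
        return findings + ["no PEM CERTIFICATE block"]
    try:
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    except binascii.Error:
        return findings + ["base64 body is corrupt"]
    if not der or der[0] != 0x30:
        return findings + ["data does not start with an ASN.1 SEQUENCE"]
    tlv = outer_tlv(der)
    if tlv is None or sum(tlv) != len(der):
        return findings + ["outer SEQUENCE length does not match the data"]
    if tlv[1] == 0 or der[tlv[0]] != 0x30:
        return findings + ["first inner element is not a SEQUENCE"]
    return findings
```

To check a real file, pass its bytes, for example diagnose_cert(open(path, "rb").read()). An empty list means none of these specific problems were found, not that the certificate is valid.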

 
 
 
