Fwd: [umurmur-general] Certificate chains in uMurmur

Felix Morgner

May 11, 2014, 6:57:09 PM5/11/14
to umurmur...@googlegroups.com
Sorry for double posting, but I didn't send it to the list, so here you go:

For getting certificate chaining to work, you need to point ca_path to the DIRECTORY containing the intermediate certificates.
On most systems, pointing it to '/etc/openssl/certs' or '/etc/ssl/certs' should suffice (depending on your OS/distribution).
If it still doesn't work, make sure you've installed the intermediate certs in the directory you've specified in ca_path.
Please note, you must point the options at a DIRECTORY not a FILE.

Hope that helps.

Felix

Felix Morgner

May 12, 2014, 4:47:54 AM5/12/14
to umurmur...@googlegroups.com
On 12 May 2014, at 09:36, Gabriel Nadler <nadler...@gmail.com> wrote:

> My current setup looks like this (I'm on a Synology NAS):
>
> certificate = "/usr/local/umurmur/var/mumble.crt";
> private_key = "/usr/local/umurmur/var/mumble.key";
> ca_path = "/etc/ssl/certs/";

Looks good.

>
>
> and I copied the two *.pem files I got from StartSSL into that folder making them readable for all users on the system.

I forgot to mention, for OpenSSL to find the CA/Intermediate certs, you need to symlink them to their "hash" inside of the specified directory.

For example I've got it configured that way (for CACert):

$ ls -l /etc/openssl/certs/

-rw-r--r-- 1 root wheel 2569 Oct 11 2004 CACert Signing Authority.pem
-rw-r--r-- 1 root wheel 2610 May 23 2011 CACert Class 3 Root.pem
....
lrwxr-xr-x 1 root wheel 29 Apr 24 09:33 99d0fa06.0 -> CACert Signing Authority.pem
lrwxr-xr-x 1 root wheel 23 Apr 24 09:34 590d426f.0 -> CACert Class 3 Root.pem

To get the hashes you can use openssl itself:

openssl x509 -noout -hash -in <ca-certificate-file>

Where <ca-certificate-file> is your filename for the CA/Intermediate .pem file. Please note, you've got to add ".0" (without the quotes) to the symlink name.

You could also do it the "lazy" way:

ln -s my_ca.pem `openssl x509 -hash -noout -in my_ca.pem`.0

replacing my_ca.pem with your actual filename.

Please let me know if that fixed your issue. For more info: http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl

If it works, I think I'll add an entry in the wiki.
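The hash-and-symlink step described in the message above, written out as a small POSIX sh script. This is an added example for this page, not code from the uMurmur project or from the thread. It assumes the openssl CLI (1.0.0 or newer) is on PATH; `-subject_hash` is the long form of the `-hash` flag used above. Two things the one-liner in the message glosses over: the `.0` suffix is only the first slot, and a second certificate with the same subject hash (for instance an old and a renewed CA with the same subject name) has to become `.1`, otherwise OpenSSL never sees it; and the hash algorithm changed in OpenSSL 1.0.0, so links made by a 0.9.x build (`-subject_hash_old` prints that value) must be regenerated when the library is upgraded. Newer OpenSSL releases ship `openssl rehash` (1.1.0+) or the `c_rehash` script for the same job; the function below shows what they do. The directory name and file names are illustrative.

```shell
#!/bin/sh
# Added example (not from the uMurmur thread): build the <hash>.N symlinks
# that OpenSSL's directory lookup (ca_path) needs to find each CA/intermediate.
# Assumes POSIX sh plus the openssl CLI, 1.0.0 or newer, on PATH.
set -eu

# Print the subject-name hash OpenSSL uses when searching a CApath directory.
# ("-hash" in the mailing-list post is an alias for "-subject_hash".)
cert_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# Link every *.pem / *.crt certificate in directory $1 as <hash>.N.
# N starts at 0 and is incremented when another certificate already owns
# that slot, so two different certs with the same subject both get found.
# Running it twice is safe: a link that already points at the file is kept.
rehash_dir() {
    dir=$1
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue                     # unmatched glob
        # Skip files that are not certificates (private keys, CRLs, ...).
        openssl x509 -noout -in "$cert" 2>/dev/null || continue
        hash=$(cert_hash "$cert")
        name=$(basename "$cert")
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            # Slot already points at this very file: nothing to do.
            if [ "$(readlink "$dir/$hash.$n")" = "$name" ]; then
                n=-1
                break
            fi
            n=$((n + 1))
        done
        [ "$n" -ge 0 ] || continue
        # Relative link target, as in the ls listing in the post.
        ln -s "$name" "$dir/$hash.$n"
        echo "$hash.$n -> $name"
    done
}

# Check that a certificate chains to something in the hashed directory.
# This is the same lookup path a server's ca_path setting relies on.
verify_against_dir() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Usage: `rehash_dir /etc/ssl/certs` after copying the intermediate and root PEM files there, then `verify_against_dir /etc/ssl/certs /usr/local/umurmur/var/mumble.crt` to confirm the server certificate actually chains through the directory before restarting the daemon. If the verify fails, the directory is missing an intermediate or the links were made with a different OpenSSL version's hash.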

nadler...@gmail.com

Jun 3, 2014, 7:47:29 AM6/3/14
to umurmur...@googlegroups.com
This worked perfectly. Thanks for the help.