(CATOOL) CAtool error

Mike McCauley mikem at open.com.au
Wed Nov 22 17:50:19 CST 2006


Hello Martin,

thanks for your detailed report and diagnosis.

If your certificate requesters know the Key Encryption Passphrase from their 
original request, then we have a fix that will allow the keyphrase to be 
entered into the renewal request form. Would you care to test that before we 
create a full new release?

A tgz file is attached with new versions of 
lib/perl/Catool/Action/SubmitRequest.pm and 
lib/templates/new-request-renewal.htmpl

as root:
cd /usr/local/catool
tar zxvf catool-1.3.6-patches.tgz

Please let me know how you get on.

Cheers.




On Wednesday 22 November 2006 21:28, Martin Burton wrote:
> OK, I've got to the bottom of this...  removing the unlink for the csr
> temp files revealed the problem.
>
> When the original requests were generated a passphrase was used to
> protect the private key.  Catool then stores the (encrypted) key in the
> DB, encrypted again with its own key.
>
> At renewal time the key is retrieved from the db and decrypted using the
> catool key, which leaves the original passphrase protected key.
>
> This is then passed to the RunOpenssl method with the rest of the temp
> files, and of course openssl then wants the original passphrase used to
> protect the key.  There is no way of specifying this on the renewal page
> so it can't be passed to openssl, which fails as it can't open the
> request key.
>
> Running the command manually (I assume that Catool just sends a \n to
> the "Enter pass phrase" prompt)
>
> catool:/usr/local/catool/var/tmp# openssl x509 -x509toreq -in
> catoolFvEJ3M-cert.pem -signkey catoolDlJPdP-key.pem -out
> catoolpBNBt8-csr.pem
> Getting request Private Key
> Enter pass phrase for catoolDlJPdP-key.pem:
> unable to load request key
>
> If I actually enter the passphrase used at key generation time:
>
> catool:/usr/local/catool/var/tmp# openssl x509 -x509toreq -in
> catoolFvEJ3M-cert.pem -signkey catoolDlJPdP-key.pem -out
> catoolpBNBt8-csr.pem
> Getting request Private Key
> Enter pass phrase for catoolDlJPdP-key.pem:
> Generating certificate request
>
> Not sure how to get around this, any ideas?
>
> Cheers,
>
> Martin.
>
> Martin Burton wrote:
> > Hmm,
> >
> > I've upgraded to openssl 0.9.8c (latest in debian/testing) and still get
> > the same results.
> >
> > I'm going to delve into the code and see if I can figure out just what
> > is going on...
> >
> > Cheers,
> >
> > Martin.
> >
> > Mike McCauley wrote:
> >> Hello Martin,
> >>
> >> On Wednesday 22 November 2006 17:38, Martin Burton wrote:
> >>> Thanks for the response Mike,
> >>>
> >>> We're running:
> >>> catool:~# dpkg -l | grep openssl
> >>> ii  openssl        0.9.8a-4       Secure Socket Layer (SSL) binary and
> >>> related
> >>> catool:~# openssl version
> >>> OpenSSL 0.9.8a 11 Oct 2005
> >>>
> >>> and:
> >>>
> >>> catool:~# cat /usr/local/catool/lib/version
> >>> # $Id: version,v 1.11 2004/04/19 18:57:29 chip Exp $
> >>> # $Source: /usr/local/src/CVS/catool/lib/version,v $
> >>>
> >>> 1.3.5
> >>>
> >>>
> >>> Could be we need to upgrade CAtool.
> >>
> >> I don't think there were any changes between 1.3.5 and 1.3.6 that could
> >> cause this.
> >>
> >> I suspect instead that it's the OpenSSL 0.9.8a version. I have found
> >> 0.9.8a to be flaky in other ways, so perhaps you should consider
> >> upgrading or downgrading openssl.
> >>
> >>> We need to renew our support on
> >>> CATool as it's just expired.  The guy who authorises our
> >>> software/support purchases has been away for a few days so we've not
> >>> had the renewal signed off yet.  It's on the cards along with an
> >>> upgrade from silver to gold (we're going to need more than 200
> >>> certificates soon!).
> >>
> >> We will be happy to help you with that.
> >>
> >>
> >> Cheers.
> >>
> >>> Regards,
> >>>
> >>> Martin.
> >>>
> >>> Mike McCauley wrote:
> >>>> Hello Martin,
> >>>>
> >>>> thanks for your report. I will try to help you.
> >>>>
> >>>> Tests here show that certificate renewal works OK, so I am suspecting
> >>>> an openssl version problem.
> >>>>
> >>>> We run here against OpenSSL 0.9.7g.
> >>>> What version do you have installed there?
> >>>>
> >>>> And what version of CATool do you have installed?
> >>>>
> >>>> Cheers.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: catool-1.3.6-patches.tgz
Type: application/x-tgz
Size: 3905 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/catool/attachments/20061123/6a3a5d80/attachment.bin>
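A reproduction of the renewal failure Martin diagnosed, and of the path the patched form enables (supplying the key's original passphrase to openssl), added here as an example and not part of CAtool or this thread. It assumes the openssl CLI is on PATH; the file names and the passphrase "orig-secret" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not CAtool's code): the requester's private key was
# generated with a passphrase, so after CAtool strips its own DB-layer
# encryption the key is still passphrase-protected. Renewing with no
# passphrase fails exactly as in Martin's transcript.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='orig-secret'   # constructed passphrase from the "original request"

# The original request: passphrase-protected key plus a certificate.
openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/key.pem" 2048 >/dev/null 2>&1
openssl req -new -x509 -key "$WORK/key.pem" -passin "pass:$PASS" \
    -subj '/CN=renewal-demo' -days 30 -out "$WORK/cert.pem" 2>/dev/null

# Renewal as the unpatched code ran it: an empty passphrase (the "\n"
# Martin suspects CAtool sent). Returns openssl's exit status, nonzero
# with "unable to load request key".
renew_without_pass() {
    openssl x509 -x509toreq -in "$WORK/cert.pem" -signkey "$WORK/key.pem" \
        -passin 'pass:' -out "$WORK/csr-nopass.pem" >/dev/null 2>&1
}

# Renewal with the original passphrase handed to openssl, which is what
# accepting it on the renewal form makes possible.
renew_with_pass() {
    openssl x509 -x509toreq -in "$WORK/cert.pem" -signkey "$WORK/key.pem" \
        -passin "pass:$PASS" -out "$WORK/csr.pem" >/dev/null 2>&1
}

# Check that the produced CSR is well formed and its self-signature verifies.
csr_ok() {
    openssl req -in "$WORK/csr.pem" -noout -verify >/dev/null 2>&1
}

if renew_without_pass; then
    echo "unexpected: renewal without the passphrase succeeded"
else
    echo "without passphrase: unable to load request key (as in the report)"
fi
renew_with_pass && csr_ok && echo "with passphrase: CSR generated and verifies"
```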
