gnd | 20 May 16:51 2009

Re: GnuTls: Base64 unexpected header error

hello,

I investigated further on the private key. It's obtained from the provider
1&1 via some free SSL certificate giveaway that is a deal with Geotrust ..

So the problem with the key is that it's not generated by us, but it's
generated by either 1&1 or Geotrust - which provides the certificate to
it.

Another thing is that the key length is different from the keys that we
generated by ourselves. Our private keys are 1024 bit RSA with the size of
887 bytes, whilst the key from 1&1 has a size of 912 bytes. Also it's
starting with "-----BEGIN PRIVATE KEY-----" instead of "-----BEGIN RSA
PRIVATE KEY-----".

When I do a certtool -d9 -k on the key I get this kind of info from the
certtool:

|<2>| ASSERT: x509_b64.c:452
|<2>| Could not find '-----BEGIN RSA PRIVATE KEY'
|<2>| ASSERT: x509_b64.c:452
|<2>| Could not find '-----BEGIN DSA PRIVATE KEY'
|<2>| ASSERT: privkey.c:378
(here it prints out key info)

So the key is in some format that can't be read by mod_gnutls. Do you have
any idea what format it could be?

thank you,

Nikos Mavrogiannopoulos | 20 May 15:55 2009
Re: GnuTls: Base64 unexpected header error

On Wed, May 20, 2009 at 5:51 PM,  <gnd@...> wrote:
> hello,
>
> I investigated further on the private key. It's obtained from the provider
> 1&1 via some free SSL certificate giveaway that is a deal with Geotrust ..
>
> So the problem with the key is that it's not generated by us, but it's
> generated by either 1&1 or Geotrust - which provides the certificate to
> it.
> Another thing is that the key length is different from the keys that we
> generated by ourselves. Our private keys are 1024 bit RSA with the size of
> 887 bytes, whilst the key from 1&1 has a size of 912 bytes. Also it's
> starting with "-----BEGIN PRIVATE KEY-----" instead of "-----BEGIN RSA
> PRIVATE KEY-----".

It seems it is a PKCS #8 key. You can convert it to a format that
mod_gnutls should be able to read using certtool -k. However, which
version of gnutls do you use? Newer versions seem to autodetect the
private key file.

regards,
Nikos
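
Added example, not part of the original thread: a Python sketch that tells the two formats discussed above apart by both the PEM label and the ASN.1 structure (PKCS #1 "RSA PRIVATE KEY" versus PKCS #8 "PRIVATE KEY"). The sample keys are built from constructed placeholder integers and are not usable keys; all function names are illustrative.

```python
import base64, re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def tlv(tag, body):  # DER-encode one element with a definite length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_int(v):  # minimal non-negative DER INTEGER
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def read_tlv(buf, pos=0):  # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def classify(pem_text):
    """Return (PEM label, ASN.1 structure, DER length) for a private-key PEM block."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode(m.group(2))
    tag, seq, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, _, pos = read_tlv(seq)          # first field: version INTEGER in both formats
    second, _, _ = read_tlv(seq, pos)  # INTEGER = modulus, SEQUENCE = AlgorithmIdentifier
    kind = {0x02: "PKCS#1 RSAPrivateKey", 0x30: "PKCS#8 PrivateKeyInfo"}.get(second, "unknown")
    return m.group(1), kind, len(der)

# Constructed placeholder integers of realistic size; NOT a usable RSA key.
n, half = (1 << 1023) + 12345, (1 << 511) + 1
PKCS1_DER = tlv(0x30, b"".join(map(der_int, [0, n, 65537, n - 2, half, half, half, half, half])))
PKCS8_DER = tlv(0x30, der_int(0) + tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x04, PKCS1_DER))
PKCS1_PEM, PKCS8_PEM = to_pem("RSA PRIVATE KEY", PKCS1_DER), to_pem("PRIVATE KEY", PKCS8_DER)

for sample in (PKCS1_PEM, PKCS8_PEM):
    print(classify(sample))
```

For an RSA key of this size the PKCS #8 wrapper (version, AlgorithmIdentifier, OCTET STRING header) adds 26 DER bytes around the unchanged PKCS #1 structure, so the wrapped file is slightly larger.
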

gnd | 20 May 17:27 2009

Re: GnuTls: Base64 unexpected header error

hello,

> However, which version of gnutls do you use? Newer
> versions seem to autodetect the
> private key file.

I'm running Debian and the installed mod_gnutls is:

Package: libapache2-mod-gnutls
Priority: extra
Section: httpd
Installed-Size: 80
Maintainer: Jack Bates <ms419@...>
Architecture: i386
Source: mod-gnutls
Version: 0.5.2-1
Depends: libc6 (>= 2.7-1)
Filename: pool/main/m/mod-gnutls/libapache2-mod-gnutls_0.5.2-1_i386.deb
Size: 25824

> It seems it is a PKCS #8 key. You can convert it to a format that
> mod_gnutls should be able to read
> using certtool -k.

I tried to convert the key with:
certtool --generate-privkey --infile xxx_real.key --outfile key.pem

and it's working, insofar as apache will start up, but the website is not
working because of:

Simon Josefsson | 20 May 16:26 2009

Re: GnuTls: Base64 unexpected header error

gnd@... writes:

>> It seems it is a PKCS #8 key. You can convert it to a format that
>> mod_gnutls should be able to read
>> using certtool -k.
>
> I tried to convert the key with:
> certtool --generate-privkey --infile xxx_real.key --outfile key.pem
>
> and it's working, insofar as apache will start up, but the website is not
> working because of:
>
> An error occurred during a connection to www.mobivita.com.
> Peer's certificate has an invalid signature.
> (Error code: sec_error_bad_signature)
> (this is what firefox tells me).
>
> Maybe I did not convert the key correctly?

That command generates a new key, it does not convert your existing key.
So signature failures are expected.  Try:

certtool -k < oldkey.pem > newkey.pem

/Simon

gnd | 21 May 09:56 2009

Re: GnuTls: Base64 unexpected header error

Hello,

> That command generates a new key, it does not convert your existing key.
> So signature failures are expected.  Try:
>
> certtool -k < oldkey.pem > newkey.pem

^^ this helped, thank you very much for the advice. I have another question -
the version of mod_gnutls which I provided in the former email - should it or
should it not autodetect the key type?

kind regards,

gnd/

Nikos Mavrogiannopoulos | 21 May 13:09 2009

Re: GnuTls: Base64 unexpected header error

It is gnutls (not mod_gnutls) that does the auto-detection. Thus
please specify the version you have in your system.

regards,
Nikos

On Thu, May 21, 2009 at 10:56 AM,  <gnd@...> wrote:
> Hello,
>
>> That command generates a new key, it does not convert your existing key.
>> So signature failures are expected.  Try:
>>
>> certtool -k < oldkey.pem > newkey.pem
>
> ^^ this helped, thank you very much for the advice. I have another question -
> the version of mod_gnutls which I provided in the former email - should it or
> should it not autodetect the key type?
>
> kind regards,
>
> gnd/
>
>
gnd | 21 May 14:24 2009

Re: GnuTls: Base64 unexpected header error

Hello,

dpkg shows me this:

ii  gnutls-bin                        2.6.6-1                    the GNU
TLS library - commandline utilities
ii  gnutls-doc                        2.6.6-1                    the GNU
TLS library - documentation and exam
ii  libgnutls13                       2.0.4-4                    the GNU
TLS library - runtime library
ii  libgnutls26                       2.6.6-1                    the GNU
TLS library - runtime library

regards,

gnd/

> It is gnutls (not mod_gnutls) that does the auto-detection. Thus
> please specify the version you have in your system.
>
> regards,
> Nikos
>
> On Thu, May 21, 2009 at 10:56 AM,  <gnd@...> wrote:
>> Hello,
>>
>>> That command generates a new key, it does not convert your existing
>>> key.
>>> So signature failures are expected.  Try:
>>>
Nikos Mavrogiannopoulos | 21 May 19:56 2009

Re: GnuTls: Base64 unexpected header error

gnd@... wrote:
> Hello,
> 
> dpkg shows me this:
> 
> ii  gnutls-bin                        2.6.6-1                    the GNU
> TLS library - commandline utilities
> ii  gnutls-doc                        2.6.6-1                    the GNU
> TLS library - documentation and exam
> ii  libgnutls13                       2.0.4-4                    the GNU
> TLS library - runtime library
> ii  libgnutls26                       2.6.6-1                    the GNU
> TLS library - runtime library

Could it be that mod_gnutls is using libgnutls13? Could you check the
output of ldd path/to/mod_gnutls.so?

regards,
Nikos

Nikos Mavrogiannopoulos | 21 May 20:01 2009

Re: GnuTls: Base64 unexpected header error

gnd@... wrote:
> Hello,
> 
> dpkg shows me this:
> 
> ii  gnutls-bin                        2.6.6-1                    the GNU
> TLS library - commandline utilities
> ii  gnutls-doc                        2.6.6-1                    the GNU
> TLS library - documentation and exam
> ii  libgnutls13                       2.0.4-4                    the GNU
> TLS library - runtime library
> ii  libgnutls26                       2.6.6-1                    the GNU
> TLS library - runtime library

Sorry, it seems that mod_gnutls doesn't use the gnutls functions that do
the autodetection. The next release will support it.

regards,
Nikos