 From:  "Schreiner, Torry" <tschreiner at clark dot edu>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall-dev] Re: mini_httpd update to provide support for chained (intermediate CA) certificates
 Date:  Fri, 5 Sep 2008 11:24:00 -0700
Never mind.  Turned out to be a problem with my private key.  I had to
have my certificate cancelled and requested a new one.  1.3b14 works
great with the GlobalSign OrganizationSSL intermediate CA certificate.

Thanks 

-----Original Message-----
From: Bernie O'Connor [mailto:Bernie dot OConnor at sas dot com] 
Sent: Friday, September 05, 2008 6:38 AM
To: Schreiner, Torry
Subject: RE: [m0n0wall-dev] Re: mini_httpd update to provide support for
chained (intermediate CA) certificates

I haven't extensively tested this in 1.3x series, I backported my fix to
mini_http to 1.232.  Put the m0n0wall cert first, then the intermediate
cert second (in the captive portal configuration page).  I don't recall
exactly what makes mini_http fail to start (might be a mismatch in the
private key on the configuration page and key used to generate cert).
Is the GlobalSign OrganizationSSL a new signing organization?  The certs
I got working were from Verisign.

You might be able to use http://{yourm0n0wall}/exec.php and try to start
mini_http by hand -- I think the syntax is something like:

/usr/local/sbin/mini_httpd -S -a -M 0 -E /var/etc/cert-portal.pem -p 8002

NOTE: this starts it up on 8002 so you won't interfere with anything
running on 8001.  You might be able to see any error messages on
startup.

Also, you can install openssl client on a machine in the lan side of
your m0n0wall and issue a command like:

openssl s_client -CAfile ca-certificates.crt -host 149.173.19.9 -port 8002

and the client will give you info about the certs (as long as your
mini_http stays up, first).

Hope this helps some,
bernie
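
The two conditions discussed in this thread (the private key must belong to the certificate, and the server certificate must come before the intermediate), written as local openssl checks. This is an added example, not part of the original messages and not m0n0wall or mini_httpd code; the function names are hypothetical and the two file arguments are assumed to be PEM files holding the chain and the private key as pasted into the configuration page.

```shell
#!/bin/sh
# Added example, not m0n0wall or mini_httpd code. Function names are hypothetical.

# Succeeds when the private key ($2) belongs to the first certificate in $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the n-th certificate ($2, 1-based) found in PEM file $1.
nth_cert() {
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ && i == n { exit }' "$1"
}

# Succeeds when the issuer of certificate 1 is the subject of certificate 2,
# i.e. server certificate first, intermediate second. Only names are compared;
# signatures are not verified here.
chain_order_ok() {
    leaf_issuer=$(nth_cert "$1" 1 | openssl x509 -noout -issuer_hash 2>/dev/null) || return 2
    next_subject=$(nth_cert "$1" 2 | openssl x509 -noout -subject_hash 2>/dev/null) || return 2
    [ "$leaf_issuer" = "$next_subject" ]
}

# Usage: sh check.sh chain.pem private.key
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then echo "key: matches first certificate"
    else echo "key: does NOT match first certificate"; fi
    if chain_order_ok "$1"; then echo "chain: server cert first, then its issuer"
    else echo "chain: second certificate is not the issuer of the first"; fi
fi
```

A return status of 2 from either function means openssl could not parse the input at all (missing second certificate, unreadable or passphrase-protected key), which is distinct from a parsed-but-mismatched result.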