* SSL Certificate signing problem
From: Tony Gogoi @ 2004-10-07 18:26 UTC
To: linux-admin
Hello,
There was an error in running /usr/share/ssl/misc/sign.sh
www.mydomain.com.csr
At first it complained of field 'commonName' Missing. So I added a
'commonName_default' entry in openssl.cnf. Then tried to re-sign the
certificate.
However this time onwards:
-----------------------------------
Sign the certificate? [y/n]: y
failed to upload database
TXT_DB error number 2
CA verifying: www.mydomain.com.crt <-> CA cert
unable to load certificate
3964:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
------------------------------------------------
I feel it's due to a bad certificate already in the database. But how do I
remove the earlier information from the 'database'? Or how could I rectify
this?
I am signing the certificate myself (not trusted third party etc).
Any help appreciated.
Thanks,
Tony
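`TXT_DB error number 2` is OpenSSL's index-clash code: `openssl ca` refuses to add a second valid entry for a subject DN its index file already holds. The check below is an added example, not part of the original post; the sample index lines and DNs are constructed, with only the host name taken from the post.

```shell
#!/bin/sh
# Added example (not from the thread): look up the entry an OpenSSL CA
# index file (ca.db.index / index.txt) already holds for a subject DN.
# Index lines are tab-separated:
#   status  expiry  revocation-date  serial  filename  subject-DN
# status is V (valid), R (revoked) or E (expired).

# Constructed sample index; www.mydomain.com is the name used in the post.
sample_index() {
    printf 'V\t051007182600Z\t\t01\tunknown\t/C=XX/O=Example/CN=www.mydomain.com\n'
    printf 'R\t051001120000Z\t041002120000Z\t02\tunknown\t/C=XX/O=Example/CN=old.mydomain.com\n'
    printf 'V\t051101120000Z\t\t03\tunknown\t/C=XX/O=Example/CN=mail.mydomain.com\n'
}

# find_subject_clash INDEX_FILE SUBJECT_DN
# Prints "serial expiry" for every still-valid entry with exactly that
# subject. Returns 0 if there is one (signing would clash), else 1.
find_subject_clash() {
    WANT="$2" awk -F '\t' '
        NF == 6 && $1 == "V" && $6 == ENVIRON["WANT"] { print $4, $2; hit = 1 }
        END { exit (hit ? 0 : 1) }
    ' "$1"
}

# Demo: only runs when the script is called with the argument "demo".
if [ "${1:-}" = "demo" ]; then
    idx=$(mktemp) && sample_index > "$idx"
    if find_subject_clash "$idx" '/C=XX/O=Example/CN=www.mydomain.com'; then
        echo "clash: a valid entry for this subject is already in the index"
    fi
    rm -f "$idx"
fi
```

Only entries with status V count toward the clash, so an old certificate that has been revoked (status R) no longer blocks signing the same subject again.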
* Re: SSL Certificate signing problem
From: Adrian C. @ 2004-10-09 23:42 UTC
To: linux-admin
Hello. I'm trying to set up a simple failover between 2 gateways on kernel 2.6.2
Here it goes.
just one interface for everything: eth0
route add default gw 192.168.1.1
route add default gw 192.168.2.1
Let's say I ping gmail.com and I kill the 192.168.1.1 machine. ping
stops for about 2 minutes then the next gateway is used and the ping
comes back to life. The only problem here is that it forgets to NAT my
clients via the new gway. At least that's my only explanation why it
stops NATting. Masquerading is done without a -d so destination is
any. What can be done here?
Also please let me know the files in which I should modify fallback
timeout for routes. I need a route check every 10 seconds or so.
One more thing, if 192.168.1.1 comes back to life I would like it to
become the preferred gateway no matter if 192.168.1.2 is alive and
used by kernel. Is this solved by metrics?
Many thanks,
Adrian.
* Re: SSL Certificate signing problem
From: Kevin J. Cummings @ 2004-10-10 0:20 UTC
To: Adrian C.; +Cc: linux-admin
Adrian C. wrote:
> Hello. I'm trying to set up a simple failover between 2 gateways on kernel 2.6.2
> Here it goes.
> just one interface for everything: eth0
> route add default gw 192.168.1.1
> route add default gw 192.168.2.1
>
> Let's say I ping gmail.com and I kill the 192.168.1.1 machine. ping
> stops for about 2 minutes then the next gateway is used and the ping
> comes back to life. The only problem here is that it forgets to NAT my
> clients via the new gway. At least that's my only explanation why it
> stops NATting. Masquerading is done without a -d so destination is
> any. What can be done here?
> Also please let me know the files in which I should modify fallback
> timeout for routes. I need a route check every 10 seconds or so.
> One more thing, if 192.168.1.1 comes back to life I would like it to
> become the preferred gateway no matter if 192.168.1.2 is alive and
> used by kernel. Is this solved by metrics?
I thought that this is what Metrics were supposed to do. If you
*prefer* the .1.1 route, assign it a better Metric than the .2.1 route.
Then, when the .1.1 route goes down, the packets should be immediately
re-routed to the .2.1 interface, and when the .1.1 comes back up, the
first route should work again. That's *my* understanding of how Metrics
are supposed to work.
I'm not an expert, and I'm not sure about what happens after a TCP
connection is already established and then an interface fails (or
restores) whether *that* connection will continue to use the previous
routing or not.
--
Kevin J. Cummings
kjchome@rcn.com
cummings@kjchome.homeip.net
cummings@kjc386.framingham.ma.us
* Re: SSL Certificate signing problem
From: Adrian C. @ 2004-10-10 0:24 UTC
To: Kevin J. Cummings; +Cc: linux-admin
If I assign metric 1 to 1st gway and 2 to 2nd it never falls back from
gateway with best metric. Even if it goes down it still sticks to it.
Something is terribly wrong. I am running Slackware 10.
* Re: SSL Certificate signing problem
From: Kevin J. Cummings @ 2004-10-10 1:07 UTC
To: Adrian C.; +Cc: linux-admin
Adrian C. wrote:
> If I assign metric 1 to 1st gway and 2 to 2nd it never falls back from
> gateway with best metric. Even if it goes down it still sticks to it.
> Something is terribly wrong. I am running Slackware 10.
I just went back and re-read what "Unix Networking" and "Linux Network
Administrator's Guide" have to say about Metrics and I'm wrong.
They apply to Routing daemons (like RIP and gated) and help pick the
"fastest" gateways (apparently, the metric is supposed to indicate a
number of "hops" from here to there....)
However, what if you create a process which does nothing else but check
the status of interface 1. Set up a default route through interface 1
with a default metric (of say "2"). When the interface goes down, have
the process "bring up" the second route by adding it to the routing
table with a metric of "1". Now the second interface is the "cheapest".
Your process should now continue to monitor the state of interface 1,
and when it comes back up, you need to figure out how to "dismantle"
the second interface. It could be just as simple as swapping the metrics
so that interface 1 is now the "fastest" route.
Like I said before, I'm not a networking expert, and I don't understand
all the dependencies of already open connections over the various
routes, but it seems like a pretty simple way to do things. OTOH, isn't
this essentially what RIP and gated would do for you? I notice that
Fedora Core 2 has a "routed" package. Perhaps that has replaced
RIP/gated in today's world (my documentation is 10-14 years old)?
Disclaimer: I don't use RIP or gated (anymore); I have a single default
interface (cable modem). The last I tried to use RIP/gated, I was on a
corporate network over a 9600 baud modem, and the "RIP storms"
eventually consumed the entire bandwidth of the modem rendering the
connection unusable.
--
Kevin J. Cummings
kjchome@rcn.com
cummings@kjchome.homeip.net
cummings@kjc386.framingham.ma.us
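The monitoring process described above, as an added example that is not part of the original post and is not the script Adrian later wrote: it replaces the default route outright rather than swapping metrics. The gateway addresses and the 10-second interval come from the thread; the ICMP probe, the `FAILS_NEEDED` threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Adrian's script: a watchdog that moves the default
# route between two gateways. Run as root with the argument "run".
PRIMARY=192.168.1.1    # preferred gateway (address from the thread)
BACKUP=192.168.2.1     # fallback gateway (address from the thread)
INTERVAL=10            # seconds between checks, as asked for in the thread
FAILS_NEEDED=3         # assumption: consecutive misses before failing over

# probe GW: succeed if GW answers one ping within 2 seconds.
probe() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

# set_default GW: point the default route at GW.
set_default() { ip route replace default via "$1"; }

# next_state CUR FAILS: print "GW FAILS" to use for the next round.
next_state() {
    cur=$1 misses=$(($2 + 1))
    if probe "$PRIMARY"; then
        echo "$PRIMARY 0"            # primary answers: always prefer it
    elif [ "$cur" = "$PRIMARY" ] && [ "$misses" -lt "$FAILS_NEEDED" ]; then
        echo "$PRIMARY $misses"      # tolerate a short run of lost pings
    elif probe "$BACKUP"; then
        echo "$BACKUP 0"             # primary is down, backup answers
    else
        echo "$cur $misses"          # both down: leave the route alone
    fi
}

# Main loop: apply a route change only when the chosen gateway changes.
watch_gateways() {
    current=$PRIMARY fails=0
    set_default "$current"
    while :; do
        set -- $(next_state "$current" "$fails")
        if [ "$1" != "$current" ]; then
            set_default "$1"
            logger "default route moved from $current to $1"
        fi
        current=$1 fails=$2
        sleep "$INTERVAL"
    done
}

if [ "${1:-}" = "run" ]; then watch_gateways; fi
```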
* Re: SSL Certificate signing problem
From: Adrian C. @ 2004-10-10 7:55 UTC
To: Kevin J. Cummings; +Cc: linux-admin
One more thing, if I try load-balancing with ip route, will it know
to failover if one of the routes fails?
* Re: SSL Certificate signing problem
From: Adrian C. @ 2004-10-11 5:35 UTC
To: linux-admin
Problem solved. I have written a looong script ;)