Bug 45763 - No openssl.cnf defined by default causes OpenSSL commands to fail
Status: RESOLVED LATER
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Runtime Config
Version: 2.2.9
Hardware: PC Windows XP
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: MassUpdate
Reported: 2008-09-08 05:54 UTC by Steve
Modified: 2018-11-07 21:09 UTC

Description Steve 2008-09-08 05:54:34 UTC
My PATH includes %APACHE2_HOME%\bin
The OpenSSL version displayed is: 0.9.8h

Trying to run the following command:
OpenSSL> req -inform DER  -outform DER -out C:\CSR.der -pubkey -new -newkey rsa:1024 -verbose

I get this:
Unable to load config info from /usr/local/ssl/openssl.cnf
error in req

Indeed, it seems that by default no openssl.cnf is created when installing Apache 2.2.9 on Windows; I only see C:\ApacheGroup\Apache2.2\bin\openssl.exe

(By the way, why is the path a Unix-style one, /usr/local/, and not a Windows-style one?)

See the related issue at http://rt.openssl.org/Ticket/Display.html?id=1187
and one sample cfg file at http://www.neilstuff.com/apache/apache2-ssl-windows.htm

See http://www.openssl.org/docs/apps/req.html
-config filename
    this allows an alternative configuration file to be specified, this overrides the compile time filename or any specified in the OPENSSL_CONF environment variable.


I have seen C:\ApacheGroup\Apache2.2\conf\openssl.cnf, so I tried:

OpenSSL> req -inform DER  -outform DER -out C:\CSR.der -pubkey -new -newkey rsa:1024 -verbose -config C:\ApacheGroup\Apache2.2\conf\openssl.cnf

Using configuration from C:\ApacheGroup\Apache2.2\conf\openssl.cnf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..............++++++
...................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:

So the Apache doc should mention where to find openssl.cnf and how to use the variable OPENSSL_CONF, or better, configure OpenSSL and Apache in such a way that the req command runs fine at first try.
Comment 1 Gregg L. Smith 2009-08-31 12:09:02 UTC
Wow, this is one year old next week. I can answer this one in two parts for you.

1. This is a simple fix as you point out, but it has to be done at compile time and therefore is *set in stone*, which leads to #2

2. The .msi installer from Apache.org allows you to put Apache anywhere your heart desires (last time I gave it a try), or just accept its default. For most the default is fine, but I'd imagine, like me, people get tired of the super long path when working with configuration files and over time have come to put Apache in another place. Well, the developers cannot read your, mine or everyone else's mind to know exactly where that file is going to land on the file system once installed, thus the problem.

If they compile OpenSSL to look in C:/Program Files/Apache Software Foundation/Apache2.2/conf (which wouldn't be a bad idea) but you install Apache in C:/Apache2.2, you are right back to the same problem again.

As far as /usr/local/ssl/, that is where the OpenSSL people decided was the default location; if not changed during compile, that is where it looks.

Both of these software packages are first and foremost Unix, that is where it all started. Over time they have been ported to Windows, so most likely that is why the default path is just that, a unix path.
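
Added example, not part of the original thread and not httpd or OpenSSL code: a Python sketch of the lookup order discussed in the description and Comment 1, which reports which openssl.cnf `req` will try to load and, when that file is missing, points OPENSSL_CONF at the copy installed beside the binary. The function names are hypothetical, and the bin/conf layout is assumed from the paths in the report.

```python
import os
import re
import shutil
import subprocess
from pathlib import Path

def compiled_openssldir(version_d_output):
    """Parse the compile-time directory from `openssl version -d` output."""
    m = re.search(r'OPENSSLDIR:\s*"([^"]*)"', version_d_output)
    return m.group(1) if m else None

def resolve_config(cli_config, env, openssldir):
    """Return (path, source) of the config file `req` will try to load.

    Order follows the req documentation quoted in the report: -config
    overrides OPENSSL_CONF, which overrides the compile-time filename.
    """
    if cli_config:
        return cli_config, "-config"
    if env.get("OPENSSL_CONF"):
        return env["OPENSSL_CONF"], "OPENSSL_CONF"
    if openssldir:
        return openssldir.rstrip("/\\") + "/openssl.cnf", "compile-time"
    return None, "none"

def env_with_config(openssl_exe, env, openssldir):
    """Return a copy of env under which `req` finds a config that exists.

    Assumed layout (from the report): <install>/bin/openssl.exe sits
    beside <install>/conf/openssl.cnf, wherever <install> ended up.
    """
    env = dict(env)
    path, _ = resolve_config(None, env, openssldir)
    if path and Path(path).is_file():
        return env  # the inherited choice already works; leave it alone
    candidate = Path(openssl_exe).resolve().parent.parent / "conf" / "openssl.cnf"
    if not candidate.is_file():
        raise FileNotFoundError(f"no openssl.cnf at {path!r} or {candidate}")
    env["OPENSSL_CONF"] = str(candidate)
    return env

if __name__ == "__main__":
    exe = shutil.which("openssl")
    if exe:  # show what the locally installed binary would load
        out = subprocess.run([exe, "version", "-d"],
                             capture_output=True, text=True).stdout
        print(resolve_config(None, os.environ, compiled_openssldir(out)))
```

Passing the returned mapping as `env=` to `subprocess.run` keeps the override scoped to that one openssl invocation instead of changing the machine-wide environment.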
Comment 2 William A. Rowe Jr. 2018-11-07 21:09:05 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.