Bug 45763 - No openssl.cnf defined by default causes OpenSSL commands to fail
Status: NEW
Product: Apache httpd-2
Classification: Unclassified
Component: Runtime Config
Version: 2.2.9
Hardware: PC Windows XP
Importance: P2 normal
Assigned To: Apache HTTPD Bugs Mailing List
Reported: 2008-09-08 05:54 UTC by Steve
Modified: 2009-08-31 12:09 UTC (History)
Description Steve 2008-09-08 05:54:34 UTC
My PATH includes %APACHE2_HOME%\bin.
The OpenSSL version displayed is: 0.9.8h

Trying to run the command below:
OpenSSL> req -inform DER  -outform DER -out C:\CSR.der -pubkey -new -newkey rsa:1024 -verbose

I get this :
Unable to load config info from /usr/local/ssl/openssl.cnf
error in req

Indeed, it seems that by default no openssl.cnf is created when installing Apache 2.2.9 on Windows; I only see C:\ApacheGroup\Apache2.2\bin\openssl.exe

(By the way, why is the path a Unix-style one, /usr/local/, and not a Windows-style one?)

See the related issue at http://rt.openssl.org/Ticket/Display.html?id=1187
and one sample cfg file at http://www.neilstuff.com/apache/apache2-ssl-windows.htm

See http://www.openssl.org/docs/apps/req.html
-config filename
    this allows an alternative configuration file to be specified, this overrides the compile time filename or any specified in the OPENSSL_CONF environment variable.


I have seen C:\ApacheGroup\Apache2.2\conf\openssl.cnf, so I tried:

OpenSSL> req -inform DER  -outform DER -out C:\CSR.der -pubkey -new -newkey rsa:1024 -verbose -config C:\ApacheGroup\Apache2.2\conf\openssl.cnf

Using configuration from C:\ApacheGroup\Apache2.2\conf\openssl.cnf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..............++++++
...................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:

So the Apache doc should mention where to find openssl.cnf and how to use the variable OPENSSL_CONF, or better, configure OpenSSL and Apache in such a way that the req command runs fine at first try.
Comment 1 Gregg L. Smith 2009-08-31 12:09:02 UTC
Wow, this is one year old next week. I can answer this one in two parts for you.

1. This is a simple fix as you point out, but it has to be done at compile time and therefore is *set in stone*, which leads to #2

2. The .msi installer from Apache.org allows you to put Apache anywhere your heart desires (last time I gave it a try), or just accept its default. For most the default is fine, but I'd imagine, like me, people get tired of the super long path when working with configuration files and over time have come to put Apache in another place. Well, the developers cannot read your, mine or everyone else's mind to know exactly where that file is going to land on the file system once installed, thus the problem.

If they compile OpenSSL to look in C:/Program Files/Apache Software Foundation/Apache2.2/conf (which wouldn't be a bad idea) but you install Apache in C:/Apache2.2, you are right back to the same problem again.

As far as /usr/local/ssl/, that is where the OpenSSL people decided was the default location; if not changed during compile, that is where it looks.

Both of these software packages are first and foremost Unix, that is where it all started. Over time they have been ported to Windows, so most likely that is why the default path is just that, a Unix path.
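
Added example (not part of the bug report or of either commenter's text): a PowerShell sketch of the OPENSSL_CONF workaround discussed above, resolving openssl.cnf relative to wherever openssl.exe was installed instead of relying on the compiled-in path. The function name Resolve-ApacheOpenSslConf is hypothetical, and the layout <ApacheRoot>\bin\openssl.exe with <ApacheRoot>\conf\openssl.cnf is assumed from the paths in the report.

```powershell
# Added example, not Apache or OpenSSL project code.
# Assumption: openssl.exe lives in <ApacheRoot>\bin and openssl.cnf in
# <ApacheRoot>\conf, as in the report (C:\ApacheGroup\Apache2.2\...).

function Resolve-ApacheOpenSslConf {
    param(
        # Full path to openssl.exe; defaults to the first one found on PATH.
        [string]$OpenSslExe = (Get-Command openssl.exe -CommandType Application -ErrorAction Stop |
                               Select-Object -First 1).Path
    )

    $binDir = Split-Path -Parent $OpenSslExe    # <ApacheRoot>\bin
    $root   = Split-Path -Parent $binDir        # <ApacheRoot>
    $conf   = Join-Path $root 'conf\openssl.cnf'

    # Fail with a clear message instead of letting openssl fall back to
    # the compiled-in /usr/local/ssl/openssl.cnf.
    if (-not (Test-Path -LiteralPath $conf -PathType Leaf)) {
        throw "No openssl.cnf found at '$conf'. Pass -config explicitly or set OPENSSL_CONF by hand."
    }
    return (Resolve-Path -LiteralPath $conf).Path
}

# Show the directory compiled into this build (OPENSSLDIR), which is where
# the /usr/local/ssl path in the error message comes from.
& openssl.exe version -d

# Set OPENSSL_CONF for this session only; processes started from this
# shell inherit it, so no -config argument is needed afterwards.
$env:OPENSSL_CONF = Resolve-ApacheOpenSslConf
Write-Host "OPENSSL_CONF = $env:OPENSSL_CONF"

# Optional: persist the setting for the current user across sessions.
# [Environment]::SetEnvironmentVariable('OPENSSL_CONF', $env:OPENSSL_CONF, 'User')

# A CSR request like the one in the report now finds its configuration.
# The output path is the one from the report; rsa:2048 is used here where
# the report used rsa:1024.
& openssl.exe req -new -newkey rsa:2048 -outform DER -out C:\CSR.der -verbose
```

Per the req documentation quoted in the description, a -config argument on the command line still overrides OPENSSL_CONF.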