Thread: [SOLVED] c_rehash and openssl difference

  1. #1
    maumar is offline Elite Member

    [SOLVED] c_rehash and openssl difference

    I am in this case, for those interested:
    Code:
    http://bugzilla.zimbra.com/show_bug.cgi?id=45048#c31
    I'd like to get the x509 hash of ldap_master_ca_2048.pem, and I notice that using c_rehash and

    Code:
    openssl x509 -hash -noout -in cert.pem
    give different hashes, as below:

    Code:
    # /opt/zimbra/conf # cp -a ca /root/
    # cd /root/ca
    # /opt/zimbra/openssl-1.0.0d/bin/c_rehash .
    Doing .
    commercial_ca_1.pem => 578d5c04.0
    ldap_master_ca_2048.pem => 2c543cd1.0
    WARNING: Skipping duplicate certificate commercial_ca.pem
    ca.pem => 3a1412e5.0
    
    ~/ca # ls -la
    total 32
    drwxr-xr-x  2 zimbra zimbra 4096 Jun 19 10:10 .
    drwxr-x--- 10 root   root   4096 Jun 19 10:09 ..
    lrwxrwxrwx  1 root   root     23 Jun 19 10:10 2c543cd1.0 -> ldap_master_ca_2048.pem
    lrwxrwxrwx  1 root   root      6 Jun 19 10:10 3a1412e5.0 -> ca.pem
    lrwxrwxrwx  1 root   root     19 Jun 19 10:10 578d5c04.0 -> commercial_ca_1.pem
    -rw-r-----  1 zimbra zimbra  891 Apr  3 12:16 ca.key
    -rw-r-----  1 zimbra zimbra  960 Apr  3 12:16 ca.pem
    -rw-r--r--  1 zimbra zimbra 1143 Apr  3 12:16 commercial_ca_1.pem
    -rw-r--r--  1 zimbra zimbra 1143 Apr  3 12:16 commercial_ca.pem
    -rw-r--r--  1 zimbra zimbra 2607 Jun 19 10:05 ldap_master_ca_2048.pem
    but using openssl:
    Code:
     ~/ca # openssl x509 -hash -noout -in ldap_master_ca_2048.pem
    7999be0d
    What am I missing?
    Why do the calculated hashes differ?
    Which one is right: 7999be0d or 2c543cd1?

  2. #2
    maumar is offline Elite Member

    I see that when a CA is deployed, Zimbra uses c_rehash;
    so I will use that, but it is nevertheless interesting to understand why they are different.

  3. #3
    maumar is offline Elite Member

    Thanks to Quanah; as he pointed out here: Bug 45048 – LDAP replication fails with self-signed certificates and different certificate authorities

    c_rehash and ln -s -f should be run as the zimbra user:

    Code:
    # su - zimbra
    $ cd conf/ca
    $ c_rehash .
    or, using /opt/zimbra/conf/ca/master.ca.pem as an example:

    Code:
    # su - zimbra
    $ cd conf/ca
    $ ln -f -s /opt/zimbra/conf/ca/master.ca.pem \
                              `openssl x509 -hash -noout  \
                               -in /opt/zimbra/conf/ca/master.ca.pem `.0
    will lead to the same result.
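
The link name only helps if it is the hash computed by the same OpenSSL build that will read the directory (the subject-hash algorithm changed in OpenSSL 1.0.0, so two builds can disagree on the same certificate). The check below is an added example, not part of the original posts or of Zimbra: it recomputes the hash of every `<hash>.<n>` link target with a chosen openssl binary and reports links that do not match or point nowhere. The function name `check_ca_links` and its output format are hypothetical.

```shell
#!/bin/sh
# check_ca_links DIR [OPENSSL]
#   DIR      hashed CA directory, e.g. /opt/zimbra/conf/ca
#   OPENSSL  openssl command to verify against (default: first one in PATH);
#            assumption: pass the binary shipped next to the c_rehash in use
# Prints one line per <hash>.<n> symlink and returns non-zero if any link is
# dangling or named with a hash this openssl does not compute.
check_ca_links() {
    dir=$1
    ossl=${2:-openssl}
    bad=0
    # c_rehash link names are 8 hex digits, a dot, and a sequence number
    for link in "$dir"/????????.[0-9]*; do
        [ -L "$link" ] || continue          # skip non-links and an unmatched glob
        name=$(basename "$link")
        want=${name%.*}                     # hash encoded in the link name
        if [ ! -e "$link" ]; then           # target file is missing
            echo "DANGLING $name -> $(readlink "$link")"
            bad=$((bad + 1))
            continue
        fi
        # same command the thread uses to name the link by hand
        got=$("$ossl" x509 -hash -noout -in "$link" 2>/dev/null) || got=unreadable
        if [ "$got" = "$want" ]; then
            echo "OK       $name -> $(readlink "$link")"
        else
            echo "MISMATCH $name -> $(readlink "$link") (this openssl computes $got)"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}
```

Running it once with the bare `openssl` from root's PATH and once with the openssl that sits beside the `c_rehash` in use shows directly whether the two builds disagree on a given CA file.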

  4. #4
    Ramadan Mansoura is offline Former Zimbran

    Redeploying the commercial certificate on the master generated two hashes,
    for the commercial_ca.pem and commercial_ca_2.pem files.
    Copying those two files over to the replica and recreating the hash on them using openssl fixed this problem.

  5. #5
    maumar is offline Elite Member

    Now I have on master:

    Code:
    ls -la /opt/zimbra/conf/ca
    total 20
    drwxr-xr-x   2 zimbra zimbra 4096 Jun 20 01:46 .
    drwxrwxr-x  10 zimbra zimbra 4096 Jun 19 23:54 ..
    lrwxrwxrwx   1 root   root     17 Jun 19 23:50 2c543cd1.0 -> commercial_ca.pem
    -rw-r-----   1 zimbra zimbra 1216 Jun 19 23:50 commercial_ca_1.pem
    -rw-r-----   1 zimbra zimbra 1391 Jun 19 23:50 commercial_ca_2.pem
    -rw-r-----   1 zimbra zimbra 2607 Jun 19 23:50 commercial_ca.pem
    lrwxrwxrwx   1 root   root     19 Jun 19 23:50 f131b364.0 -> commercial_ca_2.pem
    On the first replica:
    Code:
     ~/conf/ca $ ls -la
    total 16
    drwxr-xr-x  2 zimbra zimbra 4096 Jun 20 08:21 .
    drwxrwxr-x 10 zimbra zimbra 4096 Jun 20 02:06 ..
    lrwxrwxrwx  1 zimbra zimbra   17 Jun 20 02:14 2c543cd1.0 -> commercial_ca.pem
    -rw-r-----  1 zimbra zimbra 2607 Jun 20 02:13 commercial_ca.pem
    -rw-r-----  1 zimbra zimbra 1391 Jun 20 02:02 commercial_ca_2.pem
    lrwxrwxrwx  1 zimbra zimbra   19 Jun 20 02:04 f131b364.0 -> commercial_ca_2.pem
    On the second replica:
    Code:
    # ls -la /opt/zimbra/conf/ca
    total 16
    drwxr-xr-x 2 zimbra zimbra 4096 Jun 20 02:40 .
    drwxrwxr-x 9 zimbra zimbra 4096 Jun 19 21:28 ..
    lrwxrwxrwx 1 zimbra zimbra   17 Jun 20 02:37 2c543cd1.0 -> commercial_ca.pem
    -rw-r----- 1 zimbra zimbra 1391 Jun 20 02:39 commercial_ca_2.pem
    -rw-r----- 1 zimbra zimbra 2607 Jun 20 02:36 commercial_ca.pem
    lrwxrwxrwx 1 zimbra zimbra   19 Jun 20 02:40 f131b364.0 -> commercial_ca_2.pem
    As far as I can see, these 3 files on master are not needed and must be deleted:
    Code:
    ca.pem 
    ca.key
    ln -f -s /opt/zimbra/conf/ca/master.ca.pem \
                              `openssl x509 -hash -noout  \
                               -in /opt/zimbra/conf/ca/master.ca.pem `.0
    Maybe they are needed by the self-signed CA.
