  #1 (permalink)  
Old 06-19-2011, 01:42 AM
Elite Member
 
Posts: 296
[SOLVED] c_rehash and openssl difference

I am in this case, for anyone who is interested:
Code:
http://bugzilla.zimbra.com/show_bug.cgi?id=45048#c31
I'd like to get the x509 hash of ldap_master_ca_2048.pem, and I notice that c_rehash and

Code:
openssl x509 -hash -noout -in cert.pem
give different hashes, as below:

Code:
# /opt/zimbra/conf # cp -a ca /root/
# cd /root/ca
# /opt/zimbra/openssl-1.0.0d/bin/c_rehash .
Doing .
commercial_ca_1.pem => 578d5c04.0
ldap_master_ca_2048.pem => 2c543cd1.0
WARNING: Skipping duplicate certificate commercial_ca.pem
ca.pem => 3a1412e5.0

~/ca # ls -la
total 32
drwxr-xr-x  2 zimbra zimbra 4096 Jun 19 10:10 .
drwxr-x--- 10 root   root   4096 Jun 19 10:09 ..
lrwxrwxrwx  1 root   root     23 Jun 19 10:10 2c543cd1.0 -> ldap_master_ca_2048.pem
lrwxrwxrwx  1 root   root      6 Jun 19 10:10 3a1412e5.0 -> ca.pem
lrwxrwxrwx  1 root   root     19 Jun 19 10:10 578d5c04.0 -> commercial_ca_1.pem
-rw-r-----  1 zimbra zimbra  891 Apr  3 12:16 ca.key
-rw-r-----  1 zimbra zimbra  960 Apr  3 12:16 ca.pem
-rw-r--r--  1 zimbra zimbra 1143 Apr  3 12:16 commercial_ca_1.pem
-rw-r--r--  1 zimbra zimbra 1143 Apr  3 12:16 commercial_ca.pem
-rw-r--r--  1 zimbra zimbra 2607 Jun 19 10:05 ldap_master_ca_2048.pem
but using openssl:
Code:
 ~/ca # openssl x509 -hash -noout -in ldap_master_ca_2048.pem
7999be0d
What am I missing?
Why do the calculated hashes differ?
Which one is right: 7999be0d or 2c543cd1?
  #2 (permalink)  
Old 06-19-2011, 05:39 AM
Elite Member
 
Posts: 296

I see that when a CA is deployed, Zimbra uses c_rehash;
so I will use that, but nevertheless it is interesting to understand why they are different.
  #3 (permalink)  
Old 06-19-2011, 01:02 PM
Elite Member
 
Posts: 296
Thumbs up

Thanks to Quanah; as he pointed out here: Bug 45048 – LDAP replication fails with self-signed certificates and different certificate authorities

c_rehash and ln -s -f should be run as the zimbra user:

Code:
# su - zimbra
$ cd conf/ca
$ c_rehash .
or, using /opt/zimbra/conf/ca/master.ca.pem example:

Code:
# su - zimbra
$ cd conf/ca
$ ln -f -s /opt/zimbra/conf/ca/master.ca.pem \
                          `openssl x509 -hash -noout  \
                           -in /opt/zimbra/conf/ca/master.ca.pem `.0
will lead to the same result.
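A consistency check for the situation in this thread, as an added example that is not part of the original posts or of Zimbra's tooling: it recomputes each certificate's hash with a chosen OpenSSL binary and reports hash links that this build would not look up. OpenSSL 1.0.0 changed the subject-hash algorithm (the earlier value is still available through `-subject_hash_old`), so two builds on one host can name the same certificate differently. The function name `check_ca_dir`, its output labels and the binary path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not Zimbra's or OpenSSL's code): audit a hashed CA directory
# against the OpenSSL build that will actually read it.
# Usage: check_ca_dir DIR [OPENSSL_BIN]   (OPENSSL_BIN defaults to PATH lookup)

check_ca_dir() {
    dir=$1
    ossl=${2:-openssl}
    rc=0

    # Pass 1: each <hash>.N symlink must carry the hash this build computes.
    for link in "$dir"/*.[0-9]; do
        if [ ! -L "$link" ]; then continue; fi
        name=${link##*/}
        if [ ! -e "$link" ]; then
            echo "DANGLING $name"; rc=1; continue
        fi
        got=$("$ossl" x509 -hash -noout -in "$link" 2>/dev/null) || got=unreadable
        if [ "$got" = "${name%.*}" ]; then
            echo "OK $name"
        else
            echo "STALE $name computed=$got"; rc=1
        fi
    done

    # Pass 2: each certificate must be reachable through a link named after
    # its hash. Byte-identical copies count as linked (c_rehash skips them).
    for pem in "$dir"/*.pem; do
        if [ -L "$pem" ] || [ ! -f "$pem" ]; then continue; fi
        # Files that are not certificates (e.g. a key) are skipped.
        h=$("$ossl" x509 -hash -noout -in "$pem" 2>/dev/null) || continue
        found=no
        for cand in "$dir/$h".[0-9]; do
            if [ -e "$cand" ] && cmp -s "$cand" "$pem"; then found=yes; fi
        done
        if [ "$found" = no ]; then
            echo "UNLINKED ${pem##*/} needs=$h.N"; rc=1
        fi
    done
    return "$rc"
}

# Run only when a directory is given, e.g. (binary path assumed from the
# c_rehash location shown in post #1):
#   sh check_ca.sh /opt/zimbra/conf/ca /opt/zimbra/openssl-1.0.0d/bin/openssl
if [ "$#" -ge 1 ]; then
    check_ca_dir "$@"
fi
```

Running it once with each OpenSSL binary present on the host shows which build the existing links were generated for.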
  #4 (permalink)  
Old 06-19-2011, 05:47 PM
Zimbra Employee
 
Posts: 55

Redeploying the commercial certificate on the master generated two hashes,
for the commercial_ca.pem and commercial_ca_2.pem files.
Copying those two files over to the replica and recreating the hash on them using openssl fixed this problem.
  #5 (permalink)  
Old 06-19-2011, 11:46 PM
Elite Member
 
Posts: 296

Now I have on master:

Code:
ls -la /opt/zimbra/conf/ca
total 20
drwxr-xr-x   2 zimbra zimbra 4096 Jun 20 01:46 .
drwxrwxr-x  10 zimbra zimbra 4096 Jun 19 23:54 ..
lrwxrwxrwx   1 root   root     17 Jun 19 23:50 2c543cd1.0 -> commercial_ca.pem
-rw-r-----   1 zimbra zimbra 1216 Jun 19 23:50 commercial_ca_1.pem
-rw-r-----   1 zimbra zimbra 1391 Jun 19 23:50 commercial_ca_2.pem
-rw-r-----   1 zimbra zimbra 2607 Jun 19 23:50 commercial_ca.pem
lrwxrwxrwx   1 root   root     19 Jun 19 23:50 f131b364.0 -> commercial_ca_2.pem
on the first replica:
Code:
 ~/conf/ca $ ls -la
total 16
drwxr-xr-x  2 zimbra zimbra 4096 Jun 20 08:21 .
drwxrwxr-x 10 zimbra zimbra 4096 Jun 20 02:06 ..
lrwxrwxrwx  1 zimbra zimbra   17 Jun 20 02:14 2c543cd1.0 -> commercial_ca.pem
-rw-r-----  1 zimbra zimbra 2607 Jun 20 02:13 commercial_ca.pem
-rw-r-----  1 zimbra zimbra 1391 Jun 20 02:02 commercial_ca_2.pem
lrwxrwxrwx  1 zimbra zimbra   19 Jun 20 02:04 f131b364.0 -> commercial_ca_2.pem
on the second replica:
Code:
# ls -la /opt/zimbra/conf/ca
total 16
drwxr-xr-x 2 zimbra zimbra 4096 Jun 20 02:40 .
drwxrwxr-x 9 zimbra zimbra 4096 Jun 19 21:28 ..
lrwxrwxrwx 1 zimbra zimbra   17 Jun 20 02:37 2c543cd1.0 -> commercial_ca.pem
-rw-r----- 1 zimbra zimbra 1391 Jun 20 02:39 commercial_ca_2.pem
-rw-r----- 1 zimbra zimbra 2607 Jun 20 02:36 commercial_ca.pem
lrwxrwxrwx 1 zimbra zimbra   19 Jun 20 02:40 f131b364.0 -> commercial_ca_2.pem
As far as I can see, these 3 files on master are not needed and must be deleted:
Code:
ca.pem 
ca.key
ln -f -s /opt/zimbra/conf/ca/master.ca.pem \
                          `openssl x509 -hash -noout  \
                           -in /opt/zimbra/conf/ca/master.ca.pem `.0
Maybe they are needed by the self-signed CA.