They Never Use SSL?

March 25, 2010

OS X Server just makes me want to smoke crack sometimes. Dealing with SSL certs is one of those cases. At first, everything is peachy:

  • Create your self-signed cert in Server Admin, sans passphrase
  • Have it signed by a Certificate Authority
  • Import the signed cert, verify that all works.

Great. Now you want to install Rumpus and the WFM and use SSL for that too. First, let’s try to just paste the PEM file:

# cat /etc/certificates/mycert.key.pem
-----BEGIN RSA PRIVATE KEY-----
<OUTPUT REMOVED FOR BREVITY>
-----END RSA PRIVATE KEY-----

Paste that into stunnel… and:

Mar 25 18:50:17 mail [0x0-0x24024].com.maxum.rumpus[3144]: 2010.03.25 18:50:17 LOG3[3704:2694202624]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
Mar 25 18:50:17 mail [0x0-0x24024].com.maxum.rumpus[3144]: 2010.03.25 18:50:17 LOG3[3704:2694202624]: error stack: 906A068 : error:0906A068:PEM routines:PEM_do_header:bad password read
Mar 25 18:50:17 mail [0x0-0x24024].com.maxum.rumpus[3144]: 2010.03.25 18:50:17 LOG3[3704:2694202624]: SSL_CTX_use_RSAPrivateKey_file: 906406D: error:0906406D:PEM routines:DEF_CALLBACK:problems getting password

Yeww. Hmm. Looks like I have to strip the passphrase. Weird, I didn’t give one, but… mmkay, no biggie:

# openssl rsa -in /etc/certificates/mycert.key.pem -out mykey.nopass.key
Enter pass phrase for /etc/certificates/mycert.key.pem:<enter>
3808:error:28069065:lib(40):UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-30/src/crypto/ui/ui_lib.c:850:You must type in 4 to 1023 characters
Enter pass phrase for /etc/certificates/mycert.key.pem:<enter>
3808:error:28069065:lib(40):UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-30/src/crypto/ui/ui_lib.c:850:You must type in 4 to 1023 characters
Enter pass phrase for /etc/certificates/mycert.key.pem:<enter>
3808:error:28069065:lib(40):UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-30/src/crypto/ui/ui_lib.c:850:You must type in 4 to 1023 characters

Well, like I said - THERE IS NO PASSPHRASE!!!

Wait, 10.6 put something in the System Keychain… ah, there it is. Maybe I should export the key from there. Launch KA, select the key, File > Export, and:

Wtf? No, wait, “it was a bug, Dave”. Keychain Access doesn’t have permissions to export anything from the System keychain. Ah, yes, I remember now:

$ sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access

… export the key, and… ah, thank you!

Ok, that was weird… But wait a minute - this is PKCS#12 (.p12) format, I can’t use this! Back to Terminal:

$ openssl pkcs12 -in mycert.p12 -out mycert.pem -nodes
Enter Import Password:<enter>
MAC verified OK

And finally I have something to use with Rumpus.
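As an added example (not the post's own commands), a small POSIX shell helper that tells whether a PEM key is passphrase-protected, which is the condition behind stunnel's "bad password read", and wraps the .p12 conversion so the unencrypted -nodes output is not left readable by other users. The file names are hypothetical and the sample PEM text is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is on PATH;
# file names are hypothetical.

# Return 0 if the PEM text on stdin is a passphrase-protected private key.
# Legacy PKCS#1 keys mark this with a "Proc-Type: 4,ENCRYPTED" header;
# PKCS#8 keys use the "BEGIN ENCRYPTED PRIVATE KEY" armour instead.
pem_key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----'
}

# Print "encrypted" or "plain" for a key file, so the state is explicit
# before the file is handed to stunnel.
classify_key_file() {
    if pem_key_is_encrypted < "$1"; then echo encrypted; else echo plain; fi
}

# Convert a Keychain Access .p12 export to a PEM key + cert that stunnel can
# load without a passphrase. -nodes writes the key unencrypted, so the output
# is created owner-only and the function refuses to return success if the
# result still carries an encryption header.
p12_to_stunnel_pem() {
    p12="$1"; out="$2"
    umask 077
    openssl pkcs12 -in "$p12" -out "$out" -nodes || return 1
    chmod 600 "$out"
    ! pem_key_is_encrypted < "$out"
}

# Constructed samples (truncated, not real keys): one with the encryption
# marker Server Admin's exported key would carry, one without.
SAMPLE_ENCRYPTED='-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF
...
-----END RSA PRIVATE KEY-----'
SAMPLE_PLAIN='-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----'

# Run the header check on the constructed samples (no openssl needed here).
printf '%s\n' "$SAMPLE_ENCRYPTED" | pem_key_is_encrypted && echo "sample 1: encrypted"
printf '%s\n' "$SAMPLE_PLAIN" | pem_key_is_encrypted || echo "sample 2: plain"

# With real files: p12_to_stunnel_pem mycert.p12 mycert.pem
```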

If 10.6 Server is “simpler than ever” then I can’t wait for 10.7! How the hell is a “typical” OS X Server admin (a graphic designer who shares his time between the Wacom and the server closet) supposed to know all this crap? This is exactly the kind of setup a typical design firm would run - 10.6 for collaboration, file sharing and backup, and Rumpus for client access.

… I guess they just never use SSL.