I can't seem to figure out how to change the Apache user and group that gets used by OpenCA   
I found there's a file OPENCA_ROOT/etc/openca_start which does set %AUTOCONF with the values:


openca_start.template has these lines too, but after I make the changes, I have no idea how to get OpenCA to become "aware" of the changes. I did read in OPENCA_ROOT/etc/config.xml that OPENCA_ROOT/etc/configure_etc.sh is actually  meant to cycle through the different template files and refresh the configuration, but I don't quite see this happening when I run the script.

The reason why I wanted to do this, is because I got warnings about this issue when installing openca-common and openca-pub rpms:


But also, when I try to go to the main Certification Authority page on my web server, https://localhost/cgi-bin/ca/ca, I get an error that /var/openca/etc/servers/ca.conf "exists but cannot be read" and the possible explanation on this page is that I should recompile openca with the correct options


I wasn't able to get OpenCA built from source, because certain perl moduels wouldn't compile properly and I decided that the RPMs should solve some of these problems. But, it looks like I'll be running into the same problem anyway.

When I alternately tried to make that file world-readable ( perhaps by the Apache user since I made the conf files are owned by root ), I got a different message from that main Certification Authority script:


First I thought this was an even worse error, but then when reading [1] I happened to see that OpenCA runs as a service and not just as Apache itself. I tried actually starting this service with /etc/init.d/openca , but then I got the error that took me back to the source installation. ( So I think you don't have to include the correct Apache username as a compile option. If you start the service, it will start /var/openca/etc/openca_start and read in AUTOCONF settings )



Basically, the OpenCA::OpenSSL perl module wasn't installed among the others into /var/openca/perl-modules/perl5 , such as from Authen::, CGI::, IO::, LWP::, MIME::, XML::, X500::, Parse::, URI::, Net::, Mail::, Locale::, Convert::, Bundle:: and OpenCA 's OpenCA::AC , ::Configuration, ::REQ, ::PKCS7, ::TRIStateCGI, ::X509, ::Session, ::Tools, ::LDAP, ::CRL, ::DBI, ::Crypto and ::Log. Why would that one be missed?

Well the worst thing is that OpenCA::OpenSSL runs into compilation errors when I try to build from source and when I try to install from CPAN using perl -MCAPN -e shell.
    

It looks like I might be missing OpenSSL::X509. I checked at CPAN [2] and there is such a module, at version 0.7 : Crypt-OpenSSL-X509-0.7.tar.gz. I tried to grab it from CPAN, but this module ran into errors too!!! I hope it's a missing dependency and the flaking isn't caused by a bug. I believe I'm missing some modules, because the prominent error was :


I know that most Modules I get from CPAN have dependencies that get downloaded automagically, so I don't understand why the depends needed here don't come in. I think it could be sloppiness. I saw at [3], the README page for Crypt::OpenSSL::X509, that "blah blah blah" was listed for the dependencies. Maybe this is true in an official capacity too.

I think I may be missing Crypt::OpenSSL::PKCS12 , Crypt::Blowfish, OpenSSL::Random

I got Modules in this order :
Crypt::Blowfish
Crypt::HCE_SHA
Crypt::X509::CRL
Crypt::OpenSSL::RSA
Crypt::OpenSSL::PKCS10

When I get errors about not having something I know I have, I really don't know what to do next. When trying to install Crypt::OpenSSL::PKCS12, I see the message "libcrypto is not installed or not in the default lib path." Well I have libcrypto.so.5 in /lib/. Where is it expected?

It turns out  libcrypto.a, the static library, was missing. I guess it has to be compiled into some of these Perl Modules? I got it with libopenssl-devel-0.9.8e-45.5.i586.rpm . I suppose it makes sense, since I only remember getting OpenSSL by itself. I got these packages with SUSE YaST and I noticed a few others that could be useful, so I got those too:

So after getting these libraries, I tried to start OpenCA and got a different error message. Great, at least the other one is resolved.


This seems like an access permissions issue. Who needs write permissions? Only root has write permissions to this log. Is that enough? I added group write permissions to /var/openca/var/log/xml_cache.log and that removed some of the errors, but not the ones about XML cache not working properly.

I sort of smelled files in  /var/openca/ should be owned by the Apache user, but the errors at the beginning made me think otherwise. So I changed this directory tree to be owned by  the Apache user and now surely enough, OpenCA starts up [4]. I see two processes continuously running  openca_start under the Apache user, so I suppose  this is the service.

Why is the perl ca script crashing?

That's not the end though, because the main script localhost/cgi-bin/ca/ca still doesn't work. I get an "Internal Server Error". This usually usually means there's a bug in the perl script. However, running the script from the command line doesn't cause any trouble ( running as the Apache user of course ). This script is necessary, because it gets run by the Certif Auth index.html page, localhost/openca/ca/index.html. There's an automatic redirect there to localhost/cgi-bin/ca?cmd=getStaticPage&name=index.

By the way, there are many other configuration files here:


Maybe I'll check the output of that perl script verbosely?

Okay, so the query string "cmd=getStaticPage&name=index" gets passed down to ca. I run

I don't get much from the command line:


When I used debug mode, with option -d, I saw that perhaps the code halted somewhere:

Using -w gives


And using  -d -w gives


And the apache error log gives


Malformed header? I wonder if those non XHTML compliant tags are problematic  ( <br> instead of <br /> ) Well, [5] dishes out that the HTTP 500 Error, which I'm getting, specifies that Perl is not outputting the proper Perl header :

Content-type: text/html
<HTML>
<HEAD><TITLE>Output from CGI Script</TITLE></HEAD>

This is not going to be an easy thing to check, because there are so many external modules being used in this script; it may be that this header should be output elsewhere in a perl module I can't see easiliy.

Actually, looking at the ca script, it does print the required header, but not for all possible cases. Hmmm. Okay, I added the proper header, but now the page just says the following without errors.


Actually, looking at the debug output, I still get the same suspicious messages mentioned above.

Hey I forgot, does OpenCA need some Database  access? There are not such complaints, but maybe I should create the database mentioned within config.xml.

Q: Should openCA be running as the OpenCA user or as the Apache user ?

Well I suppose that should be set in one of these conf files or even config.xml.

Q: I'm not getting any database access related errors, though I haven't setup config.xml to know about my  database. Do I need this database?

Actually I forgot I already had created a database and a MySQL account for an OpenCA user. But I checked and there are no tables in this database. IS there some script to setup the schema?

Actually [6] says there is no documentation for MySQL, but PostgreSQL. Well, the default setting in config.xml was actually mysql (!) so I'll go with that since I don't have PostgreSQL installed on this system.

Well, I set the corresponding username and password in this file and then I ran the configure_etc.sh script, but nothing changed. Actually, I then tried to stop/start the openca service. It started back up again, but I got a message:


This error is generated by the openca_start script by the line


The definition of loadCfg() in the OpenCA::Configuration module shows that the error is probably because the common.conf filename is somehow not being captured properly or something is preventing the file from getting opened. It surely exists.

It's also a good point of reference to check out the logs: /OPENCA_DIR/var/log/stderr.log

Hmm, well there's an error in there that suggests the DBD::MySQL module is missing. Let's see with CPAN, using perl -MCPAN -e shell.

Hey so I didn't have this module, for sure ! And I just installed it. So now I know that the following stderr.log error corresponds to the blank response at a browser.


But it's not enough to install this module. I had to restart the OpenCA service. That's not enough either. And that wasn't enough either.

Well it turns out, as the error may imply, DBD::MySQL and DBD::mysql are different modules. Hmm. Well I had errors when trying to install the second one.

Actually I was blind and didn't notice that installing DBD::MySQL errored out not being able to find this module. So regarding the correct one. CPAN was able to fetch DBD-mysql-4.008.tar.gz, but there's a prominent error:


Also


I found that mysql_config didn't have a link in /usr/bin along with all the other mysql binaries, so I added this. That fixed the first error and the next time around compilation started, but some files were missing:

I will use the following settings for compiling and testing:



I decided to try to see if I was missing any mysql header files so I downloaded mysql client and DBD development packages:


The compilation worked fine this time, but for some reason, the installer still could not access my root mysql account. All of the tests said


But what password is being used anyway? How could the installer know the mysql client password? Maybe I can just give my root account permissions to access mysql without a password, but that's nuts, since it has all permissions. The other recommendation at the end of the message is that I can 'force' install, but I'd really like to test.

So I tried to run the test manually, inserting the required options at the prompt to the perl Makefile in the cpan directory, on my system this is at

/root/.cpan/build/DBD-mysql-4.008-<random_stuff>/Makefile.PL

I set root as the test user and I set a password for test, but ended with the error:

Failed to create t/mysql.mtest: No such file or directory at /root.cpan/build/DBD-mysql-4.008-<random_stuff>/Makefile.PL line 196, <PIPE> line 73

I don't exactly see anything else regarding this. I could just try to force the CPAN installation and see what happens. I guess I could remove the mod and try again if it flakes later on.

How to force install in CPAN?

That's good with just "force install DBD::mysql "

Okay, I forced the install and now I see a login screen below the text that was showing up before and there's also a new error that sounds like it's about a database


Regardless, the lack of a Perl module from allowing access to the database may have stopped the login screen from showing up somehow, but ther are still no changes in the openca database itself. So I still think I need to fill in that DB with some schema.

What schema information should go into the OpenCA DB?

There was still an error in the error log:


This is really odd, since there's an error about writing to 'syslogdevice', but this stderr.log gets filled without a problem and the Apache logs get filled as well ( hmm but I haven't seen messages in them recently ).


And when I try to log into the CA with a random username/password, I get


That should probably be expected, but the


is also there. And the error is more complicated when trying to get to the 'node' script:


Going to 'node' gives


How nice, there are discussions of certain errors at [7]. So as I understand, the SSL connection which is setup has a symmetric algorithm whose selected key is too short. Could raising the symmetric cipher number of bits required in the Apache httpd.conf help solve this?
   
Google found someone elses's OpenCA server with the same error I've been having

The error

was at [9]. But the [8] website does have evidence that part of the installation is functioning.


logs useful to check regarding OpenCA

• mysql access log
• /var/log/mysqld.log
  
• apache access log
• apache error log
• openca error log
• /OPENCA_DIR/var/log/stderr.log
• openca access log (?)
• /var/openca/var/log/xml_cache.log
• php error log(?)
• dmesg
• syslog
  

summary of all current symptoms/errors

• most pages I go to have WARNING commit failed so starting general rollback! error
• Also, most pages can't find their own stylesheet
  
• the openca database in MySQL is not populated with a template as it should be
• [10] describes that OpenCA initializes itself through preliminary options at the ca/ca page, so I have to probably first figure out why I can't properly access that page and maybe then I'll be able to access everything else. There's word of the user being able to click on "Initialize the Certification Authority".
  
• [11] shows I should encounter this even if I am not using the Live CD. 
• I found the "Initialize the Certification Authority" quote in /var/openca/lib/cmds/getStaticPage
• This file even spells out the different "Phase I, II and III" portions. But I dont know how  this text gets to a page from here yet.
• the main ca/index.html page calls cgi-bin/ca/ca?cmd=getStaticPage&name=index . 
• It's also possible to see some of the other functions into getStaticPage at /var/openca/etc/menu.xml
  
• main ca/ca page has errors:
•  When I head to the first page, I initially get the WARNING commit failed so starting general rollback!
• Then I get a login screen. But the question is, why is there a login screen when I still didn't go through that initialization process.
• the stylesheet is pointing at "/ca/default.css", but it's really at /openca/ca/default.css
• The main perl code that prints HTML here is at /var/openca/perl-modules/perl5/OpenCA/UI/HTML.pm
• It references the parameter HTDOCS, which apparently points to "/ca" instead of "/openca/ca"
• I checked config.xml and I actually had it wrong there. I hope that fixes something.
• What should I do to make openCA reread its configuration? Is that through using configure_etc.sh ? I think so.
• Okay so I ran that and some of the page colors actually started to show up. But not all of them.
• Now the main error when going to ca/ca that occurs in the openca log is :
• DBD::mysql::st execute failed: Unknown character set: 'utf-8' at /var/openca/perl-modules/perl5/OpenCA/DBI.pm line 2544.
• yd
• going to  node/node page gives me Error 6251043 about using a symmetric key length that's too short
• Why is there nothing in /var/openca/var/db/ ? Should there be? From where else would the main database schema get populated?
• Here's an error I'm getting when going to the node page:
  
• PKI Master Alert: Message: addMessage failed for log slot sys_log (6511070). Cannot write to syslogtevice.
  

References

[1] http://wiki.arcs.org.au/bin/view/Main/CAInstallGuide093

[2] http://www.cpan.org/modules/01modules.index.html

[3] http://www.cpan.org/authors/id/D/DA/DANIEL/Crypt-OpenSSL-X509-0.3.1.readme

[4] http://www.mail-archive.com/openca-users@lists.sourceforge.net/msg08903.html

[5] http://oreilly.com/openbook/cgi/ch12_01.html

[6] https://openca.org/~madwolf/ch04s10.html

[7] https://www.openca.org/~madwolf/apes05.html

[8] https://ca.psigrid.gov.ph

[9] https://ca.psigrid.gov.ph/cgi-bin/pub/pki?cmd=logout

[10] http://www.dartmouth.edu/~deploypki/CA/OpenCA-LiveCD.html

[11] http://www.nabble.com/help:-initialize-the-RA-td2989215.html