Pubcookie Fun
Keyclient commands:
    # (Re)generate a pubcookie key
    # To download but not regenerate if one exists (e.g., multiple hosts sharing the same key), add -d
    /usr/local/pubcookie/keyclient -C /var/apache/etc/ssl.crt/CMU-CA-web-2.crt -H www.contrib.andrew.cmu.edu \
        -c /var/apache/etc/ssl.crt/www.contrib.andrew.cmu.edu.crt -k \
        /var/apache/etc/ssl.key/www.contrib.andrew.cmu.edu.key -D /var/apache/etc/ssl.crt/

    # To download the granting certificate
    /usr/local/pubcookie/keyclient -C /var/apache/etc/ssl.crt/CMU-CA-web-2.crt -H www.contrib.andrew.cmu.edu \
        -c /var/apache/etc/ssl.crt/www.contrib.andrew.cmu.edu.crt -k \
        /var/apache/etc/ssl.key/www.contrib.andrew.cmu.edu.key -D /var/apache/etc/ssl.crt/ -G \
        /var/pubcookie/andrew_granting_cert
If you see strange errors like the following in Apache's error log:
    @4000000044b638a912601bf4 [Thu Jul 13 08:12:15 2006] [error] [client 128.244.230.162] libpbc_rd_safe: couldn't verify signature for my.contrib.andrew.cmu.edu OpenSSL error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
    @4000000044b638a9126052a4 [Thu Jul 13 08:12:15 2006] [error] [client 128.244.230.162] libpbc_unbundle_cookie: libpbc_rd_priv() failed\n
    @4000000044b638ad24c7a064 [Thu Jul 13 08:12:19 2006] [error] [client 128.244.230.162] libpbc_rd_safe: couldn't verify signature for my.contrib.andrew.cmu.edu OpenSSL error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
    @4000000044b638ad24c7d714 [Thu Jul 13 08:12:19 2006] [error] [client 128.244.230.162] libpbc_unbundle_cookie: libpbc_rd_priv() failed\n
    @4000000044b638ae13c224c4 [Thu Jul 13 08:12:20 2006] [error] [client 128.244.230.162] libpbc_rd_safe: couldn't verify signature for my.contrib.andrew.cmu.edu OpenSSL error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
    @4000000044b6e2b314a48db4 [Thu Jul 13 20:17:45 2006] [error] [client 67.163.228.6] libpbc_rd_safe: couldn't verify signature for my.contrib.andrew.cmu.edu OpenSSL error: error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
then try re-downloading the pubcookie key with keyclient. These errors have been seen before when the host's key was wrong.
Note that pubcookie 3.3 uses AES encryption by default, while andrew (as of January 2007) still runs some variant of 3.1. To talk to that login server, the following must be added to the Apache configuration:

    PubcookieEncryption DES
Failing to add that produces errors very similar to the ones above that suggest a keyclient re-download. Note that this directive is technically per-directory, so it can be set separately for andrew vs. club in the same way the login server URL and the other per-site options are set. DES is a weak cipher, so drop the directive once the login server moves to a release that supports AES.
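Both the key-mismatch case and the missing PubcookieEncryption case show up in the error log as the same libpbc_rd_safe / libpbc_rd_priv() lines, so a small log check is the quickest way to tell that a host needs attention. The script below is an added example and not part of the original page or of the pubcookie distribution; the log lines it embeds are constructed samples in the same daemontools-timestamped Apache format as the ones above, with placeholder addresses and hostnames.

```sh
#!/bin/sh
# Added example (not from the original page): scan an Apache error log for
# the pubcookie signature/decryption failures quoted above, count them, and
# list the client addresses that triggered them.

# Constructed sample log, embedded so the script runs stand-alone.
# Addresses (RFC 5737 ranges) and hostname are placeholders.
SAMPLE_LOG=$(cat <<'EOF'
@4000000044b638a912601bf4 [Thu Jul 13 08:12:15 2006] [error] [client 192.0.2.10] libpbc_rd_safe: couldn't verify signature for www.example.test OpenSSL error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
@4000000044b638a9126052a4 [Thu Jul 13 08:12:15 2006] [error] [client 192.0.2.10] libpbc_unbundle_cookie: libpbc_rd_priv() failed
@4000000044b638ad24c7a064 [Thu Jul 13 08:12:19 2006] [notice] Apache configured -- resuming normal operations
@4000000044b6e2b314a48db4 [Thu Jul 13 20:17:45 2006] [error] [client 198.51.100.7] libpbc_rd_safe: couldn't verify signature for www.example.test OpenSSL error: error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
EOF
)

# The two message fragments that indicate a key or cipher mismatch between
# this host and the login server.
PBC_SIG_PATTERN="libpbc_rd_safe: couldn't verify signature"
PBC_PRIV_PATTERN='libpbc_rd_priv() failed'

# count_pbc_key_errors LOGTEXT: print the number of matching lines.
# "|| true" keeps the "0" output usable under set -e (grep exits 1 on no match).
count_pbc_key_errors() {
    printf '%s\n' "$1" | grep -c -e "$PBC_SIG_PATTERN" -e "$PBC_PRIV_PATTERN" || true
}

# pbc_error_hosts LOGTEXT: distinct [client ...] addresses on matching lines, one per line.
pbc_error_hosts() {
    printf '%s\n' "$1" \
        | grep -e "$PBC_SIG_PATTERN" -e "$PBC_PRIV_PATTERN" \
        | sed -n 's/.*\[client \([^]]*\)\].*/\1/p' \
        | sort -u
}

# check_pbc_log LOGTEXT: return 0 when the log is clean, 1 when the
# mismatch signature is present, with a one-line summary either way.
check_pbc_log() {
    n=$(count_pbc_key_errors "$1")
    if [ "$n" -eq 0 ]; then
        echo "no pubcookie key errors"
        return 0
    fi
    echo "$n pubcookie signature/decrypt failures from: $(pbc_error_hosts "$1" | tr '\n' ' ')"
    echo "check PubcookieEncryption for this login server, then re-run keyclient"
    return 1
}

# Run against the embedded sample when executed directly; for a real host
# pass the log contents instead, e.g. check_pbc_log "$(cat /var/apache/logs/error_log)".
check_pbc_log "$SAMPLE_LOG"
```

The two patterns are deliberately narrow: other OpenSSL errors in the same log (expired certificates, handshake failures) do not mean the pubcookie key is wrong, and counting them would send you to keyclient for nothing.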