Forum OpenACS Q&A: Response to An OpenSSL/Aolserver HOWTO
Thanks. I guess that's the problem.
I hadn't created the clientcert.pem and clientkey.pem. I noticed that error. I just copied and pasted the sample configuration, which didn't mention how to create a client cert and key, so I took it for granted that nsopenssl could still work without that client cert and key file.
But the truth is: it won't. I commented that out, did a little bit of tweaking here and there, and finally got it to work. Here is the configuration file I created from the same nsd.tcl of birdnotes. Hope it can help if someone has my problem.
ns_log notice "nsd.tcl: starting to read config file..."
# which database do you want? postgres or oracle
set database postgres
if {$database == "oracle"} {
set db_password "mysitepassword"
}
set httpport 80
set httpsport 443
# The hostname and address should be set to actual values.
set hostname 10.10.10.11 ;# change to your hostname
set address 10.10.10.11 ;# change to your internal IP
set server "birdnotes"
set db_name $server
set servername "birdnotes.com Community"
set serverroot "/web/${server}"
# if debug is false, all debugging will be turned off
set debug true
# you shouldn't need to adjust much below here
# for a standard install
#
# AOLserver's home and binary directories. Autoconfigurable.
#
set homedir [file dirname [ns_info config]]
set bindir [file dirname [ns_info nsd]]
#
# Where are your pages going to live ?
#
set pageroot ${serverroot}/www
set directoryfile index.tcl,index.adp,index.html,index.htm
#
# nsssl: Only loads if keyfile.pem and certfile.pem exist.
# If you are using SSL, make sure you have these dirs and files (refer
# to the AOLserver docs)
#set sslkeyfile ${homedir}/servers/${server}/modules/nsssl/keyfile.pem
#set sslcertfile ${homedir}/servers/${server}/modules/nsssl/certfile.pem
set sslkeyfile ${homedir}/servers/${server}/modules/nsopenssl/keyfile.pem
set sslcertfile ${homedir}/servers/${server}/modules/nsopenssl/certfile.pem
#
# Global server parameters
#
ns_section ns/parameters
ns_param serverlog ${homedir}/log/${server}-error.log
ns_param home $homedir
ns_param maxkeepalive 5
ns_param logroll on
ns_param maxbackup 5
ns_param debug $debug
#
# Thread library (nsthread) parameters
#
ns_section ns/threads
ns_param mutexmeter true ;# measure lock contention
ns_param stacksize [expr 2*512*1024]
#
# MIME types.
#
# Note: AOLserver already has an exhaustive list of MIME types, but in
# case something is missing you can add it here.
#
ns_section ns/mimetypes
ns_param Default text/plain
ns_param NoExtension text/plain
ns_param .pcd image/x-photo-cd
ns_param .prc application/x-pilot
ns_param .xls application/vnd.ms-excel
ns_param .pdf application/pdf
#
# Tcl Configuration
#
ns_section ns/server/${server}/tcl
ns_param library ${serverroot}/tcl
ns_param autoclose on
ns_param debug $debug
############################################################
#
# Server-level configuration
#
# There is only one server in AOLserver, but this is helpful when multiple
# servers share the same configuration file. This file assumes that only
# one server is in use so it is set at the top in the "server" Tcl variable
# Other host-specific values are set up above as Tcl variables, too.
#
ns_section ns/servers
ns_param $server $servername
#
# Server parameters
#
ns_section ns/server/${server}
ns_param directoryfile $directoryfile
ns_param pageroot $pageroot
ns_param maxconnections 5
ns_param maxdropped 0
ns_param maxthreads 5
ns_param minthreads 5
ns_param threadtimeout 120
ns_param globalstats false ;# Enable built-in statistics
ns_param urlstats false ;# Enable URL statistics
ns_param maxurlstats 1000 ;# Max number of URL's to do stats on
#ns_param directoryadp $pageroot/dirlist.adp ;# Choose one or the other
#ns_param directoryproc _ns_dirlist ;# ...but not both!
#ns_param directorylisting fancy ;# Can be simple or fancy
#
# ADP (AOLserver Dynamic Page) configuration
#
ns_section ns/server/${server}/adp
ns_param map /*.adp ;# Extensions to parse as ADP's
#ns_param map "/*.html" ;# Any extension can be mapped
ns_param enableexpire false ;# Set "Expires: now" on all ADP's
ns_param enabledebug $debug ;# Allow Tclpro debugging with "?debug"
ns_param defaultparser fancy
ns_section ns/server/${server}/adp/parsers
ns_param fancy ".adp"
#
# Socket driver module (HTTP) -- nssock
#
ns_section ns/server/${server}/module/nssock
ns_param timeout 120
ns_param address $address
ns_param hostname $hostname
ns_param port $httpport
#
# Socket driver module (HTTPS) -- nsssl
#
# nsssl does not load unless sslkeyfile/sslcertfile exist (above).
#
#ns_section ns/server/${server}/module/nsssl
#ns_param port $httpsport
#ns_param hostname $hostname
#ns_param address $address
#ns_param keyfile $sslkeyfile
#ns_param certfile $sslcertfile
#
# Database drivers
# The database driver is specified here. PostgreSQL driver being loaded.
# Make sure you have the driver compiled and put it in {aolserverdir}/bin
#
ns_section "ns/db/drivers"
if { $database == "oracle" } {
ns_param ora8 ${bindir}/ora8.so
} else {
ns_param postgres ${bindir}/postgres.so ;# Load PostgreSQL driver
}
#
# Database Pools: This is how AOLserver ``talks'' to the RDBMS. You need
# three for OpenACS: main, log, subquery. Make sure to replace ``yourdb''
# and ``yourpassword'' with the actual values for your db name and the
# password for it.
# AOLserver can have different pools connecting to different databases
# and even different different database servers.
#
ns_section ns/db/pools
ns_param pool1 "Pool 1"
ns_param pool2 "Pool 2"
ns_param pool3 "Pool 3"
ns_section ns/db/pool/pool1
ns_param maxidle 1000000000
ns_param maxopen 1000000000
ns_param connections 5
ns_param verbose $debug
ns_param extendedtableinfo true
ns_param logsqlerrors $debug
if { $database == "oracle" } {
ns_param driver ora8
ns_param datasource {}
ns_param user $db_name
ns_param password $db_password
} else {
ns_param driver postgres
ns_param datasource localhost::${db_name}
ns_param user nsadmin
ns_param password ""
}
ns_section ns/db/pool/pool2
ns_param maxidle 1000000000
ns_param maxopen 1000000000
ns_param connections 5
ns_param verbose $debug
ns_param extendedtableinfo true
ns_param logsqlerrors $debug
if { $database == "oracle" } {
ns_param driver ora8
ns_param datasource {}
ns_param user $db_name
ns_param password $db_password
} else {
ns_param driver postgres
ns_param datasource localhost::${db_name}
ns_param user nsadmin
ns_param password ""
}
ns_section ns/db/pool/pool3
ns_param maxidle 1000000000
ns_param maxopen 1000000000
ns_param connections 5
ns_param verbose $debug
ns_param extendedtableinfo true
ns_param logsqlerrors $debug
if { $database == "oracle" } {
ns_param driver ora8
ns_param datasource {}
ns_param user $db_name
ns_param password $db_password
} else {
ns_param driver postgres
ns_param datasource localhost::${db_name}
ns_param user nsadmin
ns_param password ""
}
ns_section ns/server/${server}/db
ns_param pools "*"
ns_param defaultpool pool1
ns_section ns/server/${server}/redirects
ns_param 404 "global/file-not-found.html"
ns_param 403 "global/forbidden.html"
#
# Access log -- nslog
#
ns_section ns/server/${server}/module/nslog
ns_param file ${homedir}/log/${server}.log
ns_param enablehostnamelookup false
ns_param logcombined true
#ns_param logrefer false
#ns_param loguseragent false
ns_param maxbackup 5
ns_param rollday *
ns_param rollfmt %Y-%m-%d-%H:%M
ns_param rollhour 0
ns_param rollonsignal true
ns_param rolllog true
#
# nsjava - aolserver module that embeds a java virtual machine. Needed to
# support webmail. See http://nsjava.sourceforge.net for further
# details. This may need to be updated for OpenACS4 webmail
#
ns_section ns/server/${server}/module/nsjava
ns_param enablejava off ;# Set to on to enable nsjava.
ns_param verbosejvm off ;# Same as command line -debug.
ns_param loglevel Notice
ns_param destroyjvm off ;# Destroy jvm on shutdown.
ns_param disablejitcompiler off
ns_param classpath /usr/local/jdk/jdk118_v1/lib/classes.zip:${bindir}/nsjava.jar:${pageroot}/webmail/java/activation.jar:${pageroot}/webmail/java/mail.jar:${pageroot}/webmail/java
#
# CGI interface -- nscgi, if you have legacy stuff. Tcl or ADP files inside
# AOLserver are vastly superior to CGIs. I haven't tested these params but they
# should be right.
#
#ns_section "ns/server/${server}/module/nscgi"
# ns_param map "GET /cgi-bin/ /web/$server/cgi-bin"
# ns_param map "POST /cgi-bin/ /web/$server/cgi-bin"
# ns_param Interps CGIinterps
#ns_section "ns/interps/CGIinterps"
# ns_param .pl "/usr/bin/perl"
#
# Modules to load
#
ns_section ns/server/${server}/modules
ns_param nssock ${bindir}/nssock.so
ns_param nslog ${bindir}/nslog.so
ns_param nssha1 ${bindir}/nssha1.so
ns_param nscache ${bindir}/nscache.so
ns_param nsrewrite ${bindir}/nsrewrite.so
ns_param nsxml ${bindir}/nsxml.so
#ns_param nsopenssl ${bindir}/nsopenssl.so
#ns_param nsfts ${bindir}/nsfts.so
#ns_param nsperm ${bindir}/nsperm.so
#ns_param nscgi ${bindir}/nscgi.so
#ns_param nsjava ${bindir}/libnsjava.so
#
## nsssl: loads only if requisite files already exist (see top of this
# file).
#if { [file exists $sslcertfile] && [file exists $sslkeyfile] } {
# ns_param nsssl ${bindir}/nsssle.so
# ns_param nsssl ${bindir}/nsopenssl.so
#} else {
# ns_log warning "nsd.tcl: nsssl not loaded because key/cert files do not exist."
#}
ns_section "ns/server/${server}/module/nsopenssl"
# NSD-driven connections:
ns_param ServerPort $httpsport
ns_param ServerHostname $hostname
ns_param ServerAddress $address
ns_param ServerCertFile certfile.pem
ns_param ServerKeyFile keyfile.pem
ns_param ServerProtocols "SSLv2, SSLv3, TLSv1"
ns_param ServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param ServerSessionCache false
ns_param ServerSessionCacheID 1
ns_param ServerSessionCacheSize 512
ns_param ServerSessionCacheTimeout 300
ns_param ServerPeerVerify true
ns_param ServerPeerVerifyDepth 3
ns_param ServerCADir ca
ns_param ServerCAFile ca.pem
ns_param ServerTrace false
# For listening and accepting SSL connections via Tcl/C API:
ns_param SockServerCertFile certfile.pem
ns_param SockServerKeyFile keyfile.pem
ns_param SockServerProtocols "SSLv2, SSLv3, TLSv1"
ns_param SockServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param SockServerSessionCache false
ns_param SockServerSessionCacheID 2
ns_param SockServerSessionCacheSize 512
ns_param SockServerSessionCacheTimeout 300
ns_param SockServerPeerVerify true
ns_param SockServerPeerVerifyDepth 3
ns_param SockServerCADir internal_ca
ns_param SockServerCAFile internal_ca.pem
ns_param SockServerTrace false
# Outgoing SSL connections
#ns_param SockClientCertFile clientcertfile.pem
#ns_param SockClientKeyFile clientkeyfile.pem
#ns_param SockClientProtocols "SSLv2, SSLv3, TLSv1"
#ns_param SockClientCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
#ns_param SockClientSessionCache false
#ns_param SockClientSessionCacheID 3
#ns_param SockClientSessionCacheSize 512
#ns_param SockClientSessionCacheTimeout 300
#ns_param SockClientPeerVerify true
#ns_param SockClientPeerVerifyDepth 3
#ns_param SockClientCADir ca
#ns_param SockClientCAFile ca.pem
#ns_param SockClientTrace false
# OpenSSL library support:
ns_param RandomFile /some/file
ns_param SeedBytes 1024
ns_section "ns/server/${server}/modules"
ns_param nsopenssl ${bindir}/nsopenssl.so
#if { [file exists $sslcertfile] && [file exists $sslkeyfile] } {
# ns_param nsopenssl ${bindir}/nsopenssl.so
#} else {
# ns_log warning "nsd.tcl: nsopenssl not loaded because key/cert files do not exist."
#}
ns_log notice "nsd.tcl: finished reading config file."
My default web folder is /web/birdnotes/ and the aolserver directory is /usr/local/aolserver. I followed the instructions in ReadMe.txt and copied test-cert.pem and test-key.pem to /usr/local/aolserver/servers/birdnotes/modules/nsopenssl.
Thank you for your help.
Jay
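The failure described in this post comes from nsopenssl being handed a *File parameter whose file does not exist under its module directory. The script below is an added example, not part of the original post and not nsopenssl's own code: it parses ns_section/ns_param lines from a constructed excerpt of the config above (the Tcl variables substituted by hand), resolves bare file names against the module directory the post's layout implies (servers/birdnotes/modules/nsopenssl), lists the files that are missing, and flags the protocol and cipher-suite entries (SSLv2, LOW, EXP) and the /some/file RandomFile placeholder that a reviewer would revisit before exposing port 443. The section name, the temporary module directory and the placeholder PEM contents are assumptions of the example.

```python
import os
import re
import tempfile

# Constructed excerpt of the nsd.tcl above with ${server} etc. substituted;
# it is a subset of the real file, kept to the lines the audit looks at.
SAMPLE_CONFIG = """\
ns_section "ns/server/birdnotes/module/nsopenssl"
ns_param ServerPort 443
ns_param ServerCertFile certfile.pem
ns_param ServerKeyFile keyfile.pem
ns_param ServerProtocols "SSLv2, SSLv3, TLSv1"
ns_param ServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param ServerPeerVerify true
ns_param SockClientCertFile clientcertfile.pem
ns_param SockClientKeyFile clientkeyfile.pem
ns_param RandomFile /some/file
ns_section "ns/server/birdnotes/modules"
ns_param nsopenssl /usr/local/aolserver/bin/nsopenssl.so
"""

NSOPENSSL_SECTION = "ns/server/birdnotes/module/nsopenssl"  # assumed name

SECTION_RE = re.compile(r'^\s*ns_section\s+"?([^"\s]+)"?')
PARAM_RE = re.compile(r'^\s*ns_param\s+(\S+)\s+(.*?)\s*(?:;#.*)?$')

# Parameters nsopenssl treats as file paths (names taken from the config above).
FILE_PARAMS = ('ServerCertFile', 'ServerKeyFile', 'ServerCAFile',
               'SockServerCertFile', 'SockServerKeyFile', 'SockServerCAFile',
               'SockClientCertFile', 'SockClientKeyFile', 'SockClientCAFile')

def parse_sections(text):
    """Return {section: {param: value}} from uncommented ns_section/ns_param lines."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.lstrip().startswith('#'):
            continue                      # commented-out params never take effect
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = PARAM_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip('"')
    return sections

def missing_files(params, module_dir):
    """Bare file names are resolved relative to the module directory; return the
    (param, resolved path) pairs whose file is absent, which blocks module load."""
    missing = []
    for name in FILE_PARAMS:
        if name in params:
            path = params[name]
            if not os.path.isabs(path):
                path = os.path.join(module_dir, path)
            if not os.path.isfile(path):
                missing.append((name, path))
    return missing

def weak_settings(params):
    """Flag protocol/cipher entries and placeholders a reviewer would revisit."""
    findings = []
    for name, value in params.items():
        if name.endswith('Protocols') and 'SSLv2' in value:
            findings.append(f'{name}: SSLv2 enabled')
        if name.endswith('CipherSuite'):
            for tok in value.split(':'):
                if tok.lstrip('+') in ('LOW', 'EXP', 'SSLv2'):
                    findings.append(f'{name}: includes {tok}')
    rnd = params.get('RandomFile')
    if rnd is not None and not os.path.isfile(rnd):
        findings.append(f'RandomFile: {rnd} does not exist (sample placeholder?)')
    return findings

def audit(config_text, module_dir, section=NSOPENSSL_SECTION):
    params = parse_sections(config_text).get(section, {})
    return {'missing': missing_files(params, module_dir),
            'weak': weak_settings(params)}

def make_demo_module_dir(with_client_files=False):
    """Constructed stand-in for servers/birdnotes/modules/nsopenssl: holds the
    server cert/key pair and, optionally, the client pair the post never created.
    The file contents are placeholders, not real PEM material."""
    d = tempfile.mkdtemp(prefix='nsopenssl-demo-')
    names = ['certfile.pem', 'keyfile.pem']
    if with_client_files:
        names += ['clientcertfile.pem', 'clientkeyfile.pem']
    for n in names:
        with open(os.path.join(d, n), 'w') as f:
            f.write('-----BEGIN PLACEHOLDER-----\n')
    return d

if __name__ == '__main__':
    report = audit(SAMPLE_CONFIG, make_demo_module_dir())
    for name, path in report['missing']:
        print(f'missing file for {name}: {path}')
    for finding in report['weak']:
        print(f'review: {finding}')
```

Run against the demo directory that holds only the server pair, the audit reports the two SockClient* files as missing, which is the condition the post hit before commenting those parameters out; with the client pair present the missing list is empty and only the protocol, cipher-suite and RandomFile findings remain.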