Create certificate for iprohc

Asked by Atik

Hi,

I have compiled iprohc successfully, but I am not able to run it because of the server certificate. I created a self-signed certificate, but I get an error while loading it:

Apr 22 23:55:07 Linux iprohc_server[9295]: load server certificate from file '/etc/ssl/client.p12'
Apr 22 23:55:07 Linux iprohc_server[9295]: too few certificates in PKCS#12 file '/etc/ssl/client.p12'
Apr 22 23:55:07 Linux iprohc_server[9295]: remove pidfile '/var/run/iprohc_server.pid'
Apr 22 23:55:07 Linux iprohc_server[9295]: server stops with exit code 1
Apr 22 23:55:07 Linux iprohc_server[9295]: close syslog session

Please give a tutorial on how to generate the certificate.

Regards
Atik

Question information

Language: English
Status: Solved
For: rohc
Assignee: No assignee
Solved by: Didier Barvaux

Didier Barvaux (didier-barvaux) said :
#1

Atik,

> Apr 22 23:55:07 Linux iprohc_server[9295]: load server certificate from file '/etc/ssl/client.p12'
> Apr 22 23:55:07 Linux iprohc_server[9295]: too few certificates in PKCS#12 file '/etc/ssl/client.p12'

A PKCS#12 file is a container. The IP/ROHC application requires the p12 file to contain
the client's X.509 certificate, the client's private key, and the CA X.509 certificate. You
can create a p12 file with the 'openssl pkcs12 <params>' command. See 'man pkcs12'
for more details.

Regards,
Didier

Atik (atik) said :
#2

Hi,

I have created the PKCS#12 file with the following command. I guess it didn't include ca.crt:

openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

What parameter is needed to include ca.crt too?

Regards
Atik

Best Didier Barvaux (didier-barvaux) said :
#3

Atik,

> I have created PKCS#12 file by following command. i guess it didn't
> include ca.crt
> openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
> what parameter need to include ca.crt too?

Use -certfile.

Regards,
Didier
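
Added example, not part of the original thread or of the rohc project: a shell script that builds a throwaway CA and client certificate, then creates the PKCS#12 file once with the command from the question and once with -certfile, and counts the certificates in each bundle. The file names follow the thread; the subject names and the export password are constructed for the example.

```shell
#!/bin/sh
# Compare PKCS#12 bundles created without and with -certfile.
PASS='example-only'    # constructed export password, not a real secret

make_test_pki() {      # $1 = working directory
    # Self-signed CA certificate and key (constructed subject name)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example CA' \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    # Client key and signing request, then a client certificate signed by the CA
    openssl req -newkey rsa:2048 -nodes -subj '/CN=example-client' \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/client.crt" 2>/dev/null
}

count_p12_certs() {    # $1 = PKCS#12 file; prints how many certificates it holds
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

compare_bundles() {    # prints "<count without -certfile> <count with -certfile>"
    # mktemp -d creates a directory only the owner can read, so the
    # throwaway private keys are not exposed to other users.
    dir=$(mktemp -d) || return 1
    make_test_pki "$dir" || { rm -rf "$dir"; return 1; }
    # Command from the question: client certificate and private key only
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -passout "pass:$PASS" -out "$dir/no_ca.p12"
    # Same command plus -certfile, which adds the CA certificate to the bundle
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -certfile "$dir/ca.crt" -passout "pass:$PASS" -out "$dir/with_ca.p12"
    echo "$(count_p12_certs "$dir/no_ca.p12") $(count_p12_certs "$dir/with_ca.p12")"
    rm -rf "$dir"
}

compare_bundles        # prints: 1 2
```

The same count check can be run against an existing client.p12 before pointing the daemon at it; the file contains the private key, so keep it readable only by the account that runs iprohc.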

Atik (atik) said :
#4

Thank you, it's working now.

Is there any way to assign a client a static IP? The iprohc server is assigning a dynamic IP to each new client.

Regards
Atik

Didier Barvaux (didier-barvaux) said :
#5

Atik,

> Thank you, its working now.

Great!

> is there any way to assign client to get Static IP? iprohc server assigning
> dynamic ip each new client.

No. The IP address is dynamic in the configured range. Static association
could be interesting, the feature would probably be accepted if you
implement it.

Regards,
Didier

Atik (atik) said :
#6

Thanks Didier Barvaux, that solved my question.

matthew (xcalibre0) said :
#7

Atik, how did you get your iprohc to give you errors/logs? I'm also trying to execute it, but it simply fails silently. It is possible that I also have a certificate problem, but I don't know how to find out what went wrong.

matthew (xcalibre0) said :
#8

Ok I think I found it, there is a hidden parameter for iprohc server called "--debug" that is not exposed in the usage comments.

Also, it appears to log everything to the default syslog running in most unix which puts its logs with everything else in /var/log/messages.

Didier Barvaux (didier-barvaux) said :
#9

Matthew,

> Ok I think I found it, there is a hidden parameter for iprohc server
> called "--debug" that is not exposed in the usage comments.
>
> Also, it appears to log everything to the default syslog running in
> most unix which puts its logs with everything else in /var/log/messages.

The iprohc client and server both use syslog to trace their behaviour.
They both use the daemon facility. The server is identified with the
"iprohc_server" string. Client is identified by "iprohc_client".

You may configure your syslog daemon to redirect those traces to
a separate file if you want to.

The --debug option allows the daemon to also emit debug traces. They
should not be needed except if you are analyzing a problem. Debug traces
are very verbose, so I advise you not to enable them in production.

I fixed the server's help message. It now prints all options. Thanks for
reporting the problem!

Regards,
Didier