HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


debian-lover 19th April 2008 05:30

SSL and IPs problem.
 
3 Attachment(s)
Hi everyone, I need some help getting SSL working on my ISPConfig setup.

First of all, I am not even sure if I've setup the IPs correctly. I have two private IPs and two public IPs that I can use.

Private IPs:
192.168.16.36
192.168.16.37

Public IPs (For eg):
222.22.22.21
222.22.22.22

From the attachments, I am pretty sure (1) is private ip and (4) is public but not sure about (2) and (3).

So, http://(www.)testsite.com works fine with the current configuration but as soon as I turn on the SSL, it stops working. I don't even have to touch the SSL tab, and I get the "connection was reset" error on Firefox. Also, I get the same error if I go to https://www.testsite.com

Apache log in /var/log/apache2/error.log does not record anything; however, /var/www/web10/ssl/log/error.log has the following:
Code:

[Fri Apr 18 17:29:53 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:29:53 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:func(128):reason(116)
[Fri Apr 18 17:29:54 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:29:54 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Apr 18 17:36:06 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:36:06 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Apr 18 17:36:48 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:36:48 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Apr 18 17:36:48 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:36:48 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Apr 18 17:37:20 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:37:20 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Apr 18 17:37:20 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:37:20 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Apr 18 17:38:11 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:38:11 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Apr 18 17:38:12 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:38:12 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

What could be the problem? Any help much appreciated.

till 19th April 2008 10:00

Did you copy a SSL cert into the ssl directory of the website manually?

Please go to the SSL tab of the site, enter the details for the SSL key and select create as action. Then click on save and wait about a minute. Then try again to connect.

debian-lover 19th April 2008 10:28

Yes till, it works fine with the self-signed certificate, but when I install a trusted certificate, Apache stops working and doesn't restart until I delete the new certificate. I've tried two different certificates, from Comodo and RapidSSL. Both give the same error that doesn't let Apache restart.

Code:

[Sat Apr 19 01:18:49 2008] [error] Unable to configure RSA server private key
[Sat Apr 19 01:18:49 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

I googled for this error and found this
Quote:

View the certificate modulus using the following command:

openssl x509 -noout -text -in certfile -modulus


View the key using the following command:

openssl rsa -noout -text -in keyfile -modulus


Verify the following:
Verify that the certificate and private key is saved in Notepad and that it has no trailing spaces.
The "modulus" and "public exponent" portions in the key and the certificate must match exactly.
Make sure you aren't using the default server.key file.
You should also check the httpd.conf file to make sure that the directives are pointing to the correct private key and certificate.


If they do not match, you will have to reissue your certificate

From: http://www.entrust.net/knowledge-bas...te.cfm?tn=5892
They, indeed, match in my case. I can't figure out where the problem is. Any Idea?

till 19th April 2008 10:44

Ok, you forgot to mention in your post that you installed an SSL cert that was not created on the basis of the CSR from ISPConfig. If you want to set up a trusted cert, it must be created on the basis of the CSR that ISPConfig created for you, otherwise you will get these errors, as the private key is not valid for your certificate.

Another solution is to replace the private key in the ssl directory of the website with the private key that you used to create the trusted cert.
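
The relationship described in the post above (the CA-issued certificate must belong to the private key in the site's ssl directory and must come from the CSR made with that key) can be checked with the modulus commands quoted earlier in the thread. This is an added example, not part of any forum post; the function names, file names and the throwaway demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Print "Modulus=<hex>" for a PEM file of the given kind (cert | key | csr).
modulus_of() {
    case "$1" in
        cert) openssl x509 -noout -modulus -in "$2" ;;
        key)  openssl rsa  -noout -modulus -in "$2" ;;
        csr)  openssl req  -noout -modulus -in "$2" ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# check_tls_material CERT KEY [CSR]
# Returns 0 if all moduli agree, 1 on any mismatch, 2 if a file cannot be
# parsed as the kind it is supposed to be.
check_tls_material() {
    result=0
    key_mod=$(modulus_of key "$2")   || { echo "UNREADABLE key: $2";  return 2; }
    cert_mod=$(modulus_of cert "$1") || { echo "UNREADABLE cert: $1"; return 2; }
    if [ "$cert_mod" != "$key_mod" ]; then
        echo "MISMATCH: certificate does not belong to this private key"; result=1
    fi
    if [ -n "${3:-}" ]; then
        csr_mod=$(modulus_of csr "$3") || { echo "UNREADABLE csr: $3"; return 2; }
        [ "$csr_mod" = "$key_mod" ]  || { echo "MISMATCH: CSR was not made from this key"; result=1; }
        [ "$csr_mod" = "$cert_mod" ] || { echo "MISMATCH: certificate was issued for a different CSR"; result=1; }
    fi
    [ "$result" -eq 0 ] && echo "OK: all files share one RSA modulus"
    return "$result"
}

# Demo on constructed throwaway files; the hostname is a placeholder.
demo() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.testsite.com" \
        -keyout "$d/site.key" -out "$d/site.crt" 2>/dev/null
    openssl req -new -key "$d/site.key" -subj "/CN=www.testsite.com" \
        -out "$d/site.csr" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    check_tls_material "$d/site.crt" "$d/site.key" "$d/site.csr"   # matching set
    check_tls_material "$d/site.crt" "$d/other.key" || true        # wrong key
    rm -rf "$d"
}
demo
```

Running the check before restarting Apache shows which file is the odd one out: a CSR that matches the key while the certificate does not means the certificate was issued from some other request.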

debian-lover 19th April 2008 19:53

I did follow the steps listed in the official ISPConfig documentation to create a CSR. Ok, here's what I did:

- Enabled SSL Checkbox
- In the SSL Tab, filled all the information in text-boxes
- In the drop down, selected "Create Certificate"
- Wait for a minute
- In the drop down, selected "Save Certificate"
- Restarted apache and everything working fine (I can access https:// with the popup).

Now, to replace the self-signed cert with trusted cert.
- In the SSL tab, copied the "SSL Request" and sent it to CA.
- They gave me the certificate, and I replaced the default "SSL Certificate" with the one CA gave me.
- "Save certificate"
- Restarted apache, and it stopped working.

As I said, I've tried this with two different CAs. One of them required the SSLCertificateChainFile, I uploaded the chain file and entered the required line in the "Apache Directives (Optional)." Both of them give the same error.

Also, I am still confused about the IPs. Should I get more public IPs or Private IPs?

Sorry for being a pain. I am working on it as hard as I can. Thanks for your time.

till 19th April 2008 23:02

Your steps are ok, but the error message shows definitely that the wrong key is used. Are you really sure that you did not accidentally enter the bundle certificate in the SSL certificate field and that your CA did not use another CSR for the cert than the one created by ISPConfig?

debian-lover 20th April 2008 00:37

Yeah, I entered the .crt only not the bundle.

Ok, the modulus of .key and .crt (from CA) do not match, but they do match in case of .key and .crt (self-signed).

Any idea what I am doing wrong?

Thanks

debian-lover 21st April 2008 11:59

Resolved. Did a complete re-install.

For SSL, if going with Comodo, choose "Other" as your CSR generator not Apache's mod_ssl.


All times are GMT +2.