HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

-   Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=27)
-   -   Adding SSL cert brought Apache down (http://www.howtoforge.com/forums/showthread.php?t=36180)

wxman 10th June 2009 00:03

Adding SSL cert brought Apache down
 
I was trying to step through adding a cert to one of my sites using ISPConfig 3.0.1.3. I made it to adding the SSL and bundle, told it to save, and the whole server froze. I have no idea where I went wrong, but my log shows:
Code:

Unable to configure RSA server private key
SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

every time I try a restart.

I know one thing that I might have missed was changing the IP address from * to the actual address. If I go to the command prompt to restart Apache, all it says is:
Code:

httpd (pid 13791?) not running

When I was setting it up, I also wasn't sure if I was supposed to change the certificate showing under the 'SSL Request' box, and replace it with the one for my domain that was sent to me. I did replace it, then pasted the bundle into the bottom box, and told it to save. Before I pasted the new domain cert into the box that already had one in it, I copied the cert that was there and saved it.

Is there anything I can do to restart the whole process? I'd be happy to remove the changes and start over, but I don't know where to start. I can get to server files and MySQL tables, but nothing running on Apache.

wxman 10th June 2009 03:00

I sort of fixed it. I went in and commented out the SSL lines in the apache2/sites-available/ vhosts file for the domain I was working on. After an Apache restart I was able to get back into ISPConfig 3, deleted the certificate that was there, and unchecked SSL for the site. The problem now is I must have changed something without knowing. I can't get to my site at all, but I can get to ISPConfig, and there's no entry in the error log when I try to see my site. An Apache restart gives:
Code:

_default_ VirtualHost overlap on port 80, the first has precedence

then it starts. I fixed this error by adding the *:80 back that I must have removed by accident.

I still need to add the certificate that started all this, but I don't want to make the same mistakes. Is there any step-by-step guide to doing the certs in ISPC3? I just checked the SSL page, and it still shows something in the 'SSL Certificate' and 'SSL Request' boxes.

till 10th June 2009 08:37

Your problem is that you added an SSL certificate that was not based on the CSR created by ISPConfig, so the private keys don't match and Apache was not able to start anymore. You have to reissue the certificate and this time use the CSR that was created by ISPConfig to create the signed certificate.

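The error in the first post (X509_check_private_key: key values mismatch) is Apache refusing to start because the pasted certificate does not carry the same public key as the private key behind the CSR. The script below is an added example, not code from the thread or from ISPConfig: it builds a throwaway key, CSR, signing CA and issued certificate with the openssl CLI (all constructed here, nothing real), then runs the same public-key comparison mod_ssl does, plus a chain check against the bundle, so a wrong certificate is caught before it ever reaches the vhost file. The hypothetical CN example.test and the temporary file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): check a certificate against
# the private key / CSR it is supposed to belong to, and against the CA bundle,
# before pasting it into the panel. Needs only POSIX sh and the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fixtures: site.key/site.csr stand in for what the panel generated,
# ca.crt stands in for the bundle the CA sent, site.crt is the certificate issued
# from the CSR, and other.key is an unrelated key (the "wrong key" case).
gen_fixtures() {
  openssl genrsa -out "$WORK/site.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$WORK/site.key" -subj "/CN=example.test" \
      -out "$WORK/site.csr" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
      -subj "/CN=Example Test CA" -days 2 -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 2 -out "$WORK/site.crt" >/dev/null 2>&1
  openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
}

# SHA-256 of the DER-encoded public key carried by a cert, a CSR or a private key.
# mod_ssl's X509_check_private_key fails exactly when cert and key disagree here.
pubkey_hash() { # $1: cert | csr | key   $2: PEM file
  pem=$(case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
    *)    echo "unknown kind: $1" >&2; exit 2 ;;
  esac)
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 if the private key is the one the certificate was issued for.
key_matches_cert() { # $1: key PEM  $2: cert PEM
  [ "$(pubkey_hash key "$1")" = "$(pubkey_hash cert "$2")" ]
}

# 0 if the certificate was issued from this CSR (same public key).
csr_matches_cert() { # $1: CSR PEM  $2: cert PEM
  [ "$(pubkey_hash csr "$1")" = "$(pubkey_hash cert "$2")" ]
}

# 0 if the certificate chains to the supplied bundle.
chain_verifies() { # $1: bundle PEM  $2: cert PEM
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

gen_fixtures
echo "key   -> cert: $(key_matches_cert "$WORK/site.key"  "$WORK/site.crt" && echo match || echo MISMATCH)"
echo "csr   -> cert: $(csr_matches_cert "$WORK/site.csr"  "$WORK/site.crt" && echo match || echo MISMATCH)"
echo "wrong -> cert: $(key_matches_cert "$WORK/other.key" "$WORK/site.crt" && echo match || echo MISMATCH)"
echo "chain:         $(chain_verifies   "$WORK/ca.crt"    "$WORK/site.crt" && echo ok    || echo FAIL)"
```

Against a real deployment, point key_matches_cert at the private key the panel wrote for the site and the certificate the CA returned, and chain_verifies at the bundle; a MISMATCH on the first check is the condition that stops Apache, and the cure is the one given above: reissue from the panel's own CSR rather than from a CSR generated elsewhere.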
wxman 10th June 2009 12:52

Quote:

Originally Posted by till (Post 193141)
Your problem is that you added an SSL certificate that was not based on the CSR created by ISPConfig, so the private keys don't match and Apache was not able to start anymore. You have to reissue the certificate and this time use the CSR that was created by ISPConfig to create the signed certificate.

I did use the CSR created by ISPConfig. When I first went to the domain settings in ISPConfig, there was nothing in the CSR box. I told it to create a certificate. It made the CSR, which I used to get a standard certificate at GoDaddy. They sent me the cert for the domain and the bundle. I went back to ISPConfig and there was a certificate now showing in both the CSR and SSL Certificate boxes. I replaced the one in the SSL Certificate box with the SSL certificate that was issued, pasted the bundle into the SSL bundle box, then told it to 'save certificate'. That's when it froze. I wasn't sure if I was supposed to replace the cert showing in the SSL Certificate box with the one they issued or not.

Also, I'm not clear on the IP address. The web server is behind a load balancer, which is behind a router. I have 5 IP addresses, and one of them is now routed to the local address of the load balancer. The ISPConfig server IP is set to the local address of the load balancer.
Code:

[server]
auto_network_configuration=
ip_address=192.168.31.100

I would like to use the public IP I'm using now for the first certificate, but I expect at least two more sites will need them. Do I just add more IPs in the "Edit Server IP" section?

Here's an even bigger question. I don't know how I missed it, but HAProxy can't do SSL. I'm told that I need to install Apache and mod_ssl on my LB nodes. First I have to find a how-to for that. But that made me wonder where the certificates get installed.
I'm really wondering if I should do away with HAProxy, get rid of the LB nodes, and just run Heartbeat on the server to do failover.

jbimmerle 3rd September 2009 05:05

Similar to my request in another post -- does anyone have any follow-up on this?

Thanks

till 3rd September 2009 11:19

And what is your exact question? Please make a new post for your issue instead of posting in other threads.

jbimmerle 3rd September 2009 12:35

Quote:

Originally Posted by till (Post 203081)
And what is your exact question? Please make a new post for your issue instead of posting in other threads.

Sorry -- I posted in this thread because I had exactly the same question as wxman concerning SSL certificates in load-balanced environments and how they work. I will post a new separate thread on this, but please don't bash me for opening a duplicate thread then.

Wow -- can't win with some people.

till 3rd September 2009 13:00

The problem is that in most cases, people post to threads because they think they are related, but they are not really related to the problem. Or a problem in a thread is specific to one version of a piece of software and does not apply to current versions. That's why it is better to make a new thread for a problem and post the exact problem description and error messages that you got.

jbimmerle 3rd September 2009 13:58

Understood. Once I've collected my thoughts I will post under a separate thread to ensure that I've explained everything as clearly as possible (or at least tried).

Thanks again and sorry for being a bit testy -- late night last night and an early morning. Makes for a bad combination.

