HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


snowfly 26th July 2011 11:44

SSL Certificate Error - Apache does not start
 
Hi,

I'm running ISPConfig 3.0.3.1, and trying to set up an SSL cert for a site.

However, Apache now fails to start, and I am getting this in the error log:

[Tue Jul 26 21:16:49 2011] [error] Unable to configure RSA server private key
[Tue Jul 26 21:16:49 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

These are the steps I took in ISPConfig:

1. Enable SSL for the site
2. Create SSL cert on 'SSL' tab, fill out fields, change SSL Action to 'Create Certificate', Save
3. Go back to SSL tab, copy 'SSL Request' (CSR)
4. I used Trustico (www.trustico.co.nz) to create a RapidSSL certificate, using CSR (from above)
5. Received RapidSSL cert, copied and pasted into 'SSL Certificate' field in ISPConfig 'SSL' tab for website
6. Changed action to 'Save Certificate', saved
7. Apache fails to start, cannot access ISPConfig control panel

Error from log at top of post.

I managed to get apache running again by commenting out SSLEngine On for site.


Any help please?
Thanks in advance.

snowfly 26th July 2011 12:03

Update:
I have spoken with Trustico support, and they have said the reason for the error is:

"You have lost the matching private key, that was created when you generated the CSR"

The SSL CSR was created via ISPConfig, so where is the original matching private key?

till 26th July 2011 12:04

The steps you took are correct.

According to the error message above, the ssl certificate that was copied back to ispconfig was not based on the csr from ispconfig, so that the key of the ssl cert did not match and apache could not be started. Maybe trustico created its own csr and did not use the one from ispconfig or you accidentally selected "create certificate" instead of "save certificate" to save the ssl cert.

till 26th July 2011 12:06

Quote:

Originally Posted by snowfly (Post 260397)
Update:
I have spoken with Trustico support, and they have said the reason for the error is:

"You have lost the matching private key, that was created when you generated the CSR"

The SSL CSR was created via ISPConfig, so where is the original matching private key?

The ssl key is in the ssl directory of the website. It does not get changed when you upload the cert, so you did not lose the key as the trustico support guessed. I explained to you above the possible reasons for the error message, either the trustico ssl cert is not based on the csr generated by ispconfig or you accidentally generated a new csr and key instead of saving it.
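
Added example, not part of the original thread: one way to tell the two causes named above apart is to compare the public key inside the private key file, the CSR and the issued certificate, which is the same comparison behind Apache's `X509_check_private_key:key values mismatch` error. The file names and the temporary demo directory are constructed for illustration and are not ISPConfig's actual paths.

```shell
#!/bin/sh
# Added example: do a private key, a CSR and a certificate carry the same public key?
# All files used in the demo are generated locally (constructed sample data).

# Print the SHA-256 of the DER public key found in a key, CSR or certificate.
pubkey_fp() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 2                      # unreadable or unparsable input
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 if all three match, 1 on a mismatch, 2 if a file cannot be read.
same_keypair() {
    k=$(pubkey_fp key  "$1") || return 2
    r=$(pubkey_fp csr  "$2") || return 2
    c=$(pubkey_fp cert "$3") || return 2
    echo "key  $k"; echo "csr  $r"; echo "cert $c"
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Build constructed test material: a key, its CSR, a certificate signed from
# that CSR, and a second key standing in for a key that was regenerated later.
demo_setup() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/site.key" 2048 2>/dev/null
    openssl req -new -key "$d/site.key" -subj "/CN=example.test" \
        -out "$d/site.csr" 2>/dev/null
    openssl x509 -req -in "$d/site.csr" -signkey "$d/site.key" -days 1 \
        -out "$d/site.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    echo "$d"
}

d=$(demo_setup)
same_keypair "$d/site.key" "$d/site.csr" "$d/site.crt" && echo "match"
same_keypair "$d/other.key" "$d/site.csr" "$d/site.crt" ||
    echo "mismatch: this key does not belong to the CSR and certificate"
rm -rf "$d"
```

If the CSR and certificate fingerprints agree but the key differs, the key file on disk was replaced after the CSR was created; if the key and CSR agree but the certificate differs, the certificate was issued for a different CSR.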

snowfly 26th July 2011 12:24

Quote:

Originally Posted by till (Post 260399)
The ssl key is in the ssl directory of the website. It does not get changed when you upload the cert, so you did not lose the key as the trustico support guessed. I explained to you above the possible reasons for the error message, either the trustico ssl cert is not based on the csr generated by ispconfig or you accidentally generated a new csr and key instead of saving it.

I deleted the SSL cert, and then recreated a new SSL Request via the website SSL tab, and made sure I selected 'Create Certificate'

And then used this new SSL request on the trustico site to replace the previous one.

I then took the new SSL cert, copied into the 'SSL Certificate' field in ISPConfig, made sure I selected 'Save Certificate', and saved.

Same problem, same error:
[Tue Jul 26 22:15:06 2011] [error] Unable to configure RSA server private key
[Tue Jul 26 22:15:06 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

In my Trustico account I can view the SSL certificate I have purchased, and it shows the CSR used.

When I do a diff on this CSR from the Trustico system, to the 'SSL Request' listed on the SSL tab for the website in ISPConfig, the CSRs match, exactly.

So what else could be wrong?

In the Trustico account I also see a 'Root/CA' certificate. (this is a RapidSSL cert)
Does this affect anything?
Do I need to put this in the 'SSL Bundle' field in ISPConfig?

till 26th July 2011 12:31

Quote:

Same problem, same error:
[Tue Jul 26 22:15:06 2011] [error] Unable to configure RSA server private key
[Tue Jul 26 22:15:06 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Ok. But the self signed certificate from ispconfig worked fine, before you replaced it with the ssl cert from trustico?

Quote:

Do I need to put this in the 'SSL Bundle' field in ISPConfig?
That might be, but only trustico can tell you if this certificate has to be installed as ssl chain certificate to use their certs in apache.

As a side note, you should update your ispconfig to the latest version 3.0.3.3

snowfly 26th July 2011 12:46

Quote:

Originally Posted by till (Post 260403)
Ok. But the self signed certificate from ispconfig worked fine, before you replaced it with the ssl cert from trustico?



That might be, but only trustico can tell you if this certificate has to be installed as ssl chain certificate to use their certs in apache.

As a side note, you should update your ispconfig to the latest version 3.0.3.3

Yes self signed certificate worked fine before I purchased RapidSSL cert from trustico.

The ISPConfig version I have is actually 3.0.3.3
This is what the Monitor tab suggests.
Before I just looked in the sys_config table, db_version row.

I tried using the CA/root cert from Trustico, in the same way I have used this on other non-ISPconfig servers.
I added this to the apache virtualhost config for the website:
SSLCertificateChainFile /var/www/clients/clientxxx/webxxx/ssl/xxx.ca

Restarted apache, but still get the same error as before.

snowfly 26th July 2011 13:01

So I repeated the whole process again, to see if I missed something:

1. Deleted SSL cert, disabled SSL for site
2. Waited for few minutes, checked site is ok, and SSL is disabled
3. Enabled SSL, waited
4. Filled in form on SSL tab of website, selected 'Create Certificate', saved, and waited
5. Checked SSL was working with self signed, yes, working OK in web browser
6. Copied 'SSL Request' from ISPConfig into Trustico, to replace the old CSR
7. Trustico generated a new SSL Certificate
8. Pasted new SSL cert into 'SSL Certificate' field for website, selected 'Save Certificate', saved, waited
9. Apache stopped, could not access ISPConfig.

Same error as before:
[Tue Jul 26 22:54:05 2011] [error] Unable to configure RSA server private key
[Tue Jul 26 22:54:05 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Weird...?

I'm now going to try bypass the ISPConfig SSL process, and manually create my own SSL key and CSR, see if that works.

snowfly 26th July 2011 13:39

Got it working!

Manually created the Key, CSR, and resubmitted CSR to trustico, generated new Cert, and copied files into /ssl directory of website.

So not sure what went wrong with the ISPconfig ssl generation tools?

Will try it again for the next ssl cert I need to create, but at least for now I can do manually.

kextra1 23rd April 2014 04:01

I had to add the intermediate.crt & then add or uncomment the path in the httpd.conf or whatever. I'm running ispconfig2 though, have done it the last 4 years and am having the same issue with the admin panel not starting. Must be something, but usually you just need the intermediate.crt & server.crt & the cert must be 2048


All times are GMT +2.