SSL Certificate Error - Apache does not start
I'm running ISPConfig 184.108.40.206, and trying to set up an SSL cert for a site.
However, Apache now fails to start, and I'm getting this in the error log:
[Tue Jul 26 21:16:49 2011] [error] Unable to configure RSA server private key
[Tue Jul 26 21:16:49 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
These are the steps I took in ISPConfig:
1. Enable SSL for the site
2. Create SSL cert on 'SSL' tab, fill out fields, change SSL Action to 'Create Certificate', Save
3. Go back to SSL tab, copy 'SSL Request' (CSR)
4. I used Trustico (www.trustico.co.nz) to create a RapidSSL certificate, using CSR (from above)
5. Received RapidSSL cert, copied and pasted into 'SSL Certificate' field in ISPConfig 'SSL' tab for website
6. Changed action to 'Save Certificate', saved
7. Apache fails to start, cannot access ISPConfig control panel
Error from log at top of post.
I managed to get apache running again by commenting out SSLEngine On for site.
Any help please?
Thanks in advance.
I have spoken with Trustico support, and they have said the reason for the error is:
"You have lost the matching private key, that was created when you generated the CSR"
The SSL CSR was created via ISPConfig, so where is the original matching private key?
The steps you took are correct.
According to the error message above, the ssl certificate that was copied back to ispconfig was not based on the csr from ispconfig, so that the key of the ssl cert did not match and apache could not be started. Maybe trustico created its own csr and did not use the one from ispconfig or you accidentally selected "create certificate" instead of "save certificate" to save the ssl cert.
And then used this new SSL request on the trustico site to replace the previous one.
I then took the new SSL cert, copied into the 'SSL Certificate' field in ISPConfig, made sure I selected 'Save Certificate', and saved.
Same problem, same error:
[Tue Jul 26 22:15:06 2011] [error] Unable to configure RSA server private key
[Tue Jul 26 22:15:06 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
In my Trustico account I can view the SSL certificate I have purchased, and it shows the CSR used.
When I do a diff on this CSR from the Trustico system, to the 'SSL Request' listed on the SSL tab for the website in ISPConfig, the CSRs match, exactly.
So what else could be wrong?
In the Trustico account I also see a 'Root/CA' certificate. (this is a RapidSSL cert)
Does this affect anything?
Do I need to put this in the 'SSL Bundle' field in ISPConfig?
As a side note, you should update your ispconfig to the latest version 220.127.116.11
The ISPConfig version I have is actually 18.104.22.168
This is what the Monitor tab suggests.
Before I just looked in the sys_config table, db_version row.
I tried using the CA/root cert from Trustico, in the same way I have used this on other non-ISPconfig servers.
I added this to the apache virtualhost config for the website:
Restarted apache, but still get the same error as before.
So I repeated the whole process again, to see if I missed something:
1. Deleted SSL cert, disabled SSL for site
2. Waited for few minutes, checked site is ok, and SSL is disabled
3. Enabled SSL, waited
4. Filled in form on SSL tab of website, selected 'Create Certificate', saved, and waited
5. Checked SSL was working with self signed, yes, working OK in web browser
6. Copied 'SSL Request' from ISPConfig into Trustico, to replace the old CSR
7. Trustico generated a new SSL Certificate
8. Pasted new SSL cert into 'SSL Certificate' field for website, selected 'Save Certificate', saved, waited
9. Apache stopped, could not access ISPConfig.
Same error as before:
[Tue Jul 26 22:54:05 2011] [error] Unable to configure RSA server private key
[Tue Jul 26 22:54:05 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
I'm now going to try to bypass the ISPConfig SSL process, and manually create my own SSL key and CSR, see if that works.
Got it working!
Manually created the Key, CSR, and resubmitted CSR to trustico, generated new Cert, and copied files into /ssl directory of website.
So not sure what went wrong with the ISPconfig ssl generation tools?
Will try it again for the next ssl cert I need to create, but at least for now I can do manually.
I had to add the intermediate.crt & then add or uncomment the path in the httpd.conf or whatever. I'm running ispconfig2 though, have done it the last 4 years and am having the same issue with the admin panel not starting. Must be something, but usually you just need the intermediate.crt & server.crt & the cert must be 2048
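The "key values mismatch" error quoted in this thread means the public key inside the certificate is not the one belonging to the private key Apache loads. As an added example (not posted by anyone in the thread and not ISPConfig's own code), this script compares the public key in the key, certificate and CSR to show which file is out of step; the file names and the `make_demo` helper are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): find out which of key, CSR and
# certificate is the odd one out when Apache reports "key values mismatch".

# Print the SHA-256 of the public key embedded in a PEM file.
# $1 = key|csr|crt, $2 = path. Returns 2 if the file cannot be parsed.
pubkey_digest() {
    local pem
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac || return 2
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Compare key ($1), certificate ($2) and optionally the CSR ($3).
# Returns 0 if all agree, 1 on any mismatch, 2 if a file is unreadable.
check_match() {
    local k c r rc=0
    k=$(pubkey_digest key "$1") || { echo "unreadable key: $1" >&2; return 2; }
    c=$(pubkey_digest crt "$2") || { echo "unreadable certificate: $2" >&2; return 2; }
    if [ "$k" != "$c" ]; then
        echo "MISMATCH: certificate was not issued for this private key"
        rc=1
    fi
    if [ -n "${3:-}" ]; then
        r=$(pubkey_digest csr "$3") || { echo "unreadable CSR: $3" >&2; return 2; }
        [ "$r" = "$k" ] || { echo "MISMATCH: CSR was not made from this key"; rc=1; }
        [ "$r" = "$c" ] || { echo "MISMATCH: certificate was issued for a different CSR"; rc=1; }
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: same public key in every file"; fi
    return "$rc"
}

# Constructed throwaway material for a dry run in directory $1: a key, its
# CSR, a self-signed certificate from that CSR, and an unrelated second key.
make_demo() {
    openssl genrsa -out "$1/site.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/site.key" -subj "/CN=example.test" -out "$1/site.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" -days 1 -out "$1/site.crt" 2>/dev/null
}

# Usage: script.sh site.key site.crt [site.csr]
if [ "$#" -ge 2 ]; then check_match "$@"; fi
```

If the CSR and certificate agree with each other but not with the key, the key file on disk is not the one the CSR was generated from; if the CSR and key agree but the certificate differs, the certificate was issued for some other request.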