cbj4074, 8th November 2012, 20:40

Sorry to resurrect the thread here, Till.

So, I had to renew the SSL certificate for a domain.

Before sending the CSR off to the CSA, I ensured that the CSR contents in ISPConfig matched the contents on the filesystem (in /var/www/example.com/ssl/example.com.csr). Both values matched, so I requested the new certificate with that old/existing CSR (per the previous discussion in this thread).

When the new certificate came back, I attempted to follow your instructions and paste only the new .crt contents into ISPConfig's "SSL Certificate" field. When I clicked "Save Certificate", Apache refused to restart with:

Code:
[Thu Nov 08 10:44:06 2012] [error] Unable to configure RSA server private key
[Thu Nov 08 10:44:06 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Thu Nov 08 10:44:08 2012] [error] Unable to configure RSA server private key
[Thu Nov 08 10:44:08 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

So, I did some research and used the commands outlined at https://www.sslshopper.com/certificate-key-matcher.html to perform comparisons against the various certificate components.

Here is the output of the various commands against the old/existing/working certificate:

Code:
# openssl x509 -noout -modulus -in /var/www/example.com/ssl/example.com.crt | openssl md5
395aed008daf908ba3c447cec3a50db6
# openssl rsa -noout -modulus -in /var/www/example.com/ssl/example.com.key | openssl md5
395aed008daf908ba3c447cec3a50db6
# openssl req -noout -modulus -in /var/www/example.com/ssl/example.com.csr | openssl md5
395c05c527c4a8584a01863542213e96

Is the last hash, for the CSR, supposed to match the hash for the certificate and the key? In other words, does the above output indicate that this CSR was not in fact used to generate the certificate? This seems to be the case, because I pasted the new certificate into the site's ssl directory, alongside the other files, and hashed its modulus:

Code:
# openssl x509 -noout -modulus -in /var/www/example.com/ssl/example.com.new.crt | openssl md5
395c05c527c4a8584a01863542213e96

So, what does this tell us? That this CSR file is irrelevant, as it was not used to create the first/original certificate?
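The key/CSR/certificate comparison from the post above, as an added example that is not part of the original post: a CSR carries the public key of the private key that created it, and the issued certificate carries that same public key, so all three must agree before Apache will load the pair. The script compares a SHA-256 of the embedded public key instead of an MD5 of the RSA modulus; the function names and the sample files it generates are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Compares the public key embedded
# in a private key, a CSR and a certificate. Assumes unencrypted PEM files.

# pubkey_fp KIND FILE: print SHA-256 of the PEM public key; KIND = key|csr|crt
pubkey_fp() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    # Unreadable input must not hash to a constant and look like a match.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_key KIND1 FILE1 KIND2 FILE2: exit 0 only if both hold the same public key
same_key() {
    a=$(pubkey_fp "$1" "$2") || return 2
    b=$(pubkey_fp "$3" "$4") || return 2
    [ "$a" = "$b" ]
}

# make_samples DIR: constructed files reproducing the situation in the post.
# site.key/old.crt share one key; stale.csr and new.crt come from another key.
# Self-signing stands in for the CA, which copies the CSR's public key as-is.
make_samples() {
    openssl genrsa -out "$1/site.key" 2048 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/site.key" -subj "/CN=example.com" \
        -days 1 -out "$1/old.crt" 2>/dev/null
    openssl req -new -key "$1/other.key" -subj "/CN=example.com" \
        -out "$1/stale.csr" 2>/dev/null
    openssl x509 -req -in "$1/stale.csr" -signkey "$1/other.key" \
        -days 1 -out "$1/new.crt" 2>/dev/null
}

report() {  # report LABEL KIND1 FILE1 KIND2 FILE2
    if same_key "$2" "$3" "$4" "$5"; then echo "$1: match"; else echo "$1: MISMATCH"; fi
}

d=$(mktemp -d) && make_samples "$d"
report "old.crt vs site.key  " crt "$d/old.crt"   key "$d/site.key"
report "stale.csr vs site.key" csr "$d/stale.csr" key "$d/site.key"
report "new.crt vs stale.csr " crt "$d/new.crt"   csr "$d/stale.csr"
report "new.crt vs site.key  " crt "$d/new.crt"   key "$d/site.key"
rm -rf "$d"
```

Running `same_key csr <file>.csr key <file>.key` before submitting a CSR confirms that the private key on disk is the one the returned certificate will need.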