SSL Certificate Error - Apache does not start

#1 | snowfly | 26th July 2011, 11:44

Hi,

I'm running ISPConfig 3.0.3.1, and trying to set up an SSL cert for a site.

However, Apache now fails to start, and I am getting this in the error log:

[Tue Jul 26 21:16:49 2011] [error] Unable to configure RSA server private key
[Tue Jul 26 21:16:49 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

These are the steps I took in ISPConfig:

1. Enable SSL for the site
2. Create SSL cert on 'SSL' tab, fill out fields, change SSL Action to 'Create Certificate', Save
3. Go back to SSL tab, copy 'SSL Request' (CSR)
4. I used Trustico (www.trustico.co.nz) to create a RapidSSL certificate, using CSR (from above)
5. Received RapidSSL cert, copied and pasted into 'SSL Certificate' field in ISPConfig 'SSL' tab for website
6. Changed action to 'Save Certificate', saved
7. Apache fails to start, cannot access ISPConfig control panel

Error from log at top of post.

I managed to get apache running again by commenting out SSLEngine On for the site.


Any help please?
Thanks in advance.

#2 | snowfly | 26th July 2011, 12:03

Update:
I have spoken with Trustico support, and they have said the reason for the error is:

"You have lost the matching private key, that was created when you generated the CSR"

The SSL CSR was created via ISPConfig, so where is the original matching private key?

#3 | till | 26th July 2011, 12:06

Quote:
Originally Posted by snowfly
> Update:
> I have spoken with Trustico support, and they have said the reason for the error is:
>
> "You have lost the matching private key, that was created when you generated the CSR"
>
> The SSL CSR was created via ISPConfig, so where is the original matching private key?

The ssl key is in the ssl directory of the website. It does not get changed when you upload the cert, so you did not lose the key as the trustico support guessed. I explained to you above the possible reasons for the error message: either the trustico ssl cert is not based on the csr generated by ispconfig or you accidentally generated a new csr and key instead of saving it.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#4 | snowfly | 26th July 2011, 12:24

Quote:
Originally Posted by till
> The ssl key is in the ssl directory of the website. It does not get changed when you upload the cert, so you did not lose the key as the trustico support guessed. I explained to you above the possible reasons for the error message: either the trustico ssl cert is not based on the csr generated by ispconfig or you accidentally generated a new csr and key instead of saving it.

I deleted the SSL cert, and then recreated a new SSL Request via the website SSL tab, and made sure I selected 'Create Certificate'.

And then used this new SSL request on the trustico site to replace the previous one.

I then took the new SSL cert, copied into the 'SSL Certificate' field in ISPConfig, made sure I selected 'Save Certificate', and saved.

Same problem, same error:
[Tue Jul 26 22:15:06 2011] [error] Unable to configure RSA server private key
[Tue Jul 26 22:15:06 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

In my Trustico account I can view the SSL certificate I have purchased, and it shows the CSR used.

When I do a diff on this CSR from the Trustico system, to the 'SSL Request' listed on the SSL tab for the website in ISPConfig, the CSRs match, exactly.

So what else could be wrong?

In the Trustico account I also see a 'Root/CA' certificate. (this is a RapidSSL cert)
Does this affect anything?
Do I need to put this in the 'SSL Bundle' field in ISPConfig?

#5 | till | 26th July 2011, 12:31

Quote:
> Same problem, same error:
> [Tue Jul 26 22:15:06 2011] [error] Unable to configure RSA server private key
> [Tue Jul 26 22:15:06 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Ok. But the self signed certificate from ispconfig worked fine, before you replaced it with the ssl cert from trustico?

Quote:
> Do I need to put this in the 'SSL Bundle' field in ISPConfig?

That might be, but only trustico can tell you if this certificate has to be installed as ssl chain certificate to use their certs in apache.

As a side note, you should update your ispconfig to the latest version 3.0.3.3

#6 | snowfly | 26th July 2011, 12:46

Quote:
Originally Posted by till
> Ok. But the self signed certificate from ispconfig worked fine, before you replaced it with the ssl cert from trustico?
>
> That might be, but only trustico can tell you if this certificate has to be installed as ssl chain certificate to use their certs in apache.
>
> As a side note, you should update your ispconfig to the latest version 3.0.3.3

Yes, self signed certificate worked fine before I purchased RapidSSL cert from trustico.

The ISPConfig version I have is actually 3.0.3.3
This is what the Monitor tab suggests.
Before I just looked in the sys_config table, db_version row.

I tried using the CA/root cert from Trustico, in the same way I have used this on other non-ISPconfig servers.
I added this to the apache virtualhost config for the website:
SSLCertificateChainFile /var/www/clients/clientxxx/webxxx/ssl/xxx.ca

Restarted apache, but still get the same error as before.

#7 | till | 26th July 2011, 12:04

The steps you took are correct.

According to the error message above, the ssl certificate that was copied back to ispconfig was not based on the csr from ispconfig, so that the key of the ssl cert did not match and apache could not be started. Maybe trustico created its own csr and did not use the one from ispconfig or you accidentally selected "create certificate" instead of "save certificate" to save the ssl cert.
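
A check for the mismatch discussed in this thread, as an added example that is not part of any post: it compares the public key embedded in the private key, the CSR and the certificate, since Apache logs `key values mismatch` when key and certificate differ. The file names and the self-signed stand-in certificate are constructed sample data; on a real server, `check_match` would be pointed at the files in the site's ssl directory.

```shell
#!/bin/sh
# Added example: fingerprint the public key held in a private key, a CSR and
# a certificate, then compare the three values.

# Read a PEM public key on stdin and print the SHA-256 of its DER form.
# Prints nothing when the input is empty (unreadable or wrong file type).
spki_fp() {
    pem=$(cat)
    if [ -n "$pem" ]; then
        printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
            openssl dgst -sha256 | awk '{print $NF}'
    fi
}
key_fp()  { openssl pkey -in "$1" -pubout 2>/dev/null | spki_fp; }
csr_fp()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null | spki_fp; }
cert_fp() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | spki_fp; }

# check_match KEY CSR CERT: print the three fingerprints and succeed only if
# all three are present and identical.
check_match() {
    k=$(key_fp "$1"); r=$(csr_fp "$2"); c=$(cert_fp "$3")
    printf 'key  %s\ncsr  %s\ncert %s\n' "$k" "$r" "$c"
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Constructed sample data: a key with its CSR, a self-signed certificate
# standing in for the CA-issued one, and a second key generated afterwards
# (the "new key created after the CSR was sent" case).
make_samples() {
    d=$(mktemp -d) || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/site.key" -out "$d/site.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/site.csr" -signkey "$d/site.key" -days 1 \
        -out "$d/site.crt" >/dev/null 2>&1
    openssl genrsa -out "$d/regenerated.key" 2048 >/dev/null 2>&1
    echo "$d"
}

dir=$(make_samples)
check_match "$dir/site.key" "$dir/site.csr" "$dir/site.crt" \
    && echo "OK: key, CSR and certificate belong together"
check_match "$dir/regenerated.key" "$dir/site.csr" "$dir/site.crt" \
    || echo "MISMATCH: Apache would log 'key values mismatch'"
rm -rf "$dir"
```

If the CSR and certificate fingerprints agree but the key differs, the key on disk was regenerated after the CSR was sent; if the key and CSR agree but the certificate differs, the pasted certificate was not issued from that CSR.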
All times are GMT +2.