Post #1 by wxman (Senior Member), 10th June 2009, 00:03
Subject: Adding SSL cert brought Apache down

I was trying to step through adding a cert to one of my sites using ISPConfig 3.0.1.3. I made it to adding the SSL and bundle, told it to save, and the whole server froze. I have no idea where I went wrong, but my log shows:
Code:
Unable to configure RSA server private key
SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
every time I try a restart.

I know one thing that I might have missed was changing the IP address from * to the actual address. If I go to the command prompt to restart apache, all it says is:
Code:
httpd (pid 13791?) not running
When I was setting it up, I also wasn't sure if I was supposed to change the certificate showing under the 'SSL Request' box, and replace it with the one for my domain that was sent to me. I did replace it, then pasted the bundle into the bottom box, and told it to save. Before I pasted the new domain cert into the box that already had one in it, I copied the cert that was there and saved it.

Is there anything I can do to restart the whole process? I'd be happy to remove the changes and start over, but I don't know where to start. I can get to server files, and MySQL tables, but nothing running on Apache.

Last edited by wxman; 10th June 2009 at 02:38.
Post #2 by wxman (Senior Member), 10th June 2009, 03:00

I sort of fixed it. I went in and commented out the SSL lines in the apache2/sites-available/ vhosts file for the domain I was working on. After an apache restart I was able to get back into ISPConfig 3 and deleted the certificate that was there, and unchecked SSL for the site. The problem now is I must have changed something without knowing. I can't get to my site at all, but I can get to ISPConfig, and there's no entry in the error log when I try to see my site. An apache restart gives:
Code:
_default_ VirtualHost overlap on port 80, the first has precedence
then it starts. I found the error that fixes this by adding the *:80 back that I must have removed by accident.

I still need to add the certificate that started all this, but I don't want to make the same mistakes. Is there any step by steps to doing the certs in ISPC3? I just checked the SSL page, and it still shows something in the 'SSL Certificate' and 'SSL Request' boxes.

Last edited by wxman; 10th June 2009 at 03:24.
Post #3 by till (Super Moderator), 10th June 2009, 08:37

Your problem is that you added an SSL certificate that was not based on the CSR created by ISPConfig, so the private keys didn't match and Apache was not able to start anymore. You have to reissue the certificate and this time use the CSR that was created by ISPConfig to create the signed certificate.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
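
The "key values mismatch" condition discussed above can be checked from the shell before a certificate is saved and Apache is restarted. This is an added example, not part of the original thread or of ISPConfig: it compares the public key inside a certificate, a CSR and a private key using openssl. The file names and the example.test subject are constructed samples.

```shell
#!/bin/sh
# Added example: confirm that a certificate, CSR and private key carry the
# same public key before Apache is pointed at them.
# All files below are constructed samples generated in a temp directory.

# Print the public key (PEM) contained in a cert, csr or private key file.
pubkey_of() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# keys_match KIND_A FILE_A KIND_B FILE_B
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
keys_match() {
    a=$(pubkey_of "$1" "$2") || return 2
    b=$(pubkey_of "$3" "$4") || return 2
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# Build constructed sample material in directory $1:
#   site.key/site.csr  key and CSR as a control panel would create them
#   site.crt           self-signed stand-in for the CA-issued certificate
#   other.key          unrelated key, reproducing the mismatch case
make_samples() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/site.key" -out "$1/site.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" -days 1 \
        -out "$1/site.crt" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

dir=$(mktemp -d) || exit 2
trap 'rm -rf "$dir"' EXIT
make_samples "$dir" || exit 2

keys_match cert "$dir/site.crt" key "$dir/site.key" &&
    echo "site.key:  matches certificate, safe to install"
keys_match cert "$dir/site.crt" key "$dir/other.key" ||
    echo "other.key: key values mismatch, do not install"
```

Running `keys_match csr request.csr cert issued.crt` against the CSR shown in the panel and the certificate returned by the CA shows whether the CA actually signed that request.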
Post #4 by wxman (Senior Member), 10th June 2009, 12:52

Quote:
Originally Posted by till
Your problem is that you added an SSL certificate that was not based on the CSR created by ISPConfig, so the private keys didn't match and Apache was not able to start anymore. You have to reissue the certificate and this time use the CSR that was created by ISPConfig to create the signed certificate.
I did use the CSR created by ISPConfig. When I first went to the domain settings on ISPConfig, there was nothing in the CSR box. I told it to create certificate. It made the CSR which I used to get a standard certificate at Godaddy. They sent me the cert for the domain, and the bundle. I went back to ISPConfig and there was a certificate now showing in both the CSR and SSL Certificate boxes. I replaced the one in the SSL Certificate box with the SSL certificate that was issued, pasted the bundle into the SSL bundle box, then told it to 'save certificate'. That's when it froze. I wasn't sure if I was supposed to replace the showing cert in the SSL Certificate box with the one they issued or not.

Also, I'm not clear on the IP address. The web server is behind a load balancer, which is behind a router. I have 5 IP addresses, and one of them is now routed to the local address at the load balancer. ISPConfig server IP is set to local address of the load balancer.
Code:
[server]
auto_network_configuration=
ip_address=192.168.31.100
I would like to use the public IP I'm using now for the first certificate, but I expect at least two more sites will need them. Do I just add more IPs to the "Edit Server IP" section?

Here's an even bigger question. I don't know how I missed it, but HAProxy can't do SSL. I'm told that I need to install apache and mod_ssl on my LB nodes. First I have to find a how-to for that. But that made me wonder now where the certificates get installed.
I'm really wondering if I should do away with haproxy, get rid of the LB nodes, and just run heartbeat on the server to do failover.

Last edited by wxman; 10th June 2009 at 17:54.
Post #5 by jbimmerle (Junior Member), 3rd September 2009, 05:05

Similar to my request in another post -- does anyone have any follow-up on this?

Thanks
Post #6 by till (Super Moderator), 3rd September 2009, 11:19

And what is your exact question? Please make a new post for your issue instead of posting in other threads.
Post #7 by jbimmerle (Junior Member), 3rd September 2009, 12:35

Quote:
Originally Posted by till
And what is your exact question? Please make a new post for your issue instead of posting in other threads.
Sorry -- I posted in this thread because I had exactly the same question as wxMan concerning SSL certificates on load balanced environments and how they work. I will post a new separate thread on this but please don't bash me for opening a duplicate stream then.

Wow -- can't win with some people.
Post #8 by till (Super Moderator), 3rd September 2009, 13:00

The problem is that in most cases, people post to threads because they think they are related but they are not really related to the problem. Or a problem in a thread is specific to a version of a software and does not apply to current versions. That's why it is better to make a new thread for a problem and post the exact problem description and error messages that you got.
Post #9 by jbimmerle (Junior Member), 3rd September 2009, 13:58

Understood. Once I've collected my thoughts I will post under a separate thread to ensure that I've explained everything as clearly as possible (or at least tried).

Thanks again and sorry for being a bit testy -- late night last night and an early morning. Makes for a bad combination.