HowtoForge Forums > ISPConfig 3 > Installation/Configuration

#1
23rd October 2012, 22:49
cbj4074 (Senior Member)

Creating a new CSR when a certificate is already installed and in use

The ISPConfig 3 manual does not address this particular situation:

I have an SSL certificate that is already installed, and it has become necessary for me to renew that certificate. I need to install the new certificate without interruption to HTTPS service.

How is this done in ISPConfig 3? From what I can tell, if I choose "Create certificate" from the SSL Action menu, ISPConfig will indeed generate a new CSR, but it will also overwrite the existing certificate's key file, which will cause Apache to fail (because the key and the certificate will no longer match).

Historically, I've had to create the new CSR on the shell prompt and then copy everything into place, as described in the manual section, "5.4.1 How Do I Import An Existing SSL Certificate Into A Web Site That Was Created Later In ISPConfig?"

Am I missing something? Or is the manual route the only route at the moment?

Thanks for any help.
#2
24th October 2012, 09:41
till (Super Moderator, Lüneburg, Germany)

You don't have to create a new CSR when you renew an SSL cert, as CSRs don't expire. Just take the existing CSR and have it signed again, copy the new CRT into the SSL CRT field in ISPConfig, select save as action and click on the save button. No manual changes required in any files.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3
24th October 2012, 15:41
cbj4074 (Senior Member)

Thanks, Till. Very nice; I was unaware of the fact that CSRs do not expire. I learn something new every day around here.
#4
8th November 2012, 21:40
cbj4074 (Senior Member)

Sorry to resurrect the thread here, Till.

So, I had to renew the SSL certificate for a domain.

Before sending the CSR off to the CSA, I ensured that the CSR contents in ISPConfig matched the contents on the filesystem (in /var/www/example.com/ssl/example.com.csr). Both values matched, so I requested the new certificate with that old/existing CSR (per the previous discussion in this thread).

When the new certificate came back, I attempted to follow your instructions and paste only the new .crt contents into ISPConfig's "SSL Certificate" field. When I clicked "Save Certificate", Apache refused to restart with:

Code:
[Thu Nov 08 10:44:06 2012] [error] Unable to configure RSA server private key
[Thu Nov 08 10:44:06 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Thu Nov 08 10:44:08 2012] [error] Unable to configure RSA server private key
[Thu Nov 08 10:44:08 2012] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

So, I did some research and used the commands outlined at https://www.sslshopper.com/certificate-key-matcher.html to perform comparisons against the various certificate components.

Here is the output of the various commands against the old/existing/working certificate:

Code:
# openssl x509 -noout -modulus -in /var/www/example.com/ssl/example.com.crt | openssl md5
395aed008daf908ba3c447cec3a50db6
# openssl rsa -noout -modulus -in /var/www/example.com/ssl/example.com.key | openssl md5
395aed008daf908ba3c447cec3a50db6
# openssl req -noout -modulus -in /var/www/example.com/ssl/example.com.csr | openssl md5
395c05c527c4a8584a01863542213e96

Is the last hash, for the CSR, supposed to match the hash for the certificate and the key? In other words, does the above output indicate that this CSR was not in fact used to generate the certificate? This seems to be the case, because I pasted the new certificate into the site's ssl directory, alongside the other files, and hashed its modulus:

Code:
# openssl x509 -noout -modulus -in /var/www/example.com/ssl/example.com.new.crt | openssl md5
395c05c527c4a8584a01863542213e96

So, what does this tell us? That this CSR file is irrelevant, as it was not used to create the first/original certificate?
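The modulus comparison in post #4 is the check every renewal should pass before the new CRT is pasted into ISPConfig, because Apache's X509_check_private_key error is exactly what a key/certificate modulus mismatch produces. The script below is an added example, not code from the thread or from ISPConfig: it wraps the three sslshopper commands in one function, compares the fingerprints instead of leaving them to the eye, and refuses to report "match" when a file is missing or holds no modulus (two empty outputs would otherwise hash to the same value). It assumes the openssl CLI is installed; the key pairs a and b are constructed on the fly, with pair b standing in for the CSR that was generated on the command line from a different key.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a private key, a
# certificate and a CSR all carry the same RSA modulus before saving a
# renewed certificate, so Apache never hits "key values mismatch".
# Assumes the openssl CLI is installed; all file names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print a SHA-256 fingerprint of the modulus held in a key, cert or CSR.
# Any hash works here (the thread uses MD5): it only has to make two
# modulus values comparable at a glance. Fails loudly on unreadable
# input instead of fingerprinting an empty string.
modulus_hash() {
  kind=$1; file=$2
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  mod=$(case "$kind" in
    key) openssl rsa  -noout -modulus -in "$file" ;;
    crt) openssl x509 -noout -modulus -in "$file" ;;
    csr) openssl req  -noout -modulus -in "$file" ;;
    *)   echo "unknown kind: $kind" >&2 ;;
  esac)
  [ -n "$mod" ] || { echo "no modulus found in $file" >&2; return 2; }
  printf '%s\n' "$mod" | openssl sha256 | awk '{print $NF}'
}

# Exit 0 only when key, certificate and (if given) CSR share one modulus;
# 1 on a mismatch, 2 when a file could not be examined.
check_match() {
  key=$1; crt=$2; csr=${3:-}
  k=$(modulus_hash key "$key") || return 2
  c=$(modulus_hash crt "$crt") || return 2
  if [ "$k" != "$c" ]; then
    echo "MISMATCH: $crt was not issued for the key in $key"
    return 1
  fi
  if [ -n "$csr" ]; then
    r=$(modulus_hash csr "$csr") || return 2
    if [ "$k" != "$r" ]; then
      echo "MISMATCH: $csr was generated from a different key than $key"
      return 1
    fi
  fi
  echo "OK: key, certificate and CSR share modulus fingerprint $k"
}

# Constructed sample material: key A with its CSR and a self-signed cert,
# and key B with its own CSR and cert (the "CSR made on the command line
# from another key" situation described in the thread).
gen_pair() {  # gen_pair <basename> <common name>
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -out "$WORK/$1.crt" -days 1 2>/dev/null
}
gen_pair a example.com
gen_pair b example.com

if check_match "$WORK/a.key" "$WORK/a.crt" "$WORK/a.csr"; then
  echo "safe to paste a.crt into the SSL Certificate field"
fi
# Certificate issued against the wrong CSR: refuse before Apache does.
if ! check_match "$WORK/a.key" "$WORK/b.crt" "$WORK/b.csr"; then
  echo "do not install b.crt; have it reissued from a.csr instead"
fi
```

Run it against the real files as check_match /var/www/example.com/ssl/example.com.key example.com.new.crt example.com.csr and only save the certificate in ISPConfig when it prints OK. The modulus trick is RSA-specific; for an EC key compare the public keys instead (openssl pkey -pubout against openssl x509 -pubkey -noout), which is the same idea applied to a key type that has no modulus.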
#5
9th November 2012, 09:47
till (Super Moderator, Lüneburg, Germany)

Quote:
So, what does this tell us? That this CSR file is irrelevant, as it was not used to create the first/original certificate?

The content of the CSR file and the CSR field in ISPConfig were identical at the time the original certificate was created in ISPConfig. It might be that someone replaced the CSR or key file in the filesystem, or pasted a different CSR into the CSR field in ISPConfig, so that the CSR and key do not belong together anymore.
#6
9th November 2012, 19:02
cbj4074 (Senior Member)

Quote:
It might be that someone replaced the csr or key file in the filesystem or pasted a different csr into the csr field in ispconfig so that the csr and key does not belong together anymore.

That "someone" was me.

After looking through my files, I see what happened.

I created a self-signed certificate when I installed ISPConfig, via the ISPC interface, just to secure communications until I could acquire a proper certificate.

Then I generated the CSR for the proper certificate on the command-line (not through ISPConfig).

Fortunately, I kept all of the certificate components, and I was able to find the original CSR file and its modulus's MD5 hash matches that of the other certificate components.

So, it seems that I will need to have the new certificate reissued upon the correct CSR.

Thanks for your help in straightening this out, Till.