  #1  
Old 19th April 2008, 06:30
debian-lover debian-lover is offline
HowtoForge Supporter
 
Join Date: Mar 2008
Posts: 13
Thanks: 3
Thanked 0 Times in 0 Posts
SSL and IPs problem.

Hi everyone, I need some help getting SSL working on my ISPConfig setup.

First of all, I am not even sure if I've set up the IPs correctly. I have two private IPs and two public IPs that I can use.

Private IPs:
192.168.16.36
192.168.16.37

Public IPs (e.g.):
222.22.22.21
222.22.22.22

From the attachments, I am pretty sure (1) is the private IP and (4) is the public one, but I'm not sure about (2) and (3).

So, http://(www.)testsite.com works fine with the current configuration but as soon as I turn on the SSL, it stops working. I don't even have to touch the SSL tab, and I get the "connection was reset" error on Firefox. Also, I get the same error if I go to https://www.testsite.com

Apache log in /var/log/apache2/error.log does not record anything; however, /var/www/web10/ssl/log/error.log has the following:
Code:
[Fri Apr 18 17:29:53 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:29:53 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:func(128):reason(116)
[Fri Apr 18 17:29:54 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:29:54 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Apr 18 17:36:06 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:36:06 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Apr 18 17:36:48 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:36:48 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Apr 18 17:36:48 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:36:48 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Apr 18 17:37:20 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:37:20 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Apr 18 17:37:20 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:37:20 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Apr 18 17:38:11 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:38:11 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
[Fri Apr 18 17:38:12 2008] [error] Unable to configure RSA server private key
[Fri Apr 18 17:38:12 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
What could be the problem? Any help much appreciated.
  #2  
Old 19th April 2008, 11:00
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 37,043
Thanks: 841
Thanked 5,661 Times in 4,468 Posts

Did you copy an SSL cert into the ssl directory of the website manually?

Please go to the SSL tab of the site, enter the details for the SSL key and select create as action. Then click on save and wait about a minute. Then try again to connect.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 19th April 2008, 11:28
debian-lover debian-lover is offline

Yes till, it works fine with the self-signed certificate, but when I install a trusted certificate, Apache stops working and doesn't restart until I delete the new certificate. I've tried two different certificates, from Comodo and RapidSSL. Both give the same error, which doesn't let Apache restart.

Code:
[Sat Apr 19 01:18:49 2008] [error] Unable to configure RSA server private key
[Sat Apr 19 01:18:49 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
I googled for this error and found this
Quote:
View the certificate modulus using the following command:

openssl x509 -noout -text -in certfile -modulus


View the key using the following command:

openssl rsa -noout -text -in keyfile -modulus


Verify the following:
- Verify that the certificate and private key is saved in Notepad and that it has no trailing spaces.
- The "modulus" and "public exponent" portions in the key and the certificate must match exactly.
- Make sure you aren't using the default server.key file.
- You should also check the httpd.conf file to make sure that the directives are pointing to the correct private key and certificate.


If they do not match, you will have to reissue your certificate

From: http://www.entrust.net/knowledge-bas...te.cfm?tn=5892
They, indeed, match in my case. I can't figure out where the problem is. Any idea?
  #4  
Old 19th April 2008, 11:44
till till is online now

Ok, you did not say in your post that you installed an SSL cert that was not created on the basis of the CSR from ISPConfig. If you want to set up a trusted cert, it must be created on the basis of the CSR that ISPConfig created for you, otherwise you will get these errors, as the private key is not valid for your certificate.

Another solution is to replace the private key in the ssl directory of the website with the private key that you used to create the trusted cert.
  #5  
Old 19th April 2008, 20:53
debian-lover debian-lover is offline

I did follow the steps listed in the official ISPConfig documentation to create a CSR. Ok, here's what I did:

- Enabled SSL Checkbox
- In the SSL Tab, filled all the information in text-boxes
- In the drop down, selected "Create Certificate"
- Wait for a minute
- In the drop down, selected "Save Certificate"
- Restarted apache and everything working fine (I can access https:// with the popup).

Now, to replace the self-signed cert with trusted cert.
- In the SSL tab, copied the "SSL Request" and sent it to CA.
- They gave me the certificate, and I replaced the default "SSL Certificate" with the one the CA gave me.
- "Save certificate"
- Restarted apache, and it stopped working.

As I said, I've tried this with two different CAs. One of them required the SSLCertificateChainFile; I uploaded the chain file and entered the required line in the "Apache Directives (Optional)" field. Both of them give the same error.

Also, I am still confused about the IPs. Should I get more public IPs or Private IPs?

Sorry for being a pain. I am working on it as hard as I can. Thanks for your time.
  #6  
Old 20th April 2008, 00:02
till till is online now

Your steps are ok, but the error message definitely shows that the wrong key is used. Are you really sure that you did not accidentally enter the bundle certificate in the SSL certificate field and that your CA did not use another CSR for the cert than the one created by ISPConfig?
  #7  
Old 20th April 2008, 01:37
debian-lover debian-lover is offline

Yeah, I entered the .crt only not the bundle.

Ok, the modulus of .key and .crt (from CA) do not match, but they do match in the case of .key and .crt (self-signed).

Any idea what I am doing wrong?

Thanks

Last edited by debian-lover; 20th April 2008 at 02:36.
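
The modulus comparison discussed in posts #3 to #7, extended to the CSR so that it also shows whether a CA-issued certificate came from the request belonging to the key on disk. This is an added example, not part of any forum post: the function names are hypothetical, and it generates its own throwaway keys, CSR and self-signed certificates (constructed file names a.key, a.csr, a.crt, b.key, b.crt) instead of reading ISPConfig's files.

```shell
#!/bin/sh
# Added example (not from the thread). All file names are constructed for the demo.

# Print the SHA-256 of the RSA modulus in FILE; KIND is rsa (key), req (CSR) or x509 (cert).
modulus_digest() {
    m=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$m" ] || return 1
    printf '%s' "$m" | openssl sha256 | awk '{print $NF}'
}

# check_triplet KEY CSR CRT: 0 if KEY pairs with CRT, 1 on mismatch, 2 if a file is unreadable.
check_triplet() {
    k=$(modulus_digest rsa "$1") || { echo "cannot read key $1"; return 2; }
    r=$(modulus_digest req "$2") || { echo "cannot read CSR $2"; return 2; }
    c=$(modulus_digest x509 "$3") || { echo "cannot read certificate $3"; return 2; }
    if [ "$k" = "$c" ]; then
        [ "$k" = "$r" ] || echo "note: the CSR belongs to a different key"
        echo "OK: private key matches certificate"; return 0
    elif [ "$k" = "$r" ]; then
        echo "MISMATCH: certificate was not issued from the CSR for this key"; return 1
    elif [ "$r" = "$c" ]; then
        echo "MISMATCH: certificate matches the CSR, but the key on disk is a different one"; return 1
    fi
    echo "MISMATCH: key, CSR and certificate are unrelated"; return 1
}

# Constructed demo material: two throwaway keys, one CSR, two self-signed certificates.
demo_setup() {
    d=$(mktemp -d) || return 1
    for n in a b; do
        openssl genrsa -out "$d/$n.key" 2048 2>/dev/null || return 1
        openssl req -new -x509 -key "$d/$n.key" -subj "/CN=www.testsite.com" \
            -days 1 -out "$d/$n.crt" 2>/dev/null || return 1
    done
    openssl req -new -key "$d/a.key" -subj "/CN=www.testsite.com" \
        -out "$d/a.csr" 2>/dev/null || return 1
    echo "$d"
}

dir=$(demo_setup) || exit 1
check_triplet "$dir/a.key" "$dir/a.csr" "$dir/a.crt" || true   # key, CSR and cert from one key
check_triplet "$dir/a.key" "$dir/a.csr" "$dir/b.crt" || true   # cert made from another key
check_triplet "$dir/b.key" "$dir/a.csr" "$dir/a.crt" || true   # wrong key left on disk
rm -rf "$dir"
```

The second case corresponds to the situation in post #7: the key and CSR agree with each other, but the certificate carries a different modulus.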
  #8  
Old 21st April 2008, 12:59
debian-lover debian-lover is offline

Resolved. Did a complete re-install.

For SSL, if going with Comodo, choose "Other" as your CSR generator not Apache's mod_ssl.