  #1  
Old 2nd October 2013, 14:41
lollollollol lollollollol is offline
Member
 
Join Date: Nov 2011
Location: Madagascar
Posts: 44
Thanks: 7
Thanked 6 Times in 5 Posts
SSL Reissue problem

Hi,
I'm going crazy, I've been on it since yesterday morning.
I have a certificate that I had to renew (at Namecheap), I was forced to reissue it because of a mistake (not from me but it's not important).

Code:
[Wed Oct 02 13:33:15 2013] [error] Unable to configure RSA server private key
[Wed Oct 02 13:33:15 2013] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
I tried this:
Delete old certificates in the ispconfig panel
Create a new command line csr (request)
copy / paste the certificate and the intermediate certificate in ispconfig
commit (save)

Apache crashes

I tried this:
Copy and paste the old csr and obtain a new certificate
Get the new crt and copy/paste it in place of the former (editing the file)

Apache crashes

I tried old way:
Create a new csr, and obtain a new certificate
modifying the vhost accordingly:
<IfModule mod_ssl.c>
SSLEngine on
# SSLCertificateFile /var/www/clients/client0/web109/ssl/domain.crt
# SSLCertificateKeyFile /var/www/clients/client0/web109/ssl/domain.key
# SSLCACertificateFile /var/www/clients/client0/web109/ssl/domain.bundle
SSLCertificateFile /etc/ssl/apache2/domain.crt
SSLCertificateKeyFile /etc/ssl/apache2/domain.key
SSLCertificateChainFile /etc/ssl/apache2/intermediate.crt
</IfModule>

Apache crashes

I finally tried this:
Create a new csr from my old key
obtain a certificate and copy/paste in place of the former

Apache crashes

I know the topic has been discussed often...
I read this: http://www.howtoforge.com/forums/showthread.php?t=53208
and this: http://www.howtoforge.com/forums/arc...p/t-59220.html
And many more ...

I do not see where my mistake is. I'm sure of course it's my fault, but I can't figure out how I can get out of this problem.

I don't understand why it is so complicated to flush the old ssl configuration on ispconfig?

Some help to drive me out of this would be very nice!

Laurent.
(and sorry for my poor English...).
  #2  
Old 2nd October 2013, 15:26
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,166
Thanks: 829
Thanked 5,412 Times in 4,255 Posts
Default

Which ispconfig version do you use?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 2nd October 2013, 15:37
lollollollol lollollollol is offline

Hi Till,
Always here to help, it's very nice!

Quote:
Which ispconfig version do you use?
3.0.5.3 on a Wheezy up-to-date.
  #4  
Old 2nd October 2013, 15:56
till till is offline

Ok, there are no known issues with the ssl part in that version.

An ssl certificate consists of 2 parts, the ssl key and the ssl cert. The csr is not important for the certificate installation, it is only used to obtain a signed ssl cert.

Quote:
I tried this:
Delete old certificates in the ispconfig panel
Create a new command line csr (request)
copy / paste the certificate and the intermediate certificate in ispconfig
commit (save)

Apache crashes
This cannot work as you did not copy the key. Instead of creating a csr on the command line, it would have been better to create one in ispconfig.

Normally you would just use these steps for a renewal:

1) Take the csr that is shown in ispconfig and have it signed again. The csr will not expire, so you can use it again. When you get the new ssl cert back, paste its content in the ssl cert field, select "save certificate" as action and press the save button. There is no need to delete certificates or create csr's manually etc.

To start over again, follow these steps:

1) Empty all fields on the ssl tab of the website, select delete certificate as action and click on save. Then wait at least one minute.

2) To be absolutely sure that there is no ssl cert left, delete all files in the ssl folder of the website.

3) Now create a new self signed ssl cert in ispconfig. Use the csr that is shown in ispconfig to get a signed ssl cert and paste this signed ssl cert in the ssl cert field and select "save certificate" as action.
  #5  
Old 2nd October 2013, 17:20
lollollollol lollollollol is offline

Hi Till,
Thank you very much for your answer.
You are right, I should have just renewed the certificate, but... I asked someone to do it for me and he reissued it...

I followed what you said:
- Emptied all fields, selected "delete certificate", saved
- erased all files in /ssl folder (it remained one)
- Asked for a new cert with the csr I found in Ispconfig
- Pasted the new obtained cert in the cert field, select "save certificate" and save.

Apache2 failed, and Ispconfig kept the old configuration.

- I tried again, this time adding the intermediate cert (I pasted the intermediate cert from rapidssl in the SSL bundle), selected save certificate and saved.

Still failed.

The only point where I'm confused is the choice of the cert at namecheap...
I chose Apache2 but I have the choice between (apache + openssl / apache + mod_ssl / apache + apacheSSL). I read I have to choose Apache2, I think it's the right choice.

What's in my /ssl folder now:
Code:
-rw-r--r-- 1 root root 1334 oct.   2 16:47 domain.biz.crt
-rw-r--r-- 1 root root 1862 oct.   2 16:47 domain.biz.crt.err
-rw-r--r-- 1 root root 1119 oct.   2 16:47 domain.biz.csr
-rw-r--r-- 1 root root 1138 oct.   2 16:47 domain.biz.csr.err
-r-------- 1 root root 1679 oct.   2 16:47 domain.biz.key
-rw-r--r-- 1 root root 1679 oct.   2 16:47 domain.biz.key~
-r-------- 1 root root 1706 oct.   2 16:47 domain.biz.key.err
-r-------- 1 root root 1751 oct.   2 16:47 domain.biz.key.org
-r-------- 1 root root 1751 oct.   2 16:47 domain.biz.key.org.err
I don't understand why the csr and csr.err do not have the same size (nor the key), and I don't understand what key.org is...

So I'm still at the same point... I should laugh at myself...
At the beginning it doesn't appear like something so difficult.

If you think I have missed something important, please tell me what!
Could it be a namecheap problem ?
  #6  
Old 3rd October 2013, 09:25
lollollollol lollollollol is offline

For more information: Do not try too often to reissue the certificate ...
It is nowhere stated that we should not try more than 10 times ...

Quote:
Unable to Process your order.
We are unable to Process your certificate request. We apologize for the inconvenience and we encourage you to try again. Error Details:-3005 ; Insufficent Remaining Reissues
I'm now fighting with Geotrust (via Namecheap) to obtain a new reissue.
  #7  
Old 3rd October 2013, 10:55
till till is offline

Did you test that the self signed ssl cert worked after you created it? You must be able to reach the site with ssl about 1-2 minutes after you created the self signed ssl cert. You will get a warning about an untrusted cert of course, but that's ok at this stage.
  #8  
Old 3rd October 2013, 14:33
lollollollol lollollollol is offline

Hi Till,
Yes, everything is OK:

Code:
# openssl x509 -noout -modulus -in domain.biz.crt | openssl md5
(stdin)= 7a41377f2698d4c273dcc1af1bbf235c
# openssl rsa -noout -modulus -in domain.biz.key | openssl md5
(stdin)= 7a41377f2698d4c273dcc1af1bbf235c
# openssl req -noout -modulus -in domain.biz.csr | openssl md5
(stdin)= 7a41377f2698d4c273dcc1af1bbf235c
I had an answer from Geotrust: I'll be able to reissue after 24h.
I'll test again tomorrow.

Thank you.
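The modulus comparison in the post above, generalized as an added example that is not part of the thread: it hashes the full public key with SHA-256 instead of the RSA modulus with MD5, so it also works for non-RSA keys, and it reports which file disagrees. The function names, the `example.test` subject and the generated sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Compares the public key carried by a
# certificate, a private key and optionally a CSR: the property Apache
# checks when it logs "key values mismatch".

# Print the SHA-256 of the DER public key. $1 = x509 | pkey | req, $2 = PEM file.
pub_fp() {
    case "$1" in
        x509) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        req)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        pkey) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    # An unreadable file must not end up hashed as empty input.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# check_match CERT KEY [CSR]: 0 = match, 1 = mismatch, 2 = unreadable input.
check_match() {
    c=$(pub_fp x509 "$1") || { echo "cannot read certificate $1"; return 2; }
    k=$(pub_fp pkey "$2") || { echo "cannot read key $2"; return 2; }
    if [ "$c" != "$k" ]; then
        echo "MISMATCH: $1 was not issued for $2"; return 1
    fi
    if [ -n "${3:-}" ]; then
        r=$(pub_fp req "$3") || { echo "cannot read CSR $3"; return 2; }
        [ "$r" = "$k" ] || { echo "MISMATCH: $3 was not made from $2"; return 1; }
    fi
    echo "OK: public keys match ($k)"
}

# Constructed sample data: self-signed cert and CSR for key a, unrelated key b.
make_sample() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$d/a.key" -out "$d/a.crt" 2>/dev/null
    openssl req -new -key "$d/a.key" -subj "/CN=example.test" -out "$d/a.csr" 2>/dev/null
    openssl genrsa -out "$d/b.key" 2048 2>/dev/null
    echo "$d"
}

# Usage: sh check.sh domain.biz.crt domain.biz.key [domain.biz.csr]
if [ "$#" -ge 2 ]; then check_match "$@"; fi
```

Running it against the newly issued certificate and the key file the vhost points to, before saving or reloading Apache, shows whether the reissued certificate belongs to a different key than the one on disk.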
  #9  
Old 4th October 2013, 09:26
till till is offline

Quote:
Yes, everything is OK:
And the website opens fine with ssl in the browser after you accepted the warning message?
  #10  
Old 4th October 2013, 09:37
lollollollol lollollollol is offline

Hello,
Quote:
and the website opens fine with ssl in the browser after you accepted the warning message?
Yes, that's what I meant.
I'm still "banned" by Geotrust, I'll try again in a couple of hours.
This time I would make backups before doing anything ...