SSL Reissue problem

Discussion in 'Installation/Configuration' started by lollollollol, Oct 2, 2013.

  1. lollollollol

    lollollollol Member

    Hi,
I'm going crazy, I've been on it since yesterday morning. :(
I have a certificate that I had to renew (at Namecheap); I was forced to reissue it because of a mistake (not mine, but that's not important).

    Code:
    [Wed Oct 02 13:33:15 2013] [error] Unable to configure RSA server private key
    [Wed Oct 02 13:33:15 2013] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    I tried this:
    Delete old certificates in the ispconfig panel
Create a new CSR (request) on the command line
    copy / paste the certificate and the intermediate certificate in ispconfig
    commit (save)

    Apache crashes

    I tried this:
    Copy and paste the old csr and obtain a new certificate
Get the new crt and copy/paste it in place of the former (editing the file)

    Apache crashes

I tried the old way:
    Create a new csr, and obtain a new certificate
    modifying the vhost accordingly:
    <IfModule mod_ssl.c>
    SSLEngine on
    # SSLCertificateFile /var/www/clients/client0/web109/ssl/domain.crt
    # SSLCertificateKeyFile /var/www/clients/client0/web109/ssl/domain.key
    # SSLCACertificateFile /var/www/clients/client0/web109/ssl/domain.bundle
    SSLCertificateFile /etc/ssl/apache2/domain.crt
    SSLCertificateKeyFile /etc/ssl/apache2/domain.key
    SSLCertificateChainFile /etc/ssl/apache2/intermediate.crt
    </IfModule>

    Apache crashes

    I finally tried this:
    Create a new csr from my old key
    obtain a certificate and copy/paste in place of the former

    Apache crashes

    I know the topic has been discussed often...
    I read this: http://www.howtoforge.com/forums/showthread.php?t=53208
    and this: http://www.howtoforge.com/forums/archive/index.php/t-59220.html
    And many more ...

I do not see where my mistake is. I'm sure of course it's my fault, but I can't figure out how to get out of this problem.

I don't understand why it is so complicated to flush the old ssl configuration in ispconfig?

    Some help to drive me out of this would be very nice! :)

    Laurent.
(and sorry for my poor English...).
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Which ispconfig version do you use?
     
  3. lollollollol

    lollollollol Member

    Hi Till,
    Always here to help, it's very nice! :)

    3.0.5.3 on a Wheezy up-to-date.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, there are no known issues with the ssl part in that version.

An ssl certificate consists of 2 parts, the ssl key and the ssl cert. The csr is not important for the certificate installation; it is only used to obtain a signed ssl cert.

This cannot work as you did not copy the key. Instead of creating a csr on the command line, it would have been better to create one in ispconfig.

Normally you would just use these steps for a renewal:

1) Take the csr that is shown in ispconfig and have it signed again. The csr will not expire, so you can use it again. When you get the new ssl cert back, paste its content in the ssl cert field, select "save certificate" as action and press the save button. There is no need to delete certificates or create csr's manually etc.

To start over again, follow these steps:

1) Empty all fields on the ssl tab of the website, select "delete certificate" as action and click on save. Then wait at least one minute.

2) To be absolutely sure that there is no ssl cert left, delete all files in the ssl folder of the website.

3) Now create a new self-signed ssl cert in ispconfig. Use the csr that is shown in ispconfig to get a signed ssl cert, paste this signed ssl cert in the ssl cert field and select "save certificate" as action.
     
  5. lollollollol

    lollollollol Member

    Hi Till,
    Thank you very much for your answer.
You are right, I should have just renewed the certificate, but... I asked someone to do it for me and he reissued it...

    I followed what you said:
- Emptied all fields, selected "delete certificate", saved
- Erased all files in the /ssl folder (one remained)
- Asked for a new cert with the csr I found in ISPConfig
- Pasted the newly obtained cert in the cert field, selected "save certificate" and saved.

Apache2 failed, and ISPConfig kept the old configuration.

- I tried again, adding this time the intermediate cert (I pasted the intermediate cert from RapidSSL in the SSL bundle field), selected "save certificate" and saved.

    Still failed.

The only point where I'm confused is the choice of the cert at Namecheap...
I chose Apache2 but I have the choice between (apache + openssl / apache + mod_ssl / apache + apacheSSL). I read that I have to choose Apache2; I think it's the right choice.

    What's in my /ssl folder now:
    Code:
    -rw-r--r-- 1 root root 1334 oct.   2 16:47 domain.biz.crt
    -rw-r--r-- 1 root root 1862 oct.   2 16:47 domain.biz.crt.err
    -rw-r--r-- 1 root root 1119 oct.   2 16:47 domain.biz.csr
    -rw-r--r-- 1 root root 1138 oct.   2 16:47 domain.biz.csr.err
    -r-------- 1 root root 1679 oct.   2 16:47 domain.biz.key
    -rw-r--r-- 1 root root 1679 oct.   2 16:47 domain.biz.key~
    -r-------- 1 root root 1706 oct.   2 16:47 domain.biz.key.err
    -r-------- 1 root root 1751 oct.   2 16:47 domain.biz.key.org
    -r-------- 1 root root 1751 oct.   2 16:47 domain.biz.key.org.err
    
I don't understand why the csr and csr.err do not have the same size (nor the key), and I don't understand what key.org is...

So I'm still at the same point... I should laugh at myself...
At the beginning it didn't appear to be something so difficult.

If you think I have missed something important, please tell me what!
Could it be a Namecheap problem?
     
  6. lollollollol

    lollollollol Member

    For more information: Do not try too often to reissue the certificate ...
    It is nowhere stated that we should not try more than 10 times ...

    I'm now fighting with Geotrust (via Namecheap) to obtain a new reissue.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

Did you test that the self-signed ssl cert worked after you created it? You must be able to reach the site with ssl about 1-2 minutes after you created the self-signed ssl cert. You will get a warning about an untrusted cert of course, but that's ok at this stage.
     
  8. lollollollol

    lollollollol Member

    Hi Till,
Yes, everything is OK:

    Code:
    # openssl x509 -noout -modulus -in domain.biz.crt | openssl md5
    (stdin)= 7a41377f2698d4c273dcc1af1bbf235c
    # openssl rsa -noout -modulus -in domain.biz.key | openssl md5
    (stdin)= 7a41377f2698d4c273dcc1af1bbf235c
    # openssl req -noout -modulus -in domain.biz.csr | openssl md5
    (stdin)= 7a41377f2698d4c273dcc1af1bbf235c
I had an answer from Geotrust: I'll be able to reissue after 24h.
    I'll test again tomorrow.

    Thank you.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

And the website opens fine with ssl in the browser after you accepted the warning message?
     
  10. lollollollol

    lollollollol Member

    Hello,
    Code:
And the website opens fine with ssl in the browser after you accepted the warning message?
Yes, that's what I meant.
I'm still "banned" by Geotrust, I'll try again in a couple of hours.
This time I will make backups before doing anything...
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

Yes. Back up the whole content of the ssl folder of the site; it contains all ssl-related files of the website.
     
  12. lollollollol

    lollollollol Member

    Hi,
Ok, it's solved. I got the certificate from GeoTrust, copied/pasted the certificate (crt and intermediate) in the ISPConfig panel and saved.
I do not understand how I managed to block everything...

    Thank you for your patience. :)
    Laurent.
     
  13. lollollollol

    lollollollol Member

    Hi again Till,
    No, I'm sorry it's not finished...
    I have another domain with a wildcard certificate.

I followed exactly the same procedure as with the other domain, and it doesn't work.

    I found in the ispconfig log this:
    Code:
    04.10.2013-13:37 - WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web2/ssl/*.isalo.org.key.org~
    04.10.2013-13:37 - WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web2/ssl/*.isalo.org.key~
    04.10.2013-13:37 - WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web2/ssl/*.isalo.org.csr
    04.10.2013-13:37 - WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web2/ssl/*.isalo.org.crt
    04.10.2013-13:37 - WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web2/ssl/*.isalo.org.bundle
    04.10.2013-13:37 - WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web2/ssl/*.isalo.org.key
    04.10.2013-13:37 - WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web2/ssl/*.isalo.org.key
It happens at the moment when I fill in the fields in the panel (for the cert and the bundle from Geotrust).
I have noticed that when I created the new certificate (the self-signed one) all the fields were empty in the ispconfig panel.

Do you know what could have happened?
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

That's an issue in ispconfig; it is related to wildcard certs only.

    The workaround is to select domain.com and not *.domain.com in the ssl cert settings.

Not quite sure if I understood you correctly: if the csr and key fields are empty, then no certificate key and csr had been created by ispconfig, so how were you able to get a signed cert from geotrust without the csr?
     
  15. lollollollol

    lollollollol Member

    Hello,

Ok! Thank you for the workaround.

But I should redo a CSR, no???

You understood very well.

Fields were empty AND the files were created. Strange, isn't it? I came back a few times to the ssl tab to be sure...
I should have taken a screenshot...
I picked the CSR from the /ssl directory.

So, please, for the wildcard, I should redo the csr?
Or... Can I redo the CSR and edit the (new) file to paste the old values inside?
     
  16. lollollollol

    lollollollol Member

    Well, I finally reached my goal ... :)

1) For simple certificates (www.domain.tld or domain.tld) ISPConfig3 does its job very well. Create the CSR with the SSL tab, make the certificate request (choose APACHE2), paste the certificate and bundle in the tab, save.

2) For wildcard certificates... It does not work, as Till stated above.

But choosing domain.tld in the ssl tab of ISPConfig is not the solution... When I want to reissue the certificate at Geotrust, it doesn't work: Geotrust told me that the CSR is for domain.tld and not for *.domain.tld...

This must be done from the command line...
But when using openssl to generate the key and the csr, you should remember to choose APACHE + OPENSSL at Geotrust. If you choose APACHE2, the md5 of the "CRT" generated by Geotrust does not match the md5 of your "CSR" and "KEY"...

    Then just change the vhost by hand, like this:

    Code:
SSLCertificateFile /var/www/clients/clientX/weby/ssl/domain.tld.cert
SSLCertificateKeyFile /var/www/clients/clientX/weby/ssl/domain.tld.no.key
SSLCertificateChainFile /var/www/clients/clientX/weby/ssl/intermediate.crt
    
Again, a small difference in how to reference the "bundle" in the vhost:
SSLCertificateChainFile should be used and not SSLCACertificateFile.

    I hope it helps someone ! ;)
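The modulus comparison posted earlier in the thread (post 8) and the chain-file point in this last post, combined into one script as an added example that is not from the thread, from ISPConfig or from Apache: it compares the MD5 of the RSA modulus of the key, certificate and CSR (a mismatch is exactly what Apache logs as "X509_check_private_key:key values mismatch"), and checks that the file you intend to put in SSLCertificateChainFile actually issued the certificate. To run offline it builds throw-away demo material with openssl; the names site.key, site.crt, site.csr, intermediate.crt, other.key and the demo CA are constructed for the example and are not the thread's files.

```shell
#!/bin/sh
# Added example: sanity-check an Apache SSL key/cert/CSR set before restarting
# Apache. Not part of the thread; all file names below are constructed.

# Print the MD5 of the RSA modulus of a key, certificate or CSR.
# Works with both "(stdin)= ..." and "MD5(stdin)= ..." output formats of openssl md5.
modulus_md5() {
  case "$1" in
    key|crt|csr) ;;
    *) echo "usage: modulus_md5 key|crt|csr FILE" >&2; return 2 ;;
  esac
  case "$1" in
    key) openssl rsa  -noout -modulus -in "$2" ;;
    crt) openssl x509 -noout -modulus -in "$2" ;;
    csr) openssl req  -noout -modulus -in "$2" ;;
  esac | openssl md5 | awk '{print $NF}'
}

# Succeed only when the private key ($1) and the certificate ($2) share a modulus.
# This is the condition Apache checks at startup; a failure here is the
# "key values mismatch" error from the thread.
check_pair() {
  [ "$(modulus_md5 key "$1")" = "$(modulus_md5 crt "$2")" ]
}

# Succeed only when the certificate ($1) was issued by the chain/intermediate
# file ($2). -partial_chain lets the intermediate act as the trust anchor, so a
# real (non self-signed) intermediate can be checked without the root.
check_chain() {
  openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build constructed demo material in a temp directory and print its path:
# a self-signed demo CA (stands in for the intermediate), a site key/CSR/cert
# signed by it, and an unrelated key that must NOT match the cert.
make_demo_pki() {
  d=$(mktemp -d)
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$d/ca.key" -subj "/CN=Demo Intermediate CA" \
    -days 1 -out "$d/intermediate.crt" 2>/dev/null
  openssl genrsa -out "$d/site.key" 2048 2>/dev/null
  openssl req -new -key "$d/site.key" -subj "/CN=demo.example" \
    -out "$d/site.csr" 2>/dev/null
  openssl x509 -req -in "$d/site.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -days 1 -out "$d/site.crt" 2>/dev/null
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null   # the "wrong" key
  echo "$d"
}

# Stand-alone demo: ./check_ssl.sh demo
if [ "${1:-}" = "demo" ]; then
  dir=$(make_demo_pki)
  for k in site.key other.key; do
    if check_pair "$dir/$k" "$dir/site.crt"; then
      echo "$k matches site.crt"
    else
      echo "$k does NOT match site.crt (Apache would refuse to start)"
    fi
  done
  if check_chain "$dir/site.crt" "$dir/intermediate.crt"; then
    echo "intermediate.crt issued site.crt: safe for SSLCertificateChainFile"
  fi
  rm -rf "$dir"
fi
```

On a real site, point check_pair at the ssl folder of the web (for example domain.biz.key and domain.biz.crt) and check_chain at the cert and the bundle you pasted; if either fails, do not restart Apache yet.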
     