Problem installing SSL for WebSite

I needed to get an actual SSL Cert for one of the 3 websites I am running under ISPCONFIG. I put in the information and chose create certificate and saved. Then I copied the SSL Request and put it into my application for a key. Got the key and pasted it into the SSL Certificate box in ISPCONFIG for the website I need the key for, saved it and restarted ispconfig_server. All restarted but I can not get to the website. I am using Fedora Core 7 setup using the how to for FC7 and asked for a mod ssl type key. Does everything have to be the same as far as company information that was entered during the how to for openssl, even the department? I setup ISPCONFIG using my company name etc.. but the department I used was web. I am using www for the website. Just so I am clear, IPCONFIG is setup as web.mydomainname.com and my website is www.mydomainname.com. Also does the number of days play a factor as I plan to buy a 3 year cert?

httpd does not start and the error I am getting in the error log of the website is:
Unable to configure RSA server private key
SSL Library error: 185073780 error:0B080074:x509 certificate routines:x509_check_private_key:key values mismatch

Do I need to regen my keys on the server using the same code as in the how to for FC7 or just the x509 ones?

Trying to figure it all out but don't want to do anything that is going to cause me to start over...


John

 

I may be using the word KEY in the wrong context because that's what I did. I entered the information at the top of the SSL form in ISPCONFIG and chose create to make the SSL Request, then I chose save, after that I copied the request into the CA's form and when I got the files from the CA, I took the one that ended in .crt and pasted it into SSL Certificate and chose save as the option and then clicked on save. When I restarted ISPCONFIG, httpd failed to restart with the error.

I also recieved a file called my_domain_name.ca-bundle. Was I supposed to do anything with this?

Thanks

John

 

Could part of my problem be that I am calling the ISP Server web.mydomainname.com and then I have setup a website called www.mydomainname.com?

Can I change the name of the ISP server or will I have to re-install ISPCONFIG in order to change the name, if it's causing me a problem.

Hoping to get this resolved soon. I am trying to go live with this by this weekend.

Thanks

John

 

No, that's no problem.

Did you take a look at this guide? http://www.howtoforge.com/faq/14_49_en.html

 

I think I have it worked out.

While viewing the cert created by ISPCONFIG for the ISP Server, I realized that when I installed ISPCONFIG, I always used MY email address and setup the oranganization as web. SO, this time, I logged in as admin, deleted the existing cert that was created by ISPCONFIG, logged out, logged back in as myself, created a request using web as the organization and submitted it. Now, there are no errors bring ISPCONFIG and httpd back up and the cert shows my CA's name.

I am running this at home this week while I am off (some vacation), so it still shows as can't be trusted, but that has to be because it's not sitting at the IP it is supposed to be at, yes?

Thanks for the replies guys and the fantastic work you all do in helping everyone on this site.... it's really appreciated.

John

 

The IP doesn't matter, but I guess you're also using a different hostname?

 

The IP address that the domain is sitting at right now is the only thing that is different. The DNS points to the IP address at work and right now, I am just running it on my home DSL Non-Static IP. I just change my host files on my workstation to match the current IP to connect to the server for testing. I'll know more tomorrow as I am taking it back to work. Hopefully, the warning stops popping up then.

John

 

Update: I contacted my SSL CA and they said I was getting the not trusted warning because of no intermediate file being installed., So I added the intermediate ca file, as per their instructions, to the .conf files, both the httpd.conf and the httpd.conf.https files where they are looking for the SSLCertificateChainFile. They were commented out originally. Not sure I needed it in both conf files, but now. IE 6 or IE7 do not complain, but Firefox 2.0.0.6 still complains even though the CA is listed as an Authority. Does anyone know why this might be happening only in Firefox? It may in others, but I only have FireFox and IE6 - IE7.

50% of the way there....

 

What I think it is , is the misconfiguration on the server of the cert. CA is now telling me to try a different file for the bundle file. I'll have to wait until tomorrow to try it.

This is the screen that pops up in Firefox.

 

Installing the new file did not solve the problem.
Ok.. still not fixed, but it seems that I should be working on the ssl.conf file, not the httpd.conf or httpd.conf.https files.

By installing the paths for my .crt, .key and .ca.bundle files, I can now access Squirrelmail and ISPConfig using IE6 and 7 where before I did this, I couldn't access the pages using IE, but Firfox was able to.
Firefox still doesn't trust my Cert from the CA but IE does.
I have installed as they requested using the ssl.conf file located in etc/httpd/conf.d./

This is what I have in ssl.conf now

SSLCertificateFile /the path to cert file/www.tidesmarine.com.crt
SSLCertificateKeyFile /the path to cert file/www.tidesmarine.com.key
SSLCertificateChainFile /the path to cert file/www.tidesmarine.com.ca-bundle.crt
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt


What else can I look at?

 

Update:

Problem, I thought was finally solved. What I had to do, was add the Chain File to the Vhosts_ispconfig.conf file under the 443 section of my web site.


Update: See MY post on 3rd page about adding line to httpd.conf

 

Well, I THOUGHT it was solved, BUT... something rewrites the Vhosts_ispconfig.conf file.

What would be doing this?

It omits the chain file from the new file that gets written. It rewrote the file at 8:54 am today. What file is it basing it's information on when it rewrites this file?

Thanks

John

 

try adding the chain file in the apache directives of the site.
SSLCertificateChainFile /the path to cert file/www.tidesmarine.com.ca-bundle.crt

 

I don't have an apache.conf or apache2.conf file.

I did the Fedora Core 7 install per how to's. I have several conf files, but none that start with apache. I already have the file paths in the ssl.conf foler and it puts my .key and .crt file in the Vhost_ispconfig.conf file, just not the chain file.

I'll keep looking but if someone has a difinitive answer as to which file the VHosts file gets written from using FC7, please let me know.

John

 

I won't touch the Vhosts_ispconfg.conf file, but what file does ISPCONFIG get it's information from to write it? I have the chain file in ssl.conf and it does not get written to the Vhosts_ispconfig.conf file. The Key and crt file paths do, but not the Chain file.