SSL and IPs problem.

Discussion in 'General' started by debian-lover, Apr 19, 2008.

  1. debian-lover

    debian-lover New Member

    Hi everyone, I need some help getting SSL working on my ISPConfig setup.

    First of all, I am not even sure if I've setup the IPs correctly. I have two private IPs and two public IPs that I can use.

    Private IPs:
    192.168.16.36
    192.168.16.37

    Public IPs (For eg):
    222.22.22.21
    222.22.22.22

    From the attachments, I am pretty sure (1) is private ip and (4) is public but not sure about (2) and (3).

    So, http://(www.)testsite.com works fine with the current configuration but as soon as I turn on the SSL, it stops working. I don't even have to touch the SSL tab, and I get the "connection was reset" error on Firefox. Also, I get the same error if I go to https://www.testsite.com

    Apache log in /var/log/apache2/error.log does not record anything; however, /var/www/web10/ssl/log/error.log has the following:
    Code:
    [Fri Apr 18 17:29:53 2008] [error] Unable to configure RSA server private key
    [Fri Apr 18 17:29:53 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:func(128):reason(116)
    [Fri Apr 18 17:29:54 2008] [error] Unable to configure RSA server private key
    [Fri Apr 18 17:29:54 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    [Fri Apr 18 17:36:06 2008] [error] Unable to configure RSA server private key
    [Fri Apr 18 17:36:06 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    [Fri Apr 18 17:36:48 2008] [error] Unable to configure RSA server private key
    [Fri Apr 18 17:36:48 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    [Fri Apr 18 17:36:48 2008] [error] Unable to configure RSA server private key
    [Fri Apr 18 17:36:48 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    [Fri Apr 18 17:37:20 2008] [error] Unable to configure RSA server private key
    [Fri Apr 18 17:37:20 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    [Fri Apr 18 17:37:20 2008] [error] Unable to configure RSA server private key
    [Fri Apr 18 17:37:20 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    [Fri Apr 18 17:38:11 2008] [error] Unable to configure RSA server private key
    [Fri Apr 18 17:38:11 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    [Fri Apr 18 17:38:12 2008] [error] Unable to configure RSA server private key
    [Fri Apr 18 17:38:12 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    
    What could be the problem? Any help much appreciated.
     

    Attached Files:

    • 1.gif
      1.gif
      File size:
      11.6 KB
      Views:
      14,710
    • 2.gif
      2.gif
      File size:
      15.7 KB
      Views:
      14,707
    • 3.gif
      3.gif
      File size:
      9.3 KB
      Views:
      14,711
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you copy a SSL cert into the ssl directory of the website manually?

    Please go to the SSL tab of the site, enter the details for the SSL key and select create as action. Then click on save and wait about a minute. Then try again to connect.
     
  3. debian-lover

    debian-lover New Member

    Yes till, it works fine with the self-signed certificate, but when I install a trusted certificate, apache stops working and doesn't restart until I delete the new certificate. I've tried two different certificates, from comodo and rapidssl. Both give the same error that doesn't let the apache to restart.

    Code:
    [Sat Apr 19 01:18:49 2008] [error] Unable to configure RSA server private key
    [Sat Apr 19 01:18:49 2008] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    I googled for this error and found this
    They, indeed, match in my case. I can't figure out where the problem is. Any Idea?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, you missed to say in your post that you installed a ssl cert that was not created on basis of the csr from ispconfig. If you want to setup a trusted cert, it must be created on basis of the CSR that ISPConfig created for you, otherwise you will get this errors as the private key is not avlid for your certificate.

    Another solution is to replace the private key in the ssl direcory of the website with the private key that you used to create the trusted cert.
     
  5. debian-lover

    debian-lover New Member

    I did followed the steps listed in the official ISPConfig documentation to create a CSR. Ok, here's what I did:

    - Enabled SSL Checkbox
    - In the SSL Tab, filled all the information in text-boxes
    - In the drop down, selected "Create Certificate"
    - Wait for a minute
    - In the drop down, selected "Save Certificate"
    - Restarted apache and everything working fine (I can access https:// with the popup).

    Now, to replace the self-signed cert with trusted cert.
    - In the SSL tab, copied the "SSL Request" and sent it to CA.
    - They gave me the certificate, and I relaced the default "SSL Certificate" with the one CA gave me.
    - "Save certificate"
    - Restarted apache, and it stopped working.

    As I said, I've tried this with two different CAs. One of them required the SSLCertificateChainFile, I uploaded the chain file and entered the required line the "Apache Directives (Optional)." Both of them give the same error.

    Also, I am still confused about the IPs. Should I get more public IPs or Private IPs?

    Sorry for being a pain. I am working on it as hard as I can. Thanks for your time.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Your steps are ok, but the error message shows definately that the wrong key is used. Are you really sure that you did not accidently entered the bundle certificate in the SSL certificate field and that you CA did not use another CSR for the cert then the one created by ispconfig?
     
  7. debian-lover

    debian-lover New Member

    Yeah, I entered the .crt only not the bundle.

    Ok, the modulus of .key and .crt (from CA) do not match, but the they do match in case of .key and .crt (self-signed).

    Any idea what I am doing wrong?

    Thanks
     
    Last edited: Apr 20, 2008
  8. debian-lover

    debian-lover New Member

    Resolved. Did a complete re-install.

    For SSL, if going with Comodo, choose "Other" as your CSR generator not Apache's mod_ssl.
     

Share This Page