SSL Certificate Error - Apache does not start

Discussion in 'Installation/Configuration' started by snowfly, Jul 26, 2011.

  1. snowfly

    snowfly Member

    Hi,

    I'm running ISPConfig 3.0.3.1, and trying to setup an SSL cert for a site.

    However Apache now fails to start, and I'm getting this in the error log:

    [Tue Jul 26 21:16:49 2011] [error] Unable to configure RSA server private key
    [Tue Jul 26 21:16:49 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

    These are the steps I took in ISPConfig:

    1. Enable SSL for the site
    2. Create SSL cert on 'SSL' tab, fill out fields, change SSL Action to 'Create Certificate', Save
    3. Go back to SSL tab, copy 'SSL Request' (CSR)
    4. I used Trustico (www.trustico.co.nz) to create a RapidSSL certificate, using CSR (from above)
    5. Received RapidSSL cert, copied and pasted into 'SSL Certificate' field in ISPConfig 'SSL' tab for website
    6. Changed action to 'Save Certificate', saved
    7. Apache fails to start, cannot access ISPConfig control panel

    Error from log at top of post.

    I managed to get apache running again by commenting out SSLEngine On for site.


    Any help please?
    Thanks in advance.
     
  2. snowfly

    snowfly Member

    Update:
    I have spoken with Trustico support, and they have said the reason for the error is:

    "You have lost the matching private key, that was created when you generated the CSR"

    The SSL CSR was created via ISPConfig, so where is the original matching private key?
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The steps you took are correct.

    According to the error message above, the ssl certificate that was copied back to ispconfig was not based on the csr from ispconfig, so that the key of the ssl cert did not match and apache could not be started. Maybe trustico created its own csr and did not use the one from ispconfig or you accidentally selected "create certificate" instead of "save certificate" to save the ssl cert.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The ssl key is in the ssl directory of the website. It does not get changed when you upload the cert, so you did not lose the key as the trustico support guessed. I explained above the possible reasons for the error message, either the trustico ssl cert is not based on the csr generated by ispconfig or you accidentally generated a new csr and key instead of saving it.
     
  5. snowfly

    snowfly Member

    I deleted the SSL cert, and then recreated a new SSL Request via the website SSL tab, and made sure I selected 'Create Certificate'

    And then used this new SSL request on the trustico site to replace the previous one.

    I then took the new SSL cert, copied into the 'SSL Certificate' field in ISPConfig, made sure I selected 'Save Certificate', and saved.

    Same problem, same error:
    [Tue Jul 26 22:15:06 2011] [error] Unable to configure RSA server private key
    [Tue Jul 26 22:15:06 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

    In my Trustico account I can view the SSL certificate I have purchased, and it shows the CSR used.

    When I do a diff on this CSR from the Trustico system, to the 'SSL Request' listed on the SSL tab for the website in ISPConfig, the CSRs match, exactly.

    So what else could be wrong?

    In the Trustico account I also see a 'Root/CA' certificate. (this is a RapidSSL cert)
    Does this affect anything?
    Do I need to put this in the 'SSL Bundle' field in ISPConfig?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok. But the self signed certificate from ispconfig worked fine, before you replaced it with the ssl cert from trustico?

    That might be, but only trustico can tell you if this certificate has to be installed as ssl chain certificate to use their certs in apache.

    As a side note, you should update your ispconfig to the latest version 3.0.3.3
     
  7. snowfly

    snowfly Member

    Yes, the self-signed certificate worked fine before I purchased the RapidSSL cert from trustico.

    The ISPConfig version I have is actually 3.0.3.3
    This is what the Monitor tab suggests.
    Before I just looked in the sys_config table, db_version row.

    I tried using the CA/root cert from Trustico, in the same way I have used this on other non-ISPconfig servers.
    I added this to the apache virtualhost config for the website:
    SSLCertificateChainFile /var/www/clients/clientxxx/webxxx/ssl/xxx.ca

    Restarted apache, but still get the same error as before.
     
  8. snowfly

    snowfly Member

    So I repeated the whole process again, to see if I missed something:

    1. Deleted SSL cert, disabled SSL for site
    2. Waited for few minutes, checked site is ok, and SSL is disabled
    3. Enabled SSL, waited
    4. Filled in form on SSL tab of website, selected 'Create Certificate', saved, and waited
    5. Checked SSL was working with self signed, yes, working OK in web browser
    6. Copied 'SSL Request' from ISPConfig into Trustico, to replace the old CSR
    7. Trustico generated a new SSL Certificate
    8. Pasted new SSL cert into 'SSL Certificate' field for website, selected 'Save Certificate', saved, waited
    9. Apache stopped, could not access ISPConfig.

    Same error as before:
    [Tue Jul 26 22:54:05 2011] [error] Unable to configure RSA server private key
    [Tue Jul 26 22:54:05 2011] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

    Weird...?

    I'm now going to try to bypass the ISPConfig SSL process, and manually create my own SSL key and CSR, to see if that works.
     
  9. snowfly

    snowfly Member

    Got it working!

    Manually created the Key, CSR, and resubmitted CSR to trustico, generated new Cert, and copied files into /ssl directory of website.

    So not sure what went wrong with the ISPconfig ssl generation tools?

    Will try it again for the next ssl cert I need to create, but at least for now I can do manually.
     
  10. kextra1

    kextra1 ISPConfig Developer

    I had to add the intermediate.crt & then add or uncomment the path in the httpd.conf or whatever. I'm running ispconfig2 though, have done it the last 4 years and am having the same issue with the admin panel not starting. Must be something, but usually you just need the intermediate.crt & server.crt & the cert must be 2048
     
  11. Tony Gillett

    Tony Gillett New Member

    For anyone else that is struggling with this...

    I had the same issue on one of my CentOS 6.5 servers recently and it was down to when I generated the KEY and CSR.

    I have three sites running on this server in virtualhosts all with dedicated IPs and each site has its own SSL Certificate.

    In a rush when changing one of the certificates, I stupidly just followed the certificate providers guide to gaining the CSR and installing it in Apache, and I was instructed to use the following command:

    openssl req -new -newkey rsa:2048 -nodes -keyout domain-name-here.key -out domain-name-here.csr

    After installing the new certificate I was then also facing Apache not starting and the same errors in /var/log/httpd/ssl_error_log

    [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

    [error] Unable to configure RSA server private key


    Now what I really should have done was check my .bash_history files, as I have successfully done this in CentOS many times before.

    I should have run these two commands instead:

    openssl genrsa -des3 -out domain-name-here.co.uk.key 2048

    openssl req -new -key domain-name-here.co.uk.key -out domain-name-here.co.uk.csr

    This then successfully generated the CSR and KEY, I re-applied for the certificate using the newly gained CSR, then applied the new certificate and added the new key file and finally then Apache would start cleanly.

    Hope this helps.

    Tony
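
The thread's error, X509_check_private_key:key values mismatch, means the private key Apache loads (SSLCertificateKeyFile) does not belong to the certificate it loads (SSLCertificateFile), which is exactly what happens when a CSR is made from one key (Tony's first command generates a fresh key) and the certificate is installed next to a different one. The script below is an added example, not from the thread, ISPConfig or the certificate provider: it generates a key and CSR the way Tony's second pair of commands does (without -des3, so no passphrase is needed), self-signs the CSR to stand in for the CA, then compares the public key embedded in the key, the CSR and the certificate. Running the same comparison against the files in the website's ssl directory would have shown which of key, CSR or cert was the odd one out without restarting Apache. The hostname example.test and all file names are constructed for the demo; chain_ok also shows the check behind till's point about the CA/chain certificate (openssl verify against the bundle that would go into SSLCertificateChainFile).

```shell
#!/bin/sh
# Added example: diagnose "X509_check_private_key:key values mismatch" by
# checking that key, CSR and certificate all carry the same public key.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed hostname for the demo; not a real site.
HOST="example.test"

# Key + CSR, generated in the order Tony's second pair of commands uses
# (key first, then a CSR from that key). -des3 is omitted for the demo.
openssl genrsa -out "$WORK/$HOST.key" 2048 2>/dev/null
openssl req -new -key "$WORK/$HOST.key" -out "$WORK/$HOST.csr" -subj "/CN=$HOST" 2>/dev/null

# Stand-in for the CA: self-sign the CSR so we have a certificate for it.
openssl x509 -req -in "$WORK/$HOST.csr" -signkey "$WORK/$HOST.key" \
    -out "$WORK/$HOST.crt" -days 30 2>/dev/null

# Tony's first command creates a brand-new key together with the CSR; this
# simulates the mismatch the thread hit: a key that never belonged to the cert.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -out "$WORK/other.csr" -subj "/CN=$HOST" 2>/dev/null

# pubkey_fp FILE TYPE: SHA-256 of the PEM public key inside a key, CSR or cert.
# All three commands emit the same "BEGIN PUBLIC KEY" PEM for the same key.
pubkey_fp() {
  case "$2" in
    key) openssl pkey -in "$1" -pubout 2>/dev/null ;;
    csr) openssl req  -in "$1" -pubkey -noout 2>/dev/null ;;
    crt) openssl x509 -in "$1" -pubkey -noout 2>/dev/null ;;
    *)   echo "unknown type $2" >&2; return 2 ;;
  esac | openssl sha256 | awk '{print $NF}'
}

# same_pubkey FILE1 TYPE1 FILE2 TYPE2: prints match/mismatch, returns 0/1.
same_pubkey() {
  if [ "$(pubkey_fp "$1" "$2")" = "$(pubkey_fp "$3" "$4")" ]; then
    echo match; return 0
  else
    echo mismatch; return 1
  fi
}

# chain_ok CERT CABUNDLE: does the cert verify against the bundle that would
# be installed as SSLCertificateChainFile? Prints ok/fail, returns 0/1.
chain_ok() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo ok; return 0
  else
    echo fail; return 1
  fi
}

# The checks an admin would run against /var/www/.../ssl/ before touching Apache:
same_pubkey "$WORK/$HOST.key" key "$WORK/$HOST.csr" csr            # match
same_pubkey "$WORK/$HOST.key" key "$WORK/$HOST.crt" crt            # match
same_pubkey "$WORK/other.key" key "$WORK/$HOST.crt" crt || true    # mismatch
chain_ok "$WORK/$HOST.crt" "$WORK/$HOST.crt"                        # ok (self-signed)
```

When the last comparison prints mismatch for the files Apache is actually configured with, the fix is the one the thread arrived at: reissue the certificate from a CSR made with the key that will stay in place, or install the key that produced the CSR; editing the certificate or chain file cannot repair it.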
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Instead of running any of these commands manually you should have used the ispconfig ssl functions on the ssl tab of the websites as this avoids the problems with non matching key / crt.
     
  13. Tony Gillett

    Tony Gillett New Member

    As I don't use ispconfig I don't have that option ;)
     