Hi, I'm going crazy, I've been on it since yesterday morning. I have a certificate that I had to renew (at Namecheap), I was forced to reissue it because of a mistake (not mine, but that's not important).

Code:
[Wed Oct 02 13:33:15 2013] [error] Unable to configure RSA server private key
[Wed Oct 02 13:33:15 2013] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

I tried this:
- Delete old certificates in the ispconfig panel
- Create a new command line csr (request)
- Copy / paste the certificate and the intermediate certificate in ispconfig
- Commit (save)
- Apache crashes

I tried this:
- Copy and paste the old csr and obtain a new certificate
- Get the new crt and copy/paste it in place of the former (editing the file)
- Apache crashes

I tried the old way:
- Create a new csr, obtain a new certificate and modify the vhost accordingly:

Code:
<IfModule mod_ssl.c>
SSLEngine on
# SSLCertificateFile /var/www/clients/client0/web109/ssl/domain.crt
# SSLCertificateKeyFile /var/www/clients/client0/web109/ssl/domain.key
# SSLCACertificateFile /var/www/clients/client0/web109/ssl/domain.bundle
SSLCertificateFile /etc/ssl/apache2/domain.crt
SSLCertificateKeyFile /etc/ssl/apache2/domain.key
SSLCertificateChainFile /etc/ssl/apache2/intermediate.crt
</IfModule>

- Apache crashes

I finally tried this:
- Create a new csr from my old key, obtain a certificate and copy/paste it in place of the former
- Apache crashes

I know the topic has been discussed often... I read this: http://www.howtoforge.com/forums/showthread.php?t=53208 and this: http://www.howtoforge.com/forums/archive/index.php/t-59220.html And many more... I do not see where my mistake is. I'm sure of course it's my fault, but I can't figure out how to get out of this problem. I don't understand why it is so complicated to flush the old ssl configuration on ispconfig? Some help to get me out of this would be very nice! Laurent. (and sorry for my poor English...)
Ok, there are no known issues with the ssl part in that version. An ssl certificate consists of 2 parts, the ssl key and the ssl cert. The csr is not important for the certificate installation, it is only used to obtain a signed ssl cert. This can not work as you did not copy the key. Instead of creating a csr on the command line, it would have been better to create one in ispconfig. Normally you would just use these steps for a renewal:

1) Take the csr that is shown in ispconfig and let it be signed again. The csr will not expire, so you can use it again. When you get the new ssl cert back, paste its content in the ssl cert field, select "save certificate" as action and press the save button.

There is no need to delete certificates or create csr's manually etc. To start over again, follow these steps:

1) Empty all fields on the ssl tab of the website, select delete certificate as action and click on save. Then wait at least one minute.
2) To be absolutely sure that there is no ssl cert left, delete all files in the ssl folder of the website.
3) Now create a new self signed ssl cert in ispconfig. Use the csr that is shown in ispconfig to get a signed ssl cert, paste this signed ssl cert in the ssl cert field and select "save certificate" as action.
Hi Till, Thank you very much for your answer. You are right, I should have just renewed the certificate, but... I asked someone to do it for me and he reissued it... I followed what you said:
- Emptied all fields, selected "delete certificate", saved
- Erased all files in the /ssl folder (one remained)
- Asked for a new cert with the csr I found in Ispconfig
- Pasted the newly obtained cert in the cert field, selected "save certificate" and saved. Apache2 failed, and Ispconfig kept the old configuration.
- I tried again, this time adding the intermediate cert (I pasted the intermediate cert from rapidssl in the SSL bundle), selected save certificate and saved. Still failed.

The only point where I'm confused is the choice of the cert at namecheap... I chose Apache2 but I have the choice between (apache + openssl / apache + mod_ssl / apache + apacheSSL). I read I have to choose Apache2, I think it's the right choice. What's in my /ssl folder now:

Code:
-rw-r--r-- 1 root root 1334 oct. 2 16:47 domain.biz.crt
-rw-r--r-- 1 root root 1862 oct. 2 16:47 domain.biz.crt.err
-rw-r--r-- 1 root root 1119 oct. 2 16:47 domain.biz.csr
-rw-r--r-- 1 root root 1138 oct. 2 16:47 domain.biz.csr.err
-r-------- 1 root root 1679 oct. 2 16:47 domain.biz.key
-rw-r--r-- 1 root root 1679 oct. 2 16:47 domain.biz.key~
-r-------- 1 root root 1706 oct. 2 16:47 domain.biz.key.err
-r-------- 1 root root 1751 oct. 2 16:47 domain.biz.key.org
-r-------- 1 root root 1751 oct. 2 16:47 domain.biz.key.org.err

I don't understand why the csr and csr.err don't have the same size (nor the key), and I don't understand what key.org is... So I'm still at the same point... I should laugh at myself... At the beginning it didn't appear to be something so difficult. If you think I have missed something important, please tell me what! Could it be a namecheap problem?
For more information: Do not try too often to reissue the certificate ... It is nowhere stated that we should not try more than 10 times ... I'm now fighting with Geotrust (via Namecheap) to obtain a new reissue.
Did you test that the self signed ssl cert worked after you created it? You must be able to reach the site with ssl about 1-2 minutes after you created the self signed ssl cert. You will get a warning about an untrusted cert of course, but that's ok at this stage.
Hi Till, Yes, everything is OK:

Code:
# openssl x509 -noout -modulus -in domain.biz.crt | openssl md5
(stdin)= 7a41377f2698d4c273dcc1af1bbf235c
# openssl rsa -noout -modulus -in domain.biz.key | openssl md5
(stdin)= 7a41377f2698d4c273dcc1af1bbf235c
# openssl req -noout -modulus -in domain.biz.csr | openssl md5
(stdin)= 7a41377f2698d4c273dcc1af1bbf235c

I had an answer from Geotrust: I'll be able to reissue after 24h. I'll test again tomorrow. Thank you.
Hello,

Quote:
and the website opens fine with ssl in the browser after you accepted the warning message?

Yes, that's what I meant. I'm still "banned" by Geotrust, I'll try again in a couple of hours. This time I will make backups before doing anything...
Yes. Back up the whole content of the ssl folder of the site, it contains all ssl related files of the website.
Hi, Ok, it's solved. I got the certificate from GeoTrust, copied/pasted the certificate (crt and intermediate) in the ISPConfig panel and saved. I do not understand how I managed to block everything... Thank you for your patience. Laurent.
Hi again Till, No, I'm sorry, it's not finished... I have another domain with a wildcard certificate. I followed exactly the same procedure as with the other domain, and it doesn't work. I found this in the ispconfig log:

Code:
04.10.2013-13:37 - WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web2/ssl/*.isalo.org.key.org~
04.10.2013-13:37 - WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web2/ssl/*.isalo.org.key~
04.10.2013-13:37 - WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web2/ssl/*.isalo.org.csr
04.10.2013-13:37 - WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web2/ssl/*.isalo.org.crt
04.10.2013-13:37 - WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web2/ssl/*.isalo.org.bundle
04.10.2013-13:37 - WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web2/ssl/*.isalo.org.key
04.10.2013-13:37 - WARNING - Action aborted, file is a symlink: /var/www/clients/client1/web2/ssl/*.isalo.org.key

It happens at the moment where I fill in the fields in the panel (for the cert and the bundle from Geotrust). I have noticed that when I created the new certificate (the self-signed one) all the fields were empty in the ispconfig panel. Do you know what could have happened?
That's an issue in ispconfig, it is related to wildcard certs only. The workaround is to select domain.com and not *.domain.com in the ssl cert settings. Not quite sure if I understood you correctly: if the csr and key fields are empty, then no certificate key and csr had been created by ispconfig, so how were you able to get a signed cert from geotrust without the csr?
Hello, Ok! Thank you for the workaround. But, I should redo a CSR, no? You understood very well. Fields were empty AND the files were created. Strange, isn't it? I came back a few times to the ssl tab to be sure... I should have taken a screenshot... I picked the CSR in the /ssl directory. So, please, for the wildcard, should I redo the csr? Or... Can I redo the CSR and edit the (new) file to paste the old values inside?
Well, I finally reached my goal...

1) For simple certificates (www.domain.tld or domain.tld) ISPConfig3 does its job very well. Create the CSR with the SSL tab, make the certificate request (choose APACHE2), paste the certificate and bundle in the tab, save.

2) For wildcard certificates... It does not work, as Till stated above. But choosing domain.tld in the ssl tab of Ispconfig is not the solution... When I want to reissue the certificate at Geotrust, it doesn't work: Geotrust told me that the CSR is for domain.tld and not for *.domain.tld... This must be done from the command line... But when using openssl to generate the key and the csr, you should remember to choose APACHE + OPENSSL at Geotrust. If you choose APACHE2, the md5 of the "CRT" generated by Geotrust does not match the md5 of your "CSR" and "KEY"... Then just change the vhost by hand, like this:

Code:
SSLCertificateFile /var/www/clients/clientX/weby/ssl/domain.tld.cert
SSLCertificateKeyFile /var/www/clients/clientX/weby/ssl/domain.tld.no.key
SSLCertificateChainFile /var/www/clients/clientX/weby/ssl/intermediate.crt

Again, a little difference in how to declare the "bundle" in the vhost: SSLCertificateChainFile should be used, not SSLCACertificateFile. I hope it helps someone!
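As an added example (not code from the thread or from ISPConfig), here is a runnable version of the check Laurent ran with openssl md5 earlier in the thread and of the md5 mismatch described in the last post: it builds a constructed key/CSR/self-signed cert set under a temp dir, plus an unrelated key to stand in for a cert reissued against a different CSR, and goes one step beyond the thread's RSA-only modulus comparison with a public-key hash comparison that also works for non-RSA keys. The file names a.key/a.csr/a.crt/b.key and CN=example.test are assumptions; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not code from the thread or ISPConfig: reproduce Apache's
# "X509_check_private_key: key values mismatch" offline and run the openssl
# checks that catch it before the vhost is reloaded. Needs only the openssl
# CLI; every key and certificate is a constructed sample written to a temp
# dir (CN=example.test, file names a.*/b.key are assumptions).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The thread's RSA-only check: md5 of the modulus of a key (rsa), CSR (req)
# or certificate (x509). Prints only the hex digest.
modulus_md5() {   # $1 = rsa|req|x509, $2 = PEM file
    openssl "$1" -noout -modulus -in "$2" | openssl md5 | awk '{print $NF}'
}

# Returns 0 when key, CSR and cert all carry the same modulus.
all_three_match() {   # $1 key, $2 csr, $3 crt
    k=$(modulus_md5 rsa "$1"); r=$(modulus_md5 req "$2"); c=$(modulus_md5 x509 "$3")
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Generalised check that also covers non-RSA keys: hash the DER public key
# derived from the private key and the one embedded in the certificate.
pubkey_sha256() { openssl dgst -sha256 | awk '{print $NF}'; }
key_matches_cert() {   # $1 = private key, $2 = certificate; 0 on match
    k=$(openssl pkey -in "$1" -pubout -outform DER | pubkey_sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | pubkey_sha256)
    [ "$k" = "$c" ]
}

# Constructed sample: key A with its CSR and a self-signed cert, plus an
# unrelated key B to simulate "cert reissued against a different CSR".
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$WORK/a.key" -out "$WORK/a.csr" 2>/dev/null
openssl x509 -req -in "$WORK/a.csr" -signkey "$WORK/a.key" -days 1 \
    -out "$WORK/a.crt" 2>/dev/null
openssl genrsa -out "$WORK/b.key" 2048 2>/dev/null

if all_three_match "$WORK/a.key" "$WORK/a.csr" "$WORK/a.crt"; then
    echo "key A + CSR + cert: match, Apache would accept this pair"
fi
if ! key_matches_cert "$WORK/b.key" "$WORK/a.crt"; then
    echo "key B + cert: mismatch, Apache would log 'key values mismatch'"
fi
```

Run the two checks against the real files in the site's ssl folder before saving in ISPConfig; a mismatch there means the cert was issued for a different CSR/key than the one on disk, which is exactly what Apache refuses at startup.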